Fluid Attacks Database

Description

JRuby denial of service via Hash Collision JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jruby:jruby-parent	>=0 <1.7.1	1.7.1
debian 13	jruby	>=0 <1.5.6-5	1.5.6-5
debian 12	jruby	>=0 <1.5.6-5	1.5.6-5
debian 14	jruby	>=0 <1.5.6-5	1.5.6-5

Aliases

1. CVE-2012-53702. NVD-2012-53703. OSV-2012-53704. OSV-DEBIAN-2012-53705. GCVE-2012-53706. SECURITY-TRACKER-CVE-2012-5370

References

1. https://github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf772. https://bugzilla.redhat.com/show_bug.cgi?id=8806713. http://jruby.org/2012/12/03/jruby-1-7-14. http://rhn.redhat.com/errata/RHSA-2013-0533.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.