Fluid Attacks Database

Description

Cross-site Scripting in in JRuby The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jruby.ext.posix:jna-posix	=0.7	0.8
maven	org.jruby.joni:joni	-	-
maven	org.jruby:jruby-core	>=0 <1.4.1	1.4.1
maven	jline:jline	>=0 <1.4.1	1.4.1
debian 12	jruby	>=0 <1.5.0~rc1-1	1.5.0~rc1-1
debian 13	jruby	>=0 <1.5.0~rc1-1	1.5.0~rc1-1
debian 14	jruby	>=0 <1.5.0~rc1-1	1.5.0~rc1-1

Aliases

1. CVE-2010-13302. NVD-2010-13303. OSV-2010-13304. OSV-DEBIAN-2010-13305. GCVE-2010-13306. SECURITY-TRACKER-CVE-2010-1330

References

1. http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html2. https://bugs.gentoo.org/show_bug.cgi?id=3174353. https://bugzilla.redhat.com/show_bug.cgi?id=7503064. https://exchange.xforce.ibmcloud.com/vulnerabilities/802775. http://rhn.redhat.com/errata/RHSA-2011-1456.html6. http://www.osvdb.org/77297

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.