{"api_version":"1","generated_at":"2026-04-22T23:07:58+00:00","cve":"CVE-2008-1145","urls":{"html":"https://cve.report/CVE-2008-1145","api":"https://cve.report/api/cve/CVE-2008-1145.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2008-1145","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2008-1145"},"summary":{"title":"CVE-2008-1145","description":"Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) \"..%5c\" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2008-03-04 23:44:00","updated_at":"2023-08-01 18:58:00"},"problem_types":["CWE-22"],"metrics":[],"references":[{"url":"http://secunia.com/advisories/29536","name":"29536","refsource":"SECUNIA","tags":[],"title":"rPath update for ruby - Advisories - Secunia","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://support.apple.com/kb/HT2163","name":"http://support.apple.com/kb/HT2163","refsource":"CONFIRM","tags":[],"title":"About the security content of Security Update 2008-004 and Mac OS X 10.5.4","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/29357","name":"29357","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Miva Merchant: MivaScript Compiler Overview","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/489205/100/0/threaded","name":"20080306 [DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html","name":"FEDORA-2008-2443","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 8 Update: ruby-1.8.6.114-1.fc8","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/","name":"http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/","refsource":"CONFIRM","tags":["Exploit","Patch"],"title":"File access vulnerability of WEBrick","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/31687","name":"31687","refsource":"SECUNIA","tags":[],"title":"SUSE Update for Multiple Packages - Secunia Advisories - Vulnerability Intelligence - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html","name":"SUSE-SR:2008:017","refsource":"SUSE","tags":[],"title":"[security-announce] SUSE Security Summary Report SUSE-SR:2008:017","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securitytracker.com/id?1019562","name":"1019562","refsource":"SECTRACK","tags":[],"title":"Ruby Directory Traversal Flaw in WEBrick Library Lets Remote Users View Files on the Target System. - SecurityTracker","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html","name":"FEDORA-2008-2458","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 7 Update: ruby-1.8.6.114-1.fc7","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/32371","name":"32371","refsource":"SECUNIA","tags":[],"title":"Red Hat update for ruby - Secunia Advisories - Vulnerability Intelligence - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/29232","name":"29232","refsource":"SECUNIA","tags":["Vendor Advisory"],"title":"Ruby WEBrick Information Disclosure Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html","name":"APPLE-SA-2008-06-30","refsource":"APPLE","tags":[],"title":"APPLE-SA-2008-06-30 Security Update 2008-004 and Mac OS X v10.5.4","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/bid/28123","name":"28123","refsource":"BID","tags":[],"title":"Ruby WEBrick Remote Directory Traversal and Information Disclosure Vulnerabilities","mime":"text/html","httpstatus":"200","archivestatus":"0"},{"url":"http://www.kb.cert.org/vuls/id/404515","name":"VU#404515","refsource":"CERT-VN","tags":["US Government Resource"],"title":"US-CERT Vulnerability Notes","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://secunia.com/advisories/30802","name":"30802","refsource":"SECUNIA","tags":[],"title":"Apple Mac OS X Security Update Fixes Multiple Vulnerabilities - Secunia Advisories - Vulnerability Intelligence - Secunia.com","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123","name":"http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123","refsource":"CONFIRM","tags":[],"title":"Advisories:rPSA-2008-0123 - rPath Wiki","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937","name":"oval:org.mitre.oval:def:10937","refsource":"OVAL","tags":[],"title":"Repository  /  Oval Repository","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://wiki.rpath.com/Advisories:rPSA-2008-0123","name":"http://wiki.rpath.com/Advisories:rPSA-2008-0123","refsource":"CONFIRM","tags":[],"title":"Advisories:rPSA-2008-0123 - rPath Wiki","mime":"text/html","httpstatus":"-1","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2008:142","name":"MDVSA-2008:142","refsource":"MANDRIVA","tags":[],"title":"Support / Security / Advisories /  / MDVSA-2008:142 | Mandriva","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2008:141","name":"MDVSA-2008:141","refsource":"MANDRIVA","tags":[],"title":"Support / Security / Advisories /  / MDVSA-2008:141 | Mandriva","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41010","name":"ruby-webrick-directory-traversal(41010)","refsource":"XF","tags":[],"title":"IBM X-Force Exchange","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/489218/100/0/threaded","name":"20080306 Re: [DSECRG-08-018] Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory traversal file Download Vulnerability","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.redhat.com/support/errata/RHSA-2008-0897.html","name":"RHSA-2008:0897","refsource":"REDHAT","tags":[],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.vupen.com/english/advisories/2008/0787","name":"ADV-2008-0787","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.exploit-db.com/exploits/5215","name":"5215","refsource":"EXPLOIT-DB","tags":[],"title":"Ruby 1.8.6 (Webrick Httpd 1.3.1) Directory Traversal Vulnerability","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://issues.rpath.com/browse/RPL-2338","name":"https://issues.rpath.com/browse/RPL-2338","refsource":"CONFIRM","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"http://www.vupen.com/english/advisories/2008/1981/references","name":"ADV-2008-1981","refsource":"VUPEN","tags":[],"title":"Webmail : Solution de messagerie professionnelle - OVHcloud- OVH","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://www.securityfocus.com/archive/1/490056/100/0/threaded","name":"20080325 rPSA-2008-0123-1 ruby","refsource":"BUGTRAQ","tags":[],"title":"SecurityFocus","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2008-1145","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2008-1145","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"7","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"8","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"1.9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"-1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"ruby","cpe6":"1.9.0.1","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ruby-lang","cpe5":"webrick","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"1.8","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webrick","cpe5":"webrick","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"1.8_p114","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webrick","cpe5":"webrick","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"1.8_p115","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webrick","cpe5":"webrick","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"1.9","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webrick","cpe5":"webrick","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2008","cve_id":"1145","vulnerable":"1","versionEndIncluding":"1.9_1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"webrick","cpe5":"webrick","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[{"cvename":"CVE-2008-1145","organization":"Red Hat","lastmodified":"2008-12-04","contributor":"Mark J Cox","statementText":"This issue was addressed in affected versions of Ruby as shipped in Red Hat Enterprise Linux 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0897.html","cve_year":"2008","cve_id":"1145","crc32":"2f7503e9"}],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"data_version":"4.0","data_type":"CVE","data_format":"MITRE","CVE_data_meta":{"ID":"CVE-2008-1145","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"description":{"description_data":[{"lang":"eng","value":"Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) \"..%5c\" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_affected":"=","version_value":"n/a"}]}}]}}]}},"references":{"reference_data":[{"url":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html","refsource":"MISC","name":"http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html"},{"url":"http://secunia.com/advisories/30802","refsource":"MISC","name":"http://secunia.com/advisories/30802"},{"url":"http://support.apple.com/kb/HT2163","refsource":"MISC","name":"http://support.apple.com/kb/HT2163"},{"url":"http://www.vupen.com/english/advisories/2008/1981/references","refsource":"MISC","name":"http://www.vupen.com/english/advisories/2008/1981/references"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html","refsource":"MISC","name":"http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html"},{"url":"http://secunia.com/advisories/29232","refsource":"MISC","name":"http://secunia.com/advisories/29232"},{"url":"http://secunia.com/advisories/29357","refsource":"MISC","name":"http://secunia.com/advisories/29357"},{"url":"http://secunia.com/advisories/29536","refsource":"MISC","name":"http://secunia.com/advisories/29536"},{"url":"http://secunia.com/advisories/31687","refsource":"MISC","name":"http://secunia.com/advisories/31687"},{"url":"http://secunia.com/advisories/32371","refsource":"MISC","name":"http://secunia.com/advisories/32371"},{"url":"http://wiki.rpath.com/Advisories:rPSA-2008-0123","refsource":"MISC","name":"http://wiki.rpath.com/Advisories:rPSA-2008-0123"},{"url":"http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123","refsource":"MISC","name":"http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123"},{"url":"http://www.kb.cert.org/vuls/id/404515","refsource":"MISC","name":"http://www.kb.cert.org/vuls/id/404515"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2008:141","refsource":"MISC","name":"http://www.mandriva.com/security/advisories?name=MDVSA-2008:141"},{"url":"http://www.mandriva.com/security/advisories?name=MDVSA-2008:142","refsource":"MISC","name":"http://www.mandriva.com/security/advisories?name=MDVSA-2008:142"},{"url":"http://www.redhat.com/support/errata/RHSA-2008-0897.html","refsource":"MISC","name":"http://www.redhat.com/support/errata/RHSA-2008-0897.html"},{"url":"http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/","refsource":"MISC","name":"http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/"},{"url":"http://www.securityfocus.com/archive/1/489205/100/0/threaded","refsource":"MISC","name":"http://www.securityfocus.com/archive/1/489205/100/0/threaded"},{"url":"http://www.securityfocus.com/archive/1/489218/100/0/threaded","refsource":"MISC","name":"http://www.securityfocus.com/archive/1/489218/100/0/threaded"},{"url":"http://www.securityfocus.com/archive/1/490056/100/0/threaded","refsource":"MISC","name":"http://www.securityfocus.com/archive/1/490056/100/0/threaded"},{"url":"http://www.securityfocus.com/bid/28123","refsource":"MISC","name":"http://www.securityfocus.com/bid/28123"},{"url":"http://www.securitytracker.com/id?1019562","refsource":"MISC","name":"http://www.securitytracker.com/id?1019562"},{"url":"http://www.vupen.com/english/advisories/2008/0787","refsource":"MISC","name":"http://www.vupen.com/english/advisories/2008/0787"},{"url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41010","refsource":"MISC","name":"https://exchange.xforce.ibmcloud.com/vulnerabilities/41010"},{"url":"https://issues.rpath.com/browse/RPL-2338","refsource":"MISC","name":"https://issues.rpath.com/browse/RPL-2338"},{"url":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937","refsource":"MISC","name":"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937"},{"url":"https://www.exploit-db.com/exploits/5215","refsource":"MISC","name":"https://www.exploit-db.com/exploits/5215"},{"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html","refsource":"MISC","name":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html"},{"url":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html","refsource":"MISC","name":"https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html"}]}},"nvd":{"publishedDate":"2008-03-04 23:44:00","lastModifiedDate":"2023-08-01 18:58:00","problem_types":["CWE-22"],"metrics":{"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"AND","children":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"1.8.0","versionEndExcluding":"1.8.5.115","cpe_name":[]},{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","versionStartIncluding":"1.8.6","versionEndExcluding":"1.8.6.114","cpe_name":[]},{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:1.9.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":false,"cpe23Uri":"cpe:2.3:a:ruby-lang:ruby:1.9.0.1:*:*:*:*:*:*:*","cpe_name":[]}]}],"cpe_match":[]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2008","CveId":"1145","Ordinal":"31033","Title":"CVE-2008-1145","CVE":"CVE-2008-1145","Year":"2008"},"notes":[{"CveYear":"2008","CveId":"1145","Ordinal":"1","NoteData":"Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) \"..%5c\" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.","Type":"Description","Title":null},{"CveYear":"2008","CveId":"1145","Ordinal":"2","NoteData":"2008-03-04","Type":"Other","Title":"Published"},{"CveYear":"2008","CveId":"1145","Ordinal":"3","NoteData":"2018-10-11","Type":"Other","Title":"Modified"}]}}}