CVE-2014-9490: sentry-raven allows remote attackers to cause a denial of service via a large exponent value in a scientific number

CVSS Score: 5

Basic Information

EPSS Score: 0.7183%
Published: 10/24/2017
Updated: 11/5/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Package Name    Ecosystem    Vulnerable Versions    First Patched Version
sentry-raven    rubygems     < 0.12.2               0.12.2

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from the numtok() function's handling of scientific notation in JSON parsing. The original code converted exponents by performing 10^N computations, which becomes computationally expensive for large N values. The patch explicitly removes this computation and returns the raw string instead. The CVE description, commit diff, and test case changes all directly implicate this function as the vulnerable component.
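Added example (not sentry-raven's or okjson's own code), modelled on the root-cause description above: a number tokenizer that materialises an integer with an exponent as Integer * 10**N, next to a hardened one that bounds the exponent and converts the raw token in fixed cost. NUM_RE, MAX_EXPONENT and the function names are assumptions made for this example.

```ruby
require 'benchmark'

# Constructed tokenizer shape: integer part, optional fraction, optional exponent.
NUM_RE = /\A(-?(?:[1-9][0-9]*|0))(\.[0-9]+)?(?:[eE]([+-]?[0-9]+))?/

# Vulnerable shape: an integer with an exponent becomes Integer * 10**N.
# Ruby Integers are arbitrary precision, so time and memory grow with N,
# and N comes straight from attacker-controlled JSON input.
def numtok_unsafe(s)
  m = NUM_RE.match(s) or return nil
  if m[3] && !m[2]
    m[1].to_i * (10**m[3].to_i)
  elsif m[2] || m[3]
    Float(m[0])
  else
    m[0].to_i
  end
end

# Hardened shape: never build the bignum. Reject exponents beyond an assumed
# cap (nothing past roughly 1e308 is representable as a Float anyway), then
# let Float() convert the raw token at fixed cost.
MAX_EXPONENT = 400

def numtok_safe(s)
  m = NUM_RE.match(s) or return nil
  if m[3]
    exp = m[3].to_i
    raise ArgumentError, "exponent #{exp} out of range" if exp.abs > MAX_EXPONENT
    Float(m[0])
  elsif m[2]
    Float(m[0])
  else
    m[0].to_i
  end
end

# Seconds the vulnerable path spends on the token "1e#{n}"; grows with n.
def unsafe_cost(n)
  Benchmark.realtime { numtok_unsafe("1e#{n}") }
end

if __FILE__ == $0
  [10_000, 100_000].each { |n| printf("1e%-7d %.4fs\n", n, unsafe_cost(n)) }
  p numtok_safe("1e5")
  begin
    numtok_safe("1e999999999")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Current Ruby releases cap very large Integer#** results themselves (older versions warn and return Infinity past an internal size limit, Ruby 3.4 raises), but that is an interpreter guard; bounding the exponent at the parser, as numtok_safe does, is the fix to rely on.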


WAF Protection Rules

WAF Rule

The `numtok` function in `lib/raven/okjson.rb` in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number.
