
CVE-2015-4410: Moped Rubygem Data Injection Vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.83986%
Published: 8/19/2020
Updated: 8/25/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name  Ecosystem  Vulnerable Versions  First Patched Version
moped         rubygems   < 1.5.3              1.5.3
moped         rubygems   >= 2.0.0, < 2.0.5    2.0.5

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from the regex validation in the Moped::BSON::ObjectId.legal? method. The original implementation used /^[0-9a-f]{24}$/i, which does not anchor the entire string in Ruby, because ^ and $ match at line boundaries rather than at the start and end of the string. Commit dd5a7c14b5d2e466f7875d079af71ad19774609b fixed this by replacing ^/$ with \A/\z. The flaw allowed inputs with trailing newlines or multi-line data to pass validation, enabling resource consumption (DoS) or BSON injection. The GitHub advisory, the CVE description, and supporting technical analysis (e.g., the Sakurity blog) explicitly identify this function as the root cause.
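To make the anchoring difference concrete, here is an added Ruby example (not Moped's own code) that runs the original line-anchored pattern and the fixed string-anchored pattern over constructed inputs; the method names, the extra \Z variant shown as a caveat, and the sample strings are assumptions.

```ruby
# Added illustration of CVE-2015-4410 (not code from the Moped project).
# In Ruby, ^ and $ match at line boundaries, so a 24-hex-char run followed by
# "\n" and more data still satisfies the original pattern. \A and \z match only
# the absolute start and end of the string.
LEGAL_LINE_ANCHORED   = /^[0-9a-f]{24}$/i    # original, vulnerable pattern
LEGAL_STRING_ANCHORED = /\A[0-9a-f]{24}\z/i  # fixed pattern from the commit
LEGAL_NEWLINE_TOLERANT = /\A[0-9a-f]{24}\Z/i # caveat: \Z still allows one trailing "\n"

# Assumed shape of the check: returns true when the whole value is an ObjectId.
def legal_before_fix?(value)
  value.to_s.match?(LEGAL_LINE_ANCHORED)
end

def legal_after_fix?(value)
  value.to_s.match?(LEGAL_STRING_ANCHORED)
end

def legal_with_upper_z?(value)
  value.to_s.match?(LEGAL_NEWLINE_TOLERANT)
end

# Constructed sample inputs (not taken from any real system).
VALID_ID            = "507f1f77bcf86cd799439011"
TRAILING_NEWLINE_ID = "507f1f77bcf86cd799439011\n"
MULTILINE_PAYLOAD   = "x\n507f1f77bcf86cd799439011\nanything goes here\n"
TOO_SHORT           = "507f1f77bcf86cd7994390"

# Evaluate one input under all three patterns; used by the table below.
def compare(value)
  {
    before: legal_before_fix?(value),
    after:  legal_after_fix?(value),
    upper_z: legal_with_upper_z?(value),
  }
end

if $PROGRAM_NAME == __FILE__
  { valid: VALID_ID, trailing_newline: TRAILING_NEWLINE_ID,
    multiline: MULTILINE_PAYLOAD, too_short: TOO_SHORT }.each do |name, input|
    r = compare(input)
    puts format("%-17s before=%-5s after=%-5s \\Z=%-5s", name, r[:before], r[:after], r[:upper_z])
  end
end
```

Only the `\z` form rejects both the trailing-newline and the multi-line inputs, which is why the fix uses lowercase `\z` rather than `\Z`.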
