CVE-2008-1145

Exp

Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.

Published: 2008-03-04 Last update: 2026-04-23 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2008-1145 is rated High Exploit Risk (64.4/100): CVSS Medium severity, with high exploitation likelihood (EPSS 59.85%, 98th percentile). 3 public exploit reference(s) are indexed (Exploit-DB). Public exploits are available—assess exposure, apply mitigations, and prioritize patching.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2008-1145

EDB-ID Source Kind Published Link
5215 exploit_db edb 2008-03-06 Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2008-1145

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2025-12-28 65.46% 59.85% -5.61%
2 2025-12-27 59.87% 65.46% +5.59%
3 2025-11-30 59.87%

Full EPSS history (31 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2008-1145

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.0 2.0 MEDIUM
AV:N/AC:L/Au:N/C:P/I:N/A:N Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:N)
No integrity impact.
Availability impact (A:N)
No availability impact.
 10.0 2.9 [email protected]

Weakness enumeration for CVE-2008-1145

OS Trackers for CVE-2008-1145

vendor priority summary link
redhat low https://access.redhat.com/security/cve/CVE-2008-1145
ubuntu medium CVE-2008-1145 medium priority: Ubuntu including 2 source packages (ruby1.8, ruby1.9), 10 status rows across 5 suites (dapper, edgy, feisty, gutsy, upstream): not-affected 8, released 2. https://ubuntu.com/security/CVE-2008-1145

Vendor comments (NVD) for CVE-2008-1145

  • Red Hat (2008-12-04T00:00:00)

    This issue was addressed in affected versions of Ruby as shipped in Red Hat Enterprise Linux 4 and 5 via: https://rhn.redhat.com/errata/RHSA-2008-0897.html

Affected software / configurations for CVE-2008-1145

Vendor Product Version Raw CPE
ruby-lang webrick cpe:2.3:a:ruby-lang:webrick:-:*:*:*:*:ruby:*:*
fedoraproject fedora 7 cpe:2.3:o:fedoraproject:fedora:7:*:*:*:*:*:*:*
fedoraproject fedora 8 cpe:2.3:o:fedoraproject:fedora:8:*:*:*:*:*:*:*

References for CVE-2008-1145

URL Tags
http://lists.apple.com/archives/security-announce/2008//Jun/msg00002.html Broken Link Mailing List
http://lists.opensuse.org/opensuse-security-announce/2008-08/msg00006.html Mailing List Third Party Advisory
http://secunia.com/advisories/29232 Not Applicable Vendor Advisory
http://secunia.com/advisories/29357 Not Applicable Vendor Advisory
http://secunia.com/advisories/29536 Not Applicable
http://secunia.com/advisories/30802 Not Applicable
http://secunia.com/advisories/31687 Not Applicable
http://secunia.com/advisories/32371 Not Applicable
http://support.apple.com/kb/HT2163 Third Party Advisory
http://wiki.rpath.com/Advisories:rPSA-2008-0123 Broken Link
http://wiki.rpath.com/wiki/Advisories:rPSA-2008-0123 Broken Link
http://www.kb.cert.org/vuls/id/404515 Third Party Advisory US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2008:141 Broken Link
http://www.mandriva.com/security/advisories?name=MDVSA-2008:142 Broken Link
http://www.redhat.com/support/errata/RHSA-2008-0897.html Third Party Advisory
http://www.ruby-lang.org/en/news/2008/03/03/webrick-file-access-vulnerability/ Exploit Patch Vendor Advisory
http://www.securityfocus.com/archive/1/489205/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/489218/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/archive/1/490056/100/0/threaded Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/28123 Broken Link Third Party Advisory VDB Entry
http://www.securitytracker.com/id?1019562 Broken Link Third Party Advisory VDB Entry
http://www.vupen.com/english/advisories/2008/0787 Permissions Required
http://www.vupen.com/english/advisories/2008/1981/references Permissions Required
https://exchange.xforce.ibmcloud.com/vulnerabilities/41010 Third Party Advisory VDB Entry
https://issues.rpath.com/browse/RPL-2338 Broken Link
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10937 Broken Link
https://www.exploit-db.com/exploits/5215 Exploit Third Party Advisory VDB Entry
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00338.html Third Party Advisory
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00354.html Third Party Advisory
cvelogic Threat Intelligence