VIR Vulnerability Intelligence Relay

CVE-2016-2337

critical
Published 2017-01-06 · Modified 2026-05-06
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-2337.html

OS impact
OSVersionStatusFixed in
suse slesaffected

Application impact
VendorProductVersionsFixed
ruby-langruby2.2.2
ruby-langruby2.3.0

References

Verify integrity in audit chain (admin only). AS-IS.