CVE-2015-4410: 
Ruby vulnerability analysis and mitigation

CVE-2015-4410 affects the Moped::BSON::ObjecId.legal? method in rubygem-moped before commit dd5a7c14b5d2e466f7875d079af71ad19774609b. The vulnerability was discovered in 2015 and involves improper input validation in the regular expression implementation used for validating ObjectId strings (Sakurity Blog, OSS Security).

The vulnerability stems from the use of ^$ anchors in regular expressions instead of \A\z for string boundary matching in Ruby. The vulnerable implementation used the pattern /^[0-9a-f]{24}$/i for validating ObjectId strings, which in Ruby's default multiline mode allows for injection of newline characters, bypassing the intended validation (Sakurity Blog). The vulnerability has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The vulnerability allows remote attackers to cause a denial of service (worker resource consumption) through crafted strings or perform cross-site scripting (XSS) attacks. When exploited, it can cause MongoDB to respond with assertion errors, leading to multiple retry attempts and resource consumption (Sakurity Blog, Red Hat Bugzilla).

The vulnerability was fixed by replacing the vulnerable regular expression pattern /^[0-9a-f]{24}$/i with /\A\h{24}\z/i. Users should update to a version of rubygem-moped that includes commit dd5a7c14b5d2e466f7875d079af71ad19774609b or later (Github Commit).

The security community highlighted this as an example of a common Ruby regular expression pitfall. The vulnerability sparked discussions about the default behavior of regular expression anchors in Ruby and proper string boundary matching practices (Homakov Blog).