Moderate severity · NVD Advisory · Published Nov 28, 2012 · Updated Jun 16, 2026
CVE-2012-5370
Description
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jruby:jruby-parent (Maven) | < 1.7.1 | 1.7.1 |
Affected products (6)
- osv-coords (5 versions): pkg:apk/chainguard/jruby-9.4, pkg:apk/chainguard/jruby-9.4-default-ruby, pkg:apk/wolfi/jruby-9.4, pkg:apk/wolfi/jruby-9.4-default-ruby, pkg:maven/org.jruby/jruby-parent; range: < 0 (+ 4 more)
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 0
- (no CPE) range: < 1.7.1
References (10)
- github.com/advisories/GHSA-fmmq-j7pq-f85c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2012-5370 (ghsa, ADVISORY)
- jruby.org/2012/12/03/jruby-1-7-1 (ghsa, WEB)
- rhn.redhat.com/errata/RHSA-2013-0533.html (nvd, WEB)
- bugzilla.redhat.com/show_bug.cgi (nvd, WEB)
- github.com/jruby/jruby/commit/5e4aab28b26fd127112b76fabfac9a33b64caf77 (ghsa, WEB)
- 2012.appsec-forum.ch/conferences/ (nvd)
- asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf (nvd)
- www.ocert.org/advisories/ocert-2012-001.html (nvd)
- www.131002.net/data/talks/appsec12_slides.pdf (nvd)