MiracleLinux 7 : rh-ruby25-ruby-2.5.3-6.el7 (AXSA:2019-3613:01)

🗓️ 16 Jan 2026 00:00:00Reported by TenableType

MiracleLinux 7 hosts have Ruby and Rubygems vulnerabilities listed in AXSA-2019-3613:01.

Reporter	Title	Published	Views	Family All 686
Tenable Nessus	macOS 10.13.x < 10.13.6 Multiple Vulnerabilities	10 Apr 201900:00	–	nessus
Tenable Nessus	Amazon Linux 2 : ruby (ALAS-2018-983)	18 Apr 201800:00	–	nessus
Tenable Nessus	Amazon Linux 2 : ruby (ALAS-2019-1143)	10 Jan 201900:00	–	nessus
Tenable Nessus	Amazon Linux 2 : ruby (ALAS-2019-1276)	28 Aug 201900:00	–	nessus
Tenable Nessus	Amazon Linux AMI : ruby23 / ruby24 (ALAS-2018-1113)	7 Dec 201800:00	–	nessus
Tenable Nessus	Amazon Linux AMI : ruby20 / ruby22,ruby23,ruby24 (ALAS-2018-983)	6 Apr 201800:00	–	nessus
Tenable Nessus	Amazon Linux AMI : ruby20 (ALAS-2020-1416)	13 Aug 202000:00	–	nessus
Tenable Nessus	CentOS 7 : ruby (CESA-2018:3738)	14 Dec 201800:00	–	nessus
Tenable Nessus	CentOS 7 : ruby (CESA-2019:2028)	30 Aug 201900:00	–	nessus
Tenable Nessus	Debian DLA-1336-1 : rubygems security update	2 Apr 201800:00	–	nessus

Source	Link
tsn	www.tsn.miraclelinux.com/en/node/10062
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2019-3613:01.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(289679);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/16");

  script_cve_id(
    "CVE-2017-17742",
    "CVE-2018-6914",
    "CVE-2018-8777",
    "CVE-2018-8778",
    "CVE-2018-8779",
    "CVE-2018-8780",
    "CVE-2018-16395",
    "CVE-2018-16396",
    "CVE-2018-1000073",
    "CVE-2018-1000074",
    "CVE-2018-1000075",
    "CVE-2018-1000076",
    "CVE-2018-1000077",
    "CVE-2018-1000078",
    "CVE-2018-1000079"
  );

  script_name(english:"MiracleLinux 7 : rh-ruby25-ruby-2.5.3-6.el7 (AXSA:2019-3613:01)");

  script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2019-3613:01 advisory.

    * ruby: OpenSSL::X509::Name equality check does not work correctly (CVE-2018-16395)
    * ruby: HTTP response splitting in WEBrick (CVE-2017-17742)
    * ruby: DoS by large request in WEBrick (CVE-2018-8777)
    * ruby: Buffer under-read in String#unpack (CVE-2018-8778)
    * ruby: Unintentional directory traversal by poisoned NULL byte in Dir (CVE-2018-8780)
    * ruby: Tainted flags are not propagated in Array#pack and String#unpack with some directives
    (CVE-2018-16396)
    * rubygems: Path traversal when writing to a symlinked basedir outside of the root (CVE-2018-1000073)
    * rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on
    specially crafted YAML (CVE-2018-1000074)
    * rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
    (CVE-2018-1000076)
    * rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage
    URL (CVE-2018-1000077)
    * rubygems: XSS vulnerability in homepage attribute when displayed via gem server (CVE-2018-1000078)
    * rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
    (CVE-2018-1000079)
    * ruby: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
    (CVE-2018-6914)
    * ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket (CVE-2018-8779)
    * rubygems: Infinite loop vulnerability due to negative size in tar header causes Denial of Service
    (CVE-2018-1000075)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/10062");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8780");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2018-16395");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_set_attribute(attribute:"vendor_severity", value:"High");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/23");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-ruby-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-ruby-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-ruby-irb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-ruby-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-bigdecimal");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-did_you_mean");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-io-console");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-minitest");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-net-telnet");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-power_assert");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-psych");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-rake");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-rdoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-test-unit");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygem-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygems");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:rh-ruby25-rubygems-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Miracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);

if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);

var constraints = [
  {
    'release': '7',
    'pkgs': [
      {'reference':'rh-ruby25-ruby-2.5.3-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-ruby-devel-2.5.3-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-ruby-doc-2.5.3-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-ruby-irb-2.5.3-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-ruby-libs-2.5.3-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-bigdecimal-1.3.4-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-did_you_mean-1.2.0-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-io-console-0.4.6-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-json-2.1.0-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-minitest-5.10.3-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-net-telnet-0.1.1-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-openssl-2.1.2-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-power_assert-1.1.1-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-psych-3.0.2-6.el7', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-rake-12.3.0-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-rdoc-6.0.1-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-test-unit-3.2.7-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygem-xmlrpc-0.3.0-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygems-2.7.6-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
      {'reference':'rh-ruby25-rubygems-devel-2.7.6-6.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}
if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'rh-ruby25-ruby / rh-ruby25-ruby-devel / rh-ruby25-ruby-doc / etc');
}

16 Jan 2026 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 27.5

CVSS 39.8

EPSS0.0421