CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedHat Linux•added 2024/05/22 9:40 a.m.•4 views

rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing

A denial of service DoS vulnerability was found in rubygem-rack in how it parses Rack Header. Carefully crafted headers can cause header parsing in Rack to take longer than expected, resulting in a possible denial of service issue. Accept and Forwarded headers are impacted...

7.5CVSS6.6AI score0.01996EPSS

OSV•added 2024/05/19 8:15 p.m.•7 views

CVE-2024-36078

In Zammad before 6.3.1, a Ruby gem bundled by Zammad is installed with world-writable file permissions. This allowed a local attacker on the server to modify the gem's files, injecting arbitrary code into Zammad processes which run with the environment and permissions of the Zammad user...

6.7CVSS6.9AI score

NVD•added 2024/05/19 8:15 p.m.•12 views

CVE-2024-36078

6.7CVSS6.7AI score0.00202EPSS

Vulnrichment•added 2024/05/19 7:36 p.m.•16 views

CVE-2024-36078

7AI score0.00202EPSS

CVE•added 2024/05/19 7:36 p.m.•51 views

CVE-2024-36078

The CVE-2024-36078 issue affects Zammad prior to 6.3.1, where a bundled Ruby gem is installed with world-writable permissions. This enables a local attacker on the server to modify the gem’s files and inject arbitrary code into Zammad processes running under the Zammad user’s environment, potenti...

6.7CVSS6.9AI score0.00202EPSS

Exploits0References1Affected Software1

Cvelist•added 2024/05/19 7:36 p.m.•29 views

CVE-2024-36078

6.7AI score0.00202EPSS

Positive Technologies•added 2024/05/19 12:0 a.m.•3 views

PT-2024-26886 · Zammad · Zammad

Name of the Vulnerable Software and Affected Versions: Zammad versions prior to 6.3.1 Description: A Ruby gem bundled by Zammad is installed with world-writable file permissions, allowing a local attacker on the server to modify the gem's files and inject arbitrary code into Zammad processes. The...

6.7CVSS7.5AI score0.00202EPSS

OSV•added 2024/05/16 4:15 p.m.•1 views

DEBIAN-CVE-2024-35176

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include the patch to fix this...

5.3CVSS6.2AI score0.02064EPSS

Exploits1References1

RedHat Linux•added 2024/04/30 2:52 p.m.•1 views

rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing

7.5CVSS6.6AI score0.01996EPSS

RedHat Linux•added 2024/04/30 2:37 p.m.•0 views

rubygem-rack: Denial of Service Vulnerability in Rack Content-Type Parsing

A denial of service DoS vulnerability was found in rubygem-rack in how it parses Content-Type. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability...

7.5CVSS6.6AI score0.35376EPSS

RedHat Linux•added 2024/04/23 4:29 p.m.•1 views

rubygem-rack: Denial of Service Vulnerability in Rack Content-Type Parsing

7.5CVSS6.6AI score0.35376EPSS

RedHat Linux•added 2024/04/16 3:26 p.m.•1 views

rubygem-rack: Denial of Service Vulnerability in Rack Content-Type Parsing

7.5CVSS6.6AI score0.35376EPSS

RedHat Linux•added 2024/04/01 1:31 a.m.•4 views

rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755

A flaw was found in the rubygem URI. The URI parser mishandles invalid URLs that have specific characters, which causes an increase in execution time parsing strings to URI objects. This issue may result in a regular expression denial of service ReDoS...

5.3CVSS7.5AI score0.02637EPSS

Github Security Blog•added 2024/03/15 7:53 p.m.•15 views

TurboBoost Commands vulnerable to arbitrary method invocation

Impact TurboBoost Commands has existing protections in place to guarantee that only public methods on Command classes can be invoked; however, the existing checks aren't as robust as they should be. It's possible for a sophisticated attacker to invoke more methods than should be permitted dependi...

8.1CVSS7.2AI score0.00796EPSS

Exploits0References6Affected Software2

CNNVD•added 2024/02/29 12:0 a.m.•4 views

json-jwt gem for Ruby Security Vulnerability

The json-jwt gem for Ruby is a Ruby-based JSON Web token. A security vulnerability exists in version 1.16.3 of the json-jwt gem for Ruby, which stems from a vulnerability that allows identity checks to be bypassed via a signature/cryptographic obfuscation attack...

8.4CVSS6.7AI score0.00231EPSS

Exploits1References3

RedhatCVE•added 2024/02/27 6:32 p.m.•37 views

CVE-2024-26143

A vulnerability was found in actionpack ruby gem. Applications using the translate method may be susceptible to a cross-site scripting XSS attack...

4.1CVSS6.1AI score0.01034EPSS

Exploits1References4

RedhatCVE•added 2024/02/26 9:3 p.m.•30 views

CVE-2024-27456

An insecure file permission flaw was found in rack-cors. The permissions for .rb files distributed with rack-cors ruby gem are set to 0666 by default, which may allow users with low privileges to edit files. This issue impacts integrity, confidentiality, and availability...

7.8CVSS6.8AI score0.00771EPSS

Exploits1References3

RedHat Linux•added 2024/02/13 2:45 p.m.•0 views

rubygem-puma: HTTP request smuggling when parsing chunked transfer encoding bodies and zero-length content-length headers

An HTTP request smuggling attack vulnerability was found in Rubygem Puma. This flaw allows an attacker to gain unauthorized access to sensitive data due to an inconsistent interpretation of HTTP requests...

9.8CVSS7.1AI score0.00738EPSS