Source: OSV, added 2023/09/13 5:15 p.m.

UBUNTU-CVE-2023-4785

Lack of error handling in the TCP server in Google's gRPC starting with version 1.23 on POSIX-compatible platforms (e.g. Linux) allows an attacker to cause a denial of service by initiating a significant number of connections with the server. Note that gRPC C++, Python, and Ruby are affected, but gRPC Jav...

CVSS 7.5 | AI score 7.1 | EPSS 0.00042
Exploits 0 | References 7
Source: BDU FSTEC, added 2023/07/20 12:00 a.m.

The vulnerability of the Ruby programming language’s URI component lies in the use of a regular expression c, which has an inefficient computational cost. This allows attackers to trigger a service failure.

The vulnerability of the Ruby programming language’s URI component is related to the incorrect handling of invalid URL addresses. Exploiting this vulnerability allows a remote attacker to cause service failures...

CVSS 5.3 | AI score 6.7 | EPSS 0.00312
Exploits 0 | References 16 | Affected Software 6
Source: RedHat Linux, added 2023/06/27 3:16 p.m.

ruby/cgi-gem: HTTP response splitting in CGI

A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker to insert a newline character to split a header and inject malicious content to deceive clients...

CVSS 8.8 | AI score 6.8 | EPSS 0.011
Exploits 1 | References 4
Source: Ubuntu, added 2023/05/18 9:35 a.m.

USN-6087-1: Ruby vulnerabilities

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-28755) It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to cause a deni...

CVSS 5.3 | AI score 7.6 | EPSS 0.00604
Exploits 0
Source: OSV, added 2023/03/31 4:15 a.m.

DEBIAN-CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2...

CVSS 5.3 | AI score 7.4 | EPSS 0.00604
Exploits 0 | References 1
Source: SUSE CVE, added 2023/02/15 4:33 a.m.

SUSE CVE-2018-3741

There is a possible XSS vulnerability in all rails-html-sanitizer gem versions below 1.0.4 for Ruby. The gem allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments, and these attributes can lead to an XSS attack on target applications...

CVSS 6.5 | AI score 6.2 | EPSS 0.00121
Exploits 0 | References 7
Source: SUSE CVE, added 2023/02/15 4:06 a.m.

SUSE CVE-2019-18848

The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string...

CVSS 7.5 | AI score 7.5 | EPSS 0.00207
Exploits 0 | References 4
Source: SUSE CVE, added 2023/02/15 4:00 a.m.

SUSE CVE-2020-10663

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsi...

CVSS 8 | AI score 6.9 | EPSS 0.05892
Exploits 0 | References 12
Source: SUSE CVE, added 2023/02/15 3:41 a.m.

SUSE CVE-2021-32066

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between th...

CVSS 7.4 | AI score 6.5 | EPSS 0.00074
Exploits 1 | References 35
Source: BDU FSTEC, added 2022/10/21 12:00 a.m.

The vulnerability of the Arr-pm library for writing/reading RPM packages for the Ruby programming language interpreter allows a perpetrator to execute arbitrary commands.

The vulnerability of the Arr-pm library for writing/reading RPM packages for the Ruby programming language exists because measures to neutralize special elements used in operating system commands are not taken. Exploiting this vulnerability can allow an attacker to execute arbitrary commands...

CVSS 7 | AI score 7.5 | EPSS 0.00266
Exploits 1 | References 5 | Affected Software 1
Source: BDU FSTEC, added 2022/09/14 12:00 a.m.

The vulnerability of Ruby programming language date parsing methods, related to uncontrolled resource consumption, allows attackers to cause service failures.

The vulnerability of Ruby programming language date parsing methods is related to an uncontrolled consumption of resources. Exploiting this vulnerability allows a malicious actor to cause service failures...

CVSS 7.8 | AI score 6.6 | EPSS 0.00495
Exploits 1 | References 14 | Affected Software 5
Source: BDU FSTEC, added 2022/05/23 12:00 a.m.

The vulnerability of the “String to CSV conversion” algorithm in the Kernel#Float and String#to_f methods of the Ruby language interpreter allows an attacker to cause a service failure.

The vulnerability of the String#to_f and Kernel#Float methods in the Ruby language interpreter involves operations that go beyond buffer boundaries in memory. Exploiting this vulnerability could allow an attacker to cause a service failure...

CVSS 7.5 | AI score 6.8 | EPSS 0.00332
Exploits 0 | References 13 | Affected Software 6
Source: CVE, added 2022/05/12 11:55 p.m.

CVE-2022-29218

CVE-2022-29218 affects RubyGems, the Ruby package registry. An ordering mistake in the gem-upload code allowed some gems (platforms ending with numbers, e.g., arm64-darwin-21) to be temporarily replaced in the CDN cache by a malicious package. The issue has been patched, and a broad review of log...

CVSS 7.7 | AI score 7.5 | EPSS 0.00486
Exploits 1 | References 2 | Affected Software 1
Source: ATTACKERKB, added 2022/05/09 6:15 p.m.

CVE-2022-28738

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations...

CVSS 9.8 | AI score 6.7 | EPSS 0.00459
Exploits 0 | References 6
Source: Cvelist, added 2022/05/05 10:05 p.m.

CVE-2022-29176 Unauthorized gem takeover for some gems on rubygems.org

Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one or more dashes i...

CVSS 9.9 | AI score 9.6 | EPSS 0.00572
Exploits 0 | References 3
Source: CNNVD, added 2022/04/14 12:00 a.m.

Ruby resource management error vulnerability

Ruby is a cross-platform, object-oriented, dynamically-typed programming language from the individual developer, Yukihiro Matsumoto. A resource management error vulnerability exists in Ruby. The vulnerability allows an attacker to write to unexpected memory locations using specially crafted regul...

CVSS 9.8 | AI score 7.2 | EPSS 0.00459
Exploits 0 | References 16
Source: CNVD, added 2022/04/12 12:00 a.m.

mruby buffer overflow vulnerability (CNVD-2022-31851)

mruby is a lightweight implementation of the Ruby language. mruby/mruby versions prior to 3.2 (GitHub repository mruby/mruby) are vulnerable to a buffer error that stems from out-of-range reads of the mrbget parameter. An attacker could exploit this vulnerability to execute arbitrary code...

CVSS 9.8 | AI score 5.4 | EPSS 0.00803
Exploits 1 | References 1
Source: CNVD, added 2022/03/29 12:00 a.m.

Unspecified vulnerability in mruby (CNVD-2022-25188)

mruby is a lightweight implementation of the Ruby language. A security vulnerability exists in mruby 3.1 and earlier, which stems from a use-after-free in mrb_vm_exec. No details of the vulnerability are provided at this time...

CVSS 8.2 | AI score 6.7 | EPSS 0.00237
Exploits 1 | References 1
Source: RedHat Linux, added 2022/02/28 7:00 p.m.

ruby: StartTLS stripping vulnerability in Net::IMAP

Ruby's Net::IMAP module did not raise an exception when receiving an unexpected response to the STARTTLS command, and the connection was not upgraded to use TLS. A man-in-the-middle attacker could use this flaw to prevent Ruby applications using Net::IMAP from enabling TLS encryption for a connection ...

CVSS 7.4 | AI score 7.2 | EPSS 0.00074
Exploits 1 | References 5
Source: Rockylinux, added 2022/02/24 3:11 p.m.

ruby:2.5 security update

An update is available for rubygem-bson, rubygem-mysql2, rubygem-bundler, ruby, rubygem-mongo, rubygem-pg, and rubygem-abrt. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the C...

CVSS 7.4 | AI score 7.7 | EPSS 0.00668
Exploits 2