
170 matches found

OSV
added 2022/06/06 5:23 p.m. | 1 view

USN-5462-1 ruby2.5, ruby2.7, ruby3.0 vulnerabilities

It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. CVE-2022-28738 It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly us...

CVSS 9.8 | AI score 7 | EPSS 0.0387
Exploits 0 | References 3

OSV
added 2022/05/09 6:15 p.m. | 0 views

UBUNTU-CVE-2022-28739

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f...

CVSS 7.5 | AI score 7 | EPSS 0.0387
Exploits 0 | References 10

CNNVD
added 2022/04/14 12:0 a.m. | 3 views

Ruby buffer error vulnerability

Ruby is a cross-platform, object-oriented, dynamically-typed programming language developed by individual developer Yukihiro Matsumoto. A buffer error vulnerability exists in Ruby, which stems from a buffer out-of-bounds read in String-to-Float conversions, including Kernel#Float and String#to_f. Th...

CVSS 7.5 | AI score 7.5 | EPSS 0.0387
Exploits 0 | References 31

Positive Technologies
added 2022/04/12 12:0 a.m. | 4 views

PT-2022-2609

Name of the Vulnerable Software and Affected Versions: Ruby versions 2.6.0 through 2.6.9; Ruby versions 2.7.x through 2.7.5; Ruby versions 3.0.0 through 3.0.3; Ruby versions 3.1.0 through 3.1.1. Description: The issue is related to a buffer over-read in Ruby, specifically in String-to-Float conversion,...

CVSS 9.8 | AI score 8 | EPSS 0.06811
Exploits 8 | References 207

Positive Technologies
added 2022/04/12 12:0 a.m. | 2 views

PT-2022-2610

Name of the Vulnerable Software and Affected Versions: Ruby versions 3.0.0 through 3.0.3; Ruby versions 3.1.0 through 3.1.1. Description: A double free was found in the Regexp compiler. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected...

CVSS 9.8 | AI score 7.7 | EPSS 0.06811
Exploits 8 | References 113

RedHat Linux
added 2022/02/21 9:4 a.m. | 1 view

ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network...

CVSS 7.8 | AI score 7.2 | EPSS 0.05086
Exploits 0 | References 5

RedHat Linux
added 2022/02/21 8:55 a.m. | 1 view

ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network...

CVSS 7.8 | AI score 7.2 | EPSS 0.05086
Exploits 0 | References 5

OSV
added 2022/02/06 9:15 p.m. | 3 views

DEBIAN-CVE-2021-41816

CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms such as Windows where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby...

CVSS 9.8 | AI score 7.5 | EPSS 0.04766
Exploits 1 | References 1

OSV
added 2022/01/22 11:3 a.m. | 5 views

OESA-2022-1497 ruby security update

Object-oriented scripting language interpreter. Security Fixes: CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. CVE-2021-41819...

CVSS 7.5 | AI score 6.8 | EPSS 0.02931
Exploits 1 | References 2

OSV
added 2022/01/01 6:15 a.m. | 7 views

AZL-7126 CVE-2021-41819 affecting package ruby for versions less than 3.1.2-2

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby...

CVSS 7.5 | AI score 6.7 | EPSS 0.02931
Exploits 1 | References 1

OSV
added 2022/01/01 6:15 a.m. | 3 views

UBUNTU-CVE-2021-41819

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby...

CVSS 7.5 | AI score 6.8 | EPSS 0.02931
Exploits 1 | References 5

Positive Technologies
added 2021/11/24 12:0 a.m. | 2 views

PT-2021-7376

Name of the Vulnerable Software and Affected Versions: Ruby versions through 2.6.8; CGI gem versions through 0.3.0. Description: The issue is related to the CGI::Cookie.parse function in Ruby, which mishandles security prefixes in cookie names. This allows a remote attacker to impact data integrity...

CVSS 9.8 | AI score 7.8 | EPSS 0.06811
Exploits 9 | References 193

OSV
added 2021/07/21 2:20 p.m. | 0 views

USN-5020-1 ruby2.3, ruby2.5, ruby2.7 vulnerabilities

It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. CVE-2021-31799 It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to conduct port scans and service banner...

CVSS 7.4 | AI score 6.9 | EPSS 0.0305
Exploits 2 | References 4

RedHat Linux
added 2021/06/29 4:10 p.m. | 2 views

ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network...

CVSS 7.8 | AI score 7.2 | EPSS 0.05086
Exploits 0 | References 5

RedHat Linux
added 2021/06/03 11:21 a.m. | 4 views

ruby: Potential HTTP request smuggling in WEBrick

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy which also has a po...

CVSS 7.5 | AI score 7.2 | EPSS 0.03772
Exploits 0 | References 5

RedHat Linux
added 2021/05/26 7:41 a.m. | 2 views

ruby: Code injection via command argument of Shell#test / Shell#[]

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method...

CVSS 8.1 | AI score 7.4 | EPSS 0.04221
Exploits 1 | References 4

Microsoft CVE
added 2021/04/30 7:0 a.m. | 5 views

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

...

CVSS 7.5 | AI score 7 | EPSS 0.05061
Exploits 0

OSV
added 2021/04/21 7:15 a.m. | 3 views

DEBIAN-CVE-2021-28965

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing...

CVSS 7.5 | AI score 6.7 | EPSS 0.05061
Exploits 0 | References 1

OSV
added 2021/04/21 7:15 a.m. | 4 views

ALPINE-CVE-2021-28965

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing...

CVSS 7.5 | AI score 7 | EPSS 0.05061
Exploits 0 | References 1

OSV
added 2021/04/21 7:15 a.m. | 3 views

AZL-6860 CVE-2021-28965 affecting package ruby for versions less than 2.7.4-1

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing...

CVSS 7.5 | AI score 6.7 | EPSS 0.05061
Exploits 0 | References 1