Astra Linux - уязвимость в ruby2.5

REXML is an XML toolkit for Ruby. The REXML gem version 3.3.2 has a DoS vulnerability when it parses an XML document that contains many entity expansions using SAX2 or the pull parser API. The REXML gem versions 3.3.3 and later include a patch to fix this vulnerability...

Astra Linux - уязвимость в ruby-websocket-extensions

The websocket-extensions Ruby module before version 0.1.5 allowed Denial of Service DoS attacks through Regex backtracking. The extension parser could take quadratic time when parsing a header containing an unclosed string parameter value whose content was a repeated two-byte sequence of a...

Astra Linux - уязвимость в ruby2.5

In the CGI gem before version 0.4.2 for Ruby, there is a Regular Expression Denial of Service ReDoS vulnerability in the UtilescapeElement method...

Astra Linux - уязвимость в ruby-loofah

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. Loofah = 2.1.0; versions less than 2.19.1 are vulnerable to cross-site scripting due to the image/svg+xml media type in data URIs. This issue has been fixed in version 2.19.1...

Astra Linux - уязвимость в ruby-rack

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforced its paramslimit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters...

Astra Linux – Vulnerability in Ruby 2.5

REXML is an XML toolkit for Ruby. The REXML gem prior to version 3.3.9 has a ReDoS vulnerability when it parses an XML document containing many digits between “&” and “x…” in a hexadecimal character reference &x…. This issue does not occur in Ruby 3.2 or later versions. Ruby 3.1 is the only...

Astra Linux - уязвимость в ruby-rack

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial-of-service vulnerability ReDos, degree 2 polynomial. This vulnerability has been fixed in 3.0.9.1 and 2.2.8.1...

Astra Linux - уязвимость в ruby-rails-html-sanitizer

Rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there was a potential XSS vulnerability with certain configurations of Rails::Html::Sanitizer, due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer might allow an attacke...

Astra Linux - уязвимость в ruby-rack

A sequence injection vulnerability exists in Rack versions 2.0.9.1, 2.1.4.1, and 2.2.3.1. This vulnerability could allow for shell escapes in the Lint and CommonLogger components of Rack...

Astra Linux - уязвимость в ruby-sinatra

In versions of Sinatra before 2.2.0, it does not validate that the expanded path matches publicdir when serving static files...

Astra Linux - уязвимость в ruby2.5

There is a buffer over-read issue in Ruby before version 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. This issue occurs during the conversion from strings to floats, including in methods like KernelFloat and Stringtof...

Astra Linux - уязвимость в ruby2.5, jruby

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby, up to 3.2.1. The Time parser improperly handles invalid URLs that contain specific characters. This causes an increase in execution time when parsing strings into Time objects. The fixed versions are 0.1.1 and 0.2.2...

Astra Linux - уязвимость в puma

Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP requests comply with the RFC7230 standard, Puma and the frontend proxy may disagree about where the requests start and...

Astra Linux – Vulnerability in Ruby 2.5

A issue was discovered in RDoc versions 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdocoptions used for configuration in RDoc as a YAML file, object injection and resulting remote code execution are possible because there are no restrictions on the classes that c...

Astra Linux - уязвимость в ruby2.5

In the date gem for Ruby, from version 3.2.0 onwards, Date.parse can cause ReDoS Regular Expression Denial of Service attacks due to the use of a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1...

Astra Linux - уязвимость в ruby2.5

REXML is an XML toolkit for Ruby. The REXML gem before version 3.3.6 has a DoS vulnerability when it parses XMLs that contain many elements with the same local name attribute. If you need to parse untrusted XMLs using tree parser APIs like REXML::Document.new, you may be vulnerable to this...

Astra Linux - уязвимость в ruby2.5, jruby

A issue was discovered in Ruby between versions 2.6.7, 2.7.x up to 2.7.3, and 3.x up to 3.0.1. The Net::IMAP library does not raise an exception when the StartTLS command fails with an unknown response. This may allow man-in-the-middle attackers to bypass TLS protections by leveraging the network...

Astra Linux - уязвимость в ruby2.5

The REXML gem before version 3.2.5 in Ruby, before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly handle XML round-trip issues. An incorrect document may be generated after parsing and serializing...

Astra Linux - уязвимость в ruby-kramdown

Before version 2.3.1, Kramdown did not restrict Rouge formatters to the Rouge::Formatters namespace, allowing arbitrary classes to be instantiated...

Astra Linux - уязвимость в ruby2.5

REXML is an XML toolkit for Ruby. The REXML gem before version 3.3.1 has some DoS vulnerabilities when it parses XML that contains many special characters such as . If you need to parse untrusted XMLs, you may be affected by these vulnerabilities. The REXML gem version 3.3.2 or later includes...