17 matches found

RedHat Linux
added 2026/05/07 6:00 p.m. | 4 views

Rails: Active Support: Active Support: Denial of Service via large scientific notation strings

A flaw was found in Active Support, a toolkit of support libraries for Ruby on Rails. A remote attacker can exploit this vulnerability by providing specially crafted strings containing scientific notation (e.g., "1e10000") to number helpers. This input causes the BigDecimal component to expand into...

CVSS 8.7 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 11

NVD
added 2026/03/24 12:16 a.m. | 4 views

CVE-2026-33176

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which BigDecimal expands into extremely large...

CVSS 8.7 | EPSS 0.00032
Exploits: 0 | References: 7

Vulnrichment
added 2026/03/23 11:29 p.m. | 3 views

CVE-2026-33176 Rails Active Support has a possible DoS vulnerability in its number helpers

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which BigDecimal expands into extremely large...

CVSS 8.7 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 7

CVE
added 2026/03/23 11:29 p.m. | 6 views

CVE-2026-33176

The connected advisory GHSA-2J26-FRM8-CMJ9 confirms a DoS in Rails Active Support number helpers: parsing strings with scientific notation (e.g., 1e10000) can expand to huge decimals, causing excessive memory and CPU usage. This is triggered during number formatting and may lead to DoS. Fixed rel...

CVSS 8.7 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 7 | Affected software: 1

Snyk
added 2025/06/29 12:30 a.m. | 2 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the BigDecimal and BigInteger handling in the MessageSerializer class. An attacker can execute arbitrary code or manipulate application behavior by providing crafted serialized objects. Details...

CVSS 8.8 | AI score 7.8 | EPSS 0.00296
Exploits: 0 | References: 2

Snyk
added 2025/06/29 12:30 a.m. | 1 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the BigDecimal and BigInteger handling in the MessageSerializer class. An attacker can execute arbitrary code or manipulate application behavior by providing crafted serialized objects. Details...

CVSS 8.8 | AI score 7.8 | EPSS 0.00296
Exploits: 0 | References: 2

Snyk
added 2025/06/29 12:30 a.m. | 1 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the BigDecimal and BigInteger handling in the MessageSerializer class. An attacker can execute arbitrary code or manipulate application behavior by providing crafted serialized objects. Details...

CVSS 8.8 | AI score 7.5 | EPSS 0.00296
Exploits: 0 | References: 2

Snyk
added 2025/06/29 12:30 a.m. | 1 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the BigDecimal and BigInteger handling in the MessageSerializer class. An attacker can execute arbitrary code or manipulate application behavior by providing crafted serialized objects. Details...

CVSS 8.8 | AI score 7.8 | EPSS 0.00296
Exploits: 0 | References: 2

RedHat Linux
added 2023/10/25 2:53 p.m. | 1 views

apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale

A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service...

CVSS 5.3 | AI score 7.1 | EPSS 0.00158
Exploits: 0 | References: 5

RedHat Linux
added 2023/10/05 10:37 p.m. | 2 views

apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale

A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service...

CVSS 5.3 | AI score 7.1 | EPSS 0.00158
Exploits: 0 | References: 5

RedHat Linux
added 2023/10/04 11:59 a.m. | 2 views

apache-johnzon: Prevent inefficient internal conversion from BigDecimal at large scale

A flaw was found in Apache Johnzon. This issue could allow an attacker to craft a specific JSON input that Johnzon will deserialize into a BigDecimal, which Johnzon may use to start converting large numbers, resulting in a denial of service...

CVSS 5.3 | AI score 7.1 | EPSS 0.00158
Exploits: 0 | References: 5

OSV
added 2023/09/14 9:30 a.m. | 22 views

GHSA-CGWF-W82Q-5JRR Apache Commons Compress denial of service vulnerability

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing. This issue affects Apache Commons Compress: from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed...

CVSS 5.5 | AI score 6.7 | EPSS 0.00014
Exploits: 0 | References: 5

OSV
added 2023/07/07 12:30 p.m. | 0 views

GHSA-CRQG-JRPJ-FC84 Apache Johnzon Deserialization of Untrusted Data vulnerability

A malicious attacker can craft up some JSON input that uses large numbers (numbers such as 1e20000000) that Apache Johnzon will deserialize into BigDecimal and maybe use numbers too large which may result in a slow conversion (Denial of service risk). Apache Johnzon 1.2.21 mitigates this by setting a...

CVSS 5.3 | AI score 6.4 | EPSS 0.00158
Exploits: 0 | References: 5

RedHat Linux
added 2019/06/18 5:22 p.m. | 4 views

OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936)

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via...

CVSS 7.5 | AI score 7.3 | EPSS 0.00233
Exploits: 0 | References: 4

RedHat Linux
added 2019/06/04 1:25 p.m. | 3 views

OpenJDK: Slow conversion of BigDecimal to long (Libraries, 8211936)

Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Libraries). Supported versions that are affected are Java SE: 7u211, 8u202, 11.0.2 and 12; Java SE Embedded: 8u201. Easily exploitable vulnerability allows unauthenticated attacker with network access via...

CVSS 7.5 | AI score 7.3 | EPSS 0.00233
Exploits: 0 | References: 4

OSV
added 2019/05/13 7:36 p.m. | 1 views

USN-3975-1 openjdk-8, openjdk-lts vulnerabilities

It was discovered that the BigDecimal implementation in OpenJDK performed excessive computation when given certain values. An attacker could use this to cause a denial of service (excessive CPU usage). (CVE-2019-2602) Corwin de Boor and Robert Xiao discovered that the RMI registry implementation in...

CVSS 8.1 | AI score 6.7 | EPSS 0.08919
Exploits: 2 | References: 5

Tenable Nessus
added 2009/09/24 12:00 a.m. | 42 views

SuSE9 Security Update : ruby (YOU Patch Number 12452)

This update for ruby fixes the following security issues:
- Improve return value checks for OpenSSL function OCSP_basic_verify to refuse usage of revoked certificates. (CVE-2009-0642)
- Increase entropy of DNS identifiers to avoid spoofing attacks. (CVE-2008-3905)
- Fix denial of service DoS...

CVSS 7.8 | AI score 5.2 | EPSS 0.7933
Exploits: 32 | References: 16