684 matches found

Debian CVE, added 2021/06/11 3:49 p.m., 26 views

CVE-2021-22902

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch t...

CVSS 7.5, AI score 6.2, EPSS 0.00677
Exploits: 1
CVE, added 2021/06/11 3:49 p.m., 156 views

CVE-2021-22904

CVE-2021-22904 concerns Rails Action Pack/token authentication DoS due to a too-permissive regular expression in Action Controller. Affected component: actionpack Ruby gem (versions before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6). Impact: potential denial of service via crafted requests or headers; no e...

CVSS 7.5, AI score 7.4, EPSS 0.03338
Exploits: 1, References: 3, Affected software: 1
CVE, added 2021/06/11 3:49 p.m., 257 views

CVE-2021-22902

CVE-2021-22902 refers to a denial-of-service vulnerability in Rails Action Dispatch mime-type parsing. The actionpack gem, prior to versions 6.0.3.7 and 6.1.3.2, can be exploited by specially crafted HTTP Accept headers that trigger catastrophic backtracking in the regular expression engine. The ...

CVSS 7.5, AI score 7.2, EPSS 0.00677
Exploits: 1, References: 2, Affected software: 1
Cvelist, added 2021/06/11 3:49 p.m., 18 views

CVE-2021-22904

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or...

AI score 7.7, EPSS 0.03338
Exploits: 1, References: 3
Debian CVE, added 2021/06/11 3:49 p.m., 28 views

CVE-2021-22904

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or...

CVSS 7.5, AI score 6.5, EPSS 0.03338
Exploits: 1
GithubExploit, added 2021/05/27 3:44 p.m., 53 views

Exploit for Argument Injection in Dragonfly_Project Dragonfly

CVE-2021-33564 PoC Exploit script for CVE-2021-33564 Argument...

CVSS 9.8, AI score 9.6, EPSS 0.93359
Exploits: 4
RedHat Linux, added 2021/05/26 7:41 a.m., 0 views

rubygem-json: Unsafe object creation vulnerability in JSON

A flaw was found in rubygem-json. While parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269...

CVSS 7.5, AI score 7.2, EPSS 0.05892
Exploits: 0, References: 5
GithubExploit, added 2021/05/25 2:48 a.m., 105 views

Exploit for Argument Injection in Dragonfly_Project Dragonfly

CVE-2021-33564 PoC Exploit script for CVE-2021-33564 Argument...

CVSS 9.8, AI score 9.6, EPSS 0.93359
Exploits: 4
Positive Technologies, added 2021/05/18 12:00 a.m., 3 views

PT-2021-4288 (tags: Ruby, Bindata)

Name of the Vulnerable Software and Affected Versions: bindata RubyGem versions prior to 2.4.10. Description: The issue is related to a potential denial-of-service vulnerability in the bindata RubyGem. In affected versions, it is very slow for certain classes in BinData to be created, such as...

CVSS 6.3, AI score 6.9, EPSS 0.00174
Exploits: 1, References: 21
OSV, added 2021/05/06 11:02 a.m., 3 views

OESA-2021-1175 rubygem-redcarpet security update

A fast, safe and extensible Markdown to XHTML parser. Security Fixes: Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being perform...

CVSS 6.8, AI score 6.5, EPSS 0.01127
Exploits: 0, References: 2
OSV, added 2021/04/22 4:22 p.m., 24 views

GHSA-7359-3C6R-HFC2 Improper Certificate Validation in oauth ruby gem

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information...

CVSS 7.4, AI score 7.2, EPSS 0.00143
Exploits: 1, References: 6
RubySec, added 2021/04/22 12:00 a.m., 27 views

Improper Certificate Validation in oauth ruby gem

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information...

CVSS 7.4, AI score 5.2, EPSS 0.00143
Exploits: 1, References: 1, Affected software: 1
RedHat Linux, added 2021/04/21 1:15 p.m., 6 views

rubygem-actionview: CSRF vulnerability in rails-ujs

A flaw was found in rubygem-actionview. A regression of CVE-2015-1840 causes Rails-ujs to send CSRF tokens to wrong domains. The highest threat from this vulnerability is to data integrity...

CVSS 6.5, AI score 6.6, EPSS 0.00427
Exploits: 1, References: 5
OSV, added 2020/12/30 7:15 p.m., 0 views

UBUNTU-CVE-2020-26247

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the...

CVSS 4.3, AI score 6.7, EPSS 0.00259
Exploits: 0, References: 9
RedHat Linux, added 2020/10/27 12:58 p.m., 1 view

rubygem-secure_headers: limited header injection when using dynamic overrides with user input

A directive injection vulnerability was found in Secure Headers RubyGem before versions 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into the vulnerable function, a new line could be injected, leading to limited header injection, which could create a new Content Security Policy head...

CVSS 5.8, AI score 7.2, EPSS 0.00347
Exploits: 1, References: 5
RedHat Linux, added 2020/10/27 12:58 p.m., 1 view

rubygem-actionview: views that use the `j` or `escape_javascript` methods are susceptible to XSS attacks

A flaw was found in rubygem-actionview. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks with ActionView's JavaScript literal escape helpers. The highest threat from this vulnerability is to data confidentiality and integrity...

CVSS 4.8, AI score 7, EPSS 0.00887
Exploits: 1, References: 5
RedHat Linux, added 2020/10/27 12:58 p.m., 2 views

rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser

A flaw was found in the websocket-extensions ruby module in versions prior to 0.1.5. The parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and another character. When abused by an...

CVSS 7.5, AI score 7.3, EPSS 0.02622
Exploits: 1, References: 5
OSV, added 2020/10/15 9:00 a.m., 10 views

SUSE-SU-2020:2929-1 Security update for rubygem-activesupport-4_2

This update for rubygem-activesupport-4_2 fixes the following issues: - CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore potentially resulting in remote code execution (bsc#1172186)...

CVSS 9.8, AI score 8.2, EPSS 0.90128
Exploits: 5, References: 3
NVD, added 2020/09/24 8:15 p.m., 16 views

CVE-2016-11086

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information...

CVSS 7.4, EPSS 0.00143
Exploits: 1, References: 1
OSV, added 2020/09/24 8:15 p.m., 2 views

DEBIAN-CVE-2016-11086

lib/oauth/consumer.rb in the oauth-ruby gem through 0.5.4 for Ruby does not verify server X.509 certificates if a certificate bundle cannot be found, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information...

CVSS 7.4, AI score 7.3, EPSS 0.00143
Exploits: 1, References: 1