actionmailer Ruby Library 3.x < 6.1.7.9 / 7.0.x < 7.0.8.5 / 7.1.x < 7.1.4.1 / 7.2.x < 7.2.1.1 DoS (CVE-2024-47889)

The version of the actionmailer Ruby library installed on the remote host is 3.x prior to 6.1.7.9, 7.0.x prior to 7.0.8.5, 7.1.x prior to 7.1.4.1 or 7.2.x prior to 7.2.1.1. It is, therefore, affected by a denial of service DoS vulnerability. The vulnerability lies in the blockformat helper of...

The vulnerability of the SAML library for Ruby SAML and the Git-based software platform, which is used for collaborative code development on GitLab, allows for an increase in privileges.

The vulnerability of the SAML library for Ruby SAML applications and the Git-based software platform for collaborative code development on GitLab is related to errors in verifying the cryptographic signature. Exploiting this vulnerability could allow a malicious actor to increase their privileges...

Ruby SAML 数据伪造问题漏洞

Ruby SAML is an open source implementation of a SAML authorization client from SAML-Toolkits. A data forgery vulnerability exists in Ruby SAML that stems from Ruby-SAML's inability to properly verify the signature of a SAML response, allowing an attacker to log in to a vulnerable system as an...

PT-2024-6310 · Gitlab +2 · Gitlab +2

Name of the Vulnerable Software and Affected Versions: Ruby-SAML versions prior to 1.17.0 Ruby-SAML versions 1.13.0 through 1.16.0 GitLab versions prior to 17.3.3, 17.2.7, 17.1.8, 17.0.8, and 16.11.10 Description: The vulnerability is related to the Ruby SAML library, which is used for implementi...

Ruby: Uncontrolled Resource Consumption when parsing maliciously crafted XML with REXML

The REXML library in Ruby was found to be vulnerable to an issue where parsing a maliciously crafted XML file could lead to uncontrolled resource consumption, resulting in a denial of service. The vulnerability was caused by a flaw in the namespace handling functionality of the REXML library...

USN-6960-1 ruby-rmagick vulnerability

Nick Browning discovered that RMagick incorrectly handled memory under certain operations. An attacker could possibly use this issue to cause a denial of service through memory exhaustion...

The vulnerability of the ruby-find-library-file function in the EMACS text editor arises from improper elimination of special elements used in the command, allowing an attacker to execute arbitrary code.

The vulnerability of the ruby-find-library-file function in the EMACS text editor is related to improper elimination of special elements. Exploiting this vulnerability can allow an attacker to execute arbitrary code...

USN-6748-1 ruby-sanitize vulnerabilities

It was discovered that Sanitize incorrectly handled noscript elements under certain circumstances. An attacker could possibly use this issue to execute a cross-site scripting XSS attack. This issue only affected Ubuntu 22.04 LTS. CVE-2023-23627 It was discovered that Sanitize incorrectly handled...

The vulnerability of the Ruby/Git interpreter’s library allows a hacker to execute arbitrary code.

The vulnerability of the Ruby/Git interpreter’s library is related to the implementation or modification of arguments. Exploiting this vulnerability allows a malicious actor to execute arbitrary code remotely...

PT-2024-22612

Name of the Vulnerable Software and Affected Versions ROTP versions prior to 6.3.0 Description The Ruby One Time Password library ROTP is an open source library for generating and validating one time passwords. Affected versions had overly permissive default permissions. Recommendations For...

UBUNTU-CVE-2024-27285

YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting XSS attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in...

CVE-2023-50725

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. The following paths in resque-web have been found to be vulnerable to reflected XSS: "/failed/?class=alertdocument.cookie" and "/queues/". This issue has been patched in...

The vulnerability of the `yajl_tree_parse` function in the YAJL-ruby JSON library allows a attacker to cause a service failure.

The vulnerability of the yajltreeparse function in the YAJL-ruby JSON library is related to improper memory release before deleting the last reference. Exploiting this vulnerability could allow a malicious actor to cause service failures...

The vulnerability of the yajl_buf.c component in the YAJL-ruby JSON library allows a hacker to gain access to confidential data.

The vulnerability of the yajlbuf.c component in the YAJL-ruby library relates to the situation where an operation is performed outside the buffer’s memory boundaries. Exploiting this vulnerability could allow a remote attacker to gain access to confidential data...

Fedora 36 : rubygem-redcarpet (2023-597f13ffb9)

The remote Fedora 36 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-597f13ffb9 advisory. A security flow was found on redcarpet that escaping html was not properly done even if requested on some cases which may cause XSS vulnerability. This issue...

Fedora 37 : rubygem-redcarpet (2023-8682a0e17d)

The remote Fedora 37 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2023-8682a0e17d advisory. A security flow was found on redcarpet that escaping html was not properly done even if requested on some cases which may cause XSS vulnerability. This issue...

UBUNTU-CVE-2023-28756

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2...

CVE-2023-28102 Command injection in discordrb

discordrb is an implementation of the Discord API using Ruby. In discordrb before commit 91e13043ffa the encoder.rb file unsafely constructs a shell string using the file parameter, which can potentially leave clients of discordrb vulnerable to command injection. The library is not directly...

GNU Emacs 命令注入漏洞

GNU Emacs is a family of text editors in the American GNU community. A security vulnerability exists in GNU Emacs version 28.2 and earlier, which stems from the discovery of a local command injection vulnerability contained in the ruby-find-library-file function of ruby-mode.el. An attacker can...

SUSE CVE-2005-1992

The XMLRPC server in utils.rb for the ruby library libruby 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands...