Wolfi
added 2025/10/09 2:47 p.m., 7 views

GHSA-W9PC-FMGC-VXVW vulnerabilities

Vulnerabilities for packages: ruby3.2-rails, logstash, ruby3.3-rails, ruby3.3-rack, ruby3.4-rails, gitlab-cng...

AI score 5.4; Exploits 0
Amazon
added 2025/09/29 12:00 a.m., 3 views

Low: ruby3.2

Issue Overview: REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XML, you may be affected by this vulnerability. REXML gem 3.4.2 or later includes the patches t...

CVSS 5.3; AI score 7.1; EPSS 0.00084; Exploits 0
Wolfi
added 2025/09/11 7:51 a.m., 3 views

GHSA-F279-RF2R-M6M5 vulnerabilities

Vulnerabilities for packages: ruby3.3-webrick, ruby3.4-webrick, ruby4.0-webrick...

AI score 5.4; Exploits 0
Amazon
added 2025/09/08 12:00 a.m., 4 views

Medium: ruby3.2

Issue Overview: Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility of denial of service by memory exhaustion when net-imap reads server responses. At any time while the client is...

CVSS 6.5; AI score 6.6; EPSS 0.00393; Exploits 0
Amazon
added 2025/08/08 12:00 a.m., 5 views

Medium: ruby3.2

Issue Overview: Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is deployed behind an HTTP proxy that fulfills specific...

CVSS 6.5; AI score 7; EPSS 0.00257; Exploits 0
OSV
added 2025/06/27 1:16 p.m., 1 view

OESA-2025-1686 rubygem-rack security update

Rack provides a minimal, modular, and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single...

CVSS 7.5; AI score 6.8; EPSS 0.00775; Exploits 0; References 2
OSV
added 2025/04/22 12:00 a.m., 2 views

ALSA-2025:4063 Moderate: ruby:3.1 security update

Ruby is an extensible, interpreted, object-oriented scripting language. It has features to process text files and to perform system management tasks. Security Fixes: rexml: DoS vulnerability in REXML (CVE-2024-39908); rexml: rubygem-rexml: DoS when parsing an XML having many specific characters suc...

CVSS 7.5; AI score 6.5; EPSS 0.08032; Exploits 0; References 16
Amazon
added 2025/04/14 12:00 a.m., 1 view

Medium: ruby3.2

Issue Overview: In the URI gem before 1.0.3 for Ruby, the URI handling methods URI.join, URI.merge, and URI+ have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. (CVE-2025-27221) Affected Packages: ruby3.2. Issue Correction: Run dnf update...

CVSS 5.3; AI score 7.1; EPSS 0.00156; Exploits 0
Chainguard
added 2025/03/10 10:19 p.m., 5 views

GHSA-7WQH-767X-R66V vulnerabilities

Vulnerabilities for packages: kube-fluentd-operator, ruby3.4-rails, logstash, gitlab-cng, ruby3.2-rails, ruby3.3-rails, ruby3.3-rack...

AI score 5.4; Exploits 0
OSV
added 2024/11/15 12:19 p.m., 3 views

OESA-2024-2383 rubygem-actionmailer security update

Email on Rails. Compose, deliver, and test emails using the familiar controller/view pattern. First-class support for multipart email and attachments. Security Fixes: Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5,...

CVSS 8.7; AI score 6.8; EPSS 0.00317; Exploits 0; References 2
OSV
added 2024/10/16 9:15 p.m., 2 views

DEBIAN-CVE-2024-47889

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to...

CVSS 8.7; AI score 5.3; EPSS 0.00317; Exploits 0; References 1
OSV
added 2024/10/16 9:15 p.m., 1 view

UBUNTU-CVE-2024-47888

Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. Carefully crafted text can cause the...

CVSS 8.7; AI score 6.4; EPSS 0.00476; Exploits 0; References 8
OSV
added 2024/10/16 6:15 p.m., 1 view

UBUNTU-CVE-2024-41128

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters...

CVSS 8.7; AI score 6.4; EPSS 0.00557; Exploits 0; References 10
Snyk
added 2024/10/15 11:35 p.m., 2 views

Regular Expression Denial of Service (ReDoS)

Overview: Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when using HTTP Token authentication via the method authenticate_or_request_with_http_token or a similar method. By sending specially crafted headers, an attacker can cause the application to consum...

CVSS 8.7; AI score 6.9; EPSS 0.00273; Exploits 0; References 2
OSV
added 2024/05/14 3:11 p.m., 0 views

DEBIAN-CVE-2024-27280

A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fix...

CVSS 9.8; AI score 6.8; EPSS 0.0883; Exploits 0; References 1
Positive Technologies
added 2024/03/19 12:00 a.m., 5 views

PT-2024-2479 · Ruby +7 · Rdoc +7

Name of the Vulnerable Software and Affected Versions: RDoc versions 6.3.3 through 6.6.2. Description: The issue is related to the restoration of untrusted data in memory by the RDoc documentation generator for the Ruby programming language. This can be exploited to execute arbitrary code using...

CVSS 9.8; AI score 7.8; EPSS 0.0883; Exploits 2; References 150