85 matches found

Tenable Nessus · added 2024/10/31 12:00 a.m. · 9 views

Amazon Linux 2023 : ruby3.2, ruby3.2-bundled-gems, ruby3.2-default-gems (ALAS2023-2024-743)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-743 advisory. An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., GET /admin...

AI score 6.9 · EPSS 0.00108
Exploits 0 · References 4
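The WEBrick entry above describes the classic request-smuggling precondition: a request that carries both a Content-Length and a Transfer-Encoding header, which two parsers in the chain may resolve differently. The following is an added example, not WEBrick's or Tenable's code, of a front-end check that parses the raw header block and reports the ambiguities a reviewer would reject before a back end sees the request. The sample requests and the header names checked are constructed for the example.

```ruby
# Added example (not WEBrick's own code): flag the Content-Length /
# Transfer-Encoding ambiguity that HTTP request smuggling relies on, so a
# front end or test harness can reject such requests before a back end
# parses them. Sample requests below are constructed for the example.

# Parse the header block of a raw HTTP/1.1 request.
# Returns [request_line, headers] where headers maps a lowercased name to
# an array of values; duplicates are kept because a repeated
# Content-Length is itself a desync signal.
def parse_headers(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  lines = head.split(/\r?\n/)
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(":", 2)
    next if name.nil? || value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers]
end

# Returns the list of reasons the request is ambiguous (empty means clean).
# RFC 9112 section 6.3: a message carrying both Transfer-Encoding and
# Content-Length is a framing error; two servers that disagree on which
# header wins can be desynchronised.
def smuggling_indicators(raw)
  _request_line, h = parse_headers(raw)
  cl = h["content-length"]
  te = h["transfer-encoding"]
  reasons = []
  reasons << "both Content-Length and Transfer-Encoding present" if !cl.empty? && !te.empty?
  reasons << "multiple Content-Length values" if cl.size > 1
  reasons << "non-numeric Content-Length" if cl.any? { |v| v !~ /\A\d+\z/ }
  unless te.empty?
    codings = te.flat_map { |v| v.split(",").map { |c| c.strip.downcase } }
    reasons << "Transfer-Encoding without chunked as the final coding" if codings.last != "chunked"
    reasons << "obfuscated Transfer-Encoding value" if codings.any? { |c| c != "chunked" && c !~ /\A[a-z0-9-]+\z/ }
  end
  reasons
end

# Constructed sample: a CL.TE probe. Body is 6 bytes ("0\r\n\r\nG"); a
# Content-Length-honouring server consumes all of it, a chunked-honouring
# server stops at "0\r\n\r\n" and leaves "G" as the start of the next request.
CLTE_PROBE = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\nG"
CLEAN_REQUEST = "POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 2\r\n\r\nok"

if __FILE__ == $PROGRAM_NAME
  puts "probe: #{smuggling_indicators(CLTE_PROBE).inspect}"
  puts "clean: #{smuggling_indicators(CLEAN_REQUEST).inspect}"
end
```

The check is deliberately strict: it rejects the ambiguous request outright rather than picking a winner, which is the only choice that cannot be desynchronised against a differently configured peer.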
OSV · added 2024/10/28 3:15 p.m. · 1 view

AZL-51904 CVE-2024-49761 affecting package ruby for versions less than 3.3.5-1

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML...

CVSS 7.5 · AI score 6.8 · EPSS 0.01645
Exploits 0 · References 1
OSV · added 2024/10/28 3:15 p.m. · 2 views

AZL-51908 CVE-2024-49761 affecting package rubygem-rexml for versions less than 3.3.9-1

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML...

CVSS 7.5 · AI score 6.8 · EPSS 0.01645
Exploits 0 · References 1
OSV · added 2024/10/28 3:15 p.m. · 3 views

AZL-51876 CVE-2024-49761 affecting package ruby for versions less than 3.1.4-8

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML...

CVSS 7.5 · AI score 6.8 · EPSS 0.01645
Exploits 0 · References 1
OSV · added 2024/10/28 3:15 p.m. · 1 view

ALPINE-CVE-2024-49761

REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML...

CVSS 7.5 · AI score 6.9 · EPSS 0.01645
Exploits 0 · References 1
Snyk · added 2024/10/28 2:10 p.m. · 1 view

Regular Expression Denial of Service (ReDoS)

Overview: rexml is an XML toolkit for Ruby. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expressions in CHARACTER_REFERENCES. This vulnerability can be exploited when parsing XML content containing numerous...

CVSS 8.7 · AI score 6.8 · EPSS 0.01645
Exploits 0 · References 2
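The CVE-2024-49761 entries above (AZL-51904, AZL-51908, AZL-51876, ALPINE-CVE-2024-49761 and the Snyk advisory) all describe the same trigger: a numeric character reference whose body between "&#" and ";" is padded with a very long digit run. The following is an added example, not REXML's or any advisory's code, of a linear-time pre-parse guard that refuses oversized references before untrusted XML reaches REXML. The cap of 16 characters and the two sample documents are assumptions constructed for the example; the guard is defence in depth and does not replace upgrading to rexml 3.3.9 or later.

```ruby
# Added example (not REXML's own code): a pre-parse guard that bounds the
# length of numeric character references in untrusted XML. The vulnerable
# regular expression backtracks over long digit runs such as
# "&#000...000x41;", so refusing oversized references before REXML sees the
# document caps the work an attacker can force. Defence in depth only; the
# real fix is rexml 3.3.9 or later.

# Assumption for this example: a legitimate reference body is at most
# "x10FFFF" (7 characters), so 16 leaves generous slack for leading zeros.
MAX_CHARREF_BODY = 16

# Length of the longest body following "&#" (decimal digits, hex digits or
# the "x" prefix). A single character class keeps this scan linear, unlike
# the nested-quantifier pattern the advisory describes.
def longest_numeric_charref(xml)
  xml.scan(/&#([0-9a-fA-Fx]*)/).map { |(body)| body.length }.max || 0
end

def safe_to_parse?(xml, max_body: MAX_CHARREF_BODY)
  longest_numeric_charref(xml) <= max_body
end

# Gate REXML behind the guard; the raise happens before rexml is loaded,
# so a hostile document never reaches the vulnerable regex.
def parse_untrusted_xml(xml)
  raise ArgumentError, "oversized numeric character reference" unless safe_to_parse?(xml)
  require "rexml/document"
  REXML::Document.new(xml)
end

# Constructed inputs: a benign document and a pathological one.
BENIGN_XML = "<root><a>&#x41;&#65;</a></root>"
HOSTILE_XML = "<root><a>&#" + ("0" * 100_000) + "x41;</a></root>"

if __FILE__ == $PROGRAM_NAME
  puts "benign longest body: #{longest_numeric_charref(BENIGN_XML)}"
  puts "hostile longest body: #{longest_numeric_charref(HOSTILE_XML)}"
  puts "hostile safe? #{safe_to_parse?(HOSTILE_XML)}"
end
```

The guard is intentionally coarse: it does not try to validate the reference, only to bound the input size the vulnerable pattern can be fed, which is the property ReDoS mitigations need.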
Positive Technologies · added 2024/10/15 12:00 a.m. · 6 views

PT-2024-7931

Name of the Vulnerable Software and Affected Versions: Action Mailer versions 3.0.0 through 6.1.7.8; Action Mailer versions 7.0.0 through 7.0.8.4; Action Mailer versions 7.1.0 through 7.1.4.0; Action Mailer versions 7.2.0 through 7.2.1.0. Description: The issue is related to the block format helper in...

CVSS 9.8 · AI score 6.2 · EPSS 0.04252
Exploits 5 · References 86
OSV · added 2024/09/13 8:53 a.m. · 9 views

RHSA-2014:0876 Red Hat Security Advisory: ruby193-rubygem-activerecord security update

Bulletin has no description...

CVSS 7.5 · AI score 6.1 · EPSS 0.01531
Exploits 0 · References 7
Amazon · added 2024/08/19 12:00 a.m. · 4 views

Medium: ruby3.2

Issue Overview: ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281); ruby: Arbitrary memory address read vulnerability with Regex search (CVE-2024-27282). Affected Packages: ruby3.2. Issue Correction: Run dnf update ruby3.2 --releasever 2023.5.20240819 or dnf update --advisory...

CVSS 6.6 · AI score 6.8 · EPSS 0.02433
Exploits 0
OSV · added 2024/06/15 12:00 a.m. · 10 views

OPENSUSE-SU-2024:11315-1 ruby2.7-rubygem-actionmailer-5.2-5.2.6-1.2 on GA media

These are all security issues fixed in the ruby2.7-rubygem-actionmailer-5.2-5.2.6-1.2 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5 · AI score 7.1 · EPSS 0.94318
Exploits 18 · References 2
OSV · added 2024/05/16 4:15 p.m. · 1 view

AZL-42070 CVE-2024-35176 affecting package ruby for versions less than 3.1.4-6

REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later includes the patch to fix this...

CVSS 5.3 · AI score 6.4 · EPSS 0.08428
Exploits 1 · References 1
Vulnrichment · added 2024/05/08 8:51 p.m. · 27 views

CVE-2024-27280

A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is the main fix...

AI score 6.2 · EPSS 0.0883
Exploits 0 · References 2
OSV · added 2024/05/03 12:00 a.m. · 32 views

DSA-5677-1 ruby3.1 - security update

Bulletin has no description...

CVSS 9.8 · AI score 7.2 · EPSS 0.0883
Exploits 0
Positive Technologies · added 2024/02/22 12:00 a.m. · 4 views

PT-2024-1928

Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.0.9.4; Rack versions prior to 2.1.4.4; Rack versions prior to 2.2.8.1; Rack versions prior to 3.0.9.1. Description: The issue is related to the header parsing in Rack, which can be exploited by carefully crafted headers,...

CVSS 10 · AI score 6.9 · EPSS 0.16071
Exploits 4 · References 120
OSV · added 2024/02/08 11:06 a.m. · 1 view

OESA-2024-1146 rubygem-actionpack security update

Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser. Security Fixes: A regular expression based DoS vulnerability in Action Dispatch 6.0.6.1,...

CVSS 7.5 · AI score 6.9 · EPSS 0.02264
Exploits 0 · References 3
Rapid7 Blog · added 2023/12/08 7:15 p.m. · 44 views

Metasploit Wrap-Up 12/8/2023

Are You Looking for ACTION? Our very own adfoster-r7 has added a new feature that adds module actions, targets, and aliases to the search feature in Metasploit Framework. As we continue to add modules with diverse goals or targets, we’ve found ourselves leaning on these flags more and more...

CVSS 7.5 · AI score 7.4 · EPSS 0.94329
Exploits 20
Amazon · added 2023/04/19 12:00 a.m. · 3 views

Important: ruby3.2

Issue Overview: A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 a...

CVSS 5.3 · AI score 6.6 · EPSS 0.00651
Exploits 0
Positive Technologies · added 2023/03/21 12:00 a.m. · 3 views

PT-2023-2261 · Time

Name of the Vulnerable Software and Affected Versions: Time component versions through 0.2.1; Ruby versions through 3.2.1. Description: A ReDoS issue was discovered in the Time component, where the Time parser mishandles invalid strings with specific characters, causing an increase in execution time f...

CVSS 9.8 · AI score 6.3 · EPSS 0.0883
Exploits 7 · References 203
Snyk · added 2023/03/15 11:08 a.m. · 1 view

Regular Expression Denial of Service (ReDoS)

Overview rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...

CVSS 5.3 · AI score 6.8 · EPSS 0.00364
Exploits 0 · References 2
SUSE CVE · added 2023/02/15 5:56 a.m. · 1 view

SUSE CVE-2010-3928

Ruby Version Manager RVM before 1.2.1 writes file contents to a terminal without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via a crafted file, related to an "escape sequence injection vulnerability." NOTE: some of these details are...

CVSS 6.8 · AI score 8 · EPSS 0.0075
Exploits 0 · References 3
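The CVE-2010-3928 entry above is the general terminal escape-sequence injection problem: a tool that echoes attacker-controlled file contents to a TTY without neutralising control characters lets the file drive the terminal (retitle it, move the cursor, or in older emulators inject keystrokes). The following is an added example, not RVM's code, of a sanitiser that renders every control character other than tab and newline as a visible escape before the text reaches the terminal. The sample strings are constructed for the example.

```ruby
# Added example (not RVM's own code): neutralise terminal escape sequences
# before echoing untrusted file contents to a TTY. C0 controls other than
# tab and newline (including ESC and CR, so a file cannot start an escape
# sequence or overwrite a line), DEL, and the C1 control range are
# rendered as visible "\xNN" escapes; printable text, including non-ASCII,
# passes through unchanged.
def terminal_safe(text)
  text.dup.force_encoding("UTF-8").scrub("?")
      .gsub(/[\x00-\x08\x0b-\x1f\x7f\u0080-\u009f]/) { |c| format("\\x%02x", c.ord) }
end

# Constructed sample: an OSC sequence that would retitle the terminal.
HOSTILE_LINE = "\e]0;pwned\a\n"

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  $stdout.write(path ? terminal_safe(File.read(path)) : terminal_safe(HOSTILE_LINE))
end
```

Run it on any file (`ruby terminal_safe.rb suspicious.txt`) to see the file's contents with its control characters made visible rather than interpreted; scrubbing invalid byte sequences first keeps the regex from raising on binary input.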