Amazon Linux 2 : ruby (ALAS-2024-2706)

The version of ruby installed on the remote host is prior to 2.0.0.648-36. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2706 advisory. An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a...

RHEL 8 : ruby:2.5 (RHSA-2024:11028)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:11028 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...

AlmaLinux 9 : ruby:3.1 (ALSA-2024:10860)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2024:10860 advisory. rexml: REXML ReDoS vulnerability CVE-2024-49761 Tenable has extracted the preceding description block directly from the AlmaLinux security advisory. Note that...

RHEL 9 : ruby:3.1 (RHSA-2024:10860)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:10860 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...

Oracle Linux 9 : ruby:3.1 (ELSA-2024-10860)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-10860 advisory. - Fix REXML ReDoS vulnerability. CVE-2024-49761 Resolves: RHEL-68530 Tenable has extracted the preceding description block directly from the Oracle Linux...

RHEL 8 : ruby:3.1 (RHSA-2024:10834)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:10834 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...

Ubuntu 20.04 LTS / 22.04 LTS / 23.10 : Ruby vulnerability (USN-6853-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by a vulnerability as referenced in the USN-6853-1 advisory. It was discovered that Ruby incorrectly handled the ungetbyte and ungetc methods. A remote attacker could use this issue to cause Ruby to cras...

Medium: ruby

Issue Overview: ruby: RCE vulnerability with .rdocoptions in RDoc CVE-2024-27281 Affected Packages: ruby Note: This advisory is applicable to Amazon Linux 2 - Ruby3.0 Extra. Visit this page to learn more about Amazon Linux 2 AL2 Extras and this FAQ section for the difference between AL2 Core and...

ruby: Arbitrary memory address read vulnerability with Regex search

A flaw was found in Ruby. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings...

AZL-40520 CVE-2024-27282 affecting package ruby for versions less than 3.3.3-1

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1...

DEBIAN-CVE-2024-27282

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1...

AZL-40675 CVE-2024-27281 affecting package ruby for versions less than 3.1.4-4

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdocoptions used for configuration in RDoc as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be...

Ruby Security Vulnerabilities

Ruby is a cross-platform, object-oriented, dynamically typed programming language from the individual developer, Yukihiro Matsumoto. A security vulnerability exists in Ruby versions 3.x through 3.3.0, which originates from a user-supplied data provided to the Ruby regular expression compiler can...

CVE-2024-27282

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1...

CVE-2024-27282

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1...

The vulnerability of the Ruby programming language components rfc2396 parser.rb and rfc3986 parser.rb allows a hacker to cause a service failure.

The vulnerability of the Ruby programming language components rfc2396 Parser.rb and rfc3986 Parser.rb is related to the incorrect handling of invalid URL addresses. Exploiting this vulnerability allows a remote attacker to cause service interruptions...

CVE-2015-8314

The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access...

VulnCheck KEV: CVE-2021-33564

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verifyurl option is disabled. This may lead to code execution. The problem occurs because the generate and process features...

Medium: ruby

Issue Overview: An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that ar...

Medium: ruby

Issue Overview: An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that ar...