Bundler Parameter Injection Vulnerability
Bundler is a package for managing application dependencies in Ruby. It provides a consistent environment for Ruby projects by tracking and installing the exact gem and version required. Bundler suffers from a code injection vulnerability that stems from the fact that when using Gemfile, an attack...
Ruby Security Vulnerability
Ruby is a cross-platform, object-oriented, dynamically typed programming language. Versions prior to Ruby 3.0.3 contain a security vulnerability that can be exploited by attackers to spoof the security prefix in cookie names, so that vulnerable applications can be spoofed...
Trusting FTP PASV responses vulnerability in Net::FTP
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise...
UBUNTU-CVE-2021-32740
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted templat...
ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?
A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. A remote attacker could exploit this flaw to make a Ruby...
Ruby Parameter Injection Vulnerability
Ruby is a cross-platform, object-oriented, dynamically typed programming language developed by Yukihiro Matsumoto. A parameter injection vulnerability exists in Ruby versions prior to 1.4.0, which can be exploited by an attacker to read and write arbitrary files via a crafted UR...
USN-4922-1: Ruby vulnerability | Cloud Foundry
Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack. CVEs...
USN-4922-2: Ruby vulnerability
USN-4922-1 fixed a vulnerability in Ruby. This update provides the corresponding update for Ubuntu 21.04. Original advisory details: Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to...
Ubuntu 21.04 : Ruby vulnerability (USN-4922-2)
The remote Ubuntu 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-4922-2 advisory. USN-4922-1 fixed a vulnerability in Ruby. This update provides the corresponding update for Ubuntu 21.04. Tenable has extracted the preceding description block direct...
USN-4922-1: Ruby vulnerability
Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack...
Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Ruby vulnerability (USN-4922-1)
The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4922-1 advisory. Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could...
Amazon Linux AMI : ruby24 (ALAS-2020-1451)
The version of ruby24 installed on the remote host is prior to 2.4.10-2.13. It is, therefore, affected by a vulnerability as referenced in the ALAS-2020-1451 advisory. An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundle...
Field Test gem Cross-Site Request Forgery Vulnerability
Field Test gem is an A/B testing software package for Ruby. A cross-site request forgery vulnerability exists in Field Test gem versions 0.2.0 through 0.3.2. The vulnerability stems from a web application that does not adequately validate that a request is coming from a trusted user. An attacker coul...
Ruby has an unspecified vulnerability
Ruby is a simple and fast object-oriented scripting language. An unspecified vulnerability exists in Ruby. An attacker can exploit this vulnerability to invoke arbitrary Ruby methods...
Ruby has an unspecified vulnerability (CNVD-2020-12798)
Ruby is a simple and fast object-oriented scripting language. An unspecified vulnerability exists in Ruby. An attacker could exploit the vulnerability by inserting line breaks to split headers and inject malicious content to spoof the client...
ALPINE-CVE-2019-16255
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument aka the "command" argument to Shell or Shelltest in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method...
DEBIAN-CVE-2019-16254
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients...
DEBIAN-CVE-2019-15587
In the Loofah gem for Ruby through v2.3.0 unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished...
ruby: Unintentional socket creation by poisoned NULL byte in UNIXServer and UNIXSocket
It was found that the UNIXSocket::open and UNIXServer::open Ruby methods did not handle the NULL byte properly. An attacker able to inject NULL bytes into the socket path could possibly trigger unspecified behavior of the Ruby script...
CVE-2015-9284
The request phase of the OmniAuth Ruby gem 1.9.1 and earlier is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able ...