192 matches found

Ubuntu
added 2025/02/06 3:10 a.m., 11 views

USN-7256-1: Ruby vulnerabilities

It was discovered that Ruby incorrectly handled parsing of an XML document that has specific XML characters in an attribute value using the REXML gem. An attacker could use this issue to cause Ruby to crash, resulting in a denial of service...

CVSS 5.9, AI score 6.9, EPSS 0.08335
Exploits 0
Tenable Nessus
added 2025/02/05 12:00 a.m., 8 views

Amazon Linux 2023 : ruby3.2, ruby3.2-bundled-gems, ruby3.2-default-gems (ALAS2023-2025-839)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-839 advisory. A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings...

CVSS 5.3, AI score 7.9, EPSS 0.00906
Exploits 0, References 4
OSV
added 2025/01/27 7:21 a.m., 9 views

BIT-RUBY-MIN-2020-10933

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous valu...

CVSS 5.3, AI score 6.3, EPSS 0.00415
Exploits 1, References 5
OSV
added 2025/01/27 7:20 a.m., 11 views

BIT-RUBY-MIN-2021-31810

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise...

CVSS 5.8, AI score 6.3, EPSS 0.00668
Exploits 1, References 9
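The check that closes the trust gap in this entry, as an added example that is not code from the page or from Ruby's Net::FTP: a client that follows the host in the server's PASV reply can be steered to an arbitrary internal address, so the hardened client ignores that host and reuses the peer of the control connection unless explicitly told otherwise. The `use_pasv_ip` switch mirrors the option Ruby added to Net::FTP (off by default); the helper names and the sample replies below are constructed for illustration.

```ruby
# Parse an FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" reply.
# Returns [host, port] or raises on anything that is not a well-formed 227 reply.
def parse_pasv_reply(reply)
  m = reply.match(/\A227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/)
  raise ArgumentError, "not a PASV reply: #{reply.inspect}" unless m
  octets = m.captures[0, 4].map(&:to_i)
  p1, p2 = m.captures[4, 2].map(&:to_i)
  if octets.any? { |o| o > 255 } || p1 > 255 || p2 > 255
    raise ArgumentError, "octet out of range in PASV reply"
  end
  [octets.join("."), p1 * 256 + p2]
end

# Decide where the data connection goes.
# control_host: the address the client itself opened the control connection to.
# use_pasv_ip:  false (hardened) takes only the port from the server and keeps
#               talking to control_host; true (legacy) connects wherever the
#               server says, which is the behaviour the advisory describes.
def data_connection_target(reply, control_host, use_pasv_ip: false)
  host, port = parse_pasv_reply(reply)
  use_pasv_ip ? [host, port] : [control_host, port]
end

# Audit helper: would this reply have moved the client off the server it is
# talking to? Useful for logging on clients that still honour PASV hosts.
def pasv_redirect?(reply, control_host)
  host, _port = parse_pasv_reply(reply)
  host != control_host
end

# Constructed sample replies (hypothetical, not captured from a real server).
CONTROL_HOST    = "203.0.113.10"
HONEST_REPLY    = "227 Entering Passive Mode (203,0,113,10,195,80)" # port 195*256+80 = 50000
MALICIOUS_REPLY = "227 Entering Passive Mode (10,0,0,5,0,22)"        # internal host, port 22

if __FILE__ == $PROGRAM_NAME
  p data_connection_target(HONEST_REPLY, CONTROL_HOST)
  p data_connection_target(MALICIOUS_REPLY, CONTROL_HOST)
  p data_connection_target(MALICIOUS_REPLY, CONTROL_HOST, use_pasv_ip: true)
  p pasv_redirect?(MALICIOUS_REPLY, CONTROL_HOST)
end
```

With the default, the malicious reply only changes the port (22 on the FTP server itself, which the client could reach anyway); only `use_pasv_ip: true` lets the server point the client at 10.0.0.5.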
OSV
added 2025/01/09 4:15 a.m., 12 views

CVE-2025-0306

A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...

CVSS 7.4, AI score 6.5, EPSS 0.00593
Exploits 0, References 3
Cvelist
added 2025/01/09 4:05 a.m., 26 views

CVE-2025-0306 Ruby: openssl: ruby marvin attack

A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...

CVSS 7.4, EPSS 0.00593
Exploits 0, References 2
CVE
added 2025/01/09 4:05 a.m., 117 views

CVE-2025-0306

CVE-2025-0306 concerns the Ruby interpreter and a Marvin Attack that can decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service. The connected docs corroborate Ruby advisories for EulerOS (ruby package security advisories Eul...

CVSS 7.4, AI score 7.3, EPSS 0.00593
Exploits 0, References 3
Vulnrichment
added 2025/01/09 4:05 a.m., 130 views

CVE-2025-0306 Ruby: openssl: ruby marvin attack

A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...

CVSS 7.4, AI score 7, EPSS 0.00593
Exploits 0, References 2
Debian CVE
added 2025/01/09 4:05 a.m., 11 views

CVE-2025-0306

A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...

CVSS 7.4, AI score 7.2, EPSS 0.00593
Exploits 0
RedhatCVE
added 2025/01/07 11:49 a.m., 15 views

CVE-2025-0306

A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service. Mitigation See the following possible...

CVSS 7.4, AI score 6.9, EPSS 0.00593
Exploits 0, References 3
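The six CVE-2025-0306 entries above name the Marvin attack without saying which call it reaches. Marvin is a timing side channel against RSA PKCS#1 v1.5 decryption: the time the padding check takes depends on the decrypted bytes, and enough measured decryptions of chosen ciphertexts let an attacker recover a plaintext or forge a signature. The added example below is not code from the page, from Ruby or from Red Hat; it puts the two paddings side by side through Ruby's OpenSSL binding. PKCS#1 v1.5 decryption is the operation the attack targets; RSA-OAEP is the padding the attack's authors recommend moving to. The key and messages are generated inline for illustration only, and the example cannot exhibit the timing leak itself, only the API surface to move away from and the explicit padding error the binding raises.

```ruby
require "openssl"

# Fresh 2048-bit key generated here for illustration; never reuse demo keys.
TEST_KEY = OpenSSL::PKey::RSA.new(2048)
TEST_PUB = TEST_KEY.public_key

PKCS1_V15 = OpenSSL::PKey::RSA::PKCS1_PADDING
OAEP      = OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING

# Legacy form. The PKCS#1 v1.5 padding check inside private_decrypt is the
# operation whose duration the Marvin attack measures.
def encrypt_pkcs1_v15(plaintext, pub = TEST_PUB)
  pub.public_encrypt(plaintext, PKCS1_V15)
end

def decrypt_pkcs1_v15(ciphertext, priv = TEST_KEY)
  priv.private_decrypt(ciphertext, PKCS1_V15)
end

# Hardened form: RSA-OAEP. Decryption still fails on a bad ciphertext, but there
# is no PKCS#1 v1.5 padding structure for the attack to probe.
def encrypt_oaep(plaintext, pub = TEST_PUB)
  pub.public_encrypt(plaintext, OAEP)
end

def decrypt_oaep(ciphertext, priv = TEST_KEY)
  priv.private_decrypt(ciphertext, OAEP)
end

# Flip one bit of the last ciphertext byte: a stand-in for the adaptively chosen
# ciphertexts an attacker submits to the decryption service.
def tamper(ciphertext)
  ciphertext.dup.tap { |c| c.setbyte(c.bytesize - 1, c.getbyte(c.bytesize - 1) ^ 0x01) }
end

# What a caller sees for a tampered ciphertext: :error when the binding raises
# (explicit rejection), or whatever bytes came back. OpenSSL builds with implicit
# rejection may hand back random bytes for PKCS#1 v1.5 instead of raising; in
# either case the result is never the original plaintext.
def tampered_result(ciphertext, padding, priv = TEST_KEY)
  priv.private_decrypt(ciphertext, padding)
rescue OpenSSL::PKey::PKeyError
  :error
end

if __FILE__ == $PROGRAM_NAME
  pt = "session-key-0123456789abcdef"
  puts decrypt_pkcs1_v15(encrypt_pkcs1_v15(pt)) == pt   # legacy round trip works
  puts decrypt_oaep(encrypt_oaep(pt)) == pt             # OAEP round trip works
  p tampered_result(tamper(encrypt_oaep(pt)), OAEP)     # :error
end
```

When auditing a code base for this CVE, the pattern to look for is `private_decrypt` (or `decrypt`) called with `PKCS1_PADDING` or with no explicit padding, since PKCS#1 v1.5 is the default for those calls; the upgrade fixes the binding, but switching the protocol to OAEP removes the attack surface rather than hardening it.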
Tenable Nessus
added 2024/12/23 12:00 a.m., 11 views

Amazon Linux 2 : ruby (ALAS-2024-2706)

The version of ruby installed on the remote host is prior to 2.0.0.648-36. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2706 advisory. An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a...

AI score 7, EPSS 0.00224
Exploits 0, References 4
Tenable Nessus
added 2024/12/13 12:00 a.m., 10 views

RHEL 8 : ruby:2.5 (RHSA-2024:11028)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:11028 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...

CVSS 8.7, AI score 7.5, EPSS 0.01645
Exploits 0, References 4
Tenable Nessus
added 2024/12/06 12:00 a.m., 14 views

Oracle Linux 9 : ruby:3.1 (ELSA-2024-10860)

The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2024-10860 advisory. - Fix REXML ReDoS vulnerability (CVE-2024-49761). Resolves: RHEL-68530. Tenable has extracted the preceding description block directly from the Oracle Linux...

CVSS 8.7, AI score 7.6, EPSS 0.01645
Exploits 0, References 2
Tenable Nessus
added 2024/12/06 12:00 a.m., 11 views

RHEL 9 : ruby:3.1 (RHSA-2024:10860)

The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:10860 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...

CVSS 8.7, AI score 7.5, EPSS 0.01645
Exploits 0, References 4
Tenable Nessus
added 2024/12/05 12:00 a.m., 15 views

RHEL 8 : ruby:3.1 (RHSA-2024:10834)

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:10834 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management task...

CVSS 8.7, AI score 7.5, EPSS 0.01645
Exploits 0, References 4
Tenable Nessus
added 2024/06/26 12:00 a.m., 29 views

Ubuntu 20.04 LTS / 22.04 LTS / 23.10 : Ruby vulnerability (USN-6853-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 23.10 host has packages installed that are affected by a vulnerability as referenced in the USN-6853-1 advisory. It was discovered that Ruby incorrectly handled the ungetbyte and ungetc methods. A remote attacker could use this issue to cause Ruby to cras...

CVSS 9.8, AI score 6.9, EPSS 0.08616
Exploits 0, References 2
Amazon
added 2024/06/24 12:00 a.m., 2 views

Medium: ruby

Issue Overview: ruby: RCE vulnerability with .rdoc_options in RDoc (CVE-2024-27281). Affected Packages: ruby. Note: This advisory is applicable to Amazon Linux 2 - Ruby3.0 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and...

CVSS 4.5, AI score 7, EPSS 0.02532
Exploits 0
RedHat Linux
added 2024/05/30 1:22 p.m., 3 views

ruby: Arbitrary memory address read vulnerability with Regex search

A flaw was found in Ruby. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings...

CVSS 6.6, AI score 7.4, EPSS 0.00637
Exploits 0, References 5
OSV
added 2024/05/14 3:11 p.m., 5 views

AZL-40520 CVE-2024-27282 affecting package ruby for versions less than 3.3.3-1

An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2.4, and 3.3.1...

CVSS 6.6, AI score 6.9, EPSS 0.00637
Exploits 0, References 1
OSV
added 2024/05/14 3:11 p.m., 4 views

AZL-40675 CVE-2024-27281 affecting package ruby for versions less than 3.1.4-4

An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options used for configuration in RDoc as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be...

CVSS 4.5, AI score 7.3, EPSS 0.02532
Exploits 0, References 1
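CVE-2024-27281 (the Amazon entry above and this one) comes down to deserializing a configuration file with a YAML loader that will instantiate any Ruby class the document names. The added example below is not RDoc's code; it reproduces the shape of the bug with a constructed `.rdoc_options`-style document. A `!ruby/object:` tag resolves to a class present in the process, and the permissive loader allocates it and sets its instance variables, which is the object-injection primitive the advisory describes; the hardened loader rejects the tag and accepts only plain data. `Gadget` and both sample documents are illustrative inventions. Whether an injected object goes on to execute code depends on which gadget classes the process has loaded, and this example stops at instantiation.

```ruby
require "yaml"

# Illustrative stand-in for any class available in the process. It runs nothing;
# the point is that the loader creates an instance from untrusted text at all.
class Gadget
  attr_reader :cmd
end

# Constructed .rdoc_options-style documents (hypothetical, not real RDoc files).
BENIGN_OPTIONS = <<~YAML
  ---
  title: My Gem
  main_page: README.md
  exclude:
    - spec
YAML

MALICIOUS_OPTIONS = <<~YAML
  --- !ruby/object:Gadget
  cmd: id
YAML

# Vulnerable shape: a loader that honours !ruby/object tags. On Psych 4 (Ruby 3.1+)
# YAML.load is already the safe loader, so the legacy behaviour is reached through
# unsafe_load; on older Psych, YAML.load itself is the permissive one.
def parse_options_unsafe(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened shape: only scalars, arrays, hashes and Symbol may appear; any other
# tagged class raises Psych::DisallowedClass before anything is allocated.
def parse_options_safe(text)
  YAML.safe_load(text, permitted_classes: [Symbol], aliases: true)
end

# Yes/no wrapper for callers that want to log a rejected file rather than rescue.
def rejected_by_safe_loader?(text)
  parse_options_safe(text)
  false
rescue Psych::DisallowedClass
  true
end

if __FILE__ == $PROGRAM_NAME
  obj = parse_options_unsafe(MALICIOUS_OPTIONS)
  puts "permissive loader built a #{obj.class} with @cmd=#{obj.cmd.inspect}"
  puts "safe loader rejected it: #{rejected_by_safe_loader?(MALICIOUS_OPTIONS)}"
  p parse_options_safe(BENIGN_OPTIONS)
end
```

The fix pattern generalizes beyond RDoc: any project that reads a YAML file from a checkout, a gem or a user home directory should parse it with `safe_load` and an explicit `permitted_classes` list, because the file's author and the process owner are not the same trust boundary.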