ALPINE-CVE-2021-41816

CGI.escapehtml in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms such as Windows where sizet and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby...

CVE-2021-41819

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby...

Bundler 参数注入漏洞

Bundler is a package for managing application dependencies in Ruby. It provides a consistent environment for Ruby projects by tracking and installing the exact gem and version required. Bundler suffers from a code injection vulnerability that stems from the fact that when using Gemfile, an attack...

Ruby 安全漏洞

Ruby is a cross-platform, object-oriented, dynamically typed programming language. versions prior to Ruby 3.0.3 contain a security vulnerability that can be exploited by attackers to spoof the security prefix in cookie names so that vulnerable applications can be spoofed...

Trusting FTP PASV responses vulnerability in Net::FTP

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that are otherwise...

UBUNTU-CVE-2021-32740

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted templat...

ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?

A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. A remote attacker could exploit this flaw to make a Ruby...

The vulnerability of the kramdown gem interpreter for Ruby, allowing a hacker to execute arbitrary code.

The vulnerability of the kramdown gem interpreter for Ruby exists due to the lack of measures taken to neutralize special elements. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

Ruby Parameter Injection Vulnerability

Ruby is a cross-platform, object-oriented, dynamically-typed programming language from the individual developer, Yukihiro Matsumoto. A parameter injection vulnerability exists in Ruby versions prior to 1.4.0, which can be exploited by an attacker to read and write arbitrary files via a crafted UR...

USN-4922-1: Ruby vulnerability | Cloud Foundry

Severity Medium Vendor Canonical Ubuntu Versions Affected Canonical Ubuntu 18.04 Description Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack. CVEs...

USN-4922-2: Ruby vulnerability

USN-4922-1 fixed a vulnerability in Ruby. This update provides the corresponding update for Ubuntu 21.04. Original advisory details: Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to...

Ubuntu 21.04 : Ruby vulnerability (USN-4922-2)

The remote Ubuntu 21.04 host has packages installed that are affected by a vulnerability as referenced in the USN-4922-2 advisory. USN-4922-1 fixed a vulnerability in Ruby. This update provides the corresponding update for Ubuntu 21.04. Tenable has extracted the preceding description block direct...

USN-4922-1: Ruby vulnerability

Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could possibly use this issue to perform an XML round-trip attack...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS : Ruby vulnerability (USN-4922-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-4922-1 advisory. Juho Nurminen discovered that the REXML gem bundled with Ruby incorrectly parsed and serialized XML documents. A remote attacker could...

Amazon Linux AMI : ruby24 (ALAS-2020-1451)

The version of ruby24 installed on the remote host is prior to 2.4.10-2.13. It is, therefore, affected by a vulnerability as referenced in the ALAS-2020-1451 advisory. An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundle...

Field Test gem Cross-Site Request Forgery Vulnerability

Field Test gem is an A/B testing software package. A cross-site request forgery vulnerability exists in Field Test gem versions 0.2.0 through 0.3.2 Ruby. The vulnerability stems from a WEB application that does not adequately validate that a request is coming from a trusted user. An attacker coul...

The vulnerability of the implementation of the Ruby interpreter’s method allows a perpetrator to execute arbitrary code.

The vulnerability of the Ruby interpreter’s implementation is related to the incorrect elimination of special elements in the output data used by the input component. Exploiting this vulnerability allows a malicious actor to execute arbitrary code using the arguments for Shell or Shelltest from t...

Ruby has an unspecified vulnerability

Ruby is a simple and fast object-oriented object-oriented programming scripting language. An unspecified vulnerability exists in Ruby. An attacker can exploit this vulnerability to invoke arbitrary Ruby methods...

Ruby has an unspecified vulnerability (CNVD-2020-12798)

Ruby is a simple and fast object-oriented object-oriented programming scripting language. An unspecified vulnerability exists in Ruby. An attacker could exploit the vulnerability by inserting line breaks to split headers and inject malicious content to spoof the client...

ALPINE-CVE-2019-16255

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument aka the "command" argument to Shell or Shelltest in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method...