13977 matches found
Astra Linux - уязвимость в ruby2.5
A issue was discovered in RDoc versions 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdocoptions used for configuration in RDoc as a YAML file, object injection and resulting remote code execution are possible because there are no restrictions on the classes that c...
Astra Linux - уязвимость в ruby-rails-html-sanitizer
Rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version 1.4.4, there was a potential XSS vulnerability with certain configurations of Rails::Html::Sanitizer, due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer might allow an attacke...
Astra Linux - уязвимость в ruby2.5
There is a buffer over-read issue in Ruby before version 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. This issue occurs during the conversion from strings to floats, including in methods like KernelFloat and Stringtof...
Astra Linux - уязвимость в ruby-sinatra
In versions of Sinatra before 2.2.0, it does not validate that the expanded path matches publicdir when serving static files...
Astra Linux - уязвимость в ruby2.5
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as . If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or later include the patches to fix...
Astra Linux - уязвимость в ruby2.5
A buffer-overread issue was discovered in StringIO 3.0.1, which is available in Ruby 3.0.x through 3.0.6, and in Ruby 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.3 is...
Astra Linux - уязвимость в ruby-rack
A security vulnerability exists in versions of Rack 2.2.3 and Rack 2.1.4, where reliance on cookies without validation/integrity checks allows an attacker to forge a secure or host-only cookie prefix...
Astra Linux - уязвимость в ruby2.5
A vulnerability was discovered in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...
Astra Linux - уязвимость в ruby2.5
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to this vulnerability...
Astra Linux - уязвимость в ruby2.5
In the URI gem before version 1.0.3 for Ruby, the URI handling methods URI.join, URImerge, URI+ inadvertently allowed authentication credentials to be leaked, as the userinfo was retained even after changing the host...
Astra Linux - уязвимость в ruby2.5
In Ruby, the CGI::Cookie.parse method used from version 2.6.8 mishandles security prefixes in cookie names. This issue also affects the CGI gem used from version 0.3.0 in Ruby...
Astra Linux - уязвимость в ruby-rack
There is a denial-of-service vulnerability in the header parsing component of Rack...
Astra Linux - уязвимость в ruby-rack
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser buffers the entire multipart preamble bytes before the first boundary in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing...
Astra Linux - уязвимость в ruby2.5
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allow HTTP response splitting. This is relevant for applications that use untrusted user input, either to generate an HTTP response or to create a CGI::Cookie object...
Astra Linux - уязвимость в ruby2.5, jruby
A issue was discovered in Ruby between versions 2.6.7, 2.7.x up to 2.7.3, and 3.x up to 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a specified IP address and port. This potentially allows curl to extract information about services that would...
Astra Linux - уязвимость в ruby2.5
In the CGI gem before version 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service DoS vulnerability. This method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumpti...
Astra Linux - уязвимость в ruby-rack
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the...
Astra Linux - уязвимость в ruby-rails-html-sanitizer
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions = 1.0.3, = 2.1.0. This issue is patched in version 1.4.4...
Astra Linux - уязвимость в ruby-nokogiri
A command injection vulnerability exists in Nokogiri v1.10.3 and earlier. This vulnerability allows commands to be executed in a subprocess via Ruby’s Kernel.open method. Processes become vulnerable only if the undocumented method Nokogiri::CSS::Tokenizerloadfile is called with unsafe user input ...
Astra Linux - уязвимость в ruby-rack
There is a DoS vulnerability in Rack versions v3.0.4.2, v2.2.6.3, v2.1.4.3, and v2.0.9.3, particularly in the Multipart MIME parsing code. This vulnerability could allow an attacker to craft requests that can be abused to cause the multipart parsing to take longer than expected...