Ruby SAML allows a SAML authentication bypass due to DOCTYPE handling (parser differential)
Summary An authentication bypass vulnerability was found in ruby-saml due to a parser differential. REXML and Nokogiri parse XML differently, so the two parsers can produce entirely different document structures from the same XML input. That allows an attacker to execute a Signature Wrapping...
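The entry above names DOCTYPE handling as the root of the parser differential. The conservative mitigation a practitioner reaches for is to refuse any SAML message that carries a DOCTYPE declaration before either parser touches it, so that both parsers only ever see the same DOCTYPE-free input. The following is an added illustration of that pre-parse check, not ruby-saml's own code; it uses only the REXML parser that ships with Ruby (Nokogiri is not required), the constants, function names and the sample messages are constructed for the example, and the DOCTYPE rejection is shown as a hardening step, not as a description of the ruby-saml patch.

```ruby
require "rexml/document"

# Added example (not ruby-saml's code): a SAML message must never carry a
# DOCTYPE. The XML spec requires the literal string "<!DOCTYPE", so a
# case-insensitive scan of the raw bytes fails closed on any attempt to slip
# one in (a false positive on a comment containing the text is acceptable).
DOCTYPE_PATTERN = /<!DOCTYPE/i

def contains_doctype?(xml)
  xml.match?(DOCTYPE_PATTERN)
end

# Parses the message with REXML only after the DOCTYPE check has passed.
# Raises ArgumentError instead of letting a parser decide what the DOCTYPE means.
def parse_saml_strict(xml)
  if contains_doctype?(xml)
    raise ArgumentError, "DOCTYPE declarations are not permitted in SAML messages"
  end
  REXML::Document.new(xml)
end

# What an unguarded caller gets: REXML accepts the DOCTYPE and parses the
# document anyway, so the check above has to run before parsing, not after.
def lenient_root_name(xml)
  REXML::Document.new(xml).root.name
end

def strict_accepts?(xml)
  parse_saml_strict(xml)
  true
rescue ArgumentError
  false
end

# Constructed sample messages (not a real IdP response); the namespaces are
# the standard SAML 2.0 ones, everything else is made up for the example.
BENIGN_RESPONSE = <<~XML
  <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1">
    <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://idp.example</saml:Issuer>
  </samlp:Response>
XML

# Same message with an internal DTD subset that defines an entity used in the
# Issuer; the entity is harmless here, the point is that a DOCTYPE is present.
DOCTYPE_RESPONSE =
  "<!DOCTYPE Response [ <!ENTITY iss \"https://idp.example\"> ]>\n" +
  BENIGN_RESPONSE.sub("https://idp.example", "&iss;")

if __FILE__ == $PROGRAM_NAME
  puts "benign accepted:  #{strict_accepts?(BENIGN_RESPONSE)}"
  puts "doctype accepted: #{strict_accepts?(DOCTYPE_RESPONSE)}"
  puts "unguarded REXML still parses the DOCTYPE message: root=#{lenient_root_name(DOCTYPE_RESPONSE)}"
end
```

Run the file directly to see both outcomes; the strict path accepts the plain message and rejects the one with a DOCTYPE, while a caller that parses first and checks later would never notice the difference.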
Out-of-bounds Read in Ruby JSON Parser
Impact A specially crafted document could cause an out-of-bounds read, most likely resulting in a crash. Versions 2.10.0 and 2.10.1 are impacted. Older versions are not. Patches Version 2.10.2 fixes the problem. Workarounds None...
OPENSUSE-SU-2025:14875-1 ruby3.4-rubygem-rack-3.1.12-1.1 on GA media
These are all security issues fixed in the ruby3.4-rubygem-rack-3.1.12-1.1 package on the GA media of openSUSE Tumbleweed...
UBUNTU-CVE-2025-27610
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly. The vulnerability occurs becaus...
GHSA-7WQH-767X-R66V vulnerabilities
Vulnerabilities for packages: ruby4.0-rack, ruby3.4-rails, ruby3.3-rails, kube-fluentd-operator, ruby3.2-rails, ruby3.3-rack, ruby3.4-rack, ruby3.2-rack, logstash...
CVE-2025-27610 Local File Inclusion in Rack::Static
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly. The vulnerability occurs becaus...
CVE-2025-27610
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly. The vulnerability occurs becaus...
Rack security vulnerability
Rack is a modular Ruby web server interface. Rack versions prior to 2.2.13, prior to 3.0.14, and prior to 3.1.12 are affected by a vulnerability that stems from Rack::Static not properly sanitizing user-supplied paths, which could lead to file exposure...
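The Rack::Static entries above describe the same condition from several sources: a handler configured with a root: directory and a urls: allow-list served files outside the listed prefixes, because the request path was not sanitized before the prefix check and the filesystem lookup. The block below is an added illustration of the checks a static-file handler needs, not Rack's own implementation and not the patch; the class name, the ordering of the steps and the temporary-directory fixture are all constructed for the example. It decodes the path first, normalizes it, applies the prefix allow-list to the normalized form, and only then maps it onto the filesystem and confirms the real path is still inside root.

```ruby
require "tmpdir"

# Added example (not Rack's code): allow-list check for a static-file handler
# configured like Rack::Static with root: and urls:.
class StaticFileGuard
  def initialize(root:, urls:)
    # realpath so that a symlinked root (e.g. /tmp on macOS) compares correctly
    @root = File.realpath(root)
    @urls = urls.map { |u| u.end_with?("/") ? u.chomp("/") : u }
  end

  # Returns the absolute file path to serve, or nil when the request is refused.
  def resolve(request_path)
    return nil unless request_path.start_with?("/")

    # 1. Percent-decode before any comparison, so "%2e%2e" is seen as "..".
    decoded = request_path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
    decoded = decoded.dup.force_encoding(Encoding::UTF_8)
    return nil unless decoded.valid_encoding?
    return nil if decoded.include?("\0")

    # 2. Collapse "." and ".." segments; "/public/../secret.txt" becomes "/secret.txt".
    normalized = File.expand_path(decoded, "/")

    # 3. The allow-list is applied to the normalized path, not the raw request.
    return nil unless @urls.any? { |u| normalized == u || normalized.start_with?("#{u}/") }

    # 4. Map onto the filesystem and confirm the real target is still under root
    #    (this also refuses symlinks that point outside root).
    candidate = File.join(@root, normalized)
    begin
      real = File.realpath(candidate)
    rescue Errno::ENOENT, Errno::ENOTDIR
      return nil
    end
    return nil unless real.start_with?("#{@root}#{File::SEPARATOR}")
    return nil unless File.file?(real)
    real
  end
end

# Constructed fixture: a temporary root with one public asset and one file that
# must never be served. Returns request_path => served? for a set of probes.
def static_guard_demo
  Dir.mktmpdir("static-guard-demo") do |root|
    Dir.mkdir(File.join(root, "public"))
    File.write(File.join(root, "public", "app.js"), "console.log('hi')")
    File.write(File.join(root, "secret.txt"), "do not serve")

    guard = StaticFileGuard.new(root: root, urls: ["/public"])
    probes = [
      "/public/app.js",             # listed prefix, real file: served
      "/secret.txt",                # under root but not under a listed prefix
      "/public/../secret.txt",      # normalizes out of the prefix
      "/public/%2e%2e/secret.txt",  # encoded traversal
      "/public/..%2fsecret.txt",    # encoded separator
      "/public/app.js%00.txt"       # NUL byte
    ]
    probes.to_h { |p| [p, !guard.resolve(p).nil?] }
  end
end

if __FILE__ == $PROGRAM_NAME
  static_guard_demo.each { |path, served| puts "#{served ? 'serve ' : 'refuse'} #{path}" }
end
```

The order matters: decoding after the prefix check, or checking the prefix against the raw path, is exactly what lets a listed prefix be used to reach other files under root. Running the file prints one line per probe; only the plain asset under the listed prefix is served.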
Debian dla-4082 : libruby2.7 - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4082 advisory. - ------------------------------------------------------------------------- Debian LTS Advisory DLA-4082-1 [email protected]...
DLA-4082-1 ruby2.7 - security update
Bulletin has no description...
ruby3.4-rubygem-rack-2.2-2.2.12-1.1 on GA media (moderate)
ruby3.4-rubygem-rack-2.2-2.2.12-1.1 on GA media Announcement ID: openSUSE-SU-2025:14859-1 Rating: moderate Cross-References: CVE-2025-27111 CVSS scores: CVE-2025-27111 SUSE : 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVE-2025-27111 SUSE : 6.9...
Malicious code in poc-by-shahwar (RubyGems)
Source: ossf-package-analysis 6381347b8b3c6e2f8f2d7aa1b39647e7f7444e10122cd821b80ae6b3d05c5a7e The OpenSSF Package Analysis project identified 'poc-by-shahwar' @ 0.1.0 rubygems as malicious. It is considered malicious because: - The packag...
Malicious code in poc-genrateed-by-noob (RubyGems)
Source: ossf-package-analysis 2adff977f2503f0afe5fb20e3154fa4f8c9a3d0fa5dc7a96613fb5b9434673b4 The OpenSSF Package Analysis project identified 'poc-genrateed-by-noob' @ 0.1.0 rubygems as malicious. It is considered malicious because: - The...
Malicious code in evil_gem (RubyGems)
Source: ossf-package-analysis e1cbacc9bc6d36bcde7b6cb93df89df1fae5c8f70a841dc916a8ba6cdad2ff95 The OpenSSF Package Analysis project identified 'evilgem' @ 0.1.0 rubygems as malicious. It is considered malicious because: - The package...
Linux Distros Unpatched Vulnerability : CVE-2017-17917
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SQL injection vulnerability in the 'where' method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the 'id'...
Linux Distros Unpatched Vulnerability : CVE-2010-3299
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks. CVE-2010-3299 Note that Nessus relies on the presence of the packag...
Linux Distros Unpatched Vulnerability : CVE-2025-0306
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted...