14164 matches found
UBUNTU-CVE-2024-21647
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limit the size of chunk extensions. Without this limit, an...
CVE-2024-21647 HTTP Request/Response Smuggling in puma
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limit the size of chunk extensions. Without this limit, an...
CVE-2024-21647
Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limit the size of chunk extensions. Without this limit, an...
OESA-2024-1007 rubygem-puma security update
A simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Security Fixes: Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the...
RDoc: Command Injection
Background RDoc produces HTML and command-line documentation for Ruby projects. Description A vulnerability has been discovered in RDoc. Please review the CVE identifier referenced below for details. Impact RDoc used to call Kernel#open to open a local file. If a Ruby project has a file whose name...
GLSA-202401-05 : RDoc: Command Injection
The remote host is affected by the vulnerability described in GLSA-202401-05 RDoc: Command Injection - In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. CVE-2021-31799 Note that Nessus has not test...
CVE-2024-21636
viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the...
Cross site scripting
viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the...
CVE-2024-21636 view_component Cross-site Scripting vulnerability
viewcomponent is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the...
CVE-2024-21636
CVE-2024-21636 affects the ViewComponent framework for Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 allow cross-site scripting when a component defines a #call method and returns unescaped content, and when #output_postamble also returns unescaped content. The vulnerability applies to render...
PT-2024-18986
Name of the Vulnerable Software and Affected Versions: view component versions prior to 3.9.0 and 2.83.0 Description: The view component framework for Ruby on Rails has a cross-site scripting issue that can impact anyone rendering a component directly from a controller with the view component gem...
NewStart CGSL MAIN 6.06 : ruby Vulnerability (NS-SA-2023-0084)
The remote NewStart CGSL host, running version MAIN 6.06, has ruby packages installed that are affected by a vulnerability: - There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including...
Improper Verification of Cryptographic Signature
Overview json-jwt is a JSON Web Token and its family JSON Web Signature, JSON Web Encryption and JSON Web Key in Ruby. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to a sign/encryption confusion attack via the JSON::JWT.decode function...
CVE-2023-51774
Removed by vendor...
CVE-2023-51774
The CVE-2023-51774 entry concerns the json-jwt (JSON::JWT) Ruby gem, with version 1.16.3 publicly reported as vulnerable to a sign/encryption confusion attack that can bypass identity checks (e.g., JSON::JWT.decode). The NVD entry confirms a high-severity impact (C/H/I/A) with local/low attack co...
Active Admin security vulnerability
Active Admin is an open source Ruby on Rails framework. It is used to create the backend for website management. A security vulnerability exists in versions prior to Active Admin 3.2.0, which stems from a CSV injection vulnerability in the file csvbuilder.rb...
CVE-2023-50727
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /". This issue has been patched in version 2.6.0...
Cross site scripting
Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /". This issue has been patched in version 2.6.0...