Amazon Linux 2 : ruby (ALASRUBY3.0-2023-004)

The version of ruby installed on the remote host is prior to 3.0.5-155. It is, therefore, affected by a vulnerability as referenced in the ALAS2RUBY3.0-2023-004 advisory. The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is releva...

Amazon Linux 2 : ruby (ALASRUBY2.6-2023-005)

The version of ruby installed on the remote host is prior to 2.6.7-126. It is, therefore, affected by a vulnerability as referenced in the ALAS2RUBY2.6-2023-005 advisory. An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious...

Amazon Linux 2 : ruby (ALASRUBY2.6-2023-002)

The version of ruby installed on the remote host is prior to 2.6.9-129. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2RUBY2.6-2023-002 advisory. A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service...

Amazon Linux 2 : ruby (ALASRUBY3.0-2023-001)

The version of ruby installed on the remote host is prior to 3.0.6-156. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2RUBY3.0-2023-001 advisory. A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles...

Amazon Linux 2 : ruby (ALASRUBY2.6-2023-003)

The version of ruby installed on the remote host is prior to 2.6.10-130. It is, therefore, affected by a vulnerability as referenced in the ALAS2RUBY2.6-2023-003 advisory. The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is...

Amazon Linux 2 : ruby (ALASRUBY3.0-2023-002)

The version of ruby installed on the remote host is prior to 3.0.4-155. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2RUBY3.0-2023-002 advisory. A double-free vulnerability was found in Ruby. The issue occurs during Regexp compilation. This flaw allows an attack...

Amazon Linux 2 : ruby (ALASRUBY2.6-2023-007)

The version of ruby installed on the remote host is prior to 2.6.6-125. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2RUBY2.6-2023-007 advisory. jQuery before 1.9.0 is vulnerable to Cross-site Scripting XSS attacks. The jQuerystrInput function does not...

Amazon Linux 2 : ruby (ALASRUBY3.0-2023-006)

The version of ruby installed on the remote host is prior to 3.0.1-148. It is, therefore, affected by a vulnerability as referenced in the ALAS2RUBY3.0-2023-006 advisory. An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious...

Medium: ruby

Issue Overview: An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the privileges of the user running rdoc. CVE-2021-31799 Affected Packages: ruby Note:...

Medium: ruby

Issue Overview: An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy whi...

The vulnerability of the `sanitize_html` function in Ruby Redcloth software allows a hacker to cause a service failure.

The vulnerability of the sanitizehtml function in Ruby Redcloth text processing software is related to the use of a regular expression with inefficient computational complexity. Exploiting this vulnerability could allow an attacker to cause service interruptions remotely...

Important: ruby

Issue Overview: CGI.escapehtml in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms such as Windows where sizet and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby. CVE-2021-41816 A...

Important: ruby

Issue Overview: The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. CVE-2021-33621 Affected Packages:...

Medium: ruby

Issue Overview: An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that ar...

Medium: ruby

Issue Overview: A buffer overrun vulnerability was found in Ruby. The issue occurs in a conversion algorithm from a String to a Float that causes process termination due to a segmentation fault, but under limited circumstances. This flaw may cause an illegal memory read. CVE-2022-28739 Affected...

Medium: ruby

Issue Overview: An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that ar...

Medium: ruby

Issue Overview: A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service ReDoS during the parsing of dates. This flaw allows an attacker to hang a ruby application by providing a specially crafted date string. The highest threat to this...

Medium: ruby

Issue Overview: An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the privileges of the user running rdoc. CVE-2021-31799 Affected Packages: ruby Note:...

Important: ruby

Issue Overview: A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 a...

Important: ruby

Issue Overview: The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. CVE-2021-33621 Affected Packages:...