Lucene search

2166 matches found

RedhatCVE · added 2022/03/11 11:57 a.m. · 63 views

CVE-2022-23633

A flaw was found in Action Pack, the Rails request-handling layer built on Rack middleware, where response bodies are not closed under certain circumstances. By iterating such requests an attacker can keep ActionDispatch::Executor from running its close callback, so per-request state is never reset and subsequent requests can leak data from...

CVSS 7.4 · AI score 3 · EPSS 0.00187
Exploits 0 · References 4
RedhatCVE · added 2022/02/14 1:37 p.m. · 168 views

CVE-2022-23634

A flaw was found in the Puma and Rails gems: response bodies are not closed under certain situations. An attacker who iterates such requests can take advantage of this to affect CurrentAttributes, leading to leaked data...

CVSS 8 · AI score 3.2 · EPSS 0.00479
Exploits 0 · References 4
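The two entries above describe the same failure mode from both ends: a Rack body that is never closed, and the per-request state that the Executor middleware only resets on close. The following toy model is an added example, not Rails, Rack or Puma code; `Current`, `ClosableBody`, `ToyExecutor` and the `X-User` header are hypothetical stand-ins for ActiveSupport::CurrentAttributes, Rack::BodyProxy, ActionDispatch::Executor and an authenticated request.

```ruby
# Added example (not Rails, Rack or Puma code): a toy model of the Rack body-close
# contract that CVE-2022-23633 / CVE-2022-23634 hinge on. All names are hypothetical.

# Per-thread "current" state, standing in for ActiveSupport::CurrentAttributes.
module Current
  def self.user
    Thread.current[:toy_current_user]
  end

  def self.user=(user)
    Thread.current[:toy_current_user] = user
  end

  def self.reset
    Thread.current[:toy_current_user] = nil
  end
end

# A Rack-style body whose cleanup runs only when #close is called
# (the role Rack::BodyProxy plays for the real Executor middleware).
class ClosableBody
  def initialize(inner, &on_close)
    @inner = inner
    @on_close = on_close
  end

  def each(&block)
    @inner.each(&block)
  end

  def close
    @inner.close if @inner.respond_to?(:close)
    @on_close.call
  end
end

# Executor-style middleware: it relies on the server closing the body to reset state.
class ToyExecutor
  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    [status, headers, ClosableBody.new(body) { Current.reset }]
  end
end

# Application: an "authenticated" request sets Current.user; every request renders it.
APP = lambda do |env|
  Current.user = env["HTTP_X_USER"] if env.key?("HTTP_X_USER")
  [200, { "content-type" => "text/plain" }, ["hello #{Current.user.inspect}"]]
end

# Constructed traffic: an authenticated request followed by an anonymous one.
REQUESTS = [{ "HTTP_X_USER" => "alice" }, {}].freeze

# Drives the stack the way a server would. A server that never calls body.close
# (the affected behaviour) leaves the previous request's state in place.
def serve(requests, close_body:)
  Current.reset
  stack = ToyExecutor.new(APP)
  requests.map do |env|
    _status, _headers, body = stack.call(env)
    rendered = +""
    body.each { |chunk| rendered << chunk }
    body.close if close_body
    rendered
  end
end

def leaking_server
  serve(REQUESTS, close_body: false) # the anonymous second request still sees "alice"
end

def correct_server
  serve(REQUESTS, close_body: true)  # state is reset between requests
end

if __FILE__ == $PROGRAM_NAME
  p leaking_server # => ["hello \"alice\"", "hello \"alice\""]
  p correct_server # => ["hello \"alice\"", "hello nil"]
end
```

The leak needs only one skipped `close`; after that every request served by the same thread inherits the stale state until something else resets it, which is why the advisories speak of an attacker iterating requests rather than a single crafted one.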
Positive Technologies · added 2022/02/08 12:00 a.m. · 2 views

PT-2022-13238 · Rubygems +1

Name of the vulnerable software and affected versions: Publify versions prior to 9.2.7. Description: the issue concerns business logic errors in the Publify repository. This affects the Rubygems typo package as well. There is no information provided about the estimated number of potentially affect...

CVSS 7.5 · AI score 6.4 · EPSS 0.00314
Exploits 1 · References 10
Debian · added 2022/02/03 7:26 p.m. · 54 views

[SECURITY] [DSA 5066-1] ruby2.5 security update

-------------------------------------------------------------------------
Debian Security Advisory DSA-5066-1                    security@debian.org
https://www.debian.org/security/                        Moritz Muehlenhoff
February 03, 2022                     https://www.debian.org/security/faq
-...

CVSS 7.5 · AI score 8.6 · EPSS 0.00765
Exploits 4
OpenVAS · added 2022/01/28 12:00 a.m. · 28 views

Mageia: Security Advisory (MGASA-2017-0482)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 9.8 · AI score 9.1 · EPSS 0.20215
Exploits 6 · References 5
OpenVAS · added 2022/01/28 12:00 a.m. · 29 views

Mageia: Security Advisory (MGASA-2013-0297)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 4.3 · AI score 5.8 · EPSS 0.02017
Exploits 0 · References 7
OpenVAS · added 2022/01/28 12:00 a.m. · 21 views

Mageia: Security Advisory (MGASA-2020-0243)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 9.8 · AI score 7.4 · EPSS 0.06225
Exploits 1 · References 4
The Hacker News · added 2021/12/09 6:59 a.m. · 36 views

Over a Dozen Malicious NPM Packages Caught Hijacking Discord Servers

At least 17 malware-laced packages have been discovered on the NPM package registry, adding to a recent barrage of malicious software hosted and delivered through open-source software repositories such as PyPI and RubyGems. DevOps firm JFrog said the libraries, now taken down, were designed to gr...

AI score 0.8
Exploits 0
RedhatCVE · added 2021/11/25 7:11 p.m. · 36 views

CVE-2021-41819

A flaw was found in Ruby. The RubyGems cgi gem could allow a remote attacker to conduct spoofing attacks because the CGI::Cookie.parse function mishandles security prefixes in cookie names: it URL-decodes the names, so an encoded name can decode to one carrying a __Host- or __Secure- prefix. By sending a specially crafted request, an attacker could perform cookie prefix spoofing attacks...

CVSS 7.5 · AI score 7.4 · EPSS 0.00765
Exploits 1 · References 3
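The spoof works only if the parser decodes the cookie name before the application compares it against a trusted prefix. The example below is added here and is not the cgi gem's code: it shows a parser that decodes names, as the vulnerable CGI::Cookie.parse did, beside one that treats the name as an opaque token, and runs both over a constructed Cookie header in which an attacker-controlled `__%48ost-session` cookie precedes the legitimate `__Host-session` one. The function and cookie names are hypothetical.

```ruby
require "uri"

# Added example (not the cgi gem's code): two Cookie-header parsers, one that
# URL-decodes cookie names as the vulnerable CGI::Cookie.parse did, and one that
# leaves names exactly as sent. The header and cookie names are constructed.

# Vulnerable shape: decoding the name lets "__%48ost-" become "__Host-".
def parse_cookies_decoding_names(header)
  header.split(/[;,]\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.strip.empty?
    name  = URI.decode_www_form_component(name.strip)
    value = URI.decode_www_form_component((value || "").strip)
    (cookies[name] ||= []) << value
  end
end

# Hardened shape: a cookie name is an opaque token; only the value is decoded,
# so an encoded prefix stays a different, untrusted name.
def parse_cookies_strict(header)
  header.split(/[;,]\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.strip.empty?
    name  = name.strip
    value = URI.decode_www_form_component((value || "").strip)
    (cookies[name] ||= []) << value
  end
end

# Prefix rules a server relies on: a browser only sends __Host-/__Secure- cookies
# it accepted from a secure origin (and __Host- only for this exact host, path "/"),
# so an application that keys trust on the prefix must see the undecoded name.
def prefixed?(name)
  name.start_with?("__Host-", "__Secure-")
end

# Constructed request: the attacker-controlled cookie is listed first, as one
# injected from a sibling subdomain or an insecure origin could be.
ATTACK_HEADER = "__%48ost-session=attacker; __Host-session=legit".freeze

def spoof_demo(header = ATTACK_HEADER)
  {
    legacy: parse_cookies_decoding_names(header),
    strict: parse_cookies_strict(header)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo = spoof_demo
  p demo[:legacy]["__Host-session"]                 # => ["attacker", "legit"]  (spoofed value first)
  p demo[:strict]["__Host-session"]                 # => ["legit"]
  p demo[:strict].keys.select { |n| prefixed?(n) }  # => ["__Host-session"]
end
```

With the decoding parser the application sees two values under `__Host-session` and, taking the first, the attacker's; with the strict parser the encoded name is a separate cookie that never passes the prefix check.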
OpenVAS · added 2021/06/09 12:00 a.m. · 20 views

SUSE: Security Advisory (SUSE-SU-2016:1146-1)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2021 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 7.5 · AI score 6.7 · EPSS 0.90494
Exploits 19 · References 4
Hacker One · added 2021/05/07 1:45 a.m. · 13 views

Ruby: XSS in HTML generated by RDoc

Vulnerability description not provided...

AI score 7.1
Exploits 0
RubySec · added 2021/04/14 12:00 a.m. · 16 views

Cross-Site Request Forgery (CSRF) in trestle-auth

Impact: A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account...

CVSS 8.1 · AI score 5.9 · EPSS 0.00144
Exploits 0 · References 1 · Affected Software 1
OSV · added 2021/04/13 8:15 p.m. · 8 views

CVE-2021-29435

trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially...

CVSS 6.5 · AI score 6.7
Exploits 0 · References 3
Prion · added 2021/04/13 8:15 p.m. · 15 views

Design/Logic Flaw

trestle-auth is an authentication plugin for the Trestle admin framework. A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially...

CVSS 4.3 · AI score 6.6 · EPSS 0.00144
Exploits 0 · References 3 · Affected Software 1
OSV · added 2021/04/13 5:01 p.m. · 14 views

GHSA-H8HX-2C5R-32CF Cross-Site Request Forgery (CSRF) in trestle-auth

Impact: A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account...

CVSS 8.1 · AI score 7.1 · EPSS 0.00144
Exploits 0 · References 5
Github Security Blog · added 2021/04/13 5:01 p.m. · 60 views

Cross-Site Request Forgery (CSRF) in trestle-auth

Impact: A vulnerability in trestle-auth versions 0.4.0 and 0.4.1 allows an attacker to create a form that will bypass Rails' built-in CSRF protection when submitted by a victim with a trestle-auth admin session. This potentially allows an attacker to alter protected data, including admin account...

CVSS 8.1 · AI score 4.6 · EPSS 0.00144
Exploits 0 · References 6 · Affected Software 1
CVE · added 2021/04/13 5:00 p.m. · 62 views

CVE-2021-29435

CVE-2021-29435 affects the trestle-auth Ruby gem (versions 0.4.0 and 0.4.1) used with the Trestle admin framework. The issue allows an attacker to craft a form that bypasses Rails CSRF protection when submitted by a victim who has a trestle-auth admin session, potentially enabling alteration of p...

CVSS 8.1 · AI score 6.9 · EPSS 0.00144
Exploits 0 · References 3 · Affected Software 1
Hacker One · added 2021/03/07 7:02 a.m. · 10 views

RubyGems: Bundler's RCE with response using Marshal

A vulnerability was found in Bundler's dependency API endpoint, which uses Marshal serialization. This could allow for remote code execution if a client receives a specially crafted response. The impact is an increased risk from specifying an untrusted source or from a man-in-the-middle attack...

AI score 8
Exploits 0
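Why a Marshal-encoded response is a code-execution risk rather than a parsing bug: Marshal.load instantiates whatever classes the stream names and runs their load hooks while the object graph is still being built, before the caller sees a result. The following is an added example, not Bundler's code: a toy class whose `marshal_load` hook records that it ran, a decoder that refuses Marshal streams and accepts only a validated JSON shape, and a constructed sample response. `AuditedObject`, the JSON field names and the assumed record shape are hypothetical; no real gadget chain is shown.

```ruby
require "json"

# Added example (not Bundler's code): why Marshal.load on a fetched response is
# dangerous, and a decoder that refuses Marshal streams and accepts only a
# narrowly validated JSON shape. Class and field names are hypothetical; the
# real gadget classes that turn this into remote code execution are not shown.

# Any class with a marshal_load hook runs code while Marshal.load is still
# building the object graph, before the caller can inspect anything.
class AuditedObject
  @loads = 0
  class << self
    attr_accessor :loads
  end

  attr_reader :name

  def initialize(name)
    @name = name
  end

  def marshal_dump
    @name
  end

  def marshal_load(name)
    self.class.loads += 1 # stands in for whatever a real gadget would do here
    @name = name
  end
end

def unsafe_decode(bytes)
  Marshal.load(bytes) # executes the hooks of whatever classes the stream names
end

def hook_runs_during_load
  AuditedObject.loads = 0
  response = Marshal.dump(AuditedObject.new("rack")) # constructed "server response"
  unsafe_decode(response)
  AuditedObject.loads # => 1: code ran before the result was even examined
end

MARSHAL_MAGIC = [4, 8].freeze # version bytes that begin every Marshal stream

# Hardened decoder: reject Marshal outright, parse JSON, and accept only the
# assumed shape [{"name","number","dependencies":[[name, requirement], ...]}].
def safe_decode_dependencies(bytes)
  if bytes.bytesize >= 2 && [bytes.getbyte(0), bytes.getbyte(1)] == MARSHAL_MAGIC
    raise ArgumentError, "refusing Marshal stream"
  end

  data = JSON.parse(bytes)
  raise ArgumentError, "expected an array of dependency records" unless data.is_a?(Array)

  data.map do |rec|
    unless rec.is_a?(Hash) && rec["name"].is_a?(String) && rec["number"].is_a?(String)
      raise ArgumentError, "bad dependency record: #{rec.inspect}"
    end
    deps = Array(rec["dependencies"]).map do |pair|
      raise ArgumentError, "bad dependency pair" unless pair.is_a?(Array) && pair.size == 2 && pair.all?(String)
      pair
    end
    { name: rec["name"], number: rec["number"], dependencies: deps }
  end
end

# Constructed sample response in the assumed JSON shape.
SAMPLE_JSON = '[{"name":"rack","number":"2.2.4","dependencies":[]},' \
              '{"name":"rack-test","number":"2.0.2","dependencies":[["rack",">= 1.3"]]}]'.freeze

if __FILE__ == $PROGRAM_NAME
  p hook_runs_during_load                 # => 1
  p safe_decode_dependencies(SAMPLE_JSON) # => [{name: "rack", ...}, {name: "rack-test", ...}]
  begin
    safe_decode_dependencies(Marshal.dump([]))
  rescue ArgumentError => e
    puts e.message                        # => refusing Marshal stream
  end
end
```

The magic-byte check is a belt-and-braces guard for a client that has already stopped calling Marshal.load on network data; the real protection is the JSON path, which builds only Hashes, Arrays and Strings and then validates the shape before anything else touches it.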
Hacker One · added 2021/02/16 5:13 p.m. · 19 views

Basecamp: Insecure Bundler configuration fetching internal Gems (okra) from Rubygems.org

I believe most likely that one of your projects is not set up correctly to only pull internal gems from your internal gem server, and instead will pull gems from Rubygems.org if the version number there is higher. Specifically, the "okra" gem. At around 15:21 today UTC the okra gem that I wrote –...

AI score 1.1
Exploits 0
Snyk · added 2021/02/15 9:24 p.m. · 1 view

Unsafe Dependency Resolution

Overview: Affected versions of this package are vulnerable to Unsafe Dependency Resolution. An issue exists in bundler regarding the priority given to transitive dependencies and to split rubygems source sections in the lockfile. This could lead to a dependency confusion attack in which gems are resolved incorrectly...

CVSS 9.3 · AI score 6.8 · EPSS 0.25071
Exploits 1 · References 2
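The Basecamp report and the Snyk entry above are the two halves of one problem: a Gemfile that lists an internal source without scoping internal gems to it, and a resolver that then picks the higher public version. The check below is an added example, not Bundler's own code: it parses the GEM sections of a constructed Gemfile.lock, lists which gems came from which remote, and flags any internal-only gem that resolved from a public remote or any gem that appears under more than one remote. The lockfile contents, the internal server hostname, the gem list and the function names are assumptions; the Gemfile idiom in the leading comment is Bundler's block form of `source`.

```ruby
# Added example (not Bundler's code): audit a Gemfile.lock for dependency-confusion
# shapes. Hostnames, gem names and the lockfile text are constructed.
#
# The Gemfile pattern that prevents the confusion pins the internal gem to the
# internal source with Bundler's block form of `source`, leaving the plain
# `source` line public:
#   source "https://rubygems.org"
#   source "https://gems.example.internal" do
#     gem "okra"
#   end

# Constructed lockfile: "okra" must only come from the internal server, but a
# higher public version has also been resolved, the dependency-confusion shape.
LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      okra (9.9.9)
      rack (2.2.4)
      rack-test (2.0.2)
        rack (>= 1.3)

  GEM
    remote: https://gems.example.internal/
    specs:
      okra (1.0.0)
        rack (>= 2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    okra
    rack-test
LOCK

PUBLIC_REMOTES = ["https://rubygems.org/"].freeze
INTERNAL_GEMS  = ["okra"].freeze # assumption: names that must never resolve from a public remote

# Returns { remote => [gem names] } from the GEM sections of a lockfile.
# Spec lines sit at exactly four spaces; their sub-dependencies at six and are skipped.
def gems_by_remote(lock)
  result  = Hash.new { |h, k| h[k] = [] }
  section = nil
  remote  = nil
  lock.each_line do |raw|
    line = raw.rstrip
    next if line.empty?
    if line !~ /\A\s/ # top-level header such as GEM, PLATFORMS, DEPENDENCIES
      section = line
      remote  = nil
      next
    end
    next unless section == "GEM"
    if (m = line.match(/\A  remote: (\S+)\z/))
      remote = m[1]
    elsif remote && (m = line.match(/\A    (\S+) \(/))
      result[remote] << m[1]
    end
  end
  result
end

# Findings a CI job would fail the build on.
def confused_gems(lock, internal: INTERNAL_GEMS, public_remotes: PUBLIC_REMOTES)
  by_remote = gems_by_remote(lock)
  findings  = []

  by_remote.each do |remote, names|
    next unless public_remotes.include?(remote)
    (names & internal).each { |n| findings << "#{n} resolved from public remote #{remote}" }
  end

  remotes_for = Hash.new { |h, k| h[k] = [] }
  by_remote.each { |remote, names| names.each { |n| remotes_for[n] << remote } }
  remotes_for.select { |_, rs| rs.size > 1 }.each do |n, rs|
    findings << "#{n} appears under multiple remotes: #{rs.join(', ')}"
  end

  findings
end

if __FILE__ == $PROGRAM_NAME
  puts confused_gems(LOCKFILE)
  # okra resolved from public remote https://rubygems.org/
  # okra appears under multiple remotes: https://rubygems.org/, https://gems.example.internal/
end
```

Run against a real lockfile, the first finding is the one the Basecamp report describes; the second catches the split-source ambiguity the Snyk entry refers to even before a public copy of the name exists, because it fires as soon as the same gem is listed under two remotes.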