
2166 matches found

Tenable Nessus
added 2021/01/29 12:00 a.m.

CentOS 8 : ruby:2.5 (CESA-2019:1972)

The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the CESA-2019:1972 advisory. - rubygems: Installing a malicious gem may lead to arbitrary code execution CVE-2019-8324 Note that Nessus has not tested for this issue but has instead relied...

CVSS 8.8, AI score 8.1, EPSS 0.00501
Exploits 0, References 2
ThreatPost
added 2020/12/17 7:17 p.m.

RubyGems Packages Laced with Bitcoin-Stealing Malware

RubyGems, an open-source package repository and manager for the Ruby web programming language, has taken two of its software packages offline after they were found to be laced with malware. RubyGems provides a standard format for distributing Ruby programs and libraries in the service of building...

AI score 7.3
Exploits 0, References 14
CVE
added 2020/10/21 8:05 p.m.

CVE-2020-15244

CVE-2020-15244 affects OpenMage/magento-lts within Magento: prior to versions 19.4.8 and 20.0.4, an admin can generate SOAP credentials that enable PHP Object Injection through product attributes and a product, leading to remote code execution. The issue is patched in 19.4.8 and 20.0.4.

CVSS 8, AI score 7.1, EPSS 0.0087
Exploits 0, References 3, Affected Software 1
NVD
added 2020/10/21 6:15 p.m.

CVE-2020-15240

omniauth-auth0 rubygems versions >= 2.3.0 and <= 2.4.1 improperly validate the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all ...

CVSS 9.1, EPSS 0.00087
Exploits 0, References 3
OSV
added 2020/10/21 6:15 p.m.

CVE-2020-15240

omniauth-auth0 rubygems versions >= 2.3.0 and <= 2.4.1 improperly validate the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all ...

CVSS 9.1, AI score 6.9
Exploits 0, References 3
UbuntuCve
added 2020/10/21 6:15 p.m.

CVE-2020-15240

omniauth-auth0 rubygems versions >= 2.3.0 and <= 2.4.1 improperly validate the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all ...

CVSS 9.1, AI score 7.2, EPSS 0.00087
Exploits 0, References 3
CVE
added 2020/10/21 5:25 p.m.

CVE-2020-15240

Summary: The vulnerability CVE-2020-15240 affects the Ruby gem omniauth-auth0 (versions >= 2.3.0 and

CVSS 9.1, AI score 8.4, EPSS 0.00087
Exploits 0, References 3, Affected Software 1
Cvelist
added 2020/10/21 5:25 p.m.

CVE-2020-15240 Regression in JWT Signature Validation

omniauth-auth0 rubygems versions >= 2.3.0 and <= 2.4.1 improperly validate the JWT token signature when using the jwt_validator.verify method. Improper validation of the JWT token signature can allow an attacker to bypass authentication and authorization. You are affected by this vulnerability if all ...

CVSS 7.4, AI score 9.3, EPSS 0.00087
Exploits 0, References 3
Github Security Blog
added 2020/07/31 5:40 p.m.

Missing TLS certificate verification in faye-websocket

The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a...

CVSS 8.7, AI score 8.1, EPSS 0.00143
Exploits 1, References 14, Affected Software 1
OSV
added 2020/07/31 5:40 p.m.

GHSA-2V5C-755P-P4GV Missing TLS certificate verification in faye-websocket

The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a...

CVSS 8, AI score 7.8, EPSS 0.00143
Exploits 1, References 14
RubySec
added 2020/07/31 12:00 a.m.

Missing TLS certificate verification in faye-websocket

The Faye::WebSocket::Client class uses the EM::Connection#start_tls method in EventMachine to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a...

CVSS 8.7, AI score 6.6, EPSS 0.00143
Exploits 1, References 1, Affected Software 1
RedHat Linux
added 2020/06/30 12:12 p.m.

rubygems: Escape sequence injection vulnerability in errors

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. There are many ways to cause an error...

CVSS 7.5, AI score 6.7, EPSS 0.00321
Exploits 0, References 4
RedHat Linux
added 2020/06/30 12:12 p.m.

rubygems: Escape sequence injection vulnerability in gem owner

An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur...

CVSS 7.5, AI score 6.7, EPSS 0.00321
Exploits 0, References 4
RedHat Linux
added 2020/06/30 12:12 p.m.

rubygems: Escape sequence injection vulnerability in API response handling

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur...

CVSS 7.5, AI score 6.7, EPSS 0.00321
Exploits 0, References 4
RedHat Linux
added 2020/06/30 12:12 p.m.

rubygems: Escape sequence injection vulnerability in verbose

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible...

CVSS 7.5, AI score 6.7, EPSS 0.00321
Exploits 0, References 4
RedHat Linux
added 2020/06/30 12:12 p.m.

rubygems: Installing a malicious gem may lead to arbitrary code execution

A flaw was found in RubyGems. A crafted gem with a multi-line name is not handled correctly, allowing an attacker to inject arbitrary code into the stub line of the gemspec. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 8.8, AI score 7.3, EPSS 0.00501
Exploits 0, References 6
OSV
added 2020/06/10 9:39 p.m.

MGASA-2020-0243 Updated ruby-RubyGems packages fix security vulnerability

Updated ruby-RubyGems package fixes security vulnerabilities. The following vulnerabilities have been reported. CVE-2019-8320: Delete directory using symlink when decompressing tar. CVE-2019-8321: Escape sequence injection vulnerability in verbose. CVE-2019-8322: Escape sequence injection...

CVSS 9.8, AI score 7.8, EPSS 0.06225
Exploits 1, References 3
Mageia
added 2020/06/10 9:39 p.m.

Updated ruby-RubyGems packages fix security vulnerability

Updated ruby-RubyGems package fixes security vulnerabilities. The following vulnerabilities have been reported. CVE-2019-8320: Delete directory using symlink when decompressing tar. CVE-2019-8321: Escape sequence injection vulnerability in verbose. CVE-2019-8322: Escape sequence injection...

CVSS 9.8, AI score 2, EPSS 0.06225
Exploits 1, References 2
Snyk
added 2020/04/17 12:00 a.m.

Malicious Package

Overview: active-model-policy is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run malicious 3rd party scripts. It imitated genuine package names by replacing an _ with a - and vice versa. Remediation: Avoid using...

CVSS 8, AI score 6.7
Exploits 0, References 2
Snyk
added 2020/04/17 12:00 a.m.

Malicious Package

Overview: campaign-monitorsubscriber is a malicious package. Affected versions of this package were found to be a Malicious Package, as it utilised typosquatting to run malicious 3rd party scripts. It imitated genuine package names by replacing an _ with a - and vice versa. Remediation: Avoid using...

CVSS 8, AI score 6.9
Exploits 0, References 2