Lucene search
K
RubygemsRecent

1252 matches found

RubySec
RubySec
added 3 days ago2 views

Decidim - Private exports can be downloaded through reusable links

Description The normal downloadyourdata flow requires the requester to be logged in as the export owner, but the resulting Active Storage blob redirect URL can be replayed without authentication by anyone who obtains it. Impact Personal data exports can be retrieved through leakage channels such ...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - Forms admin question editor lacks authorization

Description A participant can load the demographics questionnaire admin editor and make changes. Impact - Low-privilege users can access questionnaire-admin interfaces. - They can read question-management surfaces that should remain limited to questionnaire managers. Credits This issue was...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - CSV census record endpoints improper authorization

Description A participant manager can access and modify the CSV census record admin forms. Impact Any participant admin can create, alter, or remove CSV census rows, which can corrupt verification data relied on by authorization workflows. Credits This issue was discovered in a security audit...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - Verification documents can be downloaded through reusable links

Description Scanned identity-document images provided by participants and shown in the verification admin workflow are exposed through signed /rails/activestorage/disk/ URLs that can be fetched without any authenticated session. Anyone who obtains one of those URLs can retrieve the document until...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - JWT-backed authentication can be replayed across organizations

Description A JWT issued to an Org 1 account is accepted on the Org 2 API and can read the admin-only GraphQL participantDetails field for an Org 2 participant. The same trust-boundary problem also affects API-user authentication: an Org 1 API user can use a JWT on the Org 1 host and replay that...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - Verification admins can access supplied IDs from other organizations

Description The verification admin mutation flow allows accessing, verifying, and rejecting participants records from another tenant. Impact A tenant admin can access, reject or approve another tenant's iddocuments requests. Credits This issue was discovered in a security audit organized by the...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - Admin user search allows SQL injection through similarity-based sorting

Description The admin organization user search uses the untrusted term value inside raw SQL ORDER BY expressions. Because the value is interpolated before Rails sanitization is applied, a crafted search string is executed by PostgreSQL as part of the sort expression. Impact - Exploitation require...

6.2AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - HTML content blocks allow stored script execution

Description A privileged admin user who can edit an affected landing page can store arbitrary HTML/JavaScript in an HTML block, and the public page renders it with htmlsafe and no output escaping. Impact - A user with landing-page editing rights for an affected scope can persist JavaScript that...

6.2AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 3 days ago2 views

Decidim - Push subscriptions can be abused for server-side requests

Description The push-subscription endpoint stores an attacker-controlled delivery URL, and the notification send path becomes an outbound-request sink when VAPID delivery is enabled. The practical result is an authenticated, stored, mostly blind SSRF primitive to arbitrary HTTPS endpoints reachab...

6.2AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/07/02 12:0 a.m.6 views

ruby webrick through v1.9.2 WEBrick reparses trailer

ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length into canonical request state, enabling request smuggling...

7.5CVSS5.9AI score0.00352EPSS
Exploits0References1
RubySec
RubySec
added 2026/06/30 12:0 a.m.6 views

JSON generator heap buffer overflow when streaming to an IO

Ruby JSON is a JSON implementation for Ruby. Versions 2.9.0 through 2.19.8 are vulnerable to heap buffer overflow when the JSON generator is provided with an oversized streamed object. When streaming to an IO JSON.dumpobj, io and JSON::Stategenerateobj, io can write past the internal JSON generat...

3.7CVSS6.1AI score0.00301EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/26 12:0 a.m.4 views

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin inmonitoragent exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally includes internal instance variables of loaded plugins. If any plugins store sensitive...

7.5CVSS5.8AI score0.00482EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/26 12:0 a.m.4 views

Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd's inhttp and inforward plugins support receiving gzip-compressed data. While Fluentd correctly enforces size limits on the incoming compressed payloads e.g., via bodysizelimit or chunksizelimit, it was discovered that there is no limit enforced on the size of the decompressed data. If a...

7.5CVSS5.8AI score0.0062EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/26 12:0 a.m.6 views

Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder

Fluentd allows dynamically constructing file paths using the $tag placeholder. It was discovered that validation for this placeholder was insufficient. If a Fluentd instance is configured to receive logs from untrusted sources and uses the $tag placeholder in file configurations such as the path...

9.8CVSS6.1AI score0.01085EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/26 12:0 a.m.6 views

Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

The outhttp output plugin allows the use of placeholders such as $tag in the endpoint configuration parameter. It was discovered that if the placeholder value is derived from untrusted user input, an attacker can maliciously control the destination hostname of the outbound HTTP requests made by...

7.2CVSS5.9AI score0.00442EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/25 12:0 a.m.7 views

fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

"The fluent-plugin-s3 plugin specifically the ins3 input plugin supports reading and decompressing heavily compressed files such as gzip, lzma2, and lzop from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limi...

5.8AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/25 12:0 a.m.5 views

fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`

The fluent-plugin-opentelemetry plugin specifically the inopentelemetry HTTP input lacked strict size limits on incoming requests. It was discovered that the plugin read the entire request body and decompressed payloads into memory without enforcing maximum size thresholds. If the OpenTelemetry...

5.8AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/23 12:0 a.m.5 views

YARD static cache reads raw traversal paths before router sanitization

Summary YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static...

5.3CVSS5.9AI score0.00273EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.6 views

Concurrent Ruby - `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity

Summary Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITELOCKHELD...

5.5CVSS5.8AI score0.00106EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.7 views

Concurrent Ruby - `AtomicReference#update` livelocks when the stored value is `Float::NAN`

Summary Concurrent::AtomicReferenceupdate can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between: - AtomicReferenceupdate, which retries until compareandsetoldvalue, newvalue succeeds. - Numeric compareandset, which checks old ==...

8.2CVSS5.9AI score0.00278EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Concurrent Ruby - ReadWriteLock allows wrong-thread write release and stray read-release counter corruption

Summary Concurrent::ReadWriteLockreleasewritelock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still...

9.8CVSS5.9AI score0.0016EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.5 views

Oj- Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking

Summary Oj::Parser in usual mode does not mark arrayclass and hashclass references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed...

6.3CVSS5.8AI score0.00253EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.5 views

Oj - Stack Buffer Overflow in Oj.dump via Large Indent

Summary Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fillindent in dump.h calls memsetindentstr, ' ', sizetopts-indent without validating the size. When opts-indent is set to INTMAX 2,147,483,647, the sizet cast preserves the larg...

6.3CVSS6.3AI score0.00257EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle

Summary Disabling symbolkeys on a reused Oj::Parser instance triggers a heap use-after-free. When symbolkeys is toggled from true to false, optsymbolkeysset frees the internal key cache cachefree but does not clear the pointer. The next parse call reads from the freed cache via cacheintern,...

6.3CVSS5.8AI score0.00428EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.8 views

Oj - intern.c form_attr (uninitialized stack read)

Summary Oj.load in :object mode reads uninitialized stack memory and, for long keys, reads out of bounds when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. Impact Information disclosure of process stack memor...

5.3CVSS5.9AI score0.00197EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.7 views

Oj - Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

Summary Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the...

2.1CVSS6.1AI score0.00119EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.7 views

Oj - Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input

Summary Oj::Doceachchild, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. Impact Reliable denial of service: any endpoint that calls Oj::Doc.openuntrusted |d|...

7.5CVSS6AI score0.00263EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.7 views

Oj - Use-After-Free in Oj::Doc Iterators via Reentrant Close

Summary Oj::Doc iterators eachvalue, eachchild, eachleaf are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator rea...

2.1CVSS5.8AI score0.00117EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.7 views

Oj - Use-After-Free in Oj::Parser SAJ Callback via Input Mutation

Summary Oj::Parserparse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte pointer into the Ruby string's internal buffer. If a callback e.g. hashstart resizes the string — for example by calling...

2.1CVSS5.9AI score0.00117EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.6 views

Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling

Summary Oj::Parserparse in usual mode with createid enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in formattr usual.c:63 converts the length to -1 before passing it to memcpy. This causes memcpy to...

6.3CVSS5.8AI score0.00253EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.7 views

Oj - Use-After-Free in 'Oj::Parser' SAJ Long Key Callback

Summary Oj::Parser in SAJ mode does not protect cached object keys ≥ 35 bytes from garbage collection. A Ruby callback that triggers GC inside hashend can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results i...

6.3CVSS5.7AI score0.00253EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.5 views

Oj - Integer Overflow in Oj.load 2GB String Handling

Summary Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in bufappendstring buf.h:61 converts the string length to a large negative sizet, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process...

6.3CVSS5.9AI score0.00253EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/19 12:0 a.m.5 views

Faraday - Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters

Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters Summary Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query...

7.5CVSS6AI score0.00391EPSS
Exploits1References1Affected Software1
RubySec
RubySec
added 2026/06/17 12:0 a.m.6 views

Avo - Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation

Summary A critical missing authorization flaw exists in Avo's association attach workflow. The UI and GET /resources/:resource/:id/:related/new path can check attach?, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating...

6AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/17 12:0 a.m.4 views

katello - missing repository authorization in content_uploads exposes cross-product content existence

A flaw was found in Katello's of Red Hat Satellite. A content upload functionality where insufficient authorization checks in the ContentUploadsController allowed users with the editproducts permission to query content information for repositories outside the products they were authorized to...

4.3CVSS5.8AI score0.00197EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/10 12:0 a.m.9 views

Savon::Model evaluates WSDL operation names as Ruby source

Savon::Model generated SOAP operation methods by interpolating operation names into Ruby source passed to moduleeval. An attacker who can control the operation names of a WSDL, can inject Ruby code that executes in the application process. This affects only the .alloperations class method provide...

5.8AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/09 12:0 a.m.9 views

DFVULN-839 - Use-After-Free in MessagePack::Buffer#clear Enables Cross-Buffer Disclosure

Summary MessagePack::Bufferclear shifts out every chunk and returns its 4 KiB rmem page to the shared pool, but does not reset the buffer's rmem cursor rmemlast, rmemend, rmemowner. The next write sees "unused rmem space" left over from the freed page and hands back a slice of memory that has...

5.9AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/09 12:0 a.m.13 views

Net::IMAP: Command Injection via ID command argument

Summary Two Net::IMAP commands, id and enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon. Details Whe...

5.8CVSS5.4AI score0.00131EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/09 12:0 a.m.11 views

Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument

Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. Details Raw...

5.8CVSS5.7AI score0.00491EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/09 12:0 a.m.12 views

Net::IMAP: Denial of Service via incomplete raw argument validation

Summary Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will...

2.1CVSS5.7AI score0.00239EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/07 12:0 a.m.6 views

Use-After-Free in SQLite Aggregate Function Callbacks

Summary Using Databasecreateaggregate, createaggregatehandler, or Databasedefineaggregator to define an aggregate function, and then using an open statement calling that function after the database has been explicitly closed will result in an invalid memory read and a segmentation fault. Severity...

6AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/07 12:0 a.m.6 views

Use-After-Free When Redefining SQLite Functions with Different Arity

Summary Using Databasecreatefunction or Databasedefinefunction to define the same function name more than once with different numbers of arguments "arity" or text encodings will result in a invalid memory read and a segmentation fault. Severity The sqlite3-ruby repo maintainers assess this as Low...

6AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/04 12:0 a.m.4 views

around_render HTML-Safety Bypass

Summary ViewComponent::Basearoundrender can return HTML-unsafe strings that bypass the escaping behavior applied to normal call return values. This creates an XSS risk when downstream applications use aroundrender to wrap, replace, instrument, or conditionally return content that includes...

6AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/04 12:0 a.m.4 views

Reused Component Instances Retain Stale Render Context

Summary ViewComponent::Base instances retain multiple render-scoped objects across calls to renderin. If the same component, collection, or spacer component instance is reused across requests, users, tenants, or threads, later renders can use stale helpers, controller, request, viewflow,...

5.9AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/04 12:0 a.m.4 views

Resource limit bypass via message compression

Impact If this library is used in tandem with the permessage-deflate extension, a WebSocket server or client can be made to accept messages that are larger than the configured maximum message size. This is because this limit is checked against the message frames' length headers, which give the si...

5.9AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/04 12:0 a.m.4 views

Memory exhaustion in HTTP header parser

Impact If this library is used to implement a WebSocket server on top of a TCP server rather than an HTTP server or framework using the WebSocket::Driver.server method, or, if it is used to complement a WebSocket client, then a peer can make a single connection consume an unbounded amount of memo...

6AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/04 12:0 a.m.4 views

Memory exhaustion via abuse of protocol length headers

Impact The frame format in draft versions of the WebSocket protocol includes a length header that allows an arbitrarily large integer to be encoded as a sequence of bytes with the high bit set. By sending an indefinite sequence of bytes with values 0x80 or above, a server or client can make the...

6.1AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/04 12:0 a.m.10 views

Dynamic Client Registration feature creates public clients with client_secret

Impact The DynamicClientRegistrationControllerregister action hard-codes confidential: false when creating applications dynamicclientregistrationcontroller.rb:18-25, yet the response includes a clientsecret and advertises tokenendpointauthmethodssupported: "clientsecretbasic", "clientsecretpost"...

5.5AI score0.00058EPSS
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/03 12:0 a.m.12 views

redact additional sensitive/risky headers when following redirects

Impact The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip. What kind of vulnerability is it? Who is impacted? This could cause inadvertent leakage of sensitive data f...

5.3AI score
Exploits0References1Affected Software1
RubySec
RubySec
added 2026/06/02 12:0 a.m.6 views

Direct attachment upload endpoint lacks upload authorization and bypasses field-level upload policy

Summary Avo's direct attachment upload endpoint lacks server-side upload authorization and bypasses the documented field-level upload policy methods such as uploadFIELDID?. An authenticated Avo user who can reach the Avo attachment upload endpoint can replace or add attachment content, including...

6.1AI score
Exploits0References1Affected Software1
Total number of security vulnerabilities1252