1243 matches found
Buffer overflow in sponge queue functions
Impact The Keccak sponge function interface accepts partial inputs to be absorbed and partial outputs to be squeezed. A buffer can overflow when partial data with some specific sizes are queued, where at least one of them has a length of 2^32 - 200 bytes or more. Patches Yes, see commit fdc6fef0...
SQL Injection Vulnerability via ActiveRecord comments
There is a possible vulnerability in ActiveRecord related to the sanitization of comments. This vulnerability has been assigned the CVE identifier CVE-2023-22794. Versions Affected: = 6.0.0 Not affected: All users running an affected release should either upgrade or use one of the workarounds...
Sinatra vulnerable to Reflected File Download attack
An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download RFD attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input...
Sort order SQL injection via `direction` parameter in administrate
In Administrate rubygem before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord...
XSS Vulnerability in Chartkick Ruby Gem
Chartkick is vulnerable to a cross-site scripting XSS attack if both the following conditions are met: Condition 1: It's used with ActiveSupport.escapehtmlentitiesinjson = false this is not the default for Rails OR used with a non-Rails framework like Sinatra. Condition 2: Untrusted data or optio...
CSRF vulnerability in rails_admin
The railsadmin gem is vulnerable to cross-site request forgery CSRF attacks. Due to a bug, non-GET methods were not validating CSRF tokens and, as a result, an attacker could hypothetically gain access to the application administrative endpoints exposed by the gem...
XSS vulnerability via data-target in bootstrap-sass
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute...
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service CPU and memory consumption a crafted XML document containing an empty string in an entity that is used in a large number of...
CVE-2013-2119 rubygem-passenger: incorrect temporary file usage
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service prevent application start or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem...
CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags
Cross-site scripting XSS vulnerability in actionpack/lib/actionview/helpers/sanitizehelper.rb in the striptags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup...
Chef Improper Access Control Vulnerability
chef-server-api/app/controllers/users.rb in the API in Chef before 0.9.0 does not require administrative privileges for the create, destroy, and update methods, which allows remote authenticated users to manage user accounts via requests to the /users URI...
CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe)
Cross-site scripting XSS vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods...
Algorithmic complexity vulnerability in the WEBrick
Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.splitheadervalue function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows context-dependent attackers to cause a denial of...
Rack has Content-Length mismatch in Rack::Files error responses
Summary Rack::Filesfail sets the Content-Length response header using Stringsize instead of Stringbytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the...
Possible DoS by memory exhaustion in net-imap
Summary There is a possibility for denial of service by memory exhaustion in net-imap's response parser. At any time while the client is connected, a malicious server can send can send highly compressed uid-set data which is automatically read by the client's receiver thread. The response parser...
REXML contains a denial of service vulnerability
Impact The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many s in an attribute value. If you need to parse untrusted XMLs, you many be impacted to this vulnerability. Patches The REXML gem 3.2.7 or later include the patch to fix this vulnerability. Workarounds Don...
Arbitrary memory address read vulnerability with Regex search
If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. We recommend to update the Ruby to version 3.3.1 or later. In order to ensure compatibility with older Ruby...
Improper Handling of Unexpected Data Type in Nokogiri
Summary Nokogiri v1.16.2 upgrades the version of its dependency libxml2 to v2.12.5. libxml2 v2.12.5 addresses the following vulnerability: CVE-2024-25062 / https://vulners.com/cve/CVE-2024-25062 described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 patched by...
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma
Impact Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. The following vulnerabilities are addressed by this advisory: - Incorrect parsing of trailing fields ...
ReDoS based DoS vulnerability in Active Support’s underscore
There is a possible regular expression based DoS vulnerability in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-22796. Versions Affected: All Not affected: None Fixed Versions: 6.1.7.1, 7.0.4.1 Impact A specially crafted string passed to the underscore method ca...
ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792. Versions Affected: = 3.0.0 Not affected: 3.0.0 Fixed Versions: 6.1.7.1, 7.0.4.1 Impact Specially crafted cookies, in combination with a...
PDFKit vulnerable to Command Injection
The package pdfkit from version 0.0.0 through version 0.8.6 is vulnerable to Command Injection where the URL is not properly sanitized...
Untrusted users able to run pending migrations in production
There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185. Versions Affected: 6.0.0 = 6.0.3.2 Impact ------ Using this issu...
Keepalive thread overload/DoS in puma
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough...
Moderate severity vulnerability that affects nokogiri
The xzhead function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service memory consumption via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. References: -...
Doorkeeper gem has stored XSS on authorization consent view
Stored XSS on the OAuth Client's name will cause users being prompted for consent via the "implicit" grant type to execute the XSS payload. The XSS attack could gain access to the user's active session, resulting in account compromise. Any user is susceptible if they click the authorization link...
Stored XSS in "gemirro" via injection in Gemspec "homepage" value
Stored cross-site scripting XSS vulnerability in Gemirro allows attackers to inject arbitrary web script via a crafted JavaScript URL in the "homepage" value of a ".gemspec" file. A ".gemspec" file must be created with a JavaScript URL in the homepage value. This can be used to build a gem for...
Nokogiri gem contains several vulnerabilities in libxml2
Nokogiri version 1.6.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2015-5312 CVSS v2 Base Score: 7.1 HIGH The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion,...
CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses
REST client for Ruby aka rest-client before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect...
CVE-2013-1821 ruby: entity expansion DoS vulnerability in REXML
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service memory consumption and crash via crafted text nodes in an XML document, aka an XML Entity Expansion XEE attack...
CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected
ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attrprotected protection mechanism and modify protected model attributes via a crafted request...
gRPC connection termination issue
gRPC contains a vulnerability whereby a client can cause a termination of connection between a HTTP2 proxy and a gRPC server: a base64 encoding error for -bin suffixed headers will result in a disconnection by the gRPC server, but is typically allowed by HTTP2 proxies. We recommend upgrading beyo...
Camaleon CMS vulnerable to Stored Cross-site Scripting
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false...
CVE-2022-25857 jruby/psych/snakeyaml: Denial of Service (DoS) due missing to nested depth limitation for collections
The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service DoS due missing to nested depth limitation for collections. This package is bundled into Psych which is in turn bundled into jruby...
XSS in the `of` option of the `.position()` util in jquery-ui
Impact Accepting the value of the of option of the .position util from untrusted sources may execute untrusted code. For example, invoking the following code: js $"element".position my: "left top", at: "right bottom", of: "", collision: "none" ; will call the doEvilThing function. Patches The iss...
Minitar Directory Traversal Vulnerability
Minitar allows attackers to overwrite arbitrary files during archive extraction via a .. dot dot in an extracted filename. Analogous vulnerabilities for unzip and tar: https://www.cvedetails.com/cve/CVE-2001-1268/ and http://www.cvedetails.com/cve/CVE-2001-1267/ Credit: ecneladis...
Ember.js XSS Vulnerability with User-Supplied JSON
By default, Ember will escape any values in Handlebars templates that use double curlies value. Developers can specifically opt out of this escaping behavior by passing an instance of SafeString rather than a raw string, which tells Ember that it should not escape the string because the developer...
Ruby OpenSSL Hostname Verification
After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates. Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching o...
CVE-2012-5370 jruby: Murmur hash function collisions (oCERT-2012-001)
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service CPU consumption via crafted input to an application that maintains a hash table, as demonstrated by a universal...
Ruby name_err_mesg_to_str Method Safe Level Security Bypass
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the nameerrmesgtostr API function, which marks the string as tainted, a different vulnerability than...
CVE-2012-1099 rubygem-actionpack: XSS in the "select" helper
Cross-site scripting XSS vulnerability in actionpack/lib/actionview/helpers/formoptionshelper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain...
Denial of Service Vulnerability in Rack Content-Disposition parsing
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571. Versions Affected: = 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1 Impact Carefully crafted input...
ReDoS based DoS vulnerability in GlobalID
There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799. Versions Affected: = 0.2.1 Not affected: 0.2.1 Fixed Versions: 1.0.1 Impact There is a possible DoS vulnerability in the model name parsing section of the GlobalID...
protobuf-java has a potential Denial of Service issue
Summary A potential Denial of Service issue in protobuf-java core and lite was discovered in the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted...
Phusion Passenger information disclosure
In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 fixed in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10, if Passenger is running as root, it is possible to list the contents of arbitrary files on a system by symlinking a file named REVISION from the application root...
SQL injection for certain queries with variables
For some queries, specific variable values can modify the query rather than just the variable. This can occur if: 1. the query's data source uses different escaping than the Rails database OR 2. the query has a variable inside a string literal Since Blazer is designed to run arbitrary queries, th...
Cross-Site Scripting in Kaminari via `original_script_name` parameter
Impact There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links. For example, an attacker could craft pagination links that link to other domain or host:...
Potential denial of service in bson rubygem
The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service worker resource consumption via a crafted string. NOTE: This issue is due to an incomplete fix to CVE-2015-4410...
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released. This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to...
Authentication bypass via incorrect XML canonicalization and DOM traversal
ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect XML canonicalization and DOM traversal. Specifically, there are inconsistencies in handling of comments within XML nodes, resulting in incorrect parsing of the inner text of XML nodes such that any inner text...