HTTP Response Splitting (Early Hints) in Puma
Impact If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting...
HTTP Response Splitting vulnerability in puma
If an application using Puma allows untrusted input in a response header, an attacker can use newline characters i.e. CR, LF to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While n...
OS command injection in BibTeX-Ruby
BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized user input being passed directly to the built-in Ruby Kernel.open method through BibTeX.open...
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8. CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable...
matestack-ui-core is vulnerable to XSS/Script injection
matestack-ui-core does not escape strings by default and does not cover this in the docs. matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability. v0.7.4 fixes that by escaping strings by default...
Geocoder gem for Ruby contains possible SQL injection vulnerability
sql.rb in Geocoder allows Boolean-based SQL injection when within_bounding_box is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data...
secure_headers header injection due to newline
If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original...
secure_headers directive injection using semicolon
If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers...
stack overflow in mrb_str_len_to_dbl in src/string.c
In mruby 2.1.0, there is a stack-based buffer overflow in mrb_str_len_to_dbl in string.c...
heap use after free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c
In mruby 2.1.0, there is a use-after-free in hash_values_at in mrbgems/mruby-hash-ext/src/hash-ext.c...
heap use after free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c
In mruby 2.1.0, there is a use-after-free in hash_slice in mrbgems/mruby-hash-ext/src/hash-ext.c...
Publify vulnerable to DoS attack
Publify before 8.0.2 is vulnerable to a Denial of Service attack...
Prototype Pollution in handlebars
The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. Versions Affected: 0.3.3.5-0.3.3.8 Not affected: < 0.3.3.5 Fixed Versions: None Versions of handlebar...
Possible information leak / session hijack vulnerability
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that...
Race condition when using persistent connections
There was a race condition around persistent connections, where a connection which is interrupted such as by a timeout would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it...
Keepalive thread overload/DoS in puma
A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough...
Private Ruby OpenSSL RSA key generation is always "1"
The OpenSSL extension of Ruby Git trunk versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation...
rack-cors directory traversal via path
An issue was discovered in the rack-cors aka Rack CORS Middleware gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format...
json-jwt improper input validation due to lack of element count when splitting string
The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string...
Prototype Pollution in Chartkick.js 3.1.x
A specially crafted response in data loaded via URL can cause prototype pollution in JavaScript...
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Nokogiri v1.10.5 has been released. This is a security release. It addresses three CVEs in upstream libxml2, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to upgrade at this time, though you may wan...
brakeman world writable files allow local privilege escalation
The ruby_parser-legacy aka legacy gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem which has a legacy dependency 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the...
ruby_parser-legacy world writable files allow local privilege escalation
The ruby_parser-legacy aka legacy gem 1.0.0 for Ruby allows local privilege escalation because of world-writable files. For example, if the brakeman gem which has a legacy dependency 4.5.0 through 4.7.0 is used, a local user can insert malicious code into the...
Loofah XSS Vulnerability
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished...
netaddr world-writeable file permissions
The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, such that a gem install may result in 0777 permissions in the target filesystem...
Malicious URL drafting attack against iodine's static file server may allow path traversal
Impact A path traversal vulnerability was detected in iodine's static file service. This vulnerability affects any application running iodine's static file server on an affected iodine version. Malicious URL drafting may cause the static file server to attempt a response containing data from file...
A code injection vulnerability of Shell#[] and Shell#test
Shell#[] and its alias Shell#test defined in lib/shell.rb allow code injection if the first argument aka the “command” argument is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. Note that passing untrusted data to methods of Shell is dangerous in general. Users must...
A NUL injection vulnerability of File.fnmatch and File.fnmatch?
Built-in methods File.fnmatch and its alias File.fnmatch? accept the path pattern as their first parameter. When the pattern contains NUL character \0, the methods recognize that the path pattern ends immediately before the NUL byte. Therefore, a script that uses an external input as the pattern...
Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
Regular expression denial of service vulnerability of WEBrick’s Digest authentication module was found. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service...
HTTP response splitting in WEBrick (Additional fix)
If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the...
simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Simple Form before 5.0 has Incorrect Access Control in file_method? in lib/simple_form/form_builder.rb, because a user-supplied string is invoked as a method call. This only happens for pages that build forms based on user input...
Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly
With the consul ruby gem before 1.0.3, if a controller checks multiple powers using :if or :except conditions, these conditions are erroneously applied to all power checks in that controller. This can lead to skipped power checks and hence unauthenticated access to certain controller actions...
padrino-contrib XSS via caption parameter of breadcrumbs helper
The breadcrumbs contributed module through 0.2.0 for Padrino Framework allows XSS via a caption...
Denial of Service in rubyzip ("zip bombs")
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service disk consumption...
Devise Gem for Ruby confirmation token validation with a blank string
Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist...
OS Command Injection in Rake
There is an OS command injection vulnerability in Ruby Rake 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character |...
fat_free_crm XSS via query parameter of tags_helper method
Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb...
Code execution backdoor in bitcoin_vanity
The bitcoin_vanity gem 4.3.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in coming-soon
The coming-soon gem 0.2.8 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in coin_base
The coin_base gem 4.2.1 through 4.2.2 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in doge-coin
The doge-coin gem 1.0.2 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.0.1...
Code execution backdoor in awesome-bot
The awesome-bot gem 1.18.0 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.17.2 or upgrading to 1.19.x...
Code execution backdoor in cron_parser
The cron_parser gem 0.1.4, 1.0.12, and 1.0.13 as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in capistrano-colors
The capistrano-colors 0.5.5 gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 0.5.4...
Code execution backdoor in lita_coin
The lita_coin gem 0.0.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in blockchain_wallet
The blockchain_wallet gem 0.0.6 through 0.0.7 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 0.0.5...
Code execution backdoor in omniauth_amazon
The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.0.1...
Code execution backdoor in rest-client
The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party...
Rexical Command Injection Vulnerability
A command injection vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. It allows commands to be executed in a subprocess by Ruby's Kernel.open method...