1220 matches found
Possible DoS vulnerability in Rack
There is a possible DoS vulnerability in the multipart parser in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16470. Versions Affected: 2.0.4, 2.0.5. Not affected: <= 2.0.3. Fixed Versions: 2.0.6. Impact: There is a possible DoS vulnerability in the multipart parser in...
Possible XSS vulnerability in Rack
There is a possible vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16471. Versions Affected: All. Not affected: None. Fixed Versions: 2.0.6, 1.6.11. Impact: There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data...
Loofah XSS Vulnerability
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished...
fat_free_crm gem XSS vulnerability via query parameter
FatFreeCRM version =0.15.0 =0.16.0 =0.17.0 =0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. This attack appears to be exploitable via content with a Javascript payload, which will be executed on e...
mysql-binuuid-rails allows SQL Injection by removing default string escaping
mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes default string escaping for affected database columns. ActiveRecord does not explicitly escape the Binary data type Type::Binary::Data for mysql. mysql-binuuid-rails uses a data type that is derived from the base Binary...
Incorrect value comparison in Ruby openssl
An issue was discovered in the OpenSSL library in Ruby when two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may return true. When the first argument is one character longer than the second, or the second argument contains a character that is one...
Incorrect equality check in OpenSSL::X509::Name
The equality check of OpenSSL::X509::Name is not performed correctly in the openssl extension library bundled with Ruby. An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is ...
Tainted flags not always propagated in Array#pack and String#unpack
In Array#pack and String#unpack with some formats, the tainted flags of the original data are not propagated to the returned string/array. The Array#pack method converts the receiver’s contents into a string with the specified format. If the receiver contains some tainted objects, the returned string also...
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Nokogiri 1.8.5 has been released. This is a security and bugfix release. It addresses two CVEs in upstream libxml2 rated as "medium" by Red Hat, for which details are below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to...
Jekyll _config.yml privilege escalation
Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file...
smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
An authentication bypass flaw was found in the smart_proxy_dynflow component used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary commands on machines managed by vulnerable Foreman instances, in a highly privileged context...
Bootstrap Cross-site Scripting vulnerability
In Bootstrap starting in version 2.3.0 and prior to versions 3.4.0 and 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041...
Bootstrap Cross-site Scripting vulnerability
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip. This is similar to CVE-2018-14041...
Bootstrap vulnerable to Cross-Site Scripting (XSS)
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute...
Malicious ruby gem - active-support
The gem duplicates the official activesupport (no hyphen) code, but adds a compiled extension. The extension attempts to resolve a base64-encoded domain, downloads a payload, and executes it. Replace this gem with the official activesupport gem...
Insufficient URI encoding in restforce
A flaw in how restforce constructs URLs may allow an attacker to inject additional parameters into Salesforce API requests. Impact: This flaw is only exploitable in applications that pass user input directly to restforce's select, find, describe, update, upsert, and destroy methods...
Prototype Pollution in lodash
Versions of lodash before 4.17.5 are vulnerable to prototype pollution. The vulnerable functions are 'defaultsDeep', 'merge', and 'mergeWith', which allow a malicious user to modify the prototype of Object via __proto__, causing the addition or modification of an existing property that will exist on al...
Signed integer overflow in mrb_str_format
The CHECK macro in mrbgems/mruby-sprintf/src/sprintf.c in mruby 1.4.1 contains a signed integer overflow, possibly leading to out-of-bounds memory access because the mrb_str_resize function in string.c does not check for a negative length...
Doorkeeper gem does not revoke token for public clients
Any OAuth application that uses public/non-confidential authentication when interacting with Doorkeeper is unable to revoke its tokens when calling the revocation endpoint. A bug in the token revocation API would cause it to attempt to authenticate the public OAuth client as if it was a...
XSS vulnerabilities via data-parent, data-target, data-container in bootstrap
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute (CVE-2018-14040), the data-target property of scrollspy (CVE-2018-14041), and the data-container property of tooltip (CVE-2018-14042)...
ruby-ffi DLL loading issue on Windows OS
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS when a Symbol is used as the DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later...
Path Traversal in Sprockets
Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately. Workaround:...
Directory Traversal in rubyzip
rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in the Zip::File component that can result in writing arbitrary files to the filesystem. If a site allows uploading of .zip files, an attacker can upload a malicious file which contains symlinks or files with absolute...
Insecure Permissions in Phusion Passenger
An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 causes information disclosure in the following situation: given a Passenger-spawned application process that reports that it listens on a certain Unix domain socket, if any of the parent directories of...
CHMOD race vulnerability
The file system access race condition allows for local privilege escalation and affects the Nginx module for Passenger versions 5.3.1 all the way back to 3.0.0 (the chown command entered the code in 2010). The vulnerability was exploitable only when running a non-standard...
Incorrect Access Control in Phusion Passenger
An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning a child process, to report an arbitrary different PID back to Passenger's process manager. If the malicious application then generates a...
Heap buffer overflow in OP_ENTER
An issue was discovered in mruby 1.4.1. There is a heap-based buffer over-read associated with OP_ENTER because mrbgems/mruby-fiber/src/fiber.c does not extend the stack in cases of many arguments to fiber...
SpawningKit exploits
During the spawning of a malicious Passenger-managed application, SpawningKit in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace key files or directories in the spawning communication directory with symlinks. This then could result in arbitrary reads and writes, which in...
Null pointer dereference in mrb_class_real
An issue was discovered in mruby 1.4.1. There is a NULL pointer dereference in mrb_class_real because "class BasicObject" is not properly supported in class.c...
Null pointer dereference in mrb_class
An issue was discovered in mruby 1.4.1. There is a NULL pointer dereference in mrb_class, related to certain .clone usage, because mrb_obj_clone in kernel.c copies flags other than the MRB_FLAG_IS_FROZEN flag (e.g., the embedded flag)...
Use of uninitialized pointer in mrb_hash_keys
The init_copy function in kernel.c in mruby 1.4.1 makes initialize_copy calls for TT_ICLASS objects, which allows attackers to cause a denial of service (mrb_hash_keys uninitialized pointer and application crash) or possibly have unspecified other impact...
XSS via the 400 Bad Request page
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception...
ruby-grape Gem has XSS via "format" parameter
When a request to the API contains the "format" parameter in GET, the input value of this parameter is rendered as the web server responds with a text/html header. Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E...
private_address_check Ruby Gem Time-of-check Time-of-use race condition
private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case, where the initial resolution is a public address but the subsequent resolution is a...
Auth tag forgery vulnerability with AES-GCM encrypted JWT
Ruby's OpenSSL bindings do not check the length of the supplied authentication tag when decrypting an authenticated encryption mode such as AES-GCM, leaving it up to the authors of a gem/app to implement this check in order to properly validate the message. json-jwt was not checking for the authentication tag...
Insecure path handling in Bundler
Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could pla...
Use after free in File#initialize_copy
In versions of mruby up to and including 1.4.0, a use-after-free vulnerability exists in src/io.c::File#initialize_copy. An attacker that can cause Ruby code to be run can possibly use this to execute arbitrary code...
Use after free caused by integer overflow in environment stack
In versions of mruby up to and including 1.4.0, an integer overflow exists in src/vm.c::mrb_vm_exec when handling OP_GETUPVAR in the presence of deep scope nesting, resulting in a use-after-free. An attacker that can cause Ruby code to be run can use this to possibly execute arbitrary code...
Moderate severity vulnerability that affects nokogiri
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file. References: -...
Buffer under-read in String#unpack
An attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure. String#unpack receives format specifiers as its parameter, and the positi...
HTTP response splitting attack in WEBrick
Allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick...
Revert libxml2 behavior in Nokogiri gem that could cause XSS
[MRI] Behavior in libxml2 has been reverted which caused CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is here: https://github.com/GNOME/libxml2/commit/960f0e2 and more information is available about this commit and its impa...
Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
There is an unintentional socket creation vulnerability in the UNIXServer.open method of the socket library bundled with Ruby. There is also an unintentional socket access vulnerability in the UNIXSocket.open method. UNIXServer.open accepts the path of the socket to be created as its first parameter. If th...
DoS by large request in WEBrick
There is an out-of-memory DoS vulnerability with a large request in WEBrick bundled with Ruby. If an attacker sends a large request which contains huge HTTP headers, WEBrick tries to process it in memory, so the request causes an out-of-memory DoS. All users running an affected release should...
Buffer under-read in String#unpack
String#unpack receives format specifiers as its parameter, and the position from which to parse the data can be specified with the @ specifier. If a big number is passed with @, the number is treated as a negative value, and an out-of-buffer read occurs. So, if a script accepts an external input as the...
Unintentional directory traversal by poisoned NUL byte in Dir
There is an unintentional directory traversal in some methods in Dir. Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the target directory as their parameter. If the parameter contains NUL (\0) bytes, these methods recognize that the path is completed before the NUL bytes. So, if a...
Unintentional file and directory creation with directory traversal in tempfile and tmpdir
There is an unintentional directory creation vulnerability in the tmpdir library bundled with Ruby. There is also an unintentional file creation vulnerability in the tempfile library bundled with Ruby, because it uses tmpdir internally. The Dir.mktmpdir method introduced by the tmpdir library accepts the pref...
HTTP response splitting in WEBrick
There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. If a script accepts an external input and outputs it without modification as a part of an HTTP response, an attacker can use newline characters to deceive clients into believing that the HTTP response header ends there, a...
XSS vulnerability in rails-html-sanitizer
There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows non-whitelisted attributes to be present in sanitized output when given input with specially crafted HTML fragments, and these attributes can lead to an XSS attack on target applications. This issue is similar to CVE-2018-804...
HTML injection/XSS in Sanitize
When the Sanitize gem is used in combination with libxml2 >= 2.9.2, a specially crafted HTML fragment can cause libxml2 to generate improperly escaped output, allowing non-whitelisted attributes to be used on whitelisted elements. This can allow HTML and JavaScript injection, which could result in XSS...