
1230 matches found

RubySec, added 2026/06/26

Fluentd is Vulnerable to Remote Code Execution (RCE) via Arbitrary File Write in `${tag}` Placeholder

Fluentd allows dynamically constructing file paths using the ${tag} placeholder. It was discovered that validation for this placeholder was insufficient. If a Fluentd instance is configured to receive logs from untrusted sources and uses the ${tag} placeholder in file configurations such as the path...

AI score: 6.1 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/26

Fluentd is Vulnerable to Server-Side Request Forgery (SSRF) via Placeholder Expansion in `out_http`

The out_http output plugin allows the use of placeholders such as ${tag} in the endpoint configuration parameter. It was discovered that if the placeholder value is derived from untrusted user input, an attacker can maliciously control the destination hostname of the outbound HTTP requests made by...

AI score: 5.9 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/26

Fluentd is Vulnerable to Exposure of Sensitive Information via Monitor Agent API

Fluentd's Monitor Agent plugin (in_monitor_agent) exposes internal metrics and plugin information via a REST API. It was discovered that the API response /api/plugins.json and related endpoints unintentionally include internal instance variables of loaded plugins. If any plugins store sensitive...

AI score: 5.8 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/26

Fluentd is Vulnerable to Denial of Service (DoS) via Gzip Decompression Bomb in `in_http` and `in_forward`

Fluentd's in_http and in_forward plugins support receiving gzip-compressed data. While Fluentd correctly enforces size limits on the incoming compressed payloads (e.g., via body_size_limit or chunk_size_limit), it was discovered that there is no limit enforced on the size of the decompressed data. If a...

AI score: 5.8 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/25

fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`

The fluent-plugin-opentelemetry plugin, specifically the in_opentelemetry HTTP input, lacked strict size limits on incoming requests. It was discovered that the plugin read the entire request body and decompressed payloads into memory without enforcing maximum size thresholds. If the OpenTelemetry...

AI score: 5.8 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/25

fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression Bomb in `in_s3`

The fluent-plugin-s3 plugin, specifically the in_s3 input plugin, supports reading and decompressing heavily compressed files such as gzip, lzma2, and lzop from Amazon S3. It was discovered that the plugin read the entire decompressed payload into memory at once without enforcing a strict size limi...

AI score: 5.8 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/23

YARD static cache reads raw traversal paths before router sanitization

Summary YARD's static cache lookup reads a request path before the router's path cleanup runs. When a server is configured with a document root, a traversal path such as /../yard-cache-secret.html is joined against that root and can return a readable sibling .html file outside the intended static...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.00273 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Stack Buffer Overflow in Oj::Doc#each_child via Deeply Nested Input

Summary Oj::Doc#each_child, when invoked recursively over a deeply nested JSON document, overflows a fixed-size stack buffer and aborts the process. This is a denial of service reachable from untrusted JSON. Impact Reliable denial of service: any endpoint that calls Oj::Doc.open(untrusted) { |d|...

CVSS: 7.5 | AI score: 6 | EPSS: 0.00263 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Integer Overflow in Oj.load 2GB String Handling

Summary Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process...

CVSS: 6.3 | AI score: 5.9 | EPSS: 0.00253 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Use-After-Free in Oj::Parser Symbol Key Cache Toggle

Summary Disabling symbol_keys on a reused Oj::Parser instance triggers a heap use-after-free. When symbol_keys is toggled from true to false, opt_symbol_keys_set frees the internal key cache (cache_free) but does not clear the pointer. The next parse call reads from the freed cache via cache_intern,...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00428 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Use-After-Free in 'Oj::Parser' SAJ Long Key Callback

Summary Oj::Parser in SAJ mode does not protect cached object keys ≥ 35 bytes from garbage collection. A Ruby callback that triggers GC inside hash_end can cause the key string to be reclaimed while the C parser still holds a pointer to it. The subsequent access to the freed string VALUE results i...

CVSS: 6.3 | AI score: 5.7 | EPSS: 0.00253 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Heap Buffer Overflow in Oj.dump Exception Serialization via Large Indent

Summary Oj.dump in object mode is vulnerable to a heap buffer overflow when serializing Exception objects with a large :indent value. The serializer allocates a buffer sized for the object's attributes but does not account for the indent bytes added on each write. With indent: 5000, the...

CVSS: 2.1 | AI score: 6.1 | EPSS: 0.00119 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Negative-Size memcpy in 'Oj::Parser' create_id Attribute Handling

Summary Oj::Parser#parse in usual mode with create_id enabled is vulnerable to heap corruption via a negative-size memcpy. When a JSON object key is exactly 65,535 bytes long, an integer truncation in form_attr (usual.c:63) converts the length to -1 before passing it to memcpy. This causes memcpy to...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00253 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Use-After-Free in Oj::Doc Iterators via Reentrant Close

Summary Oj::Doc iterators (each_value, each_child, each_leaf) are vulnerable to a heap use-after-free. When a Ruby block yielded during iteration calls doc.close or d.close, the document's heap memory is freed while the C iterator is still running. When control returns from the block, the iterator rea...

CVSS: 2.1 | AI score: 5.8 | EPSS: 0.00117 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Stack Buffer Overflow in Oj.dump via Large Indent

Summary Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the size_t cast preserves the larg...

CVSS: 6.3 | AI score: 6.3 | EPSS: 0.00257 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Use-After-Free in 'Oj::Parser' array_class/hash_class GC Marking

Summary Oj::Parser in usual mode does not mark array_class and hash_class references during garbage collection. If GC runs after the class is assigned but before a parse, the class object is reclaimed, leaving the parser holding a dangling VALUE. The subsequent parse call dereferences the freed...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00253 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - intern.c form_attr (uninitialized stack read)

Summary Oj.load in :object mode reads uninitialized stack memory and, for long keys, reads out of bounds when parsing a JSON object whose key is 254 bytes or longer. The interned bytes can surface to the caller, disclosing process stack memory. Impact Information disclosure of process stack memor...

CVSS: 5.3 | AI score: 5.9 | EPSS: 0.00197 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Oj - Use-After-Free in Oj::Parser SAJ Callback via Input Mutation

Summary Oj::Parser#parse is vulnerable to a heap use-after-free when a SAJ/SAJ2 callback mutates the input JSON string during parsing. The C engine holds a raw const byte pointer into the Ruby string's internal buffer. If a callback (e.g. hash_start) resizes the string — for example by calling...

CVSS: 2.1 | AI score: 5.9 | EPSS: 0.00117 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Faraday - Uncontrolled recursion in NestedParamsEncoder allows stack exhaustion DoS via deeply nested query parameters

Uncontrolled Recursion in NestedParamsEncoder Allows Stack Exhaustion DoS via Deeply Nested Query Parameters Summary Faraday::NestedParamsEncoder, the default nested query parameter encoder/decoder in Faraday, decodes nested query strings without enforcing a maximum nesting depth. A crafted query...

CVSS: 7.5 | AI score: 6 | EPSS: 0.00391 | Exploits: 1 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Concurrent Ruby - `ReentrantReadWriteLock` read-count overflow grants a write lock without exclusivity

Summary Concurrent::ReentrantReadWriteLock can incorrectly grant a write lock after one thread acquires the read lock 32,768 times. The lock stores a thread's local read and write hold counts in one integer. The low 15 bits are used for the read hold count, and bit 15 is used as WRITE_LOCK_HELD...

CVSS: 5.5 | AI score: 5.8 | EPSS: 0.00106 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Concurrent Ruby - `AtomicReference#update` livelocks when the stored value is `Float::NAN`

Summary Concurrent::AtomicReference#update can enter a permanent busy retry loop when the current value is Float::NAN. The issue is caused by the interaction between: - AtomicReference#update, which retries until compare_and_set(old_value, new_value) succeeds. - Numeric compare_and_set, which checks old ==...

CVSS: 8.2 | AI score: 5.9 | EPSS: 0.00278 | Exploits: 1 | References: 1 | Affected software: 1

RubySec, added 2026/06/19

Concurrent Ruby - ReadWriteLock allows wrong-thread write release and stray read-release counter corruption

Summary Concurrent::ReadWriteLock#release_write_lock does not verify that the calling thread acquired the write lock. Any thread with access to the lock object can release an active write lock held by another thread. A second writer can then enter its critical section while the first writer is still...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.0016 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/17

katello - missing repository authorization in content_uploads exposes cross-product content existence

A flaw was found in Katello, part of Red Hat Satellite, in the content upload functionality, where insufficient authorization checks in the ContentUploadsController allowed users with the edit_products permission to query content information for repositories outside the products they were authorized to...

CVSS: 4.3 | AI score: 5.8 | EPSS: 0.00197 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/17

Avo - Missing Authorization in Avo Association Attach Endpoint Allows Unauthorized Relationship Manipulation and Privilege Escalation

Summary A critical missing authorization flaw exists in Avo's association attach workflow. The UI and GET /resources/:resource/:id/:related/new path can check attach?, but the actual write endpoint, POST /resources/:resource/:id/:related, does not run the same authorization check before mutating...

AI score: 6 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/10

Savon::Model evaluates WSDL operation names as Ruby source

Savon::Model generated SOAP operation methods by interpolating operation names into Ruby source passed to module_eval. An attacker who can control the operation names of a WSDL can inject Ruby code that executes in the application process. This affects only the .all_operations class method provide...

AI score: 5.8 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/09

Net::IMAP: Command Injection via ID command argument

Summary Two Net::IMAP commands, id and enable, do not validate their arguments. Arguments to either command could be used by an attacker to inject arbitrary IMAP commands. Please note that passing untrusted inputs to these commands is usually inappropriate and expected to be uncommon. Details Whe...

CVSS: 5.8 | AI score: 5.4 | EPSS: 0.00131 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/09

Net::IMAP: Command Injection via non-synchronizing literal in "raw" argument

Several Net::IMAP commands accept a "raw data" argument that is sent verbatim after validation to prevent command injection. However, if a server does not support non-synchronizing literals, it may still be possible to inject arbitrary IMAP commands inside non-synchronizing literals. Details Raw...

CVSS: 5.8 | AI score: 5.7 | EPSS: 0.00491 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/09

Net::IMAP: Denial of Service via incomplete raw argument validation

Summary Several Net::IMAP commands accept a raw string argument which is only validated to prevent CRLF injection and then sent verbatim. If this string is derived from user-controlled input, an attacker can force the next command to be absorbed as a continuation of the first command. This will...

CVSS: 2.1 | AI score: 5.7 | EPSS: 0.00239 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/09

DFVULN-839 - Use-After-Free in MessagePack::Buffer#clear Enables Cross-Buffer Disclosure

Summary MessagePack::Buffer#clear shifts out every chunk and returns its 4 KiB rmem page to the shared pool, but does not reset the buffer's rmem cursor (rmem_last, rmem_end, rmem_owner). The next write sees "unused rmem space" left over from the freed page and hands back a slice of memory that has...

AI score: 5.9 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/04

Dynamic Client Registration feature creates public clients with client_secret

Impact The DynamicClientRegistrationController#register action hard-codes confidential: false when creating applications (dynamic_client_registration_controller.rb:18-25), yet the response includes a client_secret and advertises token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post"]...

AI score: 5.5 | EPSS: 0.00058 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/03

redact additional sensitive/risky headers when following redirects

Impact The redirect follower middleware previously failed to strip a number of headers that are known to be sensitive and did not provide a way to provide a custom list of headers to strip. What kind of vulnerability is it? Who is impacted? This could cause inadvertent leakage of sensitive data f...

AI score: 5.3 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/06/01

SSRF and Local File Disclosure in `CssParser::Parser#read_remote_file`

Summary CssParser::Parser#read_remote_file (and therefore load_uri!, and the @import-following branch of add_block!) issues HTTP/HTTPS requests against any host, port and URI it is handed, with no scheme allowlist, no host / IP filtering, and no protection against link-local, loopback or RFC 1918...

AI score: 5.9 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/27

Puma PROXY Protocol v1 Parser Allows Remote Memory Exhaustion

Impact PROXY protocol support for Puma was added in version 5.5.0. When PROXY protocol v1 support is enabled, Puma reads incoming bytes into an internal buffer. It waits for "\r\n" to determine whether a PROXY v1 line is present. If an attacker opens a TCP connection and continuously sends bytes...

AI score: 5.8 | EPSS: 0.0007 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/27

Puma PROXY Protocol v1 Accepts Repeated Protocol Headers on Persistent Connections

Impact Puma is vulnerable to source IP spoofing when set_remote_address proxy_protocol: :v1 is enabled and persistent connections are used. PROXY protocol v1 is a connection-level protocol. Support was added to Puma in v5.5.0. A proxy sends one PROXY header at the beginning of a TCP connection, befo...

AI score: 5.6 | EPSS: 0.00015 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/27

CarrierWave has a denylisted_content_type bypass via Unescaped Regex Metacharacters

Summary CarrierWave's content_type_denylist check fails to escape regex metacharacters in string entries, causing the denylist to silently not match the content types it is intended to block. Note: CarrierWave is aware that content_type_denylist is deprecated for this security reason, but it is still used by...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00223 | Exploits: 1 | References: 1 | Affected software: 1

RubySec, added 2026/05/20

CVE-2026-46727 - Use-after-free in pthread-based getaddrinfo timeout handler

SUMMARY A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS responses near the user-specified timeout to crash a Ruby process that calls Addrinfo.getaddrinfo(..., timeout: o...

CVSS: 8.1 | AI score: 5.7 | EPSS: 0.00478 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/18

ruby-jwt: Empty-key HMAC bypass; cross-language sibling of CVE-2026-44351

JWT.decode(token, '', true, algorithm: 'HS256') accepts an attacker-forged token. OpenSSL::HMAC.digest('SHA256', '', payload) returns a valid digest under an empty key, and no `raise InvalidKeyError if key.empty?` precondition exists in the HMAC algorithm. JWT.decode(token, "", true, algorithm: 'HS256') ...

CVSS: 9.1 | AI score: 5.7 | EPSS: 0.00236 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/18

Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 - protocol-relative URI objects still bypass host scoping

Summary Faraday::Connection#build_exclusive_url still allows protocol-relative host override when the request target is provided as a URI object instead of a String. This bypasses the February 2026 fix for GHSA-33mh-2634-fwr2 and can redirect a request built from a fixed-base Faraday::Connection to ...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.00272 | Exploits: 1 | References: 1 | Affected software: 1

RubySec, added 2026/05/08

view_component - System Test Entry Point Path Check Allows Sibling Directory Escape

The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-route scope...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00412 | Exploits: 1 | References: 1 | Affected software: 1

RubySec, added 2026/05/08

view_component - Preview Route Can Dispatch Inherited Helper Methods

The preview route derives an example name from the URL and calls it with public_send. The code does not verify that the requested method is one of the preview examples explicitly defined by the preview class. As a result, inherited public methods on ViewComponent::Preview are route-reachable. The...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.00343 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/07

Devise has an Open Redirect via Unvalidated `request.referrer` in Timeoutable Session Timeout Handler

Summary When the Timeoutable module is enabled in Devise, the FailureApp#redirect_url method returns request.referrer — the HTTP Referer header, which is attacker-controllable — without validation for any non-GET request that results in a session timeout. An attacker who hosts a page with an...

CVSS: 6.1 | AI score: 6 | EPSS: 0.00241 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/07

Improper Certificate Validation allows MITM injection of remote CSS content

Summary The CSS Parser gem does not validate HTTPS connections, allowing a Man-in-the-Middle (MITM) attacker to inject or modify CSS content when stylesheets are loaded via HTTPS. The connection is established with OpenSSL::SSL::VERIFY_NONE, meaning any HTTPS certificate—even entirely untrusted—will...

CVSS: 5.8 | AI score: 5.8 | EPSS: 0.00146 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/07

Sidekiq-cron is vulnerable to a cross-site scripting (xss) vulnerability via crafted URL

Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (XSS) vulnerability via a crafted URL being rendered from cron.erb...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00194 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/07

Session cookies can be replayed after user logout

Impact Admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This affects applications using Koi admin...

CVSS: 7.4 | AI score: 5.8 | EPSS: 0.00197 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/04

net-imap has quadratic complexity when reading response literals

Summary Net::IMAP::ResponseReader has quadratic time complexity when reading large responses containing many string literals. A hostile server can send responses which are crafted to exhaust the client's CPU for a denial of service attack. Details For each literal in a response, ResponseReader...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.0041 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/04

net-imap vulnerable to STARTTLS stripping via invalid response timing

Summary A man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully", without starting TLS. Details When using Net::IMAP#starttls to upgrade a plaintext connection to use TLS, a man-in-the-middle attacker can inject a tagged OK response with an easily predictable tag. By sendi...

CVSS: 7.6 | AI score: 5.8 | EPSS: 0.00324 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/04

net-imap vulnerable to command Injection via unvalidated Symbol inputs

Summary Symbol arguments passed to IMAP commands are vulnerable to CRLF injection / IMAP command injection. Details Symbol arguments represent IMAP "system flags", which are formatted as "atoms" with no quoting and a "\" prefix. Vulnerable versions of Net::IMAP...

CVSS: 7.1 | AI score: 5.9 | EPSS: 0.00813 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/04

net-imap vulnerable to command Injection via "raw" arguments to multiple commands

Summary Several Net::IMAP commands accept a raw string argument that is sent to the server without validation or escaping. If this string is derived from user-controlled input, it may contain CRLF sequences, which an attacker can use to inject arbitrary IMAP commands. Details Net::IMAP's...

CVSS: 9.8 | AI score: 5.9 | EPSS: 0.00429 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/05/04

net-imap vulnerable to denial of service via high iteration count for `SCRAM-*` authentication

Summary When authenticating a connection with SCRAM-SHA1 or SCRAM-SHA256, a hostile server can perform a computational denial-of-service attack on the client process by sending a big iteration count value. Details A hostile IMAP server can send an arbitrarily large PBKDF2 iteration count in the...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00299 | Exploits: 0 | References: 1 | Affected software: 1

RubySec, added 2026/04/24

Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources

Summary A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework v3.x. Due to insecure action lookup logic, an authenticated user can execute any Action class (descendants of Avo::BaseAction) on any resource, even if the action is not registered fo...

CVSS: 8.8 | AI score: 5.9 | EPSS: 0.00295 | Exploits: 0 | References: 1 | Affected software: 1

Total number of security vulnerabilities: 1230