VuXML ID | Description |
06ed6a49-bad4-11ec-9cfe-0800270512f4 | Ruby -- Buffer overrun in String-to-Float conversion
piao reports:
Due to a bug in an internal function that converts a String
to a Float, some conversion methods like Kernel#Float
and String#to_f could cause a buffer over-read.
A typical consequence is process termination due to a
segmentation fault, but in limited circumstances it may
be exploitable for an illegal memory read.
Discovery 2022-04-12 Entry 2022-04-13 ruby
ge 2.7.0,1 lt 2.7.6,1
ge 3.0.0,1 lt 3.0.4,1
ge 3.1.0,1 lt 3.1.2,1
ge 3.2.0.p1,1 lt 3.2.0.p1_1,1
ruby27
ge 2.7.0,1 lt 2.7.6,1
ruby30
ge 3.0.0,1 lt 3.0.4,1
ruby31
ge 3.1.0,1 lt 3.1.2,1
ruby32
ge 3.2.0.p1,1 lt 3.2.0.p1_1,1
CVE-2022-28739
https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
|
1daea60a-4719-11da-b5c6-0004614cc33d | ruby -- vulnerability in the safe level settings
Ruby home page reports:
The Object Oriented Scripting Language Ruby supports
safely executing untrusted code with two mechanisms:
safe level and taint flag on objects.
A vulnerability has been found that allows bypassing
these mechanisms.
By using the vulnerability, arbitrary code can be executed
beyond the restrictions specified in each safe level.
Therefore, Ruby has to be updated on all systems that use
safe level to execute untrusted code.
Discovery 2005-10-02 Entry 2005-10-27 ruby
ruby_static
gt 1.6.* lt 1.6.8.2004.07.28_2
gt 1.8.* lt 1.8.2_5
CVE-2005-2337
http://www.ruby-lang.org/en/20051003.html
|
2a093853-2495-11e2-b0c7-000d601460a4 | ruby -- $SAFE escaping vulnerability about Exception#to_s/NameError#to_s
The official ruby site reports:
Vulnerabilities were found in Exception#to_s, NameError#to_s, and
name_err_mesg_to_s(), which is a Ruby interpreter-internal API.
Malicious user code can bypass the $SAFE check by utilizing one of
those security holes.
Ruby's $SAFE mechanism enables untrusted user code to run in
$SAFE >= 4 mode. This is a kind of sandboxing, so some operations
are restricted in that mode to protect other data outside the
sandbox.
The problem found was around this mechanism. Exception#to_s,
NameError#to_s, and the name_err_mesg_to_s() interpreter-internal API
were not correctly handling the $SAFE bits, so a String object which
is not tainted can destructively be marked as tainted using them.
By using this, untrusted code in a sandbox can modify a
formerly-untainted string destructively.
Ruby 1.8 once had a similar security issue. It fixed
Exception#to_s and NameError#to_s, but the name_err_mesg_to_str() issue
survived the previous security fix.
Discovery 2012-08-21 Entry 2012-11-01 ruby
gt 1.8.7,1 lt 1.8.7.371,1
gt 1.9.3,1 lt 1.9.3.286,1
CVE-2012-4464
CVE-2012-4466
http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
https://access.redhat.com/security/cve/CVE-2012-4464/
|
2c6af5c3-4d36-11ec-a539-0800270512f4 | rubygem-cgi -- buffer overrun in CGI.escape_html
chamal reports:
A security vulnerability that causes a buffer overflow when
you pass a very large string (> 700 MB) to
CGI.escape_html on a platform where the
long type takes 4 bytes, typically Windows.
Discovery 2021-11-24 Entry 2021-11-24 ruby
ge 2.7.0,1 lt 2.7.5,1
ge 3.0.0,1 lt 3.0.3,1
ruby27
ge 2.7.0,1 lt 2.7.5,1
ruby30
ge 3.0.0,1 lt 3.0.3,1
rubygem-cgi
< 0.3.1
CVE-2021-41816
https://www.ruby-lang.org/en/news/2021/11/24/buffer-overrun-in-cgi-escape_html-cve-2021-41816/
|
34e0316a-aa91-11df-8c2e-001517289bf8 | ruby -- UTF-7 encoding XSS vulnerability in WEBrick
The official ruby site reports:
WEBrick has had a cross-site scripting vulnerability that allows
an attacker to inject arbitrary script or HTML via a crafted URI.
This does not affect user agents that strictly implement HTTP/1.1;
however, some user agents do not.
Discovery 2010-08-16 Entry 2010-08-17 Modified 2010-08-20 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.7.248_3,1
ge 1.9.*,1 lt 1.9.1.430,1
40895
CVE-2010-0541
http://www.ruby-lang.org/en/news/2010/08/16/xss-in-webrick-cve-2010-0541/
|
3b50881d-1860-4721-aab1-503290e23f6c | Ruby -- unsafe tainted string vulnerability
Ruby developer reports:
There is an unsafe tainted string vulnerability in Fiddle and DL.
This issue was originally reported and fixed with CVE-2009-5147 in
DL, but reappeared after DL was reimplemented using Fiddle and
libffi.
As for DL, CVE-2009-5147 was fixed in Ruby 1.9.1 but not
in other branches, so Rubies that bundled DL, except Ruby
1.9.1, are still vulnerable.
Discovery 2015-12-16 Entry 2015-12-23 ruby
ge 2.0.0,1 lt 2.0.0.648,1
ge 2.1.0,1 lt 2.1.8,1
ge 2.2.0,1 lt 2.2.4,1
https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/
CVE-2015-7551
|
3decc87d-2498-11e2-b0c7-000d601460a4 | ruby -- Unintentional file creation caused by inserting an illegal NUL character
The official ruby site reports:
A vulnerability was found where file creation routines can create
unintended files by strategically inserting NUL(s) in file paths.
This vulnerability has been reported as CVE-2012-4522.
Ruby can handle arbitrary binary patterns as Strings, including
NUL chars. On the other hand, OSes and other libraries tend not to.
They usually treat a NUL as an end-of-string mark, so to interface
them with Ruby, NUL chars should properly be avoided.
However, methods like IO#open did not check the filename passed to
them, and just passed those strings to lower-layer routines. This
led to the creation of unintended files.
Discovery 2012-10-12 Entry 2012-11-01 ruby
gt 1.9.3,1 lt 1.9.3.286,1
CVE-2012-4522
http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/
https://access.redhat.com/security/cve/CVE-2012-4522/
|
4548ec97-4d38-11ec-a539-0800270512f4 | rubygem-cgi -- cookie prefix spoofing in CGI::Cookie.parse
ooooooo_q reports:
The old versions of CGI::Cookie.parse applied
URL decoding to cookie names. An attacker could exploit
this vulnerability to spoof security prefixes in cookie
names, which may be able to trick a vulnerable
application.
By this fix, CGI::Cookie.parse no longer
decodes cookie names. Note that this is an incompatibility
if cookie names that you are using include
non-alphanumeric characters that are URL-encoded.
Discovery 2021-11-24 Entry 2021-11-24 ruby
ge 2.6.0,1 lt 2.6.9,1
ge 2.7.0,1 lt 2.7.5,1
ge 3.0.0,1 lt 3.0.3,1
ruby26
ge 2.6.0,1 lt 2.6.9,1
ruby27
ge 2.7.0,1 lt 2.7.5,1
ruby30
ge 3.0.0,1 lt 3.0.3,1
rubygem-cgi
< 0.3.1
CVE-2021-41819
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
|
53802164-3f7e-11dd-90ea-0019666436c2 | ruby -- multiple integer and buffer overflow vulnerabilities
The official ruby site reports:
Multiple vulnerabilities in Ruby may lead to a denial of service
(DoS) condition or allow execution of arbitrary code.
Discovery 2008-06-19 Entry 2008-06-21 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_3,1
ruby_static
ge 1.8.*,1
CVE-2008-2726
http://www.ruby-lang.org/en/news/2008/06/20/arbitrary-code-execution-vulnerabilities/
|
594eb447-e398-11d9-a8bd-000cf18bbe54 | ruby -- arbitrary command execution on XMLRPC server
Nobuhiro IMAI reports:
The default value modification of
Module#public_instance_methods (from false to true) breaks the
s.add_handler(XMLRPC::iPIMethods("sample"), MyHandler.new) style
security protection.
This problem could allow a remote attacker to execute arbitrary
commands on the XMLRPC server of libruby.
Discovery 2005-06-22 Entry 2005-06-23 Modified 2005-11-06 ruby
ruby_static
gt 1.8.* lt 1.8.2_3
CVE-2005-1992
http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064
|
5e647ca3-2aea-11e2-b745-001fd0af1a4c | ruby -- Hash-flooding DoS vulnerability for ruby 1.9
The official ruby site reports:
A carefully crafted sequence of strings can cause a denial of service
attack on a service that parses the sequence to create a Hash
object using the strings as keys. For instance, this
vulnerability affects web applications that parse JSON data
sent from an untrusted entity.
This vulnerability is similar to CVE-2011-4815 for ruby 1.8.7. ruby
1.9 versions were using a modified MurmurHash function, but it has been
reported that there is a way to create a sequence of strings whose
hash values collide with each other. This fix changes the hash
function of the String object from MurmurHash to SipHash 2-4.
Discovery 2012-11-10 Entry 2012-11-10 ruby
ge 1.9 lt 1.9.3.327
CVE-2012-5371
http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/
|
62e0fbe5-5798-11de-bb78-001cc0377035 | ruby -- BigDecimal denial of service vulnerability
The official ruby site reports:
A denial of service (DoS) vulnerability was found in the
BigDecimal standard library of Ruby. Conversion from BigDecimal
objects into Float numbers had a problem which enables attackers
to effectively cause segmentation faults.
An attacker can cause a denial of service by causing BigDecimal
to parse an insanely large number, such as:
BigDecimal("9E69999999").to_s("F")
Discovery 2009-06-09 Entry 2009-06-13 Modified 2010-05-02 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.7.160_1,1
35278
CVE-2009-1904
http://www.ruby-lang.org/en/news/2009/06/09/dos-vulnerability-in-bigdecimal/
|
6916ea94-4628-11ec-bbe2-0800270512f4 | rubygem-date -- Regular Expression Denial of Service Vulnerability of Date Parsing Methods
Stanislav Valkanov reports:
Date's parsing methods, including Date.parse,
use Regexps internally, some of which are vulnerable
to regular expression denial of service. Applications
and libraries that apply such methods to untrusted input
may be affected.
Discovery 2021-11-15 Entry 2021-11-15 Modified 2021-11-24 ruby
ge 2.6.0,1 lt 2.6.9,1
ge 2.7.0,1 lt 2.7.5,1
ge 3.0.0,1 lt 3.0.3,1
ruby26
ge 2.6.0,1 lt 2.6.9,1
ruby27
ge 2.7.0,1 lt 2.7.5,1
ruby30
ge 3.0.0,1 lt 3.0.3,1
rubygem-date
< 3.2.1
CVE-2021-41817
https://www.ruby-lang.org/en/news/2021/11/15/date-parsing-method-regexp-dos-cve-2021-41817/
|
76562594-1f19-11db-b7d4-0008743bf21a | ruby -- multiple vulnerabilities
Secunia reports:
Two vulnerabilities have been reported in Ruby, which can
be exploited by malicious people to bypass certain security
restrictions.
- An error in the handling of the "alias" functionality
can be exploited to bypass the safe level protection and
replace methods called in the trusted level.
- An error caused due to directory operations not being
properly checked can be exploited to bypass the safe
level protection and close untainted directory streams.
Discovery 2006-07-12 Entry 2006-07-29 Modified 2006-07-30 ruby
ruby_static
gt 1.6.* lt 1.8.*
gt 1.8.* lt 1.8.4_9,1
18944
CVE-2006-3694
http://secunia.com/advisories/21009/
http://jvn.jp/jp/JVN%2383768862/index.html
http://jvn.jp/jp/JVN%2313947696/index.html
|
7ed5779c-e4c7-11eb-91d7-08002728f74c | Ruby -- multiple vulnerabilities
Ruby news:
This release includes security fixes. Please check the topics below for details.
CVE-2021-31810: Trusting FTP PASV responses vulnerability in Net::FTP
CVE-2021-32066: A StartTLS stripping vulnerability in Net::IMAP
CVE-2021-31799: A command injection vulnerability in RDoc
Discovery 2021-07-07 Entry 2021-07-14 ruby26
< 2.6.8,1
ruby
< 2.7.4,1
ruby30
< 3.0.2,1
CVE-2021-31799
CVE-2021-31810
CVE-2021-32066
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-6-8-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-2-7-4-released/
https://www.ruby-lang.org/en/news/2021/07/07/ruby-3-0-2-released/
https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
https://www.ruby-lang.org/en/news/2021/07/07/starttls-stripping-in-net-imap/
https://www.ruby-lang.org/en/news/2021/07/07/trusting-pasv-responses-in-net-ftp/
|
7fe7df75-6568-11e6-a590-14dae9d210b8 | End of Life Ports
These packages have reached End of Life status and/or have
been removed from the Ports Tree. They may contain undocumented
security issues. Please take caution and find alternative
software as soon as possible.
Discovery 2016-08-18 Entry 2016-08-18 Modified 2016-10-18 python32
python31
python30
python26
python25
python24
python23
python22
python21
python20
python15
ge 0
php54
php53
php52
php5
php4
ge 0
perl5
< 5.18
perl5.16
perl5.14
perl5.12
perl
ge 0
ruby
ruby_static
< 2.1,1
unifi2
unifi3
ge 0
apache21
apache20
apache13
ge 0
tomcat55
tomcat41
ge 0
mysql51-client
mysql51-server
mysql50-client
mysql50-server
mysql41-client
mysql41-server
mysql40-client
mysql40-server
ge 0
postgresql90-client
postgresql90-server
postgresql84-client
postgresql84-server
postgresql83-client
postgresql83-server
postgresql82-client
postgresql82-server
postgresql81-client
postgresql81-server
postgresql80-client
postgresql80-server
postgresql74-client
postgresql74-server
postgresql73-client
postgresql73-server
postgresql72-client
postgresql72-server
postgresql71-client
postgresql71-server
postgresql7-client
postgresql7-server
ge 0
ports/211975
|
844cf3f5-9259-4b3e-ac9e-13ca17333ed7 | ruby -- DoS vulnerability in REXML
Ruby developers report:
Unrestricted entity expansion can lead to a DoS vulnerability in
REXML. (The CVE identifier will be assigned later.) We strongly
recommend upgrading ruby.
When reading text nodes from an XML document, the REXML parser can
be coerced into allocating extremely large string objects which
can consume all of the memory on a machine, causing a denial of
service.
Discovery 2013-02-22 Entry 2013-02-24 ruby
ge 1.9,1 lt 1.9.3.392,1
http://www.ruby-lang.org/en/news/2013/02/22/rexml-dos-2013-02-22/
|
84ab03b6-6c20-11ed-b519-080027f5fec9 | rubygem-cgi -- HTTP response splitting vulnerability
Hiroshi Tokumaru reports:
If an application generates HTTP responses using the
cgi gem with untrusted user input, an attacker can exploit
it to inject a malicious HTTP response header and/or body.
Also, the contents of a CGI::Cookie object
were not checked properly. If an application creates a
CGI::Cookie object based on user input, an
attacker may exploit it to inject invalid attributes in the
Set-Cookie header. We think such applications
are unlikely, but we have included a change to check
arguments for CGI::Cookie#initialize
preventatively.
Discovery 2022-11-22 Entry 2022-11-24 rubygem-cgi
< 0.3.4
ruby
ge 2.7.0,1 lt 2.7.7,1
ge 3.0.0,1 lt 3.0.5,1
ge 3.1.0,1 lt 3.1.3,1
ge 3.2.0.p1,1 lt 3.2.0.r1,1
ruby27
ge 2.7.0,1 lt 2.7.7,1
ruby30
ge 3.0.0,1 lt 3.0.5,1
ruby31
ge 3.1.0,1 lt 3.1.3,1
ruby32
ge 3.2.0.p1,1 lt 3.2.0.r1,1
CVE-2021-33621
https://www.ruby-lang.org/en/news/2022/11/22/http-response-splitting-in-cgi-cve-2021-33621/
|
91be81e7-3fea-11e1-afc7-2c4138874f7d | Multiple implementations -- DoS via hash algorithm collision
oCERT reports:
A variety of programming languages suffer from a denial-of-service
(DoS) condition against storage functions of key/value pairs in
hash data structures; the condition can be leveraged by exploiting
predictable collisions in the underlying hashing algorithms.
The issue finds particular exposure in web server applications
and/or frameworks. In particular, the lack of sufficient limits
for the number of parameters in POST requests in conjunction with
the predictable collision properties in the hashing functions of
the underlying languages can render web applications vulnerable
to the DoS condition. The attacker, using specially crafted HTTP
requests, can cause 100% CPU usage which can last up to
several hours depending on the targeted application and server
performance; the amplification effect is considerable and
requires little bandwidth and time on the attacker side.
The condition for predictable collisions in the hashing functions
has been reported for the following language implementations:
Java, JRuby, PHP, Python, Rubinius, Ruby. In the case of the
Ruby language, the 1.9.x branch is not affected by the
predictable collision condition since this version includes a
randomization of the hashing function.
The vulnerability outlined in this advisory is practically
identical to the one reported in 2003 and described in the paper
"Denial of Service via Algorithmic Complexity Attacks", which
affected the Perl language.
Discovery 2011-12-28 Entry 2012-01-16 Modified 2012-01-20 jruby
< 1.6.5.1
ruby
ruby+nopthreads
ruby+nopthreads+oniguruma
ruby+oniguruma
< 1.8.7.357,1
rubygem-rack
< 1.3.6,3
v8
< 3.8.5
redis
le 2.4.6
node
< 0.6.7
CVE-2011-4838
CVE-2011-4815
CVE-2011-5036
CVE-2011-5037
http://www.ocert.org/advisories/ocert-2011-003.html
http://www.nruns.com/_downloads/advisory28122011.pdf
|
959d384d-6b59-11dd-9d79-001fc61c2a55 | ruby -- DNS spoofing vulnerability
The official ruby site reports:
resolv.rb allows remote attackers to spoof DNS answers. This risk
can be reduced by randomness of DNS transaction IDs and source
ports.
Discovery 2008-08-08 Entry 2008-08-16 Modified 2009-02-09 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_5,1
ge 1.9.*,1 lt 1.9.1.0,1
CVE-2008-1447
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
|
95b01379-9d52-11e7-a25c-471bafc3262f | ruby -- multiple vulnerabilities
Ruby blog:
CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
If a malicious format string which contains a precision specifier (*)
is passed and a huge negative value is also passed to the specifier,
a buffer underrun may be caused. In such a situation, the result may
contain heap contents, or the Ruby interpreter may crash.
CVE-2017-10784: Escape sequence injection vulnerability in the Basic
authentication of WEBrick
When using the Basic authentication of WEBrick, clients can pass an
arbitrary string as the user name. WEBrick outputs the passed user name
intact to its log, so an attacker can inject malicious escape
sequences into the log and dangerous control characters may be executed
on a victim's terminal emulator.
This vulnerability is similar to a vulnerability already fixed, but
it had not been fixed in the Basic authentication.
CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
If a malicious string is passed to the decode method of OpenSSL::ASN1,
a buffer underrun may be caused and the Ruby interpreter may crash.
CVE-2017-14064: Heap exposure vulnerability in generating JSON
The generate method of the JSON module optionally accepts an instance of
the JSON::Ext::Generator::State class. If a malicious instance is passed,
the result may include contents of the heap.
Discovery 2017-09-14 Entry 2017-09-19 ruby
ge 2.2.0 lt 2.2.8
ge 2.3.0 lt 2.3.5
ge 2.4.0 lt 2.4.2
https://www.ruby-lang.org/en/security/
https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
CVE-2017-0898
CVE-2017-10784
CVE-2017-14033
CVE-2017-14064
|
a8674c14-83d7-11db-88d5-0012f06707f0 | ruby -- cgi.rb library Denial of Service
The official ruby site reports:
Another vulnerability has been discovered in the CGI library
(cgi.rb) that ships with Ruby which could be used by a malicious
user to create a denial of service attack (DoS).
A specific HTTP request for any web application using cgi.rb
causes CPU consumption on the machine on which the web application
is running. Many such requests result in a denial of service.
Discovery 2006-12-04 Entry 2006-12-04 Modified 2010-05-12 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.5_5,1
ruby_static
ge 1.8.*,1
CVE-2006-6303
http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
|
ab8dbe98-6be4-11db-ae91-0012f06707f0 | ruby -- cgi.rb library Denial of Service
Official ruby site reports:
A vulnerability has been discovered in the CGI library (cgi.rb)
that ships with Ruby which could be used by a malicious user to
create a denial of service attack (DoS). The problem is triggered
by sending the library an HTTP request that uses multipart MIME
encoding and an invalid boundary specifier that begins with
"-" instead of "--". Once triggered, it will
exhaust all available memory resources, effectively creating a DoS
condition.
Discovery 2006-10-25 Entry 2006-11-04 Modified 2006-12-15 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.5_4,1
ruby_static
ge 1.8.*,1
20777
CVE-2006-5467
http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
|
afc60484-0652-440e-b01a-5ef814747f06 | ruby -- multiple vulnerabilities
Ruby news:
CVE-2018-16395: OpenSSL::X509::Name equality check does not work
correctly
An instance of OpenSSL::X509::Name contains entities such as CN, C and
so on. Two instances of OpenSSL::X509::Name are equal only when
all entities are exactly equal. However, there is a bug where the
equality check is not correct if the value of an entity of the
argument (right-hand side) starts with the value of the receiver
(left-hand side). So, if a malicious X.509 certificate is passed to
compare with an existing certificate, there is a possibility that they
are incorrectly judged to be equal.
CVE-2018-16396: Tainted flags are not propagated in Array#pack and
String#unpack with some directives
The Array#pack method converts the receiver's contents into a string with
the specified format. If the receiver contains some tainted objects, the
returned string should also be tainted. The String#unpack method, which
converts the receiver into an array, should also propagate its tainted
flag to the objects contained in the returned array. But, with the B, b, H
and h directives, the tainted flags are not propagated. So, if a script
processes unreliable inputs with Array#pack and/or String#unpack using
these directives and checks the reliability with tainted flags, the
check might be wrong.
Discovery 2018-10-17 Entry 2018-10-20 ruby
ge 2.3.0,1 lt 2.3.8,1
ge 2.4.0,1 lt 2.4.5,1
ge 2.5.0,1 lt 2.5.2,1
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/
https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
CVE-2018-16395
CVE-2018-16396
|
c329712a-6b5b-11dd-9d79-001fc61c2a55 | ruby -- multiple vulnerabilities in safe level
The official ruby site reports:
Several vulnerabilities in safe level have been discovered:
- untrace_var is permitted at safe level 4;
- $PROGRAM_NAME may be modified at safe level 4;
- insecure methods may be called at safe level 1-3;
- syslog operations are permitted at safe level 4;
- dl doesn't check taintness, so it could allow attackers
to call dangerous functions.
Discovery 2008-08-08 Entry 2008-08-16 Modified 2010-05-12 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.287,1
ge 1.9.*,1 lt 1.9.1.0,1
CVE-2008-3655
CVE-2008-3656
CVE-2008-3905
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
|
c79eb109-a754-45d7-b552-a42099eb2265 | Ruby -- Denial of Service and Unsafe Object Creation Vulnerability in JSON
Aaron Patterson reports:
When parsing certain JSON documents, the JSON gem can be coerced
into creating Ruby symbols in a target system. Since Ruby symbols
are not garbage collected, this can result in a denial of service
attack.
The same technique can be used to create objects in a target system
that act like internal objects. These "act alike" objects can be
used to bypass certain security mechanisms and can be used as a
spring board for SQL injection attacks in Ruby on Rails.
Discovery 2013-02-11 Entry 2013-02-16 ruby
ge 1.9,1 lt 1.9.3.385,1
rubygem18-json
< 1.7.7
rubygem19-json
< 1.7.7
rubygem18-json_pure
< 1.7.7
rubygem19-json_pure
< 1.7.7
CVE-2013-0269
|
d3e96508-056b-4259-88ad-50dc8d1978a6 | Ruby -- XSS exploit of RDoc documentation generated by rdoc
Ruby developers report:
RDoc documentation generated by the rdoc bundled with ruby is
vulnerable to an XSS exploit. All ruby users are recommended to
update ruby to a newer version which includes the security-fixed RDoc. If
you are publishing RDoc documentation generated by rdoc, you are
recommended to apply a patch to the documentation or re-generate it
with the security-fixed RDoc.
Discovery 2013-02-06 Entry 2013-02-16 ruby
ge 1.9,1 lt 1.9.3.385,1
rubygem18-rdoc
< 3.12.1
rubygem19-rdoc
< 3.12.1
CVE-2013-0256
|
d4379f59-3e9b-49eb-933b-61de4d0b0fdb | Ruby -- OpenSSL Hostname Verification Vulnerability
Ruby Developers report:
After reviewing RFC 6125 and RFC 5280, we found multiple violations
of matching hostnames and particularly wildcard certificates.
Ruby's OpenSSL extension will now provide a string-based matching
algorithm which follows stricter behavior, as recommended by
these RFCs. In particular, matching of more than one wildcard per
subject/SAN is no longer allowed. As well, comparison of these
values is now case-insensitive.
Discovery 2015-04-13 Entry 2015-04-14 Modified 2015-09-23 ruby
ruby20
ge 2.0,1 lt 2.0.0.645,1
ruby
ruby21
ge 2.1,1 lt 2.1.6,1
ruby
ruby22
ge 2.2,1 lt 2.2.2,1
https://www.ruby-lang.org/en/news/2015/04/13/ruby-openssl-hostname-matching-vulnerability/
CVE-2015-1855
|
d656296b-33ff-11d9-a9e7-0001020eed82 | ruby -- CGI DoS
The Ruby CGI.rb module contains a bug which can cause the
CGI module to go into an infinite loop, thereby causing a
denial-of-service situation on the web server by using all
available CPU time.
Discovery 2004-11-06 Entry 2004-11-13 Modified 2004-11-25 ruby
ruby_r
gt 1.7.* lt 1.8.2.p2_2
< 1.6.8.2004.07.28_1
ruby-1.7.0
ge a2001.05.12 le a2001.05.26
CVE-2004-0983
http://www.debian.org/security/2004/dsa-586
|
dd644964-e10e-11e7-8097-0800271d4b9c | ruby -- Command injection vulnerability in Net::FTP
Etienne Stalmans from the Heroku product security team reports:
There is a command injection vulnerability in Net::FTP bundled with Ruby.
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Discovery 2017-12-14 Entry 2017-12-14 ruby
ge 2.2.0,1 lt 2.2.9,1
ge 2.3.0,1 lt 2.3.6,1
ge 2.4.0,1 lt 2.4.3,1
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
CVE-2017-17405
|
dec7e4b6-961a-11eb-9c34-080027f515ea | ruby -- XML round-trip vulnerability in REXML
Juho Nurminen reports:
When parsing and serializing a crafted XML document, REXML gem
(including the one bundled with Ruby) can create a wrong XML
document whose structure is different from the original one.
The impact of this issue highly depends on context, but it may
lead to a vulnerability in some programs that are using REXML.
Discovery 2021-04-05 Entry 2021-04-05 ruby
ge 2.5.0,1 lt 2.5.9,1
ge 2.6.0,1 lt 2.6.7,1
ge 2.7.0,1 lt 2.7.3,1
ge 3.0.0.p1,1 lt 3.0.1,1
rubygem-rexml
< 3.2.5
CVE-2021-28965
https://www.ruby-lang.org/en/news/2021/04/05/xml-round-trip-vulnerability-in-rexml-cve-2021-28965/
|
e811aaf1-f015-11d8-876f-00902714cc7c | Ruby insecure file permissions in the CGI session management
According to a Debian Security Advisory:
Andres Salomon noticed a problem in the CGI session
management of Ruby, an object-oriented scripting language.
CGI::Session's FileStore (and presumably PStore [...])
implementations store session information insecurely.
They simply create files, ignoring permission issues.
This can lead to an attacker who also has shell access to the
webserver taking over a session.
Discovery 2004-08-16 Entry 2004-08-16 Modified 2004-08-28 ruby
< 1.6.8.2004.07.26
ge 1.7.0 lt 1.8.1.2004.07.23
CVE-2004-0755
http://xforce.iss.net/xforce/xfdb/16996
http://www.debian.org/security/2004/dsa-537
http://marc.theaimsgroup.com/?l=bugtraq&m=109267579822250&w=2
|
eab8c3bd-e50c-11de-9cd0-001a926c7637 | ruby -- heap overflow vulnerability
The official ruby site reports:
There is a heap overflow vulnerability in String#ljust,
String#center and String#rjust. This has allowed an attacker to run
arbitrary code in some rare cases.
Discovery 2009-11-30 Entry 2009-12-09 ruby
ge 1.9.1,1 lt 1.9.1.376,1
CVE-2009-4124
http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/
|
eb69bcf2-18ef-4aa2-bb0c-83b263364089 | ruby -- multiple vulnerabilities
Ruby news:
CVE-2017-17742: HTTP response splitting in WEBrick
If a script accepts an external input and outputs it without
modification as a part of HTTP responses, an attacker can use newline
characters to deceive the clients that the HTTP response header is
stopped at there, and can inject fake HTTP responses after the newline
characters to show malicious contents to the clients.
CVE-2018-6914: Unintentional file and directory creation with
directory traversal in tempfile and tmpdir
Dir.mktmpdir method introduced by tmpdir library accepts the prefix
and the suffix of the directory which is created as the first parameter.
The prefix can contain relative directory specifiers "../", so this
method can be used to target any directory. So, if a script accepts an
external input as the prefix, and the targeted directory has
inappropriate permissions or the ruby process has inappropriate
privileges, the attacker can create a directory or a file at any
directory.
CVE-2018-8777: DoS by large request in WEBrick
If an attacker sends a large request which contains huge HTTP headers,
WEBrick try to process it on memory, so the request causes the
out-of-memory DoS attack.
CVE-2018-8778: Buffer under-read in String#unpack
String#unpack receives format specifiers as its parameter, and can
be specified the position of parsing the data by the specifier @. If a
big number is passed with @, the number is treated as the negative
value, and out-of-buffer read is occurred. So, if a script accepts an
external input as the argument of String#unpack, the attacker can read
data on heaps.
CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in
UNIXServer and UNIXSocket
UNIXServer.open accepts the path of the socket to be created as its
first parameter. If the path contains NUL (\0) bytes, this method
recognizes that the path ends before the NUL bytes. So, if a
script accepts an external input as the argument of this method, the
attacker can create the socket file at an unintended path. Also,
UNIXSocket.open accepts the path of the socket to be created as
its first parameter without checking for NUL bytes, like UNIXServer.open.
So, if a script accepts an external input as the argument of this
method, the attacker can access the socket file at an unintended
path.
CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte
in Dir
Dir.open, Dir.new, Dir.entries and Dir.empty? accept the path of the
target directory as their parameter. If the parameter contains NUL (\0)
bytes, these methods recognize that the path ends before the
NUL bytes. So, if a script accepts an external input as the argument of
these methods, the attacker can cause an unintended directory
traversal.
Discovery 2018-03-28 Entry 2018-03-29 ruby
ge 2.3.0,1 lt 2.3.7,1
ge 2.4.0,1 lt 2.4.4,1
ge 2.5.0,1 lt 2.5.1,1
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
CVE-2017-17742
CVE-2018-6914
CVE-2018-8777
CVE-2018-8778
CVE-2018-8779
CVE-2018-8780
|
ed8d5535-ca78-11e9-980b-999ff59c22ea | RDoc -- multiple jQuery vulnerabilities
Ruby news:
There are multiple Cross-Site Scripting (XSS) vulnerabilities in the
jQuery shipped with RDoc, which is bundled in Ruby. All Ruby users are
recommended to update Ruby to the latest release, which includes the
fixed version of RDoc.
The following vulnerabilities have been reported.
CVE-2012-6708
CVE-2015-9251
Discovery 2019-08-28 Entry 2019-08-29 Modified 2019-08-31 ruby
ge 2.4.0,1 lt 2.4.7,1
ge 2.5.0,1 lt 2.5.6,1
ge 2.6.0,1 lt 2.6.3,1
rubygem-rdoc
< 6.1.2
https://www.ruby-lang.org/en/news/2019/08/28/multiple-jquery-vulnerabilities-in-rdoc/
CVE-2012-6708
CVE-2015-9251
|
f22144d7-bad1-11ec-9cfe-0800270512f4 | Ruby -- Double free in Regexp compilation
piao reports:
Due to a bug in the Regexp compilation process, creating
a Regexp object with a crafted source string could cause
the same memory to be freed twice. This is known as a
"double free" vulnerability. Note that, in general, it
is considered unsafe to create and use a Regexp object
generated from untrusted input. In this case, however,
following a comprehensive assessment, we treat this issue
as a vulnerability.
Discovery 2022-04-12 Entry 2022-04-13 ruby
ge 3.0.0,1 lt 3.0.4,1
ge 3.1.0,1 lt 3.1.2,1
ge 3.2.0.p1,1 lt 3.2.0.p1_1,1
ruby30
ge 3.0.0,1 lt 3.0.4,1
ruby31
ge 3.1.0,1 lt 3.1.2,1
ruby32
ge 3.2.0.p1,1 lt 3.2.0.p1_1,1
CVE-2022-28738
https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
|
f7ba20aa-6b5a-11dd-9d79-001fc61c2a55 | ruby -- DoS vulnerability in WEBrick
The official ruby site reports:
WEBrick::HTTP::DefaultFileHandler is vulnerable to requests that take
exponential time due to a backtracking regular expression in
WEBrick::HTTPUtils.split_header_value.
Discovery 2008-08-08 Entry 2008-08-16 Modified 2010-05-12 ruby
ruby+pthreads
ruby+pthreads+oniguruma
ruby+oniguruma
ge 1.8.*,1 lt 1.8.6.111_5,1
ge 1.9.*,1 lt 1.9.1.0,1
CVE-2008-3655
CVE-2008-3656
CVE-2008-3905
http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
|
f7fcb75c-e537-11e9-863e-b9b7af01ba9e | ruby -- multiple vulnerabilities
Ruby news:
This release includes security fixes. Please check the topics below for
details.
CVE-2019-15845: A NUL injection vulnerability of File.fnmatch and
File.fnmatch?
A NUL injection vulnerability of Ruby built-in methods (File.fnmatch
and File.fnmatch?) was found. An attacker who has the control of the
path pattern parameter could exploit this vulnerability to make path
matching pass despite the intention of the program author.
CVE-2019-16201: Regular Expression Denial of Service vulnerability of
WEBrick's Digest access authentication
A regular expression denial of service vulnerability of WEBrick's Digest
authentication module was found. An attacker can exploit this
vulnerability to cause an effective denial of service against a WEBrick
service.
CVE-2019-16254: HTTP response splitting in WEBrick (Additional fix)
There is an HTTP response splitting vulnerability in WEBrick bundled
with Ruby.
CVE-2019-16255: A code injection vulnerability of Shell#[] and
Shell#test
A code injection vulnerability of Shell#[] and Shell#test in a standard
library (lib/shell.rb) was found.
Discovery 2019-10-01 Entry 2019-10-02 ruby
ge 2.4.0,1 lt 2.4.9,1
ge 2.5.0,1 lt 2.5.7,1
ge 2.6.0,1 lt 2.6.5,1
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-6-5-released/
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-5-7-released/
https://www.ruby-lang.org/en/news/2019/10/01/ruby-2-4-8-released/
https://www.ruby-lang.org/en/news/2019/10/02/ruby-2-4-9-released/
https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/
CVE-2019-15845
CVE-2019-16201
CVE-2019-16254
CVE-2019-16255
|