apk package
chainguard/ruby3.3-rails-7.2
pkg:apk/chainguard/ruby3.3-rails-7.2
Vulnerabilities (27)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-54314 | Low | 2.8 | < 7.2.2.1-r10 | 7.2.2.1-r10 | Jul 20, 2025 | Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments." | |
| CVE-2025-49007 | — | < 7.2.2.1-r8 | 7.2.2.1-r8 | Jun 4, 2025 | Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully craft | ||
| CVE-2025-46336 | Med | 4.2 | < 7.2.2.1-r7 | 7.2.2.1-r7 | May 8, 2025 | Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attack | |
| CVE-2025-46727 | — | < 7.2.2.1-r7 | 7.2.2.1-r7 | May 7, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers | ||
| CVE-2025-27610 | — | < 7.2.2.1-r4 | 7.2.2.1-r4 | Mar 10, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu | ||
| CVE-2025-25184 | — | < 7.2.2.1-r2 | 7.2.2.1-r2 | Feb 12, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting | ||
| CVE-2025-25186 | Med | 6.5 | < 7.2.2.1-r2 | 7.2.2.1-r2 | Feb 10, 2025 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi |
- affected < 7.2.2.1-r10fixed 7.2.2.1-r10
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
- CVE-2025-49007Jun 4, 2025affected < 7.2.2.1-r8fixed 7.2.2.1-r8
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully craft
- affected < 7.2.2.1-r7fixed 7.2.2.1-r7
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attack
- CVE-2025-46727May 7, 2025affected < 7.2.2.1-r7fixed 7.2.2.1-r7
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers
- CVE-2025-27610Mar 10, 2025affected < 7.2.2.1-r4fixed 7.2.2.1-r4
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu
- CVE-2025-25184Feb 12, 2025affected < 7.2.2.1-r2fixed 7.2.2.1-r2
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting
- affected < 7.2.2.1-r2fixed 7.2.2.1-r2
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi
Page 2 of 2