VYPR

apk package

wolfi/ruby3.3-rails-8.0

pkg:apk/wolfi/ruby3.3-rails-8.0

Vulnerabilities (27)

  • CVE-2025-54314LowJul 20, 2025
    affected < 8.0.2-r7fixed 8.0.2-r7

    Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."

  • CVE-2025-49007Jun 4, 2025
    affected < 8.0.2-r5fixed 8.0.2-r5

    Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully craft

  • CVE-2025-46336MedMay 8, 2025
    affected < 8.0.2-r4fixed 8.0.2-r4

    Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attack

  • CVE-2025-46727May 7, 2025
    affected < 8.0.2-r4fixed 8.0.2-r4

    Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers

  • CVE-2025-27221Mar 3, 2025
    affected < 8.0.2-r1fixed 8.0.2-r1

    In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

  • CVE-2025-25184Feb 12, 2025
    affected < 8.0.1-r2fixed 8.0.1-r2

    Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting

  • CVE-2025-25186MedFeb 10, 2025
    affected < 8.0.1-r2fixed 8.0.1-r2

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi

Page 2 of 2