VYPR

rpm package

almalinux/pcs

pkg:rpm/almalinux/pcs

Vulnerabilities (33)

  • CVE-2026-4800 (High) Mar 31, 2026
    affected: < 0.11.10-1.el9_7.3; fixed: 0.11.10-1.el9_7.3

    Impact: The fix for CVE-2021-23337 (https://github.com/advisories/GHSA-35jh-r3h4-6jhm) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink. When an a

  • CVE-2026-31958 (High) Mar 11, 2026
    affected: < 0.10.18-2.el8_10.9.alma.1; fixed: 0.10.18-2.el8_10.9.alma.1

    Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the max_body_size setting (default 100MB). Since parsing occurs synchronously on the main thread, this cre

  • CVE-2025-13465 Jan 21, 2026
    affected: < 0.12.1-1.el10_1.2; fixed: 0.12.1-1.el10_1.2

    Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwritin

  • CVE-2025-67726 Dec 12, 2025
    affected: < 0.10.18-2.el8_10.8.alma.1; fixed: 0.10.18-2.el8_10.8.alma.1

    Tornado is a Python web framework and asynchronous networking library. Versions 6.5.2 and below use an inefficient algorithm when parsing parameters for HTTP header values, potentially causing a DoS. The _parseparam function in httputil.py is used to parse specific HTTP header va

  • CVE-2025-67725 Dec 12, 2025
    affected: < 0.10.18-2.el8_10.8.alma.1; fixed: 0.10.18-2.el8_10.8.alma.1

    Tornado is a Python web framework and asynchronous networking library. In versions 6.5.2 and below, a single maliciously crafted HTTP request can block the server's event loop for an extended period, caused by the HTTPHeaders.add method. The function accumulates values using stri

  • CVE-2025-61919 Oct 10, 2025
    affected: < 0.10.18-2.el8_10.7.alma.1; fixed: 0.10.18-2.el8_10.7.alma.1

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large

  • CVE-2025-61772 Oct 7, 2025
    affected: < 0.10.18-2.el8_10.7.alma.1; fixed: 0.10.18-2.el8_10.7.alma.1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin

  • CVE-2025-61771 Oct 7, 2025
    affected: < 0.10.18-2.el8_10.7.alma.1; fixed: 0.10.18-2.el8_10.7.alma.1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request

  • CVE-2025-61770 Oct 7, 2025
    affected: < 0.10.18-2.el8_10.7.alma.1; fixed: 0.10.18-2.el8_10.7.alma.1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid

  • CVE-2025-59830 Sep 25, 2025
    affected: < 0.10.18-2.el8_10.7.alma.1; fixed: 0.10.18-2.el8_10.7.alma.1

    Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submi

  • CVE-2025-47287 May 15, 2025
    affected: < 0.10.18-2.el8_10.5.alma.1; fixed: 0.10.18-2.el8_10.5.alma.1

    Tornado is a Python web framework and asynchronous networking library. When Tornado's ``multipart/form-data`` parser encounters certain errors, it logs a warning but continues trying to parse the remainder of the data. This allows remote attackers to generate an extremely high vo

  • CVE-2025-46727 May 7, 2025
    affected: < 0.10.18-2.el8_10.5.alma.1; fixed: 0.10.18-2.el8_10.5.alma.1

    Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers

  • CVE-2023-27539 Jan 9, 2025
    affected: < 0.11.4-7.el9_2; fixed: 0.11.4-7.el9_2

    There is a denial of service vulnerability in the header parsing component of Rack.

  • CVE-2024-52804 Nov 22, 2024
    affected: < 0.10.18-2.el8_10.4.alma.1; fixed: 0.10.18-2.el8_10.4.alma.1

    Tornado is a Python web framework and asynchronous networking library. The algorithm used for parsing HTTP cookies in Tornado versions prior to 6.4.2 sometimes has quadratic complexity, leading to excessive CPU consumption when parsing maliciously-crafted cookie headers. This par

  • CVE-2024-21510 (Medium) Nov 1, 2024
    affected: < 0.10.18-2.el8_10.3.alma.1; fixed: 0.10.18-2.el8_10.3.alma.1

    Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbit

  • CVE-2024-49761 Oct 28, 2024
    affected: < 0.10.18-2.el8_10.6.alma.1; fixed: 0.10.18-2.el8_10.6.alma.1

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected mainta

  • CVE-2024-43398 Aug 22, 2024
    affected: < 0.10.18-2.el8_10.2.alma.1; fixed: 0.10.18-2.el8_10.2.alma.1

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to t

  • CVE-2024-41946 Aug 1, 2024
    affected: < 0.10.18-2.el8_10.2.alma.1; fixed: 0.10.18-2.el8_10.2.alma.1

    REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

  • CVE-2024-41123 Aug 1, 2024
    affected: < 0.10.18-2.el8_10.2.alma.1; fixed: 0.10.18-2.el8_10.2.alma.1

    REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

  • CVE-2024-35176 May 16, 2024
    affected: < 0.10.18-2.el8_10.1; fixed: 0.10.18-2.el8_10.1

    REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include t

Page 1 of 2