rpm package
almalinux/ruby-default-gems
pkg:rpm/almalinux/ruby-default-gems
Vulnerabilities (31)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2023-28756 | — | < 2.7.8-139.module_el8.8.0+3578+2b4b06da | 2.7.8-139.module_el8.8.0+3578+2b4b06da | Mar 31, 2023 | A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. | ||
| CVE-2023-28755 | — | < 2.7.8-139.module_el8.8.0+3578+2b4b06da | 2.7.8-139.module_el8.8.0+3578+2b4b06da | Mar 31, 2023 | A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 | ||
| CVE-2021-33621 | — | < 2.7.8-139.module_el8.8.0+3578+2b4b06da | 2.7.8-139.module_el8.8.0+3578+2b4b06da | Nov 18, 2022 | The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. | ||
| CVE-2022-28739 | — | < 2.7.6-138.module_el8.6.0+3263+904da987 | 2.7.6-138.module_el8.6.0+3263+904da987 | May 9, 2022 | There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. | ||
| CVE-2022-28738 | — | < 3.0.4-141.module_el8.6.0+3263+41cde0c0 | 3.0.4-141.module_el8.6.0+3263+41cde0c0 | May 9, 2022 | A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations. | ||
| CVE-2021-41819 | — | < 2.7.6-138.module_el8.6.0+3263+904da987 | 2.7.6-138.module_el8.6.0+3263+904da987 | Jan 1, 2022 | CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. | ||
| CVE-2021-41817 | — | < 2.7.6-138.module_el8.6.0+3263+904da987 | 2.7.6-138.module_el8.6.0+3263+904da987 | Jan 1, 2022 | Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. | ||
| CVE-2021-32066 | — | < 2.7.4-137.module_el8.4.0+2515+f744ca41 | 2.7.4-137.module_el8.4.0+2515+f744ca41 | Aug 1, 2021 | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network po | ||
| CVE-2021-31799 | — | < 2.7.4-137.module_el8.4.0+2515+f744ca41 | 2.7.4-137.module_el8.4.0+2515+f744ca41 | Jul 29, 2021 | In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. | ||
| CVE-2021-31810 | — | < 2.7.4-137.module_el8.4.0+2515+f744ca41 | 2.7.4-137.module_el8.4.0+2515+f744ca41 | Jul 13, 2021 | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that a | ||
| CVE-2020-36327 | — | < 2.7.4-137.module_el8.4.0+2515+f744ca41 | 2.7.4-137.module_el8.4.0+2515+f744ca41 | Apr 29, 2021 | Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another |
- CVE-2023-28756Mar 31, 2023affected < 2.7.8-139.module_el8.8.0+3578+2b4b06dafixed 2.7.8-139.module_el8.8.0+3578+2b4b06da
A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.
- CVE-2023-28755Mar 31, 2023affected < 2.7.8-139.module_el8.8.0+3578+2b4b06dafixed 2.7.8-139.module_el8.8.0+3578+2b4b06da
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2
- CVE-2021-33621Nov 18, 2022affected < 2.7.8-139.module_el8.8.0+3578+2b4b06dafixed 2.7.8-139.module_el8.8.0+3578+2b4b06da
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
- CVE-2022-28739May 9, 2022affected < 2.7.6-138.module_el8.6.0+3263+904da987fixed 2.7.6-138.module_el8.6.0+3263+904da987
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
- CVE-2022-28738May 9, 2022affected < 3.0.4-141.module_el8.6.0+3263+41cde0c0fixed 3.0.4-141.module_el8.6.0+3263+41cde0c0
A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
- CVE-2021-41819Jan 1, 2022affected < 2.7.6-138.module_el8.6.0+3263+904da987fixed 2.7.6-138.module_el8.6.0+3263+904da987
CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
- CVE-2021-41817Jan 1, 2022affected < 2.7.6-138.module_el8.6.0+3263+904da987fixed 2.7.6-138.module_el8.6.0+3263+904da987
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
- CVE-2021-32066Aug 1, 2021affected < 2.7.4-137.module_el8.4.0+2515+f744ca41fixed 2.7.4-137.module_el8.4.0+2515+f744ca41
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network po
- CVE-2021-31799Jul 29, 2021affected < 2.7.4-137.module_el8.4.0+2515+f744ca41fixed 2.7.4-137.module_el8.4.0+2515+f744ca41
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
- CVE-2021-31810Jul 13, 2021affected < 2.7.4-137.module_el8.4.0+2515+f744ca41fixed 2.7.4-137.module_el8.4.0+2515+f744ca41
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that a
- CVE-2020-36327Apr 29, 2021affected < 2.7.4-137.module_el8.4.0+2515+f744ca41fixed 2.7.4-137.module_el8.4.0+2515+f744ca41
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another
Page 2 of 2