almalinux/ruby-libs

Vulnerabilities (30)

• CVE-2026-41316HigApr 24, 2026
  affected < 3.3.10-6.module_el9.7.0+245+447713a2fixed 3.3.10-6.module_el9.7.0+245+447713a2

  ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is reconstructed via `Marshal.load` (deserialization). Howeve

• CVE-2025-58767Sep 17, 2025
  affected < 3.3.10-5.module_el8.10.0+4075+e5f6dad1fixed 3.3.10-5.module_el8.10.0+4075+e5f6dad1

  REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities. The REXML gem 3.4.2 or later include the patches

• CVE-2025-24294HigJul 12, 2025
  affected < 3.3.10-5.module_el8.10.0+4075+e5f6dad1fixed 3.3.10-5.module_el8.10.0+4075+e5f6dad1

  The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet containing a highly compressed domain name. When the res

• CVE-2025-27221Mar 3, 2025
  affected < 3.3.8-4.module_el8.10.0+4022+8b66723cfixed 3.3.8-4.module_el8.10.0+4022+8b66723c

  In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

• CVE-2025-27220Mar 3, 2025
  affected < 3.1.7-145.module_el8.10.0+3984+cf55e3dffixed 3.1.7-145.module_el8.10.0+3984+cf55e3df

  In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

• CVE-2025-27219Mar 3, 2025
  affected < 3.3.8-4.module_el8.10.0+4022+8b66723cfixed 3.3.8-4.module_el8.10.0+4022+8b66723c

  In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource

• CVE-2025-25186MedFeb 10, 2025
  affected < 3.3.8-4.module_el8.10.0+4022+8b66723cfixed 3.3.8-4.module_el8.10.0+4022+8b66723c

  Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi

• CVE-2024-49761Oct 28, 2024
  affected < 3.1.5-144.module_el8.10.0+3933+43481280fixed 3.1.5-144.module_el8.10.0+3933+43481280

  REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected mainta

• CVE-2024-43398Aug 22, 2024
  affected < 3.3.5-3.module_el8.10.0+3894+6d587c81fixed 3.3.5-3.module_el8.10.0+3894+6d587c81

  REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API like REXML::Document.new, you may be impacted to t

• CVE-2024-41946Aug 1, 2024
  affected < 3.3.5-3.module_el8.10.0+3894+6d587c81fixed 3.3.5-3.module_el8.10.0+3894+6d587c81

  REXML is an XML toolkit for Ruby. The REXML gem 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API. The REXML gem 3.3.3 or later include the patch to fix the vulnerability.

• CVE-2024-41123Aug 1, 2024
  affected < 3.3.5-3.module_el8.10.0+3894+6d587c81fixed 3.3.5-3.module_el8.10.0+3894+6d587c81

  REXML is an XML toolkit for Ruby. The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character, `>]` and `]>`. The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.

• CVE-2024-39908Jul 16, 2024
  affected < 3.3.5-3.module_el8.10.0+3894+6d587c81fixed 3.3.5-3.module_el8.10.0+3894+6d587c81

  REXML is an XML toolkit for Ruby. The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XMLs, you many be impacted to these vulnerabilities. The REXML gem 3.3.2 or

• CVE-2024-35176May 16, 2024
  affected < 2.5.9-112.module_el8.10.0+3871+342e2c2ffixed 2.5.9-112.module_el8.10.0+3871+342e2c2f

  REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted to this vulnerability. The REXML gem 3.2.7 or later include t

• CVE-2024-27282MedMay 14, 2024
  affected < 3.0.7-143.module_el8.10.0+3852+ce828b19fixed 3.0.7-143.module_el8.10.0+3852+ce828b19

  An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2

• CVE-2024-27281MedMay 14, 2024
  affected < 3.0.7-143.module_el8.10.0+3852+ce828b19fixed 3.0.7-143.module_el8.10.0+3852+ce828b19

  An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the cl

• CVE-2024-27280CriMay 14, 2024
  affected < 3.0.7-143.module_el8.10.0+3852+ce828b19fixed 3.0.7-143.module_el8.10.0+3852+ce828b19

  A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0.

• CVE-2023-36617Jun 29, 2023
  affected < 3.1.4-142.module_el8.9.0+3746+91b8233afixed 3.1.4-142.module_el8.9.0+3746+91b8233a

  A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue

• CVE-2023-28756Mar 31, 2023
  affected < 2.7.8-139.module_el8.8.0+3578+2b4b06dafixed 2.7.8-139.module_el8.8.0+3578+2b4b06da

  A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

• CVE-2023-28755Mar 31, 2023
  affected < 2.7.8-139.module_el8.8.0+3578+2b4b06dafixed 2.7.8-139.module_el8.8.0+3578+2b4b06da

  A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2

• CVE-2021-33621Nov 18, 2022
  affected < 2.7.8-139.module_el8.8.0+3578+2b4b06dafixed 2.7.8-139.module_el8.8.0+3578+2b4b06da

  The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.