rpm package
almalinux/rubygem-did_you_mean
pkg:rpm/almalinux/rubygem-did_you_mean
Vulnerabilities (18)
Note: none of the CVEs below is a flaw in did_you_mean itself. Each one is in another component of the Ruby distribution (REXML, RDoc, StringIO, URI, Time, CGI, Date, Bundler, Net::IMAP, Net::FTP, Oniguruma). rubygem-did_you_mean is built as a subpackage of the ruby source package, so it is rebuilt, and its release tag bumped, whenever the ruby module build is fixed. The "Affected versions" and "Fixed in" columns are therefore package version-release strings, not upstream did_you_mean gem versions, and the table mixes 1.2.0-* and 1.3.0-* builds because each ruby module stream bundles a different did_you_mean version. Compare an installed package only against entries with the same upstream version.
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-49761 | — | — | — | < 1.2.0-113.module_el8.10.0+3932+2d440da3 | 1.2.0-113.module_el8.10.0+3932+2d440da3 | Oct 28, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected mainta |
| CVE-2024-35176 | — | — | — | < 1.2.0-112.module_el8.10.0+3871+342e2c2f | 1.2.0-112.module_el8.10.0+3871+342e2c2f | May 16, 2024 | REXML is an XML toolkit for Ruby. The REXML gem before 3.2.6 has a denial of service vulnerability when it parses an XML that has many `<`s in an attribute value. Those who need to parse untrusted XMLs may be impacted by this vulnerability. The REXML gem 3.2.7 or later include t |
| CVE-2024-27282 | Med | 6.6 | — | < 1.2.0-112.module_el8.10.0+3871+342e2c2f | 1.2.0-112.module_el8.10.0+3871+342e2c2f | May 14, 2024 | An issue was discovered in Ruby 3.x through 3.3.0. If attacker-supplied data is provided to the Ruby regex compiler, it is possible to extract arbitrary heap data relative to the start of the text, including pointers and sensitive strings. The fixed versions are 3.0.7, 3.1.5, 3.2 |
| CVE-2024-27281 | Med | 4.5 | — | < 1.2.0-112.module_el8.10.0+3871+342e2c2f | 1.2.0-112.module_el8.10.0+3871+342e2c2f | May 14, 2024 | An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing .rdoc_options (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the cl |
| CVE-2024-27280 | Cri | 9.8 | — | < 1.2.0-112.module_el8.10.0+3871+342e2c2f | 1.2.0-112.module_el8.10.0+3871+342e2c2f | May 14, 2024 | A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may return the memory value. 3.0. |
| CVE-2023-36617 | — | — | — | < 1.2.0-112.module_el8.10.0+3871+342e2c2f | 1.2.0-112.module_el8.10.0+3871+342e2c2f | Jun 29, 2023 | A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue |
| CVE-2023-28756 | — | — | — | < 1.2.0-111.module_el8.9.0+3635+c6f99506 | 1.2.0-111.module_el8.9.0+3635+c6f99506 | Mar 31, 2023 | A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid strings that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. |
| CVE-2023-28755 | — | — | — | < 1.2.0-111.module_el8.9.0+3635+c6f99506 | 1.2.0-111.module_el8.9.0+3635+c6f99506 | Mar 31, 2023 | A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 |
| CVE-2021-33621 | — | — | — | < 1.2.0-111.module_el8.9.0+3635+c6f99506 | 1.2.0-111.module_el8.9.0+3635+c6f99506 | Nov 18, 2022 | The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object. |
| CVE-2022-28739 | — | — | — | < 1.2.0-111.module_el8.9.0+3635+c6f99506 | 1.2.0-111.module_el8.9.0+3635+c6f99506 | May 9, 2022 | There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. |
| CVE-2021-41819 | — | — | — | < 1.3.0-108.module_el8.5.0+2623+08a8ba32 | 1.3.0-108.module_el8.5.0+2623+08a8ba32 | Jan 1, 2022 | CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby. |
| CVE-2021-41817 | — | — | — | < 1.3.0-108.module_el8.5.0+2623+08a8ba32 | 1.3.0-108.module_el8.5.0+2623+08a8ba32 | Jan 1, 2022 | Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. |
| CVE-2021-43809 | — | — | — | < 1.2.0-114.module_el8.10.0+3991+5e651d4e | 1.2.0-114.module_el8.10.0+3991+5e651d4e | Dec 8, 2021 | `Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code ins |
| CVE-2021-32066 | — | — | — | < 1.3.0-108.module_el8.5.0+2623+08a8ba32 | 1.3.0-108.module_el8.5.0+2623+08a8ba32 | Aug 1, 2021 | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network po |
| CVE-2021-31799 | — | — | — | < 1.3.0-108.module_el8.5.0+2623+08a8ba32 | 1.3.0-108.module_el8.5.0+2623+08a8ba32 | Jul 29, 2021 | In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. |
| CVE-2021-31810 | — | — | — | < 1.3.0-108.module_el8.5.0+2623+08a8ba32 | 1.3.0-108.module_el8.5.0+2623+08a8ba32 | Jul 13, 2021 | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that a |
| CVE-2020-36327 | — | — | — | < 1.3.0-108.module_el8.5.0+2623+08a8ba32 | 1.3.0-108.module_el8.5.0+2623+08a8ba32 | Apr 29, 2021 | Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another |
| CVE-2019-19012 | — | — | — | < 1.2.0-114.module_el8.10.0+3991+5e651d4e | 1.2.0-114.module_el8.10.0+3991+5e651d4e | Nov 16, 2019 | An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a d |
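The script below is an added example, not code from the AlmaLinux package or from the did_you_mean gem. It checks an installed rubygem-did_you_mean build against the "Fixed in" column above using rpm's own ordering rules (a port of rpmvercmp() from rpm's rpmvercmp.c), because a plain string comparison mis-orders release tags such as 112.module_el8.10.0+3871+342e2c2f versus 113.module_el8.10.0+3932+2d440da3. The FIXED_IN table is copied from this page; the sample installed build, the `same_version_only` option and the ordering of the result are the example's own assumptions. Epoch is ignored because no entry on this page carries one.

```ruby
# Added example (not part of the AlmaLinux package or of the did_you_mean gem):
# report which CVEs from the table above are still unfixed for an installed
# rubygem-did_you_mean build, using rpm's own version-ordering rules.

# Copied from the "Fixed in" column on this page: CVE => "version-release".
FIXED_IN = {
  "CVE-2024-49761" => "1.2.0-113.module_el8.10.0+3932+2d440da3",
  "CVE-2024-35176" => "1.2.0-112.module_el8.10.0+3871+342e2c2f",
  "CVE-2024-27282" => "1.2.0-112.module_el8.10.0+3871+342e2c2f",
  "CVE-2024-27281" => "1.2.0-112.module_el8.10.0+3871+342e2c2f",
  "CVE-2024-27280" => "1.2.0-112.module_el8.10.0+3871+342e2c2f",
  "CVE-2023-36617" => "1.2.0-112.module_el8.10.0+3871+342e2c2f",
  "CVE-2023-28756" => "1.2.0-111.module_el8.9.0+3635+c6f99506",
  "CVE-2023-28755" => "1.2.0-111.module_el8.9.0+3635+c6f99506",
  "CVE-2021-33621" => "1.2.0-111.module_el8.9.0+3635+c6f99506",
  "CVE-2022-28739" => "1.2.0-111.module_el8.9.0+3635+c6f99506",
  "CVE-2021-41819" => "1.3.0-108.module_el8.5.0+2623+08a8ba32",
  "CVE-2021-41817" => "1.3.0-108.module_el8.5.0+2623+08a8ba32",
  "CVE-2021-43809" => "1.2.0-114.module_el8.10.0+3991+5e651d4e",
  "CVE-2021-32066" => "1.3.0-108.module_el8.5.0+2623+08a8ba32",
  "CVE-2021-31799" => "1.3.0-108.module_el8.5.0+2623+08a8ba32",
  "CVE-2021-31810" => "1.3.0-108.module_el8.5.0+2623+08a8ba32",
  "CVE-2020-36327" => "1.3.0-108.module_el8.5.0+2623+08a8ba32",
  "CVE-2019-19012" => "1.2.0-114.module_el8.10.0+3991+5e651d4e",
}.freeze

# Port of rpmvercmp() from rpm's rpmvercmp.c. Both strings are cut into runs of
# digits or letters (every other character is a separator and is dropped) plus
# the special '~' and '^' markers, then compared run by run. Returns -1, 0 or 1.
def rpmvercmp(a, b)
  return 0 if a == b
  ta = a.scan(/\d+|[A-Za-z]+|~|\^/)
  tb = b.scan(/\d+|[A-Za-z]+|~|\^/)
  until ta.empty? && tb.empty?
    x = ta.first
    y = tb.first
    if x == "~" || y == "~" # '~' sorts before everything, even end of string
      return 1 if x != "~"
      return -1 if y != "~"
      ta.shift
      tb.shift
      next
    end
    if x == "^" || y == "^" # '^' sorts after end of string, before anything else
      return -1 if x.nil?
      return 1 if y.nil?
      return 1 if x != "^"
      return -1 if y != "^"
      ta.shift
      tb.shift
      next
    end
    break if x.nil? || y.nil? # one side ran out of runs; decided after the loop
    x_num = x.match?(/\A\d/)
    y_num = y.match?(/\A\d/)
    return (x_num ? 1 : -1) if x_num != y_num # a numeric run beats an alphabetic one
    if x_num
      x = x.sub(/\A0+/, "") # leading zeros are not significant
      y = y.sub(/\A0+/, "")
      return x.length <=> y.length if x.length != y.length # more digits wins
    end
    c = x <=> y # equal-length numbers, or letters: plain strcmp
    return c unless c.zero?
    ta.shift
    tb.shift
  end
  return 0 if ta.empty? && tb.empty?
  ta.empty? ? -1 : 1 # whichever side still has runs left is newer
end

# Order two "version-release" strings as rpm orders package builds: version
# first, release only as a tie-breaker. Epoch is ignored (none on this page).
def compare_vr(a, b)
  av, ar = a.split("-", 2)
  bv, br = b.split("-", 2)
  c = rpmvercmp(av, bv)
  c.zero? ? rpmvercmp(ar.to_s, br.to_s) : c
end

# CVE ids from +table+ whose fix is newer than +installed+. With
# +same_version_only+ (this example's own safeguard) only entries whose
# upstream gem version matches the installed one are considered, so 1.3.0-*
# fixes from another ruby module stream are not reported against a 1.2.0-* install.
def unfixed_cves(installed, table = FIXED_IN, same_version_only: false)
  iv = installed.split("-", 2).first
  table.select do |_cve, fixed|
    next false if same_version_only && fixed.split("-", 2).first != iv
    compare_vr(installed, fixed) < 0
  end.keys
end

if __FILE__ == $PROGRAM_NAME
  # On a real host read the build with:
  #   rpm -q --qf '%{VERSION}-%{RELEASE}\n' rubygem-did_you_mean
  installed = ARGV.fetch(0, "1.2.0-112.module_el8.10.0+3871+342e2c2f") # constructed sample
  puts "installed: #{installed}"
  unfixed_cves(installed, same_version_only: true).each do |cve|
    puts "unfixed: #{cve} (fixed in #{FIXED_IN[cve]})"
  end
end
```

Run it with the installed version-release as the first argument. Without `same_version_only: true` every 1.3.0-108 entry is reported against a 1.2.0 build simply because 1.2.0 sorts below 1.3.0; check the enabled stream with `dnf module list ruby` before treating those as open findings, since the did_you_mean version in the package name is whatever that stream's Ruby bundles.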