VYPR

rpm package

almalinux/rubygem-pg

pkg:rpm/almalinux/rubygem-pg

Vulnerabilities (44)

  • CVE-2023-36617MedJun 29, 2023
    affected < 1.3.2-1.module_el8.7.0+3304+9392e77ffixed 1.3.2-1.module_el8.7.0+3304+9392e77f

    A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue

  • CVE-2023-28756MedMar 31, 2023
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

  • CVE-2023-28755MedMar 31, 2023
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2

  • CVE-2021-33621HigNov 18, 2022
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

  • CVE-2022-28739HigMay 9, 2022
    affected < 1.2.3-1.module_el8.5.0+2595+0c654ebcfixed 1.2.3-1.module_el8.5.0+2595+0c654ebc

    There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

  • CVE-2022-28738CriMay 9, 2022
    affected < 1.2.3-1.module_el8.5.0+2595+0c654ebcfixed 1.2.3-1.module_el8.5.0+2595+0c654ebc

    A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

  • CVE-2021-41819HigJan 1, 2022
    affected < 1.1.4-1.module_el8.5.0+250+ba22dbf7fixed 1.1.4-1.module_el8.5.0+250+ba22dbf7

    CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

  • CVE-2021-41817HigJan 1, 2022
    affected < 1.1.4-1.module_el8.5.0+250+ba22dbf7fixed 1.1.4-1.module_el8.5.0+250+ba22dbf7

    Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

  • CVE-2021-43809MedDec 8, 2021
    affected < 1.0.0-3.module_el8.9.0+3635+c6f99506fixed 1.0.0-3.module_el8.9.0+3635+c6f99506

    `Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code ins

  • CVE-2021-32066HigAug 1, 2021
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network po

  • CVE-2021-31799HigJul 30, 2021
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

  • CVE-2021-31810MedJul 13, 2021
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that a

  • CVE-2020-36327HigApr 29, 2021
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another

  • CVE-2021-28965HigApr 21, 2021
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

  • CVE-2020-25613HigOct 6, 2020
    affected < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4fixed 1.2.3-1.module_el8.3.0+6147+d0dfc1e4

    An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (w

  • CVE-2019-3881HigSep 4, 2020
    affected < 1.1.4-1.module_el8.5.0+250+ba22dbf7fixed 1.1.4-1.module_el8.5.0+250+ba22dbf7

    Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an a

  • CVE-2020-10933MedMay 4, 2020
    affected < 1.0.0-2.module_el8.5.0+2625+ec418553fixed 1.0.0-2.module_el8.5.0+2625+ec418553

    An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string prov

  • CVE-2020-10663HigApr 28, 2020
    affected < 1.0.0-2.module_el8.5.0+2625+ec418553fixed 1.0.0-2.module_el8.5.0+2625+ec418553

    The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically,

  • CVE-2019-16255HigNov 26, 2019
    affected < 1.0.0-2.module_el8.5.0+2625+ec418553fixed 1.0.0-2.module_el8.5.0+2625+ec418553

    Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.

  • CVE-2019-16254MedNov 26, 2019
    affected < 1.0.0-2.module_el8.5.0+2625+ec418553fixed 1.0.0-2.module_el8.5.0+2625+ec418553

    Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content t