rpm package
suse/ruby2.5&distro=SUSE Linux Enterprise High Performance Computing 15-LTSS
pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2022-28739 | — | < 2.5.9-150000.4.23.1 | 2.5.9-150000.4.23.1 | May 9, 2022 | There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. | ||
| CVE-2021-41817 | — | < 2.5.9-150000.4.23.1 | 2.5.9-150000.4.23.1 | Jan 1, 2022 | Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. | ||
| CVE-2021-32066 | — | < 2.5.9-150000.4.23.1 | 2.5.9-150000.4.23.1 | Aug 1, 2021 | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network po | ||
| CVE-2021-31799 | — | < 2.5.9-150000.4.23.1 | 2.5.9-150000.4.23.1 | Jul 29, 2021 | In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename. | ||
| CVE-2021-31810 | — | < 2.5.9-150000.4.23.1 | 2.5.9-150000.4.23.1 | Jul 13, 2021 | An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that a | ||
| CVE-2020-25613 | — | < 2.5.8-4.14.1 | 2.5.8-4.14.1 | Oct 6, 2020 | An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (w | ||
| CVE-2020-8130 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Feb 24, 2020 | There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`. | ||
| CVE-2019-15845 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Nov 26, 2019 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. | ||
| CVE-2019-16255 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Nov 26, 2019 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. | ||
| CVE-2019-16254 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Nov 26, 2019 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content t | ||
| CVE-2019-16201 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Nov 26, 2019 | WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network. | ||
| CVE-2015-9251 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Jan 18, 2018 | jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. | ||
| CVE-2012-6708 | — | < 2.5.7-4.8.1 | 2.5.7-4.8.1 | Jan 18, 2018 | jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere |
- CVE-2022-28739May 9, 2022affected < 2.5.9-150000.4.23.1fixed 2.5.9-150000.4.23.1
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
- CVE-2021-41817Jan 1, 2022affected < 2.5.9-150000.4.23.1fixed 2.5.9-150000.4.23.1
Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
- CVE-2021-32066Aug 1, 2021affected < 2.5.9-150000.4.23.1fixed 2.5.9-150000.4.23.1
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network po
- CVE-2021-31799Jul 29, 2021affected < 2.5.9-150000.4.23.1fixed 2.5.9-150000.4.23.1
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
- CVE-2021-31810Jul 13, 2021affected < 2.5.9-150000.4.23.1fixed 2.5.9-150000.4.23.1
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes curl extract information about services that a
- CVE-2020-25613Oct 6, 2020affected < 2.5.8-4.14.1fixed 2.5.8-4.14.1
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (w
- CVE-2020-8130Feb 24, 2020affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
- CVE-2019-15845Nov 26, 2019affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
- CVE-2019-16255Nov 26, 2019affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method.
- CVE-2019-16254Nov 26, 2019affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content t
- CVE-2019-16201Nov 26, 2019affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
- CVE-2015-9251Jan 18, 2018affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
- CVE-2012-6708Jan 18, 2018affected < 2.5.7-4.8.1fixed 2.5.7-4.8.1
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere