Search CVE reports
1 – 10 of 51 results
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 has a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities....
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| ruby2.3 | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | — | Not affected |
| ruby2.7 | Not in release | Not in release | Not affected | — |
| ruby3.0 | Not in release | Not affected | — | — |
| ruby3.2 | Not affected | Not in release | — | — |
| ruby3.3 | Not in release | Not in release | — | — |
Some fixes available 8 of 16
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet...
8 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Fixed | — | — |
| ruby3.2 | Fixed | Not in release | — | — |
| ruby3.3 | Not in release | Not in release | — | — |
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| rubygems | Not affected | Not affected | — | — |
Some fixes available 7 of 12
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is...
5 affected packages
ruby-webrick, jruby, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby-webrick | Fixed | Fixed | — | — |
| jruby | Not affected | Not in release | Vulnerable | Vulnerable |
| ruby2.3 | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |
JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1...
1 affected package
jruby-openssl
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| jruby-openssl | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Needs evaluation |
| ruby2.7 | Not in release | Not in release | Needs evaluation | — |
| ruby3.0 | Not in release | Needs evaluation | Not in release | — |
| ruby3.2 | Needs evaluation | Not in release | Not in release | — |
| ruby3.3 | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 8 of 16
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Fixed | Not in release | — |
| ruby3.2 | Fixed | Not in release | Not in release | — |
| ruby3.3 | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 8 of 16
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Fixed | Not in release | — |
| ruby3.2 | Fixed | Not in release | Not in release | — |
| ruby3.3 | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 8 of 16
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Fixed | Not in release | — |
| ruby3.2 | Fixed | Not in release | Not in release | — |
| ruby3.3 | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 8 of 16
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| ruby2.3 | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Fixed | Not in release | — |
| ruby3.2 | Fixed | Not in release | Not in release | — |
| ruby3.3 | Not in release | Not in release | Not in release | — |
Some fixes available 8 of 12
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST...
5 affected packages
ruby-webrick, jruby, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|
| ruby-webrick | Fixed | Fixed | Not in release | — |
| jruby | Not affected | Not in release | Vulnerable | Vulnerable |
| ruby2.3 | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Fixed | — |