Search CVE reports
1 – 10 of 17 results
REXML is an XML toolkit for Ruby. The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be affected by these vulnerabilities....
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
ruby2.3 | Not in release | Not in release | — | — |
ruby2.5 | Not in release | Not in release | — | Needs evaluation |
ruby2.7 | Not in release | Not in release | Needs evaluation | — |
ruby3.0 | Not in release | Needs evaluation | — | — |
ruby3.2 | Needs evaluation | Not in release | — | — |
ruby3.3 | Not in release | Not in release | — | — |
Some fixes available 6 of 13
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet...
8 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | — | — |
ruby2.5 | Not in release | Not in release | — | Fixed |
ruby2.7 | Not in release | Not in release | Fixed | — |
ruby3.0 | Not in release | Fixed | — | — |
ruby3.2 | Fixed | Not in release | — | — |
ruby3.3 | Not in release | Not in release | — | — |
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
rubygems | Not affected | Not affected | — | — |
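The entry above describes a missing bound on the length of a decompressed domain name. The following is an added example, not code from this page or from Ruby's resolv library: a DNS name reader that applies the RFC 1035 limits (63-octet labels, 255-octet names) and only follows compression pointers that move strictly backwards, which rules out both loops and forward references. The sample packets, offsets and limit constants are constructed for the demonstration.

```ruby
MAX_NAME_LEN = 255   # RFC 1035: a name in wire form, root label included

class DnsNameError < StandardError; end

# Reads a (possibly compressed) domain name starting at +offset+ in +packet+.
# Returns [name, offset_of_next_field]; raises DnsNameError on malformed input
# or when the decompressed name would exceed MAX_NAME_LEN octets.
def read_dns_name(packet, offset)
  packet    = packet.b
  labels    = []
  wire_len  = 0        # octets the fully decompressed name would occupy
  pos       = offset
  resume_at = nil      # caller continues here; fixed when the first pointer is taken
  boundary  = offset   # every pointer must target a byte before this position
  loop do
    raise DnsNameError, "name runs past end of packet" if pos >= packet.bytesize
    len = packet.getbyte(pos)
    case len & 0xC0
    when 0xC0 # compression pointer: 14-bit offset into the same message
      raise DnsNameError, "truncated compression pointer" if pos + 1 >= packet.bytesize
      target = ((len & 0x3F) << 8) | packet.getbyte(pos + 1)
      # Strictly decreasing targets terminate; this single check rejects
      # self-references, cycles and forward pointers.
      raise DnsNameError, "compression pointer does not point backwards" if target >= boundary
      resume_at ||= pos + 2
      boundary = target
      pos = target
    when 0x00 # ordinary label; the masked type bits already cap len at 63
      wire_len += len + 1
      raise DnsNameError, "decompressed name exceeds #{MAX_NAME_LEN} octets" if wire_len > MAX_NAME_LEN
      if len.zero?
        resume_at ||= pos + 1
        return [labels.join("."), resume_at]
      end
      raise DnsNameError, "label runs past end of packet" if pos + 1 + len > packet.bytesize
      labels << packet.byteslice(pos + 1, len)
      pos += 1 + len
    else
      raise DnsNameError, "reserved label type 0x#{(len >> 6).to_s(16)}"
    end
  end
end

# Constructed sample response: one question (www.example.com A IN at offset 12)
# and one A record whose owner name is given by +answer_name_bytes+ (offset 33).
def build_dns_packet(answer_name_bytes)
  header   = [0x1234, 0x8180, 1, 1, 0, 0].pack("n6")   # ID, flags, QD=1, AN=1, NS=0, AR=0
  qname    = ["www", "example", "com"].map { |l| [l.bytesize].pack("C") + l }.join + "\x00".b
  question = qname + [1, 1].pack("n2")                   # QTYPE A, QCLASS IN
  answer   = answer_name_bytes + [1, 1, 300, 4].pack("nnNn") + [192, 0, 2, 1].pack("C4")
  (header + question + answer).b
end

SAMPLE_PACKET  = build_dns_packet([0xC00C].pack("n"))  # pointer back to the question name
LOOPING_PACKET = build_dns_packet([0xC021].pack("n"))  # pointer to itself (offset 33)
OVERSIZE_NAME  = (([63].pack("C") + "a" * 63) * 5 + "\x00".b).b  # 5 x 64 = 320 octets

def describe_name(packet, offset)
  name, next_offset = read_dns_name(packet, offset)
  "#{name} (next field at #{next_offset})"
rescue DnsNameError => e
  "rejected: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts describe_name(SAMPLE_PACKET, 12)
  puts describe_name(SAMPLE_PACKET, 33)
  puts describe_name(LOOPING_PACKET, 33)
  puts describe_name(OVERSIZE_NAME, 0)
end
```

The length accumulator counts the name as it would appear uncompressed, so a short pointer chain that expands past 255 octets is rejected even though every individual label is legal.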
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Needs evaluation |
ruby2.7 | Not in release | Not in release | Needs evaluation | — |
ruby3.0 | Not in release | Needs evaluation | Not in release | — |
ruby3.2 | Needs evaluation | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 7 of 14
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Fixed |
ruby2.7 | Not in release | Not in release | Fixed | — |
ruby3.0 | Not in release | Fixed | Not in release | — |
ruby3.2 | Fixed | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
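The URI entry above concerns credentials surviving a host change in URI.join, URI#merge and URI#+. As an added example (not code from this page or from the uri gem), the helper below joins a reference onto a base URL and drops the base's user and password whenever the result is a different origin, so it is safe regardless of which uri version is installed; a second function probes the installed gem for the behaviour the entry describes. The hostnames are constructed for the demonstration.

```ruby
require "uri"

# Joins +ref+ onto +base+; credentials from +base+ are kept only when the
# joined URL still points at the same scheme, host and port.
def safe_join(base, ref)
  base_uri = URI(base)
  joined   = URI.join(base_uri, ref)
  same_origin = base_uri.scheme == joined.scheme &&
                base_uri.host.to_s.casecmp?(joined.host.to_s) &&
                base_uri.port == joined.port
  unless same_origin
    # Clear the password before the user: URI checks a password against
    # the user that is currently set.
    joined.password = nil
    joined.user = nil
  end
  joined
end

# True when the installed uri gem keeps the base's userinfo after a
# network-path reference ("//host/...") changes the host.
def installed_uri_leaks_userinfo?
  leaked = URI.join("https://user:secret@api.example.test/v1/", "//other.example.test/").userinfo
  !leaked.nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "installed uri gem leaks userinfo on host change: #{installed_uri_leaks_userinfo?}"
  puts safe_join("https://user:secret@api.example.test/v1/", "//other.example.test/")
  puts safe_join("https://user:secret@api.example.test/v1/", "items?id=1")
end
```

Absolute references with their own scheme are returned unchanged by URI.join, so the helper only has to act on the relative forms that inherit the base's authority.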
Some fixes available 7 of 14
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Fixed |
ruby2.7 | Not in release | Not in release | Fixed | — |
ruby3.0 | Not in release | Fixed | Not in release | — |
ruby3.2 | Fixed | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Some fixes available 7 of 14
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Fixed |
ruby2.7 | Not in release | Not in release | Fixed | — |
ruby3.0 | Not in release | Fixed | Not in release | — |
ruby3.2 | Fixed | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion...
6 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Not affected |
ruby2.7 | Not in release | Not in release | Not affected | — |
ruby3.0 | Not in release | Not affected | Not in release | — |
ruby3.2 | Fixed | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with...
6 affected packages
ruby3.0, ruby2.3, ruby2.5, ruby2.7, ruby3.2, ruby3.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby3.0 | Not in release | Not affected | Not in release | — |
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Not affected |
ruby2.7 | Not in release | Not in release | Not affected | — |
ruby3.2 | Not affected | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
Some fixes available 7 of 14
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Fixed |
ruby2.7 | Not in release | Not in release | Fixed | — |
ruby3.0 | Not in release | Fixed | Not in release | — |
ruby3.2 | Fixed | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
Some fixes available 5 of 7
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML that has many deep elements that have same local name attributes. If you need to parse untrusted XMLs with tree parser API...
6 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
---|---|---|---|---|
ruby2.3 | Not in release | Not in release | Not in release | — |
ruby2.5 | Not in release | Not in release | Not in release | Needs evaluation |
ruby2.7 | Not in release | Not in release | Fixed | — |
ruby3.0 | Not in release | Fixed | Not in release | — |
ruby3.2 | Fixed | Not in release | Not in release | — |
ruby3.3 | Not in release | Not in release | Not in release | — |
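Several REXML entries on this page (multiple XML declarations in 3.3.3 to 3.4.1, and deep elements with same-named attributes before 3.3.6, which the entry scopes to the tree parser API) concern resource exhaustion while parsing untrusted XML. The following is an added example, not code from this page or from the REXML project: it caps the input size, rejects documents carrying more than one XML declaration before REXML sees them, and walks the document with REXML's stream parser and a listener that bounds nesting depth instead of building a tree. The byte and depth limits and the sample documents are constructed for the demonstration.

```ruby
require "rexml/document"
require "rexml/parsers/streamparser"
require "rexml/streamlistener"

MAX_XML_BYTES = 1_000_000   # assumed limit for this demonstration
MAX_XML_DEPTH = 64          # assumed limit for this demonstration

class UntrustedXmlError < StandardError; end

# Stream listener that builds no tree: it only tracks depth and counts
# elements, so memory use does not grow with the shape of the input.
class BoundedListener
  include REXML::StreamListener
  attr_reader :elements, :max_depth_seen

  def initialize(max_depth)
    @max_depth = max_depth
    @depth = 0
    @elements = 0
    @max_depth_seen = 0
  end

  def tag_start(_name, _attrs)
    @depth += 1
    @elements += 1
    @max_depth_seen = @depth if @depth > @max_depth_seen
    raise UntrustedXmlError, "element nesting deeper than #{@max_depth}" if @depth > @max_depth
  end

  def tag_end(_name)
    @depth -= 1
  end
end

# Scans untrusted XML under explicit limits and returns summary counts.
def scan_untrusted_xml(xml, max_bytes: MAX_XML_BYTES, max_depth: MAX_XML_DEPTH)
  raise UntrustedXmlError, "document larger than #{max_bytes} bytes" if xml.bytesize > max_bytes
  # Conservative pre-check: a well-formed document has at most one XML
  # declaration. The pattern may also hit a literal "<?xml " inside a comment
  # or CDATA section; for untrusted input that false positive is acceptable.
  declarations = xml.scan(/<\?xml\s/).size
  raise UntrustedXmlError, "#{declarations} XML declarations" if declarations > 1
  listener = BoundedListener.new(max_depth)
  REXML::Parsers::StreamParser.new(xml, listener).parse
  { elements: listener.elements, depth: listener.max_depth_seen }
end

def describe_scan(xml, **limits)
  scan_untrusted_xml(xml, **limits).to_s
rescue UntrustedXmlError => e
  "rejected: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts describe_scan(%(<?xml version="1.0"?><root><a x="1"/><a x="2"><b/></a></root>))
  puts describe_scan(%(<?xml version="1.0"?><?xml version="1.0"?><r/>))
  puts describe_scan("<a>" * 70 + "</a>" * 70)
end
```

The depth check raises from inside the listener, so the parser stops at the first element past the limit rather than after consuming the whole document.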