Search CVE reports
11 – 20 of 71 results
Some fixes available 10 of 19
The attack vector is a potential Denial of Service (DoS). The vulnerability is caused by an insufficient check on the length of a decompressed domain name within a DNS packet. An attacker can craft a malicious DNS packet...
8 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Not in release | Fixed | — | — |
| ruby3.2 | Not in release | Fixed | Not in release | — | — |
| ruby3.3 | Fixed | Not in release | Not in release | — | — |
| jruby | Needs evaluation | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| rubygems | Fixed | Not affected | Not affected | — | — |
Some fixes available 8 of 13
Ruby WEBrick read_header HTTP Request Smuggling Vulnerability. This vulnerability allows remote attackers to smuggle arbitrary HTTP requests on affected installations of Ruby WEBrick. This issue is exploitable when the product is...
5 affected packages
ruby-webrick, jruby, ruby2.3, ruby2.5, ruby2.7
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby-webrick | Fixed | Fixed | Fixed | — | — |
| jruby | Not affected | Not affected | Not in release | Vulnerable | Vulnerable |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.5.7, 0.4.20, 0.3.9, and 0.2.5, there is a possibility for denial of service by memory exhaustion when net-imap reads...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Not in release | Needs evaluation |
| ruby2.7 | Not in release | Not in release | Not in release | Ignored | — |
| ruby3.0 | Not in release | Not in release | Needs evaluation | Not in release | — |
| ruby3.2 | Not in release | Needs evaluation | Not in release | Not in release | — |
| ruby3.3 | Needs evaluation | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Needs evaluation | Not in release | Ignored | Needs evaluation |
Some fixes available 9 of 17
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Not in release | Fixed | Not in release | — |
| ruby3.2 | Not in release | Fixed | Not in release | Not in release | — |
| ruby3.3 | Fixed | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Needs evaluation | Not in release | Ignored | Needs evaluation |
Some fixes available 9 of 17
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Needs evaluation | Needs evaluation | Not in release | Ignored | Needs evaluation |
| ruby2.3 | Not in release | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Not in release | Fixed | Not in release | — |
| ruby3.2 | Not in release | Fixed | Not in release | Not in release | — |
| ruby3.3 | Fixed | Not in release | Not in release | Not in release | — |
Some fixes available 9 of 17
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | Not in release | — |
| ruby2.5 | Not in release | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Not in release | Fixed | Not in release | — |
| ruby3.2 | Not in release | Fixed | Not in release | Not in release | — |
| ruby3.3 | Fixed | Not in release | Not in release | Not in release | — |
| jruby | Needs evaluation | Needs evaluation | Not in release | Ignored | Needs evaluation |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion...
6 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2, ruby3.3
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | — | Not in release | Not in release | Not in release | — |
| ruby2.5 | — | Not in release | Not in release | Not in release | Not affected |
| ruby2.7 | — | Not in release | Not in release | Not affected | — |
| ruby3.0 | — | Not in release | Not affected | Not in release | — |
| ruby3.2 | — | Fixed | Not in release | Not in release | — |
| ruby3.3 | — | Not in release | Not in release | Not in release | — |
A vulnerability was found in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with...
6 affected packages
ruby3.0, ruby2.3, ruby2.5, ruby2.7, ruby3.2, ruby3.3
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby3.0 | — | Not in release | Not affected | Not in release | — |
| ruby2.3 | — | Not in release | Not in release | Not in release | — |
| ruby2.5 | — | Not in release | Not in release | Not in release | Not affected |
| ruby2.7 | — | Not in release | Not in release | Not affected | — |
| ruby3.2 | — | Not affected | Not in release | Not in release | — |
| ruby3.3 | — | Not in release | Not in release | Not in release | — |
Some fixes available 8 of 9
REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | — | Not affected | Not in release | Not affected | Not affected |
| ruby2.3 | — | Not in release | Not in release | Not in release | — |
| ruby2.5 | — | Not in release | Not in release | Not in release | Fixed |
| ruby2.7 | — | Not in release | Not in release | Fixed | — |
| ruby3.0 | — | Not in release | Fixed | Not in release | — |
| ruby3.2 | — | Fixed | Not in release | Not in release | — |
| ruby3.3 | — | Not in release | Not in release | Not in release | — |
Some fixes available 9 of 13
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST...
5 affected packages
ruby-webrick, jruby, ruby2.3, ruby2.5, ruby2.7
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby-webrick | Fixed | Fixed | Fixed | Not in release | — |
| jruby | Not affected | Not affected | Not in release | Vulnerable | Vulnerable |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |