| purl | pkg:deb/debian/jruby@9.4.8.0%2Bds-3?distro=trixie |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1cad-uybu-2uau | security update | CVE-2017-17742, GHSA-7p4c-jf2w-hc3w |
| VCID-4eas-fpqk-7ugd | JRuby denial of service via hash collision. JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838. | CVE-2012-5370, GHSA-fmmq-j7pq-f85c, OSV-87864 |
| VCID-5fqj-uwnz-93af | Multiple vulnerabilities have been found in Ruby, the worst of which could lead to the remote execution of arbitrary code. | CVE-2019-15845 |
| VCID-8d7n-bfhu-dkfd | Loop with Unreachable Exit Condition (Infinite Loop). RubyGems contains an infinite-loop vulnerability: a negative size field in a gem package tar header causes an infinite loop. | CVE-2018-1000075, GHSA-74pv-v9gh-h25p |
| VCID-8hm4-c4w4-gfen | Cross-site Scripting. RubyGems contains a Cross Site Scripting (XSS) vulnerability in the gem server's display of the homepage attribute. This attack appears to be exploitable by the victim browsing to a malicious gem on a vulnerable gem server. | CVE-2018-1000078, GHSA-87qx-g5wg-mwmj |
| VCID-9t45-d5mf-3uar | Path Traversal. RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem. | CVE-2018-1000079, GHSA-8qxg-mff5-j3wc |
| VCID-9x9w-2k98-wydm | Ruby Time component ReDoS issue. A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid strings that have specific characters, causing an increase in execution time when parsing strings into Time objects. The fixed versions are 0.1.1 and 0.2.2. | CVE-2023-28756, GHSA-fg7x-g82r-94qc |
| VCID-af1f-xwwy-jfa8 | RubyGems contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. | CVE-2018-1000074, GHSA-qj2w-mw2r-pv39 |
| VCID-ajtx-8w3u-rkae | URI gem ReDoS vulnerability. A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters, increasing execution time when parsing strings into URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. [The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. To stay compatible with the version bundled in older Ruby series, update as follows instead: for Ruby 3.0, update to uri 0.10.3; for Ruby 3.1 and 3.2, update to uri 0.12.2. Run `gem update uri` to update it. If you are using Bundler, add `gem "uri", ">= 0.12.2"` (or the other version mentioned above) to your Gemfile. | CVE-2023-36617, GHSA-hww2-5g85-429m |
| VCID-djpm-b9q2-3qde | XSS in the regular expression engine when processing invalid UTF-8 byte sequences. The regular expression engine in this package, when `$KCODE` is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string. | CVE-2010-1330, GHSA-wmq2-jc9m-xp4m, OSV-77297 |
| VCID-ee8m-jtmh-dfbs | 7PK - Security Features. RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." | CVE-2015-3900, GHSA-wp3j-rvfp-624h, OSV-122162 |
| VCID-f6d8-e8tp-c3am | Multiple vulnerabilities have been found in Ruby, the worst of which could lead to the remote execution of arbitrary code. | CVE-2019-16255, GHSA-ph7w-p94x-9vvw |
| VCID-f7x5-hz5f-hyd3 | Improper Restriction of Operations within the Bounds of a Memory Buffer. An issue was discovered in RubyGems. Since `Gem::CommandManager#run` calls `alert_error` without escaping, escape sequence injection is possible. (There are many ways to cause an error.) | CVE-2019-8325, GHSA-4wm8-fjv7-j774 |
| VCID-ha3g-uyse-wybx | Injection Vulnerability. An issue was discovered in RubyGems. The `gem owner` command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. | CVE-2019-8322, GHSA-mh37-8c3g-3fgc |
| VCID-jkwe-c323-3yez | Argument Injection or Modification. An issue was discovered in RubyGems. Since `Gem::UserInteraction#verbose` calls `say` without escaping, escape sequence injection is possible. | CVE-2019-8321, GHSA-fr32-gr5c-xq5c |
| VCID-kp26-vpgn-k7az | Multiple vulnerabilities have been found in Ruby, the worst of which could lead to the remote execution of arbitrary code. | CVE-2019-16201 |
| VCID-ky5r-bch5-m7dv | Injection Vulnerability. An issue was discovered in RubyGems. `Gem::GemcutterUtilities#with_response` may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. | CVE-2019-8323, GHSA-3h4r-pjv6-cph9 |
| VCID-mamm-cvdr-subf | RubyGems contains an Improper Input Validation vulnerability in the gem specification homepage attribute that can result in a malicious gem being able to set an invalid homepage URL. | CVE-2018-1000077, GHSA-gv86-43rv-79m2 |
| VCID-mgcb-jfts-xkge | A hash collision vulnerability in JRuby allows remote attackers to cause a Denial of Service condition. | CVE-2011-4838, GHSA-cgqc-fqxr-q6r6, OSV-78116 |
| VCID-t78a-dw4s-vqf5 | Path Traversal. A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (`/tmp`, `/usr`, etc.), this could likely lead to data loss or an unusable system. | CVE-2019-8320, GHSA-5x32-c9mf-49cc |
| VCID-t9y5-hd9b-bkc4 | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. | CVE-2021-31810, GHSA-wr95-679j-87v9 |
| VCID-tq93-h2ag-s3bx | Path Traversal. RubyGems contains a Directory Traversal vulnerability in the `install_location` function of `package.rb` that can result in path traversal when writing to a symlinked basedir outside the root. | CVE-2018-1000073, GHSA-gx69-6cp4-hxrj |
| VCID-uxdx-abx7-fkdy | Ruby URI component ReDoS issue. A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters, causing an increase in execution time when parsing strings into URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. | CVE-2023-28755, GHSA-hv5j-3h9f-99c2 |
| VCID-vcz9-dvf4-47am | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. | CVE-2020-25613, GHSA-gwfg-cqmg-cf8f |
| VCID-w4ns-f42m-pyec | RubyGems contains an Improper Verification of Cryptographic Signature vulnerability in `package.rb` that can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. | CVE-2018-1000076, GHSA-mc6j-h948-v2p6 |
| VCID-xgmc-a5rk-zqag | Improper Input Validation. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is evaluated by `ensure_loadable_spec` during the pre-installation check. | CVE-2019-8324, GHSA-76wm-422q-92mq |
| VCID-xkby-43zv-x3f7 | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. | CVE-2021-32066, GHSA-gx49-h5r3-q3xj |
| VCID-y56y-5am7-wkhr | Multiple vulnerabilities have been found in Ruby, the worst of which could lead to the remote execution of arbitrary code. | CVE-2019-16254, GHSA-w9fp-2996-hhwx |
| VCID-zb9m-getz-3keh | Improper Input Validation. RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because of an incomplete fix for CVE-2015-3900. | CVE-2015-4020, GHSA-qv62-xfj6-32xm |