| purl | pkg:deb/debian/ruby2.7@2.7.4-1%2Bdeb11u1?distro=bullseye |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| This package is not known to be affected by vulnerabilities. | | |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-1vp9-6q85-5ffv | Reliance on Cookies without Validation and Integrity Checking in a Security Decision. CGI::Cookie.parse in Ruby mishandles security prefixes in cookie names: the `__Secure-` and `__Host-` prefixes are not enforced, so an attacker can present a spoofed cookie under a prefixed name. This also affects the CGI gem for Ruby. | CVE-2021-41819, GHSA-4vf4-qmvg-mh7h |
| VCID-2sv2-6snv-2bd3 | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. CVE-2022-28739 is a buffer over-read in Ruby's String-to-Float conversion (`Kernel#Float`, `String#to_f`). | CVE-2022-28739, GHSA-mvgc-rxvg-hqc6 |
| VCID-3d14-jf3q-xqbf | ruby: the BasicSocket#read_nonblock method leads to information disclosure (heap exposure in the socket library). | CVE-2020-10933, GHSA-g5hm-28jr-53fh |
| VCID-5mfh-yzfk-cqaa | StringIO buffer overread vulnerability. An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value. StringIO 3.0.3 and later, and Ruby 3.2.x and later, are not affected. We recommend updating the StringIO gem to version 3.0.3 or later. To stay compatible with the version bundled in older Ruby series, you may update as follows instead: for Ruby 3.0 users, update to `stringio` 3.0.1.1; for Ruby 3.1 users, update to `stringio` 3.0.1.2. You can use `gem update stringio` to update it. If you are using bundler, add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`. | CVE-2024-27280, GHSA-v5h6-c2hv-hv3r |
| VCID-9g2w-sc9w-eyce | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. CVE-2021-33621 is HTTP response splitting in the CGI gem: untrusted input reaching a cookie or header value could inject CRLF sequences and thus additional headers or a second response. | CVE-2021-33621, GHSA-vc47-6rqg-c7f5 |
| VCID-9x9w-2k98-wydm | Ruby Time component ReDoS issue. A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid strings that contain specific characters, causing an increase in execution time when parsing strings into Time objects. The fixed versions are 0.1.1 and 0.2.2. | CVE-2023-28756, GHSA-fg7x-g82r-94qc |
| VCID-a1z8-2fdu-1uhd | Arbitrary Code Execution in RDoc. In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via a filename that starts with `\|` and ends with `tags`: RDoc passed the filename to `Kernel#open`, which runs the text after the leading pipe as a shell command. | CVE-2021-31799, GHSA-ggxm-pgc9-g7fp |
| VCID-ajtx-8w3u-rkae | URI gem has ReDoS vulnerability. A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that contain specific characters, causing an increase in execution time when parsing strings into URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. [The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. To stay compatible with the version bundled in older Ruby series, you may update as follows instead: for Ruby 3.0, update to uri 0.10.3; for Ruby 3.1 and 3.2, update to uri 0.12.2. You can use `gem update uri` to update it. If you are using bundler, add `gem "uri", ">= 0.12.2"` (or the other version mentioned above) to your Gemfile. | CVE-2023-36617, GHSA-hww2-5g85-429m |
| VCID-bdar-wgfe-qqgf | REXML round-trip instability. The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. | CVE-2021-28965, GHSA-8cr8-4vfw-mr7h |
| VCID-c5xq-bv4t-73ff | REXML contains a denial of service vulnerability. Impact: the REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML document that has many `>`s in an attribute value. If you need to parse untrusted XML, you may be affected. Patches: REXML 3.2.7 or later includes the fix. Workaround: don't parse untrusted XML. Reference: https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/ | CVE-2024-35176, GHSA-vg3r-rm7w-2xgh |
| VCID-d6tn-s1q2-a3hc | Unsafe object creation in json RubyGem. The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269/GHSA-x457-cw4h-hq5f, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent. | CVE-2020-10663, GHSA-jphg-qwrw-7w9g |
| VCID-exq5-cnrm-3uhd | CGI has Denial of Service (DoS) potential in Cookie.parse. There is a possibility of DoS in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem. Details: `CGI::Cookie.parse` took super-linear time to parse a cookie string in some cases, so feeding a maliciously crafted cookie string into the method could lead to a Denial of Service. Update the CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later. Affected versions: cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1. Credits: thanks to lio346 for discovering this issue, and to mame for fixing it. | CVE-2025-27219, GHSA-gh9q-2xrm-x6qv |
| VCID-gfjn-m9zp-57c5 | Duplicate: this advisory duplicates another (CVE-2021-41816, a buffer overrun in CGI.escape_html). | CVE-2021-41816, GHSA-5cqm-crxm-6qpv, GMS-2021-17 |
| VCID-h4mf-99f4-9bdw | CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement. There is a possibility of ReDoS in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem. Details: the regular expression used in `CGI::Util#escapeElement` is vulnerable to ReDoS; crafted input could lead to high CPU consumption. This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, update the CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later. Affected versions: cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1. Credits: thanks to svalkanov for discovering this issue, and to nobu for fixing it. | CVE-2025-27220, GHSA-mhwm-jh88-3gjf |
| VCID-jdtw-bn8z-e3b6 | REXML denial of service vulnerability. Impact: the REXML gem before 3.3.6 has a DoS vulnerability when it parses an XML document that has many deeply nested elements with same-named local attributes. If you need to parse untrusted XML with the tree parser API (such as `REXML::Document.new`), you may be affected. Other parser APIs such as the stream parser API and the SAX2 parser API are not affected. Patches: REXML 3.3.6 or later includes the fix. Workaround: don't parse untrusted XML with the tree parser API. Reference: https://www.ruby-lang.org/en/news/2024/08/22/dos-rexml-cve-2024-43398/ (announcement on www.ruby-lang.org). | CVE-2024-43398, GHSA-vmwr-mc7x-5vc3 |
| VCID-jgyw-q58q-7qgm | Tempfile on Windows path traversal vulnerability. There is an unintentional directory creation vulnerability in the `tmpdir` library bundled with Ruby on Windows, and an unintentional file creation vulnerability in the `tempfile` library bundled with Ruby on Windows, because it uses `tmpdir` internally. | CVE-2021-28966, GHSA-46f2-3v63-3xrp |
| VCID-m4a8-ya4v-tkgm | RDoc RCE vulnerability with .rdoc_options. An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execution are also possible if the cache was crafted. We recommend updating the RDoc gem to version 6.6.3.1 or later. To stay compatible with the version bundled in older Ruby series, you may update as follows instead: for Ruby 3.0 users, update to `rdoc` 6.3.4.1; for Ruby 3.1 users, update to `rdoc` 6.4.1.1; for Ruby 3.2 users, update to `rdoc` 6.5.1.1. You can use `gem update rdoc` to update it. If you are using bundler, add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have an incorrect fix; upgrade to 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead. | CVE-2024-27281, GHSA-592j-995h-p23j |
| VCID-m6hy-vnf9-hyfe | REXML DoS vulnerability. Impact: the REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML document that has many entity expansions with the SAX2 or pull parser API. If you need to parse untrusted XML with the SAX2 or pull parser API, you may be affected. Patches: REXML 3.3.3 or later includes the fix. Workaround: don't parse untrusted XML with the SAX2 or pull parser API. References: https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ (a similar vulnerability); https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/ (announcement on www.ruby-lang.org). | CVE-2024-41946, GHSA-5866-49gr-22v4 |
| VCID-mkq9-21q7-6kg6 | Regular expression denial of service vulnerability (ReDoS) in date. `Date.parse` in the date gem through 3.2.0 allows ReDoS via a long input string. The fixed versions are 3.2.1, 3.1.2, 3.0.2 and 2.0.1. | CVE-2021-41817, GHSA-qg54-694p-wgpp |
| VCID-msc8-xjz2-2kb4 | REXML ReDoS vulnerability. Impact: the REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML document that has many digits between `&#` and `x...;` in a hex numeric character reference (`&#x...;`). This does not happen with Ruby 3.2 or later; Ruby 3.1 is the only maintained Ruby series affected, and it reaches EOL in March 2025. Patches: REXML 3.3.9 or later includes the fix. Workaround: use Ruby 3.2 or later instead of Ruby 3.1. Reference: https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761/ (announcement on www.ruby-lang.org). | CVE-2024-49761, GHSA-2rxp-v6pw-ch6m |
| VCID-n1ja-n53g-fycm | URI allows userinfo leakage in URI#join, URI#merge, and URI#+. There is a possibility of userinfo leakage in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. Details: the methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host was replaced. When these methods are used to generate a URL to a malicious host from a URL containing secret userinfo, and someone accesses that URL, the userinfo leaks to that host. Update the URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. Affected versions: uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. Credits: thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue, and to nobu for additional fixes. | CVE-2025-27221, GHSA-22h5-pq3x-2gf2 |
| VCID-qu1w-yd76-t7c1 | REXML denial of service vulnerability. Impact: the REXML gem before 3.3.1 has several DoS vulnerabilities when it parses an XML document that contains many specific characters such as `<`, `0` and `%>`. If you need to parse untrusted XML, you may be affected. Patches: REXML 3.3.2 or later includes the fixes. Workaround: don't parse untrusted XML. References: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh (a similar vulnerability); https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/ | CVE-2024-39908, GHSA-4xqq-m2hx-25v8 |
| VCID-qwh3-25yu-qfga | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. CVE-2022-28738 is a double free in Ruby's Regexp compilation, reachable when a regular expression is built from untrusted input. | CVE-2022-28738, GHSA-8pqg-8p79-j5j8 |
| VCID-t9y5-hd9b-bkc4 | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. CVE-2021-31810 concerns Net::FTP trusting the IP address in a server's PASV response, so a malicious FTP server could direct the client's data connection to an arbitrary host. | CVE-2021-31810, GHSA-wr95-679j-87v9 |
| VCID-uxdx-abx7-fkdy | Ruby URI component ReDoS issue. A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that contain specific characters, causing an increase in execution time when parsing strings into URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. | CVE-2023-28755, GHSA-hv5j-3h9f-99c2 |
| VCID-vcz9-dvf4-47am | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. CVE-2020-25613 is an HTTP request smuggling issue in WEBrick, which was too tolerant of invalid Transfer-Encoding headers. | CVE-2020-25613, GHSA-gwfg-cqmg-cf8f |
| VCID-x126-x9qm-e7d3 | ruby: arbitrary memory address read vulnerability with Regex search. | CVE-2024-27282, GHSA-63cq-cj6g-qfr2 |
| VCID-xkby-43zv-x3f7 | Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. CVE-2021-32066 is a StartTLS stripping vulnerability in Net::IMAP: a man-in-the-middle could block the STARTTLS upgrade and keep the session in cleartext. | CVE-2021-32066, GHSA-gx49-h5r3-q3xj |
| VCID-yj1t-rga1-x3ev | REXML DoS vulnerability. Impact: the REXML gem before 3.3.2 has several DoS vulnerabilities when it parses an XML document that contains many specific characters such as whitespace, `>]` and `]>`. If you need to parse untrusted XML, you may be affected. Patches: REXML 3.3.3 or later includes the fixes. Workaround: don't parse untrusted XML. References: https://github.com/ruby/rexml/security/advisories/GHSA-vg3r-rm7w-2xgh (a similar vulnerability); https://github.com/ruby/rexml/security/advisories/GHSA-4xqq-m2hx-25v8 (a similar vulnerability); https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/ (announcement on www.ruby-lang.org). | CVE-2024-41123, GHSA-r55c-59qm-vjw6 |