VulnerableCode Package Details - pkg:deb/debian/ruby2.7@2.7.4-1%2Bdeb11u2?distro=bullseye

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-2sv2-6snv-2bd3	Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.	CVE-2022-28739 GHSA-mvgc-rxvg-hqc6
VCID-5mfh-yzfk-cqaa	StringIO buffer overread vulnerability An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value. This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later. We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.0 users: Update to `stringio` 3.0.1.1 * For Ruby 3.1 users: Update to `stringio` 3.1.0.2 You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.	CVE-2024-27280 GHSA-v5h6-c2hv-hv3r
VCID-9g2w-sc9w-eyce	Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.	CVE-2021-33621 GHSA-vc47-6rqg-c7f5
VCID-9x9w-2k98-wydm	Ruby Time component ReDoS issue A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.	CVE-2023-28756 GHSA-fg7x-g82r-94qc
VCID-ajtx-8w3u-rkae	URI gem has ReDoS vulnerability A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. [The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: - For Ruby 3.0: Update to uri 0.10.3 - For Ruby 3.1 and 3.2: Update to uri 0.12.2. You can use gem update uri to update it. If you are using bundler, please add gem `uri`, `>= 0.12.2` (or other version mentioned above) to your Gemfile.	CVE-2023-36617 GHSA-hww2-5g85-429m
VCID-m4a8-ya4v-tkgm	RDoc RCE vulnerability with .rdoc_options An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache. We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1 * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1 * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1 You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.	CVE-2024-27281 GHSA-592j-995h-p23j
VCID-uxdx-abx7-fkdy	Ruby URI component ReDoS issue A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.	CVE-2023-28755 GHSA-hv5j-3h9f-99c2
VCID-x126-x9qm-e7d3	ruby: Arbitrary memory address read vulnerability with Regex search	CVE-2024-27282 GHSA-63cq-cj6g-qfr2

Vulnerability

Summary

Aliases

VCID-2sv2-6snv-2bd3

Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.

CVE-2022-28739
GHSA-mvgc-rxvg-hqc6

VCID-5mfh-yzfk-cqaa

StringIO buffer overread vulnerability An issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The `ungetbyte` and `ungetc` methods on a StringIO can read past the end of a string, and a subsequent call to `StringIO.gets` may return the memory value. This vulnerability is not affected StringIO 3.0.3 and later, and Ruby 3.2.x and later. We recommend to update the StringIO gem to version 3.0.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.0 users: Update to `stringio` 3.0.1.1 * For Ruby 3.1 users: Update to `stringio` 3.1.0.2 You can use `gem update stringio` to update it. If you are using bundler, please add `gem "stringio", ">= 3.0.1.2"` to your `Gemfile`.

CVE-2024-27280
GHSA-v5h6-c2hv-hv3r

VCID-9g2w-sc9w-eyce

Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code.

CVE-2021-33621
GHSA-vc47-6rqg-c7f5

VCID-9x9w-2k98-wydm

Ruby Time component ReDoS issue A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

CVE-2023-28756
GHSA-fg7x-g82r-94qc

VCID-ajtx-8w3u-rkae

URI gem has ReDoS vulnerability A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version. [The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead: - For Ruby 3.0: Update to uri 0.10.3 - For Ruby 3.1 and 3.2: Update to uri 0.12.2. You can use gem update uri to update it. If you are using bundler, please add gem `uri`, `>= 0.12.2` (or other version mentioned above) to your Gemfile.

CVE-2023-36617
GHSA-hww2-5g85-429m

VCID-m4a8-ya4v-tkgm

RDoc RCE vulnerability with .rdoc_options An issue was discovered in RDoc 6.3.3 through 6.6.2, as distributed in Ruby 3.x through 3.3.0. When parsing `.rdoc_options` (used for configuration in RDoc) as a YAML file, object injection and resultant remote code execution are possible because there are no restrictions on the classes that can be restored. When loading the documentation cache, object injection and resultant remote code execution are also possible if there were a crafted cache. We recommend to update the RDoc gem to version 6.6.3.1 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead: * For Ruby 3.0 users: Update to `rdoc` 6.3.4.1 * For Ruby 3.1 users: Update to `rdoc` 6.4.1.1 * For Ruby 3.2 users: Update to `rdoc` 6.5.1.1 You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. Note: 6.3.4, 6.4.1, 6.5.1 and 6.6.3 have a incorrect fix. We recommend to upgrade 6.3.4.1, 6.4.1.1, 6.5.1.1 and 6.6.3.1 instead of them.

CVE-2024-27281
GHSA-592j-995h-p23j

VCID-uxdx-abx7-fkdy

Ruby URI component ReDoS issue A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

CVE-2023-28755
GHSA-hv5j-3h9f-99c2

VCID-x126-x9qm-e7d3

ruby: Arbitrary memory address read vulnerability with Regex search

CVE-2024-27282
GHSA-63cq-cj6g-qfr2

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:14:09.390682+00:00	Debian Importer	Fixing	VCID-ajtx-8w3u-rkae	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:48:59.558532+00:00	Debian Importer	Fixing	VCID-2sv2-6snv-2bd3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:48:21.970477+00:00	Debian Importer	Fixing	VCID-m4a8-ya4v-tkgm	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:00:21.951018+00:00	Debian Importer	Fixing	VCID-uxdx-abx7-fkdy	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:48:40.013880+00:00	Debian Importer	Fixing	VCID-9x9w-2k98-wydm	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:20:37.739714+00:00	Debian Importer	Fixing	VCID-9g2w-sc9w-eyce	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:11:53.612578+00:00	Debian Importer	Fixing	VCID-x126-x9qm-e7d3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:43:38.136916+00:00	Debian Importer	Fixing	VCID-5mfh-yzfk-cqaa	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:22:12.801138+00:00	Debian Importer	Fixing	VCID-ajtx-8w3u-rkae	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:03:43.408394+00:00	Debian Importer	Fixing	VCID-2sv2-6snv-2bd3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:03:12.465262+00:00	Debian Importer	Fixing	VCID-m4a8-ya4v-tkgm	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:28:10.071794+00:00	Debian Importer	Fixing	VCID-uxdx-abx7-fkdy	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:33:20.178402+00:00	Debian Importer	Fixing	VCID-9x9w-2k98-wydm	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:14:30.908541+00:00	Debian Importer	Fixing	VCID-9g2w-sc9w-eyce	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:09:20.547829+00:00	Debian Importer	Fixing	VCID-x126-x9qm-e7d3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:51:49.993440+00:00	Debian Importer	Fixing	VCID-5mfh-yzfk-cqaa	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:52:24.826795+00:00	Debian Importer	Fixing	VCID-x126-x9qm-e7d3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.806476+00:00	Debian Importer	Fixing	VCID-m4a8-ya4v-tkgm	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.786378+00:00	Debian Importer	Fixing	VCID-5mfh-yzfk-cqaa	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.766247+00:00	Debian Importer	Fixing	VCID-ajtx-8w3u-rkae	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.746264+00:00	Debian Importer	Fixing	VCID-9x9w-2k98-wydm	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.726308+00:00	Debian Importer	Fixing	VCID-uxdx-abx7-fkdy	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.706160+00:00	Debian Importer	Fixing	VCID-2sv2-6snv-2bd3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:24.621660+00:00	Debian Importer	Fixing	VCID-9g2w-sc9w-eyce	https://security-tracker.debian.org/tracker/data/json	38.1.0