Search for packages
Package details: pkg:deb/debian/rubygems@3.3.15-2
purl pkg:deb/debian/rubygems@3.3.15-2
Next non-vulnerable version 3.3.15-2+deb12u1
Latest non-vulnerable version 3.3.15-2+deb12u1
Risk 4.0
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-qfe5-w7ge-skfa
Aliases:
CVE-2023-28755
GHSA-hv5j-3h9f-99c2
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
3.3.15-2+deb12u1
Affected by 0 other vulnerabilities.
VCID-ug6n-hxax-xfgp
Aliases:
CVE-2025-27221
GHSA-22h5-pq3x-2gf2
URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.
3.3.15-2+deb12u1
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (4)
Vulnerability Summary Aliases
VCID-6t9d-2n3y-nbgv insufficient validation CVE-2020-36327
GHSA-fp4w-jxhp-m23p
VCID-hk69-vd9p-wfb3 arbitrary command execution CVE-2021-43809
GHSA-fj7f-vq84-fh43
VCID-qfe5-w7ge-skfa A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. CVE-2023-28755
GHSA-hv5j-3h9f-99c2
VCID-ug6n-hxax-xfgp URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability. CVE-2025-27221
GHSA-22h5-pq3x-2gf2

Date Actor Action Vulnerability Source VulnerableCode Version
2025-07-05T16:11:48.203598+00:00 Debian Oval Importer Fixing VCID-hk69-vd9p-wfb3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-07-05T11:35:36.467677+00:00 Debian Oval Importer Fixing VCID-ug6n-hxax-xfgp https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-07-05T01:41:13.254428+00:00 Debian Oval Importer Fixing VCID-qfe5-w7ge-skfa https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 37.0.0
2025-07-03T18:41:46.856377+00:00 Debian Importer Affected by VCID-qfe5-w7ge-skfa https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-07-03T17:12:28.978543+00:00 Debian Importer Fixing VCID-6t9d-2n3y-nbgv https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-07-03T16:27:36.199987+00:00 Debian Importer Affected by VCID-ug6n-hxax-xfgp https://security-tracker.debian.org/tracker/data/json 37.0.0
2025-07-02T04:46:33.888953+00:00 Debian Oval Importer Fixing VCID-hk69-vd9p-wfb3 https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.1.3
2025-07-02T02:26:42.999723+00:00 Debian Oval Importer Fixing VCID-ug6n-hxax-xfgp https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.1.3
2025-07-01T22:48:55.667016+00:00 Debian Oval Importer Fixing VCID-qfe5-w7ge-skfa https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2 36.1.3
2025-07-01T16:10:14.341166+00:00 Debian Importer Affected by VCID-qfe5-w7ge-skfa https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-07-01T15:53:24.738924+00:00 Debian Importer Fixing VCID-6t9d-2n3y-nbgv https://security-tracker.debian.org/tracker/data/json 36.1.3
2025-07-01T15:32:12.038351+00:00 Debian Importer Affected by VCID-ug6n-hxax-xfgp https://security-tracker.debian.org/tracker/data/json 36.1.3