ruby-lang cgi vulnerabilities and exploits

(subscribe to this query)

The cgi gem prior to 0.1.0.2, 0.2.x prior to 0.2.2, and 0.3.x prior to 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

Ruby-lang Cgi Fedoraproject Fedora 35 Fedoraproject Fedora 36 Fedoraproject Fedora 37 Ruby-lang Ruby

CGI::Cookie.parse in Ruby up to and including 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem up to and including 0.3.0 for Ruby.

Ruby-lang Ruby Ruby-lang Cgi 0.3.0 Ruby-lang Cgi 0.2.0 Ruby-lang Cgi 0.1.0 Redhat Enterprise Linux 8.0 Redhat Software Collections -Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0 Suse Linux Enterprise 12.0 Suse Linux Enterprise 15.0 Suse Linux Enterprise 11.0 Opensuse Factory -Opensuse Leap 15.2 Fedoraproject Fedora 34 Fedoraproject Fedora 35

CGI.escape_html in Ruby prior to 2.7.5 and 3.x prior to 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem prior to 0.3.1 for Ruby.

Ruby-lang Cgi Fedoraproject Fedora 34 Fedoraproject Fedora 35

Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and previous versions, 1.8.5 prior to 1.8.5-p231, 1.8.6 prior to 1.8.6-p230, 1.8.7 prior to 1.8.7-p22, and 1.9.0 prior to 1.9.0-2, when using NTFS or FAT filesystems, allows remote malicious users to read arbitrary CGI fi...

Ruby-lang Ruby 1.8.5 Ruby-lang Ruby 1.8.6 Ruby-lang Ruby

WEBrick::HTTPAuth::DigestAuth in Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Intern...

Ruby-lang Ruby Debian Debian Linux 8.0

2 Github repositories

Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a he...

Ruby-lang Ruby Debian Debian Linux 8.0

Date.parse in the date gem up to and including 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

Ruby-lang Date Ruby-lang Date 3.2.0 Ruby-lang Ruby Redhat Enterprise Linux 7.0 Redhat Enterprise Linux 8.0 Redhat Software Collections -Fedoraproject Fedora 34 Fedoraproject Fedora 35 Debian Debian Linux 9.0 Debian Debian Linux 10.0 Debian Debian Linux 11.0 Suse Linux Enterprise 12.0 Suse Linux Enterprise 15.0 Opensuse Factory -Opensuse Leap 15.2

Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to cal...

Ruby-lang Ruby Debian Debian Linux 8.0 Debian Debian Linux 9.0 Opensuse Leap 15.1 Oracle Graalvm 19.3.0.2

Ruby up to and including 2.4.7, 2.5.x up to and including 2.5.6, and 2.6.x up to and including 2.6.4 mishandles path checking within File.fnmatch functions.

Ruby-lang Ruby Canonical Ubuntu Linux 16.04 Canonical Ubuntu Linux 18.04 Canonical Ubuntu Linux 19.04 Canonical Ubuntu Linux 19.10

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook