Page 3 of 26 results (0.009 seconds)

CVSS: 7.5EPSS: 1%CPEs: 5EXPL: 0

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: versiones 2.5.0 y anteriores, anteriores a la revisión del trunk 62422 contiene un bucle infinito provocado por una vulnerabilidad de tamaño negativo en la cabecera tar del paquete de ruby gem que puede resultar en un tamaño negativo que desemboque en un bucle infinito. La vulnerabilidad parece haber sido solucionada en la versión 2.7.6. • http://blog.rubygems.org/2018/02/15/2.7.6-released.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2020:0542 https://access.redhat.com/errata/RHSA-2020:0591 https://access.redhat.com/errata/RHSA-2020:0663 https& • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVSS: 6.1EPSS: 0%CPEs: 5EXPL: 0

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: versiones 2.5.0 y anteriores, anteriores a la revisión del trunk 62422 contiene una vulnerabilidad de Cross-Site Scripting (XSS) en la visualización del servidor gem del atributo homepage que podría resultar en XSS. El ataque parece ser explotable mediante una víctima que navegue hasta una gema maliciosa en un servidor gem vulnerable. • http://blog.rubygems.org/2018/02/15/2.7.6-released.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2020:0542 https://access.redhat.com/errata/RHSA-2020:0591 https://access.redhat.com/errata/RHSA-2020:0663 https& • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: 2.5.0 y anteriores, anteriores a la revisión del trunk 62422 contiene una vulnerabilidad de salto de directorio en la función install_location de package.rb que puede resultar en un salto de directorio al escribir en un basedir vinculado simbólicamente fuera del root. La vulnerabilidad parece haber sido solucionada en la versión 2.7.6. • http://blog.rubygems.org/2018/02/15/2.7.6-released.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2020:0542 https://access.redhat.com/errata/RHSA-2020:0591 https://access.redhat.com/errata/RHSA-2020:0663 https& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •

CVSS: 5.5EPSS: 1%CPEs: 4EXPL: 0

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. Las versiones de RubyGems de la serie Ruby 2.2: 2.2.9 y anteriores, de la serie Ruby 2.3: 2.3.6 y anteriores, de la serie Ruby 2.4: 2.4.3 y anteriores, y de la serie Ruby 2.5: versiones 2.5.0 y anteriores, anteriores a la revisión del trunk 62422 contiene una vulnerabilidad de salto de directorio en la instalación de gemas que puede resultar en que la gema podría escribir en ubicaciones arbitrarias del sistema de archivos durante la instalación. El ataque parece ser explotable mediante una víctima que instale una gema maliciosa. • http://blog.rubygems.org/2018/02/15/2.7.6-released.html http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html https://access.redhat.com/errata/RHSA-2018:3729 https://access.redhat.com/errata/RHSA-2018:3730 https://access.redhat.com/errata/RHSA-2018:3731 https://access.redhat.com/errata/RHSA-2019:2028 https://access.redhat.com/errata/RHSA-2020:0542 https://access.redhat.com/errata/RHSA-2020:0591 https://access.redhat.com/errata/RHSA-2020:0663 https& • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 9.8EPSS: 13%CPEs: 87EXPL: 0

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. Las versiones de RubyGems entre la 2.0.0 y la 2.6.13 son vulnerables a una posible vulnerabilidad de ejecución remota de código. La deserialización YAML de especificaciones de gemas puede omitir listas blancas de clases. • http://blog.rubygems.org/2017/10/09/2.6.14-released.html http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html http://www.securityfocus.com/bid/101275 https://access.redhat.com/errata/RHSA-2017:3485 https://access.redhat.com/errata/RHSA-2018:0378 https://access.redhat.com/errata/RHSA-2018:0583 https://access.redhat.com/errata/RHSA-2018:0585 https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49 https://hackerone.com/reports/27499 • CWE-20: Improper Input Validation CWE-502: Deserialization of Untrusted Data •