CVE-2016-2338
https://notcve.org/view.php?id=CVE-2016-2338
An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow. Se presenta una vulnerabilidad de desbordamiento de pila explotable en la función Psych::Emitter start_document de Ruby. En la función Psych::Emitter start_document la asignación de "head" del buffer de heap es realizada en base a la longitud del array de etiquetas. • https://github.com/SpiralBL0CK/CVE-2016-2338-nday http://www.talosintelligence.com/reports/TALOS-2016-0032 https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html https://security.netapp.com/advisory/ntap-20221228-0005 • CWE-787: Out-of-bounds Write •
CVE-2019-15845 – ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch?
https://notcve.org/view.php?id=CVE-2019-15845
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. Ruby versiones hasta 2.4.7, versiones 2.5.x hasta 2.5.6 y versiones 2.6.x hasta 2.6.4, maneja inapropiadamente la comprobación de ruta dentro de las funciones File.fnmatch. A flaw was discovered in Ruby in the way certain functions handled strings containing NULL bytes. Specifically, the built-in methods File.fnmatch and its alias File.fnmatch? did not properly handle path patterns containing the NULL byte. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html https://hackerone.com/reports/449617 https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html https://seclists.org/bugtraq/2019/Dec/31 https://seclists.org/bugtraq/2019/Dec/32 https://security.gentoo.org/glsa/202003-06 https://usn.ubuntu.com/4201-1 https://www.debian.org/security/2019/dsa-4587 https://www.oracle.com/security-alerts/cpujan2020.html https://access.redhat.com/security/cve • CWE-41: Improper Resolution of Path Equivalence •
CVE-2011-4121
https://notcve.org/view.php?id=CVE-2011-4121
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism. La extensión OpenSSL de Ruby (Git trunk) versiones posteriores al 01-09-2011 hasta el 03-11-2011, siempre generó un valor de exponente de "1" para ser usado para la generación de claves RSA privadas. Un atacante remoto podría usar este fallo para omitir o dañar la integridad de los servicios, dependiendo de un mecanismo de generación de claves RSA privadas fuerte. • http://www.openwall.com/lists/oss-security/2013/07/01/1 https://access.redhat.com/security/cve/cve-2011-4121 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4121 https://security-tracker.debian.org/tracker/CVE-2011-4121 • CWE-326: Inadequate Encryption Strength •
CVE-2011-3624
https://notcve.org/view.php?id=CVE-2011-3624
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. Varios métodos en WEBrick::HTTPRequest en Ruby versiones 1.9.2 y versiones 1.8.7 y anteriores, no comprueban los encabezados X-Fordered-For, X-Fordered-Host y X-Fordered-Server en las peticiones, lo que podría permitir a los atacantes remotos inyectar texto arbitrario en archivos de registro o omitir el análisis de direcciones previsto por medio de un encabezado diseñado. • https://access.redhat.com/security/cve/cve-2011-3624 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624 https://redmine.ruby-lang.org/issues/5418 https://security-tracker.debian.org/tracker/CVE-2011-3624 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVE-2019-16255 – ruby: Code injection via command argument of Shell#test / Shell#[]
https://notcve.org/view.php?id=CVE-2019-16255
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. Ruby versiones hasta 2.4.7, versiones 2.5.x hasta 2.5.6 y versiones 2.6.x hasta 2.6.4, permite una inyección de código si el primer argumento (también conocido como el argumento "command") para Shell#[] o Shell#test en la biblioteca lib/shell.rb es un dato no seguro. Un atacante puede explotar esto para llamar a un método de Ruby arbitrario. • http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html https://hackerone.com/reports/327512 https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html https://seclists.org/bugtraq/2019/Dec/31 https://seclists.org/bugtraq/2019/Dec/32 https://security • CWE-94: Improper Control of Generation of Code ('Code Injection') •