
CVSS: 5.3 • EPSS: 1% • CPEs: 5 • EXPL: 0

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector but did not address an isolated CR or an isolated LF.
• References:
  http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
  https://hackerone.com/reports/331984
  https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
  https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
  https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
  https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
  https://seclists.org/bugtraq/2019/Dec/31
  https://seclists.org/bugtraq/2019/Dec/32
  https://security
• CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
• CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
• References:
  http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
  https://hackerone.com/reports/661722
  https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
  https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
  https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
  https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
  https://seclists.org/bugtraq/2019/Dec/31
  https://seclists.org/bugtraq/2019/Dec/32
  https://security
• CWE-287: Improper Authentication
• CWE-400: Uncontrolled Resource Consumption

CVSS: 9.8 • EPSS: 14% • CPEs: 1 • EXPL: 2

Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval.
• References:
  https://github.com/tomquinn8/CVE-2011-5331
  https://www.exploit-db.com/exploits/17058

CVSS: 9.8 • EPSS: 14% • CPEs: 1 • EXPL: 1

Distributed Ruby (aka DRuby) 1.8 mishandles the sending of syscalls.
• References:
  https://www.exploit-db.com/exploits/17031

CVSS: 9.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

Rbot Reaction plugin allows command execution.
• References:
  https://security-tracker.debian.org/tracker/CVE-2010-2446
  https://www.securityfocus.com/archive/1/509719/30/0/threaded
• CWE-20: Improper Input Validation