-
-
Notifications
You must be signed in to change notification settings - Fork 218
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
…r ruby (#418)
- Loading branch information
Showing
4 changed files
with
72 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,18 @@ | ||
--- | ||
engine: ruby | ||
cve: 2019-15845 | ||
url: https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/ | ||
title: A NUL injection vulnerability of File.fnmatch and File.fnmatch? | ||
date: 2019-10-01 | ||
description: | | ||
Built-in methods File.fnmatch and its alias File.fnmatch? accept the path | ||
pattern as their first parameter. When the pattern contains NUL character | ||
(\0), the methods recognize that the path pattern ends immediately before the | ||
NUL byte. Therefore, a script that uses an external input as the pattern | ||
argument, an attacker can make it wrongly match a pathname that is the second | ||
parameter. | ||
patched_versions: | ||
- "~> 2.4.8" | ||
- "~> 2.5.7" | ||
- "~> 2.6.5" | ||
- "> 2.7.0-preview1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
--- | ||
engine: ruby | ||
cve: 2019-16201 | ||
url: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/ | ||
title: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication | ||
date: 2019-10-01 | ||
description: | | ||
Regular expression denial of service vulnerability of WEBrick’s Digest | ||
authentication module was found. An attacker can exploit this vulnerability | ||
to cause an effective denial of service against a WEBrick service. | ||
patched_versions: | ||
- "~> 2.4.8" | ||
- "~> 2.5.7" | ||
- "~> 2.6.5" | ||
- "> 2.7.0-preview1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
--- | ||
engine: ruby | ||
cve: 2019-16254 | ||
url: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/ | ||
title: HTTP response splitting in WEBrick (Additional fix) | ||
date: 2019-10-01 | ||
description: | | ||
If a program using WEBrick inserts untrusted input into the response header, | ||
an attacker can exploit it to insert a newline character to split a header, | ||
and inject malicious content to deceive clients. | ||
This is the same issue as CVE-2017-17742. The previous fix was incomplete, | ||
which addressed the CRLF vector, but did not address an isolated CR or an | ||
isolated LF. | ||
patched_versions: | ||
- "~> 2.4.8" | ||
- "~> 2.5.7" | ||
- "~> 2.6.5" | ||
- "> 2.7.0-preview1" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
--- | ||
engine: ruby | ||
cve: 2019-16255 | ||
url: https://www.ruby-lang.org/en/news/2019/10/01/code-injection-shell-test-cve-2019-16255/ | ||
title: A code injection vulnerability of Shell#[] and Shell#test | ||
date: 2019-10-01 | ||
description: | | ||
Shell#[] and its alias Shell#test defined in lib/shell.rb allow code | ||
injection if the first argument (aka the “command” argument) is untrusted | ||
data. An attacker can exploit this to call an arbitrary Ruby method. | ||
Note that passing untrusted data to methods of Shell is dangerous in general. | ||
Users must never do it. However, we treat this particular case as a | ||
vulnerability because the purpose of Shell#[] and Shell#[] is considered file | ||
testing. | ||
patched_versions: | ||
- "~> 2.4.8" | ||
- "~> 2.5.7" | ||
- "~> 2.6.5" | ||
- "> 2.7.0-preview1" |