Search CVE reports
1 – 10 of 94 results
An issue was discovered in Ruby 4 before 4.0.5. A race condition leading to a use-after-free in the pthread-based getaddrinfo timeout handler (rb_getaddrinfo in ext/socket/raddrinfo.c) allows a remote attacker who can delay DNS...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Needs evaluation | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Needs evaluation |
| ruby2.7 | Not in release | Not in release | Not in release | Needs evaluation | — |
| ruby3.0 | Not in release | Not in release | Needs evaluation | — | — |
| ruby3.2 | Not in release | Needs evaluation | Not in release | — | — |
| ruby3.3 | Needs evaluation | Not in release | Not in release | — | — |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments to commands are vulnerable to a CRLF Injection / IMAP Command injection via...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Needs evaluation | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Needs evaluation |
| ruby2.7 | Not in release | Not in release | Not in release | Needs evaluation | — |
| ruby3.0 | Not in release | Not in release | Needs evaluation | — | — |
| ruby3.2 | Not in release | Needs evaluation | Not in release | — | — |
| ruby3.3 | Needs evaluation | Not in release | Not in release | — | — |
Some fixes available (2 of 12)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, several Net::IMAP commands accept a raw string argument that is sent to the server without...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Vulnerable | — |
| ruby3.0 | Not in release | Not in release | Vulnerable | — | — |
| ruby3.2 | Not in release | Vulnerable | Not in release | — | — |
| ruby3.3 | Vulnerable | Not in release | Not in release | — | — |
| jruby | Vulnerable | Vulnerable | Not in release | Vulnerable | Vulnerable |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. From versions 0.4.0 to before 0.4.24, 0.5.0 to before 0.5.14, and 0.6.0 to before 0.6.4, when authenticating a connection with SCRAM-SHA1...
7 affected packages
ruby2.7, ruby3.0, ruby3.2, ruby3.3, jruby...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.7 | Not in release | Not in release | Not in release | Not affected | — |
| ruby3.0 | Not in release | Not in release | Not affected | — | — |
| ruby3.2 | Not in release | Not affected | Not in release | — | — |
| ruby3.3 | Vulnerable | Not in release | Not in release | — | — |
| jruby | Not affected | Not affected | Not in release | Not affected | Not affected |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Not affected |
Some fixes available (2 of 12)
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.3.10, 0.4.24, 0.5.14, and 0.6.4, a man-in-the-middle attacker can cause Net::IMAP#starttls to return "successfully",...
7 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.2...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Vulnerable | — |
| ruby3.0 | Not in release | Not in release | Vulnerable | — | — |
| ruby3.2 | Not in release | Vulnerable | Not in release | — | — |
| ruby3.3 | Vulnerable | Not in release | Not in release | — | — |
| jruby | Vulnerable | Vulnerable | Not in release | Vulnerable | Vulnerable |
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, Net::IMAP::ResponseReader has quadratic time complexity when reading large responses...
7 affected packages
ruby2.7, ruby3.0, ruby3.2, ruby3.3, jruby...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| ruby2.7 | Not in release | Not in release | Not in release | Not affected | — |
| ruby3.0 | Not in release | Not in release | Not affected | — | — |
| ruby3.2 | Not in release | Not affected | Not in release | — | — |
| ruby3.3 | Not affected | Not in release | Not in release | — | — |
| jruby | Not affected | Not affected | Not in release | Not affected | Not affected |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Not affected |
ERB is a templating system for Ruby. Ruby 2.7.0 (before ERB 2.2.0 was published on rubygems.org) introduced an `@_init` instance variable guard in `ERB#result` and `ERB#run` to prevent code execution when an ERB object is...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Needs evaluation | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Needs evaluation |
| ruby2.7 | Not in release | Not in release | Not in release | Needs evaluation | — |
| ruby3.0 | Not in release | Not in release | Needs evaluation | — | — |
| ruby3.2 | Not in release | Needs evaluation | Not in release | — | — |
| ruby3.3 | Needs evaluation | Not in release | Not in release | — | — |
zlib is a Ruby interface for the zlib compression/decompression library. Versions 3.0.0 and below, 3.1.0, 3.1.1, 3.2.0 and 3.2.1 contain a buffer overflow vulnerability in the Zlib::GzipReader. The zstream_buffer_ungets function...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Needs evaluation | Needs evaluation | Not in release | Needs evaluation | Needs evaluation |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Needs evaluation |
| ruby2.7 | Not in release | Not in release | Not in release | Needs evaluation | — |
| ruby3.0 | Not in release | Not in release | Needs evaluation | — | — |
| ruby3.2 | Not in release | Needs evaluation | Not in release | — | — |
| ruby3.3 | Needs evaluation | Not in release | Not in release | — | — |
A flaw was found in REXML. A remote attacker could exploit inefficient regular expression (regex) parsing when processing hex numeric character references (&#x...;) in XML documents. This could lead to a Regular Expression Denial...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Vulnerable | Vulnerable | Not in release | Vulnerable | Vulnerable |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Vulnerable |
| ruby2.7 | Not in release | Not in release | Not in release | Vulnerable | — |
| ruby3.0 | Not in release | Not in release | Vulnerable | — | — |
| ruby3.2 | Not in release | Vulnerable | Not in release | — | — |
| ruby3.3 | Vulnerable | Not in release | Not in release | — | — |
Some fixes available (6 of 9)
URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator...
7 affected packages
jruby, ruby2.3, ruby2.5, ruby2.7, ruby3.0...
| Package | 26.04 LTS | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS |
|---|---|---|---|---|---|
| jruby | Not affected | Not affected | Not in release | Not affected | Not affected |
| ruby2.3 | Not in release | Not in release | Not in release | — | — |
| ruby2.5 | Not in release | Not in release | Not in release | — | Fixed |
| ruby2.7 | Not in release | Not in release | Not in release | Fixed | — |
| ruby3.0 | Not in release | Not in release | Fixed | — | — |
| ruby3.2 | Not in release | Fixed | Not in release | — | — |
| ruby3.3 | Vulnerable | Not in release | Not in release | — | — |