oval:org.secpod.oval:def:1200055
ruby22 is installed

oval:org.secpod.oval:def:1600854
Unsafe object deserialization through YAML formatted gem specifications: A vulnerability was found where the rubygems module was vulnerable to an unsafe YAML deserialization when inspecting a gem. Applications inspecting gem files without installing them can be tricked to execute arbitrary code in th ...

oval:org.secpod.oval:def:1200054
RubyGems provides the ability of a domain to direct clients to a separate host that is used to fetch gems and make API calls against. This mechanism is implemented via DNS, specifically a SRV record _rubygems._tcp under the original requested domain. RubyGems did not validate the hostname returned in ...

oval:org.secpod.oval:def:1600779
SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP: A SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands in a SMTP session ...

oval:org.secpod.oval:def:1600867
Path traversal when writing to a symlinked basedir outside of the root: RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerab ...

oval:org.secpod.oval:def:1600341
DL::dlopen could open a library with tainted library name even if $SAFE

oval:org.secpod.oval:def:1200087
As discussed in an upstream announcement, Ruby's OpenSSL extension suffers a vulnerability through overly permissive matching of hostnames, which can lead to similar bugs such as CVE-2014-1492.