Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[GR-19691] Update the Known CVEs document #3588

Merged
merged 2 commits into from
Jun 12, 2024
Merged

[GR-19691] Update the Known CVEs document #3588

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
779e710
Add missing entries to the Known CVEs document
andrykonchin May 31, 2024
f109aea
Fix the Known CVEs document and remove wrong link to a test for CVE-2…
andrykonchin May 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 5 additions & 1 deletion doc/user/known-cves.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,8 +19,9 @@ Cross-reference with the details on [the MRI website](https://www.ruby-lang.org/

Number | Description | Their Mitigation | Test | Our Mitigation
--- | --- | --- | --- | ---
CVE-2024-35176 | DoS in REXML | [Fix](https://github.com/ruby/rexml/pull/126/commits/ba70cfefadf7e79885fe08228d1df4c0549ad0f8) | [Test](https://github.com/ruby/rexml/pull/126/commits/ba70cfefadf7e79885fe08228d1df4c0549ad0f8) | [same mitigation as CRuby](https://www.ruby-lang.org/en/news/2024/05/16/dos-rexml-cve-2024-35176/), users must update rexml to 3.2.7+ if they use it
CVE-2024-27282 | Arbitrary memory address read vulnerability with Regex search | [Fix](https://github.com/ruby/ruby/commit/989a2355808a63fc45367785c82ffd46d18c900a) | | Not applicable thanks to Java semantics
CVE-2024-27281 | RCE vulnerability with .rdoc_options in RDoc | [Fix](https://github.com/ruby/rdoc/compare/v6.3.3...v6.3.4.1) | [Test](https://github.com/ruby/rdoc/commit/60a6d74ebdbb7d585e379526e5639932fdca2904) | Not applicable because TruffleRuby does not generate rdoc on gem install
CVE-2024-27281 | RCE vulnerability with .rdoc_options in RDoc | [Fix](https://github.com/ruby/rdoc/compare/v6.3.3...v6.3.4.1) | | Not applicable because TruffleRuby does not generate rdoc on gem install
CVE-2024-27280 | Buffer overread vulnerability in StringIO | [Fix](https://github.com/ruby/stringio/compare/v3.0.1...v3.0.1.1) | [Test](https://github.com/ruby/stringio/commit/c58c5f54f1eab99665ea6a161d29ff6a7490afc8) | Not applicable, we use the Ruby implementation of StringIO
CVE-2023-36617 | ReDoS vulnerability in URI | [Fix](https://github.com/ruby/uri/compare/v0.12.1...v0.12.2) | [Test](https://github.com/ruby/uri/compare/v0.12.1...v0.12.2) | Not applicable thanks to TRegex
CVE-2023-28756 | ReDoS vulnerability in Time | [Fix](https://github.com/ruby/time/compare/v0.2.1...v0.2.2) | [Test](https://github.com/ruby/time/commit/c9b92a6e21f432528bddf65fbd132db3487d07bf) | Not applicable thanks to TRegex
Expand All @@ -35,6 +36,8 @@ CVE-2021-31810 | Trusting FTP PASV responses vulnerability in Net::FTP | [Fix](h
CVE-2021-32066 | A StartTLS stripping vulnerability in Net::IMAP | [Fix](https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a) | [Test](https://github.com/ruby/ruby/commit/a21a3b7d23704a01d34bd79d09dc37897e00922a) | Same
CVE-2021-31799 | A command injection vulnerability in RDoc | [Fix](https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7) [Backport](https://github.com/ruby/ruby/commit/483f303d02e768b69e476e0b9be4ab2f26389522) | [Test](https://github.com/ruby/rdoc/commit/a7f5d6ab88632b3b482fe10611382ff73d14eed7) | Same
CVE-2021-28966 | Path traversal in Tempfile on Windows | Sanitization of paths in tmpdir.rb | In `test/mri/tests/test_tmpdir.rb` | Sanitization of paths in tmpdir.rb
CVE-2020-25613 | Potential HTTP Request Smuggling Vulnerability in WEBrick | [Fix](https://github.com/ruby/webrick/commit/076ac636bf48b7a492887ce4de7041de23e6c00d) | | WEBrick no longer shipped in stdlib
CVE-2020-10933 | Heap exposure vulnerability in the socket library | [Fix](https://github.com/ruby/ruby/commit/61b7f86248bd121be2e83768be71ef289e8e5b90) | | Not applicable thanks to Java semantics
CVE-2021-28965 | XML round-trip vulnerability in REXML | Update to REXML 3.2.5 | In ruby/rexml | Update to REXML 3.2.5
CVE-2020-10663 | Unsafe Object Creation Vulnerability in JSON (Additional fix) | [Fix](https://bugs.ruby-lang.org/issues/16698) | [Spec](https://github.com/ruby/spec/pull/764) | The pure Ruby version of JSON we use is safe
CVE-2019-16255 | A code injection vulnerability of Shell#[] and Shell#test | [Fix](https://github.com/ruby/ruby/commit/d6adc68dc9c74a33b3ca012af171e2d59f0dea10) | MRI test | Same
Expand All @@ -49,6 +52,7 @@ CVE-2019-8322 | Escape sequence injection in `gem owner` | Sanitise message | Te
CVE-2019-8323 | Escape sequence injection vulnerability in API response handling | Sanitise message | Tested in `ruby/spec` `:security` | Applied the same patch
CVE-2019-8324 | Installing a malicious gem may lead to arbitrary code execution | Verifying gems before pre-install checks | Tested in MRI `test/rubygems/test_gem_installer.rb` | Applied the same patch
CVE-2019-8325 | Escape sequence injection in errors | Sanitise error messages | Tested in `ruby/spec` `:security` | Applied the same patch
None | Multiple vulnerabilities in RubyGems | | | Applied the same patch
CVE-2018-16395 | `OpenSSL::X509::Name` equality check does not work correctly | | |
CVE-2018-16396 | Tainted flags are not propagated in `Array#pack` and `String#unpack` with some directives | Additional taint operations | Tested in `ruby/spec` `:security` | Additional taint operations
CVE-2018-6914 | Unintentional file and directory creation with directory traversal in `tempfile` and `tmpdir` | Sanitization of paths | Tested in `ruby/spec` `:security` | Sanitization of paths
Expand Down
Loading