Advisories

Feb 2014
Jan 2014

Marked multiple content injection vulnerabilities

Marked comes with an option to sanitize user output to help protect against content injection attacks. sanitize: true Even if this option is set, marked is vulnerable to content injection in multiple locations if untrusted user input is allowed to be provided into marked and that output is passed to the browser. Injection is possible in two locations - gfm codeblocks (language) - javascript url's

XML External Entity (XXE) injection

This package does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Improper Restriction of XML External Entity Reference

The Spring OXM wrapper when using the JAXB marshaller, does not disable entity resolution, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via an XML external entity declaration in conjunction with an entity reference in a (1) DOMSource, (2) StAXSource, (3) SAXSource, or (4) StreamSource, aka an XML External Entity (XXE) issue.

Uncontrolled Resource Consumption

libxml2 does not properly handle external entities expansion unless an application developer uses the xmlSAX2ResolveEntity or xmlSetExternalEntityLoader function, which allows remote attackers to cause a denial of service (resource consumption), send HTTP requests to intranet servers, or read arbitrary files via a crafted XML document, aka an XML External Entity (XXE) issue.

Possible XSS

The org.spring.web.util.JavaScriptUtils.javaScriptEscape method insufficiently escaped some characters. Applications using this method to escape user-supplied content that will be rendered in HTML 5 documents may expose cross-site scripting (XSS) flaws.

Uncontrolled Resource Consumption

The png_do_expand_palette function in libpng allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via (1) a PLTE chunk of zero bytes or (2) a NULL palette, related to pngrtran.c and pngset.c.

Incorrect temporary file usage

The passenger ruby gem, when used in standalone mode, does not use temporary files securely. If a local attacker were able to create a temporary directory that passenger uses and supply a custom nginx configuration file they could start a nginx instance with their own configuration file.

Known Session Secret

In config/initialiers/secret_token.rb a static secret token is defined, with the knowledge of this token an attacker is able to execute arbitrary Ruby code server side.

Dec 2013

Arbitrary Command Execution

The package flukso4r contains a flaw in /lib/flukso/R.rb that is due to the application failing to properly validate user-supplied input. This may allow a context-dependent attacker to execute arbitrary commands.

Cross-site Scripting

Cross-site scripting (XSS) vulnerability in the errorAction method in the ActionController base class in TYPO3 Flow (formerly FLOW3) allows remote attackers to inject arbitrary web script or HTML via unspecified input, which is returned in an error message.

Command injection vulnerability

The unpack_zip function in archive_unpacker.rb in the sprout gem for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename or path.

XML eXternal Entity (XXE) flaw in DocumentAnalysisRequestHandler

The DocumentAnalysisRequestHandler in this package does not properly use the EmptyEntityResolver, which allows remote attackers to have an unspecified impact via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-6407.

Path Traversal

Directory traversal vulnerability in SolrResourceLoader in Apache Solr allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT.

Improper Input Validation

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.

Directory traversal when loading XSL stylesheets and Velocity templates

Directory traversal vulnerability in SolrResourceLoader in this package allows remote attackers to read arbitrary files via a .. (dot dot) or full pathname in the tr parameter to solr/select/, when the response writer (wt parameter) is set to XSLT. NOTE: this can be leveraged using a separate XXE (XML eXternal Entity) vulnerability to allow access to files across restricted network boundaries.

XSS Vulnerability in simple_format helper

The simple_format helper converts user supplied text into html text which is intended to be safe for display. A change made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly. As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.

Reflective XSS Vulnerability

There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.

Reflective XSS Vulnerability

When a translation is missing, the HTML exception message raised does not escape the keys. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.

Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)

Due to the way that Rack::Request and Rails::Request interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries …

Denial of Service Vulnerability in Action View

There is a denial of service vulnerability in the header handling component of Action View. Strings sent in specially crafted headers will be cached indefinitely. This can cause the cache to grow infinitely, which will eventually consume all memory on the target machine, causing a denial of service.

Nov 2013

Recursive Interpolation Vulnerability

Due to the method of variable interpolation in Cocaine to, an attacker may be able to inject hostile commands into a command line via a crafted hash object which are not properly escaped. The impact is lessened on Ruby * because hashed are not ordered by default, and so an attacker must rely on luck for the attack to work. An attack of this sort cannot take place if there …

Permission Issues

The LDAP backend in OpenStack Identity (Keystone) Grizzly and Havana, when removing a role on a tenant for a user who does not have that role, adds the role to the user, which allows local users to gain privileges.

Oct 2013

Improper Access Control

When the download_image policy is configured, does not properly restrict access to cached images, which allows remote authenticated users to read otherwise restricted images via an image UUID.

Cryptographic Issues

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

Cryptographic Issues

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

Possible DoS Vulnerability

A carefully crafted email address in conjunction with the Action Mailer logger format string could take advantage of a bug in Ruby's sprintf implementation and possibly lead to a denial of service attack. Impacted Ruby code will look something like this: "some string #{user_input}" % some_number

Remote Command Injection

Some code does not sanitize user supplied input before passing it to the System() function for execution. If this API is used in the context of a RoR application remote commands can be injected into the shell if the user supplies shell meta characters like ; and &.

Uncontrolled Resource Consumption

Algorithmic complexity vulnerability in the ssl.match_hostname function and unspecified versions of python-backports-ssl_match_hostname as used for older Python versions, allows remote attackers to cause a denial of service (CPU consumption) via multiple wildcard characters in the common name in a certificate.

Sep 2013

MAC Bypass in Symmetric Encryption

The authenticated-encryption feature in the symmetric-encryption implementation in the this package does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Cross-site Scripting

This package is vulnerable to Cross-site Scripting (XSS). Strings parsed from the anchor in the address bar were not sanitized, allowing for arbitrary HTML to be embedded into the page.

/tmp file injection vulnerability

A malicious user creating /tmp/out.html first and repeatedly writing to it can inject malicious html into the file right before it is opened. PoC: nobody () sp0rk:/$ while (true); do echo " alert('Hello'); " >> /tmp/out.html; done Will pop up a javascript alert in other gem users browser.

Aug 2013

Passwordless login

Users are able to log themselves in with a blank password, even for users who are NOT currently in the users table (ie have never previously logged in).

Code Injection

Race condition in hawtjni-runtime/src/main/java/org/fusesource/hawtjni/runtime/Library.java allows local users to execute arbitrary Java code by overwriting a temporary JAR file with a predictable name in /tmp.

Improper Restriction of XML External Entity Reference

Auth/Yadis/XML.php in PHP OpenID allows remote attackers to read arbitrary files, send HTTP requests to intranet servers, or cause a denial of service (CPU and memory consumption) via XRDS data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

XML signature spoofing

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in this package allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

Cryptographic Issues

Attackers could spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature.

XSS in admin interface

The Django administrative application, django.contrib.admin, consider value of a URLField to be safe. Thus, when displaying it, Django does not escape it allowing an attacker to perform XSS in the administrative interface.

CSRF token fixation attacks

Devise has been reported to be vulnerable to CSRF token fixation attacks. The attack can only be exploited if the attacker can set the target session, either by subdomain cookies or by fixation over the same Wi-Fi network. If the user knows the CSRF token, cross-site forgery requests can be made.

Jul 2013

XSS via .swf files

In the vulnerable versions, the uploader.swf and io.swf utilities contain a vulnerability allowing cross-site scripting through the .swf files used in these components. Through a url accessing these files, and attacker can inject script in the context of these files, potentially exposing cookies or other sensitive information. The vulnerability resurfaced in v0.10.2, but only with io.swf.

Uncontrolled Resource Consumption

wsf/common/DOMUtils.java does not properly handle recursion during entity expansion, which allows remote attackers to cause a denial of service (memory and CPU consumption) via a crafted request containing an XML document with a DOCTYPE declaration and a large number of nested entity references, a similar issue to CVE-2003-1564.

Potential XSS Exploit When Binding tagName to User-Supplied Data

In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, the tagName property of an Ember.View was inserted into such a string without being sanitized. This means that if an application assigns a view's tagName to user-supplied data, a specially-crafted payload could execute arbitrary JavaScript in the context of the current domain ("XSS"). This vulnerability only affects applications that …

Code Injection

Apache Struts 2 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Remote arbitrary code execution

The BrokerFactory functionalitycreates local executable JSP files containing logging trace data produced during deserialization of certain crafted OpenJPA objects, which makes it easier for remote attackers to execute arbitrary code by creating a serialized object and leveraging improperly secured server programs.

Jun 2013

Symbol Creation Remote DoS

The package enum_column3 for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.

May 2013
Apr 2013

Use After Free

Multiple use-after-free vulnerabilities in libxml2 and possibly other versions might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to the (1) htmlParseChunk and (2) xmldecl_done functions, as demonstrated by a buffer overflow in the xmlBufGetInputBase function.

Remote Command Injection

User supplied input isn't sanitized against shell metacharacters and is fed directly to the shell. If the user is tricked into extracting a file with shell characters, arbitrary code can be executed remotely.

Ruby Agent Sensitive Information Disclosure

A bug in the Ruby agent causes database connection information and raw SQL statements to be transmitted to New Relic servers. The database connection information includes the database IP address, username, and password. The information is not stored or retransmitted by New Relic and is immediately discarded.

Remote code execution

Specially crafted URLs can result in remote code execution if the URL contains shell metacharacters. This is due to the fact that the url is passed directly to the shell in the code thumbshooter.rb create method.

CSRF vulnerability, injecting state in session

The package omniauth-oauth2 for Ruby contains a flaw related to omniauth.state that allows a remote attacker to conduct a session injection attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session …

Mar 2013

Symbol DoS vulnerability in Active Record

When a hash is provided as the find value for a query, the keys of the hash may be converted to symbols. Carefully crafted requests can coerce params[:name] to return a hash, and the keys to that hash may be converted to symbols. All users running an affected release should either upgrade or use one of the work arounds immediately.

Improper Input Validation

The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.

Authenticated administrators to execute arbitrary commands

Spree Commerce allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.

XSS exploit of RDoc documentation generated by rdoc

This exploit may lead to cookie disclosure to third parties. The exploit exists in darkfish.js which is copied from the RDoc install location to the generated documentation. RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit.

Uncontrolled Resource Consumption

lib/rack/multipart.rb in Rack uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

Incorrect temporary file usage

The ruby_parser Gem does not create temporary files securely. In the diff_pp function contained in lib/gauntlet_rubyparser.rb function, it creates files as /tmp/a.[pid] and /tmp/b.[pid] which can be predicted and used for either a denial of service (file cannot be overwritten), or to change the contents of files that are writable.

Feb 2013

Remote command execution

The ls interface can have commands injected into it if option or filename contain the shell character. This vulnerability requires that the file having commands injected in to it be in the Current Working Directory (CWD).

SQL Injection

ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the sql.gsub() function in lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before using it in SQL queries. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Man-in-the-Middle

This package is vulnerable to Man-in-the-middle (MitM) attacks due to attacks due to downloading gems over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.

Man-in-the-Middle

This package is vulnerable to Man-in-the-middle (MitM) attacks due to attacks due to downloading gems over an insecure protocol. Without a secure connection, it is possible for an attacker to intercept this connection and alter the packages received. In serious cases, this may even lead to Remote Code Execution (RCE) on your host server.

Denial of Service and Unsafe Object Creation Vulnerability

When parsing certain JSON documents, the JSON gem can be coerced in to creating Ruby symbols in a target system. Since Ruby symbols are not garbage collected, this can result in a denial of service attack. The same technique can be used to create objects in a target system that act like internal objects. These "act alike" objects can be used to bypass certain security mechanisms and can be used …

Denial of Service and SQL Injection

This package allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka.

Circumvention of attr_protected

The attr_protected method allows developers to exclude model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.

Circumvention of attr_protected

The attr_protected method allows developers to specify a denylist of model attributes which users should not be allowed to assign to. By using a specially crafted request, attackers could circumvent this protection and alter values that were meant to be protected.

Symlink path traversal in Rack::File

Affected versions allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

Jan 2013

Unsafe Query Generation Risk in Ruby on Rails

Due to the way Active Record interprets parameters in combination with the way that JSON parameters are parsed, it is possible for an attacker to issue unexpected database queries with "IS NULL" or empty where clauses. This issue does not let an attacker insert arbitrary values into an SQL query, however they can cause the query to check for NULL or eliminate a WHERE clause when most users wouldn't expect …

Remote attacker can conduct SQL injection attacks

Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered when the program makes an unsafe method call for find_by_id. With a specially crafted parameter in an environment that knows the secret_token value in secret_token.rb, a remote attacker to more easily conduct SQL injection attacks.

Dec 2012

Improper Access Control

Symfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.

Improper Access Control

Symfony does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string.

Code Injection

Symfony, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring.

access_token Disclosure CSRF

Doorkeeper contains a flaw as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to disclose their access_token with an arbitrary scope.

Uncontrolled Resource Consumption

libxml2 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.

EL expressions double evaluation

When a container supports Expression Language (EL), this package evaluates EL expressions in tags twice, which allows remote attackers to obtain sensitive information via a name attribute in a spring:hasBindErrors tag; path attribute in a spring:bind or spring:nestedpath tag; arguments, code, text, var, scope, or message attribute in a spring:message or spring:theme tag; or var, scope, or value attribute in a spring:transform tag, aka Expression Language Injection.

Nov 2012

Improper Input Validation

Apache Libcloud uses an incorrect regular expression during verification of whether the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate.

Sep 2012

CSRF protection bypass

The token check mechanism in this package does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.

Aug 2012

Uncontrolled Resource Consumption

libxml2, as used in Google Chrome, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.

XSS Vulnerability in strip_tags

There is an XSS vulnerability in the strip_tags helper in Ruby on Rails, the helper does not correctly handle malformed html. As a result, an attacker can execute arbitrary javascript through the use of specially crafted malformed html. All users who rely on strip_tags for XSS protection should upgrade or use the work around immediately.

Potential XSS Vulnerability in Ruby on Rails

The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable, however all users running an affected release should still upgrade.

Jul 2012

Stack-based buffer overflow

Off-by-one error in the png_formatted_warning function in pngerror.c in libpng might allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via unspecified vectors, which trigger a stack-based buffer overflow.

Jun 2012

SQL Injection

Ruby on Rails contains a flaw related to the way ActiveRecord handles parameters in conjunction with the way Rack parses query parameters. This issue may allow an attacker to inject arbitrary IS NULL clauses in to application SQL queries. This may also allow an attacker to have the SQL query check for NULL in arbitrary places.

May 2012
Apr 2012

Insecure randomness

Because socket.io depends on Math.random() to create socket IDs, the IDs are predictable. An attacker is able to guess the socket ID and gain access to socket.io servers, potentially obtaining sensitive information.

Denial of Service

When using digest authentication with a wrong password, requests will retry the request for infinity. This makes the package vulnerable to Denial of Service (DoS).

Credentials Management Errors

Spree does not properly restrict the use of a hash to provide values for a model's attributes, which allows remote attackers to set the Order state value and bypass the intended payment step via a modified URL, related to a "mass assignment" vulnerability.

Credentials Management Errors

The session cookie store implementation in Spree uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.

Mar 2012

Integer Overflow or Wraparound

Integer signedness error in the png_inflate function in pngrutil.c in libpng beta01, as used in Google Chrome and other products, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file, a different vulnerability than CVE-2011-3026.

XSS via posted select tag options

Ruby on Rails is vulnerable to remote cross-site scripting because the application does not validate manually generated select tag options upon submission to actionpack/lib/action_view/helpers/form_options_helper.rb. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Direct Manipulation XSS

Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of SafeBuffer objects via '[]' and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Feb 2012

Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in Apache Struts allow remote attackers to inject arbitrary web script or HTML via (1) the name parameter to struts-examples/upload/upload-submit.do, or the message parameter to (2) struts-cookbook/processSimple.do or (3) struts-cookbook/processDyna.do.

Jan 2012
Dec 2011

Information Exposure

This package is vulnerable to Information Exposure. Permissions on a file were set only after writing a files content, which gives the attackers a window to obtain the file content.

Hash Collision Form Parameter Parsing Remote DoS

This package contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption.

Nov 2011
Oct 2011

Code Injection

PHP remote file inclusion vulnerability in dompdf.php in dompdf allows remote attackers to execute arbitrary PHP code via a URL in the input_file parameter.

Sep 2011

SQL Injection in doctrine orm

Multiple SQL injection vulnerabilities in the Doctrine\DBAL\Platforms\AbstractPlatform::modifyLimitQuery function in Doctrine 1.x before 1.2.4 and 2.x before 2.0.3 allow remote attackers to execute arbitrary SQL commands via the (1) limit or (2) offset field.

Integer Overflow

Integer overflow in xpath.c in libxml2, and libxml, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted XML file that triggers a heap-based buffer overflow when adding a new namespace node, related to handling of XPath expressions.

Windows Shell Escaping Weakness

The gem contains a flaw that is due to the program failing to properly escape a shell that contains injected characters. This may allow a context-dependent attacker to potentially execute arbitrary commands.

Aug 2011
Jul 2011

Out-of-bounds Read

The png_format_buffer function in pngerror.c in libpng allows remote attackers to cause a denial of service (application crash) via a crafted PNG image that triggers an out-of-bounds read during the copying of error-message data. NOTE: this vulnerability exists because of a CVE-2004-0421 regression. NOTE: this is called an off-by-one error by some sources.

NULL Pointer Dereference

The png_err function in pngerror.c in libpng makes a function call using a NULL pointer argument instead of an empty-string argument, which allows remote attackers to cause a denial of service (application crash) via a crafted PNG image.

Jun 2011
May 2011
Feb 2011

Improper Input Validation

The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.

Jan 2011

Improper Restriction of Operations within the Bounds of a Memory Buffer

pngrtran.c in libpng allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted palette-based PNG image that triggers a buffer overflow, related to the png_do_expand_palette function, the png_do_rgb_to_gray function, and an integer underflow. NOTE: some of these details are obtained from third party information.

Dec 2010

Double Free

Double free vulnerability in libxml2 and other versions, as used in Google Chrome and other products, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to XPath handling.

Nov 2010

Exposure of Sensitive Information to an Unauthorized Actor

Spree exchanges data using JavaScript Object Notation (JSON) without a mechanism for validating requests, which allows remote attackers to obtain sensitive information via vectors involving (1) admin/products.json, (2) admin/users.json, or (3) admin/overview/get_report_data, related to a "JSON hijacking" issue.

Cross-site Scripting

Multiple cross-site scripting (XSS) vulnerabilities in HTML Purifier allow remote attackers to inject arbitrary web script or HTML via a crafted (1) background-image, (2) background, or (3) font-family Cascading Style Sheets (CSS) property, a different vulnerability than CVE-2010-2479.

Oct 2010
Aug 2010

XWork ParameterInterceptors bypass allows remote command execution

The OGNL extensive expression evaluation capability in this package as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive allowlist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the #context, #_memberAccess, #root, #this, #_typeResolver, #_classResolver, #_traceEvaluations, #_lastEvaluation, #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504.

Weak password hash generation

The password hash generation algorithm in this package performs a transformation that reduces the size of the set of inputs to SHA-1, which produces a small search space that makes it easier for local and possibly remote attackers to crack passwords by generating hash collisions, related to password substitution.

Jul 2010
Jun 2010
Apr 2010
Mar 2010

Uncontrolled Resource Consumption

The png_decompress_chunk function in pngrutil.c in libpng does not properly handle compressed ancillary-chunk data that has a disproportionately large uncompressed representation, which allows remote attackers to cause a denial of service (memory and CPU consumption, and application hang) via a crafted PNG file, as demonstrated by use of the deflate compression method on data composed of many occurrences of the same character, related to a "decompression bomb" attack.

Feb 2010

Bug reduced the entropy of hashed passwords containing non US-ASCII characters

This package suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters. An incorrect encoding step transparently replaced such characters by '?' prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length. This issue only affects the JRuby …

Jan 2010
Dec 2009

Fails to do proper certificate validation

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.

Aug 2009
Jul 2009
Apr 2009
Mar 2009
Feb 2009
Jan 2009
Oct 2008
Aug 2008

Remote code execution and potential Denial of Service Vulnerability

Activeresource contains a format string flaw in the request function of lib/active_resource/connection.rb. The issue is triggered as format string specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input when passed via the result.code and result.message variables. This may allow a remote attacker to cause a denial of service or potentially execute arbitrary code.

Nov 2007

Use of Externally-Controlled Format String

Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2), and SVN, allows context-dependent attackers to execute arbitrary code via format string specifiers in the message parameter.

Jun 2007

Private Method Exposure

This package contains a flaw in the handling of tag names. The issue is triggered when the program reads tag names from XML data and then calls a method with that name. With a specially crafted file, a context-dependent attacker can call private methods and manipulate data.

May 2007

Data Handling Stack Buffer Overflow

This package contains an overflow condition that is triggered as user-supplied input is not properly validated when handling specially crafted data. This may allow a remote attacker to cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

Jan 2007

Uncontrolled Resource Consumption

The extract_files function in installer.rb in RubyGems does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.

Jan 1970

liquidjs may leak properties of a prototype

The package liquidjs before 10.0.0 is vulnerable to Information Exposure when ownPropertyOnly parameter is set to False, which results in leaking properties of a prototype. Workaround For versions 9.34.0 and higher, an option to disable this functionality is provided.