Skip to content

Commit 47f885c

Browse files
jasnowRubySec CI
authored andcommitted
Updated advisory posts against rubysec/ruby-advisory-db@150311a
1 parent 932023f commit 47f885c

3 files changed

Lines changed: 124 additions & 0 deletions

File tree

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2023-37463 (commonmarker): Several quadratic complexity bugs may lead
4+
to denial of service in Commonmarker'
5+
comments: false
6+
categories:
7+
- commonmarker
8+
advisory:
9+
gem: commonmarker
10+
cve: 2023-37463
11+
ghsa: 7vh7-fw88-wj87
12+
url: https://nvd.nist.gov/vuln/detail/CVE-2023-37463
13+
title: Several quadratic complexity bugs may lead to denial of service in Commonmarker
14+
date: 2023-08-08
15+
description: |-
16+
## Impact
17+
18+
Several quadratic complexity bugs in commonmarker's underlying
19+
[`cmark-gfm`](https://github.com/github/cmark-gfm) library may
20+
lead to unbounded resource exhaustion and subsequent denial of service.
21+
22+
The following vulnerabilities were addressed:
23+
24+
* [CVE-2023-37463](https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5)
25+
26+
For more information, consult the release notes for version
27+
[`0.29.0.gfm.12`](https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12).
28+
29+
## Mitigation
30+
31+
Users are advised to upgrade to commonmarker version
32+
[`0.23.10`](https://rubygems.org/gems/commonmarker/versions/0.23.10).
33+
cvss_v3: 7.5
34+
patched_versions:
35+
- ">= 0.23.10"
36+
related:
37+
url:
38+
- https://nvd.nist.gov/vuln/detail/CVE-2023-37463
39+
- https://rubygems.org/gems/commonmarker/versions/0.23.10
40+
- https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12
41+
- https://github.com/gjtorikian/commonmarker/commit/db8cd377b54541f7fd484d168b7682a282a680f7
42+
- https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-7vh7-fw88-wj87
43+
- https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5
44+
- https://github.com/advisories/GHSA-7vh7-fw88-wj87
45+
notes: "- cvss_v3 came from nvd.nist.gov URL.\n"
46+
---
Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,47 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-2302 (mongoid): Mongoid::Criteria.from_hash method allows arbitrary
4+
method calls'
5+
comments: false
6+
categories:
7+
- mongoid
8+
advisory:
9+
gem: mongoid
10+
cve: 2026-2302
11+
ghsa: 68xj-h57p-gg5j
12+
url: https://nvd.nist.gov/vuln/detail/CVE-2026-2302
13+
title: Mongoid::Criteria.from_hash method allows arbitrary method calls
14+
date: 2026-02-27
15+
description: |-
16+
Under specific conditions when processing a maliciously crafted
17+
value of type Hash r, Mongoid::Criteria.from_hash may allow for
18+
executing arbitrary Ruby code.
19+
cvss_v3: 6.5
20+
cvss_v4: 6.9
21+
patched_versions:
22+
- "~> 7.6.1"
23+
- "~> 8.0.12"
24+
- "~> 8.1.12"
25+
- ">= 9.0.10"
26+
related:
27+
url:
28+
- https://nvd.nist.gov/vuln/detail/CVE-2026-2302
29+
- https://github.com/mongodb/mongoid/releases/tag/v9.0.10
30+
- https://github.com/mongodb/mongoid/pull/6099
31+
- https://rubygems.org/gems/mongoid/versions/8.1.12 - https://github.com/mongodb/mongoid/releases/tag/v8.1.12
32+
- https://github.com/mongodb/mongoid/pull/6100
33+
- https://rubygems.org/gems/mongoid/versions/8.0.12 - https://github.com/mongodb/mongoid/releases/tag/v8.0.12
34+
- https://github.com/mongodb/mongoid/pull/6101
35+
- https://rubygems.org/gems/mongoid/versions/7.6.1 - https://github.com/mongodb/mongoid/releases/tag/v7.6.1
36+
- https://github.com/mongodb/mongoid/pull/6102
37+
- https://github.com/mongodb/mongoid/pull/6087
38+
- https://github.com/mongodb/mongoid/pull/6086
39+
- https://github.com/mongodb/mongoid/pull/6085
40+
- https://github.com/mongodb/mongoid/pull/6084
41+
- https://github.com/mongodb/mongoid/pull/6083
42+
- https://jira.mongodb.org/browse/MONGOID-5919
43+
- https://github.com/advisories/GHSA-68xj-h57p-gg5j
44+
notes: |
45+
- GHSA is unreviewed.
46+
- date from nvd.nist.gov URL.
47+
---
Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-38969 (webrick): ruby webrick through v1.9.2 WEBrick reparses trailer'
4+
comments: false
5+
categories:
6+
- webrick
7+
advisory:
8+
gem: webrick
9+
cve: 2026-38969
10+
ghsa: h4w6-wx8r-p68v
11+
url: https://nvd.nist.gov/vuln/detail/CVE-2026-38969
12+
title: ruby webrick through v1.9.2 WEBrick reparses trailer
13+
date: 2026-07-02
14+
description: |-
15+
ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length
16+
into canonical request state, enabling request smuggling.
17+
related:
18+
url:
19+
- https://nvd.nist.gov/vuln/detail/CVE-2026-38969
20+
- https://github.com/ruby/webrick/pull/199
21+
- https://github.com/ruby/webrick/issues/198
22+
- https://nvd.nist.gov/vuln/detail/CVE-2015-7519
23+
- https://github.com/advisories/GHSA-h4w6-wx8r-p68v
24+
notes: |2
25+
26+
- Not patched (last release was 1.9.2)
27+
- https://rubygems.org/gems/webrick/versions/1.9.2
28+
- https://github.com/ruby/webrick/releases/tag/v1.9.2
29+
- No CVSS value in nvd.nist.gov URL.
30+
- GHSA is unreviewed.
31+
---

0 commit comments

Comments
 (0)