Debian Jruby vulnerabilities

29 known vulnerabilities affecting debian/jruby.

Total CVEs: 29
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 13, MEDIUM 11, LOW 4

Vulnerabilities

Page 2 of 2
CVE-2018-1000079 | MEDIUM | CVSS 5.5 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
CVE-2018-1000079 [MEDIUM]: jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack ap

CVE-2018-1000078 | MEDIUM | CVSS 6.1 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
CVE-2018-1000078 [MEDIUM]: jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim m

CVE-2018-1000077 | MEDIUM | CVSS 5.3 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
CVE-2018-1000077 [MEDIUM]: jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This v

CVE-2017-17742 | MEDIUM | CVSS 5.3 | fixed in jruby 9.3.9.0+ds-1 (bookworm) | 2017
CVE-2017-17742 [MEDIUM]: jruby - Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick. Scope: local; bookworm: resolved (fixed in 9.3.9.0+ds-1); forky: resolved (fixed in 9.3.9.0+ds-1); sid: resolved (fixed in 9.3.9.

CVE-2015-3900 | MEDIUM | CVSS 5.0 | fixed in jruby 1.7.20.1-2 (bookworm) | 2015
CVE-2015-3900 [MEDIUM]: jruby - RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." Scope: local; bookworm: resolved (fixed in 1.7.20.1-2); forky: resolved (fixed in 1.7.20.1-2); si

CVE-2015-4020 | LOW | CVSS 5.0 | 2015
CVE-2015-4020 [MEDIUM]: jruby - RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists b

CVE-2012-5370 | MEDIUM | CVSS 5.0 | fixed in jruby 1.5.6-5 (bookworm) | 2012
CVE-2012-5370 [MEDIUM]: jruby - JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerabi

CVE-2011-4838 | LOW | CVSS 5.0 | fixed in jruby 1.5.6-4 (bookworm) | 2011
CVE-2011-4838 [MEDIUM]: jruby - JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Scope: local; bookworm: resolved (fixed in 1.5.6-4); forky: resolved (fixed in 1.5.6-4); sid: resolved (fi

CVE-2010-1330 | MEDIUM | CVSS 4.3 | fixed in jruby 1.5.0~rc1-1 (bookworm) | 2010
CVE-2010-1330 [MEDIUM]: jruby - The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string. Scope: local; bookworm: resolved (fixed in 1.5.0~rc1-1); forky: resolved (fixed in 1.5.0~rc1-1); sid: resolved (fixed in 1