Debian Rubygems vulnerabilities

30 known vulnerabilities affecting debian/rubygems.

Total CVEs: 30
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 2, HIGH 13, MEDIUM 8, LOW 7

Vulnerabilities

Page 1 of 2
CVE-2025-27221 | LOW | CVSS 3.2 | fixed in ruby2.7 2.7.4-1+deb11u5 (bullseye) | 2025
[LOW] ruby2.7 - In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
Scope: local. bullseye: resolved (fixed in 2.7.4-1+deb11u5)
CVE-2025-61594 | LOW | CVSS 3.2 | 2025
[LOW] ruby2.7 - URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulner
CVE-2023-28755 | MEDIUM | CVSS 5.3 | fixed in jruby 9.4.5.0+ds-1 (forky) | 2023
[MEDIUM] jruby - A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
Scope: local. bookworm: open; forky: resolved (fixed in 9.4.5.0+ds-1); sid: r
CVE-2023-36617 | LOW | CVSS 5.3 | fixed in ruby2.7 2.7.4-1+deb11u2 (bullseye) | 2023
[MEDIUM] jruby - A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed v
CVE-2021-43809 | MEDIUM | CVSS 6.7 | fixed in rubygems 3.3.5-1 (bookworm) | 2021
[MEDIUM] rubygems - `Bundler` is a package for managing application dependencies in Ruby. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`'s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use t
CVE-2020-36327 | HIGH | CVSS 8.8 | fixed in rubygems 3.3.5-1 (bookworm) | 2020
[HIGH] rubygems - Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.16 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application. NOTE: it is not correct
CVE-2019-8324 | HIGH | CVSS 8.8 | fixed in jruby 9.1.17.0-3 (bookworm) | 2019
[HIGH] jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check.
Scope: local. bookworm: resolved (fixed in 9.1.17.0-3); forky: resolved (fixed in 9.1.17
CVE-2019-8322 | HIGH | CVSS 7.5 | fixed in jruby 9.1.17.0-3 (bookworm) | 2019
[HIGH] jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
Scope: local. bookworm: resolved (fixed in 9.1.17.0-3); forky: resolved (fixed in 9.1.17.0-3); sid: resolved (fixed in 9.1.17.0-3); trixie: resolved (fi
CVE-2019-8323 | HIGH | CVSS 7.5 | fixed in jruby 9.1.17.0-3 (bookworm) | 2019
[HIGH] jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
Scope: local. bookworm: resolved (fixed in 9.1.17.0-3); forky: resolved (fixed in 9.1.17.0-3); sid: resolved (fixed in 9.1.17.0-3); trixie
CVE-2019-8320 | HIGH | CVSS 7.4 | fixed in jruby 9.1.17.0-3 (bookworm) | 2019
[HIGH] jruby - A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could
CVE-2019-8325 | HIGH | CVSS 7.5 | fixed in jruby 9.1.17.0-3 (bookworm) | 2019
[HIGH] jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
Scope: local. bookworm: resolved (fixed in 9.1.17.0-3); forky: resolved (fixed in 9.1.17.0-3); sid: resolved (fixed in 9.1.17.0-3); trixie: resolved (fixed in 9.1.17
CVE-2019-8321 | HIGH | CVSS 7.5 | fixed in jruby 9.1.17.0-3 (bookworm) | 2019
[HIGH] jruby - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
Scope: local. bookworm: resolved (fixed in 9.1.17.0-3); forky: resolved (fixed in 9.1.17.0-3); sid: resolved (fixed in 9.1.17.0-3); trixie: resolved (fixed in 9.1.17.0-3)
CVE-2018-1000076 | CRITICAL | CVSS 9.8 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
[CRITICAL] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contai
CVE-2018-1000075 | HIGH | CVSS 7.5 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
[HIGH] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop. This vulnerabil
CVE-2018-1000073 | HIGH | CVSS 7.5 | fixed in jruby 9.1.17.0-2.1 (bookworm) | 2018
[HIGH] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the ro
CVE-2018-1000074 | HIGH | CVSS 7.8 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
[HIGH] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `ge
CVE-2018-1000079 | MEDIUM | CVSS 5.5 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
[MEDIUM] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack ap
CVE-2018-1000078 | MEDIUM | CVSS 6.1 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
[MEDIUM] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim m
CVE-2018-1000077 | MEDIUM | CVSS 5.3 | fixed in jruby 9.1.17.0-1 (bookworm) | 2018
[MEDIUM] jruby - RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This v
CVE-2017-0903 | CRITICAL | CVSS 9.8 | fixed in rubygems 3.2.0~rc.1-1 (bookworm) | 2017
[CRITICAL] rubygems - RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.
Scope: local. bookworm: resolved (fixed in 3.2.0~rc.1-1); bullseye: resolved (fixed in 3.