2 files changed +53 -0 lines changed
1+ ---
2+ engine : ruby
3+ cve : 2011-3624
4+ ghsa : rc82-v3mm-rhj2
5+ url : https://nvd.nist.gov/vuln/detail/CVE-2011-3624
6+ title : Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7
7+ date : 2019-11-25
8+ description : |
9+ Various methods in WEBrick::HTTPRequest in Ruby
10+ 1.9.2-p290 and 1.8.7-p352 and earlier do not validate the
11+ X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in
12+ requests, which might allow remote attackers to inject arbitrary text
13+ into log files or bypass intended address parsing via a crafted header.
14+
15+ ## Can only have one "notes:" field for adding these notes here:
16+ - https://redmine.ruby-lang.org/issues/5418 mentioned CVE-2011-3187
17+ - https://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html
18+ - https://redmine.ruby-lang.org/issues/5418 says:
19+ - "WEBrick has been removed from ruby repository. If anyone interest
20+ this, Please file this to https://github.com/ruby/webrick"
21+ - Unclear when or if this was patched.
22+ cvss_v2 : 5.0
23+ cvss_v3 : 5.3
24+ notes : Never patched
25+ related :
26+ url :
27+ - https://nvd.nist.gov/vuln/detail/CVE-2011-3624
28+ - https://access.redhat.com/security/cve/cve-2011-3624
29+ - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624
30+ - https://security-tracker.debian.org/tracker/CVE-2011-3624
31+ - https://github.com/ruby/webrick
32+ - https://github.com/advisories/GHSA-rc82-v3mm-rhj2
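Review bot: the maintainer notes (the `## Can only have one "notes:" field` heading and the bullets under it) sit inside the `description: |` literal block, so they ship to consumers as part of the advisory description rather than as commentary; if they were meant as a YAML comment they would have to start with `#` at the mapping level, and then the `- https://...` bullets beneath would become invalid top-level sequence entries. Suggest moving their substance into the single `notes:` field as a block scalar, e.g.
notes: |
  Unclear when or if this was patched; https://redmine.ruby-lang.org/issues/5418 says WEBrick moved to https://github.com/ruby/webrick.
which also resolves the contradiction between `notes: Never patched` and the description's own "Unclear when or if this was patched". Two smaller points: `title` names only the class and versions and should state the flaw (unvalidated X-Forwarded-For/Host/Server headers allowing log injection and address-parsing bypass), and the affected range (1.9.2-p290, 1.8.7-p352 and earlier) appears only in prose, so if this database supports a version-constraint field it should be filled in so tooling can match on it rather than on free text. The `date: 2019-11-25` on a 2011 CVE is also worth confirming against whichever date convention the database uses.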

1+ ---
2+ engine : ruby
3+ cve : 2016-2336
4+ ghsa : f46g-7w88-2qv4
5+ url : https://nvd.nist.gov/vuln/detail/CVE-2016-2336
6+ title : Type confusion exists in ole_invoke and ole_query_interface
7+ methods of Ruby's WIN32OLE class
8+ date : 2017-01-06
9+ description : |
10+ Type confusion exists in two methods of Ruby's WIN32OLE class,
11+ ole_invoke and ole_query_interface.
12+ Attacker passing different type of object than this assumed by
13+ developers can cause arbitrary code execution.
14+ cvss_v2 : 7.5
15+ cvss_v3 : 9.8
16+ notes : " Never patched"
17+ related :
18+ url :
19+ - https://nvd.nist.gov/vuln/detail/CVE-2016-2336
20+ - http://www.talosintelligence.com/reports/TALOS-2016-0029
21+ - https://github.com/advisories/GHSA-f46g-7w88-2qv4
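Review bot: `notes: " Never patched"` carries a leading space inside the quotes and is quoted where the sibling WEBrick advisory writes `notes: Never patched` unquoted; drop the space and the quotes for consistency. More importantly, nothing under `related: url:` substantiates the "Never patched" claim: the references are NVD, the Talos report and the GHSA entry, none of which is an upstream statement, so add the ruby-lang tracker link or disclosure-timeline reference that establishes no fix landed, as the first file does with its redmine link. The description also reads awkwardly ("Attacker passing different type of object than this assumed by developers"); suggest "An attacker who passes an object of a type other than the one the developers assumed can cause arbitrary code execution." Finally, since WIN32OLE is only available in Windows builds of Ruby, a short note saying so would help consumers triage.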