GHSA SYNC: 1 modified and 1 brand new advisory

jasnow · jasnow · commit bb0622bad82f · 2026-01-23T14:48:30.000-05:00
diff --git a/rubies/mruby/CVE-2025-7207.yml b/rubies/mruby/CVE-2025-7207.yml
@@ -0,0 +1,42 @@
+---
+engine: mruby
+cve: 2025-7207
+ghsa: 48pr-6hvf-39v3
+url: https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+title: Heap-based buffer overflow vulnerability in mruby 3.4.0-rc2
+date: 2025-07-08
+description: |
+  A vulnerability, which was classified as problematic, was found
+  in mruby up to 3.4.0-rc2. Affected is the function scope_new of
+  the file mrbgems/mruby-compiler/core/codegen.c of the component
+  nregs Handler. The manipulation leads to heap-based buffer overflow.
+  An attack has to be approached locally. The exploit has been
+  disclosed to the public and may be used. The name of the patch
+  is 1fdd96104180cc0fb5d3cb086b05ab6458911bb9. It is recommended
+  to apply a patch to fix this issue.
+
+  - Text (not a link)
+    - https://github.com/user-attachments/files/19619499/mruby_crash.txt
+
+  ## RELEASE NOTES
+  - Found Issue #6509 listed in **unreleased** mruby 3.5 NEWS.md
+    file listed below.
+cvss_v2: 1.7
+cvss_v3: 5.5
+cvss_v4: 4.4
+patched_versions:
+  - ">= 3.5.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-7207
+    - https://github.com/mruby/mruby/blob/master/NEWS.md
+    - https://github.com/mruby/mruby/commit/1fdd96104180cc0fb5d3cb086b05ab6458911bb9
+    - https://github.com/mruby/mruby/issues/6509#event-17145516649
+    - https://github.com/mruby/mruby/issues/6509
+    - https://vuldb.com/?ctiid.315156
+    - https://vuldb.com/?id.315156
+    - https://vuldb.com/?submit.607683
+    - https://www.wiz.io/vulnerability-database/cve/cve-2025-7207
+    - https://github.com/advisories/GHSA-48pr-6hvf-39v3
+notes: |
+  - mruby 3.5.0 has not be released as 1/23/2026.
diff --git a/rubies/ruby/CVE-2024-27282.yml b/rubies/ruby/CVE-2024-27282.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2024-27282
+ghsa: 63cq-cj6g-qfr2
 url: https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282/
 title: Arbitrary memory address read vulnerability with Regex search
 date: 2024-04-23
@@ -15,8 +16,19 @@ description: |
   * For Ruby 3.1 users: Update to 3.1.5
   * For Ruby 3.2 users: Update to 3.2.4
   * For Ruby 3.3 users: Update to 3.3.1
+cvss_v3: 6.6
 patched_versions:
   - "~> 3.0.7"
   - "~> 3.1.5"
   - "~> 3.2.4"
   - ">= 3.3.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-27282
+    - https://www.ruby-lang.org/en/news/2024/04/23/arbitrary-memory-address-read-regexp-cve-2024-27282
+    - https://hackerone.com/reports/2122624
+    - https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XYDHPHEZI7OQXTQKTDZHGZNPIJH7ZV5N
+    - https://security.netapp.com/advisory/ntap-20241011-0007
+    - https://github.com/advisories/GHSA-63cq-cj6g-qfr2
