CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also affects the CGI gem before 0.3.1 for Ruby.

The remote host is affected by the vulnerability described in GLSA-202401-27 (Ruby: Multiple vulnerabilities)

  - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a     simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An     attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header     check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

  - An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP     server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port.
    This potentially makes curl extract information about services that are otherwise private and not     disclosed (e.g., the attacker can conduct port scans and service banner extractions). (CVE-2021-31810)

  - An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does     not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-     middle attackers to bypass the TLS protections by leveraging a network position between the client and the     registry to block the StartTLS command, aka a StartTLS stripping attack. (CVE-2021-32066)

  - The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response     splitting. This is relevant to applications that use untrusted user input either to generate an HTTP     response or to create a CGI::Cookie object. (CVE-2021-33621)

  - CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer     overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of     bytes. This also affects the CGI gem before 0.3.1 for Ruby. (CVE-2021-41816)

  - Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via     a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. (CVE-2021-41817)

  - CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects     the CGI gem through 0.3.0 for Ruby. (CVE-2021-41819)

  - A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a     victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to     unexpected memory locations. (CVE-2022-28738)

  - There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before     3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. (CVE-2022-28739)

  - A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser     mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing     strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. (CVE-2023-28755)

  - A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser     mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing     strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. (CVE-2023-28756)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ruby installed on the remote host is prior to 3.0.3-154. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2RUBY3.0-2023-003 advisory.

    CGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer     overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of     bytes. This also affects the CGI gem before 0.3.1 for Ruby. (CVE-2021-41816)

    A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial     of service (ReDoS) during the parsing of dates. This flaw allows an attacker to hang a ruby application by     providing a specially crafted date string. The highest threat to this vulnerability is system     availability. (CVE-2021-41817)

    CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects     the CGI gem through 0.3.0 for Ruby. (CVE-2021-41819)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6856 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    The following packages have been upgraded to a later upstream version: rh-ruby27-ruby (2.7.6).
    (BZ#2128631)

    Security Fix(es):

    * ruby: buffer overflow in CGI.escape_html (CVE-2021-41816)

    * ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817)

    * ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)

    * Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:6855 advisory.

    Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text     files and to perform system management tasks.

    The following packages have been upgraded to a later upstream version: rh-ruby30-ruby (3.0.4).
    (BZ#2128628)

    Security Fix(es):

    * ruby: buffer overflow in CGI.escape_html (CVE-2021-41816)

    * ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817)

    * ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819)

    * Ruby: Double free in Regexp compilation (CVE-2022-28738)

    * Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * rh-ruby30 ruby: User-installed rubygems plugins are not being loaded (BZ#2128629)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5067 advisory.

    Several vulnerabilities have been discovered in the interpreter for the Ruby language and the Rubygems     included, which may result in information disclosure or denial of service. For the stable distribution     (bullseye), these problems have been fixed in version 2.7.4-1+deb11u1. We recommend that you upgrade your     ruby2.7 packages. For the detailed security status of ruby2.7 please refer to its security tracker page     at: https://security-tracker.debian.org/tracker/ruby2.7

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5235-1 advisory.

    It was discovered that Ruby incorrectly handled certain HTML files. An attacker could possibly use this     issue to cause a crash. This issue only affected Ubuntu 20.04 LTS, Ubuntu 21.04, and Ubuntu 21.10.
    (CVE-2021-41816)

    It was discovered that Ruby incorrectly handled certain regular expressions. An attacker could possibly     use this issue to cause a regular expression denial of service. (CVE-2021-41817)

    It was discovered that Ruby incorrectly handled certain cookie names. An attacker could possibly use this     issue to access or expose sensitive information. (CVE-2021-41819)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
189405	GLSA-202401-27 : Ruby: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
181933	Amazon Linux 2 : ruby (ALASRUBY3.0-2023-003)	Nessus	Amazon Linux Local Security Checks	critical
166011	RHEL 7 : rh-ruby27-ruby (RHSA-2022:6856)	Nessus	Red Hat Local Security Checks	critical
166007	RHEL 7 : rh-ruby30-ruby (RHSA-2022:6855)	Nessus	Red Hat Local Security Checks	critical
157380	Debian DSA-5067-1 : ruby2.7 - security update	Nessus	Debian Local Security Checks	critical
156802	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS : Ruby vulnerabilities (USN-5235-1)	Nessus	Ubuntu Local Security Checks	critical

Detections

Analytics

CVE-2021-41816

critical

Tenable Plugins

critical

critical

critical

critical

critical

critical