Alpine: ruby: security update to 2.3.5-r0

critical Tenable Self-Hosted Container Security Plugin ID 406966

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x
through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and
possibly execute arbitrary commands via a crafted user name. (CVE-2017-10784)

- Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious
specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap
memory corruption or an information disclosure from the heap. (CVE-2017-0898)

- RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include
terminal escape characters. Printing the gem specification would execute terminal escape sequences.
(CVE-2017-0899)

- RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a
denial of service attack against RubyGems clients who have issued a `query` command. (CVE-2017-0900)

- RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted
gem to potentially overwrite any file on the filesystem. (CVE-2017-0901)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-0898

https://security.alpinelinux.org/vuln/CVE-2017-0899

https://security.alpinelinux.org/vuln/CVE-2017-0900

https://security.alpinelinux.org/vuln/CVE-2017-0901

https://security.alpinelinux.org/vuln/CVE-2017-0902

https://security.alpinelinux.org/vuln/CVE-2017-10784

https://security.alpinelinux.org/vuln/CVE-2017-14033

https://security.alpinelinux.org/vuln/CVE-2017-14064

Plugin Details

Severity: Critical

ID: 406966

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.35

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 7.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2017-10784

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2017-14064

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 8/27/2017

Reference Information

CVE: CVE-2017-0898, CVE-2017-0899, CVE-2017-0900, CVE-2017-0901, CVE-2017-0902, CVE-2017-10784, CVE-2017-14033, CVE-2017-14064

BID: 100576, 100579, 100580, 100586, 100853, 100862, 100868, 100890