Alpine: ruby: security update to 2.4.10-r0

high Tenable Self-Hosted Container Security Plugin ID 406970

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within
File.fnmatch functions. (CVE-2019-15845)

- WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a
regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server
that uses DigestAuth to the Internet or a untrusted network. (CVE-2019-16201)

- Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a
program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to
insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this
issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not
address an isolated CR or an isolated LF. (CVE-2019-16254)

- Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first
argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An
attacker can exploit this to call an arbitrary Ruby method. (CVE-2019-16255)

- The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through
2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not
rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead
to creation of a malicious object within the interpreter, with adverse effects that are application-
dependent. (CVE-2020-10663)

See Also

https://security.alpinelinux.org/vuln/CVE-2019-15845

https://security.alpinelinux.org/vuln/CVE-2019-16201

https://security.alpinelinux.org/vuln/CVE-2019-16254

https://security.alpinelinux.org/vuln/CVE-2019-16255

https://security.alpinelinux.org/vuln/CVE-2020-10663

Plugin Details

Severity: High

ID: 406970

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-16255

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 11/26/2019

Reference Information

CVE: CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-10663