Alpine: multiple ruby packages: security update to 3.3.10-r0

low Tenable Self-Hosted Container Security Plugin ID 436150

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- URI is a module providing classes to handle Uniform Resource Identifiers. In versions 0.12.4 and earlier
(bundled in Ruby 3.2 series) 0.13.2 and earlier (bundled in Ruby 3.3 series), 1.0.3 and earlier (bundled
in Ruby 3.4 series), when using the + operator to combine URIs, sensitive information like passwords from
the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential
exposure. This is a a bypass for the fix to CVE-2025-27221 that can expose user credentials. This issue
has been fixed in versions 0.12.5, 0.13.3 and 1.0.4. (CVE-2025-61594)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-61594

Plugin Details

Severity: Low

ID: 436150

Version: Revision 1.9

Type: Local

Published: 11/22/2025

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.72

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2025-61594

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Low

Base Score: 2.1

Threat Score: 0.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/3/2025

Reference Information

CVE: CVE-2025-61594