File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2023-37463 (commonmarker): Several quadratic complexity bugs may lead
4+ to denial of service in Commonmarker'
5+ comments : false
6+ categories :
7+ - commonmarker
8+ advisory :
9+ gem : commonmarker
10+ cve : 2023-37463
11+ ghsa : 7vh7-fw88-wj87
12+ url : https://nvd.nist.gov/vuln/detail/CVE-2023-37463
13+ title : Several quadratic complexity bugs may lead to denial of service in Commonmarker
14+ date : 2023-08-08
15+ description : |-
16+ ## Impact
17+
18+ Several quadratic complexity bugs in commonmarker's underlying
19+ [`cmark-gfm`](https://github.com/github/cmark-gfm) library may
20+ lead to unbounded resource exhaustion and subsequent denial of service.
21+
22+ The following vulnerabilities were addressed:
23+
24+ * [CVE-2023-37463](https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5)
25+
26+ For more information, consult the release notes for version
27+ [`0.29.0.gfm.12`](https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12).
28+
29+ ## Mitigation
30+
31+ Users are advised to upgrade to commonmarker version
32+ [`0.23.10`](https://rubygems.org/gems/commonmarker/versions/0.23.10).
33+ cvss_v3 : 7.5
34+ patched_versions :
35+ - " >= 0.23.10"
36+ related :
37+ url :
38+ - https://nvd.nist.gov/vuln/detail/CVE-2023-37463
39+ - https://rubygems.org/gems/commonmarker/versions/0.23.10
40+ - https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.12
41+ - https://github.com/gjtorikian/commonmarker/commit/db8cd377b54541f7fd484d168b7682a282a680f7
42+ - https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-7vh7-fw88-wj87
43+ - https://github.com/github/cmark-gfm/security/advisories/GHSA-w4qg-3vf7-m9x5
44+ - https://github.com/advisories/GHSA-7vh7-fw88-wj87
45+ notes : " - cvss_v3 came from nvd.nist.gov URL.\n "
46+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-2302 (mongoid): Mongoid::Criteria.from_hash method allows arbitrary
4+ method calls'
5+ comments : false
6+ categories :
7+ - mongoid
8+ advisory :
9+ gem : mongoid
10+ cve : 2026-2302
11+ ghsa : 68xj-h57p-gg5j
12+ url : https://nvd.nist.gov/vuln/detail/CVE-2026-2302
13+ title : Mongoid::Criteria.from_hash method allows arbitrary method calls
14+ date : 2026-02-27
15+ description : |-
16+ Under specific conditions when processing a maliciously crafted
17+ value of type Hash r, Mongoid::Criteria.from_hash may allow for
18+ executing arbitrary Ruby code.
19+ cvss_v3 : 6.5
20+ cvss_v4 : 6.9
21+ patched_versions :
22+ - " ~> 7.6.1"
23+ - " ~> 8.0.12"
24+ - " ~> 8.1.12"
25+ - " >= 9.0.10"
26+ related :
27+ url :
28+ - https://nvd.nist.gov/vuln/detail/CVE-2026-2302
29+ - https://github.com/mongodb/mongoid/releases/tag/v9.0.10
30+ - https://github.com/mongodb/mongoid/pull/6099
31+ - https://rubygems.org/gems/mongoid/versions/8.1.12 - https://github.com/mongodb/mongoid/releases/tag/v8.1.12
32+ - https://github.com/mongodb/mongoid/pull/6100
33+ - https://rubygems.org/gems/mongoid/versions/8.0.12 - https://github.com/mongodb/mongoid/releases/tag/v8.0.12
34+ - https://github.com/mongodb/mongoid/pull/6101
35+ - https://rubygems.org/gems/mongoid/versions/7.6.1 - https://github.com/mongodb/mongoid/releases/tag/v7.6.1
36+ - https://github.com/mongodb/mongoid/pull/6102
37+ - https://github.com/mongodb/mongoid/pull/6087
38+ - https://github.com/mongodb/mongoid/pull/6086
39+ - https://github.com/mongodb/mongoid/pull/6085
40+ - https://github.com/mongodb/mongoid/pull/6084
41+ - https://github.com/mongodb/mongoid/pull/6083
42+ - https://jira.mongodb.org/browse/MONGOID-5919
43+ - https://github.com/advisories/GHSA-68xj-h57p-gg5j
44+ notes : |
45+ - GHSA is unreviewed.
46+ - date from nvd.nist.gov URL.
47+ ---
Original file line number Diff line number Diff line change 1+ ---
2+ layout : advisory
3+ title : ' CVE-2026-38969 (webrick): ruby webrick through v1.9.2 WEBrick reparses trailer'
4+ comments : false
5+ categories :
6+ - webrick
7+ advisory :
8+ gem : webrick
9+ cve : 2026-38969
10+ ghsa : h4w6-wx8r-p68v
11+ url : https://nvd.nist.gov/vuln/detail/CVE-2026-38969
12+ title : ruby webrick through v1.9.2 WEBrick reparses trailer
13+ date : 2026-07-02
14+ description : |-
15+ ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length
16+ into canonical request state, enabling request smuggling.
17+ related :
18+ url :
19+ - https://nvd.nist.gov/vuln/detail/CVE-2026-38969
20+ - https://github.com/ruby/webrick/pull/199
21+ - https://github.com/ruby/webrick/issues/198
22+ - https://nvd.nist.gov/vuln/detail/CVE-2015-7519
23+ - https://github.com/advisories/GHSA-h4w6-wx8r-p68v
24+ notes : |2
25+
26+ - Not patched (last release was 1.9.2)
27+ - https://rubygems.org/gems/webrick/versions/1.9.2
28+ - https://github.com/ruby/webrick/releases/tag/v1.9.2
29+ - No CVSS value in nvd.nist.gov URL.
30+ - GHSA is unreviewed.
31+ ---
You can’t perform that action at this time.
0 commit comments