Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-16201 (GCVE-0-2019-16201)
Vulnerability from cvelistv5 – Published: 2019-11-26 00:00 – Updated: 2024-08-05 01:10
VLAI?
EPSS
Summary
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |
|---|---|---|
|
|
||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T01:10:41.604Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://hackerone.com/reports/661722"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"name": "20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"name": "20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"name": "DSA-4587",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "GLSA-202003-06",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"name": "openSUSE-SU-2020:0395",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
},
{
"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update",
"tags": [
"mailing-list",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-30T00:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://hackerone.com/reports/661722"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"name": "20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update",
"tags": [
"mailing-list"
],
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"name": "20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update",
"tags": [
"mailing-list"
],
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"name": "DSA-4587",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "GLSA-202003-06",
"tags": [
"vendor-advisory"
],
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"name": "openSUSE-SU-2020:0395",
"tags": [
"vendor-advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
},
{
"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update",
"tags": [
"mailing-list"
],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2019-16201",
"datePublished": "2019-11-26T00:00:00.000Z",
"dateReserved": "2019-09-10T00:00:00.000Z",
"dateUpdated": "2024-08-05T01:10:41.604Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GSD-2019-16201
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-16201",
"description": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.",
"id": "GSD-2019-16201",
"references": [
"https://www.suse.com/security/cve/CVE-2019-16201.html",
"https://www.debian.org/security/2019/dsa-4586",
"https://www.debian.org/security/2019/dsa-4587",
"https://access.redhat.com/errata/RHSA-2022:0582",
"https://access.redhat.com/errata/RHSA-2022:0581",
"https://access.redhat.com/errata/RHSA-2021:2588",
"https://access.redhat.com/errata/RHSA-2021:2587",
"https://access.redhat.com/errata/RHSA-2021:2230",
"https://access.redhat.com/errata/RHSA-2021:2104",
"https://ubuntu.com/security/CVE-2019-16201",
"https://advisories.mageia.org/CVE-2019-16201.html",
"https://security.archlinux.org/CVE-2019-16201",
"https://alas.aws.amazon.com/cve/html/CVE-2019-16201.html",
"https://linux.oracle.com/cve/CVE-2019-16201.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-16201"
],
"details": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.",
"id": "GSD-2019-16201",
"modified": "2023-12-13T01:23:40.695880Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/661722",
"refsource": "MISC",
"url": "https://hackerone.com/reports/661722"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html",
"refsource": "MISC",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"name": "20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"name": "20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update",
"refsource": "BUGTRAQ",
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"name": "DSA-4587",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "GLSA-202003-06",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"name": "openSUSE-SU-2020:0395",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
},
{
"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.6.4",
"versionStartIncluding": "2.6.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.5.6",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.4.7",
"versionStartIncluding": "2.4.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2019-16201"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/661722",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/661722"
},
{
"name": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html",
"refsource": "MISC",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"name": "20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update",
"refsource": "BUGTRAQ",
"tags": [],
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"name": "20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update",
"refsource": "BUGTRAQ",
"tags": [],
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"name": "DSA-4587",
"refsource": "DEBIAN",
"tags": [],
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"name": "https://www.oracle.com/security-alerts/cpujan2020.html",
"refsource": "MISC",
"tags": [],
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"name": "GLSA-202003-06",
"refsource": "GENTOO",
"tags": [],
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"name": "openSUSE-SU-2020:0395",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
},
{
"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update",
"refsource": "MLIST",
"tags": [],
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-04-30T23:15Z",
"publishedDate": "2019-11-26T18:15Z"
}
}
}
GHSA-26H5-QGG3-P324
Vulnerability from github – Published: 2022-05-24 17:02 – Updated: 2023-05-01 00:30
VLAI?
Details
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
Severity ?
7.5 (High)
{
"affected": [],
"aliases": [
"CVE-2019-16201"
],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-11-26T18:15:00Z",
"severity": "HIGH"
},
"details": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.",
"id": "GHSA-26h5-qgg3-p324",
"modified": "2023-05-01T00:30:16Z",
"published": "2022-05-24T17:02:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16201"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/661722"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"type": "WEB",
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"type": "WEB",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
FKIE_CVE-2019-16201
Vulnerability from fkie_nvd - Published: 2019-11-26 18:15 - Updated: 2024-11-21 04:30
Severity ?
Summary
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "A2C45233-D18A-47C8-8D49-BB05ADD50D88",
"versionEndIncluding": "2.4.7",
"versionStartIncluding": "2.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6E259007-36E1-418F-8493-A5A7928129F6",
"versionEndIncluding": "2.5.6",
"versionStartIncluding": "2.5.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "E746C3E0-0162-4487-AB58-2579B2BE1FD4",
"versionEndIncluding": "2.6.4",
"versionStartIncluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network."
},
{
"lang": "es",
"value": "La funci\u00f3n WEBrick::HTTPAuth::DigestAuth en Ruby versiones hasta la versi\u00f3n 2.4.7, versiones 2.5.x hasta 2.5.6 y versiones 2.6.x hasta 2.6.4, tiene una expresi\u00f3n regular de denegaci\u00f3n de servicio causada mediante looping/backtracking. Una v\u00edctima debe exponer un servidor WEBrick que usa DigestAuth en Internet o una red no segura."
}
],
"id": "CVE-2019-16201",
"lastModified": "2024-11-21T04:30:15.713",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "COMPLETE",
"baseScore": 7.8,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-11-26T18:15:15.100",
"references": [
{
"source": "cve@mitre.org",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/661722"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"source": "cve@mitre.org",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"source": "cve@mitre.org",
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"source": "cve@mitre.org",
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"source": "cve@mitre.org",
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"source": "cve@mitre.org",
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"source": "cve@mitre.org",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://hackerone.com/reports/661722"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://seclists.org/bugtraq/2019/Dec/31"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://seclists.org/bugtraq/2019/Dec/32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.gentoo.org/glsa/202003-06"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.debian.org/security/2019/dsa-4587"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.oracle.com/security-alerts/cpujan2020.html"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-287"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2019-16201
Vulnerability from osv_almalinux
Published
2021-06-29 13:58
Modified
2022-02-17 11:19
Summary
Moderate: ruby:2.5 security, bug fix, and enhancement update
Details
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (2.5.9). (BZ#1952626)
Security Fix(es):
-
ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)
-
ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201)
-
ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)
-
rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
-
ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)
-
ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
-
ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
-
ruby: HTTP response splitting in WEBrick (CVE-2019-16254)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0-2.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0-2.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0-2.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.3.0-2.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1-2.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1-2.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1-2.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.5.1-2.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.10-4.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.10-4.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.10-4.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.4.10-4.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-2.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-2.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-2.module_el8.5.0+2625+ec418553"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.0-2.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: ruby (2.5.9). (BZ#1952626)\n\nSecurity Fix(es):\n\n* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)\n\n* ruby: Regular expression denial of service vulnerability of WEBrick\u0027s Digest authentication (CVE-2019-16201)\n\n* ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)\n\n* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)\n\n* ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)\n\n* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)\n\n* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)\n\n* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
"id": "ALSA-2021:2587",
"modified": "2022-02-17T11:19:12Z",
"published": "2021-06-29T13:58:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2021-2587.html"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-15845"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-16201"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-16254"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-16255"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10663"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10933"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-25613"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2021-28965"
}
],
"related": [
"CVE-2019-15845",
"CVE-2019-16201",
"CVE-2019-16255",
"CVE-2020-10663",
"CVE-2020-10933",
"CVE-2020-25613",
"CVE-2021-28965",
"CVE-2019-16254"
],
"summary": "Moderate: ruby:2.5 security, bug fix, and enhancement update"
}
CVE-2019-16201
Vulnerability from osv_almalinux
Published
2021-06-29 13:58
Modified
2023-09-15 13:41
Summary
Moderate: ruby:2.6 security, bug fix, and enhancement update
Details
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (2.6.7). (BZ#1952627)
Security Fix(es):
-
rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881)
-
ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)
-
ruby: Regular expression denial of service vulnerability of WEBrick's Digest authentication (CVE-2019-16201)
-
ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)
-
rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)
-
ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)
-
ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)
-
ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)
-
ruby: HTTP response splitting in WEBrick (CVE-2019-16254)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Bug Fix(es):
- Resolv::DNS: ruby:2.6/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [almalinux-8] (BZ#1954968)
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+259+8cec6917"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-abrt-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.0-4.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-bson-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.0-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mongo-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.0-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-mysql2-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.5.2-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.4-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.4-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.4-1.module_el8.5.0+2623+08a8ba32"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "rubygem-pg-doc"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.1.4-1.module_el8.5.0+250+ba22dbf7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.\n\nThe following packages have been upgraded to a later upstream version: ruby (2.6.7). (BZ#1952627)\n\nSecurity Fix(es):\n\n* rubygem-bundler: Insecure permissions on directory in /tmp/ allows for execution of malicious code (CVE-2019-3881)\n\n* ruby: NUL injection vulnerability of File.fnmatch and File.fnmatch? (CVE-2019-15845)\n\n* ruby: Regular expression denial of service vulnerability of WEBrick\u0027s Digest authentication (CVE-2019-16201)\n\n* ruby: Code injection via command argument of Shell#test / Shell#[] (CVE-2019-16255)\n\n* rubygem-json: Unsafe object creation vulnerability in JSON (CVE-2020-10663)\n\n* ruby: BasicSocket#read_nonblock method leads to information disclosure (CVE-2020-10933)\n\n* ruby: Potential HTTP request smuggling in WEBrick (CVE-2020-25613)\n\n* ruby: XML round-trip vulnerability in REXML (CVE-2021-28965)\n\n* ruby: HTTP response splitting in WEBrick (CVE-2019-16254)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Resolv::DNS: ruby:2.6/ruby: timeouts if multiple IPv6 name servers are given and address contains leading zero [almalinux-8] (BZ#1954968)",
"id": "ALSA-2021:2588",
"modified": "2023-09-15T13:41:48Z",
"published": "2021-06-29T13:58:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2021-2588.html"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-15845"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-16201"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-16254"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-16255"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2019-3881"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10663"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-10933"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2020-25613"
},
{
"type": "REPORT",
"url": "https://vulners.com/cve/CVE-2021-28965"
}
],
"related": [
"CVE-2019-3881",
"CVE-2019-15845",
"CVE-2019-16201",
"CVE-2019-16255",
"CVE-2020-10663",
"CVE-2020-10933",
"CVE-2020-25613",
"CVE-2021-28965",
"CVE-2019-16254"
],
"summary": "Moderate: ruby:2.6 security, bug fix, and enhancement update"
}
CVE-2019-16201
Vulnerability from fstec - Published: 27.07.2019
VLAI Severity ?
Title
Уязвимость реализации класса WEBrick::HTTPAuth::DigestAuth библиотеки WEBrick интерпретатора языка программирования Ruby, позволяющая нарушителю вызвать отказ в обслуживании
Description
Уязвимость реализации класса WEBrick::HTTPAuth::DigestAuth библиотеки WEBrick интерпретатора языка программирования Ruby связана с недостатками процедуры аутентификации. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании
Severity ?
Vendor
ООО «РусБИТех-Астра», Сообщество свободного программного обеспечения, Novell Inc., Oracle Corp., Ruby Team, АО «ИВК», АО «Концерн ВНИИНС», АО "НППКТ"
Software Name
Astra Linux Special Edition (запись в едином реестре российских программ №369), Debian GNU/Linux, Astra Linux Common Edition (запись в едином реестре российских программ №4433), OpenSUSE Leap, Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156), GraalVM Enterprise Edition, Ruby, Альт 8 СП (запись в едином реестре российских программ №4305), ОС ОН «Стрелец» (запись в едином реестре российских программ №6177), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913)
Software Version
1.5 «Смоленск» (Astra Linux Special Edition), 9 (Debian GNU/Linux), 1.6 «Смоленск» (Astra Linux Special Edition), 2.12 «Орёл» (Astra Linux Common Edition), 15.1 (OpenSUSE Leap), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»), 19.3.0.2 (GraalVM Enterprise Edition), от 2.5.0 до 2.5.6 включительно (Ruby), от 2.6.0 до 2.6.4 включительно (Ruby), 2.4.7 (Ruby), - (Альт 8 СП), до 16.01.2023 (ОС ОН «Стрелец»), до 2.9 (ОСОН ОСнова Оnyx), до 2.12 (ОСОН ОСнова Оnyx)
Possible Mitigations
Использование рекомендаций:
Для Ruby:
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/
Для Debian:
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
Для программных продуктов Oracle Corp.:
https://www.oracle.com/security-alerts/cpujan2020.html
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2019-16201/
Для Astra Linux:
Обновление программного обеспечения (пакета ruby2.5) до 2.5.5-3+deb10u1 или более поздней версии
Для ОС ОН «Стрелец»:
Обновление программного обеспечения ruby2.3 до версии 2.3.3-1+deb9u9.osnova2
Обновление программного обеспечения jruby до версии 1.7.26+repack-1+deb9u3.osnova6
Для ОСОН ОСнова Оnyx:
Обновление программного обеспечения jruby до версии 9.1.17.0+repack-3+deb10u1osnova1
Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства
Обновление программного обеспечения ruby2.5 до версии 2.5.5.repack-3+deb10u6.osnova2u1
Reference
https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.suse.com/security/cve/CVE-2019-16201/
https://wiki.astralinux.ru/astra-linux-se16-bulletin-20200327SE16
https://wiki.astralinux.ru/astra-linux-se81-bulletin-20200429SE81
https://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15
https://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.9/
https://altsp.su/obnovleniya-bezopasnosti/
https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.12/
CWE
CWE-287
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., Oracle Corp., Ruby Team, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\"",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "1.5 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 9 (Debian GNU/Linux), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (Astra Linux Common Edition), 15.1 (OpenSUSE Leap), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb), 19.3.0.2 (GraalVM Enterprise Edition), \u043e\u0442 2.5.0 \u0434\u043e 2.5.6 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Ruby), \u043e\u0442 2.6.0 \u0434\u043e 2.6.4 \u0432\u043a\u043b\u044e\u0447\u0438\u0442\u0435\u043b\u044c\u043d\u043e (Ruby), 2.4.7 (Ruby), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 16.01.2023 (\u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb), \u0434\u043e 2.9 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 2.12 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Ruby:\nhttps://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/\nhttps://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/\nhttps://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/\n\n\u0414\u043b\u044f Debian:\nhttps://lists.debian.org/debian-lts-announce/2019/11/msg00025.html\nhttps://lists.debian.org/debian-lts-announce/2019/12/msg00009.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Oracle Corp.:\nhttps://www.oracle.com/security-alerts/cpujan2020.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2019-16201/\n\n\u0414\u043b\u044f Astra Linux:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f (\u043f\u0430\u043a\u0435\u0442\u0430 ruby2.5) \u0434\u043e 2.5.5-3+deb10u1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u043f\u043e\u0437\u0434\u043d\u0435\u0439 \u0432\u0435\u0440\u0441\u0438\u0438\n\n\u0414\u043b\u044f \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f ruby2.3 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.3.3-1+deb9u9.osnova2\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f jruby \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 1.7.26+repack-1+deb9u3.osnova6\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f jruby \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 9.1.17.0+repack-3+deb10u1osnova1\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f ruby2.5 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.5.5.repack-3+deb10u6.osnova2u1",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "27.07.2019",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "21.03.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.03.2020",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2020-00865",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-16201",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Debian GNU/Linux, Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), OpenSUSE Leap, Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), GraalVM Enterprise Edition, Ruby, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.5 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 2.12 \u00ab\u041e\u0440\u0451\u043b\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), Novell Inc. OpenSUSE Leap 15.1 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f - (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0410\u041e \u00ab\u041a\u043e\u043d\u0446\u0435\u0440\u043d \u0412\u041d\u0418\u0418\u041d\u0421\u00bb \u041e\u0421 \u041e\u041d \u00ab\u0421\u0442\u0440\u0435\u043b\u0435\u0446\u00bb \u0434\u043e 16.01.2023 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21166177), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.9 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.12 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043a\u043b\u0430\u0441\u0441\u0430 WEBrick::HTTPAuth::DigestAuth \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 WEBrick \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Ruby, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u044f (CWE-287)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 \u043a\u043b\u0430\u0441\u0441\u0430 WEBrick::HTTPAuth::DigestAuth \u0431\u0438\u0431\u043b\u0438\u043e\u0442\u0435\u043a\u0438 WEBrick \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 \u044f\u0437\u044b\u043a\u0430 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u044f Ruby \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u044b \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/\nhttps://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/\nhttps://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/\nhttps://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/\nhttps://lists.debian.org/debian-lts-announce/2019/11/msg00025.html\nhttps://lists.debian.org/debian-lts-announce/2019/12/msg00009.html\nhttps://www.oracle.com/security-alerts/cpujan2020.html\nhttps://www.suse.com/security/cve/CVE-2019-16201/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20200327SE16\nhttps://wiki.astralinux.ru/astra-linux-se81-bulletin-20200429SE81\nhttps://wiki.astralinux.ru/astra-linux-se15-bulletin-20201201SE15\nhttps://strelets.net/patchi-i-obnovleniya-bezopasnosti#16012023\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.9/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.12/",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-287",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
CERTFR-2021-AVI-788
Vulnerability from certfr_avis - Published: 2021-10-14 - Updated: 2021-10-14
De multiples vulnérabilités ont été découvertes dans IBM Cloud Foundry Migration Runtime. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Cloud Foundry Migration Runtime versions ant\u00e9rieures \u00e0 4.1.2",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-16201",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16201"
},
{
"name": "CVE-2019-16255",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16255"
},
{
"name": "CVE-2020-25613",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25613"
},
{
"name": "CVE-2019-3881",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-3881"
},
{
"name": "CVE-2021-28965",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-28965"
},
{
"name": "CVE-2021-33910",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-33910"
},
{
"name": "CVE-2019-16254",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16254"
},
{
"name": "CVE-2020-10663",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10663"
},
{
"name": "CVE-2019-15845",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-15845"
},
{
"name": "CVE-2021-25217",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-25217"
},
{
"name": "CVE-2020-10933",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10933"
}
],
"initial_release_date": "2021-10-14T00:00:00",
"last_revision_date": "2021-10-14T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-788",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-10-14T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Ex\u00e9cution de code arbitraire"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM Cloud Foundry\nMigration Runtime. Certaines d\u0027entre elles permettent \u00e0 un attaquant de\nprovoquer une ex\u00e9cution de code arbitraire, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM Cloud Foundry Migration Runtime",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM 6498497 du 13 octobre 2021",
"url": "https://www.ibm.com/support/pages/node/6498497"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…