is the Ruby community's gem hosting service. Users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an attacker to bypass the MFA requirement and take over the account. This vulnerability has been patched in commit 0b3272a.

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

View_component is a framework for building reusable, testable, and encapsulated view components in Ruby on Rails. Versions prior to 3.9.0 and 2.83.0 have a cross-site scripting vulnerability that has the potential to impact anyone rendering a component directly from a controller with the view_component gem. Note that only components that define a `#call` method (i.e. instead of using a sidecar template) are affected. The return value of the `#call` method is not sanitized and can include user-defined content. In addition, the return value of the `#output_postamble` method is not sanitized, which can also lead to cross-site scripting issues. Versions 3.9.0 and 2.83.0 have been released and fully mitigate both the `#call` and the `#output_postamble` vulnerabilities. As a workaround, sanitize the return value of `#call`.

A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DoS) by memory exhaustion.

The json-jwt (aka JSON::JWT) gem 1.16.3 for Ruby sometimes allows bypass of identity checks via a sign/encryption confusion attack. For example, JWE can sometimes be used to bypass JSON::JWT.decode.
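The Puma advisory above is about bounding chunk extensions while parsing chunked transfer encoding. The following is an added example, not Puma's own code: a minimal chunked-body decoder that enforces a per-chunk extension limit (the limit values are assumptions) and rejects malformed framing, which is the defensive shape a Rack-facing parser should have.

```ruby
# Added example, not Puma's code. A small chunked transfer-encoding decoder
# that caps chunk extensions and chunk sizes. Both limits are assumed values.
MAX_CHUNK_EXTENSION = 16          # bytes of extension text allowed per chunk
MAX_CHUNK_SIZE      = 1_048_576   # largest single chunk we will accept

class ChunkedBodyError < StandardError; end

# Decodes a raw chunked body into the de-chunked payload (binary string).
# Raises ChunkedBodyError on malformed input or when a limit is exceeded.
def decode_chunked(raw)
  buf = raw.b                      # work in bytes, not characters
  out = String.new(encoding: Encoding::BINARY)
  loop do
    line_end = buf.index("\r\n")
    raise ChunkedBodyError, "missing chunk-size line" if line_end.nil?
    size_line = buf[0...line_end]
    buf = buf.byteslice((line_end + 2)..-1)
    size_hex, ext = size_line.split(";", 2)
    # Check the extension length before anything else: without this cap a
    # client can keep the parser busy with arbitrarily long extension bytes.
    if ext && ext.bytesize > MAX_CHUNK_EXTENSION
      raise ChunkedBodyError, "chunk extension too long (#{ext.bytesize} bytes)"
    end
    unless size_hex =~ /\A\h+\z/
      raise ChunkedBodyError, "bad chunk size #{size_hex.inspect}"
    end
    size = size_hex.to_i(16)
    raise ChunkedBodyError, "chunk too large (#{size})" if size > MAX_CHUNK_SIZE
    if size.zero?
      # Last chunk: optional trailers must end with the terminating empty line.
      raise ChunkedBodyError, "missing final CRLF" unless buf.end_with?("\r\n")
      return out
    end
    raise ChunkedBodyError, "truncated chunk data" if buf.bytesize < size + 2
    out << buf.byteslice(0, size)
    unless buf.byteslice(size, 2) == "\r\n"
      raise ChunkedBodyError, "chunk data not CRLF-terminated"
    end
    buf = buf.byteslice((size + 2)..-1)
  end
end

# Accept/reject predicate for callers that do not need the payload.
def chunked_body_valid?(raw)
  decode_chunked(raw)
  true
rescue ChunkedBodyError
  false
end
```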