From 5af4971b7f75238fe07a486fc767d0f78529797f Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Mon, 12 Jan 2026 20:59:45 -0500
Subject: [PATCH 1/6] GHSA SYNC: 2 modified advisories; 4 brand new advisories

---
 rubies/ruby/CVE-2011-4121.yml | 31 +++++++++++++++++++++++++++++++
 rubies/ruby/CVE-2016-2337.yml | 22 ++++++++++++++++++++++
 rubies/ruby/CVE-2016-2338.yml | 31 +++++++++++++++++++++++++++++++
 rubies/ruby/CVE-2016-2339.yml | 33 +++++++++++++++++++++++++++++++++
 rubies/ruby/CVE-2018-8780.yml | 12 ++++++++++++
 rubies/ruby/CVE-2022-28738.yml | 25 ++++++++++++++++++++++---
 6 files changed, 151 insertions(+), 3 deletions(-)
 create mode 100644 rubies/ruby/CVE-2011-4121.yml
 create mode 100644 rubies/ruby/CVE-2016-2337.yml
 create mode 100644 rubies/ruby/CVE-2016-2338.yml
 create mode 100644 rubies/ruby/CVE-2016-2339.yml

diff --git a/rubies/ruby/CVE-2011-4121.yml b/rubies/ruby/CVE-2011-4121.yml
new file mode 100644
index 0000000000..483634a4f0
--- /dev/null
+++ b/rubies/ruby/CVE-2011-4121.yml
@@ -0,0 +1,31 @@
+---
+engine: ruby
+cve: 2011-4121
+ghsa: mjg4-5rfj-952f
+url: https://github.com/advisories/GHSA-mjg4-5rfj-952f
+title: Private Ruby OpenSSL RSA key generation is alway "1"
+date: 2019-11-26
+description: |
+  The OpenSSL extension of Ruby (Git trunk) versions after
+  2011-09-01 up to 2011-11-03 always generated an exponent value
+  of '1' to be used for private RSA key generation. A remote
+  attacker could use this flaw to bypass or corrupt integrity
+  of services, depending on strong private RSA keys generation
+  mechanism.
+
+  - "The fix was introduced via SVN revision 33633, resolving
+    the faulty random exponent generation."
+  - "fix was integrated into the Ruby 1.9.3 series"
+cvss_v2: 7.5
+cvss_v3: 9.8
+patched_versions:
+  - ">= 1.9.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2011-4121
+    - https://github.com/saltstack/salt/commit/5dd304276ba5745ec21fc1e6686a0b28da29e6fc
+    - https://access.redhat.com/security/cve/cve-2011-4121
+    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4121
+    - https://security-tracker.debian.org/tracker/CVE-2011-4121
+    - http://www.openwall.com/lists/oss-security/2013/07/01/1
+    - https://github.com/advisories/GHSA-mjg4-5rfj-952f
diff --git a/rubies/ruby/CVE-2016-2337.yml b/rubies/ruby/CVE-2016-2337.yml
new file mode 100644
index 0000000000..042f53123d
--- /dev/null
+++ b/rubies/ruby/CVE-2016-2337.yml
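Review bot: The single range `patched_versions: - ">= 1.9.3"` reports every release before 1.9.3 as vulnerable, while the description directly above it says only Git trunk between 2011-09-01 and 2011-11-03 generated the bad exponent. If no tagged release carried the defect, an `unaffected_versions:` list (the field CVE-2022-28738.yml uses on this page) or a range checked against the GHSA's affected versions would be more accurate; the hunk alone does not say which tagged releases, if any, were affected. `date: 2019-11-26` also looks like the GHSA publication date rather than the disclosure date, whereas the other entries on this page carry a `date:` that matches their dated upstream advisory URL. The two quoted bullets inside `description: |` ("The fix was introduced via SVN revision 33633…", "fix was integrated into the Ruby 1.9.3 series") are provenance notes rather than advisory text; a notes field, if the schema has one, or a `#` comment above the key would keep them out of the rendered description.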
@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2016-2337
+ghsa: f58m-77qc-8gjv
+url: https://github.com/advisories/GHSA-f58m-77qc-8gjv
+title: Type confusion exists in _cancel_eval Ruby's TclTkIp class
+date: 2017-01-06
+description: |
+  Type confusion exists in _cancel_eval Ruby's TclTkIp class method.
+  Attacker passing different type of object than String as "retval"
+  argument can cause arbitrary code execution.
+cvss_v3: 9.8
+cvss_v4: 7.5
+patched_versions:
+  - ">= 2.2.8"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2337
+    - https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
+    - https://security.gentoo.org/glsa/201710-18
+    - http://www.talosintelligence.com/reports/TALOS-2016-0031
+    - https://github.com/advisories/GHSA-f58m-77qc-8gjv
diff --git a/rubies/ruby/CVE-2016-2338.yml b/rubies/ruby/CVE-2016-2338.yml
new file mode 100644
index 0000000000..1657a823f4
--- /dev/null
+++ b/rubies/ruby/CVE-2016-2338.yml
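Review bot: `patched_versions: - ">= 2.2.8"` treats every 2.3.x release as patched, which is only correct if no 2.3 release shipped the TclTkIp defect; since the 2.3 series predates 2.2.8 (the CVE-2016-2338 description on this page dates 2.3.0 to 12/25/2015), early 2.3 releases were presumably affected until a specific 2.3 patch release. Express the fix per series as CVE-2016-2338.yml on this page does — `- "~> 2.2.8"`, a `~>` range starting at the first fixed 2.3 release, then a `>=` range from the first series with the fix — with the 2.3 boundary confirmed against the fix commit rather than guessed. This file is also the only one on the page carrying `cvss_v4: 7.5`; confirm the repository's schema check accepts that key, or the value will be rejected or silently ignored.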
@@ -0,0 +1,31 @@
+---
+engine: ruby
+cve: 2016-2338
+ghsa: r46x-xjwr-8v2g
+url: https://github.com/advisories/GHSA-r46x-xjwr-8v2g
+title: Exploitable heap overflow vulnerability exists
+  in Ruby's Psych::Emitter start_document function
+date: 2022-09-28
+description: |
+  An exploitable heap overflow vulnerability exists in the
+  Psych::Emitter start_document function of Ruby. In Psych::Emitter
+  start_document function heap buffer "head" allocation is made
+  based on tags array length. Specially constructed object passed
+  as element of tags array can increase this array size after
+  mentioned allocation and cause heap overflow.
+
+  - "Ruby versions 2.2.2 (4/13/2015) and 2.3.0 (12/25/2015)
+    are susceptible"
+cvss_v3: 9.8
+patched_versions:
+  - "~> 2.3.1"
+  - ">= 2.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2338
+    - https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html
+    - http://www.talosintelligence.com/reports/TALOS-2016-0032
+    - https://security.netapp.com/advisory/ntap-20221228-0005
+    - https://cve.reconshell.com/cve/CVE-2016-2338
+    - https://alas.aws.amazon.com/AL2/ALAS2-2025-2990.html
+    - https://github.com/advisories/GHSA-r46x-xjwr-8v2g
diff --git a/rubies/ruby/CVE-2016-2339.yml b/rubies/ruby/CVE-2016-2339.yml
new file mode 100644
index 0000000000..9448ac43bc
--- /dev/null
+++ b/rubies/ruby/CVE-2016-2339.yml
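Review bot: `date: 2022-09-28` is inconsistent with the sibling advisories from the same Talos batch on this page — CVE-2016-2337.yml (TALOS-2016-0031) and CVE-2016-2339.yml (TALOS-2016-0034) both carry `date: 2017-01-06` — and 2022-09-28 looks like the GHSA publication date rather than the disclosure date. The description states that Ruby 2.2.2 is susceptible, yet `patched_versions` lists only `- "~> 2.3.1"` and `- ">= 2.4.0"`, so every 2.2.x release is reported vulnerable; if a 2.2 patch release carried the fix it should be added, and if the 2.2 series was never fixed a `#` comment saying so would stop a later sync from "correcting" the range. The two-line plain scalar under `title:` is valid YAML but folds silently; writing it as `title: >-` with both lines indented beneath makes the intent explicit.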
@@ -0,0 +1,33 @@
+---
+engine: ruby
+cve: 2016-2339
+ghsa: c4w7-m676-pcvp
+url: https://github.com/advisories/GHSA-c4w7-m676-pcvp
+title: Ruby 2.1 has exploitable heap overflow vulnerability
+date: 2017-01-06
+description: |
+  An exploitable heap overflow vulnerability exists in the
+  Fiddle::Function.new "initialize" function functionality of
+  Ruby. In Fiddle::Function.new "initialize" heap buffer
+  "arg_types" allocation is made based on args array length.
+  Specially constructed object passed as element of args array
+  can increase this array size after mentioned allocation and
+  cause heap overflow.
+
+  Versions affected:
+  - Ruby "2.0.0-p648, 2.1.0-p0 through 2.1.9, and 2.2.0 through 2.2.5."
+  - NOTE: Unclear where the patches where applied.
+  - "Fix was introduced in Ruby 2.1.9, with related packages like
+    ruby2.1 updated to version 2.1.9-19.3.2 or newer"
+cvss_v3: 9.8
+patched_versions:
+  - ">= 2.1.9"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-2339
+    - https://app.opencve.io/cve/CVE-2016-2339
+    - http://www.talosintelligence.com/reports/TALOS-2016-0034
+    - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+    - https://web.archive.org/web/20210123144757/https://www.securityfocus.com/bid/91234
+    - https://www.cybersecurity-help.cz/vulnerabilities/39952/
+    - https://github.com/advisories/GHSA-c4w7-m676-pcvp
diff --git a/rubies/ruby/CVE-2018-8780.yml b/rubies/ruby/CVE-2018-8780.yml
index 6948cfe5d4..bc15bdf9d4 100644
--- a/rubies/ruby/CVE-2018-8780.yml
+++ b/rubies/ruby/CVE-2018-8780.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2018-8780
+ghsa: fphx-j9v2-w2cx
 url: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
 title: Unintentional directory traversal by poisoned NUL byte in Dir
 date: 2018-03-28
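Review bot: `patched_versions: - ">= 2.1.9"` contradicts the description in the same hunk, which lists "2.1.0-p0 through 2.1.9, and 2.2.0 through 2.2.5" as affected: with this range 2.1.9 and 2.2.0–2.2.5 are reported as patched, and the description itself both calls 2.1.9 affected and says the fix "was introduced in Ruby 2.1.9". The bullet `- NOTE: Unclear where the patches where applied.` (typo: "were") records that the boundary was never verified; please resolve it against the fix commit before merge and express the result per series as CVE-2016-2338.yml on this page does (a `~>` range for 2.1, one for 2.2, then a `>=` range), since a version database entry whose range disagrees with its own text will misreport affected installs either way. The "Versions affected:" block and its three bullets are internal notes placed inside the rendered `description: |`; a notes field, if the schema has one, or a `#` comment above the key is the better home for them.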
@@ -14,9 +15,20 @@ description: |
   attacker can make the unintentional directory traversal.
 
   All users running an affected release should upgrade immediately.
+cvss_v2: 7.5
+cvss_v3: 9.1
 patched_versions:
   - "~> 2.2.10"
   - "~> 2.3.7"
   - "~> 2.4.4"
   - "~> 2.5.1"
   - "> 2.6.0-preview1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-8780
+    - https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released
+    - https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released
+    - https://github.com/advisories/GHSA-fphx-j9v2-w2cx
diff --git a/rubies/ruby/CVE-2022-28738.yml b/rubies/ruby/CVE-2022-28738.yml
index b7280846f2..8d9e1dcb31 100644
--- a/rubies/ruby/CVE-2022-28738.yml
+++ b/rubies/ruby/CVE-2022-28738.yml
@@ -1,18 +1,37 @@
 ---
 engine: ruby
 cve: 2022-28738
+ghsa: 8pqg-8p79-j5j8
 url: https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738/
 title: Double free in Regexp compilation
 date: 2022-04-12
 description: |
-  A double-free vulnerability is discovered in Regexp compilation. This vulnerability has been assigned the CVE identifier CVE-2022-28738. We strongly recommend upgrading Ruby.
+  A double-free vulnerability is discovered in Regexp compilation. This
+  vulnerability has been assigned the CVE identifier CVE-2022-28738.
+  We strongly recommend upgrading Ruby.
 
-  Due to a bug in the Regexp compilation process, creating a Regexp object with a crafted source string could cause the same memory to be freed twice. This is known as a “double free” vulnerability. Note that, in general, it is considered unsafe to create and use a Regexp object generated from untrusted input. In this case, however, following a comprehensive assessment, we treat this issue as a vulnerability.
+  Due to a bug in the Regexp compilation process, creating a Regexp
+  object with a crafted source string could cause the same memory to
+  be freed twice. This is known as a “double free” vulnerability. Note
+  that, in general, it is considered unsafe to create and use a Regexp
+  object generated from untrusted input. In this case, however,
+  following a comprehensive assessment, we treat this issue as a vulnerability.
 
-  Please update Ruby to 3.0.4, or 3.1.2.
+  Please update Ruby to 3.0.4 or 3.1.2.
+cvss_v2: 7.5
+cvss_v3: 9.8
 patched_versions:
   - "~> 3.0.4"
   - ">= 3.1.2"
 unaffected_versions:
   - "~> 2.6.0"
   - "~> 2.7.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-28738
+    - https://www.ruby-lang.org/en/news/2022/04/12/double-free-in-regexp-compilation-cve-2022-28738
+    - https://hackerone.com/reports/1220911
+    - https://security-tracker.debian.org/tracker/CVE-2022-28738
+    - https://security.netapp.com/advisory/ntap-20220624-0002
+    - https://security.gentoo.org/glsa/202401-27
+    - https://github.com/advisories/GHSA-8pqg-8p79-j5j8

From 2c106a399104cf9e2f2bd28dd463bdcb421f7033 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Mon, 12 Jan 2026 18:13:29 -0800
Subject: [PATCH 2/6] Fix typo in the `title:` of CVE-2011-4121.yml

---
 rubies/ruby/CVE-2011-4121.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2011-4121.yml b/rubies/ruby/CVE-2011-4121.yml
index 483634a4f0..947cc3e44f 100644
--- a/rubies/ruby/CVE-2011-4121.yml
+++ b/rubies/ruby/CVE-2011-4121.yml
@@ -3,7 +3,7 @@ engine: ruby
 cve: 2011-4121
 ghsa: mjg4-5rfj-952f
 url: https://github.com/advisories/GHSA-mjg4-5rfj-952f
-title: Private Ruby OpenSSL RSA key generation is alway "1"
+title: Private Ruby OpenSSL RSA key generation is always "1"
 date: 2019-11-26
 description: |
   The OpenSSL extension of Ruby (Git trunk) versions after

From 74adf689e5b2740c5fefc07a690ed2b105990cea Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 13 Jan 2026 09:46:22 -0500
Subject: [PATCH 3/6] Change URL for CVE-2011-4121 to NVD

Updated CVE-2011-4121 YAML file to change the URL to the NVD.
---
 rubies/ruby/CVE-2011-4121.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2011-4121.yml b/rubies/ruby/CVE-2011-4121.yml
index 947cc3e44f..9a75056eed 100644
--- a/rubies/ruby/CVE-2011-4121.yml
+++ b/rubies/ruby/CVE-2011-4121.yml
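Review bot: The rewrapped second paragraph under `description: |` leaves its last line, `following a comprehensive assessment, we treat this issue as a vulnerability.`, noticeably longer than the width every other rewrapped line in this hunk keeps to; breaking it after `issue` so that `as a vulnerability.` starts a new line keeps the block consistent. The rest of the hunk (ghsa, cvss and related additions) follows the same layout as the other modified entry in this series.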
@@ -2,7 +2,7 @@
 engine: ruby
 cve: 2011-4121
 ghsa: mjg4-5rfj-952f
-url: https://github.com/advisories/GHSA-mjg4-5rfj-952f
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-4121
 title: Private Ruby OpenSSL RSA key generation is always "1"
 date: 2019-11-26
 description: |

From 54e11e92d0cba5445dbb35f86755fd5947e5124c Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 13 Jan 2026 09:47:03 -0500
Subject: [PATCH 4/6] Update CVE-2016-2337 URL to NVD

---
 rubies/ruby/CVE-2016-2337.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2016-2337.yml b/rubies/ruby/CVE-2016-2337.yml
index 042f53123d..563d87071a 100644
--- a/rubies/ruby/CVE-2016-2337.yml
+++ b/rubies/ruby/CVE-2016-2337.yml
@@ -2,7 +2,7 @@
 engine: ruby
 cve: 2016-2337
 ghsa: f58m-77qc-8gjv
-url: https://github.com/advisories/GHSA-f58m-77qc-8gjv
+url: https://nvd.nist.gov/vuln/detail/CVE-2016-2337
 title: Type confusion exists in _cancel_eval Ruby's TclTkIp class
 date: 2017-01-06
 description: |

From b0101aa2bdf597af8e3a2f62c8070c6ece1b7020 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 13 Jan 2026 09:48:00 -0500
Subject: [PATCH 5/6] Change CVE-2016-2338 URL to NVD

Updated the CVE URL to point to NVD instead of GitHub.
---
 rubies/ruby/CVE-2016-2338.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2016-2338.yml b/rubies/ruby/CVE-2016-2338.yml
index 1657a823f4..0ba886b4e2 100644
--- a/rubies/ruby/CVE-2016-2338.yml
+++ b/rubies/ruby/CVE-2016-2338.yml
@@ -2,7 +2,7 @@
 engine: ruby
 cve: 2016-2338
 ghsa: r46x-xjwr-8v2g
-url: https://github.com/advisories/GHSA-r46x-xjwr-8v2g
+url: https://nvd.nist.gov/vuln/detail/CVE-2016-2338
 title: Exploitable heap overflow vulnerability exists
   in Ruby's Psych::Emitter start_document function
 date: 2022-09-28

From 182e956a264fdac8ebc92b8b3a967dde2dfc1d0a Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 13 Jan 2026 09:48:59 -0500
Subject: [PATCH 6/6] Change CVE-2016-2339 URL to NVD

Updated the URL for CVE-2016-2339 to point to NVD.
---
 rubies/ruby/CVE-2016-2339.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rubies/ruby/CVE-2016-2339.yml b/rubies/ruby/CVE-2016-2339.yml
index 9448ac43bc..3b91566653 100644
--- a/rubies/ruby/CVE-2016-2339.yml
+++ b/rubies/ruby/CVE-2016-2339.yml
@@ -2,7 +2,7 @@
 engine: ruby
 cve: 2016-2339
 ghsa: c4w7-m676-pcvp
-url: https://github.com/advisories/GHSA-c4w7-m676-pcvp
+url: https://nvd.nist.gov/vuln/detail/CVE-2016-2339
 title: Ruby 2.1 has exploitable heap overflow vulnerability
 date: 2017-01-06
 description: |