 |
Inicial ▼ Bookkeeping
Online ▼ Auditorias ▼
DNS
Administrado ▼
Acerca de DNS
Ordenar/Renovar
Preguntas Frecuentes
AUP
Dynamic DNS Clients
Configurar Dominios Dynamic DNS Update Password Monitoreo
de Redes ▼
Enterprise
Avanzado
Estándarr
Prueba
Preguntas Frecuentes
Resumen de Precio/Funciones
Ordenar
Muestras
Configure/Status Alert Profiles | ||
| ID de Prueba: | 1.3.6.1.4.1.25623.1.1.2.2020.1443 |
| Categoría: | Huawei EulerOS Local Security Checks |
| Título: | Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1443) |
| Resumen: | The remote host is missing an update for the Huawei EulerOS 'ruby' package(s) announced via the EulerOS-SA-2020-1443 advisory. |
| Descripción: | Summary: The remote host is missing an update for the Huawei EulerOS 'ruby' package(s) announced via the EulerOS-SA-2020-1443 advisory. Vulnerability Insight: An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.(CVE-2019-8321) An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service condition.(CVE-2017-9229) An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in mbc_enc_len() during regular expression searching. Invalid handling of reg->dmin in forward_search_range() could result in an invalid pointer dereference, as an out-of-bounds read from a stack buffer.(CVE-2017-9227) An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state transition. An incorrect state transition in parse_char_class() could create an execution path that leaves a critical local variable uninitialized until it's used as an index, resulting in an out-of-bounds write memory corruption.(CVE-2017-9228) An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.(CVE-2017-9224) A SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands in a SMTP session in order to facilitate phishing attacks or spam campaigns.(CVE-2015-9096) Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion. This could result in a Denial Of Service attack. There are no such structures used within SSL/TLS that come from untrusted sources so this is considered safe. Fixed in OpenSSL 1.1.0h (Affected 1.1.0-1.1.0g). Fixed in OpenSSL 1.0.2o (Affected 1.0.2b-1.0.2n).(CVE-2016-7798) RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to ... [Please see the references for more information on the vulnerabilities] Affected Software/OS: 'ruby' package(s) on Huawei EulerOS Virtualization 3.0.2.2. Solution: Please install the updated package(s). CVSS Score: 7.5 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Referencia Cruzada: |
Common Vulnerability Exposure (CVE) ID: CVE-2015-9096 Debian Security Information: DSA-3966 (Google Search) https://www.debian.org/security/2017/dsa-3966 http://www.mbsd.jp/Whitepaper/smtpi.pdf https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee https://github.com/rubysec/ruby-advisory-db/issues/215 https://hackerone.com/reports/137631 https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html Common Vulnerability Exposure (CVE) ID: CVE-2016-7798 BugTraq ID: 93031 http://www.securityfocus.com/bid/93031 http://www.openwall.com/lists/oss-security/2016/09/19/9 http://www.openwall.com/lists/oss-security/2016/09/30/6 http://www.openwall.com/lists/oss-security/2016/10/01/2 Common Vulnerability Exposure (CVE) ID: CVE-2017-9224 BugTraq ID: 101244 http://www.securityfocus.com/bid/101244 RedHat Security Advisories: RHSA-2018:1296 https://access.redhat.com/errata/RHSA-2018:1296 Common Vulnerability Exposure (CVE) ID: CVE-2017-9227 BugTraq ID: 100538 http://www.securityfocus.com/bid/100538 Common Vulnerability Exposure (CVE) ID: CVE-2017-9228 Common Vulnerability Exposure (CVE) ID: CVE-2017-9229 Common Vulnerability Exposure (CVE) ID: CVE-2019-8321 https://hackerone.com/reports/317330 https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html SuSE Security Announcement: openSUSE-SU-2019:1771 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html |
| Copyright | Copyright (C) 2020 Greenbone Networks GmbH |
| Esta es sólo una de 99761 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora. |