FKIE_CVE-2025-46551
Vulnerability from fkie_nvd - Published: 2025-05-07 17:15 - Updated: 2025-10-21 15:36
Summary
JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely, is affected. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jruby:jruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "D217AD9C-EA41-4AA8-A3E3-EA3483EA2DF7",
"versionEndExcluding": "9.4.12.1",
"versionStartIncluding": "9.3.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:10.0.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5BDF8AF0-D6E3-4FAA-8236-792675DD7F58",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby-openssl:*:*:*:*:*:*:*:*",
"matchCriteriaId": "223D72E4-9CD6-4B53-9B98-6C34E0ABFE60",
"versionEndExcluding": "0.15.4",
"versionStartIncluding": "0.12.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1."
},
{
"lang": "es",
"value": "JRuby-OpenSSL es una gema complementaria para JRuby que emula la librer\u00eda nativa Ruby OpenSSL. A partir de la versi\u00f3n 0.12.1 de JRuby-OpenSSL y anteriores a la 0.15.4 (correspondientes a las versiones de JRuby 9.3.4.0 anteriores a la 9.4.12.1 y 10.0.0.0 anteriores a la 10.0.0.1), al verificar certificados SSL, JRuby-OpenSSL no verifica que el nombre de host presentado en el certificado coincida con el del usuario al que intenta conectarse. Esto significa que un intermediario podr\u00eda presentar cualquier certificado v\u00e1lido para un dominio completamente diferente al suyo, y JRuby lo aceptar\u00eda. Cualquiera que use JRuby para realizar solicitudes a API externas o para rastrear datos web que dependan de https para conectarse de forma segura. La versi\u00f3n 0.15.4 de JRuby-OpenSSL contiene una soluci\u00f3n para este problema. Esta correcci\u00f3n est\u00e1 incluida en las versiones 10.0.0.1 y 9.4.12.1 de JRuby."
}
],
"id": "CVE-2025-46551",
"lastModified": "2025-10-21T15:36:54.783",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "PROOF_OF_CONCEPT",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2025-05-07T17:15:58.153",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Vendor Advisory"
],
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-295"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
FKIE_CVE-2012-5370
Vulnerability from fkie_nvd - Published: 2012-11-28 13:03 - Updated: 2025-04-11 00:51
Summary
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jruby:jruby:-:*:*:*:*:*:*:*",
"matchCriteriaId": "C7AC52FE-91E7-40C9-B4DE-AD35FB630397",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
},
{
"lang": "es",
"value": "JRuby calcula los valores de hash sin restringir la posibilidad de provocar colisiones hash previsibles, lo que permite a atacantes dependientes de contexto provocar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de la manipulaci\u00f3n de una entrada para la aplicaci\u00f3n que mantiene la tabla de valores hash, como lo demuestra un ataque universal multicolision contra el algoritmo MurmurHash2, es una vulnerabilidad diferente a CVE-2011-4838."
}
],
"id": "CVE-2012-5370",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2012-11-28T13:03:10.057",
"references": [
{
"source": "cve@mitre.org",
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"source": "cve@mitre.org",
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"source": "cve@mitre.org",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"source": "cve@mitre.org",
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2010-1330
Vulnerability from fkie_nvd - Published: 2012-11-23 19:55 - Updated: 2025-04-11 00:51
Summary
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| jruby | jruby | * | |
| jruby | jruby | 0.9.0 | |
| jruby | jruby | 0.9.1 | |
| jruby | jruby | 0.9.2 | |
| jruby | jruby | 0.9.8 | |
| jruby | jruby | 0.9.9 | |
| jruby | jruby | 1.0.0 | |
| jruby | jruby | 1.0.0 | |
| jruby | jruby | 1.0.0 | |
| jruby | jruby | 1.0.0 | |
| jruby | jruby | 1.0.1 | |
| jruby | jruby | 1.0.2 | |
| jruby | jruby | 1.0.3 | |
| jruby | jruby | 1.1 | |
| jruby | jruby | 1.1 | |
| jruby | jruby | 1.1 | |
| jruby | jruby | 1.1 | |
| jruby | jruby | 1.1 | |
| jruby | jruby | 1.1.1 | |
| jruby | jruby | 1.1.2 | |
| jruby | jruby | 1.1.3 | |
| jruby | jruby | 1.1.4 | |
| jruby | jruby | 1.1.5 | |
| jruby | jruby | 1.1.6 | |
| jruby | jruby | 1.1.6 | |
| jruby | jruby | 1.2.0 | |
| jruby | jruby | 1.2.0 | |
| jruby | jruby | 1.2.0 | |
| jruby | jruby | 1.3.0 | |
| jruby | jruby | 1.3.0 | |
| jruby | jruby | 1.3.0 | |
| jruby | jruby | 1.3.1 | |
| jruby | jruby | 1.4.0 | |
| jruby | jruby | 1.4.0 | |
| jruby | jruby | 1.4.0 | |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jruby:jruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "B80E8A57-557B-4D0D-B8E1-5ACFC3864076",
"versionEndIncluding": "1.4.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:0.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E8ECBD08-C9A8-4792-AA14-86DCF91ADD89",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:0.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "48B3DCBA-8AE8-4881-BC18-0E42744C1BA2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:0.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "07D80333-29EC-4B02-BA8E-C0AE60BE6995",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:0.9.8:*:*:*:*:*:*:*",
"matchCriteriaId": "19C4CED7-9603-4DCD-A4A2-E4C7347E6012",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:0.9.9:*:*:*:*:*:*:*",
"matchCriteriaId": "DA5DA067-102D-4E1D-B4AD-D8BF8AF91784",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "AE7F90C2-F634-44F7-AD72-87510766CA70",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "711C01B9-73B3-4AD9-B2EF-EB6B1CEB0CAC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "65C64ADD-B3D5-4B61-B14A-8DEEB2E1454E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "98C80996-F729-4995-9A47-8A702B1FE3E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "11128A71-8F6D-433A-AC80-676F9037A1C4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B3044A80-8363-4D7B-AB01-CADBFA3E1924",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "20D15245-4C9C-4908-B8E2-4A2911411D24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "61AC6C28-AFE2-452F-9A41-C2D6C8325F22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1:beta1:*:*:*:*:*:*",
"matchCriteriaId": "E1CD53B5-AF00-4BC0-8EFF-90A9B0E59AD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1:rc1:*:*:*:*:*:*",
"matchCriteriaId": "ABBB5044-5CE4-4468-AFFC-33EB990B439D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1:rc2:*:*:*:*:*:*",
"matchCriteriaId": "68690546-7A76-461F-BBE1-75A7623941C7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1:rc3:*:*:*:*:*:*",
"matchCriteriaId": "63D29E5A-E9D1-42E5-BC0C-178346C2BC9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "94054B2C-AB94-4933-93E5-614066161723",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E985731A-CBC1-4062-A7C4-2F024814EBEC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "448C60BB-3AA6-4ED5-A331-F44F03C1A73F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "12940080-34DE-423B-81FE-FE11077FD2E9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "9A2435BC-A0C7-4AFC-87A5-6D8DD61213BD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "FA36C6E8-FD6D-4837-9215-4E435002C872",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.1.6:rc1:*:*:*:*:*:*",
"matchCriteriaId": "FC70B7A2-C2A5-4C3F-A1EA-8E75615E427B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5DF36A49-C7CA-443A-A417-280E2A9441DA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.2.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "41A7FE25-F683-4F98-8775-87BA051ABCC8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.2.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "5589BD4B-5D43-48C7-81CE-3B2D95430862",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "56EAA3B9-30D0-4AF2-B62B-1EC7500A6FDA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.3.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "349F615A-2049-448E-BE34-97BA95B671AE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.3.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "25DFE1EC-A25C-4117-94AB-703F8BFA22B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "81F0914B-600F-4B85-B014-B31B9D04C5B8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.4.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "7CEDA605-20AC-4BA4-B5AF-F50F1E568A59",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.4.0:rc2:*:*:*:*:*:*",
"matchCriteriaId": "6007AD9D-D375-45C6-AC10-54EB3C493EDC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:jruby:jruby:1.4.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "54071574-B344-468D-B331-0B354B15633D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The regular expression engine in JRuby before 1.4.1, when $KCODE is set to \u0027u\u0027, does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
},
{
"lang": "es",
"value": "El motor de expresiones regulares en JRuby anterior a v1.4.1, cuando $KCODE est\u00e1 fijado en \u0027u\u0027, no trata correctamente los caracteres inmediatamente despu\u00e9s de caracteres UTF-8, permitiendo a atacantes remotos realizar ataques de tipo \"cross-site scripting\" (XSS) mediante una cadena manipulada."
}
],
"id": "CVE-2010-1330",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2012-11-23T19:55:01.273",
"references": [
{
"source": "cve@mitre.org",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46891"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"source": "cve@mitre.org",
"url": "http://www.osvdb.org/77297"
},
{
"source": "cve@mitre.org",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"source": "cve@mitre.org",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"source": "cve@mitre.org",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/46891"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Patch",
"Vendor Advisory"
],
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.osvdb.org/77297"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2011-4838
Vulnerability from fkie_nvd - Published: 2011-12-30 01:55 - Updated: 2025-04-11 00:51
Summary
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
References
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:jruby:jruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F3DE8162-6FF2-4CDC-B66A-3D06AE5D7CB5",
"versionEndExcluding": "1.6.5.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."
},
{
"lang": "es",
"value": "JRuby anterior a v1.6.5.1 calcula los valores de hash sin restringir la capacidad de desencadenar colisiones hash predecible, que permite a atacantes dependientes de contexto causar una denegaci\u00f3n de servicio (consumo de CPU) a trav\u00e9s de entrada dise\u00f1ado para una aplicaci\u00f3n que mantiene una tabla hash."
}
],
"id": "CVE-2011-4838",
"lastModified": "2025-04-11T00:51:21.963",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2011-12-30T01:55:01.500",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Vendor Advisory"
],
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/47407"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/50084"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/47407"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://secunia.com/advisories/50084"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2025-46551 (GCVE-0-2025-46551)
Vulnerability from cvelistv5 – Published: 2025-05-07 16:12 – Updated: 2025-05-07 20:17
Summary
JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely, is affected. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1.
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| jruby | jruby-openssl | Affected: >= 0.12.1, < 0.15.4 | | |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46551",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T20:15:30.815503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T20:17:32.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jruby-openssl",
"vendor": "jruby",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.12.1, \u003c 0.15.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T16:13:58.555Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
},
{
"name": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285"
}
],
"source": {
"advisory": "GHSA-72qj-48g4-5xgx",
"discovery": "UNKNOWN"
},
"title": "JRuby-OpenSSL has hostname verification disabled by default"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46551",
"datePublished": "2025-05-07T16:12:23.771Z",
"dateReserved": "2025-04-24T21:10:48.173Z",
"dateUpdated": "2025-05-07T20:17:32.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5370 (GCVE-0-2012-5370)
Vulnerability from cvelistv5 – Published: 2012-11-28 11:00 – Updated: 2024-08-06 21:05
Summary
JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"name": "RHSA-2013:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-11-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-01-13T17:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"name": "RHSA-2013:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5370",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=880671",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"name": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf",
"refsource": "MISC",
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"name": "https://www.131002.net/data/talks/appsec12_slides.pdf",
"refsource": "MISC",
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"name": "http://2012.appsec-forum.ch/conferences/#c17",
"refsource": "MISC",
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"name": "http://www.ocert.org/advisories/ocert-2012-001.html",
"refsource": "MISC",
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"name": "RHSA-2013:0533",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5370",
"datePublished": "2012-11-28T11:00:00",
"dateReserved": "2012-10-10T00:00:00",
"dateUpdated": "2024-08-06T21:05:47.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-1330 (GCVE-0-2010-1330)
Vulnerability from cvelistv5 – Published: 2012-11-23 19:00 – Updated: 2024-08-07 01:21
Summary
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u' (UTF-8 mode), does not properly handle the character immediately following a (multi-byte) UTF-8 character. A remote attacker can supply a crafted string to conduct cross-site scripting (XSS) attacks — presumably because regex-based escaping or sanitization of user input can be made to skip the character that follows a UTF-8 sequence; see the vendor advisory linked below for the exact conditions. Fixed in JRuby 1.4.1; the Red Hat (RHSA-2011:1456) and Gentoo references cover distribution packages.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T01:21:18.254Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"name": "RHSA-2011:1456",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"name": "77297",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/77297"
},
{
"name": "46891",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46891"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"name": "jruby-expression-engine-xss(80277)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The regular expression engine in JRuby before 1.4.1, when $KCODE is set to \u0027u\u0027, does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"name": "RHSA-2011:1456",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"name": "77297",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/77297"
},
{
"name": "46891",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46891"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"name": "jruby-expression-engine-xss(80277)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-1330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The regular expression engine in JRuby before 1.4.1, when $KCODE is set to \u0027u\u0027, does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=750306",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"name": "RHSA-2011:1456",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=317435",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"name": "77297",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/77297"
},
{
"name": "46891",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46891"
},
{
"name": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html",
"refsource": "CONFIRM",
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"name": "jruby-expression-engine-xss(80277)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-1330",
"datePublished": "2012-11-23T19:00:00",
"dateReserved": "2010-04-08T00:00:00",
"dateUpdated": "2024-08-07T01:21:18.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4838 (GCVE-0-2011-4838)
Vulnerability from cvelistv5 – Published: 2011-12-30 01:00 – Updated: 2024-08-07 00:16
Summary
JRuby before 1.6.5.1 computes hash values without restricting an attacker's ability to trigger hash collisions predictably (hash flooding), which allows context-dependent attackers — typically anyone who can choose the keys inserted into an application's Hash, for example via web request parameters — to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. This is the JRuby instance of the December 2011 n.runs "DoS through hash table" disclosure (n.runs-SA-2011.004 / VU#903934 / oCERT-2011-003, referenced below); it is fixed in JRuby 1.6.5.1. Note that the later CVE-2012-5370 is tracked as a separate, distinct vulnerability (a universal multicollision attack against MurmurHash2) and should be checked independently of this fix.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:16:34.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "jruby-hash-dos(72019)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "47407",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/47407"
},
{
"name": "VU#903934",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "RHSA-2012:1232",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "GLSA-201207-06",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-12-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "jruby-hash-dos(72019)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "47407",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/47407"
},
{
"name": "VU#903934",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "RHSA-2012:1232",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "GLSA-201207-06",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4838",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.nruns.com/_downloads/advisory28122011.pdf",
"refsource": "MISC",
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "jruby-hash-dos(72019)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"name": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html",
"refsource": "CONFIRM",
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"name": "50084",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/50084"
},
{
"name": "47407",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/47407"
},
{
"name": "VU#903934",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "RHSA-2012:1232",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "GLSA-201207-06",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"name": "http://www.ocert.org/advisories/ocert-2011-003.html",
"refsource": "MISC",
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4838",
"datePublished": "2011-12-30T01:00:00",
"dateReserved": "2011-12-15T00:00:00",
"dateUpdated": "2024-08-07T00:16:34.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-46551 (GCVE-0-2025-46551)
Vulnerability from nvd – Published: 2025-05-07 16:12 – Updated: 2025-05-07 20:17
Summary
JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions from 9.3.4.0 prior to 9.4.12.1, and 10.0.0.0 prior to 10.0.0.1), when verifying SSL/TLS server certificates, JRuby-OpenSSL does not check that the hostname in the certificate (its Subject Alternative Name / Common Name) matches the host the client is trying to connect to — the certificate itself must still be valid, but hostname verification is effectively disabled by default. A network attacker in a man-in-the-middle position can therefore present any CA-issued certificate for a completely different domain they control, and the JRuby client will accept it and complete the TLS handshake with the attacker. Anybody using JRuby to make requests to external APIs, or to scrape the web, who depends on HTTPS to connect securely is affected. JRuby-OpenSSL version 0.15.4 contains a fix for the issue; the fix is included in JRuby versions 10.0.0.1 and 9.4.12.1. Until upgraded, applications should not treat a successful TLS handshake from JRuby as proof of the peer's identity.
Severity: CVSS 4.0 base score 5.7 (MEDIUM), vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P, as assigned by the CNA (GitHub_M) in the record below; CISA SSVC: Exploitation=poc, Automatable=no, Technical Impact=partial. Note that the CNA vector scores confidentiality impact as None; deployments whose HTTPS traffic carries sensitive data may want to reassess that locally, since an accepted impostor certificate places the attacker in the middle of the connection.
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| jruby | jruby-openssl | Affected: >= 0.12.1, < 0.15.4 |

Only the gem is listed here; per the description above, JRuby distributions that bundle an affected gem version (JRuby 9.3.4.0 up to but not including 9.4.12.1, and JRuby 10.0.0.0) are affected as well, and the fixed gem ships in JRuby 9.4.12.1 and 10.0.0.1.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-46551",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-07T20:15:30.815503Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T20:17:32.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "jruby-openssl",
"vendor": "jruby",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.12.1, \u003c 0.15.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby OpenSSL native library. Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4 (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1 and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates, JRuby-OpenSSL does not verify that the hostname presented in the certificate matches the one the user tries to connect to. This means a man-in-the-middle could just present any valid cert for a completely different domain they own, and JRuby would accept the cert. Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely. JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix is included in JRuby versions 10.0.0.1 and 9.4.12.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295: Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-07T16:13:58.555Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
},
{
"name": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285"
}
],
"source": {
"advisory": "GHSA-72qj-48g4-5xgx",
"discovery": "UNKNOWN"
},
"title": "JRuby-OpenSSL has hostname verification disabled by default"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-46551",
"datePublished": "2025-05-07T16:12:23.771Z",
"dateReserved": "2025-04-24T21:10:48.173Z",
"dateUpdated": "2025-05-07T20:17:32.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2012-5370 (GCVE-0-2012-5370)
Vulnerability from nvd – Published: 2012-11-28 11:00 – Updated: 2024-08-06 21:05
Summary
JRuby computes hash values without properly restricting an attacker's ability to trigger hash collisions predictably, which allows context-dependent attackers (typically anyone who can choose the keys that end up in an application's Hash, e.g. via request parameter names) to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. It was demonstrated by a universal multicollision attack against the MurmurHash2 algorithm — "universal" meaning the colliding inputs are independent of the hash seed, so per-process seed randomization alone does not prevent it. This is a different vulnerability than CVE-2011-4838 (the earlier 2011 hash-flooding issue fixed in JRuby 1.6.5.1). This record lists no affected or fixed JRuby version; consult the Red Hat bug and RHSA-2013:0533 references below for the shipped fix.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.188Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"name": "RHSA-2013:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-11-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-01-13T17:57:00",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"name": "RHSA-2013:0533",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2012-5370",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=880671",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=880671"
},
{
"name": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf",
"refsource": "MISC",
"url": "http://asfws12.files.wordpress.com/2012/11/asfws2012-jean_philippe_aumasson-martin_bosslet-hash_flooding_dos_reloaded.pdf"
},
{
"name": "https://www.131002.net/data/talks/appsec12_slides.pdf",
"refsource": "MISC",
"url": "https://www.131002.net/data/talks/appsec12_slides.pdf"
},
{
"name": "http://2012.appsec-forum.ch/conferences/#c17",
"refsource": "MISC",
"url": "http://2012.appsec-forum.ch/conferences/#c17"
},
{
"name": "http://www.ocert.org/advisories/ocert-2012-001.html",
"refsource": "MISC",
"url": "http://www.ocert.org/advisories/ocert-2012-001.html"
},
{
"name": "RHSA-2013:0533",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-0533.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2012-5370",
"datePublished": "2012-11-28T11:00:00",
"dateReserved": "2012-10-10T00:00:00",
"dateUpdated": "2024-08-06T21:05:47.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2010-1330 (GCVE-0-2010-1330)
Vulnerability from nvd – Published: 2012-11-23 19:00 – Updated: 2024-08-07 01:21
Summary
The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u' (UTF-8 mode), does not properly handle the character immediately following a (multi-byte) UTF-8 character. A remote attacker can supply a crafted string to conduct cross-site scripting (XSS) attacks — presumably because regex-based escaping or sanitization of user input can be made to skip the character that follows a UTF-8 sequence; see the vendor advisory linked below for the exact conditions. Fixed in JRuby 1.4.1; the Red Hat (RHSA-2011:1456) and Gentoo references cover distribution packages.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T01:21:18.254Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"name": "RHSA-2011:1456",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"name": "77297",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://www.osvdb.org/77297"
},
{
"name": "46891",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46891"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"name": "jruby-expression-engine-xss(80277)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2010-04-26T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The regular expression engine in JRuby before 1.4.1, when $KCODE is set to \u0027u\u0027, does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-16T14:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"name": "RHSA-2011:1456",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"name": "77297",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://www.osvdb.org/77297"
},
{
"name": "46891",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46891"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"name": "jruby-expression-engine-xss(80277)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2010-1330",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The regular expression engine in JRuby before 1.4.1, when $KCODE is set to \u0027u\u0027, does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=750306",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=750306"
},
{
"name": "RHSA-2011:1456",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2011-1456.html"
},
{
"name": "https://bugs.gentoo.org/show_bug.cgi?id=317435",
"refsource": "MISC",
"url": "https://bugs.gentoo.org/show_bug.cgi?id=317435"
},
{
"name": "77297",
"refsource": "OSVDB",
"url": "http://www.osvdb.org/77297"
},
{
"name": "46891",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46891"
},
{
"name": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html",
"refsource": "CONFIRM",
"url": "http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"
},
{
"name": "jruby-expression-engine-xss(80277)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/80277"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2010-1330",
"datePublished": "2012-11-23T19:00:00",
"dateReserved": "2010-04-08T00:00:00",
"dateUpdated": "2024-08-07T01:21:18.254Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4838 (GCVE-0-2011-4838)
Vulnerability from nvd – Published: 2011-12-30 01:00 – Updated: 2024-08-07 00:16
Summary
JRuby before 1.6.5.1 computes hash values without restricting an attacker's ability to trigger hash collisions predictably (hash flooding), which allows context-dependent attackers — typically anyone who can choose the keys inserted into an application's Hash, for example via web request parameters — to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. This is the JRuby instance of the December 2011 n.runs "DoS through hash table" disclosure (n.runs-SA-2011.004 / VU#903934 / oCERT-2011-003, referenced below); it is fixed in JRuby 1.6.5.1. Note that the later CVE-2012-5370 is tracked as a separate, distinct vulnerability (a universal multicollision attack against MurmurHash2) and should be checked independently of this fix.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:16:34.943Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "jruby-hash-dos(72019)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "47407",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/47407"
},
{
"name": "VU#903934",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN",
"x_transferred"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "RHSA-2012:1232",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ",
"x_transferred"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "GLSA-201207-06",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-12-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "jruby-hash-dos(72019)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"name": "50084",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/50084"
},
{
"name": "47407",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/47407"
},
{
"name": "VU#903934",
"tags": [
"third-party-advisory",
"x_refsource_CERT-VN"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "RHSA-2012:1232",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"tags": [
"mailing-list",
"x_refsource_BUGTRAQ"
],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "GLSA-201207-06",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4838",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.nruns.com/_downloads/advisory28122011.pdf",
"refsource": "MISC",
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "jruby-hash-dos(72019)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/72019"
},
{
"name": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html",
"refsource": "CONFIRM",
"url": "http://jruby.org/2011/12/27/jruby-1-6-5-1.html"
},
{
"name": "50084",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/50084"
},
{
"name": "47407",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/47407"
},
{
"name": "VU#903934",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "RHSA-2012:1232",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2012-1232.html"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "GLSA-201207-06",
"refsource": "GENTOO",
"url": "http://security.gentoo.org/glsa/glsa-201207-06.xml"
},
{
"name": "http://www.ocert.org/advisories/ocert-2011-003.html",
"refsource": "MISC",
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4838",
"datePublished": "2011-12-30T01:00:00",
"dateReserved": "2011-12-15T00:00:00",
"dateUpdated": "2024-08-07T00:16:34.943Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}