var-202204-0855
Vulnerability from variot
There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.0.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
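The affected ranges in the description above, turned into a check you can run against the local interpreter or against a list of version strings collected from hosts. This is an added example, not code from Ruby, NVD or any of the vendor advisories quoted on this page; the constant and method names, the :affected/:fixed verdicts and the sample inventory are this example's own.

```ruby
# Added example for this page: not code from Ruby, NVD, or any vendor
# advisory quoted here. The version ranges are copied from the
# CVE-2022-28739 description; the constant and method names and the
# :affected / :fixed verdicts are this example's own conventions.
require "rubygems" # Gem::Version compares "2.6.10" > "2.6.9" numerically

# [first affected version (inclusive; nil = no lower bound),
#  first fixed version (exclusive)]
CVE_2022_28739_AFFECTED_RANGES = [
  [nil,     "2.6.10"], # "Ruby before 2.6.10" (so 2.5.x and older count too)
  ["2.7.0", "2.7.6"],  # "2.7.x before 2.7.6"
  ["3.0.0", "3.0.4"],  # "3.0.x before 3.0.4"
  ["3.1.0", "3.1.2"],  # "3.1.x before 3.1.2"
].freeze

# Classify an upstream Ruby version string. Returns :affected when it
# falls inside one of the ranges, :fixed otherwise. Gem::Version raises
# ArgumentError for strings that are not version numbers, which is the
# right outcome for junk collected from a host inventory.
def cve_2022_28739_status(version_string)
  v = Gem::Version.new(version_string.to_s.strip)
  hit = CVE_2022_28739_AFFECTED_RANGES.any? do |low, high|
    (low.nil? || v >= Gem::Version.new(low)) && v < Gem::Version.new(high)
  end
  hit ? :affected : :fixed
end

# Verdict for the interpreter running this script.
def running_ruby_status
  cve_2022_28739_status(RUBY_VERSION)
end

# Given {host => upstream version string}, return the hosts still in an
# affected range. The input shape is an assumption of this example, e.g.
# the output of `ruby -e 'puts RUBY_VERSION'` gathered per host.
def hosts_needing_patch(inventory)
  inventory.each_with_object([]) do |(host, version), out|
    out << host if cve_2022_28739_status(version) == :affected
  end
end

if $PROGRAM_NAME == __FILE__
  puts "this interpreter (#{RUBY_VERSION}): #{running_ruby_status}"
  # Constructed sample inventory, not real hosts.
  sample = {
    "web-1" => "2.5.1", "web-2" => "2.6.10", "api-1" => "2.7.5",
    "api-2" => "3.0.2", "ci-1" => "3.0.4",   "ci-2" => "3.1.2",
  }
  puts "patch: #{hosts_needing_patch(sample).join(', ')}"
end
```

One caveat before trusting the verdict on a distribution build: vendors often backport the fix without moving the upstream version string. The Ubuntu notice further down fixes 22.04 LTS in libruby3.0 3.0.2-7ubuntu2.1, whose interpreter still reports RUBY_VERSION 3.0.2 and would be flagged :affected here, while the Red Hat update for RHEL 9 rebases to 3.0.4 and so does change the string. On packaged Rubies, compare the package version against the vendor's advisory rather than relying on RUBY_VERSION alone.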
Bug Fix(es):

* rh-ruby30 ruby: User-installed rubygems plugins are not being loaded (BZ#2128629)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
====================================================================
Red Hat Security Advisory
Synopsis:          Moderate: ruby security, bug fix, and enhancement update
Advisory ID:       RHSA-2022:6585-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6585
Issue date:        2022-09-20
CVE Names:         CVE-2022-28738 CVE-2022-28739
====================================================================
1. Summary:
An update for ruby is now available for Red Hat Enterprise Linux 9.
Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
2. Relevant releases/architectures:

Red Hat CodeReady Linux Builder (v. 9) - noarch
Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
The following packages have been upgraded to a later upstream version: ruby (3.0.4). (BZ#2109428)
Security Fix(es):
* Ruby: Double free in Regexp compilation (CVE-2022-28738)

* Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
4. Solution:
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):

2075685 - CVE-2022-28738 Ruby: Double free in Regexp compilation
2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion
2109428 - ruby:3.0/ruby: Rebase to the latest Ruby 3.0 release [rhel-9] [rhel-9.0.0.z]

6. Package List:
Red Hat Enterprise Linux AppStream (v. 9):
Source:
ruby-3.0.4-160.el9_0.src.rpm

aarch64:
ruby-3.0.4-160.el9_0.aarch64.rpm
ruby-debuginfo-3.0.4-160.el9_0.aarch64.rpm
ruby-debugsource-3.0.4-160.el9_0.aarch64.rpm
ruby-devel-3.0.4-160.el9_0.aarch64.rpm
ruby-libs-3.0.4-160.el9_0.aarch64.rpm
ruby-libs-debuginfo-3.0.4-160.el9_0.aarch64.rpm
rubygem-bigdecimal-3.0.0-160.el9_0.aarch64.rpm
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.aarch64.rpm
rubygem-io-console-0.5.7-160.el9_0.aarch64.rpm
rubygem-io-console-debuginfo-0.5.7-160.el9_0.aarch64.rpm
rubygem-json-2.5.1-160.el9_0.aarch64.rpm
rubygem-json-debuginfo-2.5.1-160.el9_0.aarch64.rpm
rubygem-psych-3.3.2-160.el9_0.aarch64.rpm
rubygem-psych-debuginfo-3.3.2-160.el9_0.aarch64.rpm

noarch:
ruby-default-gems-3.0.4-160.el9_0.noarch.rpm
rubygem-bundler-2.2.33-160.el9_0.noarch.rpm
rubygem-irb-1.3.5-160.el9_0.noarch.rpm
rubygem-minitest-5.14.2-160.el9_0.noarch.rpm
rubygem-power_assert-1.2.0-160.el9_0.noarch.rpm
rubygem-rake-13.0.3-160.el9_0.noarch.rpm
rubygem-rbs-1.4.0-160.el9_0.noarch.rpm
rubygem-rdoc-6.3.3-160.el9_0.noarch.rpm
rubygem-rexml-3.2.5-160.el9_0.noarch.rpm
rubygem-rss-0.2.9-160.el9_0.noarch.rpm
rubygem-test-unit-3.3.7-160.el9_0.noarch.rpm
rubygem-typeprof-0.15.2-160.el9_0.noarch.rpm
rubygems-3.2.33-160.el9_0.noarch.rpm
rubygems-devel-3.2.33-160.el9_0.noarch.rpm

ppc64le:
ruby-3.0.4-160.el9_0.ppc64le.rpm
ruby-debuginfo-3.0.4-160.el9_0.ppc64le.rpm
ruby-debugsource-3.0.4-160.el9_0.ppc64le.rpm
ruby-devel-3.0.4-160.el9_0.ppc64le.rpm
ruby-libs-3.0.4-160.el9_0.ppc64le.rpm
ruby-libs-debuginfo-3.0.4-160.el9_0.ppc64le.rpm
rubygem-bigdecimal-3.0.0-160.el9_0.ppc64le.rpm
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.ppc64le.rpm
rubygem-io-console-0.5.7-160.el9_0.ppc64le.rpm
rubygem-io-console-debuginfo-0.5.7-160.el9_0.ppc64le.rpm
rubygem-json-2.5.1-160.el9_0.ppc64le.rpm
rubygem-json-debuginfo-2.5.1-160.el9_0.ppc64le.rpm
rubygem-psych-3.3.2-160.el9_0.ppc64le.rpm
rubygem-psych-debuginfo-3.3.2-160.el9_0.ppc64le.rpm

s390x:
ruby-3.0.4-160.el9_0.s390x.rpm
ruby-debuginfo-3.0.4-160.el9_0.s390x.rpm
ruby-debugsource-3.0.4-160.el9_0.s390x.rpm
ruby-devel-3.0.4-160.el9_0.s390x.rpm
ruby-libs-3.0.4-160.el9_0.s390x.rpm
ruby-libs-debuginfo-3.0.4-160.el9_0.s390x.rpm
rubygem-bigdecimal-3.0.0-160.el9_0.s390x.rpm
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.s390x.rpm
rubygem-io-console-0.5.7-160.el9_0.s390x.rpm
rubygem-io-console-debuginfo-0.5.7-160.el9_0.s390x.rpm
rubygem-json-2.5.1-160.el9_0.s390x.rpm
rubygem-json-debuginfo-2.5.1-160.el9_0.s390x.rpm
rubygem-psych-3.3.2-160.el9_0.s390x.rpm
rubygem-psych-debuginfo-3.3.2-160.el9_0.s390x.rpm

x86_64:
ruby-3.0.4-160.el9_0.i686.rpm
ruby-3.0.4-160.el9_0.x86_64.rpm
ruby-debuginfo-3.0.4-160.el9_0.i686.rpm
ruby-debuginfo-3.0.4-160.el9_0.x86_64.rpm
ruby-debugsource-3.0.4-160.el9_0.i686.rpm
ruby-debugsource-3.0.4-160.el9_0.x86_64.rpm
ruby-devel-3.0.4-160.el9_0.i686.rpm
ruby-devel-3.0.4-160.el9_0.x86_64.rpm
ruby-libs-3.0.4-160.el9_0.i686.rpm
ruby-libs-3.0.4-160.el9_0.x86_64.rpm
ruby-libs-debuginfo-3.0.4-160.el9_0.i686.rpm
ruby-libs-debuginfo-3.0.4-160.el9_0.x86_64.rpm
rubygem-bigdecimal-3.0.0-160.el9_0.x86_64.rpm
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.i686.rpm
rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.x86_64.rpm
rubygem-io-console-0.5.7-160.el9_0.x86_64.rpm
rubygem-io-console-debuginfo-0.5.7-160.el9_0.i686.rpm
rubygem-io-console-debuginfo-0.5.7-160.el9_0.x86_64.rpm
rubygem-json-2.5.1-160.el9_0.x86_64.rpm
rubygem-json-debuginfo-2.5.1-160.el9_0.i686.rpm
rubygem-json-debuginfo-2.5.1-160.el9_0.x86_64.rpm
rubygem-psych-3.3.2-160.el9_0.x86_64.rpm
rubygem-psych-debuginfo-3.3.2-160.el9_0.i686.rpm
rubygem-psych-debuginfo-3.3.2-160.el9_0.x86_64.rpm
Red Hat CodeReady Linux Builder (v. 9):
noarch: ruby-doc-3.0.4-160.el9_0.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
7. References:

https://access.redhat.com/security/cve/CVE-2022-28738
https://access.redhat.com/security/cve/CVE-2022-28739
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2022 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYypfvtzjgjWX9erEAQjaXQ/+LfzraWPwLDEBfxU87XekVmDQn/KHLw0Q
TPgRpDtvfVkmSDDCEvYvvMOYSW3MdNmNJOwPhQyJT3cBrq0zHUog0ejoJO5jV3B1
rOStJ/EfwskmCVaPehhJvGfrKVr2l6Uo8SH0zrLMKBtqd42/GrO2eiDs/xxhVq5U
wvgecfUQY8lfpJ25ELa/081aAe4Cg4NN7WShf7DFJ2tw+f/IguCWi+CHZoavv3AQ
T7So/dbIjFJmliaPcTkvW02m+JHxNGduXJfelMXB72eyJR7/jEK7OvfE89a18yZ8
P38biUIPZFNaLW1SN62GnA8Qby6g9C/1x+pXssEQ6fo1qJPk/bW6qYfPWWM4Op5N
VsTFDx7EAZRCQFnyczTcaUE7g9s4ZovK4qMqTZq9BhP25m9yisvV1jizNpSU6vMi
h37/Mi0gcOOcjbtj8Nlbtx+QsHFJvOgTjDIiwPVllMpxygWjSRRnR+LBoTHCPlP2
ZG5q8MGwZAIfzKSP9Fjg58rJoiWnzyJWFLEym38lfrrjch21CtgaKm28wrKQ18PC
7GQ/A/rARWMfAKnFYEO4zF07kidgTwyVJI5RJv8b9x4vLo7/G80CVDXIYjEDP4FR
7fNpEfc9/owximR5WpTds3GfzTDSKzNonHX/oNhIaJLkQ27RTSPXORzxtAsz2a6j
jbIYxx9rQto=
=komJ
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

=========================================================================
Ubuntu Security Notice USN-5462-1
June 06, 2022

ruby2.5, ruby2.7, ruby3.0 vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 22.04 LTS
- Ubuntu 21.10
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in Ruby.

An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-28738)
It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2022-28739)
Update instructions:
The problem can be corrected by updating your system to the following package versions:
Ubuntu 22.04 LTS:
  libruby3.0    3.0.2-7ubuntu2.1
  ruby3.0       3.0.2-7ubuntu2.1

Ubuntu 21.10:
  libruby2.7    2.7.4-1ubuntu3.2
  ruby2.7       2.7.4-1ubuntu3.2

Ubuntu 20.04 LTS:
  libruby2.7    2.7.0-5ubuntu1.7
  ruby2.7       2.7.0-5ubuntu1.7

Ubuntu 18.04 LTS:
  libruby2.5    2.5.1-1ubuntu1.12
  ruby2.5       2.5.1-1ubuntu1.12
In general, a standard system update will make all the necessary changes.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

APPLE-SA-2022-10-27-6 Additional information for APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1
macOS Monterey 12.6.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213494.
AppleMobileFileIntegrity
Available for: macOS Monterey
Impact: An app may be able to modify protected parts of the file system
Description: This issue was addressed by removing additional entitlements.
CVE-2022-42825: Mickey Jin (@patch1t)

Audio
Available for: macOS Monterey
Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information
Description: The issue was addressed with improved memory handling.
CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative
Entry added October 27, 2022

Kernel
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue was addressed with improved state management.
CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai
Entry added October 27, 2022

Kernel
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A race condition was addressed with improved locking.
CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom)
Entry added October 27, 2022

Kernel
Available for: macOS Monterey
Impact: An app may be able to execute arbitrary code with kernel privileges
Description: A logic issue was addressed with improved checks.
CVE-2022-42801: Ian Beer of Google Project Zero
Entry added October 27, 2022

ppp
Available for: macOS Monterey
Impact: A buffer overflow may result in arbitrary code execution
Description: The issue was addressed with improved bounds checks.
CVE-2022-32941: an anonymous researcher
Entry added October 27, 2022

Ruby
Available for: macOS Monterey
Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution
Description: A memory corruption issue was addressed by updating Ruby to version 2.6.10.
CVE-2022-28739

Sandbox
Available for: macOS Monterey
Impact: An app with root privileges may be able to access private information
Description: This issue was addressed with improved data protection.
CVE-2022-32862: an anonymous researcher

zlib
Available for: macOS Monterey
Impact: A user may be able to cause unexpected app termination or arbitrary code execution
Description: This issue was addressed with improved checks.
CVE-2022-37434: Evgeny Legerov
CVE-2022-42800: Evgeny Legerov
Entry added October 27, 2022
Additional recognition

Calendar
We would like to acknowledge an anonymous researcher for their assistance.

macOS Monterey 12.6.1 may be obtained from the Mac App Store or Apple's Software Downloads web site:
https://support.apple.com/downloads/
All information is also posted on the Apple Security Updates web site:
https://support.apple.com/en-us/HT201222
Structured record data (VARIoT entry VAR-202204-0855, https://www.variotdbs.pl/vuln/VAR-202204-0855)

Affected products (source: NVD, CVE-2022-28739):
- ruby-lang ruby: before 2.6.10
- ruby-lang ruby: 2.7.0 up to (excluding) 2.7.6
- ruby-lang ruby: 3.0.0 up to (excluding) 3.0.4
- ruby-lang ruby: 3.1.0 up to (excluding) 3.1.2
- debian linux: 9.0, 10.0, 11.0
- apple macos: 11.0 up to (excluding) 11.7.1
- apple macos: 12.0 up to (excluding) 12.6.1

CPE configuration (NVD, CVE_data_version 4.0; every node is marked vulnerable and the nodes are OR-joined):
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*  versionStartIncluding 3.1.0, versionEndExcluding 3.1.2
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*  versionStartIncluding 3.0.0, versionEndExcluding 3.0.4
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*  versionStartIncluding 2.7.0, versionEndExcluding 2.7.6
- cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*  versionEndExcluding 2.6.10
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*  versionStartIncluding 12.0, versionEndExcluding 12.6.1
- cpe:2.3:o:apple:macos:*:*:*:*:*:*:*:*  versionStartIncluding 11.0, versionEndExcluding 11.7.1

CVSS:
- NVD, CVSS v3.1: base score 7.5 (HIGH), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, exploitability 3.9, impact 3.6
- NVD, CVSS v2.0: base score 4.3 (MEDIUM), vector AV:N/AC:M/Au:N/C:P/I:N/A:N, exploitability 8.6, impact 2.9
- VULHUB (VHN-420273), CVSS v2.0: base score 4.3 (MEDIUM), same v2 vector
- VULMON (CVE-2022-28739), CVSS v2.0: base score 4.3 (MEDIUM), same v2 vector
- Severity as recorded: NVD HIGH (trust 1.0); VULHUB MEDIUM (trust 0.1); VULMON MEDIUM (trust 0.1)

Credits: Red Hat (from Packet Storm 168692, 168445, 168360; trust 0.3)

Description sources (trust 1.71): NVD CVE-2022-28739; VULHUB VHN-420273; VULMON CVE-2022-28739; Packet Storm 167421, 167425, 168360, 168445, 168692, 169552, 169566

External IDs:
- NVD: CVE-2022-28739 (trust 1.9)
- HackerOne: 1248108 (trust 1.2)
- Packet Storm: 167421, 167425, 168360, 168692, 169552, 169566 (trust 0.2 each); 167654, 168357, 168445, 168691, 169553, 169577 (trust 0.1 each)
- VULHUB: VHN-420273 (trust 0.1)
- VULMON: CVE-2022-28739 (trust 0.1)
- ICS CERT: ICSA-24-046-11 (trust 0.1)

IoT flag: true (source VULHUB VHN-420273, trust 0.01)

Last update date: 2024-07-23T21:20:06.909000Z

Patches and vendor advisories (each trust 0.1; links are the vulmon.com aggregator entries as recorded):
- Debian CVElist Bug Report Logs: ruby3.0: CVE-2022-28739
  https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=4f290816c3711b33b2aedd7bdd7e13d8
- Ubuntu Security Notice: USN-5462-1: Ruby vulnerabilities
  https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=usn-5462-1
- Ubuntu Security Notice: USN-5462-2: Ruby vulnerability
  https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=usn-5462-2
- Amazon Linux AMI: ALAS-2022-1638
  https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=alas-2022-1638
- Red Hat: Moderate: ruby:2.6 security, bug fix, and enhancement update (RHSA-2022:5338)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20225338 - security advisory
- Red Hat: Moderate: ruby security, bug fix, and enhancement update (RHSA-2022:6585)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20226585 - security advisory
- Red Hat: Moderate: ruby:2.7 security, bug fix, and enhancement update (RHSA-2022:6447)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20226447 - security advisory
- Red Hat: Moderate: ruby:3.0 security, bug fix, and enhancement update (RHSA-2022:6450)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20226450 - security advisory
- Red Hat: Moderate: rh-ruby27-ruby security, bug fix, and enhancement update (RHSA-2022:6856)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20226856 - security advisory
- Red Hat: Moderate: ruby:2.5 security update (RHSA-2023:7025)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20237025 - security advisory
- Arch Linux Issues: CVE-2022-28739
  https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=cve-2022-28739
- Amazon Linux 2: ALASRUBY2.6-2023-001
  https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=alasruby2.6-2023-001
- Amazon Linux 2: ALAS2-2022-1853
  https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=alas2-2022-1853
- Red Hat: Moderate: rh-ruby30-ruby security, bug fix, and enhancement update (RHSA-2022:6855)
  https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=rhsa-20226855 - security advisory
- Amazon Linux 2: ALASRUBY3.0-2023-002
  https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=alasruby3.0-2023-002
- Ruby Advisory Database
  https://github.com/rubysec/ruby-advisory-db
- Ruby Advisory Database (second entry; its URL is missing from the record)
"https://github.com/jasnow/585-652-ruby-advisory-db " }, { "title": "veracode-container-security-finding-parser", "trust": 0.1, "url": "https://github.com/vincent-deng/veracode-container-security-finding-parser " } ], "sources": [ { "db": "VULMON", "id": "CVE-2022-28739" } ] }, "problemtype_data": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "problemtype": "CWE-125", "trust": 1.1 } ], "sources": [ { "db": "VULHUB", "id": "VHN-420273" }, { "db": "NVD", "id": "CVE-2022-28739" } ] }, "references": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/references#", "data": { "@container": "@list" }, "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": [ { "trust": 1.2, "url": "http://seclists.org/fulldisclosure/2022/oct/28" }, { "trust": 1.2, "url": "http://seclists.org/fulldisclosure/2022/oct/29" }, { "trust": 1.2, "url": "http://seclists.org/fulldisclosure/2022/oct/30" }, { "trust": 1.2, "url": "http://seclists.org/fulldisclosure/2022/oct/41" }, { "trust": 1.2, "url": "http://seclists.org/fulldisclosure/2022/oct/42" }, { "trust": 1.2, "url": "https://hackerone.com/reports/1248108" }, { "trust": 1.2, "url": "https://security-tracker.debian.org/tracker/cve-2022-28739" }, { "trust": 1.2, "url": "https://security.netapp.com/advisory/ntap-20220624-0002/" }, { "trust": 1.2, "url": "https://support.apple.com/kb/ht213488" }, { "trust": 1.2, "url": "https://support.apple.com/kb/ht213493" }, { "trust": 1.2, "url": "https://support.apple.com/kb/ht213494" }, { "trust": 1.2, "url": "https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/" }, { "trust": 1.1, "url": "https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html" }, { "trust": 1.1, "url": "https://security.gentoo.org/glsa/202401-27" }, { "trust": 0.7, "url": 
"https://nvd.nist.gov/vuln/detail/cve-2022-28739" }, { "trust": 0.3, "url": "https://ubuntu.com/security/notices/usn-5462-1" }, { "trust": 0.3, "url": "https://access.redhat.com/articles/11258" }, { "trust": 0.3, "url": "https://bugzilla.redhat.com/):" }, { "trust": 0.3, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-28738" }, { "trust": 0.3, "url": "https://access.redhat.com/security/team/contact/" }, { "trust": 0.3, "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "trust": 0.3, "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce" }, { "trust": 0.3, "url": "https://access.redhat.com/security/cve/cve-2022-28739" }, { "trust": 0.3, "url": "https://access.redhat.com/security/team/key/" }, { "trust": 0.2, "url": "https://ubuntu.com/security/notices/usn-5462-2" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-41819" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2022-28738" }, { "trust": 0.2, "url": "https://access.redhat.com/security/cve/cve-2021-41817" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41819" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41817" }, { "trust": 0.2, "url": "https://support.apple.com/ht213494." }, { "trust": 0.2, "url": "https://support.apple.com/en-us/ht201222." 
}, { "trust": 0.2, "url": "https://support.apple.com/downloads/" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32862" }, { "trust": 0.2, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42825" }, { "trust": 0.2, "url": "https://www.apple.com/support/security/pgp/" }, { "trust": 0.1, "url": "https://cwe.mitre.org/data/definitions/125.html" }, { "trust": 0.1, "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009956" }, { "trust": 0.1, "url": "https://nvd.nist.gov" }, { "trust": 0.1, "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-11" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:6855" }, { "trust": 0.1, "url": "https://access.redhat.com/security/cve/cve-2021-41816" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2021-41816" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:6585" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.1" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/ruby2.7/2.7.4-1ubuntu3.2" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.12" }, { "trust": 0.1, "url": "https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.7" }, { "trust": 0.1, "url": "https://access.redhat.com/errata/rhsa-2022:6447" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42798" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-37434" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42801" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32944" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42803" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-42800" }, { "trust": 0.1, "url": "https://nvd.nist.gov/vuln/detail/cve-2022-32941" } ], "sources": [ { "db": "VULHUB", "id": "VHN-420273" }, { "db": "VULMON", "id": "CVE-2022-28739" }, { "db": "PACKETSTORM", 
"id": "168692" }, { "db": "PACKETSTORM", "id": "168445" }, { "db": "PACKETSTORM", "id": "167421" }, { "db": "PACKETSTORM", "id": "168360" }, { "db": "PACKETSTORM", "id": "169566" }, { "db": "PACKETSTORM", "id": "169552" }, { "db": "PACKETSTORM", "id": "167425" }, { "db": "NVD", "id": "CVE-2022-28739" } ] }, "sources": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#", "data": { "@container": "@list" } }, "data": [ { "db": "VULHUB", "id": "VHN-420273" }, { "db": "VULMON", "id": "CVE-2022-28739" }, { "db": "PACKETSTORM", "id": "168692" }, { "db": "PACKETSTORM", "id": "168445" }, { "db": "PACKETSTORM", "id": "167421" }, { "db": "PACKETSTORM", "id": "168360" }, { "db": "PACKETSTORM", "id": "169566" }, { "db": "PACKETSTORM", "id": "169552" }, { "db": "PACKETSTORM", "id": "167425" }, { "db": "NVD", "id": "CVE-2022-28739" } ] }, "sources_release_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-05-09T00:00:00", "db": "VULHUB", "id": "VHN-420273" }, { "date": "2022-05-09T00:00:00", "db": "VULMON", "id": "CVE-2022-28739" }, { "date": "2022-10-11T16:06:57", "db": "PACKETSTORM", "id": "168692" }, { "date": "2022-09-21T13:50:28", "db": "PACKETSTORM", "id": "168445" }, { "date": "2022-06-07T15:13:54", "db": "PACKETSTORM", "id": "167421" }, { "date": "2022-09-13T15:44:10", "db": "PACKETSTORM", "id": "168360" }, { "date": "2022-10-31T14:25:29", "db": "PACKETSTORM", "id": "169566" }, { "date": "2022-10-31T14:19:21", "db": "PACKETSTORM", "id": "169552" }, { "date": "2022-06-07T15:15:31", "db": "PACKETSTORM", "id": "167425" }, { "date": "2022-05-09T18:15:08.540000", "db": "NVD", "id": "CVE-2022-28739" } ] }, "sources_update_date": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#", "data": { "@container": "@list" } }, "data": [ { "date": "2022-11-08T00:00:00", "db": "VULHUB", "id": "VHN-420273" }, { "date": "2024-01-24T00:00:00", "db": 
"VULMON", "id": "CVE-2022-28739" }, { "date": "2024-01-24T05:15:12.390000", "db": "NVD", "id": "CVE-2022-28739" } ] }, "title": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/title#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "Red Hat Security Advisory 2022-6855-01", "sources": [ { "db": "PACKETSTORM", "id": "168692" } ], "trust": 0.1 }, "type": { "@context": { "@vocab": "https://www.variotdbs.pl/ref/type#", "sources": { "@container": "@list", "@context": { "@vocab": "https://www.variotdbs.pl/ref/sources#" } } }, "data": "overflow, spoof", "sources": [ { "db": "PACKETSTORM", "id": "168692" } ], "trust": 0.1 } }
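Added practitioner example (not part of the VARIoT record above or of any vendor advisory it aggregates): a Ruby script that classifies an interpreter's upstream version against the fixed releases published in the ruby-lang.org advisory linked in the references (2.6.10, 2.7.6, 3.0.4, 3.1.2), and a strict pre-validation wrapper for untrusted strings handed to Kernel#Float, one of the affected String-to-Float entry points. The fixed-version table is copied from that advisory; the function names, the :fixed / :vulnerable / :eol_unfixed labels and the STRICT_DECIMAL grammar are this example's own choices, not anything Ruby or a vendor publishes.

```ruby
# Added example for CVE-2022-28739 (buffer over-read in Ruby's String-to-Float
# conversion, reachable through Kernel#Float and String#to_f). Not taken from
# the VARIoT record or any vendor advisory; see assumptions in comments.

require "rubygems"   # Gem::Version is part of Ruby's standard library

# First fixed release in each affected series, as published in the upstream
# ruby-lang.org advisory. 3.2 and later were released after the fix; 2.5 and
# earlier were end-of-life upstream and only received vendor backports.
CVE_2022_28739_FIXED = {
  "2.6" => Gem::Version.new("2.6.10"),
  "2.7" => Gem::Version.new("2.7.6"),
  "3.0" => Gem::Version.new("3.0.4"),
  "3.1" => Gem::Version.new("3.1.2"),
}.freeze

# Classifies an upstream Ruby version string as :fixed, :vulnerable or
# :eol_unfixed. CAVEAT: distribution packages (Red Hat, Ubuntu, Debian, Apple)
# backport the patch without changing RUBY_VERSION, so :vulnerable means only
# "the upstream version predates the fix"; confirm against the package version
# reported by the package manager before treating the host as exposed.
def cve_2022_28739_status(version_string = RUBY_VERSION)
  version  = Gem::Version.new(version_string)
  series   = version.segments.first(2).join(".")
  fixed_in = CVE_2022_28739_FIXED[series]
  if fixed_in
    version >= fixed_in ? :fixed : :vulnerable
  elsif version >= Gem::Version.new("3.2.0")
    :fixed        # series that never shipped the bug
  else
    :eol_unfixed  # no upstream fix for this series; rely on vendor backports
  end
end

# Conservative decimal grammar (this example's own choice): optional sign,
# digits, optional fraction, optional exponent. It deliberately rejects the
# extra forms Kernel#Float accepts (digit separators such as "1_000", hex
# floats such as "0x1p3", surrounding whitespace) so that the native parser
# only ever sees input whose shape and length we have already bounded.
STRICT_DECIMAL = /\A[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?\z/

# Converts `input` to Float only when it matches STRICT_DECIMAL; otherwise
# returns nil so the caller decides whether that is an error or a default.
def safe_float(input)
  return nil unless input.is_a?(String) && input.match?(STRICT_DECIMAL)
  Float(input)
end

if __FILE__ == $PROGRAM_NAME
  puts "Ruby #{RUBY_VERSION}: #{cve_2022_28739_status}"
  # Constructed sample inputs, mixing well-formed decimals with forms the
  # wrapper is meant to refuse.
  ["3.14", "-2e10", "1_000.5", "0x1p3", " 42 ", "abc"].each do |s|
    puts "#{s.inspect} => #{safe_float(s).inspect}"
  end
end
```

The version check is a triage aid, not proof of exposure: the Ubuntu package versions listed in the references (for example ruby2.7 2.7.0-5ubuntu1.7) carry the fix while still reporting RUBY_VERSION 2.7.0, so on distribution-packaged interpreters compare the installed package version with the vendor advisory rather than trusting the upstream number. The pre-validation wrapper is defence in depth for code that must parse untrusted numeric strings before the interpreter can be updated; it does not remove the need to patch.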