AlmaLinux 8 : ruby:2.6 (ALSA-2021:2588)

high Nessus Plugin ID 179413

Synopsis

The remote AlmaLinux host is missing one or more security updates.

Description

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:2588 advisory.

- Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. (CVE-2019-15845)

- WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network. (CVE-2019-16201)

- Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF. (CVE-2019-16254)

- Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the command argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. (CVE-2019-16255)

- Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with insecure permissions as a storage location for gems, if locations under the user's home directory are not available. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in this directory that would be later loaded and executed. (CVE-2019-3881)

- The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application- dependent. (CVE-2020-10663)

- An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the buffer string provides the previous value of the heap. This may expose possibly sensitive data from the interpreter. (CVE-2020-10933)

- An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. (CVE-2020-25613)

- The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing. (CVE-2021-28965)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://errata.almalinux.org/8/ALSA-2021-2588.html

Plugin Details

Severity: High

ID: 179413

File Name: alma_linux_ALSA-2021-2588.nasl

Version: 1.0

Type: local

Published: 8/7/2023

Updated: 8/7/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2019-16255

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:alma:linux:ruby, p-cpe:/a:alma:linux:ruby-devel, p-cpe:/a:alma:linux:ruby-doc, p-cpe:/a:alma:linux:ruby-libs, p-cpe:/a:alma:linux:rubygem-abrt, p-cpe:/a:alma:linux:rubygem-abrt-doc, p-cpe:/a:alma:linux:rubygem-bigdecimal, p-cpe:/a:alma:linux:rubygem-bson, p-cpe:/a:alma:linux:rubygem-bson-doc, p-cpe:/a:alma:linux:rubygem-bundler, p-cpe:/a:alma:linux:rubygem-did_you_mean, p-cpe:/a:alma:linux:rubygem-io-console, p-cpe:/a:alma:linux:rubygem-irb, p-cpe:/a:alma:linux:rubygem-json, p-cpe:/a:alma:linux:rubygem-minitest, p-cpe:/a:alma:linux:rubygem-mongo, p-cpe:/a:alma:linux:rubygem-mongo-doc, p-cpe:/a:alma:linux:rubygem-mysql2, p-cpe:/a:alma:linux:rubygem-mysql2-doc, p-cpe:/a:alma:linux:rubygem-net-telnet, p-cpe:/a:alma:linux:rubygem-openssl, p-cpe:/a:alma:linux:rubygem-pg, p-cpe:/a:alma:linux:rubygem-pg-doc, p-cpe:/a:alma:linux:rubygem-power_assert, p-cpe:/a:alma:linux:rubygem-psych, p-cpe:/a:alma:linux:rubygem-rake, p-cpe:/a:alma:linux:rubygem-rdoc, p-cpe:/a:alma:linux:rubygem-test-unit, p-cpe:/a:alma:linux:rubygem-xmlrpc, p-cpe:/a:alma:linux:rubygems, p-cpe:/a:alma:linux:rubygems-devel, cpe:/o:alma:linux:8, cpe:/o:alma:linux:8::appstream

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/AlmaLinux/release, Host/AlmaLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/29/2021

Vulnerability Publication Date: 11/26/2019

Reference Information

CVE: CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2019-3881, CVE-2020-10663, CVE-2020-10933, CVE-2020-25613, CVE-2021-28965

CWE: 113, 20, 200, 400, 41, 444, 552, 611, 626, 805, 94