
Commit 71b990b

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@6177cf5
1 parent e112fc1 commit 71b990b

4 files changed

Lines changed: 12 additions & 1 deletion


advisories/_posts/2025-10-07-CVE-2025-61594.md

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ advisory:
99
gem: uri
1010
cve: 2025-61594
1111
ghsa: j4pr-3wm6-xx2r
12-
url: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
12+
url: https://github.com/advisories/GHSA-j4pr-3wm6-xx2r
1313
title: CVE-2025-61594 - URI Credential Leakage Bypass over CVE-2025-27221
1414
date: 2025-10-07
1515
description: |-
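Review bot: the primary `url:` at 12+ now points at the GitHub advisory page for GHSA-j4pr-3wm6-xx2r instead of the ruby-lang.org announcement; the announcement is still present under `related: url:` further down this file, so no reference is lost, but since the commit message says these posts are regenerated from ruby-advisory-db@6177cf5, it is worth a quick check that the upstream entry made the same swap rather than this being a hand edit to the generated post.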
@@ -35,15 +35,19 @@ advisory:
3535
3636
Thanks to junfuchong (chongfujun) for discovering this issue.
3737
Also thanks to nobu for additional fixes of this vulnerability.
38+
cvss_v3: 7.5
39+
cvss_v4: 2.1
3840
patched_versions:
3941
- "~> 0.12.5"
4042
- "~> 0.13.3"
4143
- ">= 1.0.4"
4244
related:
4345
url:
46+
- https://nvd.nist.gov/vuln/detail/CVE-2025-61594
4447
- https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
4548
- https://rubygems.org/gems/uri/versions/1.0.4
4649
- https://rubygems.org/gems/uri/versions/0.13.3
4750
- https://rubygems.org/gems/uri/versions/0.12.5
4851
- https://github.com/ruby/uri
52+
- https://github.com/advisories/GHSA-j4pr-3wm6-xx2r
4953
---
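Review bot: the two scores added at 38+/39+ sit three severity bands apart (cvss_v3: 7.5 is High, cvss_v4: 2.1 is Low), the widest gap among the four posts in this commit; recording which of the newly linked sources (NVD at 46+, the GHSA at 52+) each score was taken from would stop the discrepancy from reading as a typo. The GHSA link added at 52+ also repeats the primary `url:` set earlier in this file, so one of the two is redundant.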

advisories/_posts/2026-03-10-CVE-2026-1776.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@ advisory:
2626
access sensitive files such as /etc/passwd. This issue represents a
2727
bypass of the incomplete fix for CVE-2024-46987 and affects
2828
deployments using the AWS S3 storage backend.
29+
cvss_v3: 6.5
2930
cvss_v4: 6.0
3031
unaffected_versions:
3132
- "< 2.4.5.0"
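Review bot: style point only: `cvss_v3: 6.5` at 29+ goes in ahead of the existing `cvss_v4: 6.0`, matching the v3-then-v4 order used in the other posts touched by this commit, and here both scores fall in the Medium band, so no cross-check is needed. The new key sits directly after the `description: |-` block scalar, so its indentation has to match the other top-level advisory keys (`unaffected_versions:` below it) for the block to terminate; the rendered diff strips leading whitespace, so that is worth confirming in the raw file.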

advisories/_posts/2026-03-25-CVE-2026-33658.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -22,12 +22,15 @@ advisory:
2222
ranges in an HTTP Range header. A request with thousands of small
2323
ranges causes disproportionate CPU usage compared to a normal
2424
request for the same file, possibly resulting in a DoS vulnerability.
25+
cvss_v3: 6.5
26+
cvss_v4: 2.3
2527
patched_versions:
2628
- "~> 7.2.3, >= 7.2.3.1"
2729
- "~> 8.0.4, >= 8.0.4.1"
2830
- ">= 8.1.2.1"
2931
related:
3032
url:
33+
- https://nvd.nist.gov/vuln/detail/CVE-2026-33658
3134
- https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906
3235
- https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
3336
- https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch
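Review bot: `cvss_v3: 6.5` and `cvss_v4: 2.3` at 25+/26+ again land in different bands (Medium versus Low) for what the description calls a possible DoS via thousands of small byte ranges; if the site renders a single headline severity, decide once which vector wins and apply that rule to all four posts in this commit. The NVD link at 33+ is placed first in `related: url:`, ahead of the Rails discussion thread and release post, consistent with the other files here.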

advisories/_posts/2026-04-13-CVE-2026-23891.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,11 +38,14 @@ advisory:
3838
[octree](https://octree.ch/) and made by
3939
[Secu Labs](https://seculabs.ch/) against Decidim financed
4040
by the city of Lausanne (Switzerland).
41+
cvss_v3: 8.7
42+
cvss_v4: 9.3
4143
patched_versions:
4244
- "~> 0.30.5"
4345
- ">= 0.31.1"
4446
related:
4547
url:
48+
- https://nvd.nist.gov/vuln/detail/CVE-2026-23891
4649
- https://github.com/decidim/decidim/releases/tag/v0.31.1
4750
- https://github.com/decidim/decidim/releases/tag/v0.30.5
4851
- https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
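Review bot: `cvss_v3: 8.7` (High) versus `cvss_v4: 9.3` (Critical) at 41+/42+ is the one post in this commit where the v4 score is the higher of the pair; worth confirming against the linked GHSA-fc46-r95f-hq7g and the NVD entry added at 48+ that the two values were not swapped between keys. The NVD link goes to the head of `related: url:`, keeping the pattern of the other three posts.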
