{
  "document": {
    "aggregate_severity": {
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      },
      {
        "category": "details",
        "text": "- CVE-2025-27219: fix a potential Denial of Service (DoS) vulnerability in\n  cookie parsing\n- CVE-2025-27220: fix a ReDoS vulnerability in the escapeElement\n  method\n- CVE-2025-27221: fix the URI handling methods (URI.join, URI#merge, URI#+)",
        "title": "Details"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos7els/advisories/2025/clsa-2025_1745585192.json"
      },
      {
        "category": "self",
        "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1745585192",
        "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1745585192"
      }
    ],
    "tracking": {
      "current_release_date": "2025-05-19T15:41:00Z",
      "generator": {
        "date": "2025-05-19T15:41:00Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CLSA-2025:1745585192",
      "initial_release_date": "2025-04-25T12:46:34Z",
      "revision_history": [
        {
          "date": "2025-04-25T12:46:34Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2025-05-19T15:41:00Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "ruby: Fix of 3 CVEs"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 7",
                "product": {
                  "name": "Community Enterprise Operating System 7",
                  "product_id": "CentOS-7",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:7:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
                "product": {
                  "name": "rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
                  "product_id": "rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rubygem-io-console@0.4.2-39.el7_9.tuxcare.els7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
                "product": {
                  "name": "rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
                  "product_id": "rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rubygem-bigdecimal@1.2.0-39.el7_9.tuxcare.els7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
                "product": {
                  "name": "rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
                  "product_id": "rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rubygem-psych@2.0.0-39.el7_9.tuxcare.els7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
                "product": {
                  "name": "ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
                  "product_id": "ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/ruby-devel@2.0.0.648-39.el7_9.tuxcare.els7?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
                "product": {
                  "name": "ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
                  "product_id": "ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/ruby@2.0.0.648-39.el7_9.tuxcare.els7?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
                "product": {
                  "name": "rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
                  "product_id": "rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rubygem-rake@0.9.6-39.el7_9.tuxcare.els7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
                "product": {
                  "name": "rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
                  "product_id": "rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/rubygem-rdoc@4.0.0-39.el7_9.tuxcare.els7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
                "product": {
                  "name": "ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
                  "product_id": "ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/ruby-doc@2.0.0.648-39.el7_9.tuxcare.els7?arch=noarch"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
                "product": {
                  "name": "ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
                  "product_id": "ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/ruby-irb@2.0.0.648-39.el7_9.tuxcare.els7?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686",
                "product": {
                  "name": "ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686",
                  "product_id": "ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/ruby-libs@2.0.0.648-39.el7_9.tuxcare.els7?arch=i686"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i686"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64"
        },
        "product_reference": "rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch"
        },
        "product_reference": "rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch"
        },
        "product_reference": "rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64"
        },
        "product_reference": "rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64"
        },
        "product_reference": "rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64"
        },
        "product_reference": "ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch"
        },
        "product_reference": "ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch"
        },
        "product_reference": "ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64"
        },
        "product_reference": "ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
        "relates_to_product_reference": "CentOS-7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686 as a component of Community Enterprise Operating System 7",
          "product_id": "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
        },
        "product_reference": "ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686",
        "relates_to_product_reference": "CentOS-7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-27221",
      "cwe": {
        "id": "CWE-212",
        "name": "Improper Removal of Sensitive Information Before Storage or Transfer"
      },
      "notes": [
        {
          "category": "description",
          "text": "In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-27221"
        },
        {
          "category": "external",
          "summary": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml",
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/2957667",
          "url": "https://hackerone.com/reports/2957667"
        }
      ],
      "release_date": "2025-03-04T00:15:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Medium"
        }
      ]
    },
    {
      "cve": "CVE-2024-49761",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "description",
          "text": "REXML is an XML toolkit for Ruby. The REXML gem before 3.3.9 has a ReDoS vulnerability when it parses an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). This does not happen with Ruby 3.2 or later. Ruby 3.1 is the only affected maintained Ruby. The REXML gem 3.3.9 or later include the patch to fix the vulnerability.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2024-49761"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f",
          "url": "https://github.com/ruby/rexml/commit/ce59f2eb1aeb371fe1643414f06618dbe031979f"
        },
        {
          "category": "external",
          "summary": "https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m",
          "url": "https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m"
        },
        {
          "category": "external",
          "summary": "https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761",
          "url": "https://www.ruby-lang.org/en/news/2024/10/28/redos-rexml-cve-2024-49761"
        },
        {
          "category": "external",
          "summary": "https://security.netapp.com/advisory/ntap-20241227-0004/",
          "url": "https://security.netapp.com/advisory/ntap-20241227-0004/"
        }
      ],
      "release_date": "2024-10-28T15:15:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    },
    {
      "cve": "CVE-2025-27219",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "notes": [
        {
          "category": "description",
          "text": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-27219"
        },
        {
          "category": "external",
          "summary": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml",
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/2936778",
          "url": "https://hackerone.com/reports/2936778"
        }
      ],
      "release_date": "2025-03-04T00:15:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    },
    {
      "cve": "CVE-2025-27220",
      "cwe": {
        "id": "CWE-1333",
        "name": "Inefficient Regular Expression Complexity"
      },
      "notes": [
        {
          "category": "description",
          "text": "In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
          "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
          "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2025-27220"
        },
        {
          "category": "external",
          "summary": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml",
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"
        },
        {
          "category": "external",
          "summary": "https://hackerone.com/reports/2890322",
          "url": "https://hackerone.com/reports/2890322"
        }
      ],
      "release_date": "2025-03-04T00:15:00",
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "CentOS-7:rubygem-io-console-0:0.4.2-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-rake-0:0.9.6-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-rdoc-0:4.0.0-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:rubygem-bigdecimal-0:1.2.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:rubygem-psych-0:2.0.0-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-devel-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-doc-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-irb-0:2.0.0.648-39.el7_9.tuxcare.els7.noarch",
            "CentOS-7:ruby-0:2.0.0.648-39.el7_9.tuxcare.els7.x86_64",
            "CentOS-7:ruby-libs-0:2.0.0.648-39.el7_9.tuxcare.els7.i686"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "High"
        }
      ]
    }
  ]
}