ID

VAR-202204-0855


CVE

CVE-2022-28739


TITLE

Ruby Buffer error vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-202204-3369

DESCRIPTION

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: rh-ruby27-ruby security, bug fix, and enhancement update Advisory ID: RHSA-2022:6856-01 Product: Red Hat Software Collections Advisory URL: https://access.redhat.com/errata/RHSA-2022:6856 Issue date: 2022-10-11 CVE Names: CVE-2021-41816 CVE-2021-41817 CVE-2021-41819 CVE-2022-28739 ==================================================================== 1. Summary: An update for rh-ruby27-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch, ppc64le, s390x, x86_64 Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: rh-ruby27-ruby (2.7.6). (BZ#2128631) Security Fix(es): * ruby: buffer overflow in CGI.escape_html (CVE-2021-41816) * ruby: Regular expression denial of service vulnerability of Date parsing methods (CVE-2021-41817) * ruby: Cookie prefix spoofing in CGI::Cookie.parse (CVE-2021-41819) * Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2025104 - CVE-2021-41817 ruby: Regular expression denial of service vulnerability of Date parsing methods 2026752 - CVE-2021-41816 ruby: buffer overflow in CGI.escape_html 2026757 - CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse 2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion 2128631 - rh-ruby27-ruby: Rebase to the latest Ruby 2.7 release [rhscl-3] [rhscl-3.8.z] 6. Package List: Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7): Source: rh-ruby27-ruby-2.7.6-131.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.6-131.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-131.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-131.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-131.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-131.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-131.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-131.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-131.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-131.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-131.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-131.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-131.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-131.el7.noarch.rpm ppc64le: rh-ruby27-ruby-2.7.6-131.el7.ppc64le.rpm rh-ruby27-ruby-debuginfo-2.7.6-131.el7.ppc64le.rpm rh-ruby27-ruby-devel-2.7.6-131.el7.ppc64le.rpm rh-ruby27-ruby-libs-2.7.6-131.el7.ppc64le.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-131.el7.ppc64le.rpm rh-ruby27-rubygem-io-console-0.5.6-131.el7.ppc64le.rpm rh-ruby27-rubygem-json-2.3.0-131.el7.ppc64le.rpm rh-ruby27-rubygem-openssl-2.1.3-131.el7.ppc64le.rpm rh-ruby27-rubygem-psych-3.1.0-131.el7.ppc64le.rpm rh-ruby27-rubygem-racc-1.4.16-131.el7.ppc64le.rpm s390x: rh-ruby27-ruby-2.7.6-131.el7.s390x.rpm rh-ruby27-ruby-debuginfo-2.7.6-131.el7.s390x.rpm rh-ruby27-ruby-devel-2.7.6-131.el7.s390x.rpm rh-ruby27-ruby-libs-2.7.6-131.el7.s390x.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-131.el7.s390x.rpm rh-ruby27-rubygem-io-console-0.5.6-131.el7.s390x.rpm rh-ruby27-rubygem-json-2.3.0-131.el7.s390x.rpm rh-ruby27-rubygem-openssl-2.1.3-131.el7.s390x.rpm rh-ruby27-rubygem-psych-3.1.0-131.el7.s390x.rpm rh-ruby27-rubygem-racc-1.4.16-131.el7.s390x.rpm x86_64: rh-ruby27-ruby-2.7.6-131.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.6-131.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.6-131.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.6-131.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-131.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-131.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-131.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.3-131.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-131.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-131.el7.x86_64.rpm Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7): Source: rh-ruby27-ruby-2.7.6-131.el7.src.rpm noarch: rh-ruby27-ruby-doc-2.7.6-131.el7.noarch.rpm rh-ruby27-rubygem-bundler-2.2.24-131.el7.noarch.rpm rh-ruby27-rubygem-did_you_mean-1.4.0-131.el7.noarch.rpm rh-ruby27-rubygem-irb-1.2.6-131.el7.noarch.rpm rh-ruby27-rubygem-minitest-5.13.0-131.el7.noarch.rpm rh-ruby27-rubygem-net-telnet-0.2.0-131.el7.noarch.rpm rh-ruby27-rubygem-power_assert-1.1.7-131.el7.noarch.rpm rh-ruby27-rubygem-rake-13.0.1-131.el7.noarch.rpm rh-ruby27-rubygem-rdoc-6.2.1.1-131.el7.noarch.rpm rh-ruby27-rubygem-test-unit-3.3.4-131.el7.noarch.rpm rh-ruby27-rubygem-xmlrpc-0.3.0-131.el7.noarch.rpm rh-ruby27-rubygems-3.1.6-131.el7.noarch.rpm rh-ruby27-rubygems-devel-3.1.6-131.el7.noarch.rpm x86_64: rh-ruby27-ruby-2.7.6-131.el7.x86_64.rpm rh-ruby27-ruby-debuginfo-2.7.6-131.el7.x86_64.rpm rh-ruby27-ruby-devel-2.7.6-131.el7.x86_64.rpm rh-ruby27-ruby-libs-2.7.6-131.el7.x86_64.rpm rh-ruby27-rubygem-bigdecimal-2.0.0-131.el7.x86_64.rpm rh-ruby27-rubygem-io-console-0.5.6-131.el7.x86_64.rpm rh-ruby27-rubygem-json-2.3.0-131.el7.x86_64.rpm rh-ruby27-rubygem-openssl-2.1.3-131.el7.x86_64.rpm rh-ruby27-rubygem-psych-3.1.0-131.el7.x86_64.rpm rh-ruby27-rubygem-racc-1.4.16-131.el7.x86_64.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2021-41816 https://access.redhat.com/security/cve/CVE-2021-41817 https://access.redhat.com/security/cve/CVE-2021-41819 https://access.redhat.com/security/cve/CVE-2022-28739 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBY0UvxdzjgjWX9erEAQi9PA//fVhNa9hyZTb/kZrIXEt8OtDgZE/mhMod bvrJ9X6LmHS5C5WSGwjlN7qm5tZJ7Y45VT/l2qD/W6SiqG0nulMGDN97/B09vrOd XQk5Q6UmtSVJNju81MMqYL+ZS3SMTq69dKN9dGwj7YaA4QgJPL9ZQjPEmPvaabwd WbWnJmx1x4omc1+KTXlHpKSCFJSRXCo1YFJf90W3uDoWUiVlbTMxUMxJ1+BM/CvF 8YhuWH/aH7ubG2sGsiFpwaqM3t518WxIdhyQIbRsLhj3KaOFYkQQD5v9Zy9Wr9Ts svs74mbBIy4uxnbTdINb+jzSA3CvqXBJseV0e56ZCJ2zh7WPEtht0L+WgVEvdxrw o+gfV7fp95d5VPRfJR1hg+ScMFmqsQEkHe/AQT9dVztxgieD33TvC7ze2vXRiqra cr3XDBvFh5/guAsYtnduJa7JQzkEd2L0KS6pOWpnxdPIIIaL5wy4CT7OzCQzpCnI ZkO/pILOjh2sNc1sxADsTv8hUHQdYa4BRp+vM8bAcrKDRuYkT9Wv5vLOYy/9/lBj lPMk9q2XAc1jFZROFhFt37hCZadcqJlWIXqTURWxKKt4Hr/ULfNfQBhtmogqB02z wHNBJ0jIbjI9ED1cixhflDLRUMXZi5gerGvRoIjIVNMCd7Xfp26vii/zsDlzhUEN 3OLyXI8SVsQ=Z/DV -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-27-8 Additional information for APPLE-SA-2022-10-24-4 macOS Big Sur 11.7.1 macOS Big Sur 11.7.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213493. AppleMobileFileIntegrity Available for: macOS Big Sur Impact: An app may be able to modify protected parts of the file system Description: This issue was addressed by removing additional entitlements. CVE-2022-42825: Mickey Jin (@patch1t) Audio Available for: macOS Big Sur Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative Entry added October 27, 2022 Kernel Available for: macOS Big Sur Impact: An app may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai Entry added October 27, 2022 ppp Available for: macOS Big Sur Impact: A buffer overflow may result in arbitrary code execution Description: The issue was addressed with improved bounds checks. CVE-2022-32941: an anonymous researcher Entry added October 27, 2022 Ruby Available for: macOS Big Sur Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: A memory corruption issue was addressed by updating Ruby to version 2.6.10. CVE-2022-28739 Sandbox Available for: macOS Big Sur Impact: An app with root privileges may be able to access private information Description: This issue was addressed with improved data protection. CVE-2022-32862: an anonymous researcher zlib Available for: macOS Big Sur Impact: A user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-37434: Evgeny Legerov CVE-2022-42800: Evgeny Legerov Entry added October 27, 2022 macOS Big Sur 11.7.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. 8) - aarch64, noarch, ppc64le, s390x, x86_64 3. ========================================================================== Ubuntu Security Notice USN-5462-2 June 06, 2022 ruby2.3 vulnerability ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 16.04 ESM Summary: Ruby could be made to crash or read sensitive information when processing certain input. This update provides the corresponding CVE-2022-28739 update for ruby2.3 on Ubuntu 16.04 ESM. Original advisory details: It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 16.04 ESM: libruby2.3 2.3.1-2~ubuntu16.04.16+esm3 ruby2.3 2.3.1-2~ubuntu16.04.16+esm3 In general, a standard system update will make all the necessary changes. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202401-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Ruby: Multiple vulnerabilities Date: January 24, 2024 Bugs: #747007, #801061, #827251, #838073, #882893, #903630 ID: 202401-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. It comes bundled with a HTTP server ("WEBrick"). Affected packages ================= Package Vulnerable Unaffected ------------- ------------ ------------ dev-lang/ruby < 2.5.9:2.5 Vulnerable! < 2.6.10:2.6 Vulnerable! < 2.7.8:2.7 Vulnerable! < 3.0.6:3.0 Vulnerable! < 3.1.4:3.1 >= 3.1.4:3.1 < 3.2.2:3.2 >= 3.2.2:3.2 Description =========== Multiple vulnerabilities have been discovered in Ruby. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby users should upgrade to the latest version: # emerge --sync # emerge --ask --depclean ruby:2.5 ruby:2.6 ruby:2.7 ruby:3.0 # emerge --ask --oneshot --verbose ">=dev-lang/ruby-3.1.4:3.1" # emerge --ask --oneshot --verbose ">=dev-lang/ruby-3.2.2:3.2" References ========== [ 1 ] CVE-2020-25613 https://nvd.nist.gov/vuln/detail/CVE-2020-25613 [ 2 ] CVE-2021-31810 https://nvd.nist.gov/vuln/detail/CVE-2021-31810 [ 3 ] CVE-2021-32066 https://nvd.nist.gov/vuln/detail/CVE-2021-32066 [ 4 ] CVE-2021-33621 https://nvd.nist.gov/vuln/detail/CVE-2021-33621 [ 5 ] CVE-2021-41816 https://nvd.nist.gov/vuln/detail/CVE-2021-41816 [ 6 ] CVE-2021-41817 https://nvd.nist.gov/vuln/detail/CVE-2021-41817 [ 7 ] CVE-2021-41819 https://nvd.nist.gov/vuln/detail/CVE-2021-41819 [ 8 ] CVE-2022-28738 https://nvd.nist.gov/vuln/detail/CVE-2022-28738 [ 9 ] CVE-2022-28739 https://nvd.nist.gov/vuln/detail/CVE-2022-28739 [ 10 ] CVE-2023-28755 https://nvd.nist.gov/vuln/detail/CVE-2023-28755 [ 11 ] CVE-2023-28756 https://nvd.nist.gov/vuln/detail/CVE-2023-28756 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202401-27 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.71

sources: NVD: CVE-2022-28739 // VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168691 // PACKETSTORM: 168360 // PACKETSTORM: 169553 // PACKETSTORM: 169577 // PACKETSTORM: 167654 // PACKETSTORM: 167425 // PACKETSTORM: 176686

AFFECTED PRODUCTS

vendor:applemodel:macosscope:ltversion:12.6.1

Trust: 1.0

vendor:ruby langmodel:rubyscope:ltversion:2.7.6

Trust: 1.0

vendor:ruby langmodel:rubyscope:ltversion:2.6.10

Trust: 1.0

vendor:ruby langmodel:rubyscope:gteversion:3.1.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:11.0

Trust: 1.0

vendor:applemodel:macosscope:gteversion:12.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:10.0

Trust: 1.0

vendor:ruby langmodel:rubyscope:gteversion:3.0.0

Trust: 1.0

vendor:applemodel:macosscope:ltversion:11.7.1

Trust: 1.0

vendor:ruby langmodel:rubyscope:gteversion:2.7.0

Trust: 1.0

vendor:ruby langmodel:rubyscope:ltversion:3.0.4

Trust: 1.0

vendor:applemodel:macosscope:gteversion:11.0

Trust: 1.0

vendor:debianmodel:linuxscope:eqversion:9.0

Trust: 1.0

vendor:ruby langmodel:rubyscope:ltversion:3.1.2

Trust: 1.0

sources: NVD: CVE-2022-28739

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2022-28739
value: HIGH

Trust: 1.0

CNNVD: CNNVD-202204-3369
value: HIGH

Trust: 0.6

VULHUB: VHN-420273
value: MEDIUM

Trust: 0.1

VULMON: CVE-2022-28739
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2022-28739
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

VULHUB: VHN-420273
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2022-28739
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // CNNVD: CNNVD-202204-3369 // NVD: CVE-2022-28739

PROBLEMTYPE DATA

problemtype:CWE-125

Trust: 1.1

sources: VULHUB: VHN-420273 // NVD: CVE-2022-28739

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202204-3369

TYPE

buffer error

Trust: 0.6

sources: CNNVD: CNNVD-202204-3369

PATCH

title:Ruby Buffer error vulnerability fixurl:http://123.124.177.30/web/xxk/bdxqById.tag?id=193537

Trust: 0.6

title:Debian CVElist Bug Report Logs: ruby3.0: CVE-2022-28739url:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=4f290816c3711b33b2aedd7bdd7e13d8

Trust: 0.1

title:Ubuntu Security Notice: USN-5462-1: Ruby vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5462-1

Trust: 0.1

title:Ubuntu Security Notice: USN-5462-2: Ruby vulnerabilityurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5462-2

Trust: 0.1

title:Amazon Linux AMI: ALAS-2022-1638url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2022-1638

Trust: 0.1

title:Red Hat: Moderate: ruby:2.6 security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20225338 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: ruby security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226585 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: ruby:2.7 security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226447 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: ruby:3.0 security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226450 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: rh-ruby27-ruby security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226856 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: ruby:2.5 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20237025 - Security Advisory

Trust: 0.1

title:Arch Linux Issues: url:https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2022-28739

Trust: 0.1

title:Amazon Linux 2: ALASRUBY2.6-2023-001url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY2.6-2023-001

Trust: 0.1

title:Amazon Linux 2: ALAS2-2022-1853url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2022-1853

Trust: 0.1

title:Red Hat: Moderate: rh-ruby30-ruby security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226855 - Security Advisory

Trust: 0.1

title:Amazon Linux 2: ALASRUBY3.0-2023-002url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY3.0-2023-002

Trust: 0.1

title:Ruby Advisory Databaseurl:https://github.com/rubysec/ruby-advisory-db

Trust: 0.1

title:Ruby Advisory Databaseurl:https://github.com/jasnow/585-652-ruby-advisory-db

Trust: 0.1

title:veracode-container-security-finding-parserurl:https://github.com/vincent-deng/veracode-container-security-finding-parser

Trust: 0.1

sources: VULMON: CVE-2022-28739 // CNNVD: CNNVD-202204-3369

EXTERNAL IDS

db:NVDid:CVE-2022-28739

Trust: 2.5

db:HACKERONEid:1248108

Trust: 1.8

db:PACKETSTORMid:168360

Trust: 0.8

db:PACKETSTORMid:167425

Trust: 0.8

db:PACKETSTORMid:168691

Trust: 0.8

db:PACKETSTORMid:167654

Trust: 0.8

db:PACKETSTORMid:169577

Trust: 0.8

db:CS-HELPid:SB2022041404

Trust: 0.6

db:CS-HELPid:SB2022060723

Trust: 0.6

db:CS-HELPid:SB2022072010

Trust: 0.6

db:CS-HELPid:SB2022070105

Trust: 0.6

db:AUSCERTid:ESB-2022.4673

Trust: 0.6

db:AUSCERTid:ESB-2022.5061

Trust: 0.6

db:AUSCERTid:ESB-2023.3320

Trust: 0.6

db:AUSCERTid:ESB-2022.2802

Trust: 0.6

db:AUSCERTid:ESB-2022.5301

Trust: 0.6

db:PACKETSTORMid:168445

Trust: 0.6

db:CNNVDid:CNNVD-202204-3369

Trust: 0.6

db:PACKETSTORMid:169553

Trust: 0.2

db:PACKETSTORMid:168357

Trust: 0.1

db:PACKETSTORMid:168692

Trust: 0.1

db:PACKETSTORMid:169552

Trust: 0.1

db:PACKETSTORMid:167421

Trust: 0.1

db:PACKETSTORMid:169566

Trust: 0.1

db:VULHUBid:VHN-420273

Trust: 0.1

db:ICS CERTid:ICSA-24-046-11

Trust: 0.1

db:VULMONid:CVE-2022-28739

Trust: 0.1

db:PACKETSTORMid:176686

Trust: 0.1

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168691 // PACKETSTORM: 168360 // PACKETSTORM: 169553 // PACKETSTORM: 169577 // PACKETSTORM: 167654 // PACKETSTORM: 167425 // PACKETSTORM: 176686 // CNNVD: CNNVD-202204-3369 // NVD: CVE-2022-28739

REFERENCES

url:http://seclists.org/fulldisclosure/2022/oct/28

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/oct/29

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/oct/30

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/oct/41

Trust: 1.8

url:http://seclists.org/fulldisclosure/2022/oct/42

Trust: 1.8

url:https://hackerone.com/reports/1248108

Trust: 1.8

url:https://security-tracker.debian.org/tracker/cve-2022-28739

Trust: 1.8

url:https://security.netapp.com/advisory/ntap-20220624-0002/

Trust: 1.8

url:https://support.apple.com/kb/ht213488

Trust: 1.8

url:https://support.apple.com/kb/ht213493

Trust: 1.8

url:https://support.apple.com/kb/ht213494

Trust: 1.8

url:https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/

Trust: 1.8

url:https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html

Trust: 1.7

url:https://security.gentoo.org/glsa/202401-27

Trust: 1.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-28739

Trust: 0.7

url:https://www.auscert.org.au/bulletins/esb-2022.2802

Trust: 0.6

url:https://packetstormsecurity.com/files/168360/red-hat-security-advisory-2022-6447-01.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb20220720108

Trust: 0.6

url:https://packetstormsecurity.com/files/167425/ubuntu-security-notice-usn-5462-2.html

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022060723

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022041404

Trust: 0.6

url:https://packetstormsecurity.com/files/168445/red-hat-security-advisory-2022-6585-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2023.3320

Trust: 0.6

url:https://packetstormsecurity.com/files/168691/red-hat-security-advisory-2022-6856-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5061

Trust: 0.6

url:https://support.apple.com/en-us/ht213494

Trust: 0.6

url:https://packetstormsecurity.com/files/169577/apple-security-advisory-2022-10-27-8.html

Trust: 0.6

url:https://packetstormsecurity.com/files/167654/red-hat-security-advisory-2022-5338-01.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.4673

Trust: 0.6

url:https://vigilance.fr/vulnerability/ruby-buffer-overflow-via-string-to-float-conversion-38079

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2022.5301

Trust: 0.6

url:https://www.cybersecurity-help.cz/vdb/sb2022070105

Trust: 0.6

url:https://cxsecurity.com/cveshow/cve-2022-28739/

Trust: 0.6

url:https://access.redhat.com/articles/11258

Trust: 0.3

url:https://bugzilla.redhat.com/):

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.3

url:https://listman.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-41819

Trust: 0.3

url:https://access.redhat.com/security/cve/cve-2022-28739

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2021-41817

Trust: 0.3

url:https://access.redhat.com/security/team/key/

Trust: 0.3

url:https://ubuntu.com/security/notices/usn-5462-1

Trust: 0.2

url:https://ubuntu.com/security/notices/usn-5462-2

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-41819

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2021-41817

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2021-41816

Trust: 0.2

url:https://support.apple.com/en-us/ht201222.

Trust: 0.2

url:https://support.apple.com/downloads/

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-32862

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2022-42825

Trust: 0.2

url:https://www.apple.com/support/security/pgp/

Trust: 0.2

url:https://support.apple.com/ht213493.

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/125.html

Trust: 0.1

url:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009956

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-11

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2021-41816

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6856

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:6447

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-42798

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-37434

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32944

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-42800

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-32941

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2022:5338

Trust: 0.1

url:https://security.gentoo.org/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-28756

Trust: 0.1

url:https://bugs.gentoo.org.

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-32066

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-31810

Trust: 0.1

url:https://creativecommons.org/licenses/by-sa/2.5

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2021-33621

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2022-28738

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2020-25613

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2023-28755

Trust: 0.1

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168691 // PACKETSTORM: 168360 // PACKETSTORM: 169553 // PACKETSTORM: 169577 // PACKETSTORM: 167654 // PACKETSTORM: 167425 // PACKETSTORM: 176686 // CNNVD: CNNVD-202204-3369 // NVD: CVE-2022-28739

CREDITS

Red Hat

Trust: 0.3

sources: PACKETSTORM: 168691 // PACKETSTORM: 168360 // PACKETSTORM: 167654

SOURCES

db:VULHUBid:VHN-420273
db:VULMONid:CVE-2022-28739
db:PACKETSTORMid:168691
db:PACKETSTORMid:168360
db:PACKETSTORMid:169553
db:PACKETSTORMid:169577
db:PACKETSTORMid:167654
db:PACKETSTORMid:167425
db:PACKETSTORMid:176686
db:CNNVDid:CNNVD-202204-3369
db:NVDid:CVE-2022-28739

LAST UPDATE DATE

2024-11-07T19:31:06.193000+00:00


SOURCES UPDATE DATE

db:VULHUBid:VHN-420273date:2022-11-08T00:00:00
db:VULMONid:CVE-2022-28739date:2024-01-24T00:00:00
db:CNNVDid:CNNVD-202204-3369date:2023-06-13T00:00:00
db:NVDid:CVE-2022-28739date:2024-01-24T05:15:12.390

SOURCES RELEASE DATE

db:VULHUBid:VHN-420273date:2022-05-09T00:00:00
db:VULMONid:CVE-2022-28739date:2022-05-09T00:00:00
db:PACKETSTORMid:168691date:2022-10-11T16:06:47
db:PACKETSTORMid:168360date:2022-09-13T15:44:10
db:PACKETSTORMid:169553date:2022-10-31T14:19:37
db:PACKETSTORMid:169577date:2022-10-31T14:43:13
db:PACKETSTORMid:167654date:2022-07-01T14:58:20
db:PACKETSTORMid:167425date:2022-06-07T15:15:31
db:PACKETSTORMid:176686date:2024-01-24T15:01:18
db:CNNVDid:CNNVD-202204-3369date:2022-04-14T00:00:00
db:NVDid:CVE-2022-28739date:2022-05-09T18:15:08.540