Details of VAR-202204-0855

ID

VAR-202204-0855

CVE

CVE-2022-28739

TITLE

Red Hat Security Advisory 2022-6585-01

Trust: 0.1

sources: PACKETSTORM: 168445

DESCRIPTION

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ==================================================================== Red Hat Security Advisory Synopsis: Moderate: ruby security, bug fix, and enhancement update Advisory ID: RHSA-2022:6585-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2022:6585 Issue date: 2022-09-20 CVE Names: CVE-2022-28738 CVE-2022-28739 ==================================================================== 1. Summary: An update for ruby is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat CodeReady Linux Builder (v. 9) - noarch Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64 3. Description: Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. The following packages have been upgraded to a later upstream version: ruby (3.0.4). (BZ#2109428) Security Fix(es): * Ruby: Double free in Regexp compilation (CVE-2022-28738) * Ruby: Buffer overrun in String-to-Float conversion (CVE-2022-28739) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 2075685 - CVE-2022-28738 Ruby: Double free in Regexp compilation 2075687 - CVE-2022-28739 Ruby: Buffer overrun in String-to-Float conversion 2109428 - ruby:3.0/ruby: Rebase to the latest Ruby 3.0 release [rhel-9] [rhel-9.0.0.z] 6. Package List: Red Hat Enterprise Linux AppStream (v. 9): Source: ruby-3.0.4-160.el9_0.src.rpm aarch64: ruby-3.0.4-160.el9_0.aarch64.rpm ruby-debuginfo-3.0.4-160.el9_0.aarch64.rpm ruby-debugsource-3.0.4-160.el9_0.aarch64.rpm ruby-devel-3.0.4-160.el9_0.aarch64.rpm ruby-libs-3.0.4-160.el9_0.aarch64.rpm ruby-libs-debuginfo-3.0.4-160.el9_0.aarch64.rpm rubygem-bigdecimal-3.0.0-160.el9_0.aarch64.rpm rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.aarch64.rpm rubygem-io-console-0.5.7-160.el9_0.aarch64.rpm rubygem-io-console-debuginfo-0.5.7-160.el9_0.aarch64.rpm rubygem-json-2.5.1-160.el9_0.aarch64.rpm rubygem-json-debuginfo-2.5.1-160.el9_0.aarch64.rpm rubygem-psych-3.3.2-160.el9_0.aarch64.rpm rubygem-psych-debuginfo-3.3.2-160.el9_0.aarch64.rpm noarch: ruby-default-gems-3.0.4-160.el9_0.noarch.rpm rubygem-bundler-2.2.33-160.el9_0.noarch.rpm rubygem-irb-1.3.5-160.el9_0.noarch.rpm rubygem-minitest-5.14.2-160.el9_0.noarch.rpm rubygem-power_assert-1.2.0-160.el9_0.noarch.rpm rubygem-rake-13.0.3-160.el9_0.noarch.rpm rubygem-rbs-1.4.0-160.el9_0.noarch.rpm rubygem-rdoc-6.3.3-160.el9_0.noarch.rpm rubygem-rexml-3.2.5-160.el9_0.noarch.rpm rubygem-rss-0.2.9-160.el9_0.noarch.rpm rubygem-test-unit-3.3.7-160.el9_0.noarch.rpm rubygem-typeprof-0.15.2-160.el9_0.noarch.rpm rubygems-3.2.33-160.el9_0.noarch.rpm rubygems-devel-3.2.33-160.el9_0.noarch.rpm ppc64le: ruby-3.0.4-160.el9_0.ppc64le.rpm ruby-debuginfo-3.0.4-160.el9_0.ppc64le.rpm ruby-debugsource-3.0.4-160.el9_0.ppc64le.rpm ruby-devel-3.0.4-160.el9_0.ppc64le.rpm ruby-libs-3.0.4-160.el9_0.ppc64le.rpm ruby-libs-debuginfo-3.0.4-160.el9_0.ppc64le.rpm rubygem-bigdecimal-3.0.0-160.el9_0.ppc64le.rpm rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.ppc64le.rpm rubygem-io-console-0.5.7-160.el9_0.ppc64le.rpm rubygem-io-console-debuginfo-0.5.7-160.el9_0.ppc64le.rpm rubygem-json-2.5.1-160.el9_0.ppc64le.rpm rubygem-json-debuginfo-2.5.1-160.el9_0.ppc64le.rpm rubygem-psych-3.3.2-160.el9_0.ppc64le.rpm rubygem-psych-debuginfo-3.3.2-160.el9_0.ppc64le.rpm s390x: ruby-3.0.4-160.el9_0.s390x.rpm ruby-debuginfo-3.0.4-160.el9_0.s390x.rpm ruby-debugsource-3.0.4-160.el9_0.s390x.rpm ruby-devel-3.0.4-160.el9_0.s390x.rpm ruby-libs-3.0.4-160.el9_0.s390x.rpm ruby-libs-debuginfo-3.0.4-160.el9_0.s390x.rpm rubygem-bigdecimal-3.0.0-160.el9_0.s390x.rpm rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.s390x.rpm rubygem-io-console-0.5.7-160.el9_0.s390x.rpm rubygem-io-console-debuginfo-0.5.7-160.el9_0.s390x.rpm rubygem-json-2.5.1-160.el9_0.s390x.rpm rubygem-json-debuginfo-2.5.1-160.el9_0.s390x.rpm rubygem-psych-3.3.2-160.el9_0.s390x.rpm rubygem-psych-debuginfo-3.3.2-160.el9_0.s390x.rpm x86_64: ruby-3.0.4-160.el9_0.i686.rpm ruby-3.0.4-160.el9_0.x86_64.rpm ruby-debuginfo-3.0.4-160.el9_0.i686.rpm ruby-debuginfo-3.0.4-160.el9_0.x86_64.rpm ruby-debugsource-3.0.4-160.el9_0.i686.rpm ruby-debugsource-3.0.4-160.el9_0.x86_64.rpm ruby-devel-3.0.4-160.el9_0.i686.rpm ruby-devel-3.0.4-160.el9_0.x86_64.rpm ruby-libs-3.0.4-160.el9_0.i686.rpm ruby-libs-3.0.4-160.el9_0.x86_64.rpm ruby-libs-debuginfo-3.0.4-160.el9_0.i686.rpm ruby-libs-debuginfo-3.0.4-160.el9_0.x86_64.rpm rubygem-bigdecimal-3.0.0-160.el9_0.x86_64.rpm rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.i686.rpm rubygem-bigdecimal-debuginfo-3.0.0-160.el9_0.x86_64.rpm rubygem-io-console-0.5.7-160.el9_0.x86_64.rpm rubygem-io-console-debuginfo-0.5.7-160.el9_0.i686.rpm rubygem-io-console-debuginfo-0.5.7-160.el9_0.x86_64.rpm rubygem-json-2.5.1-160.el9_0.x86_64.rpm rubygem-json-debuginfo-2.5.1-160.el9_0.i686.rpm rubygem-json-debuginfo-2.5.1-160.el9_0.x86_64.rpm rubygem-psych-3.3.2-160.el9_0.x86_64.rpm rubygem-psych-debuginfo-3.3.2-160.el9_0.i686.rpm rubygem-psych-debuginfo-3.3.2-160.el9_0.x86_64.rpm Red Hat CodeReady Linux Builder (v. 9): noarch: ruby-doc-3.0.4-160.el9_0.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2022-28738 https://access.redhat.com/security/cve/CVE-2022-28739 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2022 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIVAwUBYypfvtzjgjWX9erEAQjaXQ/+LfzraWPwLDEBfxU87XekVmDQn/KHLw0Q TPgRpDtvfVkmSDDCEvYvvMOYSW3MdNmNJOwPhQyJT3cBrq0zHUog0ejoJO5jV3B1 rOStJ/EfwskmCVaPehhJvGfrKVr2l6Uo8SH0zrLMKBtqd42/GrO2eiDs/xxhVq5U wvgecfUQY8lfpJ25ELa/081aAe4Cg4NN7WShf7DFJ2tw+f/IguCWi+CHZoavv3AQ T7So/dbIjFJmliaPcTkvW02m+JHxNGduXJfelMXB72eyJR7/jEK7OvfE89a18yZ8 P38biUIPZFNaLW1SN62GnA8Qby6g9C/1x+pXssEQ6fo1qJPk/bW6qYfPWWM4Op5N VsTFDx7EAZRCQFnyczTcaUE7g9s4ZovK4qMqTZq9BhP25m9yisvV1jizNpSU6vMi h37/Mi0gcOOcjbtj8Nlbtx+QsHFJvOgTjDIiwPVllMpxygWjSRRnR+LBoTHCPlP2 ZG5q8MGwZAIfzKSP9Fjg58rJoiWnzyJWFLEym38lfrrjch21CtgaKm28wrKQ18PC 7GQ/A/rARWMfAKnFYEO4zF07kidgTwyVJI5RJv8b9x4vLo7/G80CVDXIYjEDP4FR 7fNpEfc9/owximR5WpTds3GfzTDSKzNonHX/oNhIaJLkQ27RTSPXORzxtAsz2a6j jbIYxx9rQto=komJ -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://listman.redhat.com/mailman/listinfo/rhsa-announce . ========================================================================= Ubuntu Security Notice USN-5462-1 June 06, 2022 ruby2.5, ruby2.7, ruby3.0 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 22.04 LTS - Ubuntu 21.10 - Ubuntu 20.04 LTS - Ubuntu 18.04 LTS Summary: Several security issues were fixed in Ruby. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 22.04 LTS. (CVE-2022-28738) It was discovered that Ruby incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. (CVE-2022-28739) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 22.04 LTS: libruby3.0 3.0.2-7ubuntu2.1 ruby3.0 3.0.2-7ubuntu2.1 Ubuntu 21.10: libruby2.7 2.7.4-1ubuntu3.2 ruby2.7 2.7.4-1ubuntu3.2 Ubuntu 20.04 LTS: libruby2.7 2.7.0-5ubuntu1.7 ruby2.7 2.7.0-5ubuntu1.7 Ubuntu 18.04 LTS: libruby2.5 2.5.1-1ubuntu1.12 ruby2.5 2.5.1-1ubuntu1.12 In general, a standard system update will make all the necessary changes. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 APPLE-SA-2022-10-27-6 Additional information for APPLE-SA-2022-10-24-3 macOS Monterey 12.6.1 macOS Monterey 12.6.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT213494. AppleMobileFileIntegrity Available for: macOS Monterey Impact: An app may be able to modify protected parts of the file system Description: This issue was addressed by removing additional entitlements. CVE-2022-42825: Mickey Jin (@patch1t) Audio Available for: macOS Monterey Impact: Parsing a maliciously crafted audio file may lead to disclosure of user information Description: The issue was addressed with improved memory handling. CVE-2022-42798: Anonymous working with Trend Micro Zero Day Initiative Entry added October 27, 2022 Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue was addressed with improved state management. CVE-2022-32944: Tim Michaud (@TimGMichaud) of Moveworks.ai Entry added October 27, 2022 Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A race condition was addressed with improved locking. CVE-2022-42803: Xinru Chi of Pangu Lab, John Aakerblom (@jaakerblom) Entry added October 27, 2022 Kernel Available for: macOS Monterey Impact: An app may be able to execute arbitrary code with kernel privileges Description: A logic issue was addressed with improved checks. CVE-2022-42801: Ian Beer of Google Project Zero Entry added October 27, 2022 ppp Available for: macOS Monterey Impact: A buffer overflow may result in arbitrary code execution Description: The issue was addressed with improved bounds checks. CVE-2022-32941: an anonymous researcher Entry added October 27, 2022 Ruby Available for: macOS Monterey Impact: A remote user may be able to cause unexpected app termination or arbitrary code execution Description: A memory corruption issue was addressed by updating Ruby to version 2.6.10. CVE-2022-28739 Sandbox Available for: macOS Monterey Impact: An app with root privileges may be able to access private information Description: This issue was addressed with improved data protection. CVE-2022-32862: an anonymous researcher zlib Available for: macOS Monterey Impact: A user may be able to cause unexpected app termination or arbitrary code execution Description: This issue was addressed with improved checks. CVE-2022-37434: Evgeny Legerov CVE-2022-42800: Evgeny Legerov Entry added October 27, 2022 Additional recognition Calendar We would like to acknowledge an anonymous researcher for their assistance. macOS Monterey 12.6.1 may be obtained from the Mac App Store or Apple's Software Downloads web site: https://support.apple.com/downloads/ All information is also posted on the Apple Security Updates web site: https://support.apple.com/en-us/HT201222. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Gentoo Linux Security Advisory GLSA 202401-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - https://security.gentoo.org/ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Severity: Normal Title: Ruby: Multiple vulnerabilities Date: January 24, 2024 Bugs: #747007, #801061, #827251, #838073, #882893, #903630 ID: 202401-27 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Synopsis ======== Multiple vulnerabilities have been discovered in Ruby, the worst of which could lead to execution of arbitrary code. It comes bundled with a HTTP server ("WEBrick"). Affected packages ================= Package Vulnerable Unaffected ------------- ------------ ------------ dev-lang/ruby < 2.5.9:2.5 Vulnerable! < 2.6.10:2.6 Vulnerable! < 2.7.8:2.7 Vulnerable! < 3.0.6:3.0 Vulnerable! < 3.1.4:3.1 >= 3.1.4:3.1 < 3.2.2:3.2 >= 3.2.2:3.2 Description =========== Multiple vulnerabilities have been discovered in Ruby. Please review the CVE identifiers referenced below for details. Impact ====== Please review the referenced CVE identifiers for details. Workaround ========== There is no known workaround at this time. Resolution ========== All Ruby users should upgrade to the latest version: # emerge --sync # emerge --ask --depclean ruby:2.5 ruby:2.6 ruby:2.7 ruby:3.0 # emerge --ask --oneshot --verbose ">=dev-lang/ruby-3.1.4:3.1" # emerge --ask --oneshot --verbose ">=dev-lang/ruby-3.2.2:3.2" References ========== [ 1 ] CVE-2020-25613 https://nvd.nist.gov/vuln/detail/CVE-2020-25613 [ 2 ] CVE-2021-31810 https://nvd.nist.gov/vuln/detail/CVE-2021-31810 [ 3 ] CVE-2021-32066 https://nvd.nist.gov/vuln/detail/CVE-2021-32066 [ 4 ] CVE-2021-33621 https://nvd.nist.gov/vuln/detail/CVE-2021-33621 [ 5 ] CVE-2021-41816 https://nvd.nist.gov/vuln/detail/CVE-2021-41816 [ 6 ] CVE-2021-41817 https://nvd.nist.gov/vuln/detail/CVE-2021-41817 [ 7 ] CVE-2021-41819 https://nvd.nist.gov/vuln/detail/CVE-2021-41819 [ 8 ] CVE-2022-28738 https://nvd.nist.gov/vuln/detail/CVE-2022-28738 [ 9 ] CVE-2022-28739 https://nvd.nist.gov/vuln/detail/CVE-2022-28739 [ 10 ] CVE-2023-28755 https://nvd.nist.gov/vuln/detail/CVE-2023-28755 [ 11 ] CVE-2023-28756 https://nvd.nist.gov/vuln/detail/CVE-2023-28756 Availability ============ This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/202401-27 Concerns? ========= Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org. License ======= Copyright 2024 Gentoo Foundation, Inc; referenced text belongs to its owner(s). The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license. https://creativecommons.org/licenses/by-sa/2.5

Trust: 1.8

sources: NVD: CVE-2022-28739 // VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168445 // PACKETSTORM: 167421 // PACKETSTORM: 168360 // PACKETSTORM: 169566 // PACKETSTORM: 169553 // PACKETSTORM: 169552 // PACKETSTORM: 167425 // PACKETSTORM: 176686

AFFECTED PRODUCTS

vendor:	apple	model:	macos	scope:	lt	version:	12.6.1	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	2.7.6	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	2.6.10	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	gte	version:	3.1.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	11.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	12.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	10.0	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	gte	version:	3.0.0	Trust: 1.0
vendor:	apple	model:	macos	scope:	lt	version:	11.7.1	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	gte	version:	2.7.0	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	3.0.4	Trust: 1.0
vendor:	apple	model:	macos	scope:	gte	version:	11.0	Trust: 1.0
vendor:	debian	model:	linux	scope:	eq	version:	9.0	Trust: 1.0
vendor:	ruby lang	model:	ruby	scope:	lt	version:	3.1.2	Trust: 1.0

sources: NVD: CVE-2022-28739

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2022-28739
value:	HIGH
Trust: 1.0
VULHUB:	VHN-420273
value:	MEDIUM
Trust: 0.1
VULMON:	CVE-2022-28739
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2022-28739
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.1
VULHUB:	VHN-420273
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

nvd@nist.gov:	CVE-2022-28739
baseSeverity:	HIGH
baseScore:	7.5
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	3.6
version:	3.1
Trust: 1.0

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // NVD: CVE-2022-28739

PROBLEMTYPE DATA

problemtype:

CWE-125

Trust: 1.1

sources: VULHUB: VHN-420273 // NVD: CVE-2022-28739

TYPE

arbitrary

Trust: 0.2

sources: PACKETSTORM: 167421 // PACKETSTORM: 176686

PATCH

title:	Debian CVElist Bug Report Logs: ruby3.0: CVE-2022-28739	url:	https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=4f290816c3711b33b2aedd7bdd7e13d8	Trust: 0.1
title:	Ubuntu Security Notice: USN-5462-1: Ruby vulnerabilities	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5462-1	Trust: 0.1
title:	Ubuntu Security Notice: USN-5462-2: Ruby vulnerability	url:	https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-5462-2	Trust: 0.1
title:	Amazon Linux AMI: ALAS-2022-1638	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2022-1638	Trust: 0.1
title:	Red Hat: Moderate: ruby:2.6 security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20225338 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226585 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby:2.7 security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226447 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby:3.0 security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226450 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: rh-ruby27-ruby security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226856 - Security Advisory	Trust: 0.1
title:	Red Hat: Moderate: ruby:2.5 security update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20237025 - Security Advisory	Trust: 0.1
title:	Arch Linux Issues:	url:	https://vulmon.com/vendoradvisory?qidtp=arch_linux_issues&qid=CVE-2022-28739	Trust: 0.1
title:	Amazon Linux 2: ALASRUBY2.6-2023-001	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY2.6-2023-001	Trust: 0.1
title:	Amazon Linux 2: ALAS2-2022-1853	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALAS2-2022-1853	Trust: 0.1
title:	Red Hat: Moderate: rh-ruby30-ruby security, bug fix, and enhancement update	url:	https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20226855 - Security Advisory	Trust: 0.1
title:	Amazon Linux 2: ALASRUBY3.0-2023-002	url:	https://vulmon.com/vendoradvisory?qidtp=amazon_linux2&qid=ALASRUBY3.0-2023-002	Trust: 0.1
title:	Ruby Advisory Database	url:	https://github.com/rubysec/ruby-advisory-db	Trust: 0.1
title:	Ruby Advisory Database	url:	https://github.com/jasnow/585-652-ruby-advisory-db	Trust: 0.1
title:	veracode-container-security-finding-parser	url:	https://github.com/vincent-deng/veracode-container-security-finding-parser	Trust: 0.1

sources: VULMON: CVE-2022-28739

EXTERNAL IDS

db:	NVD	id:	CVE-2022-28739	Trust: 2.0
db:	HACKERONE	id:	1248108	Trust: 1.2
db:	PACKETSTORM	id:	168360	Trust: 0.2
db:	PACKETSTORM	id:	169553	Trust: 0.2
db:	PACKETSTORM	id:	167425	Trust: 0.2
db:	PACKETSTORM	id:	169552	Trust: 0.2
db:	PACKETSTORM	id:	167421	Trust: 0.2
db:	PACKETSTORM	id:	169566	Trust: 0.2
db:	PACKETSTORM	id:	168357	Trust: 0.1
db:	PACKETSTORM	id:	168692	Trust: 0.1
db:	PACKETSTORM	id:	168691	Trust: 0.1
db:	PACKETSTORM	id:	167654	Trust: 0.1
db:	PACKETSTORM	id:	169577	Trust: 0.1
db:	VULHUB	id:	VHN-420273	Trust: 0.1
db:	ICS CERT	id:	ICSA-24-046-11	Trust: 0.1
db:	VULMON	id:	CVE-2022-28739	Trust: 0.1
db:	PACKETSTORM	id:	168445	Trust: 0.1
db:	PACKETSTORM	id:	176686	Trust: 0.1

sources: VULHUB: VHN-420273 // VULMON: CVE-2022-28739 // PACKETSTORM: 168445 // PACKETSTORM: 167421 // PACKETSTORM: 168360 // PACKETSTORM: 169566 // PACKETSTORM: 169553 // PACKETSTORM: 169552 // PACKETSTORM: 167425 // PACKETSTORM: 176686 // NVD: CVE-2022-28739

REFERENCES

url:	http://seclists.org/fulldisclosure/2022/oct/28	Trust: 1.2
url:	http://seclists.org/fulldisclosure/2022/oct/29	Trust: 1.2
url:	http://seclists.org/fulldisclosure/2022/oct/30	Trust: 1.2
url:	http://seclists.org/fulldisclosure/2022/oct/41	Trust: 1.2
url:	http://seclists.org/fulldisclosure/2022/oct/42	Trust: 1.2
url:	https://hackerone.com/reports/1248108	Trust: 1.2
url:	https://security-tracker.debian.org/tracker/cve-2022-28739	Trust: 1.2
url:	https://security.netapp.com/advisory/ntap-20220624-0002/	Trust: 1.2
url:	https://support.apple.com/kb/ht213488	Trust: 1.2
url:	https://support.apple.com/kb/ht213493	Trust: 1.2
url:	https://support.apple.com/kb/ht213494	Trust: 1.2
url:	https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/	Trust: 1.2
url:	https://security.gentoo.org/glsa/202401-27	Trust: 1.2
url:	https://lists.debian.org/debian-lts-announce/2023/06/msg00012.html	Trust: 1.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-28739	Trust: 0.8
url:	https://ubuntu.com/security/notices/usn-5462-1	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-28738	Trust: 0.3
url:	https://support.apple.com/en-us/ht201222.	Trust: 0.3
url:	https://support.apple.com/downloads/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32862	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42825	Trust: 0.3
url:	https://www.apple.com/support/security/pgp/	Trust: 0.3
url:	https://ubuntu.com/security/notices/usn-5462-2	Trust: 0.2
url:	https://listman.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.2
url:	https://access.redhat.com/security/team/key/	Trust: 0.2
url:	https://access.redhat.com/articles/11258	Trust: 0.2
url:	https://access.redhat.com/security/cve/cve-2022-28739	Trust: 0.2
url:	https://access.redhat.com/security/team/contact/	Trust: 0.2
url:	https://access.redhat.com/security/updates/classification/#moderate	Trust: 0.2
url:	https://bugzilla.redhat.com/):	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41817	Trust: 0.2
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41819	Trust: 0.2
url:	https://support.apple.com/ht213494.	Trust: 0.2
url:	https://cwe.mitre.org/data/definitions/125.html	Trust: 0.1
url:	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1009956	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-11	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2022-28738	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:6585	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby3.0/3.0.2-7ubuntu2.1	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.4-1ubuntu3.2	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.5/2.5.1-1ubuntu1.12	Trust: 0.1
url:	https://launchpad.net/ubuntu/+source/ruby2.7/2.7.0-5ubuntu1.7	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-41819	Trust: 0.1
url:	https://access.redhat.com/errata/rhsa-2022:6447	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2021-41817	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42798	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-37434	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42801	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32944	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42803	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-42800	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2022-32941	Trust: 0.1
url:	https://support.apple.com/ht213493.	Trust: 0.1
url:	https://security.gentoo.org/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2023-28756	Trust: 0.1
url:	https://bugs.gentoo.org.	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-41816	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-32066	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-31810	Trust: 0.1
url:	https://creativecommons.org/licenses/by-sa/2.5	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2021-33621	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2020-25613	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2023-28755	Trust: 0.1

CREDITS

Apple

Trust: 0.3

sources: PACKETSTORM: 169566 // PACKETSTORM: 169553 // PACKETSTORM: 169552

SOURCES

db:	VULHUB	id:	VHN-420273
db:	VULMON	id:	CVE-2022-28739
db:	PACKETSTORM	id:	168445
db:	PACKETSTORM	id:	167421
db:	PACKETSTORM	id:	168360
db:	PACKETSTORM	id:	169566
db:	PACKETSTORM	id:	169553
db:	PACKETSTORM	id:	169552
db:	PACKETSTORM	id:	167425
db:	PACKETSTORM	id:	176686
db:	NVD	id:	CVE-2022-28739

LAST UPDATE DATE

2024-09-19T00:45:41.582000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-420273	date:	2022-11-08T00:00:00
db:	VULMON	id:	CVE-2022-28739	date:	2024-01-24T00:00:00
db:	NVD	id:	CVE-2022-28739	date:	2024-01-24T05:15:12.390

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-420273	date:	2022-05-09T00:00:00
db:	VULMON	id:	CVE-2022-28739	date:	2022-05-09T00:00:00
db:	PACKETSTORM	id:	168445	date:	2022-09-21T13:50:28
db:	PACKETSTORM	id:	167421	date:	2022-06-07T15:13:54
db:	PACKETSTORM	id:	168360	date:	2022-09-13T15:44:10
db:	PACKETSTORM	id:	169566	date:	2022-10-31T14:25:29
db:	PACKETSTORM	id:	169553	date:	2022-10-31T14:19:37
db:	PACKETSTORM	id:	169552	date:	2022-10-31T14:19:21
db:	PACKETSTORM	id:	167425	date:	2022-06-07T15:15:31
db:	PACKETSTORM	id:	176686	date:	2024-01-24T15:01:18
db:	NVD	id:	CVE-2022-28739	date:	2022-05-09T18:15:08.540