openEuler 24.03 LTS update for ruby



Risk Medium
Patch available YES
Number of vulnerabilities 3
CVE-ID CVE-2025-27219
CVE-2025-27220
CVE-2025-27221
CWE-ID CWE-20
CWE-1333
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
 openEuler
Operating systems & Components / Operating system

rubygems-devel
Operating systems & Components / Operating system package or component

rubygems
Operating systems & Components / Operating system package or component

rubygem-typeprof
Operating systems & Components / Operating system package or component

rubygem-test-unit
Operating systems & Components / Operating system package or component

rubygem-rss
Operating systems & Components / Operating system package or component

rubygem-rexml
Operating systems & Components / Operating system package or component

rubygem-rdoc
Operating systems & Components / Operating system package or component

rubygem-rake
Operating systems & Components / Operating system package or component

rubygem-minitest
Operating systems & Components / Operating system package or component

rubygem-did_you_mean
Operating systems & Components / Operating system package or component

ruby-irb
Operating systems & Components / Operating system package or component

ruby-help
Operating systems & Components / Operating system package or component

rubygem-rbs
Operating systems & Components / Operating system package or component

rubygem-psych
Operating systems & Components / Operating system package or component

rubygem-openssl
Operating systems & Components / Operating system package or component

rubygem-json
Operating systems & Components / Operating system package or component

rubygem-io-console
Operating systems & Components / Operating system package or component

rubygem-bigdecimal
Operating systems & Components / Operating system package or component

ruby-devel
Operating systems & Components / Operating system package or component

ruby-debugsource
Operating systems & Components / Operating system package or component

ruby-debuginfo
Operating systems & Components / Operating system package or component

ruby-bundled-gems
Operating systems & Components / Operating system package or component

ruby
Operating systems & Components / Operating system package or component

Vendor openEuler

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Input validation error

EUVDB-ID: #VU105106

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27219

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in CGI::Cookie.parse. A remote attacker can send a specially crafted HTTP request to the application and perform a denial of service (DoS) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 24.03 LTS

rubygems-devel: before 3.4.10-149

rubygems: before 3.4.10-149

rubygem-typeprof: before 0.21.3-149

rubygem-test-unit: before 3.5.7-149

rubygem-rss: before 0.2.9-149

rubygem-rexml: before 3.2.5-149

rubygem-rdoc: before 6.5.0-149

rubygem-rake: before 13.0.6-149

rubygem-minitest: before 5.16.3-149

rubygem-did_you_mean: before 1.6.3-149

ruby-irb: before 3.2.2-149

ruby-help: before 3.2.2-149

rubygem-rbs: before 2.8.2-149

rubygem-psych: before 5.0.1-149

rubygem-openssl: before 3.1.0-149

rubygem-json: before 2.6.3-149

rubygem-io-console: before 0.6.0-149

rubygem-bigdecimal: before 3.1.3-149

ruby-devel: before 3.2.2-149

ruby-debugsource: before 3.2.2-149

ruby-debuginfo: before 3.2.2-149

ruby-bundled-gems: before 3.2.2-149

ruby: before 3.2.2-149

CPE2.3 External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1262


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inefficient regular expression complexity

EUVDB-ID: #VU105107

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27220

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions in CGI::Util#escapeElement. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 24.03 LTS

rubygems-devel: before 3.4.10-149

rubygems: before 3.4.10-149

rubygem-typeprof: before 0.21.3-149

rubygem-test-unit: before 3.5.7-149

rubygem-rss: before 0.2.9-149

rubygem-rexml: before 3.2.5-149

rubygem-rdoc: before 6.5.0-149

rubygem-rake: before 13.0.6-149

rubygem-minitest: before 5.16.3-149

rubygem-did_you_mean: before 1.6.3-149

ruby-irb: before 3.2.2-149

ruby-help: before 3.2.2-149

rubygem-rbs: before 2.8.2-149

rubygem-psych: before 5.0.1-149

rubygem-openssl: before 3.1.0-149

rubygem-json: before 2.6.3-149

rubygem-io-console: before 0.6.0-149

rubygem-bigdecimal: before 3.1.3-149

ruby-devel: before 3.2.2-149

ruby-debugsource: before 3.2.2-149

ruby-debuginfo: before 3.2.2-149

ruby-bundled-gems: before 3.2.2-149

ruby: before 3.2.2-149

CPE2.3 External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1262


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Information disclosure

EUVDB-ID: #VU105105

Risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2025-27221

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to URI#join, URI#merge, and URI#+ methods retain sensitive information, such as user:password, even after the host is replaced. A remote attacker can gain access to sensitive information.

Mitigation

Install updates from vendor's repository.

Vulnerable software versions

openEuler: 24.03 LTS

rubygems-devel: before 3.4.10-149

rubygems: before 3.4.10-149

rubygem-typeprof: before 0.21.3-149

rubygem-test-unit: before 3.5.7-149

rubygem-rss: before 0.2.9-149

rubygem-rexml: before 3.2.5-149

rubygem-rdoc: before 6.5.0-149

rubygem-rake: before 13.0.6-149

rubygem-minitest: before 5.16.3-149

rubygem-did_you_mean: before 1.6.3-149

ruby-irb: before 3.2.2-149

ruby-help: before 3.2.2-149

rubygem-rbs: before 2.8.2-149

rubygem-psych: before 5.0.1-149

rubygem-openssl: before 3.1.0-149

rubygem-json: before 2.6.3-149

rubygem-io-console: before 0.6.0-149

rubygem-bigdecimal: before 3.1.3-149

ruby-devel: before 3.2.2-149

ruby-debugsource: before 3.2.2-149

ruby-debuginfo: before 3.2.2-149

ruby-bundled-gems: before 3.2.2-149

ruby: before 3.2.2-149

CPE2.3 External links

https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2025-1262


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###