INFSA-2025:7539: ruby:2.5 security update
Information about definition
Identifier: INFSA-2025:7539
Type: security
Release date: 2025-06-09 06:17:33 UTC
Information about package
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks.
Vulnerabilities description
- CVE-2019-19012
An integer overflow leading to an out-of-bounds read was found in the way Oniguruma parses regular-expression quantifiers. A remote attacker who can supply a malformed regular expression to an application linked against Oniguruma could crash that application, causing a denial of service. Note that the attacker must control the pattern itself, not merely the text it is matched against, so applications that compile user-supplied patterns are the ones exposed.
- CVE-2021-43809
An argument-injection flaw in Bundler, the RubyGems dependency manager, could allow a local authenticated attacker to execute arbitrary code on the system. A Gemfile git source whose URL begins with a dash is passed to the git command line in a position where git interprets it as an option rather than as a repository location. An attacker who can get such a specially crafted Gemfile processed (for example, when `bundle install` is run against it) could exploit this to execute arbitrary code on the system.
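As an added example (not Bundler's code and not part of this advisory), the following Ruby shows the shape of the Bundler flaw: a small Gemfile scanner that flags git sources whose URL begins with a dash, beside an unsafe and a hardened way of building the argv for `git clone`. The Gemfile text, the option-looking URLs and the clone helpers are constructed for illustration; no real git option is named.

```ruby
# Added example, not Bundler's own code: why a dash-leading git URL in a
# Gemfile is an argument-injection problem, and two ways to close it.
require "shellwords"

# Constructed Gemfile for illustration. The two URLs beginning with "-" have
# the shape CVE-2021-43809 describes; the option names are placeholders.
SAMPLE_GEMFILE = <<~GEMFILE
  source "https://rubygems.org"
  gem "rake"
  gem "nokogiri", git: "https://github.com/sparklemotion/nokogiri.git"
  gem "evil", :git => "--some-git-option=value"
  git "-x" do
    gem "other"
  end
GEMFILE

GIT_SOURCE_PATTERNS = [
  /(?:\bgit:|:git\s*=>)\s*(["'])(.*?)\1/,   # gem ..., git: "url"  /  :git => "url"
  /^\s*git\s+(["'])(.*?)\1/,                # git "url" do ... end blocks
].freeze

# Every git URL declared in the Gemfile text, in file order.
def git_sources(gemfile_text)
  gemfile_text.each_line.flat_map do |line|
    GIT_SOURCE_PATTERNS.map { |re| re.match(line) }.compact.map { |m| m[2] }
  end
end

# The git URLs that git's option parser would treat as options, not as a URL.
def dash_leading_git_sources(gemfile_text)
  git_sources(gemfile_text).select { |url| url.start_with?("-") }
end

# Unsafe shape: the URL goes straight into git's argv, so a value that starts
# with "-" lands in option position and is parsed as an option.
def git_clone_argv_unsafe(url, dest)
  ["git", "clone", url, dest]
end

# Hardened shape: reject option-looking URLs up front, and put "--" before the
# positional arguments so git stops option parsing regardless of their content.
def git_clone_argv_safe(url, dest)
  if url.start_with?("-")
    raise ArgumentError, "refusing git URL that looks like an option: #{url.inspect}"
  end
  ["git", "clone", "--", url, dest]
end

if __FILE__ == $PROGRAM_NAME
  bad = dash_leading_git_sources(SAMPLE_GEMFILE)
  puts "dash-leading git sources: #{bad.inspect}"
  puts "unsafe argv: #{Shellwords.join(git_clone_argv_unsafe(bad.first, '/tmp/dest'))}"
  begin
    git_clone_argv_safe(bad.first, "/tmp/dest")
  rescue ArgumentError => e
    puts "safe path: #{e.message}"
  end
end
```

The scanner is a quick audit for Gemfiles pulled from untrusted repositories; the `--` separator is the general fix for any tool that forwards user-controlled values as positional arguments to a subprocess, and the explicit rejection makes the bad input fail loudly instead of silently being neutralised.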
Severity level
CVE | Score CVSS 2.0 | Score CVSS 3.x | Score CVSS 4.0
---|---|---|---
NIST — CVE-2019-19012 | no information | 7.5 | no information
NIST — CVE-2021-43809 | no information | 7.3 | no information
Updated packages