Vulnerabilities: 2 via 2 paths

Dependencies: 25

Source: GitHub

Commit: 616c9547


high severity

Memory Allocation with Excessive Size Value

  • Vulnerable module: org.jruby:jruby-stdlib
  • Introduced through: org.jruby:jruby@9.4.12.0

Detailed paths

  • Introduced through: adaptris/interlok-jruby@adaptris/interlok-jruby#616c95477ebc47b5cf0386ad3f0b2574d662ecfb → org.jruby:jruby@9.4.12.0 → org.jruby:jruby-stdlib@9.4.12.0
    Remediation: Upgrade to org.jruby:jruby@9.4.13.0.

Overview

org.jruby:jruby-stdlib is a JRuby Lib Setup package.

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the ResponseReader class. An attacker can cause the application to allocate excessive memory and trigger a denial of service by including "literal" strings in responses sent to client-initiated connections and IMAP commands.

After implementing the fix, the default max_response_size is still high (512MiB) to accommodate backward compatibility. It is recommended to set a lower max_response_size if connecting to untrusted servers or using insecure connections.

Remediation

A fix was pushed into the master branch but not yet published.

high severity

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1

  • Module: com.github.jnr:jnr-posix
  • Introduced through: org.jruby:jruby@9.4.12.0

Detailed paths

  • Introduced through: adaptris/interlok-jruby@adaptris/interlok-jruby#616c95477ebc47b5cf0386ad3f0b2574d662ecfb → org.jruby:jruby@9.4.12.0 → org.jruby:jruby-base@9.4.12.0 → com.github.jnr:jnr-posix@3.1.20
  • Introduced through: adaptris/interlok-jruby@adaptris/interlok-jruby#616c95477ebc47b5cf0386ad3f0b2574d662ecfb → org.jruby:jruby@9.4.12.0 → org.jruby:jruby-base@9.4.12.0 → com.github.jnr:jnr-unixsocket@0.38.23 → com.github.jnr:jnr-posix@3.1.20

medium severity

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.jruby:jruby
  • Introduced through: org.jruby:jruby@9.4.12.0

Detailed paths

  • Introduced through: adaptris/interlok-jruby@adaptris/interlok-jruby#616c95477ebc47b5cf0386ad3f0b2574d662ecfb → org.jruby:jruby@9.4.12.0
    Remediation: Upgrade to org.jruby:jruby@9.4.12.1.

Overview

org.jruby:jruby is a high performance, stable, fully threaded Java implementation of the Ruby programming language.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch in the SSL certificate validation process. An attacker can intercept secure communications by presenting a valid certificate for an unrelated domain that the attacker controls.

Note:

This is only exploitable if the attacker is in a "man-in-the-middle" (MITM) position before performing the attack.

PoC

require "net/http"
require "openssl"

# Host whose certificate does not match the requested name (as given in the advisory).
uri   = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl      = true
# Peer verification is explicitly enabled; an affected JRuby still does not
# reject the certificate for the hostname mismatch, so the request succeeds.
https.verify_mode  = OpenSSL::SSL::VERIFY_PEER

body = https.start { https.get(uri.request_uri).body }
puts body

Remediation

Upgrade org.jruby:jruby to version 9.4.12.1, 10.0.0.1 or higher.

medium severity

EPL-1.0 license

  • Module: org.jruby:dirgra
  • Introduced through: org.jruby:jruby@9.4.12.0

Detailed paths

  • Introduced through: adaptris/interlok-jruby@adaptris/interlok-jruby#616c95477ebc47b5cf0386ad3f0b2574d662ecfb → org.jruby:jruby@9.4.12.0 → org.jruby:jruby-base@9.4.12.0 → org.jruby:dirgra@0.3