Ubuntu update for ruby3.0

1) Input validation error

EUVDB-ID: #VU94361

Risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]

CVE-ID: CVE-2024-35176

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing XML that has multiple bracket character occurrences (e.g. "<") in an attribute value. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package ruby3.0 to the latest version.

Vulnerable software versions

Ubuntu: 22.04 - 24.10

ruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

libruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

ruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

libruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

ruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

libruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.10:*:*:*:*:*:*:*
• cpe:2.3::canonical:ruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3::canonical:libruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3:a:canonical:ruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:ruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7091-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Input validation error

EUVDB-ID: #VU94363

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-39908

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied XML input. A remote attacker can pass specially crafted characters, such as "<", "\0" and "%>" to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package ruby3.0 to the latest version.

Vulnerable software versions

Ubuntu: 22.04 - 24.10

ruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

libruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

ruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

libruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

ruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

libruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.10:*:*:*:*:*:*:*
• cpe:2.3::canonical:ruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3::canonical:libruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3:a:canonical:ruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:ruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7091-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Input validation error

EUVDB-ID: #VU95149

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41123

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when parsing characters such as a whitespace character, >] and ]>. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Update the affected package ruby3.0 to the latest version.

Vulnerable software versions

Ubuntu: 22.04 - 24.10

ruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

libruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

ruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

libruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

ruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

libruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.10:*:*:*:*:*:*:*
• cpe:2.3::canonical:ruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3::canonical:libruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3:a:canonical:ruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:ruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7091-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) XML Entity Expansion

EUVDB-ID: #VU95148

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-41946

CWE-ID: CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing XML with SAX2 or pull parser API. A remote attacker can pass specially crafted XML data to the application and perform a denial of service attack.

Mitigation

Update the affected package ruby3.0 to the latest version.

Vulnerable software versions

Ubuntu: 22.04 - 24.10

ruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

libruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

ruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

libruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

ruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

libruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.10:*:*:*:*:*:*:*
• cpe:2.3::canonical:ruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3::canonical:libruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3:a:canonical:ruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:ruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7091-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Inefficient regular expression complexity

EUVDB-ID: #VU99358

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-49761

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when parsing an XML that has many digits between &# and x...; in a hex numeric character reference (&#x...;). A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Update the affected package ruby3.0 to the latest version.

Vulnerable software versions

Ubuntu: 22.04 - 24.10

ruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

libruby3.0 (Ubuntu package): before 3.0.2-7ubuntu2.8

ruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

libruby3.2 (Ubuntu package): before 3.2.3-1ubuntu0.24.04.3

ruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

libruby3.3 (Ubuntu package): before 3.3.4-2ubuntu5.1

CPE2.3

• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.10:*:*:*:*:*:*:*
• cpe:2.3::canonical:ruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3::canonical:libruby3.0_ubuntu_package:*:*:*:*:*:*:*:*
• cpe:2.3:a:canonical:ruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.2_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:ruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:a:canonical:libruby3.3_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7091-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.