Ruby 2.6.5, 2.5.7 and 2.4.8 released with vulnerability fixes

Corrective releases of the Ruby programming language, 2.6.5, 2.5.7 and 2.4.8, have been published, fixing four vulnerabilities. The most dangerous (CVE-2019-16255) is in the standard library Shell (lib/shell.rb) and allows code injection: if user-supplied data reaches the first argument of the Shell#[] or Shell#test methods, which are used to check for the presence of a file, an attacker can cause an arbitrary Ruby method to be called.
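The root of the Shell#[] / Shell#test problem is a dynamic dispatch whose method name is taken from the caller. The following is an added example, not code from Ruby's lib/shell.rb or from its fix: a wrapper that only forwards a file-test name to FileTest when it is on an allow-list, and uses public_send so that private Kernel methods can never be reached. The allow-list and the function names are this example's own choices.

```ruby
# Added example (not Ruby's lib/shell.rb): gate a user-supplied file test name
# behind an allow-list before dispatching it dynamically to FileTest.

# Predicates we are willing to run on behalf of untrusted callers.
# The list is this example's choice, not one taken from the advisory.
ALLOWED_FILE_TESTS = %w[
  exist? file? directory? readable? writable? executable?
  size? zero? symlink?
].freeze

# Returns the FileTest result for an allowed predicate and raises
# ArgumentError for any other name. Two layers of defence:
#   1. the name must be in ALLOWED_FILE_TESTS, so nothing outside the
#      intended set of predicates is ever dispatched;
#   2. public_send (not send) is used, so even a mistake in the list could
#      not reach a private method that FileTest inherits from Kernel.
def safe_file_test(op, path)
  op = op.to_s
  unless ALLOWED_FILE_TESTS.include?(op)
    raise ArgumentError, "disallowed file test: #{op.inspect}"
  end
  FileTest.public_send(op, path.to_s)
end

if $PROGRAM_NAME == __FILE__
  puts safe_file_test("directory?", Dir.pwd)   # true on any checkout
  begin
    safe_file_test("system", "echo constructed")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The check is deliberately an allow-list rather than a block-list: the set of harmless FileTest predicates is small and known, whereas the set of method names that must not be reachable through a dynamic dispatch is open-ended.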

Other problems:

  • CVE-2019-16254 - HTTP response splitting in the built-in WEBrick HTTP server (if a program inserts unverified data into an HTTP response header, the header can be split by inserting a newline character);
  • CVE-2019-15845 - a null character (\0) injected into file paths checked with the "File.fnmatch" and "File.fnmatch?" methods can be used to make the check pass falsely;
  • CVE-2019-16201 - denial of service in the Digest authentication module of WEBrick.
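The two input-handling issues in the list above (CVE-2019-16254 and CVE-2019-15845) share a shape: a control character that the Ruby code treats as ordinary data has special meaning one layer down, in the HTTP wire format or in the C-level string comparison. The following is an added example, not code from WEBrick or from Ruby's File class, showing guards an application can apply before either boundary is crossed. The function names and the header-name regex are this example's own.

```ruby
# Added example (not WEBrick or Ruby core code): reject control characters
# before they reach a layer that interprets them.

# Returns the value unchanged if it may be placed in an HTTP header, raises
# ArgumentError otherwise. CR or LF would terminate the header and let the
# remainder be read as a new header or as the body (response splitting);
# NUL is rejected as well because some parsers truncate on it. Rejecting
# rather than stripping means callers cannot rely on silent clean-up.
def safe_header_value(value)
  value = value.to_s
  if value.match?(/[\r\n\0]/)
    raise ArgumentError, "header value contains CR, LF or NUL: #{value.inspect}"
  end
  value
end

# Builds one header line only from validated parts. The name is limited to
# RFC 7230 token characters (regex is this example's own reading of the RFC).
def header_line(name, value)
  unless name.to_s.match?(/\A[-!#%&'*+.^_`|~$0-9A-Za-z]+\z/)
    raise ArgumentError, "bad header name: #{name.inspect}"
  end
  "#{name}: #{safe_header_value(value)}\r\n"
end

# File.fnmatch? wrapper that refuses NUL in either the pattern or the path.
# Fixed Rubies raise on an embedded NUL themselves; doing the check here gives
# the same behaviour on every version, with a message that names the input.
def safe_fnmatch?(pattern, path, flags = 0)
  [pattern, path].each do |s|
    raise ArgumentError, "NUL byte in #{s.inspect}" if s.to_s.include?("\0")
  end
  File.fnmatch?(pattern, path, flags)
end

if $PROGRAM_NAME == __FILE__
  print header_line("Location", "/login")            # Location: /login
  puts safe_fnmatch?("*.rb", "shell.rb")             # true
  begin
    header_line("Location", "/login\r\nX-Injected: constructed")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Both guards belong at the point where untrusted data enters the application, not only around the library call: a header value or path that has been validated once can then be passed around without each consumer repeating the check.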

Source: opennet.ru