Ruby 3.0.1 update with vulnerabilities fixed

Maintenance releases of the Ruby programming language, 3.0.1, 2.7.3, 2.6.7 and 2.5.9, have been published; they fix two vulnerabilities:

  • CVE-2021-28965 is a vulnerability in the built-in REXML module: when parsing and then serializing a specially crafted XML document, REXML can produce an incorrect XML document whose structure does not match the original. The severity depends heavily on the context in which REXML is used, but attacks against some applications that rely on it cannot be ruled out.
  • CVE-2021-28966 is a Windows-specific vulnerability that allows an arbitrary directory or file to be created in any part of the file system writable by the user account under which the Ruby process runs. The problem is caused by incorrect handling of the prefix in the Dir.mktmpdir method, which does not reject prefixes containing sequences such as "..\\". The vulnerability is exploitable only if the process builds the prefix value from external data.
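The second item describes a prefix that is passed to Dir.mktmpdir without validation. The following is an added example, not code from the Ruby project or from the original article, showing how an application can validate such a prefix before handing it to the library and then confirm, independently of the library's own handling, that the directory it created really lives under the intended temp root. The function names `safe_tmp_prefix?` and `safe_mktmpdir`, the allow-list `SAFE_PREFIX` and the sample prefixes are all constructed for this example.

```ruby
require 'tmpdir'

# Allow-list for a temp-directory prefix: letters, digits, underscore and
# hyphen only. Anything that could act as a path component ("..", "/", "\\",
# a drive letter, NUL) fails the match, on every platform. (Constructed for
# this example; not the check used inside Ruby's tmpdir library.)
SAFE_PREFIX = /\A[A-Za-z0-9_-]{1,64}\z/.freeze

# Returns true when +prefix+ is safe to pass to Dir.mktmpdir.
def safe_tmp_prefix?(prefix)
  prefix.is_a?(String) && SAFE_PREFIX.match?(prefix)
end

# Creates a temporary directory under +base+ (defaults to Dir.tmpdir) using a
# validated prefix and yields its absolute path. After creation it verifies
# that the resulting path resolves inside +base+, so a prefix-handling bug in
# the library cannot leave the caller working outside the temp root.
# Returns whatever the block returns; the directory is removed afterwards.
def safe_mktmpdir(prefix, base = Dir.tmpdir)
  unless safe_tmp_prefix?(prefix)
    raise ArgumentError, "unsafe tmpdir prefix: #{prefix.inspect}"
  end

  Dir.mktmpdir(prefix, base) do |dir|
    root    = File.expand_path(base)
    created = File.expand_path(dir)
    unless created.start_with?(root + File::SEPARATOR)
      raise SecurityError, "temp dir escaped base directory: #{created}"
    end
    yield created
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample prefixes: one acceptable, two shaped like traversal.
  ["upload", "..\\evil", "../evil"].each do |p|
    puts "#{p.inspect}: #{safe_tmp_prefix?(p) ? 'accepted' : 'rejected'}"
  end
  puts safe_mktmpdir("upload") { |d| "created #{d}" }
end
```

The allow-list deliberately excludes dots altogether rather than trying to enumerate dangerous sequences, which avoids having to reason about platform-specific separators such as `\` on Windows; the post-creation check is a second line of defence that stays useful even on a patched interpreter.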

Source: opennet.ru
