Corrective releases of the programming language Ruby 3.0.1, 2.7.3, 2.6.7 and 2.5.9 are formed, in which two vulnerabilities are eliminated:
- CVE-2021-28965 – Vulnerability in the rexml built-in module, which, when analyzing and serializing a specially decorated XML document, can lead to the creation of an incorrect XML document, the structure of which does not coincide with the original. The danger of vulnerability strongly depends on the context, but the organization of attacks on some applications using REXML are not excluded.
- CVE-2021-28966 – a Windows-specific vulnerability platform, which allows you to create an arbitrary directory or file in parts of the FS, in which the record is allowed for the user, with the rights of which runs the Ruby process. The problem is caused by incorrect processing of the prefix in the dir.mktmpdir method, in which the substitution of the design of the form “is not excluded.” \ “. For attack, the process should use external data when forming the prefix value.
/Media reports.