Commit f7ab139

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@51a3111
1 parent 24ebb54 commit f7ab139

3 files changed

Lines changed: 142 additions & 0 deletions

Lines changed: 40 additions & 0 deletions
@@ -0,0 +1,40 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-49342 (yard): YARD static cache reads raw traversal paths before
4+
router sanitization'
5+
comments: false
6+
categories:
7+
- yard
8+
advisory:
9+
gem: yard
10+
cve: 2026-49342
11+
ghsa: pxcc-8665-phx8
12+
url: https://nvd.nist.gov/vuln/detail/CVE-2026-49342
13+
title: YARD static cache reads raw traversal paths before router sanitization
14+
date: 2026-06-23
15+
description: |-
16+
## Summary
17+
18+
YARD's static cache lookup reads a request path before the router's
19+
path cleanup runs. When a server is configured with a document root,
20+
a traversal path such as `/../yard-cache-secret.html` is joined
21+
against that root and can return a readable sibling `.html` file
22+
outside the intended static tree.
23+
24+
The potential security risk seems low, as only html-ending files can
25+
be read, but still the risk of reading arbitrary html files is a
26+
confiendtiality issue in itself, which is why we decided to report.
27+
Please let us know if this is out of your project's scope.
28+
cvss_v3: 5.3
29+
patched_versions:
30+
- ">= 0.9.44"
31+
related:
32+
url:
33+
- https://nvd.nist.gov/vuln/detail/CVE-2026-49342
34+
- https://rubygems.org/gems/yard/versions/0.9.44
35+
- https://github.com/lsegal/yard/compare/v0.9.43...v0.9.44
36+
- https://github.com/lsegal/yard/commit/f78c19f0dd33a407085b4ed181bb60c0aa0078b4
37+
- https://github.com/advisories/GHSA-pxcc-8665-phx8
38+
- https://github.com/lsegal/yard/security/advisories/GHSA-pxcc-8665-phx8
39+
notes: "- `date` value came from nvd.nist.gov web site.\n"
40+
---
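Review bot: the `description` block carries reporter-to-maintainer text that does not belong on a published advisory page: `Please let us know if this is out of your project's scope.` is a message to the YARD maintainers rather than a description of the issue, and `confiendtiality` is a typo for `confidentiality`. Suggest keeping the two summary paragraphs, dropping that final sentence, and fixing the spelling (or, if the text must mirror the upstream GHSA verbatim, say so in `notes`). Also, `notes` here is a double-quoted scalar with an escaped `\n` while the other two files in this commit use a `|` block scalar; the block form is easier to read and to extend.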
Lines changed: 53 additions & 0 deletions
@@ -0,0 +1,53 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-44162 (fluent-plugin-s3): fluent-plugin-s3 Vulnerable to Denial of
4+
Service (DoS) via Decompression Bomb in `in_s3`'
5+
comments: false
6+
categories:
7+
- fluent-plugin-s3
8+
advisory:
9+
gem: fluent-plugin-s3
10+
cve: 2026-44162
11+
ghsa: xv9w-7v6q-hpjh
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44162
13+
title: fluent-plugin-s3 Vulnerable to Denial of Service (DoS) via Decompression
14+
Bomb in `in_s3`
15+
date: 2026-06-25
16+
description: |-
17+
"The `fluent-plugin-s3` plugin (specifically the `in_s3` input plugin)
18+
supports reading and decompressing heavily compressed files (such as
19+
`gzip`, `lzma2`, and `lzop`) from Amazon S3. It was discovered that
20+
the plugin read the entire decompressed payload into memory at once
21+
without enforcing a strict size limit.
22+
23+
If an attacker has sufficient permissions to upload files to the
24+
monitored S3 bucket, they can upload a maliciously crafted, highly
25+
compressed file. When Fluentd attempts to decompress this file, it
26+
will expand to an excessive size and it will consume significant
27+
system resources.
28+
29+
## Impact
30+
31+
This vulnerability allows for a **Denial of Service (DoS)** attack
32+
via memory exhaustion. The rapid memory consumption during decompression
33+
can lead to an Out-of-Memory kill of the Fluentd process by the
34+
operating system, This results in the disruption of all log collection
35+
on the affected node.
36+
cvss_v3: 2.7
37+
unaffected_versions:
38+
- "< 0.7.0"
39+
patched_versions:
40+
- ">= 1.8.5"
41+
related:
42+
url:
43+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44162
44+
- https://rubygems.org/gems/fluent-plugin-s3/versions/1.8.5
45+
- https://github.com/fluent/fluent-plugin-s3/blob/master/ChangeLog
46+
- https://github.com/fluent/fluent-plugin-s3/commit/e085aee001d15bcc4bd073507e74075e30550fd0
47+
- https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163
48+
- https://github.com/fluent/fluent-plugin-s3/security/advisories/GHSA-xv9w-7v6q-hpjh
49+
- https://github.com/advisories/GHSA-xv9w-7v6q-hpjh
50+
notes: |
51+
- CVE is reserved, but not published so no non-GHSA cvss values.
52+
- `date` value cames from Rubygems.org URL release date.
53+
---
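Review bot: two data problems in this file. The `description` scalar opens with a stray double quote (`"The \`fluent-plugin-s3\` plugin ...`) that is never closed, so the rendered advisory will begin with a literal `"`; drop it. Under `related: url:` the entry `https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163` points at the sibling opentelemetry advisory, not at this gem or at CVE-2026-44162; it looks copied from the other file in this commit, so either replace it with the fluent-plugin-s3 entry or drop it. Smaller points: `operating system, This results` is a comma splice (a full stop is needed), and `cames` in `notes` should be `came`.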
Lines changed: 49 additions & 0 deletions
@@ -0,0 +1,49 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-44163 (fluent-plugin-opentelemetry): fluent-plugin-opentelemetry
4+
Has Denial of Service (DoS) via Large Payloads and Decompression Bombs in `in_opentelemetry`'
5+
comments: false
6+
categories:
7+
- fluent-plugin-opentelemetry
8+
advisory:
9+
gem: fluent-plugin-opentelemetry
10+
cve: 2026-44163
11+
ghsa: 2jc5-xhx8-qj6h
12+
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163
13+
title: fluent-plugin-opentelemetry Has Denial of Service (DoS) via Large Payloads
14+
and Decompression Bombs in `in_opentelemetry`
15+
date: 2026-06-25
16+
description: |-
17+
The `fluent-plugin-opentelemetry` plugin (specifically the
18+
`in_opentelemetry` HTTP input) lacked strict size limits on incoming
19+
requests. It was discovered that the plugin read the entire request
20+
body and decompressed payloads into memory without enforcing maximum
21+
size thresholds. If the OpenTelemetry ingestion endpoint is exposed to
22+
untrusted networks, an attacker can send an excessively large HTTP
23+
request or a maliciously crafted, highly compressed payload.
24+
When the plugin attempts to read or decompress this payload, it will
25+
expand to an excessive size and it will consume significant system resources.
26+
27+
### Impact
28+
29+
This vulnerability allows for a **Denial of Service (DoS)** attack
30+
via memory exhaustion. The rapid memory consumption during decompression
31+
can easily lead to an Out-of-Memory kill of the Fluentd process by the
32+
operating system. This results in the disruption of all log collection
33+
and forwarding capabilities on the affected node.
34+
cvss_v3: 5.3
35+
patched_versions:
36+
- ">= 0.5.3"
37+
related:
38+
url:
39+
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-44163
40+
- https://rubygems.org/gems/fluent-plugin-opentelemetry/versions/0.5.3
41+
- https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/blob/main/CHANGELOG.md#053---2026-06-25
42+
- https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/commit/ce6c1f2a7741592c8a79afbe75fded9e8ebfa92d
43+
- https://advisories.gitlab.com/gem/fluent-plugin-opentelemetry/CVE-2026-44163
44+
- https://github.com/advisories/GHSA-2jc5-xhx8-qj6h
45+
- https://github.com/fluent-plugins-nursery/fluent-plugin-opentelemetry/security/advisories/GHSA-2jc5-xhx8-qj6h
46+
notes: |
47+
- CVE is reserved, but not published so no non-GHSA cvss values.
48+
- `date` value cames from Rubygems.org URL release date.
49+
---
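Review bot: minor consistency points. The `### Impact` heading is one level deeper than the level-2 headings (`## Summary`, `## Impact`) used in the other two advisories added in this commit; `## Impact` keeps the rendered pages uniform. `cames` in `notes` should be `came`, the same typo as in the sibling file. Since `notes` records that the CVE is reserved but not published, it would help to state explicitly that `cvss_v3: 5.3` is the GHSA-assigned score.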
