Oooooo_Q

**Name of the Vulnerable Software and Affected Versions** Action Text versions 6.0.0 through 6.1.7.8 Action Text versions 7.0.0 through 7.0.8.4 Action Text versions 7.1.0 through 7.1.4.0 Action Text versions 7.2.0 through 7.2.1.0 **Description** The issue is related to the `plain text for blockquote node` helper in Action Text, which can cause a denial of service due to a possible ReDoS vulnerability. Carefully crafted text can make the `plain text for blockquote node` helper take an unexpected amount of time. This problem can be mitigated in Ruby 3.2 or newer, so Rails applications using Ruby 3.2 or newer are unaffected. **Recommendations** For Action Text versions 6.0.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch. For Action Text versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch. For Action Text versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch. For Action Text versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch. As a temporary workaround, users can avoid calling `plain text for blockquote node` or upgrade to Ruby 3.2.

**Name of the Vulnerable Software and Affected Versions** RDoc versions 6.3.3 through 6.6.2 **Description** The issue is related to the restoration of untrusted data in memory by the RDoc documentation generator for the Ruby programming language. This can be exploited to execute arbitrary code using specially crafted files with the .rdoc options extension. When parsing .rdoc options as a YAML file, object injection and resultant remote code execution are possible due to the lack of restrictions on the classes that can be restored. Additionally, when loading the documentation cache, object injection and resultant remote code execution are also possible if a crafted cache exists. **Recommendations** For Ruby 3.0 users, update to rdoc 6.3.4.1. For Ruby 3.1 users, update to rdoc 6.4.1.1. For Ruby 3.2 users, update to rdoc 6.5.1.1. For other users, update the RDoc gem to version 6.6.3.1 or later. You can use `gem update rdoc` to update it. If you are using bundler, please add `gem "rdoc", ">= 6.6.3.1"` to your `Gemfile`. As a temporary workaround, consider restricting access to the `.rdoc options` file to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** URI versions prior to 0.12.2 URI version 0.10.3 is a fixed version, implying versions prior to 0.10.3 and between 0.10.3 and 0.12.2 are vulnerable, but for clarity and conciseness, we focus on the range prior to 0.12.2 as the primary affected range. **Description** A ReDoS issue was discovered in the URI component for Ruby, related to the mishandling of invalid URLs containing specific characters by the URI parser. This leads to an increase in execution time for parsing strings to URI objects, particularly affecting rfc2396 parser.rb and rfc3986 parser.rb. The issue exists due to an incomplete fix for a previous problem. Exploitation of this vulnerability can allow a remote attacker to cause a denial of service. **Recommendations** For versions prior to 0.12.2, update to version 0.12.2 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `rfc2396 parser.rb` and `rfc3986 parser.rb` components until a patch is applied. Avoid using the vulnerable URI parser for handling untrusted or potentially malicious URLs until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Time component versions through 0.2.1 Ruby versions through 3.2.1 **Description** A ReDoS issue was discovered in the Time component, where the Time parser mishandles invalid URLs with specific characters, causing an increase in execution time for parsing strings to Time objects. This issue is related to the use of a regular expression with inefficient computational complexity, which can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Time component versions through 0.2.1, update to version 0.2.2 to resolve the issue. For Ruby versions through 3.2.1, ensure that the Time component is updated to a fixed version, such as 0.2.2, to mitigate the risk of exploitation. As a temporary workaround, consider restricting the use of the Time parser to minimize the risk of exploitation until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ruby versions through 2.6.8 CGI gem versions through 0.3.0 **Description** The issue is related to the CGI::Cookie.parse function in Ruby, which mishandles security prefixes in cookie names. This allows a remote attacker to impact data integrity. The estimated number of potentially affected devices worldwide is not specified. There is no information about real-world incidents where this issue was exploited. **Recommendations** For Ruby versions through 2.6.8, update to a version later than 2.6.8 to resolve the issue. For CGI gem versions through 0.3.0, update to a version later than 0.3.0 to resolve the issue. As a temporary workaround, consider restricting the use of the `CGI::Cookie.parse` function until a patch is available.