[Git][security-tracker-team/security-tracker][master] Add CVE-2025-54314/ruby-thor
Salvatore Bonaccorso (@carnil)
carnil at debian.org
Sun Jul 20 21:27:01 BST 2025
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
295b386a by Salvatore Bonaccorso at 2025-07-20T22:26:39+02:00
Add CVE-2025-54314/ruby-thor
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -115,7 +115,11 @@ CVE-2025-7855 (A vulnerability classified as critical was found in Tenda FH451 1
CVE-2025-7854 (A vulnerability classified as critical has been found in Tenda FH451 1 ...)
NOT-FOR-US: Tenda
CVE-2025-54314 (Thor before 1.4.0 can construct an unsafe shell command from library i ...)
- TODO: check
+ - ruby-thor <unfixed>
+ NOTE: https://hackerone.com/reports/3260153
+ NOTE: https://github.com/rails/thor/pull/897
+ NOTE: Fixed by: https://github.com/rails/thor/commit/f7418232b167cbb5c8071b7d0491aef82948feff (v1.4.0)
+ TODO: check security impact of embedded copies (e.g. ruby3.3, ruby-foreman, rubygems)
CVE-2025-53770 (Deserialization of untrusted data in on-premises Microsoft SharePoint ...)
NOT-FOR-US: Microsoft
CVE-2025-XXXX [exposes .zip passwords while (un)archiving]
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/295b386a04487a0941ac85d0e5242c6aa0590fbd
--
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/295b386a04487a0941ac85d0e5242c6aa0590fbd
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/debian-security-tracker-commits/attachments/20250720/97eaa2ee/attachment.htm>
More information about the debian-security-tracker-commits
mailing list