Updated advisory posts against rubysec/ruby-advisory-db@4b6766f

Author: jasnow

advisories/_posts/2025-02-26-CVE-2025-27219.md

@@ -0,0 +1,43 @@
+---
+layout: advisory
+title: 'CVE-2025-27219 (cgi): CVE-2025-27219 - Denial of Service in CGI::Cookie.parse'
+comments: false
+categories:
+- cgi
+advisory:
+  gem: cgi
+  cve: 2025-27219
+  url: https://www.cve.org/CVERecord?id=CVE-2025-27219
+  title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
+  date: 2025-02-26
+  description: |
+    There is a possibility for DoS by in the cgi gem.
+    This vulnerability has been assigned the CVE identifier
+    CVE-2025-27219. We recommend upgrading the cgi gem.
+
+    ## Details
+
+    CGI::Cookie.parse took super-linear time to parse a cookie string
+    in some cases. Feeding a maliciously crafted cookie string into
+    the method could lead to a Denial of Service.
+
+    Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
+
+    ## Affected versions
+
+    cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
+
+    ## Credits
+
+    Thanks to lio346 for discovering this issue.
+    Also thanks to mame for fixing this vulnerability.
+  patched_versions:
+  - "~> 0.3.5.1"
+  - "~> 0.3.7"
+  - ">= 0.4.2"
+  related:
+    url:
+    - https://www.cve.org/CVERecord?id=CVE-2025-27219
+    - https://www.suse.com/security/cve/CVE-2025-27219.html
+    - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
+---

advisories/_posts/2025-02-26-CVE-2025-27220.md

@@ -0,0 +1,43 @@
+---
+layout: advisory
+title: 'CVE-2025-27220 (cgi): CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.'
+comments: false
+categories:
+- cgi
+advisory:
+  gem: cgi
+  cve: 2025-27220
+  url: https://www.cve.org/CVERecord?id=CVE-2025-27220
+  title: CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
+  date: 2025-02-26
+  description: |
+    There is a possibility for Regular expression Denial of Service (ReDoS)
+    by in the cgi gem. This vulnerability has been assigned the CVE
+    identifier CVE-2025-27220. We recommend upgrading the cgi gem.
+
+    ## Details
+
+    The regular expression used in CGI::Util#escapeElement is vulnerable
+    to ReDoS. The crafted input could lead to a high CPU consumption.
+
+    This vulnerability only affects Ruby 3.1 and 3.2. If you
+    are using these versions, please update CGI gem to version
+    0.3.5.1, 0.3.7, 0.4.2 or later.
+
+    ## Affected versions
+
+    cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
+
+    ## Credits
+
+    Thanks to svalkanov for discovering this issue.
+    Also thanks to nobu for fixing this vulnerability.
+  patched_versions:
+  - "~> 0.3.5.1"
+  - "~> 0.3.7"
+  - ">= 0.4.2"
+  related:
+    url:
+    - https://www.cve.org/CVERecord?id=CVE-2025-27220
+    - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
+---

advisories/_posts/2025-02-26-CVE-2025-27221.md

@@ -0,0 +1,48 @@
+---
+layout: advisory
+title: 'CVE-2025-27221 (uri): CVE-2025-27221 - userinfo leakage in URI#join, URI#merge
+  and URI#+.'
+comments: false
+categories:
+- uri
+advisory:
+  gem: uri
+  cve: 2025-27221
+  url: https://www.cve.org/CVERecord?id=CVE-2025-27221
+  title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
+  date: 2025-02-26
+  description: |2
+
+    There is a possibility for userinfo leakage by in the uri gem.
+    This vulnerability has been assigned the CVE identifier
+    CVE-2025-27221. We recommend upgrading the uri gem.
+
+    ## Details
+
+    The methods URI#join, URI#merge, and URI#+ retained userinfo, such
+    as user:password, even after the host is replaced. When generating
+    a URL to a malicious host from a URL containing secret userinfo
+    using these methods, and having someone access that URL, an
+    unintended userinfo leak could occur.
+
+    Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
+
+    ## Affected versions
+
+    uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and
+    1.0.0 to 1.0.2.
+
+    ## Credits
+
+    Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
+    Also thanks to nobu for additional fixes of this vulnerability.
+  patched_versions:
+  - "~> 0.11.3"
+  - "~> 0.12.4"
+  - "~> 0.13.2"
+  - ">= 1.0.3"
+  related:
+    url:
+    - https://www.cve.org/CVERecord?id=CVE-2025-27221
+    - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
+---