| Max CVSS | 7.8 | Min CVSS | 5.0 | Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published | |
| CVE-2019-8324 | 6.8 |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadabl
|
24-08-2020 - 17:37 | 17-06-2019 - 19:15 | |
| CVE-2019-8325 | 5.0 |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
|
19-08-2020 - 19:01 | 17-06-2019 - 19:15 | |
| CVE-2018-16395 | 7.5 |
An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared using ==, depending on the ordering, non-equal objects may
|
03-10-2019 - 00:03 | 16-11-2018 - 18:29 | |
| CVE-2018-8780 | 7.5 |
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. When using the corresponding method, unintentional director
|
21-07-2019 - 12:15 | 03-04-2018 - 22:29 | |
| CVE-2013-4073 | 6.8 |
The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name fie
|
13-08-2018 - 21:47 | 18-08-2013 - 02:52 | |
| CVE-2017-17790 | 7.5 |
The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-201
|
03-08-2018 - 01:29 | 20-12-2017 - 09:29 | |
| CVE-2013-4164 | 6.8 |
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute
|
09-01-2018 - 02:29 | 23-11-2013 - 19:55 | |
| CVE-2011-4815 | 7.8 |
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an applicatio
|
29-08-2017 - 01:30 | 30-12-2011 - 01:55 | |
| CVE-2011-3009 | 5.0 |
Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a
|
29-08-2017 - 01:29 | 05-08-2011 - 22:55 | |
| CVE-2014-8090 | 5.0 |
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string
|
03-01-2017 - 02:59 | 21-11-2014 - 15:59 | |
| CVE-2013-1821 | 5.0 |
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. Per: http://www.r
|
08-12-2016 - 03:03 | 09-04-2013 - 21:55 | |
| CVE-2011-1005 | 5.0 |
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
|
13-08-2013 - 17:00 | 02-03-2011 - 20:00 |