CVE search results

71 – 80 of 84 results

Detailed view

Sort by:

CVE-2017-0901

Medium priority

Some fixes available 4 of 23

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

4 affected packages

jruby, ruby2.0, ruby1.9.1, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	Needs evaluation	—	Vulnerable	Vulnerable
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release

CVE-2017-0900

Negligible priority

Some fixes available 2 of 22

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

4 affected packages

ruby1.9.1, ruby2.3, ruby2.0, jruby

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release
ruby2.0	Not in release	Not in release	Not in release	Not in release
jruby	Needs evaluation	—	Vulnerable	Vulnerable

CVE-2017-0899

Negligible priority

Some fixes available 2 of 22

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

4 affected packages

ruby1.9.1, jruby, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
jruby	Needs evaluation	—	Vulnerable	Vulnerable
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release

CVE-2017-11465

Medium priority

Not affected

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	—
ruby2.0	—	—	—	—
ruby2.3	—	—	—	—

CVE-2015-9096

Medium priority

Some fixes available 4 of 5

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	—	—
ruby2.0	—	—	—	—
ruby2.3	—	—	—	—

CVE-2017-6181

Medium priority

Not affected

The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a...

4 affected packages

ruby1.8, ruby2.0, ruby1.9.1, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.8	—	—	—	—
ruby2.0	—	—	—	—
ruby1.9.1	—	—	—	—
ruby2.3	—	—	—	—

CVE-2009-5147

Low priority

Some fixes available 1 of 5

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

6 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.8	—	—	—	—
ruby1.9.1	—	—	—	—
ruby2.0	—	—	—	—
ruby2.1	—	—	—	—
ruby2.2	—	—	—	—
ruby2.3	—	—	—	—

CVE-2016-7798

Low priority

Some fixes available 5 of 16

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

7 affected packages

ruby-attr-encrypted, ruby-encryptor, ruby1.8, ruby1.9.1, ruby2.0...

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby-attr-encrypted	Not affected	Not affected	Not affected	Not in release
ruby-encryptor	Not affected	Not affected	Not affected	Not in release
ruby1.8	Not in release	Not in release	Not in release	Not in release
ruby1.9.1	Not in release	Not in release	Not in release	Not in release
ruby2.0	Not in release	Not in release	Not in release	Not in release
ruby2.1	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release

CVE-2016-2336

Medium priority

Not affected

Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution.

1 affected package

ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby2.3	—	—	—	—

CVE-2016-2339

Low priority

Some fixes available 2 of 4

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length....

4 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.3

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.8	—	—	—	—
ruby1.9.1	—	—	—	—
ruby2.0	—	—	—	—
ruby2.3	—	—	—	—

Export to JSON

Results by page:

Search CVE reports