Search Results
- Keyword (text search): Ruby
Vuln ID | Summary | CVSS Severity
---|---|---
CVE-2013-2095 | rubygem-openshift-origin-controller: API can be used to create applications via cartridge_cache.rb URI.parse() to perform command injection. Published: December 10, 2019; 9:15:10 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: 7.5 HIGH
CVE-2015-1855 | verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. Published: November 29, 2019; 4:15:10 PM -0500 | V3.1: 5.9 MEDIUM; V2.0: 4.3 MEDIUM
CVE-2019-16255 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to call an arbitrary Ruby method. Published: November 26, 2019; 1:15:15 PM -0500 | V3.1: 8.1 HIGH; V2.0: 6.8 MEDIUM
CVE-2019-16254 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF. Published: November 26, 2019; 1:15:15 PM -0500 | V3.1: 5.3 MEDIUM; V2.0: 5.0 MEDIUM
CVE-2019-16201 | WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network. Published: November 26, 2019; 1:15:15 PM -0500 | V3.1: 7.5 HIGH; V2.0: 7.8 HIGH
CVE-2019-15845 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. Published: November 26, 2019; 12:15:11 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: 6.4 MEDIUM
CVE-2011-4121 | The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt the integrity of services, depending on the strong private RSA key generation mechanism. Published: November 26, 2019; 12:15:13 AM -0500 | V3.1: 9.8 CRITICAL; V2.0: 7.5 HIGH
CVE-2011-3624 | Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. Published: November 25, 2019; 10:15:10 PM -0500 | V3.1: 5.3 MEDIUM; V2.0: 5.0 MEDIUM
CVE-2014-0084 | Ruby gem openshift-origin-node before 2014-02-14 does not contain a cronjob timeout, which could result in a denial of service in cron.daily and cron.weekly. Published: November 21, 2019; 10:15:11 AM -0500 | V3.1: 5.5 MEDIUM; V2.0: 2.1 LOW
CVE-2014-0083 | The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA passwords. Published: November 21, 2019; 9:15:13 AM -0500 | V3.1: 5.5 MEDIUM; V2.0: 2.1 LOW
CVE-2012-6135 | RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process. Published: November 19, 2019; 12:15:11 PM -0500 | V3.1: 7.5 HIGH; V2.0: 6.4 MEDIUM
CVE-2011-5331 | Distributed Ruby (aka DRuby) 1.8 mishandles instance_eval. Published: November 18, 2019; 1:15:09 PM -0500 | V3.1: 9.8 CRITICAL; V2.0: 7.5 HIGH
CVE-2011-5330 | Distributed Ruby (aka DRuby) 1.8 mishandles the sending of syscalls. Published: November 18, 2019; 1:15:09 PM -0500 | V3.1: 9.8 CRITICAL; V2.0: 7.5 HIGH
CVE-2019-18978 | An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. Published: November 14, 2019; 4:15:12 PM -0500 | V3.1: 5.3 MEDIUM; V2.0: 5.0 MEDIUM
CVE-2010-3299 | The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks. Published: November 12, 2019; 4:15:10 PM -0500 | V3.1: 6.5 MEDIUM; V2.0: 4.3 MEDIUM
CVE-2019-18848 | The json-jwt gem before 1.11.0 for Ruby lacks an element count during the splitting of a JWE string. Published: November 12, 2019; 10:15:10 AM -0500 | V3.1: 7.5 HIGH; V2.0: 5.0 MEDIUM
CVE-2019-18841 | Chartkick.js 3.1.0 through 3.1.3, as used in the Chartkick gem before 3.3.0 for Ruby, allows prototype pollution. Published: November 10, 2019; 8:15:10 PM -0500 | V3.1: 7.3 HIGH; V2.0: 7.5 HIGH
CVE-2019-12410 | While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365 it was discovered that Apache Arrow versions 0.12.0 to 0.14.1 left memory Array data uninitialized when reading RLE null data from parquet. This affected the C++, Python, Ruby and R implementations. The uninitialized memory could potentially be shared if Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats. Published: November 08, 2019; 2:15:10 PM -0500 | V3.1: 7.5 HIGH; V2.0: 5.0 MEDIUM
CVE-2019-12408 | It was discovered that the C++ implementation (which underlies the R, Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had an uninitialized memory bug when building arrays with null values in some cases. This can lead to uninitialized memory being unintentionally shared if Arrow Arrays are transmitted over the wire (for instance with Flight) or persisted in the streaming IPC and file formats. Published: November 08, 2019; 2:15:10 PM -0500 | V3.1: 7.5 HIGH; V2.0: 5.0 MEDIUM
CVE-2013-1945 | ruby193 uses an insecure LD_LIBRARY_PATH setting. Published: October 31, 2019; 4:15:10 PM -0400 | V3.1: 3.3 LOW; V2.0: 2.1 LOW