National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Ruby
There are 422 matching records.
Displaying matches 281 through 300.
Vuln ID Summary CVSS Severity
CVE-2013-1948

converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 10.0 HIGH
CVE-2013-1947

kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 9.3 HIGH
CVE-2013-1933

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 9.3 HIGH
CVE-2013-0233

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 6.8 MEDIUM
CVE-2013-0175

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2012-4466

Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 5.0 MEDIUM
CVE-2012-4464

Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.

Published: April 25, 2013; 07:55:01 PM -04:00
V2: 5.0 MEDIUM
CVE-2013-3221

The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.

Published: April 21, 2013; 11:27:13 PM -04:00
V2: 6.4 MEDIUM
CVE-2013-1821

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.

Published: April 09, 2013; 05:55:01 PM -04:00
V2: 5.0 MEDIUM
CVE-2013-1898

lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Published: April 09, 2013; 04:55:02 PM -04:00
V2: 7.5 HIGH
CVE-2013-1802

The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 09, 2013; 04:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2013-1801

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 09, 2013; 04:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2013-1800

The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 09, 2013; 04:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2013-0285

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 09, 2013; 04:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2013-0284

Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data.

Published: April 09, 2013; 04:55:01 PM -04:00
V2: 5.0 MEDIUM
CVE-2012-6134

Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.

Published: April 09, 2013; 04:55:01 PM -04:00
V2: 6.8 MEDIUM
CVE-2013-1911

lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.

Published: April 02, 2013; 08:55:02 PM -04:00
V2: 6.8 MEDIUM
CVE-2013-2617

lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Published: March 20, 2013; 06:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2013-2616

lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Published: March 20, 2013; 06:55:01 PM -04:00
V2: 7.5 HIGH
CVE-2013-2615

lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

Published: March 20, 2013; 06:55:01 PM -04:00
V2: 7.5 HIGH