National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • Keyword (text search): Ruby
There are 394 matching records.
Displaying matches 41 through 60.
Vuln ID Summary CVSS Severity
CVE-2018-1000075

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6.

Published: March 13, 2018; 11:29:00 AM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-1000074

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6.

Published: March 13, 2018; 11:29:00 AM -04:00
V3: 7.8 HIGH
V2: 6.8 MEDIUM
CVE-2018-1000073

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6.

Published: March 13, 2018; 11:29:00 AM -04:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-1000119

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Published: March 07, 2018; 09:29:00 AM -05:00
V3: 5.9 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-16229

In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based buffer over-read in the read_from_str function in sax_buf.c when a crafted input is supplied to sax_parse.

Published: February 26, 2018; 05:29:00 PM -05:00
V3: 5.5 MEDIUM
V2: 4.3 MEDIUM
CVE-2017-16756

An issue was discovered in Userscape HelpSpot before 4.7.2. A cross-site request forgery vulnerability exists on POST requests to the "index.php?pg=password.change" endpoint. This allows an attacker to change the password of another user's HelpSpot account.

Published: February 19, 2018; 09:29:00 AM -05:00
V3: 8.8 HIGH
V2: 6.8 MEDIUM
CVE-2017-16755

An issue was discovered in Userscape HelpSpot before 4.7.2. A reflected cross-site scripting vulnerability exists in the "return" parameter of the "index.php?pg=moderated" endpoint. It executes when the return link is clicked.

Published: February 19, 2018; 09:29:00 AM -05:00
V3: 6.1 MEDIUM
V2: 4.3 MEDIUM
CVE-2018-0833

The Microsoft Server Message Block 2.0 and 3.0 (SMBv2/SMBv3) client in Windows 8.1 and RT 8.1 and Windows Server 2012 R2 allows a denial of service vulnerability due to how specially crafted requests are handled, aka "SMBv2/SMBv3 Null Dereference Denial of Service Vulnerability".

Published: February 14, 2018; 09:29:02 PM -05:00
V3: 5.3 MEDIUM
V2: 6.3 MEDIUM
CVE-2018-6574

Go before 1.8.7, Go 1.9.x before 1.9.4, and Go 1.10 pre-releases before Go 1.10rc2 allow "go get" remote command execution during source code build, by leveraging the gcc or clang plugin feature, because -fplugin= and -plugin= arguments were not blocked.

Published: February 07, 2018; 04:29:00 PM -05:00
V3: 7.8 HIGH
V2: 4.6 MEDIUM
CVE-2015-4412

BSON injection vulnerability in the legal? function in BSON (bson-ruby) gem before 3.0.4 for Ruby allows remote attackers to cause a denial of service (resource consumption) or inject arbitrary data via a crafted string.

Published: February 05, 2018; 11:29:00 AM -05:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2014-1835

The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to steal the login credentials by watching the process table.

Published: February 02, 2018; 04:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-1834

The perform_request function in /lib/echor/backplane.rb in echor 0.1.6 Ruby Gem allows local users to inject arbitrary code by adding a semi-colon in their username or password.

Published: February 02, 2018; 04:29:00 PM -05:00
V3: 7.8 HIGH
V2: 4.6 MEDIUM
CVE-2014-5004

lib/brbackup.rb in the brbackup gem 0.1.1 for Ruby places the database password on the mysql command line, which allows local users to obtain sensitive information by listing the process.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-5003

chef/travis-cookbooks/ci_environment/perlbrew/recipes/default.rb in the ciborg gem 3.0.0 for Ruby allows local users to write to arbitrary files and gain privileges via a symlink attack on /tmp/perlbrew-installer.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 5.5 MEDIUM
V2: 2.1 LOW
CVE-2014-5002

The lynx gem before 1.0.0 for Ruby places the configured password on command lines, which allows local users to obtain sensitive information by listing processes.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-5001

lib/ksymfony1.rb in the kcapifony gem 2.1.6 for Ruby places database user passwords on the (1) mysqldump, (2) pg_dump, (3) mysql, and (4) psql command lines, which allows local users to obtain sensitive information by listing the processes.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-5000

The login function in lib/lawn.rb in the lawn-login gem 0.0.7 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-4999

vendor/plugins/dataset/lib/dataset/database/mysql.rb in the kajam gem 1.0.3.rc2 for Ruby places the mysql user password on the (1) mysqldump command line in the capture function and (2) mysql command line in the restore function, which allows local users to obtain sensitive information by listing the process.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-4998

test/tc_database.rb in the lean-ruport gem 0.3.8 for Ruby places the mysql user password on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2014-4997

lib/commands/setup.rb in the point-cli gem 0.0.1 for Ruby places credentials on the curl command line, which allows local users to obtain sensitive information by listing the process.

Published: January 10, 2018; 01:29:00 PM -05:00
V3: 7.8 HIGH
V2: 2.1 LOW