U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Keyword (text search): Ruby
There are 512 matching records.
Displaying matches 361 through 380.
Vuln ID Summary CVSS Severity
CVE-2013-6414

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.

Published: December 06, 2013; 7:55:03 PM -0500
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-4492

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call.

Published: December 06, 2013; 7:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4491

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.

Published: December 06, 2013; 7:55:03 PM -0500
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4164

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.

Published: November 23, 2013; 2:55:03 PM -0500
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-2065

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.

Published: November 02, 2013; 3:55:04 PM -0400
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2013-4457

The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.

Published: November 02, 2013; 2:55:03 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-4363

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.

Published: October 17, 2013; 7:55:04 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4287

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.

Published: October 17, 2013; 7:55:04 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4389

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.

Published: October 16, 2013; 8:55:03 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-4203

The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

Published: October 11, 2013; 6:55:39 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2012-2126

RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.

Published: October 01, 2013; 1:55:03 PM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2012-2125

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.

Published: October 01, 2013; 1:55:03 PM -0400
V3.x:(not available)
V2.0: 5.8 MEDIUM
CVE-2013-4136

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

Published: September 30, 2013; 5:55:07 PM -0400
V3.x:(not available)
V2.0: 4.4 MEDIUM
CVE-2013-5647

lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: August 29, 2013; 8:07:56 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-4172

The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.

Published: August 23, 2013; 12:55:07 PM -0400
V3.x:(not available)
V2.0: 8.5 HIGH
CVE-2013-4761

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby programs from the master via the resource_type service. NOTE: this vulnerability can only be exploited utilizing unspecified "local file system access" to the Puppet Master.

Published: August 20, 2013; 6:55:04 PM -0400
V3.x:(not available)
V2.0: 5.1 MEDIUM
CVE-2013-3567

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arbitrary code via a crafted REST API call.

Published: August 19, 2013; 7:55:08 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-4073

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

Published: August 17, 2013; 10:52:22 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2012-4481

The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.

Published: May 02, 2013; 10:55:05 AM -0400
V3.x:(not available)
V2.0: 4.3 MEDIUM
CVE-2013-1948

converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH