Search Results (Refine Search)
- CPE Product Version: cpe:/a:ruby-lang:ruby:2.0.0:rc1
Vuln ID | Summary | CVSS Severity |
---|---|---|
CVE-2015-9096 |
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. Published: June 12, 2017; 4:29:00 PM -0400 |
V3.0: 6.1 MEDIUM V2.0: 4.3 MEDIUM |
CVE-2014-4975 |
Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. Published: November 15, 2014; 3:59:01 PM -0500 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2014-2734 |
The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher Published: April 24, 2014; 7:55:05 PM -0400 |
V3.x:(not available) V2.0: 5.8 MEDIUM |
CVE-2013-2065 |
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions. Published: November 02, 2013; 3:55:04 PM -0400 |
V3.x:(not available) V2.0: 6.4 MEDIUM |
CVE-2013-4363 |
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287. Published: October 17, 2013; 7:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4287 |
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. Published: October 17, 2013; 7:55:04 PM -0400 |
V3.x:(not available) V2.0: 4.3 MEDIUM |
CVE-2013-4073 |
The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. Published: August 17, 2013; 10:52:22 PM -0400 |
V3.x:(not available) V2.0: 6.8 MEDIUM |
CVE-2012-4466 |
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. Published: April 25, 2013; 7:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2012-4464 |
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression. Published: April 25, 2013; 7:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-1821 |
lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. Published: April 09, 2013; 5:55:01 PM -0400 |
V3.x:(not available) V2.0: 5.0 MEDIUM |
CVE-2013-1655 |
Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Published: March 20, 2013; 12:55:01 PM -0400 |
V3.x:(not available) V2.0: 7.5 HIGH |
CVE-2013-0256 |
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. Published: March 01, 2013; 12:40:17 AM -0500 |
V3.x:(not available) V2.0: 4.3 MEDIUM |