U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*
  • CPE Name Search: true
There are 37 matching records.
Displaying matches 21 through 37.
Vuln ID Summary CVSS Severity
CVE-2017-14033

The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

Published: September 19, 2017; 1:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2017-10784

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

Published: September 19, 2017; 1:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 9.3 HIGH
CVE-2017-0898

Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.

Published: September 15, 2017; 3:29:00 PM -0400
V3.0: 9.1 CRITICAL
V2.0: 6.4 MEDIUM
CVE-2017-14064

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is not the length stored in space_len.

Published: August 31, 2017; 1:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-2339

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow.

Published: January 06, 2017; 4:59:00 PM -0500
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-2337

Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.

Published: January 06, 2017; 4:59:00 PM -0500
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2016-2336

Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution.

Published: January 06, 2017; 4:59:00 PM -0500
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2013-4413

Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.

Published: March 11, 2014; 3:37:02 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-2119

CVE-2013-2119 rubygem-passenger: incorrect temporary file usage

Published: January 03, 2014; 1:54:11 PM -0500
V3.x:(not available)
V2.0: 4.6 MEDIUM
CVE-2013-4136

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

Published: September 30, 2013; 5:55:07 PM -0400
V3.x:(not available)
V2.0: 4.4 MEDIUM
CVE-2013-5647

lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: August 29, 2013; 8:07:56 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-1948

converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2013-1947

kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2013-1933

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2013-0233

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-0175

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-1911

lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.

Published: April 02, 2013; 8:55:02 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM