Search Results
- Keyword (text search): Ruby
- Search Type: Search All
| Vuln ID | Summary | Published | CVSS Severity |
|---|---|---|---|
| CVE-2014-0130 | Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request. | May 07, 2014; 6:55:04 AM -0400 | V3.x: (not available); V2.0: 4.3 MEDIUM |
| CVE-2014-2322 | lib/string_utf_support.rb in the Arabic Prawn 0.0.1 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) downloaded_file or (2) url variable. | May 02, 2014; 10:55:07 AM -0400 | V3.x: (not available); V2.0: 7.5 HIGH |
| CVE-2013-7111 | The put_call function in the API client (api/api_client.rb) in the BaseSpace Ruby SDK (aka bio-basespace-sdk) gem 0.1.7 for Ruby uses the API_KEY on the command line, which allows remote attackers to obtain sensitive information by listing the processes. | April 29, 2014; 10:38:46 AM -0400 | V3.x: (not available); V2.0: 5.0 MEDIUM |
| CVE-2014-2734 | The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher. | April 24, 2014; 7:55:05 PM -0400 | V3.x: (not available); V2.0: 5.8 MEDIUM |
| CVE-2014-2888 | lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request. | April 23, 2014; 11:55:04 AM -0400 | V3.x: (not available); V2.0: 7.5 HIGH |
| CVE-2013-2105 | The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html. | April 22, 2014; 10:23:33 AM -0400 | V3.x: (not available); V2.0: 3.3 LOW |
| CVE-2014-0036 | The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors. | April 17, 2014; 10:55:06 AM -0400 | V3.x: (not available); V2.0: 6.8 MEDIUM |
| CVE-2014-2538 | Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack. | March 25, 2014; 2:21:48 PM -0400 | V3.x: (not available); V2.0: 4.3 MEDIUM |
| CVE-2013-4413 | Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step. | March 11, 2014; 3:37:02 PM -0400 | V3.x: (not available); V2.0: 5.0 MEDIUM |
| CVE-2014-0082 | actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers. | February 20, 2014; 10:27:09 AM -0500 | V3.x: (not available); V2.0: 5.0 MEDIUM |
| CVE-2014-0081 | Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper. | February 20, 2014; 10:27:09 AM -0500 | V3.x: (not available); V2.0: 4.3 MEDIUM |
| CVE-2014-0080 | SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL is used, allows remote attackers to execute "add data" SQL commands via vectors involving \ (backslash) characters that are not properly handled in operations on array columns. | February 20, 2014; 10:27:02 AM -0500 | V3.x: (not available); V2.0: 6.8 MEDIUM |
| CVE-2013-6443 | CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request. | January 22, 2014; 8:55:03 PM -0500 | V3.x: (not available); V2.0: 6.8 MEDIUM |
| CVE-2014-1234 | The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process. | January 10, 2014; 7:02:51 AM -0500 | V3.x: (not available); V2.0: 2.1 LOW |
| CVE-2014-1233 | The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process. | January 10, 2014; 7:02:51 AM -0500 | V3.x: (not available); V2.0: 2.1 LOW |
| CVE-2013-2119 | Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem. | January 03, 2014; 1:54:11 PM -0500 | V3.x: (not available); V2.0: 4.6 MEDIUM |
| CVE-2013-6459 | Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links. | December 31, 2013; 11:04:23 AM -0500 | V3.x: (not available); V2.0: 4.3 MEDIUM |
| CVE-2013-7086 | The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message. | December 18, 2013; 11:24:57 PM -0500 | V3.x: (not available); V2.0: 7.5 HIGH |
| CVE-2013-6421 | The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path. | December 12, 2013; 1:55:16 PM -0500 | V3.x: (not available); V2.0: 7.5 HIGH |
| CVE-2013-1812 | The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack. | December 12, 2013; 1:55:10 PM -0500 | V3.x: (not available); V2.0: 4.3 MEDIUM |