Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*
There are 32 matching records.
Displaying matches 21 through 32.
Vuln ID Summary CVSS Severity
CVE-2017-9225

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in unicode_unfold_key(). A malformed regular expression could result in 4 bytes being written off the end of a stack buffer of expand_case_fold_string() during the call to onigenc_unicode_get_case_fold_codes_by_str(), a typical stack buffer overflow.

Published: May 24, 2017; 11:29:00 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-9224

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds read occurs in match_at() during regular expression searching. A logical error involving order of validation and access in match_at() could result in an out-of-bounds read from a stack buffer.

Published: May 24, 2017; 11:29:00 AM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2013-4413

Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.

Published: March 11, 2014; 3:37:02 PM -0400
V3.x:(not available)
V2.0: 5.0 MEDIUM
CVE-2013-2119

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.

Published: January 03, 2014; 1:54:11 PM -0500
V3.x:(not available)
V2.0: 4.6 MEDIUM
CVE-2013-4136

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/.

Published: September 30, 2013; 5:55:07 PM -0400
V3.x:(not available)
V2.0: 4.4 MEDIUM
CVE-2013-5647

lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: August 29, 2013; 8:07:56 AM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-1948

converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 10.0 HIGH
CVE-2013-1947

kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2013-1933

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 9.3 HIGH
CVE-2013-0233

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM
CVE-2013-0175

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.

Published: April 25, 2013; 7:55:01 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH
CVE-2013-1911

lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.

Published: April 02, 2013; 8:55:02 PM -0400
V3.x:(not available)
V2.0: 6.8 MEDIUM