Search CVE reports
11 – 20 of 51 results
CVE-2023-28755
Medium prioritySome fixes available 8 of 19
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI...
9 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3, ruby2.5...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | Not in release | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
ruby2.5 | Not in release | Not in release | Not in release | Fixed | Ignored |
ruby2.7 | Not in release | Not in release | Fixed | Not in release | Ignored |
ruby3.0 | Not in release | Fixed | Not in release | Not in release | Not in release |
ruby3.1 | Not in release | Not in release | Not in release | Not in release | Ignored |
rubygems | Not affected | Vulnerable | Not in release | Not in release | Ignored |
CVE-2021-33621
Medium prioritySome fixes available 6 of 14
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create...
8 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3, ruby2.5...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | Not in release | Needs evaluation | Needs evaluation | Needs evaluation |
ruby1.9.1 | — | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
ruby2.7 | — | Not in release | Fixed | Not in release | Not in release |
ruby3.0 | Not in release | Fixed | Not in release | Not in release | Not in release |
ruby3.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
CVE-2016-2338
Medium priorityAn exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length....
6 affected packages
ruby-psych, ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby-psych | — | — | — | Not affected | Not in release |
ruby1.9.1 | — | — | — | Not in release | Not in release |
ruby2.0 | — | — | — | Not in release | Not in release |
ruby2.3 | — | — | — | Not in release | Not affected |
ruby2.5 | — | — | — | Not affected | Not in release |
ruby2.7 | — | — | — | Not in release | Not in release |
CVE-2022-28739
Low priorityThere is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby2.3 | — | — | — | — | Fixed |
ruby2.5 | — | — | — | Fixed | — |
ruby2.7 | — | Not in release | Fixed | — | — |
ruby3.0 | — | Fixed | — | — | — |
CVE-2022-28738
Medium priorityA double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby2.3 | — | — | — | — | Not affected |
ruby2.5 | — | — | — | Not affected | — |
ruby2.7 | — | Not in release | Not affected | — | — |
ruby3.0 | — | Fixed | — | — | — |
CVE-2021-41819
Medium priorityCGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby2.3 | — | — | — | — | Fixed |
ruby2.5 | — | — | — | Fixed | Ignored |
ruby2.7 | — | — | Fixed | — | Ignored |
ruby3.0 | — | Fixed | — | — | Ignored |
CVE-2021-41817
Medium priorityDate.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby2.3 | — | — | — | — | Fixed |
ruby2.5 | — | — | — | Fixed | Ignored |
ruby2.7 | — | — | Fixed | — | Ignored |
ruby3.0 | — | Fixed | — | — | Ignored |
CVE-2021-41816
Medium priorityCGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also...
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby2.3 | — | — | — | — | Not affected |
ruby2.5 | — | — | — | Not affected | Ignored |
ruby2.7 | — | — | Fixed | — | Ignored |
ruby3.0 | — | Fixed | — | — | Ignored |
CVE-2021-32066
Medium priorityAn issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to...
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
ruby2.7 | — | — | Fixed | Not in release | Not in release |
CVE-2021-31799
Medium priorityIn RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | — | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
ruby2.7 | — | — | Fixed | Not in release | Not in release |