Search CVE reports
21 – 30 of 79 results
CVE-2022-28738
Medium priorityA double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | — | — | — | — | Not affected |
| ruby2.5 | — | — | — | Not affected | — |
| ruby2.7 | — | Not in release | Not affected | — | — |
| ruby3.0 | — | Fixed | — | — | — |
CVE-2021-41819
Medium priorityCGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | — | — | — | — | Fixed |
| ruby2.5 | — | — | — | Fixed | Ignored |
| ruby2.7 | — | — | Fixed | — | Ignored |
| ruby3.0 | — | Fixed | — | — | Ignored |
CVE-2021-41817
Medium priorityDate.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | — | — | — | — | Fixed |
| ruby2.5 | — | — | — | Fixed | Ignored |
| ruby2.7 | — | — | Fixed | — | Ignored |
| ruby3.0 | — | Fixed | — | — | Ignored |
CVE-2021-41816
Medium priorityCGI.escape_html in Ruby before 2.7.5 and 3.x before 3.0.3 has an integer overflow and resultant buffer overflow via a long string on platforms (such as Windows) where size_t and long have different numbers of bytes. This also...
4 affected packages
ruby2.3, ruby2.5, ruby2.7, ruby3.0
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby2.3 | — | — | — | — | Not affected |
| ruby2.5 | — | — | — | Not affected | Ignored |
| ruby2.7 | — | — | Fixed | — | Ignored |
| ruby3.0 | — | Fixed | — | — | Ignored |
CVE-2021-32066
Medium priorityAn issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to...
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby1.9.1 | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.0 | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
| ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
| ruby2.7 | — | — | Fixed | Not in release | Not in release |
CVE-2021-31799
Medium priorityIn RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby1.9.1 | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.0 | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
| ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
| ruby2.7 | — | — | Fixed | Not in release | Not in release |
CVE-2021-31810
Low priorityAn issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially...
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby1.9.1 | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.0 | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
| ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
| ruby2.7 | — | — | Fixed | Not in release | Not in release |
CVE-2021-28965
Medium prioritySome fixes available 6 of 9
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
4 affected packages
ruby-rexml, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby-rexml | — | Not in release | Not in release | Not in release | Not in release |
| ruby2.3 | — | Not in release | Not in release | Not in release | Fixed |
| ruby2.5 | — | Not in release | Not in release | Fixed | Not in release |
| ruby2.7 | — | — | Fixed | Not in release | Not in release |
CVE-2020-25613
Low priorityAn issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker...
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby1.9.1 | — | — | Not in release | Not in release | Not in release |
| ruby2.0 | — | — | Not in release | Not in release | Not in release |
| ruby2.3 | — | — | Not in release | Not in release | Fixed |
| ruby2.5 | — | — | Not in release | Fixed | Not in release |
| ruby2.7 | — | — | Fixed | Not in release | Not in release |
CVE-2020-10933
Low prioritySome fixes available 2 of 3
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size,...
5 affected packages
ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7
| Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
|---|---|---|---|---|---|
| ruby1.9.1 | — | — | Not in release | Not in release | Not in release |
| ruby2.0 | — | — | Not in release | Not in release | Not in release |
| ruby2.3 | — | — | Not in release | Not in release | Not affected |
| ruby2.5 | — | — | Not in release | Fixed | Not in release |
| ruby2.7 | — | — | Fixed | Not in release | Not in release |