Search CVE reports


Toggle filters

41 – 50 of 86 results


CVE-2017-14064

Low priority

Some fixes available 4 of 5

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.9.1 Not in release Not in release
ruby2.0 Not in release Not in release
ruby2.3 Not in release Fixed
Show less packages

CVE-2017-0902

Medium priority

Some fixes available 3 of 20

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

4 affected packages

jruby, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jruby Needs evaluation Vulnerable Vulnerable Vulnerable
ruby1.9.1 Not in release Not in release Not in release Not in release Not in release
ruby2.0 Not in release Not in release Not in release Not in release Not in release
ruby2.3 Not in release Not in release Not in release Not in release Fixed
Show less packages

CVE-2017-0901

Medium priority

Some fixes available 4 of 21

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

4 affected packages

jruby, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jruby Needs evaluation Vulnerable Vulnerable Vulnerable
ruby1.9.1 Not in release Not in release Not in release Not in release Not in release
ruby2.0 Not in release Not in release Not in release Not in release Not in release
ruby2.3 Not in release Not in release Not in release Not in release Fixed
Show less packages

CVE-2017-0900

Negligible priority

Some fixes available 2 of 20

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

4 affected packages

jruby, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jruby Needs evaluation Vulnerable Vulnerable Vulnerable
ruby1.9.1 Not in release Not in release Not in release Not in release Not in release
ruby2.0 Not in release Not in release Not in release Not in release Not in release
ruby2.3 Not in release Not in release Not in release Not in release Fixed
Show less packages

CVE-2017-0899

Negligible priority

Some fixes available 2 of 20

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

4 affected packages

jruby, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jruby Needs evaluation Vulnerable Vulnerable Vulnerable
ruby1.9.1 Not in release Not in release Not in release Not in release Not in release
ruby2.0 Not in release Not in release Not in release Not in release Not in release
ruby2.3 Not in release Not in release Not in release Not in release Fixed
Show less packages

CVE-2017-11465

Medium priority
Not affected

The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to...

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.3 Not affected
Show less packages

CVE-2015-9096

Medium priority

Some fixes available 4 of 5

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

3 affected packages

ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.3 Fixed
Show less packages

CVE-2017-6181

Medium priority
Not affected

The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a...

4 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.3 Not affected
Show less packages

CVE-2009-5147

Low priority

Some fixes available 1 of 5

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

6 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.1 Not in release
ruby2.2 Not in release
ruby2.3 Not affected
Show less packages

CVE-2016-7798

Low priority

Some fixes available 5 of 16

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

7 affected packages

ruby-attr-encrypted, ruby-encryptor, ruby1.8, ruby1.9.1, ruby2.0...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby-attr-encrypted Not affected Not affected Not affected Not in release Vulnerable
ruby-encryptor Not affected Not affected Not affected Not in release Vulnerable
ruby1.8 Not in release Not in release Not in release Not in release Not in release
ruby1.9.1 Not in release Not in release Not in release Not in release Not in release
ruby2.0 Not in release Not in release Not in release Not in release Not in release
ruby2.1 Not in release Not in release Not in release Not in release Not in release
ruby2.3 Not in release Not in release Not in release Not in release Fixed
Show all 7 packages Show less packages