CVE Daily
← All tags

Tag: Ruby

All CVEs associated with "Ruby". Page 4/5 • 499 CVEs.

Subscribe CVEs: RSS for “Ruby”  ·  RSS (High+Critical only)

About “Ruby”

A curated feed of “Ruby”-related CVEs appears below. We currently track 499 CVEs for this tag (all time). In the last 365 days, 66 were published. Average CVSS is 7.1 (all time; 7.2 over 365d), and 58% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-400 - Uncontrolled Resource Consumption, CWE-347 - Improper Verification of Cryptographic Signature, CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

In our taxonomy this topic maps to a LOW impact class. Language runtimes and libraries cascade through dependency graphs. Upgrade runtime and toolchain, pin versions, rebuild images, and enable SAST or DAST and linters. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2016-06-10
Critical

CVE-2016-2785

Puppet Server before 2.3.2 and Ruby puppetmaster in Puppet 4.x before 4.4.2 and in Puppet Agent before 1.4.2 might allow remote attackers to bypass intended auth.conf access restrictions by leveragin…

CVSS: 9.8 CWE: CWE-284 - Improper Access Control View on NVD
2016-05-20
High

CVE-2016-3693

The Safemode gem before 1.2.4 for Ruby, when initialized with a delegate object that is a Rails controller, allows context-dependent attackers to obtain sensitive information via the inspect method.

CVSS: 8.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2016-04-07
High

CVE-2016-2098

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of t…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2016-03-24
High

CVE-2015-7551

The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles…

CVSS: 8.4 CWE: CWE-20 - Improper Input Validation View on NVD
2016-02-16
High

CVE-2015-7581

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous c…

CVSS: 7.5 CWE: CWE-399 View on NVD
Medium

CVE-2015-7577

activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta…

CVSS: 5.3 CWE: CWE-284 - Improper Access Control View on NVD
2016-01-08
Critical

CVE-2015-7541

The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metachar…

CVSS: 10.0 CWE: CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection') View on NVD
2015-07-26
Medium

CVE-2015-3225

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a…

CVSS: 5.0 CWE: CWE-19 View on NVD
2015-07-10
Medium

CVE-2015-2963

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2015-04-29
Low

CVE-2015-3448

REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log.

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2015-01-20
Medium

CVE-2014-9490

The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number.

CVSS: 5.0 CWE: CWE-399 View on NVD
2015-01-08
Medium

CVE-2012-6684

Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2014-12-06
Critical

CVE-2014-6140

IBM Tivoli Endpoint Manager Mobile Device Management (MDM) before 9.0.60100 uses the same secret HMAC token across different customers' installations, which allows remote attackers to execute arbitra…

CVSS: 9.3 CWE: CWE-310 View on NVD
2014-11-21
Medium

CVE-2014-8090

The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption)…

CVSS: 5.0 CWE: N/A View on NVD
2014-11-16
Medium

CVE-2014-3916

The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.

CVSS: 5.0 CWE: CWE-19 View on NVD
Medium

CVE-2014-3248

Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7, Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera before 1.3.4, and Mcollective before 2.5…

CVSS: 6.2 CWE: CWE-17 View on NVD
2014-11-15
Medium

CVE-2014-4975

Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial…

CVSS: 5.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2014-11-03
Medium

CVE-2014-8080

The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document,…

CVSS: 5.0 CWE: N/A View on NVD
2014-06-09
High

CVE-2013-1756

The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2014-06-01
Critical

CVE-2014-3790

Ruby vSphere Console (RVC) in VMware vCenter Server Appliance allows remote authenticated users to execute arbitrary commands as root by escaping from a chroot jail.

CVSS: 9.0 CWE: CWE-264 View on NVD
2014-05-27
Critical

CVE-2013-2090

The set_meta_data function in lib/cremefraiche.rb in the Creme Fraiche gem before 0.6.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the file name of an…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2014-05-17
Medium

CVE-2013-4489

The Grit gem for Ruby, as used in GitLab 5.2 before 5.4.1 and 6.x before 6.2.3, allows remote authenticated users to execute arbitrary commands, as demonstrated by the search box for the GitLab code…

CVSS: 6.5 CWE: N/A View on NVD
2014-05-12
High

CVE-2013-5671

lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem 0.8.2 for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors.

CVSS: 7.5 CWE: N/A View on NVD
2014-05-02
High

CVE-2014-2322

lib/string_utf_support.rb in the Arabic Prawn 0.0.1 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) downloaded_file or (2) url variable.

CVSS: 7.5 CWE: N/A View on NVD
2014-04-29
Medium

CVE-2013-7111

The put_call function in the API client (api/api_client.rb) in the BaseSpace Ruby SDK (aka bio-basespace-sdk) gem 0.1.7 for Ruby uses the API_KEY on the command line, which allows remote attackers to…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-04-24
Medium

CVE-2014-2734

The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby scrip…

CVSS: 5.8 CWE: CWE-399 View on NVD
2014-04-23
High

CVE-2014-2888

lib/sfpagent/bsig.rb in the sfpagent gem before 0.4.15 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in the module name in a JSON request.

CVSS: 7.5 CWE: N/A View on NVD
2014-04-22
Low

CVE-2013-2105

The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVSS: 3.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2014-04-17
Medium

CVE-2014-0036

The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with SSL verification disabled, which allows remote attackers to conduct man-in-the-middle attacks via unspecified vectors.

CVSS: 6.8 CWE: CWE-310 View on NVD
2014-03-25
Medium

CVE-2014-2538

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be prop…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2014-03-11
Medium

CVE-2013-4413

Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot sl…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2014-01-10
Low

CVE-2014-1234

The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process.

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2014-1233

The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process.

CVSS: 2.1 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2014-01-03
Medium

CVE-2013-2119

Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config"…

CVSS: 4.6 CWE: CWE-264 View on NVD
2013-12-31
Medium

CVE-2013-6459

Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2013-12-19
High

CVE-2013-7086

The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growln…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-12-12
High

CVE-2013-6421

The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) pa…

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Medium

CVE-2013-1812

The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.

CVSS: 4.3 CWE: CWE-399 View on NVD
2013-12-07
Medium

CVE-2013-4492

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationDa…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2013-11-23
Medium

CVE-2013-4164

Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial o…

CVSS: 6.8 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2013-11-02
Medium

CVE-2013-2065

(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to byp…

CVSS: 6.4 CWE: CWE-264 View on NVD
Medium

CVE-2013-4457

The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.

CVSS: 6.8 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2013-10-17
Medium

CVE-2013-4363

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1…

CVSS: 4.3 CWE: CWE-310 View on NVD
Medium

CVE-2013-4287

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as use…

CVSS: 4.3 CWE: CWE-310 View on NVD
2013-10-11
High

CVE-2013-4203

The self.run_gpg function in lib/rgpg/gpg_helper.rb in the rgpg gem before 0.2.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in unspecified vectors.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-09-30
Medium

CVE-2013-4136

ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a…

CVSS: 4.4 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2013-08-29
High

CVE-2013-5647

lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-08-23
High

CVE-2013-4172

The Red Hat CloudForms Management Engine 5.1 allow remote administrators to execute arbitrary Ruby code via unspecified vectors.

CVSS: 8.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2013-08-20
Medium

CVE-2013-4761

Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute arbitrary Ruby prog…

CVSS: 5.1 CWE: N/A View on NVD
2013-08-19
High

CVE-2013-3567

Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet Enterprise before 2.8.2, deserializes untrusted YAML, which allows remote attackers to instantiate arbitrary Ruby classes and execute arb…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2013-08-18
Medium

CVE-2013-4073

The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character i…

CVSS: 6.8 CWE: CWE-310 View on NVD
2013-05-02
Medium

CVE-2012-4481

The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix f…

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-04-25
Critical

CVE-2013-1948

converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.

CVSS: 10.0 CWE: N/A View on NVD
Critical

CVE-2013-1947

kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_imag…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Critical

CVE-2013-1933

The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shel…

CVSS: 9.3 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
Medium

CVE-2013-0233

Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing databas…

CVSS: 6.8 CWE: CWE-399 View on NVD
High

CVE-2013-0175

multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection a…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2012-4466

Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2012-4464

Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_…

CVSS: 5.0 CWE: CWE-264 View on NVD
2013-04-09
Medium

CVE-2013-1821

lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an X…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
High

CVE-2013-1898

lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2013-1802

The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cau…

CVSS: 7.5 CWE: CWE-264 View on NVD
High

CVE-2013-1801

The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or ca…

CVSS: 7.5 CWE: CWE-264 View on NVD
High

CVE-2013-1800

The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause…

CVSS: 7.5 CWE: CWE-264 View on NVD
High

CVE-2013-0285

The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attac…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2013-0284

Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2012-6134

Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session st…

CVSS: 6.8 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2013-04-03
Medium

CVE-2013-1911

lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2013-03-20
High

CVE-2013-2617

lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2013-2616

lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2013-2615

lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2013-1875

command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.

CVSS: 7.5 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2013-1655

Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes."

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2013-03-08
Medium

CVE-2013-1656

Spree Commerce 1.0.x through 1.3.2 allows remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/con…

CVSS: 4.3 CWE: CWE-20 - Improper Input Validation View on NVD
2013-03-01
Medium

CVE-2013-0256

darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) atta…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
Low

CVE-2013-0162

The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a pr…

CVSS: 2.1 CWE: CWE-264 View on NVD
Medium

CVE-2012-5604

The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.

CVSS: 4.3 CWE: CWE-264 View on NVD
2013-02-13
High

CVE-2013-0269

The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mec…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2012-11-28
Medium

CVE-2012-5371

Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attac…

CVSS: 5.0 CWE: CWE-310 View on NVD
2012-11-24
Medium

CVE-2012-4522

The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected…

CVSS: 5.0 CWE: CWE-264 View on NVD
2012-10-11
Medium

CVE-2012-5380

Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse…

CVSS: 6.7 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2012-07-18
High

CVE-2012-2140

The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2012-2139

Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the…

CVSS: 5.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2012-04-16
High

CVE-2012-1241

GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 does not properly restrict interaction with an Internet Explorer ActiveX environment, which allows remote attackers to execute arb…

CVSS: 7.5 CWE: CWE-264 View on NVD
2011-12-30
High

CVE-2011-4815

Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2011-09-19
Medium

CVE-2011-2854

Use-after-free vulnerability in Google Chrome before 14.0.835.163 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to "ruby / table s…

CVSS: 6.8 CWE: CWE-416 - Use After Free View on NVD
2011-08-05
Medium

CVE-2011-3009

Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number…

CVSS: 5.0 CWE: CWE-310 View on NVD
Medium

CVE-2011-2705

The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependen…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
Medium

CVE-2011-2686

Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number…

CVSS: 5.0 CWE: CWE-310 View on NVD
2011-05-13
Low

CVE-2011-0995

The sqlite3-ruby gem in the rubygem-sqlite3 package before 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak permissions for unspecified files, which allows local users to gain privileges v…

CVSS: 2.1 CWE: CWE-264 View on NVD
2011-05-03
Medium

CVE-2011-1440

Use-after-free vulnerability in Google Chrome before 11.0.696.57 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the ruby element…

CVSS: 6.8 CWE: CWE-416 - Use After Free View on NVD
2011-03-23
Medium

CVE-2011-0188

The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which a…

CVSS: 6.8 CWE: CWE-189 View on NVD
2011-03-02
Medium

CVE-2011-1005

The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by ch…

CVSS: 5.0 CWE: CWE-264 View on NVD
Medium

CVE-2011-1004

The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delet…

CVSS: 6.3 CWE: CWE-59 - Improper Link Resolution Before File Access ('Link Following') View on NVD
2011-02-02
Medium

CVE-2011-0739

The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell…

CVSS: 6.8 CWE: CWE-20 - Improper Input Validation View on NVD
2011-01-20
Medium

CVE-2010-3928

Ruby Version Manager (RVM) before 1.2.1 writes file contents to a terminal without sanitizing non-printable characters, which might allow remote attackers to execute arbitrary commands via a crafted…

CVSS: 6.8 CWE: N/A View on NVD
2010-08-24
Critical

CVE-2010-3119

Google Chrome before 5.0.375.127 and webkitgtk before 1.2.6 do not properly support the Ruby language, which allows attackers to cause a denial of service (memory corruption) or possibly have unspeci…

CVSS: 10.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2010-07-12
High

CVE-2010-2489

Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filename…

CVSS: 7.2 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2010-06-17
Medium

CVE-2010-0541

Cross-site scripting (XSS) vulnerability in the WEBrick HTTP server in Ruby in Apple Mac OS X 10.5.8, and 10.6 before 10.6.4, allows remote attackers to inject arbitrary web script or HTML via a craf…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2010-02-18
Critical

CVE-2010-0647

WebKit before r53525, as used in Google Chrome before 4.0.249.89, allows remote attackers to execute arbitrary code in the Chrome sandbox via a malformed RUBY element, as demonstrated by a <ruby>><ta…

CVSS: 9.3 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2010-01-13
High

CVE-2009-4492

WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable chara…

CVSS: 7.5 CWE: N/A View on NVD
2009-12-11
Critical

CVE-2009-4124

Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1…

CVSS: 10.0 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2009-12-07
Medium

CVE-2009-4214

Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors i…

CVSS: 4.3 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2009-11-04
Medium

CVE-2009-3857

Buffer overflow in Softonic International SciTE 1.72 allows user-assisted remote attackers to cause a denial of service (application crash) via a Ruby (.rb) file containing a long string, which trigg…

CVSS: 4.3 CWE: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer View on NVD
2009-06-11
Medium

CVE-2009-1904

The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a larg…

CVSS: 5.0 CWE: CWE-189 View on NVD
2009-05-13
Medium

CVE-2009-0161

The OpenSSL::OCSP module for Ruby in Apple Mac OS X 10.5 before 10.5.7 misinterprets an unspecified invalid response as a successful OCSP certificate validation, which might allow remote attackers to…

CVSS: 6.4 CWE: CWE-20 - Improper Input Validation View on NVD
2009-02-20
Medium

CVE-2009-0642

ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 c…

CVSS: 6.8 CWE: CWE-287 - Improper Authentication View on NVD
2008-12-09
High

CVE-2008-4310

httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE:…

CVSS: 7.8 CWE: CWE-399 View on NVD
2008-09-04
Medium

CVE-2008-3905

resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which make…

CVSS: 5.8 CWE: CWE-287 - Improper Authentication View on NVD
2008-08-27
Medium

CVE-2008-3790

The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursiv…

CVSS: 5.0 CWE: CWE-20 - Improper Input Validation View on NVD
2008-08-14
Medium

CVE-2008-3443

The regular expression engine (regex.c) in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows remote attackers to cause a denial of service (infi…

CVSS: 5.0 CWE: CWE-399 View on NVD
2008-08-13
High

CVE-2008-3655

Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which all…

CVSS: 7.5 CWE: CWE-264 View on NVD
High

CVE-2008-3656

Algorithmic complexity vulnerability in the WEBrick::HTTPUtils.split_header_value function in WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 t…

CVSS: 7.8 CWE: CWE-399 View on NVD
High

CVE-2008-3657

The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to by…

CVSS: 7.5 CWE: CWE-20 - Improper Input Validation View on NVD
2008-07-09
High

CVE-2008-2376

Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact…

CVSS: 7.5 CWE: CWE-189 View on NVD
2008-06-24
Critical

CVE-2008-2662

Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow contex…

CVSS: 10.0 CWE: CWE-189 View on NVD
Critical

CVE-2008-2663

Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to ex…

CVSS: 10.0 CWE: CWE-190 - Integer Overflow or Wraparound View on NVD
High

CVE-2008-2664

The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger…

CVSS: 7.8 CWE: CWE-399 View on NVD
High

CVE-2008-2725

Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.…

CVSS: 7.8 CWE: CWE-189 View on NVD
High

CVE-2008-2726

Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_re…

CVSS: 7.8 CWE: CWE-189 View on NVD