Latest ruby-lang ruby Vulnerabilities

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time f...
Ruby-lang Ruby<=2.7.7
Ruby-lang Time=0.1.0
Ruby-lang Time=0.2.1
Debian Debian Linux=10.0
Fedoraproject Fedora=36
Fedoraproject Fedora=37
and 15 more
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expressio...
debian/rails<=2:5.2.2.1+dfsg-1+deb10u3<=2:5.2.2.1+dfsg-1+deb10u5
Rubyonrails Rails<6.1.7.1
Rubyonrails Rails>=7.0.0<7.0.4.1
Ruby-lang Ruby<3.2.0
Debian Debian Linux=11.0
redhat/rubygem-actionpack<6.1.7.1
and 4 more
A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. This issue can allow an attacker ...
redhat/rh-ruby27-ruby<0:2.7.8-132.el7
Ruby-lang Cgi<0.1.0.2
Ruby-lang Cgi>=0.2.0<0.2.2
Ruby-lang Cgi>=0.3.0<0.3.5
Fedoraproject Fedora=35
Fedoraproject Fedora=36
and 17 more
An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags a...
Ruby-lang Ruby=2.2.2
Ruby-lang Ruby=2.3.0
Debian Debian Linux=8.0
A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to u...
redhat/ruby<0:3.0.4-160.el9_0
redhat/rh-ruby30-ruby<0:3.0.4-149.el7
Ruby-lang Ruby>=3.0.0<3.0.4
debian/ruby2.5
debian/ruby2.7
Ruby. A memory corruption issue was addressed by updating Ruby to version 2.6.10.
redhat/ruby<0:3.0.4-160.el9_0
redhat/rh-ruby30-ruby<0:3.0.4-149.el7
redhat/rh-ruby27-ruby<0:2.7.6-131.el7
debian/ruby2.5<=2.5.5-3+deb10u4
debian/ruby2.7<=2.7.4-1+deb11u1
Apple macOS Monterey<12.6.1
and 14 more
A buffer overrun vulnerability was discovered in CGI.escape_html. This can lead to a buffer overflow when a user passes a very large string (> 700 MB) to CGI.escape_html on a platform where long type ...
rubygems/cgi<0.1.0.1
rubygems/cgi>=0.2.0<0.2.1
rubygems/cgi>=0.3.0<0.3.1
redhat/rh-ruby30-ruby<0:3.0.4-149.el7
redhat/rh-ruby27-ruby<0:2.7.6-131.el7
Ruby-lang Cgi<0.3.1
and 19 more
A flaw was found in Ruby. RubyGems cgi gem could allow a remote attacker to conduct spoofing attacks caused by the mishandling of security prefixes in cookie names in the CGI::Cookie.parse function. B...
rubygems/cgi<0.1.0.1
rubygems/cgi=0.2.0
rubygems/cgi=0.3.0
redhat/rh-ruby26-ruby<0:2.6.9-120.el7
redhat/rh-ruby30-ruby<0:3.0.4-149.el7
redhat/rh-ruby27-ruby<0:2.7.6-131.el7
and 42 more
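Added example, not the cgi gem's code, showing the rule the CGI::Cookie.parse entry above concerns: a cookie name with the `__Secure-` prefix promises the Secure attribute, and `__Host-` additionally promises Path=/ and no Domain; a parser that treats the prefix as ordinary name characters lets a cookie that breaks those promises through. The `Cookie` struct, function names and the Set-Cookie lines below are this example's own constructed material.

```ruby
# Added example (not the cgi gem's own code): enforce the __Secure- and
# __Host- cookie-name prefix rules when parsing a Set-Cookie header,
# instead of treating the prefix as ordinary name characters.

Cookie = Struct.new(:name, :value, :secure, :path, :domain, keyword_init: true)

class BadCookiePrefix < StandardError; end

# Minimal Set-Cookie parser: name=value followed by ;-separated attributes.
def parse_set_cookie(header)
  pair, *attrs = header.strip.split(/;\s*/)
  name, value = pair.split("=", 2)
  cookie = Cookie.new(name: name, value: value, secure: false, path: nil, domain: nil)
  attrs.each do |attr|
    key, val = attr.split("=", 2)
    case key.downcase
    when "secure" then cookie.secure = true
    when "path"   then cookie.path = val
    when "domain" then cookie.domain = val
    end
  end
  check_prefix!(cookie)
  cookie
end

# Raise unless the attributes match what the name prefix promises.
def check_prefix!(c)
  if c.name.start_with?("__Host-")
    unless c.secure && c.path == "/" && c.domain.nil?
      raise BadCookiePrefix, "#{c.name} requires Secure, Path=/ and no Domain"
    end
  elsif c.name.start_with?("__Secure-")
    raise BadCookiePrefix, "#{c.name} requires Secure" unless c.secure
  end
end

# Convenience predicate for callers that only want accept/reject.
def cookie_prefix_ok?(header)
  parse_set_cookie(header)
  true
rescue BadCookiePrefix
  false
end

# Constructed samples (not real traffic).
GOOD_HOST  = "__Host-sid=abc123; Path=/; Secure; HttpOnly"
BAD_HOST   = "__Host-sid=abc123; Path=/; Domain=example.com; Secure"
BAD_SECURE = "__Secure-token=xyz; Path=/"
PLAIN      = "theme=dark; Path=/"
```

The check runs inside the parser rather than in the application so that a prefixed cookie can never be handed to callers in a state that contradicts its name.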
A flaw was found in ruby, where the date object was found to be vulnerable to a regular expression denial of service (ReDoS) during the parsing of dates. This flaw allows an attacker to hang a ruby ap...
redhat/rh-ruby26-ruby<0:2.6.9-120.el7
redhat/rh-ruby30-ruby<0:3.0.4-149.el7
redhat/rh-ruby27-ruby<0:2.7.6-131.el7
Ruby-lang Date<2.0.1
Ruby-lang Date>=3.0.0<3.0.2
Ruby-lang Date>=3.1.0<3.1.2
and 46 more
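Added example, not the date or time gem's code, for the two ReDoS entries on this page (the Date parser above and the Time parser at the top). Both were fixed upstream partly by bounding input length (Date.parse defaults to limit: 128 since the fix); the wrapper below applies the same cap explicitly and adds a wall-clock bound, using Regexp.timeout where the Ruby in use has it. The 128-byte cap and the 0.5 s budget are assumptions for illustration.

```ruby
require "date"
require "timeout"

# Added example, not the date or time gem's code. Caps input length
# before handing attacker-controlled text to Date.parse and bounds the
# wall-clock time so a pathological string fails fast instead of
# pinning a worker.

MAX_DATE_INPUT = 128 # assumption: mirrors the default limit the date gem adopted

class DateInputTooLong < ArgumentError; end

REGEXP_TIMEOUT_ERRORS = [Timeout::Error]
REGEXP_TIMEOUT_ERRORS << Regexp::TimeoutError if defined?(Regexp::TimeoutError)

def parse_date_bounded(str, limit: MAX_DATE_INPUT, seconds: 0.5)
  raise DateInputTooLong, "#{str.bytesize} bytes exceeds #{limit}" if str.bytesize > limit
  Timeout.timeout(seconds) { Date.parse(str) }
end

# Generic form for any regexp applied to untrusted text: prefer
# Regexp.timeout (Ruby >= 3.2), fall back to Timeout otherwise.
# Returns the MatchData, nil on no match, or :timed_out.
def match_bounded(re, str, seconds: 0.5)
  if Regexp.respond_to?(:timeout=)
    prev = Regexp.timeout
    begin
      Regexp.timeout = seconds
      re.match(str)
    ensure
      Regexp.timeout = prev
    end
  else
    Timeout.timeout(seconds) { re.match(str) }
  end
rescue *REGEXP_TIMEOUT_ERRORS
  :timed_out
end
```

The length cap is the cheap, deterministic part and should be the first check; the timeout is the backstop for patterns whose worst case is not obvious from the length alone.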
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-...
redhat/rh-ruby27-ruby<0:2.7.4-130.el7
redhat/rh-ruby30-ruby<0:3.0.2-148.el7
redhat/rh-ruby26-ruby<0:2.6.9-120.el7
Ruby-lang Ruby>=2.6.0<=2.6.7
Ruby-lang Ruby>=2.7.0<=2.7.3
Ruby-lang Ruby>=3.0.0<=3.0.1
and 1 more
A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are othe...
redhat/rh-ruby27-ruby<0:2.7.4-130.el7
redhat/rh-ruby30-ruby<0:3.0.2-148.el7
redhat/rh-ruby26-ruby<0:2.6.9-120.el7
Ruby-lang Ruby<=2.6.7
Ruby-lang Ruby>=2.7.0<=2.7.3
Ruby-lang Ruby>=3.0.0<=3.0.1
and 11 more
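Added example, not Net::FTP's code, for the PASV entry above: it parses an RFC 959 PASV reply and refuses to let the server steer the data connection to an address other than the one the control connection already uses. Net::FTP's own fix exposes this as the `use_pasv_ip` option (false by default); here the comparison is written out so the logic is visible. Reply strings and addresses are constructed samples.

```ruby
# Added example, not Net::FTP's code. Parses "227 Entering Passive Mode
# (h1,h2,h3,h4,p1,p2)" and ignores an advertised host that differs from
# the control-connection host, so a malicious server cannot make the
# client probe some other address.

PASV_RE = /\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)/

class UntrustedPasvTarget < StandardError; end

# Returns [host, port] advertised in the reply, or raises on malformed input.
def parse_pasv(reply)
  m = PASV_RE.match(reply) or raise ArgumentError, "not a PASV reply: #{reply.inspect}"
  octets = m.captures.map(&:to_i)
  raise ArgumentError, "octet out of range" if octets.any? { |o| o > 255 }
  port = (octets[4] << 8) | octets[5]
  raise ArgumentError, "port 0 is not usable" if port.zero?
  [octets[0, 4].join("."), port]
end

# Choose the data-connection target. `control_host` is the IP string the
# client actually connected to. By default the advertised host is
# replaced by control_host; with strict: true a mismatch raises instead,
# which is preferable when you want the attempt logged.
def pasv_target(reply, control_host, trust_server_ip: false, strict: false)
  host, port = parse_pasv(reply)
  return [host, port] if trust_server_ip || host == control_host
  if strict
    raise UntrustedPasvTarget, "server advertised #{host}:#{port}, expected #{control_host}"
  end
  [control_host, port]
end
```

Only the port is taken from the server; the host is the one the client chose, which is what closes the redirection.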
An operating system command injection flaw was found in RDoc. Using the rdoc command to generate documentation for a malicious Ruby source code could lead to execution of arbitrary commands with the p...
rubygems/rdoc>=6.3.0<6.3.1
rubygems/rdoc>=6.2.0<6.2.1.1
rubygems/rdoc>=3.11<6.1.2.1
Debian Debian Linux=9.0
Debian Debian Linux=10.0
Ruby-lang Rdoc>=3.11<6.3.1
and 18 more
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and seria...
Ruby-lang Rexml<3.2.5
Ruby-lang Ruby<2.6.7
Ruby-lang Ruby>=2.7.0<2.7.3
Ruby-lang Ruby>=3.0.0<3.0.1
Fedoraproject Fedora=34
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
and 2 more
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorou...
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby27-ruby<0:2.7.3-129.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
redhat/rubygem-webrick<1.6.1
redhat/ruby<2.5.9
redhat/ruby<2.6.7
and 8 more
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffe...
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
Ruby-lang Ruby>=2.5.0<=2.5.7
Ruby-lang Ruby>=2.6.0<=2.6.5
Ruby-lang Ruby=2.7.0
Linux Linux kernel
and 4 more
Ruby. This issue was addressed with improved checks.
redhat/pcs<0:0.10.4-6.el8_2.1
redhat/pcs<0:0.10.1-4.el8_0.5
redhat/pcs<0:0.10.2-4.el8_1.1
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
redhat/rubygem-json<2.3.0
and 14 more
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF`, or `\r`, `\n`) to end...
Puma Puma<=3.12.3
Puma Puma>=4.0.0<=4.3.2
Ruby-lang Ruby<=2.3.0
Ruby-lang Ruby>=2.4.0<=2.4.7
Ruby-lang Ruby>=2.5.0<=2.5.6
Ruby-lang Ruby>=2.6.0<=2.6.4
and 5 more
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use th...
debian/ruby1.9.1
Ruby-lang Ruby>=1.8.7.334<1.9.3
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote a...
Ruby-lang Ruby=1.9.2
Ruby-lang Ruby=1.8.7
debian/ruby1.8
debian/ruby1.9
debian/ruby1.9.1
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. A...
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
Ruby-lang Ruby>=2.4.0<=2.4.7
Ruby-lang Ruby>=2.5.0<=2.5.6
Ruby-lang Ruby>=2.6.0<=2.6.4
Debian Debian Linux=8.0
and 15 more
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it...
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
Ruby-lang Ruby<=2.3.0
Ruby-lang Ruby>=2.4.0<=2.4.7
Ruby-lang Ruby>=2.5.0<=2.5.6
Ruby-lang Ruby>=2.6.0<=2.6.4
and 13 more
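Added example, not code from Ruby, the cgi gem, Puma or WEBrick, serving the three header-injection entries on this page (CGI library, Puma, and the WEBrick response-splitting entry above). All three share one root cause: a CR or LF inside a header value terminates that header line, and whatever follows is parsed as further headers or, after a blank line, as the body. The guard below rejects such values before they reach the response; the response shape and the injected value are constructed samples.

```ruby
# Added example (not the CGI, Puma or WEBrick code): a guard for
# untrusted data headed into an HTTP response header.

HEADER_CTL = /[\r\n\x00]/

class HeaderInjection < ArgumentError; end

# Reject, the safe default. Returns the value unchanged if clean.
def assert_header_safe(name, value)
  name = name.to_s
  value = value.to_s
  raise HeaderInjection, "illegal character in header name #{name.inspect}" if name.match?(/[^A-Za-z0-9\-]/)
  raise HeaderInjection, "control character in header value for #{name}" if value.match?(HEADER_CTL)
  value
end

# Strip, for cases where failing the request is not an option. This
# silently alters the value, which also hides the attack attempt.
def strip_header_ctl(value)
  value.to_s.gsub(HEADER_CTL, "")
end

# Render a response head from a hash, refusing injected headers.
def render_headers(status, headers)
  lines = ["HTTP/1.1 #{status}"]
  headers.each do |name, value|
    lines << "#{name}: #{assert_header_safe(name, value)}"
  end
  (lines + ["", ""]).join("\r\n")
end

# Constructed sample: a redirect target carrying CRLF to smuggle a
# Set-Cookie header and a fake body after the real headers.
INJECTED = "https://example.com/\r\nSet-Cookie: session=evil\r\n\r\n<html>pwned</html>"

def demo
  render_headers(302, { "Location" => INJECTED })
  :vulnerable
rescue HeaderInjection
  :blocked
end
```

Rejecting is preferable to stripping: a value that contains CR/LF is never a legitimate header value, and refusing it leaves a clear signal in the error log.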
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBri...
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
Ruby-lang Ruby>=2.4.0<=2.4.7
Ruby-lang Ruby>=2.5.0<=2.5.6
Ruby-lang Ruby>=2.6.0<=2.6.4
Debian Debian Linux=8.0
and 12 more
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
redhat/rh-ruby25-ruby<0:2.5.9-9.el7
redhat/rh-ruby26-ruby<0:2.6.7-119.el7
Ruby-lang Ruby>=2.4.0<=2.4.7
Ruby-lang Ruby>=2.5.0<=2.5.6
Ruby-lang Ruby>=2.6.0<=2.6.4
Canonical Ubuntu Linux=16.04
and 14 more
An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. It does not taint strings that result from unpacking tainted strings with some fo...
ubuntu/ruby1.9.1<1.9.3.484-2ubuntu1.13
ubuntu/ruby2.0<2.0.0.484-1ubuntu2.11
ubuntu/ruby2.3<2.3.1-2~16.04.11
ubuntu/ruby2.5<2.5.1-1ubuntu1.1
ubuntu/ruby2.5<2.5.1-5ubuntu4.1
>=2.3.0<=2.3.7
and 32 more
An instance of OpenSSL::X509::Name contains entities such as CN, C and so on. Some two instances of OpenSSL::X509::Name are equal only when all entities are exactly equal. However, there is a bug that...
ubuntu/ruby1.9.1<1.9.3.484-2ubuntu1.13
ubuntu/ruby2.0<2.0.0.484-1ubuntu2.11
ubuntu/ruby2.3<2.3.1-2~16.04.11
ubuntu/ruby2.5<2.5.1-1ubuntu1.1
ubuntu/ruby2.5<2.5.1-5ubuntu4.1
ubuntu/ruby2.5<2.5.1-6ubuntu3
and 30 more

© 2024 SecAlerts Pty Ltd.