
Ruby-Lang Ruby vulnerabilities

95 known vulnerabilities affecting ruby-lang/ruby.

Total CVEs: 95
CISA KEV: 0
Public exploits: 11
Exploited in wild: 1
Severity breakdown: CRITICAL 16, HIGH 35, MEDIUM 44

Vulnerabilities

Page 3 of 5
CVE-2021-41819 | P3 | HIGH | CVSS 7.5 | affected: ≤ 2.6.8; ≥ 2.7.0, < 2.7.5; +1 more | 2022-01-01
[HIGH] CWE-565: CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.
Sources: NVD
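The point of the `__Secure-` and `__Host-` prefixes is that a cookie carrying one of them promises attributes a weaker context (plain HTTP, a sibling subdomain, a narrower path) cannot set; a parser that accepts the prefixed name without checking those attributes throws that promise away. The following is an added example, not the CGI gem's code or its fix: a small Set-Cookie parser plus a check that enforces the prefix rules (`__Secure-` needs `Secure`; `__Host-` additionally needs `Path=/` and no `Domain`). The parser, its attribute hash layout and the sample headers are constructed for this illustration.

```ruby
# Added example: enforce RFC 6265bis cookie-name prefix rules before trusting
# a cookie. Not the CGI gem's implementation; helper names are illustrative.

SECURE_PREFIX = "__Secure-".freeze
HOST_PREFIX   = "__Host-".freeze

# Parse one Set-Cookie header value into { name:, value:, attributes: }.
# Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
def parse_set_cookie(header)
  pair, *attrs = header.to_s.split(";").map(&:strip)
  name, value = pair.to_s.split("=", 2)
  if name.nil? || name.empty? || value.nil?
    raise ArgumentError, "malformed cookie pair: #{header.inspect}"
  end
  attributes = {}
  attrs.each do |a|
    k, v = a.split("=", 2)
    attributes[k.downcase] = v.nil? ? true : v
  end
  { name: name, value: value, attributes: attributes }
end

# True only if the attributes satisfy the guarantee the name prefix advertises.
# Unprefixed names carry no promise and are always accepted here.
def prefix_rules_satisfied?(cookie)
  name  = cookie[:name]
  attrs = cookie[:attributes]
  return true unless name.start_with?(SECURE_PREFIX, HOST_PREFIX)
  return false unless attrs["secure"] == true            # both prefixes need Secure
  if name.start_with?(HOST_PREFIX)
    return false if attrs.key?("domain")                  # __Host-: no Domain at all
    return false unless attrs["path"] == "/"              # __Host-: Path must be "/"
  end
  true
end

# Returns the parsed cookie, or nil when the prefix promise is not honoured.
def accept_cookie(header)
  cookie = parse_set_cookie(header)
  prefix_rules_satisfied?(cookie) ? cookie : nil
end
```

A request-side parser (the `Cookie:` header, where attributes are absent) cannot verify these rules from the wire; the useful check there is that a prefixed name is only treated as secure when the request itself arrived over TLS, which is the part of the contract a mishandling parser skips.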
CVE-2018-8777 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.7; +3 more | 2018-04-03
[HIGH] CWE-400: In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
Sources: NVD, OSV
CVE-2020-5247 | P3 | HIGH | CVSS 7.5 | affected: ≤ 2.3.0; ≥ 2.4.0, ≤ 2.4.7; +3 more | 2020-02-28
[HIGH] CWE-113: In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
Sources: NVD
CVE-2017-9229 | P3 | HIGH | CVSS 7.5 | affected: ≤ 2.4.1 | 2017-05-24
[HIGH] CWE-476: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid pointer dereference, normally as an immediate denial-of-service.
Sources: NVD
CVE-2019-16201 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.4.0, ≤ 2.4.7; ≥ 2.5.0, ≤ 2.5.6; +1 more | 2019-11-26
[HIGH] CWE-287: WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service caused by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or an untrusted network.
Sources: NVD
CVE-2021-41817 | P3 | HIGH | CVSS 7.5 | affected: ≥ 2.6.0, < 2.6.9; ≥ 2.7.0, < 2.7.5; +1 more | 2022-01-01
[HIGH] CWE-1333: Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.
Sources: NVD
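Date.parse tries a sequence of regular expressions against the whole input, so the attacker's lever is simply length. The cheapest mitigation on an unpatched date gem is to bound the input before it reaches the parser, which is what the following added example does; it is not the date gem's fix, and the 128-byte bound, the helper names and the outcome symbols are choices made here for illustration (the patched gem applies a `limit:` keyword with a default of 128 inside Date.parse itself).

```ruby
require "date"

# Added example, not the date gem's own code: refuse over-long inputs before
# Date.parse sees them, so the regex cost cannot be driven up by length.
MAX_DATE_LENGTH = 128  # bound chosen for this example

def parse_date_bounded(str, max_length: MAX_DATE_LENGTH)
  str = str.to_s
  if str.bytesize > max_length
    raise ArgumentError, "date string too long (#{str.bytesize} > #{max_length})"
  end
  Date.parse(str)
end

# Classify an input for logging/metrics: :ok, :too_long or :invalid.
# Date::Error (date >= 3.0) is a subclass of ArgumentError, so one rescue
# covers both old and new gem versions.
def classify_date_input(str)
  parse_date_bounded(str)
  :ok
rescue ArgumentError => e
  e.message.start_with?("date string too long") ? :too_long : :invalid
end
```

The same pattern (cap size, then parse) applies to every parser on this page that is driven by backtracking regexes, including the DigestAuth and URI.decode_www_form_component cases; on Ruby 3.2 and later, `Regexp.timeout=` adds a process-wide backstop for regexes you do not control.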
CVE-2017-14033 | P3 | HIGH | CVSS 7.5 | affected: v2.2.0, v2.2.1, +13 more | 2017-09-19
[HIGH] CWE-119: The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
Sources: NVD, OSV
CVE-2015-7551 | P3 | HIGH | CVSS 8.4 | affected: ≤ 2.0.0-p647; v2.1.0; +11 more | 2016-03-24
[HIGH] CVE-2015-7551: The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the D
Sources: NVD
CVE-2015-3900 | P3 | MEDIUM | CVSS 5.0 | affected: v1.9, v1.9.1, +10 more | 2015-06-24
[MEDIUM] CWE-254: RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
Sources: NVD
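A DNS SRV lookup lets the resolver, not the gem source, choose the host the client connects to; the defence is to accept the SRV target only when it lies under the configured source host. The following is an added example of that check, not RubyGems' own code. Note the dot boundary: a plain suffix test (`end_with?("rubygems.org")`) still admits `evilrubygems.org`, which is the gap the follow-up CVE-2015-4020 covered.

```ruby
# Added example, not RubyGems' code: allow a DNS SRV target only if it is the
# source host itself or a subdomain of it (label boundary enforced).
def srv_target_allowed?(source_host, srv_target)
  src = source_host.to_s.downcase.chomp(".")
  tgt = srv_target.to_s.downcase.chomp(".")
  return false if src.empty? || tgt.empty?
  tgt == src || tgt.end_with?(".#{src}")
end

# Resolve the host to use for the fetch: the SRV target when it passes the
# check, otherwise fall back to the configured source host. `srv_target` is a
# constructed input standing in for the result of a real SRV lookup.
def gem_fetch_host(source_host, srv_target)
  srv_target_allowed?(source_host, srv_target) ? srv_target.chomp(".") : source_host
end
```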
CVE-2008-2726 | P3 | HIGH | CVSS 7.8 | affected: ≤ 1.8.4; ≥ 1.8.5, < 1.8.5.231; +3 more | 2008-06-24
[HIGH] CWE-189: Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been in
Sources: NVD
CVE-2008-2664 | P3 | HIGH | CVSS 7.8 | affected: ≤ 1.8.4; fixed in 1.8.5.231; +3 more | 2008-06-24
[HIGH] CVE-2008-2664: The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has
Sources: NVD
CVE-2008-2725 | P4 | HIGH | CVSS 7.8 | affected: ≤ 1.8.4; ≥ 1.8.5, < 1.8.5.231; +2 more | 2008-06-24
[HIGH] CVE-2008-2725: Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-20
Sources: NVD
CVE-2017-11465 | P4 | CRITICAL | CVSS 9.8 | affected: v2.4.1 | 2017-07-19
[CRITICAL] CWE-125: The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y. NOTE: this might have security relevance as a bypass of a $SAFE protection mechanism.
Sources: NVD
CVE-2011-4815 | P4 | HIGH | CVSS 7.8 | affected: ≤ 1.8.7-p352; v1.8.7-p299; +3 more | 2011-12-30
[HIGH] CWE-20: Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
Sources: NVD
CVE-2014-6438 | P4 | HIGH | CVSS 7.5 | affected: ≤ 1.9.2 | 2017-09-06
[HIGH] CWE-399: The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
Sources: NVD
CVE-2019-15845 | P4 | MEDIUM | CVSS 6.5 | affected: ≥ 2.4.0, ≤ 2.4.7; ≥ 2.5.0, ≤ 2.5.6; +1 more | 2019-11-26
[MEDIUM] CVE-2019-15845: Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
Sources: NVD, OSV
CVE-2017-17742 | P4 | MEDIUM | CVSS 5.3 | affected: ≥ 2.2.0, < 2.2.10; ≥ 2.3.0, < 2.3.7; +3 more | 2018-04-03
[MEDIUM] CWE-113: Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Sources: NVD
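The WEBrick entry above and the Puma entry (CVE-2020-5247) earlier on this page are the same bug class: a server serialises a header whose value contains CR/LF, so the bytes the client receives contain a second, attacker-authored response. The following added example (not WEBrick's or Puma's code) shows a naive serialiser producing exactly that, next to a hardened writer that rejects control characters in header names and values before they are serialised. The response format, the injected value and the helper names are constructed for this illustration.

```ruby
# Added example, not WEBrick's or Puma's implementation.

# Naive serialiser: whatever is in a header value goes on the wire verbatim,
# so a CR LF CR LF inside a value ends the header block early.
def naive_response(status, headers, body)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |k, v| lines << "#{k}: #{v}" }
  (lines + ["", body]).join("\r\n")
end

# Hardened writer: header names must be RFC 7230 tokens, values may not carry
# CR, LF or any other control character (horizontal tab excepted).
HEADER_NAME = /\A[A-Za-z0-9!$%&'*+.^_`|~#-]+\z/

def validate_header!(name, value)
  raise ArgumentError, "invalid header name: #{name.inspect}" unless name.match?(HEADER_NAME)
  raise ArgumentError, "CR/LF in header value: #{value.inspect}" if value.match?(/[\r\n]/)
  raise ArgumentError, "control character in header value" if value.match?(/[\x00-\x08\x0a-\x1f\x7f]/)
end

def safe_response(status, headers, body)
  headers.each { |k, v| validate_header!(k.to_s, v.to_s) }
  naive_response(status, headers, body)
end

# How many responses would a client see in this byte stream?
# Used to make the split visible rather than to parse HTTP properly.
def response_count(raw)
  raw.scan(%r{^HTTP/1\.1 }).size
end

# Constructed attacker value for a Location header: ends the real response and
# starts a second one with its own body.
INJECTED_LOCATION = "/\r\n\r\nHTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello".freeze
```

Rejecting the header at write time is the fix; stripping the newlines instead silently changes the redirect target and tends to hide the bug from the application developer.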
CVE-2015-1855 | P4 | MEDIUM | CVSS 5.9 | affected: ≥ 2.1.0, < 2.1.6; ≥ 2.2.0, < 2.2.2; +1 more | 2019-11-29
[MEDIUM] CWE-20: verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (2) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
Sources: NVD
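The four vectors in that description are the classic ways a dNSName wildcard matcher goes wrong. The following added example (not the OpenSSL extension's verify_certificate_identity) is a matcher that handles each of them: one wildcard at most, only as the whole leftmost label, never matching an IDNA A-label, compared case-insensitively after rejecting non-ASCII on either side. The patterns and hostnames in the test are constructed; no certificate is parsed.

```ruby
# Added example, not Ruby's OpenSSL extension: RFC 6125-style matching of a
# certificate dNSName pattern against a presented hostname.
def hostname_matches?(pattern, hostname)
  return false unless pattern.is_a?(String) && hostname.is_a?(String)
  return false unless pattern.ascii_only? && hostname.ascii_only?   # (4) non-ASCII
  return false if hostname.include?("*")                            # hostnames never contain wildcards

  p_labels = pattern.downcase.split(".", -1)                        # (3) case-insensitive
  h_labels = hostname.downcase.split(".", -1)
  return false if p_labels.any?(&:empty?) || h_labels.any?(&:empty?)
  return false unless p_labels.size == h_labels.size               # a wildcard spans exactly one label

  wildcards = pattern.count("*")
  return p_labels == h_labels if wildcards.zero?
  return false if wildcards > 1                                     # (1) multiple wildcards
  return false unless p_labels.first == "*"                         # partial labels like "f*" not allowed
  return false if p_labels.size < 3                                 # "*.com" would match every .com host
  return false if h_labels.first.start_with?("xn--")                # (2) no wildcard match of IDNA labels
  p_labels[1..-1] == h_labels[1..-1]
end

# Check a presented hostname against all dNSName patterns of a certificate.
def certificate_covers?(dns_names, hostname)
  dns_names.any? { |pattern| hostname_matches?(pattern, hostname) }
end
```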
CVE-2021-31810 | P4 | MEDIUM | CVSS 5.8 | affected: ≤ 2.6.7; ≥ 2.7.0, ≤ 2.7.3; +1 more | 2021-07-13
[MEDIUM] CVE-2021-31810: An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise private and not disclosed (e.g., the attacker can conduct port sca
Sources: NVD
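The PASV reply is server-controlled data that the client turns into a connect() target, so a client that honours the advertised address lets the server aim the data connection at any host the client can reach. The following added example (not Net::FTP's code) parses a PASV reply and, unless explicitly told to trust it, replaces the advertised address with the control connection's peer address, keeping only the port; this mirrors the policy Net::FTP adopted in its fix (the `use_pasv_ip` option, defaulting to false). The replies and peer address are constructed inputs.

```ruby
# Added example, not Net::FTP's implementation.

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = /\(\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3}),\s*(\d{1,3})\s*\)/

# Parse a PASV reply into [host, port], rejecting malformed or out-of-range values.
def parse_pasv(reply)
  m = PASV_RE.match(reply.to_s)
  unless m && reply.start_with?("227")
    raise ArgumentError, "unparseable PASV reply: #{reply.inspect}"
  end
  octets = m.captures.map(&:to_i)
  raise ArgumentError, "octet out of range" if octets.any? { |o| o > 255 }
  host = octets[0, 4].join(".")
  port = (octets[4] << 8) | octets[5]
  raise ArgumentError, "invalid port 0" if port.zero?
  [host, port]
end

# Decide where the data connection goes. By default the advertised host is
# ignored and the control-connection peer is used; only the port is taken from
# the reply. `trust_pasv_ip: true` restores the old, dangerous behaviour.
def pasv_data_endpoint(reply, control_peer_ip, trust_pasv_ip: false)
  host, port = parse_pasv(reply)
  return [host, port] if trust_pasv_ip
  [control_peer_ip, port]
end
```

With the default policy a server behind NAT that advertises a private address still works (the client reconnects to the address it already reached), while a server advertising an unrelated internal host simply gets a connection back to itself.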
CVE-2017-6181 | P4 | HIGH | CVSS 7.5 | affected: v2.4.0 | 2017-04-03
[HIGH] CWE-20: The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression.
Sources: NVD