cbcvebase.

Ruby-Lang Ruby vulnerabilities

95 known vulnerabilities affecting ruby-lang/ruby.

Total CVEs
95
CISA KEV
0
Public exploits
11
Exploited in wild
1
Severity breakdown
CRITICAL16HIGH35MEDIUM44

Vulnerabilities

Page 5 of 5
CVE-2012-4464P4MEDIUMCVSS 5.0v1.9.3v2.0+1 more2013-04-25
CVE-2012-4464 [MEDIUM] CVE-2012-4464: Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers t Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regres
nvd
CVE-2012-5371P4MEDIUMCVSS 5.0≤ 1.9.3v1.9+4 more2012-11-28
CVE-2012-5371 [MEDIUM] CVE-2012-5371: Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly r Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision
nvd
CVE-2009-1904P4MEDIUMCVSS 5.0v1.8.6v1.8.72009-06-11
CVE-2009-1904 [MEDIUM] CWE-189 CVE-2009-1904: The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent atta The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type.
nvd
CVE-2012-4522P4MEDIUMCVSS 5.0v1.9.3v2.0.02012-11-24
CVE-2012-4522 [MEDIUM] CWE-264 CVE-2012-4522: The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
nvd
CVE-2011-2705P4MEDIUMCVSS 5.0≤ 1.8.7-334v1.8.7+19 more2011-08-05
CVE-2011-2705 [MEDIUM] CWE-20 CVE-2011-2705: The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x be The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
nvd
CVE-2011-1005P4MEDIUMCVSS 5.0v1.8.6v1.8.6-420+3 more2011-03-02
CVE-2011-1005 [MEDIUM] CWE-264 CVE-2011-1005: The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
nvd
CVE-2011-2686P4MEDIUMCVSS 5.0≤ 1.8.7-334v1.8.7+8 more2011-08-05
CVE-2011-2686 [MEDIUM] CVE-2011-2686: Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for contex Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.
nvd
CVE-2011-3009P4MEDIUMCVSS 5.0≤ 1.8.6v1.8.62011-08-05
CVE-2011-3009 [MEDIUM] CVE-2011-3009: Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for contex Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.
nvd
CVE-2007-5770P4MEDIUMCVSS 5.0v1.8.5v1.8.62007-11-14
CVE-2007-5770 [MEDIUM] CVE-2007-5770: The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in R The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web
nvd
CVE-2013-4287P4MEDIUMCVSS 4.3v1.9v1.9.1+4 more2013-10-17
CVE-2013-4287 [MEDIUM] CWE-310 CVE-2013-4287: Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large a
nvd
CVE-2013-0256P4MEDIUMCVSS 4.3v1.9v1.9.1+4 more2013-03-01
CVE-2013-0256 [MEDIUM] CWE-79 CVE-2013-0256: darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not pr darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
nvd
CVE-2011-1004P4MEDIUMCVSS 6.3v1.8.6v1.8.7+4 more2011-03-02
CVE-2011-1004 [MEDIUM] CWE-59 CVE-2011-1004: The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1 The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
nvd
CVE-2012-4481P4MEDIUMCVSS 4.3v1.8.72013-05-02
CVE-2012-4481 [MEDIUM] CVE-2012-4481: The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the Na The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
nvd
CVE-2013-4363P4MEDIUMCVSS 4.3v1.9v1.9.1+4 more2013-10-17
CVE-2013-4363 [MEDIUM] CVE-2013-4363: Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/versi Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a larg
nvd
CVE-2007-5162P4MEDIUMCVSS 4.3v1.8.5v1.8.62007-10-01
CVE-2007-5162 [MEDIUM] CWE-287 CVE-2007-5162: The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8. The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
nvd
Ruby-Lang Ruby vulnerabilities | cvebase