rubygems: Improper verification of signatures in tarball allows to install mis-signed gem
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in...
rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the RubyGems specification homepage attribute that can...
rubygems: XSS vulnerability in homepage attribute when displayed via gem server
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in the gem server display of the homepage attribute that can...
RHEL 7 : ruby (RHSA-2020:0542)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0542 advisory. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system...
CVE-2019-17268
The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Versions through 0.4.5, and 0.5.1 and later, are unaffected...
CVE-2020-5216 Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append_content_security_policy_directives / override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a...
GHSA-W978-RMPF-QMWG Limited header injection when using dynamic overrides with user input in RubyGems secure_headers
Impact: If user-supplied input was passed into append_content_security_policy_directives / override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, Rails will silently create a new Content-Security-Policy header with the remaining value of the...
CVE-2020-5217 Directive injection when using dynamic overrides with user input in RubyGems secure_headers
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.8.0, 5.1.0, and 6.2.0. If user-supplied input was passed into append_content_security_policy_directives / override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be us...
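The secure_headers entries above (CVE-2020-5216 / GHSA-W978-RMPF-QMWG and CVE-2020-5217) describe one mechanism seen from two sides: a source token that comes from user input and is passed through a dynamic CSP override lands verbatim in the header value, so a `;` inside it appends a directive and a `\n` starts a second header line. The following is an added example, not code from the gem: `build_csp`, `override_unsafe` and `override_safe` are constructed stand-ins for a header builder, and the payload strings are made up for the demonstration.

```ruby
# Added example; not secure_headers' implementation. A constructed CSP
# builder shows how a user-controlled source token carrying ';' or "\n"
# turns into directive injection / header injection, and a guard that
# rejects such tokens before they reach the policy.

class DirectiveInjection < ArgumentError; end

# Serialise a directives hash into a Content-Security-Policy value.
# Keys are directive names as symbols (:script_src), values are source lists.
def build_csp(directives)
  directives.map do |name, sources|
    "#{name.to_s.tr('_', '-')} #{sources.join(' ')}"
  end.join('; ')
end

# Dynamic override that trusts its input: whatever the caller passes becomes
# part of the header. This mirrors the pattern the advisories warn about.
def override_unsafe(base, name, sources)
  base.merge(name => sources)
end

# Hardened override: a CSP source expression is a single token, so any
# whitespace (including CR/LF), ';' or ',' inside it is an injection attempt.
def override_safe(base, name, sources)
  sources.each do |src|
    next if src.match?(/\A[^\s;,]+\z/)
    raise DirectiveInjection, "rejected source token #{src.inspect}"
  end
  base.merge(name => sources)
end

# Rails writes one header per line; count how many headers a value would yield.
def header_lines(value)
  value.split(/\r?\n/)
end

BASE_POLICY = { default_src: ["'self'"], script_src: ["'self'"] }.freeze

# Constructed attacker input, as if read from a query parameter.
SEMICOLON_PAYLOAD = "https://cdn.example.com; script-src 'unsafe-inline' https://attacker.example"
NEWLINE_PAYLOAD   = "https://cdn.example.com\nX-Injected: 1"

# Returns how far each payload gets through the unsafe path.
def injection_demo
  semi = build_csp(override_unsafe(BASE_POLICY, :script_src, [SEMICOLON_PAYLOAD]))
  nl   = build_csp(override_unsafe(BASE_POLICY, :script_src, [NEWLINE_PAYLOAD]))
  {
    directives_after_semicolon: semi.split(';').size, # 3: the attacker appended one
    headers_after_newline: header_lines(nl).size,     # 2: a second header line appears
  }
end

if __FILE__ == $PROGRAM_NAME
  p injection_demo
  begin
    override_safe(BASE_POLICY, :script_src, [SEMICOLON_PAYLOAD])
  rescue DirectiveInjection => e
    puts e.message
  end
end
```

The guard is deliberately an allow-list on the token shape rather than a deny-list of `;` and newline: a source expression never legitimately contains whitespace or separators, so rejecting anything that does also covers CR-only and comma variants without enumerating them.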
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2019-2230)
The remote host is missing an update for the Huawei EulerOS ruby package referenced in EulerOS-SA-2019-2230...
CVE-2018-1000075
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite loop caused by negative size vulnerability in the RubyGems package tar header that can...
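The CVE-2018-1000075 entry above only says that a negative size in a tar header leads to an infinite loop. The tar `size` field is ASCII octal, and a parser that accepts a sign (Ruby's `String#oct` does) can hand a negative number to the code that skips past an entry's data. The following added example, which is not RubyGems' tar reader, shows one way that produces a walk that never advances, and the strict field check that stops it at parse time. The archives and the reader loop are constructed for the demonstration; the advisory itself gives no further detail about the loop.

```ruby
# Added example; not RubyGems' tar reader. A tar header stores the entry
# size as ASCII octal in bytes 124..135. A lenient parse (String#oct) turns
# "-1000" into -512, and a reader that advances by header + padded size then
# stops making progress. strict_size rejects anything that is not plain
# octal digits before the value is ever used for arithmetic.

BLOCK = 512

class BadTarHeader < StandardError; end

# Build a minimal 512-byte header: name at offset 0, size field at 124.
# Constructed for the demo; checksum and other fields are left NUL.
def make_header(name, size_field)
  header = "\0" * BLOCK
  header[0, name.bytesize] = name
  header[124, size_field.bytesize] = size_field
  header
end

# Lenient: String#oct accepts a sign and silently yields a negative size.
def lenient_size(header)
  header[124, 12].delete("\0 ").oct
end

# Strict: the field must be one or more octal digits (NUL/space padding
# stripped); a sign, letters or an empty field raise.
def strict_size(header)
  field = header[124, 12].delete("\0 ")
  raise BadTarHeader, "invalid size field #{field.inspect}" unless field.match?(/\A[0-7]+\z/)
  field.to_i(8)
end

# Entry data occupies whole 512-byte blocks after the header.
def padded_length(size)
  ((size + BLOCK - 1) / BLOCK) * BLOCK
end

# Walk an in-memory archive and collect entry names. `max_steps` caps the
# walk so the lenient variant returns :loop_suspected instead of spinning.
def list_entries(archive, size_parser, max_steps: 100)
  names = []
  offset = 0
  steps = 0
  while offset + BLOCK <= archive.bytesize
    header = archive[offset, BLOCK]
    break if header.delete("\0").empty?          # end-of-archive marker
    names << header[0, 100].delete("\0")
    offset += BLOCK + padded_length(size_parser.call(header))
    steps += 1
    return [names, :loop_suspected] if steps >= max_steps
  end
  [names, :ok]
end

END_MARKER = "\0" * (2 * BLOCK)
# Constructed archives: one benign entry, and one whose size field is negative.
BENIGN_ARCHIVE  = make_header("hello.txt", "5") + "hello".ljust(BLOCK, "\0") + END_MARKER
HOSTILE_ARCHIVE = make_header("evil.txt", "-1000") + END_MARKER

if __FILE__ == $PROGRAM_NAME
  p list_entries(BENIGN_ARCHIVE, method(:strict_size))    # [["hello.txt"], :ok]
  p list_entries(HOSTILE_ARCHIVE, method(:lenient_size))  # 100 names, :loop_suspected
  begin
    list_entries(HOSTILE_ARCHIVE, method(:strict_size))
  rescue BadTarHeader => e
    puts e.message
  end
end
```

With `-1000` (octal) the lenient parse yields -512, `padded_length(-512)` is -512, and the offset update `BLOCK + (-512)` is zero, so the same header is read forever. Validating the field against `[0-7]+` is cheaper than reasoning about every arithmetic path the size later flows through.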
A vulnerability in the RubyGems package management system's installation mechanism allows an attacker to write arbitrary files to the file system.
The vulnerability in the RubyGems package management system is caused by improper restriction of a pathname to a restricted directory (path traversal). Exploiting this vulnerability could allow an attacker to write arbitrary files to the file system...
A vulnerability in the `install_location` function of the RubyGems package management system allows an attacker to access arbitrary files.
The vulnerability in the `install_location` function of the RubyGems package management system is caused by improper restriction of a pathname to a restricted directory. Exploiting this vulnerability could allow a remote attacker to access arbitrary files...
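Both entries above describe the same weakness class: a file name taken from an untrusted gem is combined with the install directory without checking that the result stays inside it. The following is an added example and not RubyGems' `install_location`; it contrasts a prefix comparison, which a sibling directory with a longer name defeats, with a containment check based on the relative path. `INSTALL_ROOT` and the file names are constructed for the demonstration.

```ruby
require 'pathname'

# Added example; not RubyGems' install_location. Two ways to decide whether
# a file name taken from an untrusted package may be written under an
# install directory: a prefix check that can be fooled, and a containment
# check based on the relative path.

class PathTraversal < StandardError; end

INSTALL_ROOT = "/tmp/gem-install"   # constructed for the demo

# Weak: expands the name and compares string prefixes. "../gem-install2/x"
# resolves to "/tmp/gem-install2/x", which still starts with the root.
def naive_install_location(filename, root = INSTALL_ROOT)
  dest = File.expand_path(filename, root)
  raise PathTraversal, "escapes #{root}: #{filename.inspect}" unless dest.start_with?(root)
  dest
end

# Hardened: reject absolute and home-relative names up front (expand_path
# honours a leading "~"), then require the resolved path to be the root
# itself or a descendant of it, judged by the relative path, not a prefix.
def safe_install_location(filename, root = INSTALL_ROOT)
  raise PathTraversal, "NUL byte in #{filename.inspect}" if filename.include?("\0")
  raise PathTraversal, "absolute or home path #{filename.inspect}" if filename.start_with?("/", "~")
  root_path = Pathname.new(File.expand_path(root))
  dest = Pathname.new(File.expand_path(filename, root_path.to_s))
  rel = dest.relative_path_from(root_path).to_s
  if rel == ".." || rel.start_with?("../")
    raise PathTraversal, "escapes #{root_path}: #{filename.inspect}"
  end
  dest.to_s
end

if __FILE__ == $PROGRAM_NAME
  puts safe_install_location("lib/foo.rb")
  puts naive_install_location("../gem-install2/x")   # accepted, but outside the root
  begin
    safe_install_location("../gem-install2/x")
  rescue PathTraversal => e
    puts e.message
  end
end
```

Checking the relative path rather than a string prefix matters because `"/tmp/gem-install2/x".start_with?("/tmp/gem-install")` is true; the same reasoning applies to a root that ends without a trailing separator in any language. The check here operates on strings only and does not resolve symlinks, so a real installer still needs to refuse to follow links inside the destination.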
A vulnerability in the components lib/rubygems/commands/owner_command.rb and test/rubygems/test_gem_commands_owner_command.rb of the RubyGems package management system allows an attacker to execute arbitrary code.
The vulnerability in the components lib/rubygems/commands/owner_command.rb and test/rubygems/test_gem_commands_owner_command.rb of the RubyGems package management system is caused by deserialization of untrusted data. Exploiting this vulnerability could allow an attacker to execute arbitra...
CVE-2012-6135
RubyGems passenger 4.0.0 betas 1 and 2 allows remote attackers to delete arbitrary files during the startup process...
CVE-2012-6135
CVE-2012-6135 affects Phusion Passenger RubyGem (RubyGems passenger) versions 4.0.0 beta1/beta2. The startup routine can be abused to delete arbitrary files. Exploitation context varies by source: NVD/SUSE/GHSA imply remote access, while the RubySec advisory notes a local attacker during startup....