2169 matches found

BDU FSTEC
added 2018/12/27 12:00 a.m. | 2 views

The vulnerability of the RubyGems package management system, related to the possibility of cross-site scripting, allows a hacker to cause a service failure.

The vulnerability of the RubyGems package management system is related to the possibility of cross-site scripting execution. Exploiting this vulnerability allows a malicious actor to cause service failures using a specially crafted gem archive...

CVSS 6.1 | AI score 6.9 | EPSS 0.02845
Exploits 0 | References 4 | Affected Software 1
BDU FSTEC
added 2018/12/27 12:00 a.m. | 2 views

The vulnerability of the RubyGems package management system, related to the creation of infinite loops, allows for the execution of arbitrary code.

The vulnerability of the RubyGems package management system is related to improper handling of the tar archive header, which can lead to the creation of an infinite loop. Exploiting this vulnerability allows a remote attacker to cause a service failure...

CVSS 7.5 | AI score 6.8 | EPSS 0.04769
Exploits 0 | References 4 | Affected Software 1
BDU FSTEC
added 2018/12/27 12:00 a.m. | 3 views

The vulnerability in the RubyGems package management system arises from improper handling of parameters, allowing users to compromise data integrity.

The vulnerability of the RubyGems package management system is related to the improper handling of HTTP/FTP request parameters, which can lead to incorrect URL formation. Exploiting this vulnerability allows a remote attacker to compromise data integrity...

CVSS 5.3 | AI score 6.9 | EPSS 0.03825
Exploits 0 | References 4 | Affected Software 1
Cent OS
added 2018/12/13 8:46 p.m. | 158 views

ruby, rubygem, rubygems security update

CentOS Errata and Security Advisory CESA-2018:3738. An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 9.8 | AI score 7.1 | EPSS 0.10715
Exploits 0 | References 7
Tenable Nessus
added 2018/12/06 12:00 a.m. | 32 views

RHEL 6 : rubygem packages (RHSA-2013:0728)

This update fixes one security issue in multiple rubygem packages for Red Hat OpenShift Enterprise 1.1.3. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is...

CVSS 4.3 | AI score 8.3 | EPSS 0.03592
Exploits 0 | References 3
Tenable Nessus
added 2018/12/04 12:00 a.m. | 38 views

RHEL 6 : rubygems (RHSA-2013:1203)

An updated rubygems package that fixes two security issues is now available for Red Hat OpenShift Enterprise 1.2.2. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...

CVSS 5.8 | AI score 8.2 | EPSS 0.02456
Exploits 0 | References 5
Tenable Nessus
added 2018/12/04 12:00 a.m. | 31 views

RHEL 6 : rubygems (RHSA-2014:0207)

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2014:0207 advisory. RubyGems is the Ruby standard for publishing and managing third-party libraries. It was discovered that the rubygems API validated version strings...

CVSS 4.3 | AI score 8.1 | EPSS 0.03316
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 10:23 a.m. | 3 views

rubygems: Improper verification of signatures in tarball allows to install mis-signed gem

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in...

CVSS 9.8 | AI score 7.3 | EPSS 0.03037
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 10:23 a.m. | 5 views

rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute that can...

CVSS 5.3 | AI score 7.2 | EPSS 0.03825
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 10:10 a.m. | 3 views

rubygems: Unsafe Object Deserialization Vulnerability in gem owner allowing arbitrary code execution on specially crafted YAML

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code...

CVSS 7.8 | AI score 7.2 | EPSS 0.02982
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 10:10 a.m. | 2 views

rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to...

CVSS 5.5 | AI score 7.2 | EPSS 0.02876
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 10:10 a.m. | 3 views

rubygems: Path traversal when writing to a symlinked basedir outside of the root

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in the install_location function of package.rb that can result in...

CVSS 7.5 | AI score 7.2 | EPSS 0.05076
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 9:56 a.m. | 3 views

rubygems: XSS vulnerability in homepage attribute when displayed via gem server

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in the gem server display of the homepage attribute that can...

CVSS 6.1 | AI score 7.1 | EPSS 0.02845
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 9:56 a.m. | 5 views

rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to...

CVSS 5.5 | AI score 7.2 | EPSS 0.02876
Exploits 0 | References 5
RedHat Linux
added 2018/11/29 9:56 a.m. | 4 views

rubygems: Improper verification of signatures in tarball allows to install mis-signed gem

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in...

CVSS 9.8 | AI score 7.3 | EPSS 0.03037
Exploits 0 | References 5
Hacker One
added 2018/11/24 2:40 p.m. | 41 views

RubyGems: 65534 times efficient, Brute-force attack for api_key

I have found that type checking for api_key is insufficient in rubygems.org's source code. https://github.com/rubygems/rubygems.org/blob/master/app/controllers/application_controller.rb#L63 `def authenticate_with_api_key; api_key = request.headers["Authorization"] || params[:api_key]; @api_user = ...`

AI score 7
Exploits 0
Tenable Nessus
added 2018/08/29 12:00 a.m. | 33 views

Debian DLA-1480-1 : ruby2.1 security update

Several vulnerabilities were discovered in Ruby 2.1. CVE-2016-2337: Type confusion exists in the _cancel_eval method of Ruby's TclTkIp class. An attacker passing a different type of object than String as the 'retval' argument can cause arbitrary code execution. CVE-2018-1000073: RubyGems contains a Directory Travers...

CVSS 9.8 | AI score 7.8 | EPSS 0.06153
Exploits 2 | References 5
Hacker One
added 2018/08/09 9:02 a.m. | 75 views

RubyGems: Malware in `active-support` gem

This was sent to RubySec: The gem duplicates the official `activesupport` (no hyphen) code, but adds a compiled extension. The extension attempts to resolve a base64-encoded domain, 29faea63.planfhntage.de, downloads a payload, and executes...

CVSS 10 | AI score 1.4 | EPSS 0.06129
Exploits 1
Tenable Nessus
added 2018/08/02 12:00 a.m. | 49 views

Debian DSA-4259-1 : ruby2.3 - security update

Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could...

CVSS 9.8 | AI score 6.9 | EPSS 0.73927
Exploits 6 | References 18
Debian
added 2018/07/31 9:40 p.m. | 43 views

[SECURITY] [DSA 4259-1] ruby2.3 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-4259-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff July 31, 2018 https://www.debian.org/security/faq -...

CVSS 9.8 | AI score 9 | EPSS 0.73927
Exploits 6