
684 matches found

OSV
added 2017/10/24 6:33 p.m., 28 views

GHSA-67J6-XV27-W6WW Web Console (Ruby gem) contains whitelisted_ips bypass

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request...

CVSS 4.3, AI score 6.1, EPSS 0.85262
Exploits 6, References 7
Github Security Blog
added 2017/10/24 6:33 p.m., 23 views

sentry-raven allows remote attackers to cause a denial of service via a large exponent value in a scientific number

The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number...

CVSS 5, AI score 6.2, EPSS 0.00734
Exploits 0, References 7, Affected Software 1
Github Security Blog
added 2017/10/24 6:33 p.m., 32 views

Web Console (Ruby gem) contains whitelisted_ips bypass

request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request...

CVSS 4.3, AI score 6.2, EPSS 0.85262
Exploits 6, References 7, Affected Software 1
Github Security Blog
added 2017/10/24 6:33 p.m., 20 views

rack-ssl Cross-site Scripting vulnerability

Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script or HTML via a URI, which might not be properly handled by third-party adapters such as JRuby-Rack...

CVSS 4.3, AI score 5.5, EPSS 0.00273
Exploits 1, References 8, Affected Software 1
Prion
added 2017/10/17 2:29 p.m., 17 views

Code injection

The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1, when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags...

CVSS 6.5, AI score 7.9, EPSS 0.01195
Exploits 0, References 4, Affected Software 3
NVD
added 2017/10/17 2:29 p.m., 24 views

CVE-2014-9489

The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and the gollum-lib gem dependency in gollum-lib before 4.0.1, when the string "master" is in any of the wiki documents, allows remote authenticated users to execute arbitrary code via the -O or --open-files-in-pager flags...

CVSS 8.8, AI score 8.8, EPSS 0.01195
Exploits 0, References 4
CVE
added 2017/10/17 2:00 p.m., 61 views

CVE-2014-9489

The CVE-2014-9489 issue affects the gollum-grit_adapter (part of Gollum) and the gollum-lib gem, where if any wiki document contains the string "master", remote authenticated users can execute arbitrary code through the -O/--open-files-in-pager flags. Root cause is the grit_adapter’s search funct...

CVSS 8.8, AI score 8.7, EPSS 0.01195
Exploits 0, References 4, Affected Software 3
OSV
added 2017/10/06 10:29 p.m., 1 view

UBUNTU-CVE-2015-1828

The Ruby http gem before 0.7.3 does not verify hostnames in SSL connections, which might allow remote attackers to obtain sensitive information via a man-in-the-middle attack...

CVSS 5.9, AI score 6.3, EPSS 0.0032
Exploits 0, References 5
rapid7community
added 2017/07/06 5:22 p.m., 89 views

Remediation Workflow Now Integrates with ServiceNow

Today we're sharing an update to Remediation Workflow Ticketing capabilities. We are pleased to announce that Remediation Workflow in InsightVM now integrates with ServiceNow. One of the main benefits of Remediation Workflow Ticketing is to improve collaboration between security and remediation...

AI score 6.7
Exploits 0
OSV
added 2017/03/03 3:59 p.m., 15 views

CVE-2016-10193

The espeak-ruby gem before 1.0.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a string to the speak, save, bytes or bytes_wav method in lib/espeak/speech.rb...

CVSS 9.8, AI score 8
Exploits 0, References 3
CVE
added 2017/02/27 7:25 a.m., 109 views

CVE-2017-5946

CVE-2017-5946 – Rubyzip directory traversal vulnerability : The Zip::File component of the rubyzip gem for Ruby (pre-1.2.1) allows a ZIP archive to write files outside the target directory when a ZIP upload contains paths with "..". This enables arbitrary file writes on the filesystem if a site p...

CVSS 9.8, AI score 9.2, EPSS 0.05924
Exploits 0, References 4, Affected Software 1
OSV
added 2017/01/30 12:00 a.m., 1 view

UBUNTU-CVE-2016-7798

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism...

CVSS 7.5, AI score 6.7, EPSS 0.00557
Exploits 1, References 5
Veracode
added 2017/01/10 1:01 a.m., 4 views

Denial Of Service (DoS)

sequel is vulnerable to denial of service (DoS) attacks. The library uses the packaged JSON ruby gem, which can be used by a malicious user to create ruby symbols on a system. Since ruby symbols are not removed by the garbage collector, this can lead to a denial of service on the system via resource...

AI score 6.4
Exploits 0
Kitploit
added 2016/09/28 2:26 p.m., 113 views

Droid-Hunter - Android Application Vulnerability Analysis And Android Pentest Tool

[ASCII-art banner: DROID-HUNTER, By HaHwul, www.hahwul.com, https://github.com/hahwul/droid-hunter]...

AI score 7.4
Exploits 0, References 2
RedHat Linux
added 2016/03/15 8:55 p.m., 2 views

rubygem-actionpack: possible object leak and denial of service attack in Action Pack

A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service...

CVSS 7.5, AI score 7, EPSS 0.08895
Exploits 0, References 6
RedHat Linux
added 2016/03/15 8:55 p.m., 2 views

rubygem-actionpack: code injection vulnerability in Action View

A code injection flaw was found in the way Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to execute arbitrary code...

CVSS 7.5, AI score 7.4, EPSS 0.86668
Exploits 7, References 5
OSV
added 2015/09/08 5:55 p.m., 7 views

MGASA-2015-0345 Updated ruby-RubyGems packages fix security vulnerabilities

Updated ruby-RubyGems package fixes security vulnerability: RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack" (CVE-2015-3900)...

CVSS 5, AI score 5.7, EPSS 0.02401
Exploits 0, References 3
CNVD
added 2015/08/14 12:00 a.m., 1 view

Contributed Systems RubyGems Sidekiq Cross-Site Scripting Vulnerability

Contributed Systems Sidekiq is a Ruby-based background processor that provides an efficient message queuing system for Rails 3 applications. A cross-site scripting vulnerability exists in Contributed Systems Sidekiq, which allows remote attackers to exploit the vulnerability to inject malicious...

AI score 6.2
Exploits 0, References 1
Tenable Nessus
added 2015/05/28 12:00 a.m., 36 views

Debian DLA-229-1 : libnokogiri-ruby security update

An XML eXternal Entity (XXE) flaw was found in Nokogiri, a Ruby gem for parsing HTML, XML, and SAX. Using external XML entities, a remote attacker could specify a URL in a specially crafted XML that, when parsed, would cause a connection to that URL to be opened. This update enables the 'nonet'...

CVSS 7.5, AI score 6.4, EPSS 0.00323
Exploits 1, References 3
OSV
added 2015/05/27 12:00 a.m., 28 views

DLA-229-1 libnokogiri-ruby - security update

Bulletin has no description...

CVSS 7.5, AI score 7.5, EPSS 0.00323
Exploits 1