open-uri-cached Gem for Ruby Temporary File Creation Elevation of Privilege Vulnerability
open-uri-cached Gem for Ruby is a Ruby-based application. open-uri-cached Gem for Ruby insecurely creates temporary files when using YAML, allowing local attackers to exploit vulnerabilities for elevated privileges...
rest-client ruby gem logs sensitive information
REST client for Ruby aka rest-client before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log...
CVE-2014-9490
The raven-ruby gem prior to 0.12.2 contains a vulnerability in lib/raven/okjson.rb where the numtok function can be triggered by large exponents in scientific numbers, enabling remote DoS. Impact is a denial of service as described in multiple advisories (e.g., GHSA-C9C5-9FPR-M882). A fix is avai...
kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List Local Plaintext Password Disclosure
kajam Gem for Ruby contains a flaw in /dataset/lib/dataset/database/postgresql.rb that is triggered as the program exposes the MySQL or PostgreSQL password in the process list. This may allow a local attacker to gain access to password information...
Remote Command Injection in Ruby Gem sfpagent 0.4.14
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14 Date: 4/15/2014 Author: Larry W. Cashdollar, @larry0 CVE: 2014-2888 Download: http://rubygems.org/gems/sfpagent Vulnerability The list variable generated from the user supplied JSONbody input is passed directly to the system shell on lin...
Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem
Title: Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem Author: Larry W. Cashdollar, @larry0 Download Site: http://rubygems.org/gems/Arabic-Prawn CVE: 2014-2322 Date: 12/17/2013 In Arabic-Prawn-0.0.1/lib/stringutfsupport.rb, the following lines pass unsanitized input to the shell. 426 var ...
Ruby Gem sfpagent 0.4.14 Command Injection Vulnerability
Ruby Gem sfpagent version 0.4.14 suffers from a remote command injection vulnerability. Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14 Date: 4/15/2014 Author: Larry W. Cashdollar, @larry0 CVE: 2014-2888 Download: http://rubygems.org/gems/sfpagent Vulnerability The list variable...
Ruby Gem sfpagent 0.4.14 Command Injection
Title: Remote Command Injection in Ruby Gem sfpagent 0.4.14 Date: 4/15/2014 Author: Larry W. Cashdollar, @larry0 CVE: 2014-2888 Download: http://rubygems.org/gems/sfpagent Vulnerability The list variable generated from the user supplied JSONbody input is passed directly to the system shell on lin...
Ruby Gem Arabic Prawn 0.0.1 Command Injection Vulnerability
Arabic Prawn Ruby gem version 0.0.1 suffers from a remote command injection vulnerability. Title: Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem Author: Larry W. Cashdollar, @larry0 Download Site: http://rubygems.org/gems/Arabic-Prawn CVE: 2014-2322 Date: 12/17/2013 In...
Ruby Gem Arabic Prawn 0.0.1 Command Injection
Title: Remote Command Injection in Arabic Prawn 0.0.1 Ruby Gem Author: Larry W. Cashdollar, @larry0 Download Site: http://rubygems.org/gems/Arabic-Prawn CVE: 2014-2322 Date: 12/17/2013 In Arabic-Prawn-0.0.1/lib/stringutfsupport.rb, the following lines pass unsanitized input to the shell. 426 var ...
Active Record: SQL injection
Background Active Record is a Ruby gem that allows database entries to be manipulated as objects. Description An Active Record method parameter can mistakenly be used as a scope. Impact A remote attacker could use specially crafted input to execute arbitrary SQL statements. Workaround The...
Command injection vulnerability in Ruby Gem sprout 0.7.246
Title: Command injection vulnerability in Ruby Gem sprout 0.7.246 Date: 11/14/2013 Download: http://rubygems.org/gems/sprout, http://projectsprouts.org/ Vulnerability: The unpackzip function contains the following code: sprout-0.7.246/lib/sprout/archiveunpacker.rb 60 zipdir =...
Command injection in Ruby Gem Webbynode 1.0.5.3
Title: Command injection in Ruby Gem Webbynode 1.0.5.3 Date: 11/11/2013 Author: Larry W. Cashdollar, @larry0 Download: http://rubygems.org/gems/webbynode Vulnerability Description: The following code located in: ./webbynode-1.0.5.3/lib/webbynode/notify.rb doesn't fully sanitize user supplied inpu...
UBUNTU-CVE-2013-2119
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem...
flukso4r Gem for Ruby /lib/flukso/R.rb Arbitrary Command Execution Vulnerability
flukso4r Gem for Ruby is a Flukso API library. flukso4r Gem for Ruby /lib/flukso/R.rb does not properly filter user-supplied input, allowing remote attackers to exploit the vulnerability by submitting specially crafted input that is executed in the context of the application. 0 flukso4r Gem for Ruby 0.3.8 No detailed solution is currently available: http://rubygems.org/gems/flukso4r...
paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials Local Disclosure
paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb. The issue is triggered when the script exposes API login credentials, allowing a local attacker to gain access to the API key, username, and password for the API login by monitoring the process tree...
Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries
Fat Free CRM contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the app/controllers/homecontroller.rb script not properly sanitizing user-supplied input to the 'state' parameter or input passed via comments and emails. This may allow a remote attacker to inje...
Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive information
Fat Free CRM contains a flaw in user controllers that is triggered as JSON requests are rendered with a full JSON object. This may allow a remote attacker to gain access to potentially sensitive information e.g. other users password hashes...
Fedora 19 : rubygem-i18n-0.6.1-4.fc19 (2013-23062)
Fix cross-site scripting flaw in exception handling CVE-2013-4492. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing...
Webbynode Ruby Gem Command Injection Vulnerability
Bugtraq ID:64289 CVE ID:CVE-2013-7086 Ruby Gem Webbynode is a tool that lets users deploy applications to the Webbynode platform. Ruby Gem Webbynode does not properly filter messages submitted via the growlnotify command; if a message contains shell metacharacters, arbitrary commands can be executed in the context of the application. 0 Ruby Gem Webbynode 1.0.5.3 The vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version: http://rubygems.org/gems/webbynode...