161 matches found
Malicious Package
Overview acts-ascommentablewithreplies is a malicious package. Affected versions of this package were found to be malicious: they used typosquatting to run malicious third-party scripts, imitating genuine package names by replacing an underscore (_) with a hyphen (-) and vice versa. Remediation Avoid usi...
Malicious Package
Overview adyenruby-api-library is a malicious package. Affected versions of this package were found to be malicious: they used typosquatting to run malicious third-party scripts, imitating genuine package names by replacing an underscore (_) with a hyphen (-) and vice versa. Remediation Avoid using...
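The two typosquatting entries above share one trick: a gem name that differs from a genuine one only in its separators. The following is an added example, not code from either advisory, that scans a Gemfile.lock for names which collapse to the same string as a trusted gem once every `-` and `_` is removed. The allowlist and the lockfile excerpt are constructed for the demonstration.

```ruby
# Added example (not code from the advisories above): flag gems in a Gemfile.lock
# whose name differs from a trusted gem only in '-' / '_' separators, including
# separators dropped entirely. The allowlist and the lockfile are constructed.

# Constructed stand-in for a trusted allowlist (your own dependency inventory).
KNOWN_GEMS = %w[
  acts_as_commentable_with_replies
  adyen-ruby-api-library
  mini_magick
  rest-client
].freeze

# Constructed Gemfile.lock excerpt; the first two specs are lookalikes.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      acts-ascommentablewithreplies (1.0.0)
      adyenruby-api-library (2.3.0)
      mini_magick (4.9.3)
      rest-client (2.1.0)
LOCK

# Strip every '-' and '_' so names that differ only in separators compare equal.
# Caveat: two genuinely different gems such as "foo-bar" and "foobar" also
# collide, so treat a hit as something to review, not as proof of malice.
def canonical(name)
  name.downcase.gsub(/[-_]/, "")
end

# Extract [name, version] pairs from the indented "name (version)" spec lines.
def lockfile_gems(text)
  text.scan(/^\s+([A-Za-z0-9_.-]+) \(([^)]+)\)$/)
end

# Returns [[seen_name, trusted_name], ...] for each gem that is not itself on
# the allowlist but canonicalises to the same string as an allowlisted gem.
def find_separator_typosquats(lock_text, known = KNOWN_GEMS)
  by_canonical = known.to_h { |g| [canonical(g), g] }
  lockfile_gems(lock_text).filter_map do |name, _version|
    next if known.include?(name)
    trusted = by_canonical[canonical(name)]
    [name, trusted] if trusted
  end
end

if __FILE__ == $PROGRAM_NAME
  find_separator_typosquats(SAMPLE_LOCKFILE).each do |seen, trusted|
    puts "review: #{seen} looks like #{trusted}"
  end
end
```

Run it against a real lockfile with your own inventory in place of KNOWN_GEMS; anything it reports should be checked against the gem's RubyGems page and its source before the build is trusted.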
OpenID library for Ruby: Server-Side Request Forgery
Background A Ruby library for verifying and serving OpenID identities. Description It was discovered that OpenID library for Ruby performed discovery first, and then verification. Impact A remote attacker could possibly change the URL used for discovery and trick the server into connecting to the...
CVE-2019-13589
The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. The current version, without this backdoor, is 1.1.5...
[SECURITY] [DSA 4481-1] ruby-mini-magick security update
------------------------------------------------------------------------- Debian Security Advisory DSA-4481-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso July 13, 2019 https://www.debian.org/security/faq -...
Important: Red Hat Security Advisory: rh-ror42-rubygem-sprockets security update
An update for rh-ror42-rubygem-sprockets is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
Important: Red Hat Security Advisory: rh-ror50-rubygem-sprockets security update
An update for rh-ror50-rubygem-sprockets is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
GHSA-X27V-X225-GQ8G Recurly gem Server-Side Request Forgery in Resource#find method
The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the Resource#find method that could result in compromise of API keys or other critical resources...
Recurly Client Ruby Library Server-Side Request Forgery Vulnerability
Recurly Client Ruby Library is a Ruby API wrapper for Recurly from Recurly USA. A server-side request forgery vulnerability exists in the Resource#find method in the Recurly Client Ruby Library. An attacker could use this vulnerability to take control of API keys or other important resources...
CVE-2017-0905
The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource#find" method that could result in compromise of API keys or other critical resources...
Server side request forgery (ssrf)
The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource#find" method that could result in compromise of API keys or other critical resources...
CVE-2017-0905
The CVE-2017-0905 issue affects the Recurly Client Ruby Library (before versions 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3). A Server-Side Request Forgery vulnerability exists in the Resource#find method that could lead to compromise of API keys or o...
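The entries above say only that a `find` method in an API client is vulnerable to SSRF. The usual shape of that bug is an identifier spliced into the request URL without validation, so that a caller-controlled id which is itself a URL, a scheme-relative reference or a `../` path changes where the client's API key is sent. The following is an added example, not the Recurly library's code, showing that shape beside a hardened version; the base endpoint is a constructed placeholder and the mechanism is an assumption about how such a bug typically arises.

```ruby
require "uri"

# Added example, not the Recurly client's own code: a `find(id)` that resolves an
# untrusted identifier against the API base URL, next to a hardened version.
# The base endpoint below is a constructed placeholder.
BASE = URI("https://api.example.invalid/v2/accounts/")

# Vulnerable shape: `id` is resolved as a relative reference, so an absolute
# URL, a scheme-relative "//host/..." or "../" segments move the request (and
# the Authorization header that goes with it) to a different resource or host.
def unsafe_find_uri(id)
  BASE.merge(id)
end

# Characters an identifier may legitimately contain (assumed for the example).
ID_PATTERN = /\A[A-Za-z0-9_-]{1,64}\z/

# Hardened shape: reject anything that is not an identifier, then re-check that
# the resolved URI still has the expected scheme, host, port and path prefix.
def safe_find_uri(id)
  raise ArgumentError, "invalid id: #{id.inspect}" unless ID_PATTERN.match?(id)
  uri = BASE.merge(id)
  same_origin = uri.scheme == BASE.scheme && uri.host == BASE.host && uri.port == BASE.port
  unless same_origin && uri.path.start_with?(BASE.path)
    raise ArgumentError, "request left the API origin"
  end
  uri
end

# Host the request would go to, or :blocked if the hardened path refused it.
def probe(id, safe:)
  (safe ? safe_find_uri(id) : unsafe_find_uri(id)).host
rescue ArgumentError
  :blocked
end

if __FILE__ == $PROGRAM_NAME
  ["acct-123", "http://169.254.169.254/latest/meta-data/", "../../admin"].each do |id|
    puts "#{id.inspect}: unsafe -> #{probe(id, safe: false)}, safe -> #{probe(id, safe: true)}"
  end
end
```

The post-resolution origin check matters even with the pattern in place: validating input and validating the URL you are about to request are two different controls, and the second one catches mistakes in the first.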
UBUNTU-CVE-2015-1820
REST client for Ruby aka rest-client before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect...
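The rest-client entry describes cookies set in one response being carried into the redirected request. When the redirect crosses hosts, a server the attacker controls can plant a session cookie and bounce the client to the target site, which is the fixation case; and cookies meant for one host leak to another. The following is an added example, not rest-client's code, contrasting a jar that forwards every stored cookie with one that keys cookies by the host that set them. All URLs and headers are constructed.

```ruby
require "uri"

# Added example, not rest-client's code: a minimal cookie jar keyed by the host
# that set each cookie, used to contrast forwarding cookies across a cross-host
# redirect with keeping them scoped. URLs and headers are constructed.
class CookieJar
  def initialize
    @by_host = Hash.new { |h, k| h[k] = {} }
  end

  # Record cookies from Set-Cookie headers under the host of the response URL.
  def store(response_url, set_cookie_headers)
    host = URI(response_url).host
    set_cookie_headers.each do |header|
      name, value = header.split(";", 2).first.strip.split("=", 2)
      @by_host[host][name] = value
    end
  end

  # Cookies to attach to a request for `url`: only those set by the same host.
  # (Real clients also honour Domain/Path attributes and public-suffix rules;
  # exact-host matching is the simplest safe policy for this example.)
  def for_request(url)
    @by_host[URI(url).host].dup
  end

  # Every stored cookie regardless of host: the unscoped behaviour.
  def all
    @by_host.values.reduce({}) { |acc, h| acc.merge(h) }
  end
end

# Simulate one hop: the first host answers with Set-Cookie and a redirect to
# `target_url`. Returns the cookies the client would send to the target.
def cookies_sent_on_redirect(first_url, set_cookie_headers, target_url, scoped:)
  jar = CookieJar.new
  jar.store(first_url, set_cookie_headers)
  scoped ? jar.for_request(target_url) : jar.all
end

# Constructed attacker-controlled first hop and victim target.
FIRST_URL   = "https://attacker.example/start"
SET_COOKIE  = ["_session=attacker-chosen; Path=/; HttpOnly"].freeze
REDIRECT_TO = "https://victim.example/login"

if __FILE__ == $PROGRAM_NAME
  puts "unscoped: #{cookies_sent_on_redirect(FIRST_URL, SET_COOKIE, REDIRECT_TO, scoped: false)}"
  puts "scoped:   #{cookies_sent_on_redirect(FIRST_URL, SET_COOKIE, REDIRECT_TO, scoped: true)}"
end
```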
[SECURITY] [DSA 3778-1] ruby-archive-tar-minitar security update
------------------------------------------------------------------------- Debian Security Advisory DSA-3778-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso January 31, 2017 https://www.debian.org/security/faq -...
Facter: Privilege escalation
Background Facter is a cross-platform Ruby library for retrieving facts from operating systems. Description Facter includes the current working directory in the search path. Impact A local attacker may be able to gain escalated privileges. Workaround There is no known workaround at this time...
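The Facter entry's mechanism, a current working directory on the search path, is easy to reproduce in isolation: whoever controls the directory a privileged process is started from can plant a file that wins the lookup. The following is an added example, not Facter's code, that builds a trusted directory and an attacker directory each holding a `plugin.rb`, runs a lookup from the attacker directory with and without `.` on the path, and shows the filter that keeps only absolute entries. The directory tree is constructed in a temporary location.

```ruby
require "tmpdir"
require "fileutils"

# Added example, not Facter's code: a file lookup over a search path, run from
# an attacker-controlled working directory, with and without "." in the path.
# Directories and files are constructed in a temporary tree.

# First matching file along `search_path`, or nil.
def resolve(name, search_path)
  search_path.map { |dir| File.join(dir, name) }.find { |p| File.file?(p) }
end

# Keep only absolute entries; "." and other relative entries resolve against
# whatever the current working directory happens to be at call time.
def absolute_only(search_path)
  search_path.select { |dir| File.absolute_path?(dir) }
end

# Builds a trusted dir and an attacker dir each holding plugin.rb, changes into
# the attacker dir, and reports which copy the lookup picked.
def lookup_outcome(include_cwd:)
  Dir.mktmpdir do |root|
    trusted = File.join(root, "trusted")
    attacker_cwd = File.join(root, "attacker")
    FileUtils.mkdir_p(trusted)
    FileUtils.mkdir_p(attacker_cwd)
    File.write(File.join(trusted, "plugin.rb"), "# genuine\n")
    File.write(File.join(attacker_cwd, "plugin.rb"), "# planted\n")
    Dir.chdir(attacker_cwd) do
      search_path = (include_cwd ? ["."] : []) + [trusted]
      hit = resolve("plugin.rb", search_path)
      File.read(hit).include?("planted") ? :hijacked : :safe
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "with '.' on the path:    #{lookup_outcome(include_cwd: true)}"
  puts "without '.' on the path: #{lookup_outcome(include_cwd: false)}"
end
```

The same reasoning applies to `$LOAD_PATH` and `require`: a relative entry is only as trustworthy as the least trusted directory a privileged caller might be started from.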
RedCloth Cross Site Scripting
I disclosed the following advisory about an XSS vulnerability in the RedCloth Textile library for Ruby. http://co3k.org/blog/redcloth-unfixed-xss-en You shouldn't use RedCloth to parse user-inputted content and output the parsed string unless you allow your users to write arbitrary JavaScript cod...
DEBIAN-CVE-2013-1812
The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack...
CVE-2005-1992
The XMLRPC server in utils.rb for the ruby library libruby 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands...