2157 matches found
CVE-2017-0899
A vulnerability was found where rubygems did not properly sanitize gems' specification text. A specially crafted gem could interact with the terminal via the use of escape sequences...
ruby, rubygem, rubygems security update
CentOS Errata and Security Advisory CESA-2019:2028. An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity...
GHSA-333G-RPR4-7HXQ rest-client Gem Contains Malicious Code
The rest-client gem 1.6.10 through 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.6.9, or upgrading to 1.7.x. Additionally, a set of other...
Code execution backdoor in coming-soon
The coming-soon gem 0.2.8 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in lita_coin
The lita_coin gem 0.0.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in awesome-bot
The awesome-bot gem 1.18.0 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.17.2 or upgrading to 1.19.x...
Code execution backdoor in capistrano-colors
The capistrano-colors 0.5.5 gem for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 0.5.4...
Code execution backdoor in bitcoin_vanity
The bitcoin_vanity gem 4.3.3 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. No unaffected version is known to exist, as the gem appears to have been entirely removed...
Code execution backdoor in doge-coin
The doge-coin gem 1.0.2 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.0.1...
Code execution backdoor in omniauth_amazon
The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party. Users of an affected version should consider downgrading to the last non-affected version of 1.0.1...
Code execution backdoor in rest-client
The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party...
Amazon Linux AMI : ruby20 / ruby21, ruby24 (ALAS-2019-1255)
An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. (CVE-2019-8322) An issue was discovered in RubyGems. Gem::GemcutterUtilities#with_response may output the...
rubygems: Installing a malicious gem may lead to arbitrary code execution
A flaw was found in RubyGems. A crafted gem with a multi-line name is not handled correctly, allowing an attacker to inject arbitrary code into the stub line of the gemspec. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
Important: ruby20, ruby21, ruby24
Issue Overview: An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. (CVE-2019-8322) An issue was discovered in RubyGems. Gem::GemcutterUtilities#with_response...
rubygems: Path traversal issue during gem installation allows to write to arbitrary filesystem locations
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem writing to...
rubygems: Missing URL validation on spec home attribute allows malicious gem to set an invalid homepage URL
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerability in the RubyGems specification homepage attribute that can...
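The two rubygems entries above describe gem metadata the installer trusted without validation: file paths inside the gem's data archive (directory traversal) and the specification's homepage attribute. The following is an added example, not RubyGems' own Gem::Package code; the function names, the install directory and the sample archive entries are assumptions constructed here for illustration. It shows the containment check an installer needs for every archive entry, and a strict absolute-http(s)-only check for the homepage.

```ruby
# Added example, not RubyGems' own Gem::Package code: validate two pieces of
# gem metadata that an installer must not trust blindly.
require 'uri'

# Resolve +entry+ (a file path taken from the gem's data archive) beneath
# +install_dir+ and return the destination only if it stays inside that
# directory. Absolute paths, ".." components and sibling-prefix tricks such
# as "../foo-1.0-evil/x" all fail the containment test and yield nil.
def safe_install_location(install_dir, entry)
  # File.expand_path would turn a leading "~" into a home directory, so
  # reject that shape outright instead of resolving it.
  return nil if entry.start_with?('~')

  root = File.expand_path(install_dir)
  dest = File.expand_path(entry, root)
  # Compare against the root plus a separator so that "/opt/gems/foo-1.0-evil"
  # is not accepted as being under "/opt/gems/foo-1.0".
  dest.start_with?(root + File::SEPARATOR) ? dest : nil
rescue ArgumentError
  # e.g. an entry containing a NUL byte
  nil
end

# A homepage is acceptable only as an absolute http(s) URL with a host.
# A missing homepage is allowed because many gems legitimately set none.
def valid_homepage?(homepage)
  return true if homepage.nil? || homepage.empty?

  uri = URI.parse(homepage)
  uri.is_a?(URI::HTTP) && !uri.host.to_s.empty?   # URI::HTTPS < URI::HTTP
rescue URI::InvalidURIError
  false
end

# Constructed sample: entries as they might appear in a malicious gem's archive.
SAMPLE_ENTRIES = [
  'lib/foo.rb',
  '../../../etc/cron.d/evil',
  '/etc/passwd',
  'lib/../../foo-1.0-evil/x',
  '~/.bashrc',
].freeze

# Split entries into those that may be written and those that must be rejected.
def check_entries(install_dir, entries = SAMPLE_ENTRIES)
  entries.partition { |e| safe_install_location(install_dir, e) }
end

if $PROGRAM_NAME == __FILE__
  ok, rejected = check_entries('/opt/gems/foo-1.0')
  puts "install: #{ok.inspect}", "reject: #{rejected.inspect}"
  puts valid_homepage?('https://example.com/foo'), valid_homepage?('javascript:alert(1)')
end
```

The containment test is done on the fully expanded destination rather than by looking for ".." in the entry string, so that "lib/../../foo-1.0-evil/x", which contains no leading "..", is still caught.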
datagrid contains code injection backdoor
The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party...
GHSA-RQP5-PG7W-832P datagrid contains code injection backdoor
The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party...
CVE-2019-14282
CVE-2019-14282 affects the Ruby gem simple_captcha2 (version 0.2.3) distributed on RubyGems.org. A third party inserted a code-execution backdoor into the package, enabling remote arbitrary code execution as described across multiple connected sources (e.g., Red Hat, Ubuntu, RubySec, GHSA). The d...
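Every backdoor entry in this listing (rest-client, coming-soon, lita_coin, awesome-bot, capistrano-colors, bitcoin_vanity, doge-coin, omniauth_amazon, datagrid and simple_captcha2) names exact affected versions, which makes them mechanically checkable against a project's lockfile. The following is an added example, not the page's code and not bundler-audit: the version table is taken from the entries above, the Gemfile.lock it scans is constructed here for illustration, and the parser assumes the usual lockfile layout in which pinned gems sit under "specs:" indented by four spaces and their dependencies by six.

```ruby
# Added example, not bundler-audit or RubyGems code: scan a Gemfile.lock for
# the backdoored gem versions published in the advisories above.
require 'rubygems'

# Affected versions as stated in the entries on this page.
BACKDOORED = {
  'rest-client'       => Gem::Requirement.new('>= 1.6.10', '<= 1.6.13'),
  'coming-soon'       => Gem::Requirement.new('= 0.2.8'),
  'lita_coin'         => Gem::Requirement.new('= 0.0.3'),
  'awesome-bot'       => Gem::Requirement.new('= 1.18.0'),
  'capistrano-colors' => Gem::Requirement.new('= 0.5.5'),
  'bitcoin_vanity'    => Gem::Requirement.new('= 4.3.3'),
  'doge-coin'         => Gem::Requirement.new('= 1.0.2'),
  'omniauth_amazon'   => Gem::Requirement.new('= 1.0.1'),
  'datagrid'          => Gem::Requirement.new('= 1.0.6'),
  'simple_captcha2'   => Gem::Requirement.new('= 0.2.3'),
}.freeze

# Pinned gems in a Gemfile.lock appear under "specs:" indented by exactly four
# spaces; their dependencies are indented by six and are skipped here.
SPEC_LINE = /\A {4}(\S+) \(([^)\s]+)\)\s*\z/

# Platform suffixes such as "-x86_64-linux" or "-java" are not part of the
# gem version and are stripped before comparison.
PLATFORM_SUFFIX = /-(?:x86_64|x64|x86|aarch64|arm64|arm|universal|java|mswin|mingw).*\z/

# Returns [[name, version], ...] for every pinned gem in the lockfile text.
def parse_lockfile(text)
  text.each_line.map do |line|
    m = SPEC_LINE.match(line.chomp)
    m && [m[1], m[2].sub(PLATFORM_SUFFIX, '')]
  end.compact
end

# Returns the subset of pinned gems whose version falls in a backdoored range.
def backdoored_gems(lockfile_text)
  parse_lockfile(lockfile_text).select do |name, version|
    req = BACKDOORED[name]
    req && req.satisfied_by?(Gem::Version.new(version))
  end
end

# Constructed sample lockfile: one clean gem, one backdoored exact version,
# one backdoored version inside the rest-client range, one unrelated gem.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      awesome-bot (1.17.2)
      doge-coin (1.0.2)
      mime-types (3.3)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    awesome-bot
    doge-coin
    rest-client

  BUNDLED WITH
     2.1.4
LOCK

if $PROGRAM_NAME == __FILE__
  backdoored_gems(SAMPLE_LOCKFILE).each do |name, version|
    puts "BACKDOORED: #{name} #{version}"
  end
end
```

Using Gem::Requirement for the table means a range such as rest-client's 1.6.10 through 1.6.13 is expressed once instead of as four literal strings, and the same comparison logic works for the single-version entries.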
Amazon Linux 2 : ruby (ALAS-2019-1249)
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. (CVE-2019-8322) An issue was discovered in RubyGems 2.6 and later through...
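The CVE-2017-0899 entry near the top of this listing and the RubyGems entries for the gem owner command and Gem::GemcutterUtilities#with_response share one root cause: text an attacker controls (a gem's specification fields, or the body of a RubyGems.org API response) is written to the terminal as-is, so embedded escape sequences can clear the screen, recolour output, retitle the window or forge a reassuring status line. The following is an added example, not RubyGems' own sanitizer; the regular expression, the function names and the constructed gemspec are assumptions for illustration. It removes CSI and OSC sequences and stray control characters before anything from a gem reaches stdout.

```ruby
# Added example, not RubyGems' own code: strip terminal control sequences from
# untrusted gem metadata and API responses before writing them to a TTY.

# Sequences a terminal would act on:
#   CSI  ESC [ params intermediates final   (clear screen, move cursor, colour)
#   OSC  ESC ] ... BEL or ESC \              (window title, hyperlinks)
#   any other ESC followed by a single final byte
#   bare C0 control characters and DEL, except tab and newline
TERMINAL_CONTROL = /
    \e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]  # CSI
  | \e\][^\a\e]*(?:\a|\e\\)                 # OSC
  | \e[\x40-\x5f]                           # two-byte ESC sequence
  | [\x00-\x08\x0b-\x1f\x7f]                # C0 controls and DEL (not \t, \n)
/x

# Constructed gemspec as an attacker might publish it: the summary clears the
# screen and prints a fake success line so the real install output is hidden.
MALICIOUS_SPEC = {
  name:    'totally-fine',
  version: '1.0.0',
  summary: "A harmless utility\e[2J\e[H\e[32mInstall finished, no warnings\e[0m\a",
}.freeze

# True if the text carries anything a terminal would interpret.
def terminal_injection?(text)
  text.to_s.match?(TERMINAL_CONTROL)
end

# Remove (rather than re-encode) every control sequence, so nothing an
# attacker wrote survives in a form the terminal would act on.
def sanitize_terminal_text(text)
  text.to_s.gsub(TERMINAL_CONTROL, '')
end

# Build the one-line description a gem command would print for a spec. The
# vulnerable behaviour is simply interpolating spec[:summary] unsanitized.
def describe_spec(spec)
  "#{sanitize_terminal_text(spec[:name])} (#{sanitize_terminal_text(spec[:version])}): " \
    "#{sanitize_terminal_text(spec[:summary])}"
end

if $PROGRAM_NAME == __FILE__
  puts "injection detected: #{terminal_injection?(MALICIOUS_SPEC[:summary])}"
  puts describe_spec(MALICIOUS_SPEC)
end
```

Dropping the sequences outright is preferable to replacing ESC with a printable "\e": the latter keeps the attacker's text readable for a human auditing the spec, but the former guarantees that a terminal emulator with unusual sequence support cannot still be driven by whatever slipped through the pattern.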