CVE-2019-15224
The rest-client rubygem, hosted on rubygems.org, was compromised and released containing malware in versions 1.6.10 to 1.6.13. Applications using these versions of the rest-client rubygem should be considered compromised...
Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16779).
Summary There is a vulnerability in Ruby on Rails that is used by IBM License Metric Tool. Vulnerability Details CVEID: CVE-2019-16779 DESCRIPTION: RubyGem excon could allow a remote attacker to obtain sensitive information, caused by a race condition around persistent connections. By sending a...
FreeBSD : rubygem-json -- Unsafe Object Creation Vulnerability in JSON (Additional fix) (40194e1c-6d89-11ea-8082-80ee73419af3)
When parsing certain JSON documents, the json gem including the one bundled with Ruby can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parse(user_input), but didn't address some other...
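The mechanism behind this entry is the json gem's `create_additions` feature: when it is enabled, any object carrying a `json_class` key is turned into an instance of the named class by calling that class's `json_create`. The following is an added example, not code from the json gem or from the advisory; the `AuditNote` class and the untrusted document are constructed for the demonstration, and `parse_untrusted` is a hypothetical wrapper showing the defensive default.

```ruby
require "json"

# Constructed target class: any class that responds to `json_create` is
# instantiable by the parser once object creation is switched on.
class AuditNote
  attr_reader :text

  def initialize(text)
    @text = text
  end

  # Called by the parser with the decoded Hash when create_additions is on.
  def self.json_create(hash)
    new(hash["text"])
  end
end

# Constructed attacker-controlled document. The "json_class" key is the
# default JSON.create_id; the attacker picks the class, the gem instantiates it.
UNTRUSTED_DOC = '{"json_class":"AuditNote","text":"injected"}'.freeze

# Unsafe: opt in to object creation. This is the behaviour the incomplete fix
# left reachable through some entry points even though JSON.parse(user_input)
# itself had been changed to default it off.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Hardened (hypothetical wrapper): whatever options a caller passes through,
# object creation is forced off, so the result can only contain Hash, Array,
# String, Numeric, true, false and nil.
def parse_untrusted(doc, **opts)
  JSON.parse(doc, **opts.merge(create_additions: false))
end

if __FILE__ == $PROGRAM_NAME
  puts parse_with_additions(UNTRUSTED_DOC).class   # AuditNote
  puts parse_untrusted(UNTRUSTED_DOC).class        # Hash
end
```

The toy class is harmless, but `require "json/add/core"` and similar files give ordinary Ruby classes a `json_create`, and gems in a real application can add more; what an attacker can reach depends entirely on what is loaded. The practical check is to grep a codebase for `create_additions: true`, `JSON.load` and `JSON.unsafe_load` on data that did not originate inside the process.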
RubyGem Rack Path Traversal Vulnerability
RubyGem Rack is a modular interface between web servers and web applications developed using the Ruby programming language. A path traversal vulnerability exists in RubyGem Rack versions prior to 2.2.0. The vulnerability stems from a failure of a network system or product to properly filter speci...
CVE-2020-5249
A flaw was discovered in rubygem-puma, where it did not properly forbid untrusted input in an early-hints header. This flaw allows an attacker with the ability to tamper with HTTP headers to insert a carriage return character to end the header and then insert malicious content, allowing an HTTP...
CVE-2020-5247
A flaw was discovered in rubygem-puma, where it did not properly forbid untrusted input in a response header. This flaw allows an attacker with the ability to tamper with HTTP headers to insert a new-line and insert malicious content, allowing an HTTP response splitting, which exposes the risk of...
Sort order SQL injection via `direction` parameter in administrate
In Administrate rubygem before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord...
CVE-2020-5257
In Administrate rubygem before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord...
GHSA-2P5P-M353-833W Sort order SQL injection in Administrate
In Administrate rubygem before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord...
CVE-2020-5257
CVE-2020-5257 affects the Administrate Ruby gem prior to version 0.13.0. The vulnerability arises when sorting by attributes on a dashboard, where the direction parameter was interpolated into an SQL query without validation, potentially enabling SQL injection if an attacker can modify the direct...
SQL Injection
In Administrate rubygem, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord SQL protections. Whils...
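The Administrate entries above all describe the same pattern: a `direction` query parameter reaching `ORDER BY` through string interpolation. The following is an added example, not Administrate's code, showing the unvalidated clause next to an allow-list version; the column list, the `order_clause_*` helpers and the blind-injection payload are constructed for the illustration.

```ruby
# Constructed allow-lists. A sort attribute and a sort direction are both
# closed sets, so neither should ever be copied from the request verbatim.
SORTABLE_ATTRIBUTES = %w[id name created_at].freeze
SORT_DIRECTIONS     = %w[asc desc].freeze

# Before: attribute and direction come straight from params and are
# interpolated into the SQL fragment as-is.
def order_clause_unvalidated(attribute, direction)
  "ORDER BY #{attribute} #{direction}"
end

# After: the attribute must be one of the known columns and the direction is
# normalised to "asc" or "desc"; anything else never reaches the query.
def order_clause_validated(attribute, direction)
  attr = attribute.to_s
  unless SORTABLE_ATTRIBUTES.include?(attr)
    raise ArgumentError, "unsortable attribute #{attr.inspect}"
  end
  dir = direction.to_s.downcase
  dir = "asc" unless SORT_DIRECTIONS.include?(dir)
  "ORDER BY #{attr} #{dir}"
end

# Constructed payload. Because the direction is appended after the column,
# a comma continues the ORDER BY list with an attacker-chosen expression:
# the result set is sorted by `id` or by `name` depending on a condition,
# which leaks one bit per request (a blind, sort-order-based injection).
BLIND_PAYLOAD = "asc, (CASE WHEN (SELECT COUNT(*) FROM users WHERE admin = 1) > 0 " \
                "THEN id ELSE name END)".freeze

if __FILE__ == $PROGRAM_NAME
  puts order_clause_unvalidated("name", BLIND_PAYLOAD)
  puts order_clause_validated("name", BLIND_PAYLOAD)
end
```

Note that the payload is syntactically valid SQL on every major engine, so a detection rule keyed on quotes or comment markers would not fire; the allow-list is the control, and the same check should be applied to the attribute name, which is interpolated just as directly.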
CVE-2020-5249
In Puma RubyGem before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is...
CVE-2020-5249
CVE-2020-5249 affects Puma RubyGem: untrusted input in an Early Hints header can allow HTTP Response Splitting via a carriage return that ends the header and injects content. Impact: an attacker can append further headers or an entirely new response body in vulnerable Puma versions. Affected: Puma before 4.3.3 and 3.12.4...
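Both Puma entries on this page (CVE-2020-5247 for response headers, CVE-2020-5249 for the Early Hints header) come down to the same thing: a header value containing a line terminator is written to the socket verbatim, so the client parses the remainder as more headers or as a second response. The following is an added example, not Puma's code, with a minimal serializer in its vulnerable and hardened forms; the `Link` value and the `status_lines` helper are constructed for the demonstration.

```ruby
CRLF = "\r\n".freeze

class InvalidHeaderValue < StandardError; end

# Vulnerable: values are joined into the wire format without inspection.
# A CR or LF inside a value ends the current header line, and a blank line
# (CRLF CRLF) ends the header block, so what follows is a new message.
def serialize_early_hints_vulnerable(headers)
  lines = headers.map { |name, value| "#{name}: #{value}" }
  "HTTP/1.1 103 Early Hints#{CRLF}#{lines.join(CRLF)}#{CRLF}#{CRLF}"
end

# Hardened: refuse any name or value containing CR or LF before it is
# serialized. Checking for LF alone is not enough (many clients accept a
# bare CR as a line end), which is the gap between the two Puma CVEs.
def serialize_early_hints(headers)
  headers.each do |name, value|
    if name.to_s.match?(/[\r\n]/) || value.to_s.match?(/[\r\n]/)
      raise InvalidHeaderValue, "header #{name.inspect} contains CR or LF"
    end
  end
  serialize_early_hints_vulnerable(headers)
end

# Constructed attacker-controlled value: finishes the Link header, closes the
# header block, and supplies a complete second response of its own.
INJECTED_LINK = "</style.css>; rel=preload\r\n\r\n" \
                "HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\npwned".freeze

# Helper for inspecting the result: every status line a client would see.
def status_lines(wire)
  wire.scan(%r{^HTTP/1\.1 \d{3} [^\r\n]*})
end

if __FILE__ == $PROGRAM_NAME
  p status_lines(serialize_early_hints_vulnerable("Link" => INJECTED_LINK))
  begin
    serialize_early_hints("Link" => INJECTED_LINK)
  rescue InvalidHeaderValue => e
    puts "rejected: #{e.message}"
  end
end
```

In the vulnerable path the client sees two status lines and treats `pwned` as the body of a real 200 response, which is the cache-poisoning and content-injection risk the advisories describe. The hardened path is the right place for the check because it is the last point where the value is still a Ruby string rather than bytes on the wire; application-level validation of a reflected `Link` value is still worthwhile but cannot be relied on for every code path that sets a header.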