git-fastclone Shell Metacharacter Injection Arbitrary Command Execution
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell command. An attacker can execute malicious commands by modifying the strings that are passed as arguments to "cd " and "git clone " commands in the library...
git-fastclone permits arbitrary shell command execution from .gitmodules
Git allows executing arbitrary shell commands using git-remote-ext via remote URLs. Normally git never requests URLs that the user doesn't specifically request, so this is not a serious security concern. However, submodules did allow the remote repository to specify what URL to clone from. If a...
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
The mail gem before 2.5.5 for Ruby aka A Really Ruby Mail Library is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring...
SMTP command injection
Net::SMTP is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring. Applications that validate email address format are not affected by this vulnerability. The injection attack is...
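To make the injection concrete, here is an added example (not the mail gem's or Net::SMTP's own code) showing how a CRLF inside a recipient address turns one RCPT TO command into several on the wire, beside a validator that rejects such an address before it reaches the SMTP client. The attacker input is constructed; the command builder is illustrative of the behaviour the advisory describes, not the library's implementation.

```ruby
# Naive command builder: interpolates the address without any checks.
# Illustrative of the vulnerable behaviour, not the library's code.
def unsafe_rcpt_to(address)
  "RCPT TO:<#{address}>\r\n"
end

# Accept only addresses without whitespace, CR/LF or angle brackets, so a
# value can never terminate the SMTP line or escape the <path> brackets.
ADDRESS_RE = /\A[^\s<>@]+@[^\s<>@]+\z/

def safe_rcpt_to(address)
  raise ArgumentError, "invalid recipient: #{address.inspect}" unless address.match?(ADDRESS_RE)
  "RCPT TO:<#{address}>\r\n"
end

# How many SMTP commands the client would actually emit for one "address".
def command_count(wire)
  wire.split("\r\n").reject(&:empty?).length
end

# Constructed attacker input: closes the RCPT command, then smuggles a DATA
# command and a complete message body, and re-opens a RCPT line.
INJECTED = "victim@example.com>\r\nDATA\r\nSubject: spoofed\r\n\r\nhello\r\n.\r\nRCPT TO:<x@example.com"

if __FILE__ == $PROGRAM_NAME
  puts command_count(unsafe_rcpt_to(INJECTED))   # several commands from one address
  begin
    safe_rcpt_to(INJECTED)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

This is why the advisory notes that applications which validate address format are not affected: the format check, not the SMTP layer, is what keeps the line terminator out.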
Phusion Passenger Server allows clients to overwrite headers in some cases
In some cases clients can overwrite headers set by the server, resulting in a medium-severity security issue. Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired format to pass headers to all applications...
mapbox-rails Content Injection via TileJSON attribute
Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable to a cross-site-scripting attack in certain uncommon usage scenarios. If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON content from a non-Mapbox URL, it is possible for a malicious user with contro...
gollum Upload File Functionality Permits Arbitrary File Access
The gollum gem contains a flaw in its upload file functionality that can allow arbitrary file access. This occurs due to a lack of type checking when handling temporary files during the upload process...
devise-two-factor 1.1.0 and earlier vulnerable to replay attacks
An OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local attackers to shoulder-surf a user's TOTP verification code and use it to login after the user has authenticated. By not "burning" a previously used TOTP, devise-two-factor allows a narrow window of opportunity aka the...
Logstash: Man-in-the-middle attack
Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack output or the Logstash forwarder does not validate SSL/TLS certificates from the Logstash server, which might allow attackers to obtain sensitive information via a man-in-the-middle attack...
uglifier incorrectly handles non-boolean comparisons during minification
The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted JavaScript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code ...
Logstash: SSL/TLS FREAK Attack
Logstash 1.5.x before 1.5.3 and 1.4.x before 1.4.4 allows remote attackers to read communications between Logstash Forwarder agent and Logstash server...
rack-cors Gem Missing Anchor permits unauthorized CORS requests
Missing anchor in generated regex for rack-cors before 0.4.1 allows a malicious third-party site to perform CORS requests. If the configuration were intended to allow only the trusted example.com domain name and not the malicious example.net domain name, then example.com.example.net as well as...
redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow
redcarpet Gem for Ruby contains a flaw that allows a stack overflow. This flaw exists because the header_anchor function in html.c uses variable-length arrays (VLAs) without any range checking. This may allow a remote attacker to execute arbitrary code...
XSS Vulnerability in ActiveSupport::JSON.encode
When a Hash containing user-controlled data is encoded as JSON, either through Hash#to_json or ActiveSupport::JSON.encode, Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option, which is enabled by default. If this resulting JSON string is...
Possible Denial of Service attack in Active Support
Specially crafted XML documents can cause applications to raise a SystemStackError and potentially cause a denial of service attack. This only impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted. All users running an affected...
Cross-site request forgery (CSRF) vulnerability in Spina gem
"Spina::ApplicationController actions didn't have CSRF protection. This causes a CSRF vulnerability across the entire engine which includes administrative functionality such as creating users, changing passwords, and media management."...
CSRF Vulnerability in jquery-ujs
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, who will s...
IP whitelist bypass in Web Console
Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default). Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a loc...
CSRF Vulnerability in jquery-rails
In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to " https://attacker.com" (note the leading space) that will be passed to jQuery, who will s...
Potential Denial of Service Vulnerability in Rack
Carefully crafted requests can cause a SystemStackError and potentially cause a denial of service attack. All users running an affected release should upgrade...
RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking
RubyGems contains a flaw in the api_endpoint function in remote_fetcher.rb that is triggered when handling hostnames in SRV records. With a specially crafted response, a context-dependent attacker may conduct DNS hijacking attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,...
Paperclip Gem for Ruby vulnerable to content type spoofing
There is an issue where if an HTML file is uploaded with a .html extension, but the content type is listed as being image/jpeg, this will bypass a validation checking for images. But it will also pass the spoof check, because a file named .html and containing actual HTML passes the spoof check...
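The three signals the advisory juggles (declared Content-Type, file extension, and the bytes themselves) can disagree, and a check that consults only one of them lets the HTML-as-image upload through. The following is an added example, not Paperclip's validator: a tiny magic-byte sniffer and a check that requires all three signals to agree before accepting a file as an image. The sample uploads are constructed.

```ruby
# Leading bytes of a few image formats (binary strings).
MAGIC = {
  'image/jpeg' => "\xFF\xD8\xFF".b,
  'image/png'  => "\x89PNG\r\n\x1A\n".b,
  'image/gif'  => "GIF8".b,
}.freeze

EXT_TYPES = {
  '.jpg' => 'image/jpeg', '.jpeg' => 'image/jpeg',
  '.png' => 'image/png',  '.gif'  => 'image/gif',
}.freeze

# Content sniffing: what the bytes say they are, ignoring name and headers.
def sniff(bytes)
  data = bytes.b
  MAGIC.each { |type, sig| return type if data.start_with?(sig) }
  data.lstrip.start_with?("<".b) ? 'text/html' : 'application/octet-stream'
end

# Weak check: trusts the client-declared Content-Type. This passes the spoof
# in the advisory (HTML body, .html name, "image/jpeg" declared).
def declared_image?(declared_type)
  declared_type.start_with?('image/')
end

# Hardened check: extension, declared type and sniffed type must all agree
# and name an image type. Any one of them lying fails the upload.
def consistent_image?(filename, declared_type, bytes)
  ext_type = EXT_TYPES[File.extname(filename).downcase]
  return false unless ext_type && ext_type == declared_type
  sniff(bytes) == declared_type
end

# Constructed uploads: [filename, declared Content-Type, body]
SPOOFED = ["evil.html", "image/jpeg", "<html><script>alert(1)</script></html>".b].freeze
GENUINE = ["photo.jpg", "image/jpeg", "\xFF\xD8\xFF\xE0rest-of-jpeg".b].freeze
```

Sniffing alone is not enough either: a polyglot that begins with a valid image header can still carry script for a browser that sniffs differently, so serving uploads from a separate origin with a fixed Content-Type remains the real defence.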
Data Injection Vulnerability in moped Rubygem
A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object...
Data Injection Vulnerability in bson Rubygem
A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object...
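Both the rack-cors advisory above and the moped/bson ObjectId advisories come down to a regular expression that does not pin the whole string. The following is an added example, not code from rack-cors, moped or bson, showing the two ways this goes wrong in Ruby and the corrected forms. The origin pattern mirrors the rack-cors description (no anchor at all); for the ObjectId case the advisories only say the validation regex was flawed, so the use of line anchors `^`/`$` (which in Ruby match at every line boundary) is an assumption here, chosen because it is the common way a 24-hex-digit check admits trailing injected data.

```ruby
# 1. No anchors (the rack-cors case): a pattern generated from the allowed
#    host also matches any origin that merely contains that host.
def origin_regex(allowed_host, anchored:)
  body = Regexp.escape(allowed_host)
  anchored ? %r{\Ahttps?://#{body}\z} : %r{https?://#{body}}
end

def origin_allowed?(origin, allowed_host, anchored: true)
  origin_regex(allowed_host, anchored: anchored).match?(origin)
end

# 2. Line anchors instead of string anchors (assumed for the ObjectId case):
#    ^ and $ in Ruby match at line boundaries, so "<24 hex digits>\n<anything>"
#    still "validates" and the extra bytes ride along into the BSON document.
LEGAL_OBJECT_ID_LINE   = /^[0-9a-f]{24}$/i     # weak
LEGAL_OBJECT_ID_STRING = /\A[0-9a-f]{24}\z/i   # correct: whole string, no trailing newline

def legal_object_id?(candidate, strict: true)
  (strict ? LEGAL_OBJECT_ID_STRING : LEGAL_OBJECT_ID_LINE).match?(candidate)
end
```

Note `\z`, not `\Z`: the latter still permits a single trailing newline, which is exactly the character an injection needs.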
CSRF vulnerability in OmniAuth's request phase
The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able to sign into...
CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." A flaw was found in a...
open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege Escalation
open-uri-cached Gem for Ruby contains a flaw that is due to the program creating temporary files in a predictable, unsafe manner when using YAML. This may allow a local attacker to gain elevated privileges...
ruby-saml gem is vulnerable to XPath injection
xmlsecurity.rb in the ruby-saml gem before 1.0.0 for Ruby allows XPath injection and code execution because prepared statements are not used. The lack of prepared statements allows for possibly command injection, leading to arbitrary code execution...
rest-client ruby gem logs sensitive information
REST client for Ruby aka rest-client before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log...
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Several vulnerabilities were discovered in the libxml2 and libxslt libraries that the Nokogiri gem depends on. CVE-2015-1819 A denial of service flaw was found in the way libxml2 parsed XML documents. This flaw could cause an application that uses libxml2 to use an excessive amount of memory...
Ember.js XSS Vulnerability With {{view "select"}} Options
In general, Ember.js escapes or strips any user-supplied content before inserting it in strings that will be sent to innerHTML. However, a change made to the implementation of the select view means that any user-supplied data bound to an option's label will not be escaped correctly. In applicatio...
Ruby OpenSSL Hostname Verification
After reviewing RFC 6125 and RFC 5280, we found multiple violations of matching hostnames and particularly wildcard certificates. Ruby’s OpenSSL extension will now provide a string-based matching algorithm which follows more strict behavior, as recommended by these RFCs. In particular, matching o...
HTTPS MitM vulnerability in http.rb
http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack...
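The two advisories above are two sides of the same check: the Ruby OpenSSL entry describes what the hostname matching algorithm must do, and the http.rb entry describes a client that never ran it. The following added example (not http.rb's or Ruby's own code) builds a self-signed certificate offline and runs the same identity check that `post_connection_check` performs, `OpenSSL::SSL.verify_certificate_identity`, against matching, wildcard and mismatched names. The certificate names are constructed.

```ruby
require 'openssl'

# Self-signed certificate with the given CN and DNS subjectAltNames.
# Only the identity check matters here; chain validation is out of scope.
def build_cert(common_name, sans)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san_value = sans.map { |h| "DNS:#{h}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san_value, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The hostname check SSLSocket#post_connection_check performs after the
# handshake: RFC 6125 style matching against the SANs (falling back to CN
# only when no DNS SAN is present), with wildcards limited to one label.
def identity_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# What a client that skips the check effectively does: once the chain
# verifies, any subject is accepted. Illustrative of the http.rb bug, not its code.
def no_hostname_check(_cert, _hostname)
  true
end
```

An attacker holding a valid certificate for their own name passes chain verification; only the identity check ties the certificate to the host the client intended to talk to.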
CVE-2015-1820 rubygem-rest-client: session fixation vulnerability via Set-Cookie headers present in HTTP 30x redirection responses
REST client for Ruby aka rest-client before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect...
xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
xaviershay-dm-rails Gem for Ruby contains a flaw in the execute function in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is due to the function exposing sensitive information via the process table. This may allow a local attacker to gain access to MySQL credential information...
Fat Free CRM Gem vulnerable to CSRF-type attacks
Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Reques...
Puppet Labs Facter allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.
Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to obtain sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node...
Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.
Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier allows remote attackers to hijack the user's OAuth authorization code. This vulnerability has been assigned the CVE identifier CVE-2014-8144. Doorkeeper's endpoints didn't have CSRF protection. Any HTML document on the...
sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that is triggered when large numeric values are stored as an exponent or in scientific notation. With a specially crafted request, an attacker can cause the software to consume excessive resources resulting in a denial of service...
gollum-grit_adapter Search Functionality Allows Arbitrary Command Execution
The gollum-grit_adapter gem contains a flaw that can allow arbitrary command execution. Grit implements its search functionality by shelling out to git grep. In turn, git grep takes a -O or --open-files-in-pager option that will pipe the results of grep to an arbitrary process. By failing to...
Arbitrary file existence disclosure in Action Pack
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists. This vulnerability is very similar to CVE-2014-7818, but th...
CVE-2014-8090 ruby: REXML incomplete fix for CVE-2014-8080
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted XML document containing an empty string in an entity that is used in a large number of...
Arbitrary file existence disclosure in Action Pack
Specially crafted requests can be used to determine whether a file exists on the filesystem that is outside the Rails application's root directory. The files will not be served, but attackers can determine whether or not the file exists...
CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure
Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3...
CVE-2014-8080 ruby: REXML billion laughs attack via parameter entity expansion
The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack...
i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
i18n Gem for Ruby contains a flaw in the Hash#slice function in lib/i18n/core_ext/hash.rb that is triggered when slicing a hash with a key (e.g. :some_key) that is in keep_keys but not in the hash. This may allow an attacker to cause the program to crash...
Fat Free CRM Gem contains a JavaScript cross-site scripting (XSS) vulnerability
Fat Free CRM Gem contains a JavaScript cross-site scripting (XSS) vulnerability. When a user is created/updated using a specifically crafted username, first name or last name, it is possible for arbitrary JavaScript to be executed on all Fat Free CRM pages. This code would be executed for all logge...
Data Injection Vulnerability in Active Record
The create_with functionality in Active Record was implemented incorrectly and completely bypasses the strong parameters protection. Applications which pass user-controlled values to create_with could allow attackers to set arbitrary attributes on models...
CVE-2013-0334 rubygem-bundler: 'bundle install' may install a gem from a source other than expected
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source. A flaw was found in the way Bundler handled gems available from multiple sources. An attacker with access...
CVE-2014-4975 ruby: off-by-one stack-based buffer overflow in the encodes() function
Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow...