Ruby@* Security Vulnerabilities and Issues — Ruby@* CVE List

Ruby-langRuby*

7 matches found

CVE•added 2022/05/09 12:0 a.m.•524 views

CVE-2022-28739

CVE-2022-28739 describes a buffer over-read during String-to-Float conversion in Ruby. Affected are Ruby versions: 2.6 and earlier, 2.7.x prior to 2.7.6, 3.x prior to 3.0.4, and 3.1.x prior to 3.1.2. The flaw affects conversion paths such as Kernel#Float and String#to_f and can lead to memory saf...

7.5CVSS7.8AI score0.00306EPSS

CVE•added 2021/04/21 6:55 a.m.•401 views

CVE-2021-28965

The CVE-2021-28965 issue concerns the Ruby REXML library: specifically the REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1. The root cause is improper handling of XML round-trips, which can produce an incorrect XML document after parsing and serializing. Seve...

7.5CVSS7.6AI score0.00576EPSS

CVE•added 2018/04/03 10:0 p.m.•329 views

CVE-2018-8780

CVE-2018-8780 affects Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1. The flaw is in Dir.open, Dir.new, Dir.entries and Dir.empty? which do not check NULL characters, enabling unintentional directory traversal when these methods are used. Affect...

9.1CVSS7.1AI score0.01739EPSS

CVE•added 2021/07/27 4:1 p.m.•124 views

CVE-2021-28966

CVE-2021-28966 affects Ruby up to 3.0 on Windows. A remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir, enabling path-related manipulation. Root cause: how TmpDir parameter is processed in web contexts (no details beyond this in the provided documents...

7.5CVSS7.3AI score0.00247EPSS

CVE•added 2008/06/24 7:0 p.m.•101 views

CVE-2008-2664

CVE-2008-2664 details: In Ruby, the rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context‑dependent attackers to trigger memory corruption via unspecified vectors related to alloca. This ...

7.8CVSS6.8AI score0.05116EPSS

CVE•added 2008/06/24 7:0 p.m.•83 views

CVE-2008-2662

CVE-2008-2662 is a Ruby vulnerability: multiple integer overflows in rb_str_buf_append() across Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2. These overflows allow context-dependent attackers to execute arbitrary code o...

10CVSS7.2AI score0.1019EPSS

CVE•added 2008/06/24 7:0 p.m.•73 views

CVE-2008-2663

Ruby 1.8.4 and earlier (and 1.8.5-p231, 1.8.6-p230, 1.8.7-p22) are affected by an integer overflow in rb_ary_store that can enable context-dependent arbitrary code execution or a denial of service (CVE-2008-2663). The MiracleLinux, Oracle Linux, and Red Hat advisories in the connected documents r...

10CVSS7.2AI score0.1019EPSS