Ruby@* Security Vulnerabilities and Issues — Ruby@* CVE List

Lucene search

Ruby-langRuby*

8 matches found

CVE•added 2017/12/15 9:29 a.m.•257 views

CVE-2017-17405

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default va...

9.3CVSS7.5AI score0.8688EPSS

CVE•added 2017/09/19 5:29 p.m.•249 views

CVE-2017-10784

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

9.3CVSS7.9AI score0.02063EPSS

CVE•added 2017/05/24 3:29 p.m.•199 views

CVE-2017-9229

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in an invalid poin...

7.5CVSS8.5AI score0.0035EPSS

CVE•added 2017/08/31 5:29 p.m.•183 views

CVE-2017-14064

Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of length zero, which is n...

9.8CVSS7.3AI score0.01568EPSS

CVE•added 2017/05/24 3:29 p.m.•182 views

CVE-2017-9225

An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() occurs during regular expression compilation. Code point 0xFFFFFFFF is not properly handled in un...

9.8CVSS9.5AI score0.00392EPSS

CVE•added 2017/12/20 9:29 a.m.•150 views

CVE-2017-17790

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input ma...

9.8CVSS8.8AI score0.8688EPSS

CVE•added 2017/06/12 8:29 p.m.•104 views

CVE-2015-9096

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

6.1CVSS6.8AI score0.01297EPSS

CVE•added 2017/09/06 9:29 p.m.•44 views

CVE-2014-6438

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.

7.5CVSS7.2AI score0.01078EPSS