Ruby@* Security Vulnerabilities and Issues — Ruby@* CVE List

Lucene search

Ruby-langRuby*

5 matches found

CVE•added 2022/11/18 11:15 p.m.•764 views

CVE-2021-33621

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

8.8CVSS8.6AI score0.00854EPSS

CVE•added 2022/05/09 6:15 p.m.•462 views

CVE-2022-28739

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

7.5CVSS7.8AI score0.00402EPSS

CVE•added 2022/01/01 6:15 a.m.•434 views

CVE-2021-41819

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

7.5CVSS7.5AI score0.00291EPSS

CVE•added 2022/01/01 5:15 a.m.•387 views

CVE-2021-41817

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

7.5CVSS7.4AI score0.00284EPSS

CVE•added 2022/05/09 6:15 p.m.•202 views

CVE-2022-28738

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

9.8CVSS9.1AI score0.00245EPSS