Lucene search: Ruby-lang Ruby 3.0.0

9 matches found

Added 2022/11/18 11:15 p.m.

CVE-2021-33621

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

CVSS 8.8, AI score 8.6, EPSS 0.02028
Added 2022/05/09 6:15 p.m.

CVE-2022-28739

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

CVSS 7.5, AI score 7.8, EPSS 0.00469
Added 2022/01/01 6:15 a.m.

CVE-2021-41819

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

CVSS 7.5, AI score 7.5, EPSS 0.00566
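The two CGI::Cookie entries above (CVE-2021-33621, response splitting through untrusted cookie input, and CVE-2021-41819, mishandled __Host-/__Secure- prefixes in CGI::Cookie.parse) share one root cause: cookie names and attributes reaching the Set-Cookie line unchecked, and names losing their exact spelling on the way back in. The following is an added example, not code from the cgi gem or from Ruby itself; set_cookie_header, parse_cookie_header, host_prefixed? and the three regexes are this example's own names. It builds a Set-Cookie header that rejects anything that could start a new header line, enforces the prefix rules case-sensitively, and parses a Cookie header without altering the case of names.

```ruby
require "uri"

# Cookie names must be HTTP tokens (RFC 6265): no control characters, no
# separators and in particular no CR/LF, so a name can never end the header line.
COOKIE_NAME_RE = /\A[A-Za-z0-9!\#$%&'*+\-.^_`|~]+\z/
# Path may contain any printable ASCII character except ';'.
COOKIE_PATH_RE = /\A[[ -~]&&[^;]]*\z/
# Domain: dot-separated labels of letters, digits and '-', optional leading dot.
COOKIE_DOMAIN_RE = /\A\.?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\z/

# Build one Set-Cookie header value. Raises ArgumentError instead of emitting
# anything that would let attacker-controlled input split the response.
def set_cookie_header(name, value, path: "/", domain: nil, secure: false, http_only: true)
  name = name.to_s
  raise ArgumentError, "invalid cookie name: #{name.inspect}" unless COOKIE_NAME_RE.match?(name)
  raise ArgumentError, "invalid path: #{path.inspect}" unless COOKIE_PATH_RE.match?(path.to_s)
  raise ArgumentError, "invalid domain: #{domain.inspect}" if domain && !COOKIE_DOMAIN_RE.match?(domain)

  # Prefix rules: __Host- needs Secure, Path=/ and no Domain; __Secure- needs Secure.
  # The comparison is deliberately case-sensitive: "__host-" is not a prefixed cookie.
  if name.start_with?("__Host-") && !(secure && path == "/" && domain.nil?)
    raise ArgumentError, "__Host- cookie must be Secure, Path=/ and carry no Domain"
  elsif name.start_with?("__Secure-") && !secure
    raise ArgumentError, "__Secure- cookie must be Secure"
  end

  # Percent-encode the value so CR, LF, ';' and '=' can never reach the header.
  parts = ["#{name}=#{URI.encode_www_form_component(value.to_s)}", "Path=#{path}"]
  parts << "Domain=#{domain}" if domain
  parts << "Secure" if secure
  parts << "HttpOnly" if http_only
  parts.join("; ")
end

# Parse an incoming Cookie request header into a name => value hash.
# Names keep their exact case, so a __Host- cookie is still recognisable after parsing.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.empty?
    cookies[name] = URI.decode_www_form_component(value.to_s)
  end
end

# True only for an exactly spelled __Host- prefix; a downcased name does not qualify.
def host_prefixed?(name)
  name.to_s.start_with?("__Host-")
end
```

The name check is what keeps CR/LF out of the header even when the name comes from a request parameter; percent-encoding covers the value. On the reading side, the only thing a parser has to do to preserve prefix semantics is to leave the name alone: once "__Host-" has become "__host-", the application can no longer tell a cookie the browser guaranteed was set over HTTPS from one injected by a sibling subdomain.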
Added 2022/01/01 5:15 a.m.

CVE-2021-41817

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

CVSS 7.5, AI score 7.4, EPSS 0.00422
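For the Date.parse ReDoS above, the practical mitigation on the application side is to never hand unbounded free-form text to the heuristic parser: use Date.strptime with the format you actually expect, and where free-form input is unavoidable, cap its length before Date.parse sees it. The block below is an added example, not code from the date gem; parse_iso_date, parse_date_loosely and MAX_DATE_INPUT are this example's own names (the 128-byte bound is chosen here to match the default limit the fixed gem enforces through its limit: keyword).

```ruby
require "date"

# Upper bound on free-form text passed to Date.parse. Chosen for this example to
# match the default `limit:` the fixed date gem (3.2.1 and later) applies itself;
# checking before the call keeps the guard on versions that lack the keyword.
MAX_DATE_INPUT = 128

# Strict path: the expected format is known, so only that format is accepted
# and the pattern-heavy heuristic parser never runs. Date::Error is a subclass
# of ArgumentError, so one rescue covers both malformed input and bad dates.
def parse_iso_date(str)
  return nil unless str.is_a?(String) && str.bytesize <= 10
  Date.strptime(str, "%Y-%m-%d")
rescue ArgumentError
  nil
end

# Lenient path: free-form text is allowed, but its size is bounded first so a
# long string cannot drive Date.parse's regular expressions into slow backtracking.
def parse_date_loosely(str)
  return nil unless str.is_a?(String) && str.bytesize <= MAX_DATE_INPUT
  Date.parse(str)
rescue ArgumentError
  nil
end
```

In a web handler the strict path should be the default for fields with a documented format (ISO dates in an API, for example); the lenient path is for genuinely human-entered text, and even there the bound means the worst-case cost of a single request stays proportional to 128 bytes, not to whatever the client chose to send.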
Added 2021/04/21 7:15 a.m.

CVE-2021-28965

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

CVSS 7.5, AI score 7.6, EPSS 0.00339
Added 2021/07/13 1:15 p.m.

CVE-2021-31810

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially makes Net::FTP extract information about services that are otherwise privat...

CVSS 5.8, AI score 6.3, EPSS 0.00721
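The PASV issue above is a server-controlled connect-back: the client asks where to open the data connection and the server is free to answer with any address, including one inside the client's network. The block below is an added example, not Net::FTP's code; parse_pasv, data_endpoint and UnsafePasvTarget are this example's own names. It parses the 227 reply, and by default discards the server-supplied address in favour of the control connection's host (the same choice the fixed Net::FTP makes unless use_pasv_ip is enabled); a caller who opts in to the server's address still cannot be pointed at loopback, link-local or private ranges.

```ruby
require "ipaddr"

class UnsafePasvTarget < StandardError; end

# Shape of a passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = /\A227\b.*\(\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*\)/

# Returns [host, port] exactly as the server stated them, after syntax checks.
def parse_pasv(reply)
  m = PASV_RE.match(reply.to_s)
  raise ArgumentError, "malformed PASV reply: #{reply.inspect}" unless m
  numbers = m.captures.map(&:to_i)
  raise ArgumentError, "value out of range in PASV reply" if numbers.any? { |n| n > 255 }
  host = numbers[0, 4].join(".")
  port = (numbers[4] << 8) | numbers[5]
  raise ArgumentError, "PASV port 0 is not usable" if port.zero?
  [host, port]
end

# Decide where the data connection may go.
#   control_host: the host the control connection was opened to (trusted)
#   reply:        the raw 227 line from the server (untrusted)
# Unless trust_server_host is set, only the port is taken from the server and
# the address is the control host, so a hostile server cannot redirect us.
# If the caller does trust the server's address, internal ranges are refused.
def data_endpoint(control_host, reply, trust_server_host: false)
  host, port = parse_pasv(reply)
  return [control_host, port] unless trust_server_host

  addr = IPAddr.new(host)
  if addr.loopback? || addr.private? || addr.link_local?
    raise UnsafePasvTarget, "PASV reply points at #{host}:#{port}, refusing"
  end
  [host, port]
end
```

Reusing the control host is the right default for almost every client; the opt-in exists only for the rare multi-homed server whose data interface genuinely differs, and even then the range check keeps a malicious reply from turning the client into a probe for services that are otherwise unreachable from outside.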
Added 2021/08/01 7:15 p.m.

CVE-2021-32066

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the ...

CVSS 7.4, AI score 7.3, EPSS 0.00114
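The Net::IMAP entry above is a fail-open bug: a client that only aborts on the responses it recognises as failures (NO, BAD) will carry on in cleartext when an attacker on the path answers STARTTLS with something it does not recognise. The block below is an added example, not Net::IMAP's code; negotiate_starttls, starttls_outcome and StartTLSFailed are this example's own names, and the exchange runs over StringIO objects standing in for the socket, with the server's replies constructed inline. It models only the command/response step: the point where the caller would wrap the socket in TLS is where negotiate_starttls returns true, and every other outcome, including an unknown status or a closed connection, raises.

```ruby
require "stringio"

class StartTLSFailed < StandardError; end

TAG = "A001"

# Send STARTTLS and return true only on a tagged OK for our tag.
#   io_in:  the stream the server's responses arrive on
#   io_out: the stream the client's commands are written to
# Untagged lines ("* ...") are skipped; anything else that is not "<tag> OK"
# aborts, so an unrecognised reply can never leave the session in cleartext.
def negotiate_starttls(io_in, io_out, tag: TAG)
  io_out.write("#{tag} STARTTLS\r\n")
  loop do
    line = io_in.gets
    raise StartTLSFailed, "connection closed before #{tag} was answered" if line.nil?
    line = line.chomp
    next if line.start_with?("* ") # untagged server data, keep waiting

    resp_tag, status, _text = line.split(" ", 3)
    raise StartTLSFailed, "unexpected response: #{line.inspect}" unless resp_tag == tag
    return true if status&.upcase == "OK" # only now may the caller start TLS

    # NO, BAD, a missing status, or any status we do not know: fail closed.
    raise StartTLSFailed, "server refused STARTTLS: #{line.inspect}"
  end
end

# Drive the client against a scripted server reply (constructed input for this
# example) and report the outcome instead of raising.
def starttls_outcome(server_script)
  server = StringIO.new(server_script)
  client = StringIO.new(+"")
  negotiate_starttls(server, client)
  :upgraded
rescue StartTLSFailed => e
  [:aborted, e.message]
end
```

The design choice worth copying is the shape of the branch: there is exactly one success condition, and the default branch is the failure. Written the other way round, with a list of known failures and a fall-through to "continue", every reply the author did not anticipate becomes a downgrade.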
Added 2022/05/09 6:15 p.m.

CVE-2022-28738

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

CVSS 9.8, AI score 9.1, EPSS 0.00487
Added 2021/07/30 2:15 p.m.

CVE-2021-28966

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.

CVSS 7.5, AI score 7.3, EPSS 0.00325