Lucene search
+L
Ruby-langRuby

27 matches found

CVE
CVE
added 2023/03/31 12:0 a.m.784 views

CVE-2023-28756

CVE-2023-28756 describes a ReDoS vulnerability in the Ruby Time parser up to version 3.2.1. The Time parser mishandles invalid URLs containing certain characters, causing increased execution time when parsing strings to Time objects. Affected product: Ruby Time component (through Ruby up to 3.2.1...

5.3CVSS5.7AI score0.02452EPSS
CVE
CVE
added 2019/11/26 12:0 a.m.412 views

CVE-2019-16254

CVE-2019-16254 (HTTP Response Splitting) affects Ruby WEBrick in versions up to 2.4.7, 2.5.x up to 2.5.6, and 2.6.x up to 2.6.4. The issue arises when untrusted input is inserted into HTTP response headers, enabling CRLF/header injection and potentially malicious content. It is noted as a follow-...

5.3CVSS6.8AI score0.04569EPSS
CVE
CVE
added 2018/04/03 12:0 a.m.402 views

CVE-2017-17742

CVE-2017-17742 affects Ruby with WEBrick: HTTP Response Splitting via crafted headers in WEBrick, impacting Ruby versions: <2.2.10, 2.3.x <2.3.7, 2.4.x <2.4.4, 2.5.x

5.3CVSS6.8AI score0.0576EPSS
CVE
CVE
added 2020/05/04 2:54 p.m.395 views

CVE-2020-10933

CVE-2020-10933 affects the Ruby interpreter (2.5.x up to 2.5.7, 2.6.x up to 2.6.5, and 2.7.0). The issue occurs in BasicSocket#read_nonblock where the buffer is resized to the requested size but no data is copied, causing the buffer to expose the previous heap contents and potentially expose sens...

5.3CVSS6.1AI score0.02564EPSS
CVE
CVE
added 2021/07/13 12:0 a.m.360 views

CVE-2021-31810

CVE-2021-31810 affects Ruby up to 2.6.7, 2.7.x up to 2.7.3, and 3.x up to 3.0.1. A malicious FTP server can abuse the PASV response to persuade Net::FTP to connect to an attacker-specified IP/port, enabling potential information disclosure about private services (e.g., port scans and service bann...

5.8CVSS6.3AI score0.0305EPSS
CVE
CVE
added 2019/11/29 8:46 p.m.202 views

CVE-2015-1855

CVE-2015-1855 affects Ruby’s OpenSSL hostname matching: the OpenSSL extension fails to validate hostnames, allowing server spoofing. Affected: Ruby/OpenSSL before 2.0.0 patchlevel 645; 2.1.x before 2.1.6; 2.2.x before 2.2.2. Root cause: permissive hostname matching (wildcards, IDNA, case, non‑ASC...

5.9CVSS5.5AI score0.02815EPSS
CVE
CVE
added 2014/11/03 4:0 p.m.144 views

CVE-2014-8080

CVE-2014-8080 affects the REXML XML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4, where specially crafted XML can cause a denial of service via XML Entity Expansion (XEE). Affected Ruby versions are vulnerable to memory (and CPU) exhaustion. Remediation ...

5CVSS5.5AI score0.05538EPSS
CVE
CVE
added 2013/04/09 9:0 p.m.143 views

CVE-2013-1821

CVE-2013-1821 is an XML Entity Expansion (XEE) denial-of-service vulnerability in the REXML parser of Ruby. The provided sources confirm affected Ruby/REXML configurations across multiple lines: Ruby before 1.9.3-p392 (initial description) and extended references indicate the issue affects 1.9.x ...

5CVSS5.4AI score0.06671EPSS
CVE
CVE
added 2014/11/15 8:0 p.m.127 views

CVE-2014-4975

CVE-2014-4975 is an off-by-one stack-based buffer overflow in the encodes() function (pack.c) of Ruby 1.9.3 and earlier, and 2.x through 2.1.2, triggered by certain format string specifiers. This can cause a denial of service via segmentation fault. Connected advisories note this Ruby pack() issu...

5CVSS5.4AI score0.03893EPSS
CVE
CVE
added 2012/11/24 8:0 p.m.124 views

CVE-2012-4522

CVE-2012-4522 affects Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163, where a NUL byte in a file path enables context‑dependent attackers to create files in unintended locations or with unexpected names. The issue arises from rb_get_path_check in file.c and is confirmed by multiple...

5CVSS5.3AI score0.02204EPSS
CVE
CVE
added 2012/11/28 11:0 a.m.121 views

CVE-2012-5371

CVE-2012-5371 affects Ruby (CRuby) 1.9 prior to 1.9.3-p327 and 2.0 prior to r37575. The issue is that hash values can be triggered for collisions without proper restriction, enabling context-dependent attackers to cause CPU-driven denial of service via crafted input to hash-table data structures,...

5CVSS5.6AI score0.03357EPSS
CVE
CVE
added 2014/11/21 3:0 p.m.119 views

CVE-2014-8090

The CVE-2014-8090 issue is a vulnerability in Ruby’s REXML XML parser that can be exploited via crafted XML documents containing an empty string in repeated nested entities, causing CPU and memory exhaustion (XEE). Affected are Ruby 1.9.x before 1.9.3 patchlevel 551, Ruby 2.0.x before 2.0.0 patch...

5CVSS5.8AI score0.056EPSS
CVE
CVE
added 2011/08/05 9:0 p.m.114 views

CVE-2011-2705

CVE-2011-2705 affects Ruby’s SecureRandom.init in lib/securerandom.rb. The vulnerability arises because SecureRandom.random_bytes relies on PID values for initialization in Ruby versions prior to 1.8.7-p352 and 1.9.x prior to 1.9.2-p290, enabling context-dependent attackers to predict the generat...

5CVSS5.4AI score0.0195EPSS
CVE
CVE
added 2015/06/24 2:0 p.m.106 views

CVE-2015-3900

Vulnerability summary: CVE-2015-3900 affects RubyGems 2.0.x up to 2.0.16, 2.2.x up to 2.2.4, and 2.4.x up to 2.4.7. It does not validate hostnames when fetching gems or API requests, enabling a remote attacker to redirect requests to arbitrary domains via a crafted DNS SRV record (DNS hijack atta...

5CVSS6.3AI score0.08934EPSS
CVE
CVE
added 2009/06/11 9:0 p.m.104 views

CVE-2009-1904

CVE-2009-1904 concerns the Ruby BigDecimal conversion to Float: Ruby 1.8.6 before p369 and 1.8.7 before p173 can crash an application (DoS) when given a very large numeric string. Connected advisories (e.g., MiracleLinux AXSA-2009-78:01) confirm a patch was released (e.g., “New patchlevel fixing ...

5CVSS8.8AI score0.08375EPSS
CVE
CVE
added 2013/04/25 11:0 p.m.101 views

CVE-2012-4466

CVE-2012-4466 affects Ruby 1.8.7 before patchlevel 371, Ruby 1.9.3 before patchlevel 286, and Ruby 2.0 before revision r37068. The issue allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via name_err_mesg_to_str, tainting handling for strings. This ...

5CVSS5.8AI score0.02619EPSS
CVE
CVE
added 2013/04/25 11:0 p.m.99 views

CVE-2012-4464

Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 are vulnerable to a context-dependent taint bypass via exc_to_s or name_err_to_s in the exception-to-string paths, allowing modification of untainted strings and bypassing safe-level restrictions (distinct from CVE-2012-4466). Root c...

5CVSS5.8AI score0.0218EPSS
CVE
CVE
added 2011/03/02 7:0 p.m.96 views

CVE-2011-1005

The CVE-2011-1005 issue affects Ruby’s safe-level mechanism (Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev), where untrusted strings could be modified via Exception#to_s, enabling context-dependent attackers to alter a pathname. Public advisories reference this vulnerability...

5CVSS6.3AI score0.02772EPSS
CVE
CVE
added 2008/09/04 5:0 p.m.93 views

CVE-2008-3905

CVE-2008-3905 is associated with Ruby’s DNS resolver (resolv.rb). The issue stems from predictable transaction IDs and a fixed source port when sending DNS requests, enabling remote attackers to spoof DNS replies. The connected advisories confirm that resolv.rb’s DNS request handling could be exp...

5.8CVSS6.6AI score0.02415EPSS
CVE
CVE
added 2019/11/26 2:50 a.m.90 views

CVE-2011-3624

CVE-2011-3624 affects WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier. The vulnerability arises because these methods do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers, which could allow remote attackers to inject arbitrary text into log files or to byp...

5.3CVSS5.3AI score0.01521EPSS
CVE
CVE
added 2008/04/18 10:0 p.m.88 views

CVE-2008-1891

The CVE-2008-1891 entry covers a directory traversal in WEBrick for Ruby (affecting Ruby 1.8.4 and earlier, 1.8.5 before p231, 1.8.6 before p230, 1.8.7 before p22, and 1.9.0 before 1.9.0‑2) when using NTFS/FAT filesystems. An attacker could read arbitrary CGI files by supplying a trailing charact...

5CVSS6.5AI score0.02813EPSS
CVE
CVE
added 2008/08/14 11:0 p.m.88 views

CVE-2008-3443

CVE-2008-3443 affects Ruby’s regex engine in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423. The issue enables remote attackers to cause a denial of service (infinite loop and crash) by sending multiple long requests to a Ruby socket (notably Web...

5CVSS6.5AI score0.15678EPSS
CVE
CVE
added 2011/08/05 10:0 p.m.87 views

CVE-2011-3009

CVE-2011-3009 is confirmed in connected advisories as affecting Ruby before 1.8.6-p114, where the random seed is not reset on fork, enabling context-dependent prediction of random numbers (related to CVE-2003-0900). MiracleLinux advisories list this CVE among affected Ruby packages and indicate r...

5CVSS6.2AI score0.02088EPSS
CVE
CVE
added 2007/11/14 1:0 a.m.85 views

CVE-2007-5770

Concrete details found: CVE-2007-5162 and CVE-2007-5770 affect Ruby 1.8.5/1.8.6. The MiracleLinux AXSA-2007-63:01 advisory states that the CN field in a server certificate is not verified against the domain in the request for (1) Net::HTTP/Net::HTTPS and (2) multiple Net modules (ftptls, telnets,...

5CVSS9.2AI score0.0187EPSS
CVE
CVE
added 2008/08/27 8:0 p.m.85 views

CVE-2008-3790

CVE-2008-3790 details Affected software: Ruby (versions 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9). Vulnerable component: REXML module. Root cause/impact: XML entity explosion in XML documents enables context-dependent attackers to cause a denial of service (CPU consumption). Exp...

5CVSS6.5AI score0.15197EPSS
CVE
CVE
added 2011/08/05 9:0 p.m.78 views

CVE-2011-2686

CVE-2011-2686 affects Ruby (MRI) older than 1.8.7-p352; it arises from a regression in 1.8.6 where the random seed is not reset on fork, allowing context-dependent attackers to predict random numbers from a child process. The issue is fixed in Ruby 1.8.7-p352 and later. No exploitation details ar...

5CVSS6.2AI score0.02582EPSS
CVE
CVE
added 2014/04/24 11:0 p.m.64 views

CVE-2014-2734

The CVE-2014-2734 entry concerns the Ruby OpenSSL extension in Ruby 2.x, where the process memory state may not be correctly maintained after reopening a file, enabling remote attackers to spoof signatures during signature verification after specific filesystem operations. SUSE/PT-2019-4673 and P...

5.8CVSS6.9AI score0.05349EPSS