16 matches found

Added 2017/12/15, 9:00 a.m.

CVE-2017-17405

CVE-2017-17405 is a Ruby Net::FTP command-injection vulnerability where Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile invoke Kernel#open on local files; if the localfile argument begins with a pipe, the following command is executed. The default localfile is the ba...

CVSS 9.3 | AI score 7.5 | EPSS 0.73927

Added 2017/09/19, 5:00 p.m.

CVE-2017-10784

CVE-2017-10784 affects Ruby’s WEBrick Basic authentication: an attacker can inject terminal escape sequences into WEBrick logs via a crafted username, potentially affecting the attacker’s terminal emulator. Deb and related advisories confirm the vulnerability exists in WEBrick in Ruby versions pr...

CVSS 9.3 | AI score 7.9 | EPSS 0.16412

Added 2017/09/19, 5:00 p.m.

CVE-2017-14033

CVE-2017-14033 is a buffer underrun in the OpenSSL::ASN1 decode path of Ruby’s OpenSSL extension. Reported as a denial of service causing interpreter crash when processing a crafted string. Affected Ruby versions include 2.2.x prior to 2.2.8, 2.3.x prior to 2.3.5, and 2.4.x up to 2.4.1. Mitigatio...

CVSS 7.5 | AI score 6.6 | EPSS 0.07734

Added 2017/05/24, 3:00 p.m.

CVE-2017-9225

Oniguruma 6.2.0 (as used in Ruby via oniguruma-mod through Ruby 2.4.1 and mbstring in PHP through 7.1.5) contains CVE-2017-9225, a stack out-of-bounds write in onigenc_unicode_get_case_fold_codes_by_str() and related unicode handling, with Code point 0xFFFFFFFF not properly handled in unicode_unf...

CVSS 9.8 | AI score 9.5 | EPSS 0.0308

Added 2017/05/24, 3:00 p.m.

CVE-2017-9229

CVE-2017-9229 affects Oniguruma 6.2.0 (as used by Oniguruma-mod in Ruby up to 2.4.1 and mbstring in PHP up to 7.1.5). A SIGSEGV can occur in left_adjust_char_head() during regular expression compilation due to invalid handling of reg->dmax in forward_search_range(), which may yield an invalid ...

CVSS 7.5 | AI score 8.5 | EPSS 0.05129

Added 2017/08/31, 5:00 p.m.

CVE-2017-14064

CVE-2017-14064 affects Ruby before the fixed versions: Ruby 2.2.7 and earlier (2.2.x), 2.3.0–2.3.4, and 2.4.0–2.4.1. Root cause is a strdup-based bug in ext/json/ext/generator/generator.c that stops at the first NUL byte, returning a string of length zero while space_len indicates otherwise, expo...

CVSS 9.8 | AI score 7.3 | EPSS 0.09445

Added 2017/09/15, 7:00 p.m.

CVE-2017-0898

CVE-2017-0898 affects Ruby older branches (before 2.4.2, 2.3.5, and 2.2.8) and is caused by a buffer underrun in Kernel.sprintf, leading to heap memory corruption and potential information disclosure from the heap or application instability. The issue is not restricted to a single product; it app...

CVSS 9.1 | AI score 7.4 | EPSS 0.09718

Added 2017/12/20, 9:00 a.m.

CVE-2017-17790

CVE-2017-17790 affects Ruby up to 2.4.3 and is caused by the lazy_initialize function in lib/resolv.rb calling Kernel#open, which may allow command injection. The vulnerability can be triggered by a Resolv::Hosts::new argument that begins with a leading '|' character. The description notes this i...

CVSS 9.8 | AI score 8.8 | EPSS 0.05913

Added 2017/01/06, 9:00 p.m.

CVE-2016-2339

CVE-2016-2339 involves an exploitable heap overflow in Ruby’s Fiddle::Function.new initialize. The heap buffer arg_types allocation is sized based on the length of the args array; a specially crafted object inside the args array can increase the array size after allocation, causing a heap overflo...

CVSS 9.8 | AI score 7.5 | EPSS 0.05187

Added 2017/01/06, 9:00 p.m.

CVE-2016-2337

CVE-2016-2337 covers a type confusion in Ruby’s TclTkIp._cancel_eval method. An attacker could cause arbitrary code execution by passing a non-String as the retval argument. Public advisories (e.g., MiracleLinux AXSA-2025-10964:04) reference this CVE and note a fix to prevent the type confusion; t...

CVSS 9.8 | AI score 8.7 | EPSS 0.06204

Added 2017/06/12, 8:00 p.m.

CVE-2015-9096

CVE-2015-9096 affects Net::SMTP in Ruby prior to 2.4.0, allowing SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands, demonstrated around a DATA substring. The vulnerability applies to Ruby’s Net::SMTP implementation and, per the initial description, is fixed in Ruby 2.4.0 ...

CVSS 6.1 | AI score 6.8 | EPSS 0.03645

Added 2017/03/29, 2:00 p.m.

CVE-2009-5147

CVE-2009-5147 affects Ruby’s DL::dlopen by allowing libraries with tainted names to be opened on several Ruby releases (1.8, 1.9.x, 2.0.0 pre-patch 648, and 2.1 pre-2.1.8). Connected materials document a regression in later Ruby/fiddle handling (CVE-2015-7551) that ties back to this regression an...

CVSS 7.5 | AI score 7.1 | EPSS 0.07766

Added 2017/09/06, 9:00 p.m.

CVE-2014-6438

CVE-2014-6438: The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service via a crafted string, due to catastrophic regular expression backtracking and related resource consumption or application crash. The issue affects Ruby versions p...

CVSS 7.5 | AI score 7.2 | EPSS 0.04128

Added 2017/01/06, 9:00 p.m.

CVE-2016-2336

CVE-2016-2336: Type confusion exists in two methods of Ruby’s WIN32OLE class, ole_invoke and ole_query_interface. Attacker-supplied objects of unexpected types can trigger arbitrary code execution, as noted in multiple connected records. The vulnerability affects Ruby’s WIN32OLE interactions, w...

CVSS 9.8 | AI score 9.6 | EPSS 0.03291

Added 2017/07/19, 9:00 p.m.

CVE-2017-11465

CVE-2017-11465 concerns Ruby 2.4.1’s UTF-8 parser. The vulnerability lies in the function parser_yyerror (related to parser_tokadd_utf8 in parse.y), which can be triggered by a crafted script to cause a denial of service via invalid read/write and may have other impact, including potential bypass...

CVSS 9.8 | AI score 9.7 | EPSS 0.01677

Added 2017/04/03, 5:44 a.m.

CVE-2017-6181

The CVE-2017-6181 entry corresponds to an unbounded recursion flaw in the Onigmo (Oniguruma-mod) regular expression library’s parse_char_class function (regparse.c) used by Ruby 2.4.0. A crafted regular expression can cause a remote attacker to trigger deep recursion and a potential application c...

CVSS 7.5 | AI score 7.1 | EPSS 0.03647