8 matches found
CVE-2018-16395
The CVE describes a bug in Ruby’s OpenSSL X509::Name equality check. Affected Ruby/OpenSSL versions are 2.3.x before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. When two OpenSSL::X509::Name objects are compared, depending on ordering, non-equal names may compar...
CVE-2017-17742
CVE-2017-17742 affects Ruby with WEBrick: HTTP Response Splitting via crafted headers in WEBrick, impacting Ruby versions: <2.2.10, 2.3.x <2.3.7, 2.4.x <2.4.4, 2.5.x
CVE-2018-8780
CVE-2018-8780 affects Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1. The flaw is in Dir.open, Dir.new, Dir.entries and Dir.empty? which do not check NULL characters, enabling unintentional directory traversal when these methods are used. Affect...
CVE-2018-16396
CVE-2018-16396 is a taint propagation issue in Ruby: certain formats used when unpacking tainted strings do not propagate taint correctly. Affected versions are Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. The root cause is that unpacked strings deri...
CVE-2018-6914
CVE-2018-6914 is a directory traversal vulnerability in Ruby’s tmpdir library (Dir.mktmpdir). The flaw allows an attacker to create arbitrary directories or files via a “..” in the prefix argument. Affected Ruby versions: before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, ...
CVE-2018-8778
CVE-2018-8778 affects Ruby prior to 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1. It describes a buffer under-read in String#unpack triggered by an attacker-controlled unpacking format, leading to massive information disclosure. Affected platforms include...
CVE-2018-8779
CVE-2018-8779 is a Ruby vulnerability in which UNIXServer.open and UNIXSocket.open did not check for NULL (NUL) bytes in the path, potentially creating an unintended socket. Public details in the provided documents show affected series include Ruby 2.2.x prior to 2.2.10, 2.3.x prior to 2.3.7, 2.4...
CVE-2018-8777
CVE-2018-8777 affects Ruby WEBrick: sending a large HTTP request or crafted body to WEBrick can cause memory-based denial of service. Affected Ruby branches include 2.2.x before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1. Mitigation is upgrading to the ...