Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
ruby-lang vulnerabilities and exploits
(subscribe to this query)
445
VMScore
CVE-2020-10933
An issue exists in Ruby 2.5.x up to and including 2.5.7, 2.6.x up to and including 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size, but no data is copied. Thus, the bu...
Ruby-lang Ruby
Ruby-lang Ruby 2.7.0
Fedoraproject Fedora 31
Debian Debian Linux 10.0
445
VMScore
CVE-2015-3900
RubyGems 2.0.x prior to 2.0.16, 2.2.x prior to 2.2.4, and 2.4.x prior to 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote malicious users to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hij...
Ruby-lang Ruby 2.1.1
Ruby-lang Ruby 2.1.2
Ruby-lang Ruby 1.9.3
Ruby-lang Ruby 2.0.0
Ruby-lang Ruby 2.1
Ruby-lang Ruby 1.9.1
Ruby-lang Ruby 1.9.2
Ruby-lang Ruby 2.1.5
Ruby-lang Ruby 2.2.0
Ruby-lang Ruby 1.9
Ruby-lang Ruby 2.1.3
Ruby-lang Ruby 2.1.4
Rubygems Rubygems 2.0.1
Rubygems Rubygems 2.0.2
Rubygems Rubygems 2.0.3
Rubygems Rubygems 2.0.10
Rubygems Rubygems 2.0.11
Rubygems Rubygems 2.2.2
Rubygems Rubygems 2.2.3
Rubygems Rubygems 2.0.4
Rubygems Rubygems 2.0.5
Rubygems Rubygems 2.0.12
1 Github repository
1 Article
NA
CVE-2021-33621
The cgi gem prior to 0.1.0.2, 0.2.x prior to 0.2.2, and 0.3.x prior to 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
Ruby-lang Cgi
Fedoraproject Fedora 35
Fedoraproject Fedora 36
Fedoraproject Fedora 37
Ruby-lang Ruby
383
VMScore
CVE-2015-9096
Net::SMTP in Ruby prior to 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Ruby-lang Ruby
445
VMScore
CVE-2014-6438
The URI.decode_www_form_component method in Ruby prior to 1.9.2-p330 allows remote malicious users to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
Ruby-lang Ruby
187
VMScore
CVE-2013-1945
ruby193 uses an insecure LD_LIBRARY_PATH setting.
Ruby-lang Ruby193 -
668
VMScore
CVE-2011-4121
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on stron...
Ruby-lang Ruby
NA
CVE-2023-36617
A ReDoS issue exists in the URI component prior to 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exist...
Ruby-lang Uri
1 Github repository
445
VMScore
CVE-2021-28966
In Ruby up to and including 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
Ruby-lang Ruby
668
VMScore
CVE-2022-28738
A double free was found in the Regexp compiler in Ruby 3.x prior to 3.0.4 and 3.1.x prior to 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.
Ruby-lang Ruby
VMScore
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-3581
reflected XSS
CVE-2024-26925
CVE-2024-27956
LFI
CVE-2024-3607
CVE-2024-3107
CVE-2024-3295
SQL
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
5
6
7
8
9
NEXT »