Vulmon
Recent Vulnerabilities
Research Posts
Trends
Blog
About
Contact
Vulmon Alerts
By Relevance
By Risk Score
By Publish Date
rubygems vulnerabilities and exploits
(subscribe to this query)
NA
CVE-2007-0469
The extract_files function in installer.rb in RubyGems prior to 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote malicious users to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM p...
Rubyforge Rubygems 0.8.11
Rubyforge Rubygems
7.5
CVSSv3
CVE-2019-8321
An issue exists in RubyGems 2.6 and later up to and including 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
Rubygems Rubygems
Debian Debian Linux 9.0
Opensuse Leap 15.0
Opensuse Leap 15.1
7.5
CVSSv3
CVE-2019-8322
An issue exists in RubyGems 2.6 and later up to and including 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
Rubygems Rubygems
Debian Debian Linux 9.0
Opensuse Leap 15.0
Opensuse Leap 15.1
7.5
CVSSv3
CVE-2019-8323
An issue exists in RubyGems 2.6 and later up to and including 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
Rubygems Rubygems
Debian Debian Linux 9.0
Opensuse Leap 15.0
Opensuse Leap 15.1
7.5
CVSSv3
CVE-2019-8325
An issue exists in RubyGems 2.6 and later up to and including 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)
Rubygems Rubygems
Opensuse Leap 15.0
Opensuse Leap 15.1
Debian Debian Linux 9.0
7.5
CVSSv3
CVE-2022-29176
Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was possible for any RubyGems.org user to remove and replace certain gems even if that user was not authorized to do so. To be vulnerable, a gem needed: one...
Rubygems Rubygems.org -
1 Github repository
7.5
CVSSv3
CVE-2022-29218
RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accepts gem uploads allowed some gems (with platforms ending in numbers, like `arm64-darwin-21`) to be temporarily replaced in the CDN cache by a malicious...
Rubygems Rubygems.org -
9.8
CVSSv3
CVE-2024-21654
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from account takeover in the case of email account takeover. However, a workaround on the forgotten password form allows an malicious user to bypass the ...
Rubygems Rubygems.org
7.5
CVSSv3
CVE-2023-40165
rubygems.org is the Ruby community's primary gem (library) hosting service. Insufficient input validation allowed malicious actors to replace any uploaded gem version that had a platform, version number, or gem name matching `/-\d/`, permanently replacing the legitimate uplo...
Rubygems Rubygems.org
8.8
CVSSv3
CVE-2019-8324
An issue exists in RubyGems 2.6 and later up to and including 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinsta...
Rubygems Rubygems
Debian Debian Linux 9.0
Opensuse Leap 15.0
Opensuse Leap 15.1
Redhat Enterprise Linux 8.0
CVSSv3
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2022-48693
CVE-2024-30851
CVE-2024-34460
CVE-2024-2887
local
CVE-2024-27956
remote code execution
CVE-2024-34475
privilege
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started
« PREV
1
2
3
4
NEXT »