Search CVE reports
41 – 50 of 57 results
CVE-2017-0899
Negligible prioritySome fixes available 2 of 20
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-11465
Medium priorityThe parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to...
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2015-9096
Medium prioritySome fixes available 4 of 5
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Fixed |
CVE-2017-6181
Medium priorityThe parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a...
4 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2009-5147
Low prioritySome fixes available 1 of 5
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
6 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.1 | — | — | — | — | Not in release |
ruby2.2 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2016-7798
Low prioritySome fixes available 5 of 16
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
7 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.3...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
ruby-attr-encrypted | Not affected | Not affected | Not affected | Not in release | Vulnerable |
ruby-encryptor | Not affected | Not affected | Not affected | Not in release | Vulnerable |
CVE-2016-2339
Low prioritySome fixes available 2 of 4
An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length....
4 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2016-2337
Negligible prioritySome fixes available 2 of 4
Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.
4 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2015-7551
Low prioritySome fixes available 1 of 6
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which...
5 affected packages
ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.1 | — | — | — | — | Not in release |
ruby2.2 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2015-1855
Low prioritySome fixes available 2 of 11
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors...
6 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.1 | — | — | — | — | Not in release |
ruby2.2 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |