Filtered by vendor Ruby-lang Subscriptions
Total 119 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2011-2686 1 Ruby-lang 1 Ruby 2024-08-06 N/A
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.
CVE-2011-1005 2 Redhat, Ruby-lang 2 Enterprise Linux, Ruby 2024-08-06 N/A
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
CVE-2011-1004 2 Redhat, Ruby-lang 2 Enterprise Linux, Ruby 2024-08-06 N/A
The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
CVE-2011-0188 3 Apple, Redhat, Ruby-lang 4 Mac Os X, Mac Os X Server, Enterprise Linux and 1 more 2024-08-06 N/A
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
CVE-2012-5371 2 Redhat, Ruby-lang 2 Openshift, Ruby 2024-08-06 N/A
Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
CVE-2012-4522 2 Redhat, Ruby-lang 3 Enterprise Linux, Openshift, Ruby 2024-08-06 N/A
The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
CVE-2012-4481 2 Redhat, Ruby-lang 2 Enterprise Linux, Ruby 2024-08-06 N/A
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
CVE-2012-4464 2 Redhat, Ruby-lang 2 Openshift, Ruby 2024-08-06 N/A
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
CVE-2012-4466 2 Redhat, Ruby-lang 2 Openshift, Ruby 2024-08-06 N/A
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
CVE-2013-4413 2 Ruby-lang, Schneems 2 Ruby, Wicked 2024-08-06 N/A
Directory traversal vulnerability in controller/concerns/render_redirect.rb in the Wicked gem before 1.0.1 for Ruby allows remote attackers to read arbitrary files via a %2E%2E%2F (encoded dot dot slash) in the step.
CVE-2013-4363 2 Ruby-lang, Rubygems 2 Ruby, Rubygems 2024-08-06 N/A
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
CVE-2013-4287 3 Redhat, Ruby-lang, Rubygems 7 Enterprise Linux, Enterprise Mrg, Openshift and 4 more 2024-08-06 N/A
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
CVE-2013-4164 2 Redhat, Ruby-lang 6 Cloudforms Managementengine, Enterprise Linux, Openstack and 3 more 2024-08-06 N/A
Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse.
CVE-2013-4073 2 Redhat, Ruby-lang 4 Enterprise Linux, Openshift, Openstack and 1 more 2024-08-06 N/A
The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVE-2013-2119 3 Phusion, Redhat, Ruby-lang 3 Passenger, Openshift, Ruby 2024-08-06 N/A
Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
CVE-2013-2065 2 Opensuse, Ruby-lang 2 Opensuse, Ruby 2024-08-06 N/A
(1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions.
CVE-2013-1945 1 Ruby-lang 1 Ruby193 2024-08-06 3.3 Low
ruby193 uses an insecure LD_LIBRARY_PATH setting.
CVE-2013-1948 2 Rob Westgeest, Ruby-lang 2 Md2pdf, Ruby 2024-08-06 N/A
converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.
CVE-2013-1933 2 Documentcloud, Ruby-lang 2 Karteek-docsplit, Ruby 2024-08-06 N/A
The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.
CVE-2013-1911 2 Mark Burns, Ruby-lang 2 Ldoce, Ruby 2024-08-06 N/A
lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.