Vulnerabilities > Ruby Lang

DATE CVE VULNERABILITY TITLE RISK
2021-08-01 CVE-2021-32066 Inadequate Encryption Strength vulnerability in Ruby-Lang Ruby
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
network
ruby-lang CWE-326
5.8
2021-07-30 CVE-2021-31799 Command Injection vulnerability in multiple products
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
4.4
2021-07-30 CVE-2021-28966 Path Traversal vulnerability in Ruby-Lang Ruby
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
network
low complexity
ruby-lang CWE-22
5.0
2021-07-13 CVE-2021-31810 Exposure of Resource to Wrong Sphere vulnerability in multiple products
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1.
network
low complexity
ruby-lang debian CWE-668
5.0
2021-04-21 CVE-2021-28965 XXE vulnerability in multiple products
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues.
network
low complexity
ruby-lang fedoraproject CWE-611
5.0
2020-10-06 CVE-2020-25613 HTTP Request Smuggling vulnerability in multiple products
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1.
network
low complexity
ruby-lang fedoraproject CWE-444
5.0
2020-05-04 CVE-2020-10933 Information Exposure vulnerability in Ruby-Lang Ruby
An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0.
network
low complexity
ruby-lang CWE-200
5.0
2020-02-28 CVE-2020-5247 Injection vulnerability in multiple products
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e.
network
low complexity
puma ruby-lang CWE-74
5.0
2020-02-24 CVE-2020-8130 OS Command Injection vulnerability in multiple products
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
6.9
2019-11-29 CVE-2015-1855 Improper Input Validation vulnerability in multiple products
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
4.3