Vulnerabilities > Ruby Lang

DATE CVE VULNERABILITY TITLE RISK
2020-02-28 CVE-2020-5247 In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e.
network
low complexity
ruby-lang puma debian fedoraproject
7.5
2020-02-24 CVE-2020-8130 OS Command Injection vulnerability in multiple products
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
6.4
2019-11-29 CVE-2015-1855 Improper Input Validation vulnerability in multiple products
verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters.
network
high complexity
ruby-lang debian puppet CWE-20
5.9
2019-11-26 CVE-2019-16255 Code Injection vulnerability in multiple products
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data.
network
high complexity
ruby-lang debian opensuse oracle CWE-94
8.1
2019-11-26 CVE-2019-16254 Injection vulnerability in multiple products
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting.
network
low complexity
ruby-lang debian CWE-74
5.3
2019-11-26 CVE-2019-16201 Improper Authentication vulnerability in multiple products
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking.
network
low complexity
ruby-lang debian CWE-287
7.5
2019-11-26 CVE-2019-15845 Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
network
low complexity
ruby-lang canonical
6.5
2019-11-26 CVE-2011-4121 Inadequate Encryption Strength vulnerability in Ruby-Lang Ruby
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation.
network
low complexity
ruby-lang CWE-326
critical
9.8
2019-11-26 CVE-2011-3624 Injection vulnerability in Ruby-Lang Ruby 1.8.7/1.9.2
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
network
low complexity
ruby-lang CWE-74
5.3
2019-10-31 CVE-2013-1945 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Ruby-Lang Ruby193
ruby193 uses an insecure LD_LIBRARY_PATH setting.
local
low complexity
ruby-lang CWE-829
3.3