Vulnerabilities > Ruby Lang
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-04-21 | CVE-2021-28965 | The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. | 7.5 |
2020-10-06 | CVE-2020-25613 | HTTP Request Smuggling vulnerability in multiple products An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. | 7.5 |
2020-05-04 | CVE-2020-10933 | Use of Uninitialized Resource vulnerability in multiple products An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. | 5.3 |
2020-02-28 | CVE-2020-5247 | In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. | 7.5 |
2020-02-24 | CVE-2020-8130 | OS Command Injection vulnerability in multiple products There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`. | 6.4 |
2019-11-29 | CVE-2015-1855 | Improper Input Validation vulnerability in multiple products verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. | 5.9 |
2019-11-26 | CVE-2019-16255 | Code Injection vulnerability in multiple products Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. | 8.1 |
2019-11-26 | CVE-2019-16254 | Injection vulnerability in multiple products Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. | 5.3 |
2019-11-26 | CVE-2019-16201 | Improper Authentication vulnerability in multiple products WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. | 7.5 |
2019-11-26 | CVE-2019-15845 | Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions. | 6.5 |