Vulnerabilities > Ruby Lang
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2019-05-10 | CVE-2019-11879 | Link Following vulnerability in Ruby-Lang Webrick 1.4.2 The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. | 5.5 |
2018-11-16 | CVE-2018-16396 | An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. | 8.1 |
2018-11-16 | CVE-2018-16395 | An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3. | 9.8 |
2018-04-03 | CVE-2018-8780 | Path Traversal vulnerability in multiple products In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters. | 9.1 |
2018-04-03 | CVE-2018-8779 | Improper Input Validation vulnerability in multiple products In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters. | 7.5 |
2018-04-03 | CVE-2018-8778 | Use of Externally-Controlled Format String vulnerability in multiple products In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure. | 7.5 |
2018-04-03 | CVE-2018-8777 | Resource Exhaustion vulnerability in multiple products In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption). | 7.5 |
2018-04-03 | CVE-2018-6914 | Path Traversal vulnerability in multiple products Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a .. | 7.5 |
2018-04-03 | CVE-2017-17742 | HTTP Response Splitting vulnerability in multiple products Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. | 5.3 |
2017-12-20 | CVE-2017-17790 | Injection vulnerability in Ruby-Lang Ruby The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. | 9.8 |