Vulnerabilities > Ruby Lang

DATE CVE VULNERABILITY TITLE RISK
2019-11-26 CVE-2011-4121 Inadequate Encryption Strength vulnerability in Ruby-Lang Ruby
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation.
network
low complexity
ruby-lang CWE-326
critical
9.8
2019-11-26 CVE-2011-3624 Injection vulnerability in Ruby-Lang Ruby 1.8.7/1.9.2
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
network
low complexity
ruby-lang CWE-74
5.3
2019-10-31 CVE-2013-1945 Inclusion of Functionality from Untrusted Control Sphere vulnerability in Ruby-Lang Ruby193
ruby193 uses an insecure LD_LIBRARY_PATH setting.
local
low complexity
ruby-lang CWE-829
3.3
2019-05-10 CVE-2019-11879 Link Following vulnerability in Ruby-Lang Webrick 1.4.2
The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory.
local
low complexity
ruby-lang CWE-59
5.5
2018-11-16 CVE-2018-16396 An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3.
network
high complexity
ruby-lang canonical debian redhat
8.1
2018-11-16 CVE-2018-16395 An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3.
network
low complexity
ruby-lang canonical debian redhat
critical
9.8
2018-04-03 CVE-2018-8780 Path Traversal vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters.
network
low complexity
ruby-lang canonical debian CWE-22
critical
9.1
2018-04-03 CVE-2018-8779 Improper Input Validation vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters.
network
low complexity
ruby-lang canonical debian CWE-20
7.5
2018-04-03 CVE-2018-8778 Use of Externally-Controlled Format String vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.
network
low complexity
ruby-lang canonical debian redhat CWE-134
7.5
2018-04-03 CVE-2018-8777 Resource Exhaustion vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
network
low complexity
ruby-lang debian canonical redhat CWE-400
7.5