Vulnerabilities > Ruby Lang

DATE CVE VULNERABILITY TITLE RISK
2017-12-15 CVE-2017-17405 OS Command Injection vulnerability in multiple products
Ruby before 2.4.3 allows Net::FTP command injection.
network
low complexity
ruby-lang debian redhat CWE-78
8.8
2017-09-19 CVE-2017-14033 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ruby-Lang Ruby
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
network
low complexity
ruby-lang CWE-119
7.5
2017-09-19 CVE-2017-10784 Improper Authentication vulnerability in Ruby-Lang Ruby
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
network
low complexity
ruby-lang CWE-287
8.8
2017-09-15 CVE-2017-0898 Use of Externally-Controlled Format String vulnerability in Ruby-Lang Ruby
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value.
network
low complexity
ruby-lang CWE-134
critical
9.1
2017-09-06 CVE-2014-6438 Resource Management Errors vulnerability in Ruby-Lang Ruby
The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
network
low complexity
ruby-lang CWE-399
7.5
2017-08-31 CVE-2017-14064 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call.
network
low complexity
ruby-lang debian canonical redhat CWE-119
critical
9.8
2017-07-19 CVE-2017-11465 Out-of-bounds Write vulnerability in Ruby-Lang Ruby 2.4.1
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y.
network
low complexity
ruby-lang CWE-787
critical
9.8
2017-06-12 CVE-2015-9096 CRLF Injection vulnerability in Ruby-Lang Ruby
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
network
low complexity
ruby-lang CWE-93
6.1
2017-05-24 CVE-2017-9229 NULL Pointer Dereference vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project ruby-lang php CWE-476
7.5
2017-05-24 CVE-2017-9225 Out-of-bounds Write vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project ruby-lang php CWE-787
critical
9.8