Vulnerabilities > Ruby Lang

DATE CVE VULNERABILITY TITLE RISK
2017-09-15 CVE-2017-0898 Use of Externally-Controlled Format String vulnerability in Ruby-Lang Ruby
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value.
network
low complexity
ruby-lang CWE-134
6.4
2017-09-06 CVE-2014-6438 Resource Management Errors vulnerability in Ruby-Lang Ruby
The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
network
low complexity
ruby-lang CWE-399
5.0
2017-08-31 CVE-2017-14064 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ruby-Lang Ruby
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call.
network
low complexity
ruby-lang debian canonical redhat CWE-119
7.5
2017-07-19 CVE-2017-11465 Out-of-bounds Read vulnerability in Ruby-Lang Ruby 2.4.1
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y.
network
low complexity
ruby-lang CWE-125
7.5
2017-06-12 CVE-2015-9096 CRLF Injection vulnerability in Ruby-Lang Ruby
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
network
ruby-lang CWE-93
4.3
2017-05-24 CVE-2017-9229 NULL Pointer Dereference vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project ruby-lang php CWE-476
5.0
2017-05-24 CVE-2017-9225 Out-of-bounds Write vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project php ruby-lang CWE-787
7.5
2017-04-03 CVE-2017-6181 Improper Input Validation vulnerability in Ruby-Lang Ruby 2.4.0
The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression.
network
low complexity
ruby-lang CWE-20
5.0
2017-03-29 CVE-2009-5147 Improper Input Validation vulnerability in Ruby-Lang Ruby
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
network
low complexity
ruby-lang CWE-20
7.5
2017-01-30 CVE-2016-7798 Inadequate Encryption Strength vulnerability in multiple products
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
network
low complexity
ruby-lang debian CWE-326
5.0