Vulnerabilities > Ruby Lang
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2017-04-03 | CVE-2017-6181 | Improper Input Validation vulnerability in Ruby-Lang Ruby 2.4.0 The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression. | 5.0 |
| 2017-03-29 | CVE-2009-5147 | Improper Input Validation vulnerability in Ruby-Lang Ruby DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. | 7.5 |
| 2017-01-30 | CVE-2016-7798 | Inadequate Encryption Strength vulnerability in multiple products The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism. | 5.0 |
| 2017-01-06 | CVE-2016-2339 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ruby-Lang Ruby 2.2.2/2.3.0 An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. | 7.5 |
| 2017-01-06 | CVE-2016-2337 | Remote Code Execution vulnerability in Ruby TclTkIp 'ip_cancel_eval()' Function Type Confusion Type confusion exists in _cancel_eval Ruby's TclTkIp class method. | 7.5 |
| 2017-01-06 | CVE-2016-2336 | Type Confusion Multiple Remote Code Execution vulnerability in Ruby 2.2.2/2.3.0 Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. | 7.5 |
| 2016-03-24 | CVE-2015-7551 | Improper Input Validation vulnerability in multiple products The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. | 4.6 |
| 2015-06-24 | CVE-2015-3900 | 7PK - Security Features vulnerability in multiple products RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." | 5.0 |
| 2014-11-21 | CVE-2014-8090 | Incomplete Fix XML External Entity Denial of Service vulnerability in Ruby The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. | 5.0 |
| 2014-11-15 | CVE-2014-4975 | Buffer Errors vulnerability in Ruby-Lang Ruby Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. | 5.0 |