Vulnerabilities > Ruby Lang
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-04-25 | CVE-2013-1933 | OS Command Injection vulnerability in Documentcloud Karteek-Docsplit 0.5.4 The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. | 9.3 |
| 2013-04-25 | CVE-2013-0233 | Resource Management Errors vulnerability in multiple products Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. | 6.8 |
| 2013-04-25 | CVE-2012-4466 | Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. | 5.0 |
| 2013-04-25 | CVE-2012-4464 | Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby 1.9.3/2.0/2.0.0 Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. | 5.0 |
| 2013-04-09 | CVE-2013-1821 | Improper Input Validation vulnerability in Ruby-Lang Ruby lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. | 5.0 |
| 2013-04-03 | CVE-2013-1911 | Improper Input Validation vulnerability in Mark Burns Ldoce 0.0.2 lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name. | 6.8 |
| 2013-03-20 | CVE-2013-1655 | Improper Input Validation vulnerability in multiple products Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Per http://www.ubuntu.com/usn/usn-1759-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 " | 7.5 |
| 2013-03-01 | CVE-2013-0256 | Cross-site Scripting vulnerability in multiple products darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. | 4.3 |
| 2012-11-28 | CVE-2012-5371 | Cryptographic Issues vulnerability in Ruby-Lang Ruby Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815. | 5.0 |
| 2012-11-24 | CVE-2012-4522 | Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby 1.9.3/2.0.0 The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path. | 5.0 |