Vulnerabilities > Ruby Lang
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2013-04-25 | CVE-2012-4464 | Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby 1.9.3/2.0/2.0.0 Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. | 5.0 |
| 2013-04-09 | CVE-2013-1821 | Improper Input Validation vulnerability in Ruby-Lang Ruby lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. | 5.0 |
| 2013-04-03 | CVE-2013-1911 | Improper Input Validation vulnerability in Mark Burns Ldoce 0.0.2 lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name. | 6.8 |
| 2013-03-20 | CVE-2013-1655 | Improper Input Validation vulnerability in multiple products Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Per http://www.ubuntu.com/usn/usn-1759-1/ "A security issue affects these releases of Ubuntu and its derivatives: Ubuntu 12.10 Ubuntu 12.04 LTS Ubuntu 11.10 " | 7.5 |
| 2013-03-01 | CVE-2013-0256 | Cross-site Scripting vulnerability in multiple products darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. | 4.3 |
| 2012-11-28 | CVE-2012-5371 | Cryptographic Issues vulnerability in Ruby-Lang Ruby Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815. | 5.0 |
| 2012-11-24 | CVE-2012-4522 | Permissions, Privileges, and Access Controls vulnerability in Ruby-Lang Ruby 1.9.3/2.0.0 The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path. | 5.0 |
| 2011-12-30 | CVE-2011-4815 | Improper Input Validation vulnerability in Ruby-Lang Ruby Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | 7.8 |
| 2011-08-05 | CVE-2011-3009 | Cryptographic Issues vulnerability in Ruby-Lang Ruby 1.8.6 Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. | 5.0 |
| 2011-08-05 | CVE-2011-2705 | Improper Input Validation vulnerability in Ruby-Lang Ruby The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID. | 5.0 |