Vulnerabilities > Ruby Lang > High

DATE CVE VULNERABILITY TITLE RISK
2021-07-30 CVE-2021-28966 Path Traversal vulnerability in Ruby-Lang Ruby
In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.
network
low complexity
ruby-lang CWE-22
7.5
2021-07-30 CVE-2021-31799 OS Command Injection vulnerability in multiple products
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
local
high complexity
debian ruby-lang oracle CWE-78
7.0
2021-04-21 CVE-2021-28965 The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues.
network
low complexity
ruby-lang fedoraproject
7.5
2020-10-06 CVE-2020-25613 HTTP Request Smuggling vulnerability in multiple products
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1.
network
low complexity
ruby-lang fedoraproject CWE-444
7.5
2020-02-28 CVE-2020-5247 In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e.
network
low complexity
ruby-lang puma debian fedoraproject
7.5
2019-11-26 CVE-2019-16255 Code Injection vulnerability in multiple products
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data.
network
high complexity
ruby-lang debian opensuse oracle CWE-94
8.1
2019-11-26 CVE-2019-16201 Improper Authentication vulnerability in multiple products
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking.
network
low complexity
ruby-lang debian CWE-287
7.5
2018-11-16 CVE-2018-16396 An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3.
network
high complexity
ruby-lang canonical debian redhat
8.1
2018-04-03 CVE-2018-8779 Improper Input Validation vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters.
network
low complexity
ruby-lang canonical debian CWE-20
7.5
2018-04-03 CVE-2018-8778 Use of Externally-Controlled Format String vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.
network
low complexity
ruby-lang canonical debian redhat CWE-134
7.5