Vulnerabilities > Ruby Lang > High

DATE CVE VULNERABILITY TITLE RISK
2018-04-03 CVE-2018-8777 Resource Exhaustion vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
network
low complexity
ruby-lang debian canonical redhat CWE-400
7.5
2018-04-03 CVE-2018-6914 Path Traversal vulnerability in multiple products
Directory traversal vulnerability in the Dir.mktmpdir method in the tmpdir library in Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 might allow attackers to create arbitrary directories or files via a ..
network
low complexity
ruby-lang canonical debian redhat CWE-22
7.5
2017-12-15 CVE-2017-17405 OS Command Injection vulnerability in multiple products
Ruby before 2.4.3 allows Net::FTP command injection.
network
low complexity
ruby-lang debian redhat CWE-78
8.8
2017-09-19 CVE-2017-14033 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ruby-Lang Ruby
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
network
low complexity
ruby-lang CWE-119
7.5
2017-09-19 CVE-2017-10784 Improper Authentication vulnerability in Ruby-Lang Ruby
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
network
low complexity
ruby-lang CWE-287
8.8
2017-09-06 CVE-2014-6438 Resource Management Errors vulnerability in Ruby-Lang Ruby
The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
network
low complexity
ruby-lang CWE-399
7.5
2017-05-24 CVE-2017-9229 NULL Pointer Dereference vulnerability in multiple products
An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5.
network
low complexity
oniguruma-project ruby-lang php CWE-476
7.5
2017-04-03 CVE-2017-6181 Improper Input Validation vulnerability in Ruby-Lang Ruby 2.4.0
The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a crafted regular expression.
network
low complexity
ruby-lang CWE-20
7.5
2017-03-29 CVE-2009-5147 Improper Input Validation vulnerability in Ruby-Lang Ruby
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
network
low complexity
ruby-lang CWE-20
7.3
2017-01-30 CVE-2016-7798 Inadequate Encryption Strength vulnerability in multiple products
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
network
low complexity
ruby-lang debian CWE-326
7.5