Vulnerabilities > Ruby Lang > Ruby > 2.1.5

DATE CVE VULNERABILITY TITLE RISK
2018-04-03 CVE-2018-8780 Path Traversal vulnerability in Ruby-Lang Ruby
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters.
network
low complexity
ruby-lang canonical debian CWE-22
7.5
7.5
2017-09-19 CVE-2017-10784 Improper Authentication vulnerability in Ruby-Lang Ruby
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
network
ruby-lang CWE-287
critical
 9.3
9.3
2017-08-31 CVE-2017-14064 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ruby-Lang Ruby
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call.
network
low complexity
ruby-lang debian canonical redhat CWE-119
7.5
7.5
2017-03-29 CVE-2009-5147 Improper Input Validation vulnerability in Ruby-Lang Ruby
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
network
low complexity
ruby-lang CWE-20
7.5
7.5
2016-03-24 CVE-2015-7551 Improper Input Validation vulnerability in multiple products
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library.
local
low complexity
apple ruby-lang CWE-20
4.6
4.6
2015-06-24 CVE-2015-3900 7PK - Security Features vulnerability in multiple products
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
network
low complexity
ruby-lang rubygems oracle redhat CWE-254
5.0
5.0