Vulnerabilities > Ruby Lang > Ruby > 2.4.1

DATE CVE VULNERABILITY TITLE RISK
2017-12-20 CVE-2017-17790 Injection vulnerability in Ruby-Lang Ruby
The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405.
network
low complexity
ruby-lang CWE-74
critical
 9.8
9.8
2017-12-15 CVE-2017-17405 OS Command Injection vulnerability in multiple products
Ruby before 2.4.3 allows Net::FTP command injection.
network
low complexity
ruby-lang debian redhat CWE-78
8.8
8.8
2017-09-19 CVE-2017-14033 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Ruby-Lang Ruby
The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.
network
low complexity
ruby-lang CWE-119
7.5
7.5
2017-09-19 CVE-2017-10784 Improper Authentication vulnerability in Ruby-Lang Ruby
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
network
low complexity
ruby-lang CWE-287
8.8
8.8
2017-09-15 CVE-2017-0898 Use of Externally-Controlled Format String vulnerability in Ruby-Lang Ruby
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value.
network
low complexity
ruby-lang CWE-134
critical
 9.1
9.1
2017-08-31 CVE-2017-14064 Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call.
network
low complexity
ruby-lang debian canonical redhat CWE-119
critical
 9.8
9.8
2017-07-19 CVE-2017-11465 Out-of-bounds Write vulnerability in Ruby-Lang Ruby 2.4.1
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to the parser_tokadd_utf8 function in parse.y.
network
low complexity
ruby-lang CWE-787
critical
 9.8
9.8