Vulnerabilities > Ruby Lang > Ruby > 2.6.0

DATE CVE VULNERABILITY TITLE RISK
2020-02-28 CVE-2020-5247 In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e.
network
low complexity
ruby-lang puma debian fedoraproject
7.5
7.5
2019-11-26 CVE-2019-16255 Code Injection vulnerability in multiple products
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data.
network
high complexity
ruby-lang debian opensuse oracle CWE-94
8.1
8.1
2019-11-26 CVE-2019-16254 Injection vulnerability in multiple products
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting.
network
low complexity
ruby-lang debian CWE-74
5.3
5.3
2019-11-26 CVE-2019-16201 Improper Authentication vulnerability in multiple products
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking.
network
low complexity
ruby-lang debian CWE-287
7.5
7.5
2019-11-26 CVE-2019-15845 Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.
network
low complexity
ruby-lang canonical
6.5
6.5
2018-11-16 CVE-2018-16396 An issue was discovered in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3.
network
high complexity
ruby-lang canonical debian redhat
8.1
8.1
2018-11-16 CVE-2018-16395 An issue was discovered in the OpenSSL library in Ruby before 2.3.8, 2.4.x before 2.4.5, 2.5.x before 2.5.2, and 2.6.x before 2.6.0-preview3.
network
low complexity
ruby-lang canonical debian redhat
critical
 9.8
9.8
2018-04-03 CVE-2018-8780 Path Traversal vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the Dir.open, Dir.new, Dir.entries and Dir.empty? methods do not check NULL characters.
network
low complexity
ruby-lang canonical debian CWE-22
critical
 9.1
9.1
2018-04-03 CVE-2018-8779 Improper Input Validation vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, the UNIXServer.open and UNIXSocket.open methods are not checked for null characters.
network
low complexity
ruby-lang canonical debian CWE-20
7.5
7.5
2018-04-03 CVE-2018-8778 Use of Externally-Controlled Format String vulnerability in multiple products
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker controlling the unpacking format (similar to format string vulnerabilities) can trigger a buffer under-read in the String#unpack method, resulting in a massive and controlled information disclosure.
network
low complexity
ruby-lang canonical debian redhat CWE-134
7.5
7.5