Vulnerabilities > Rubygems > High

DATE CVE VULNERABILITY TITLE RISK
2018-03-13 CVE-2018-1000075 Infinite Loop vulnerability in multiple products
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop..
network
low complexity
rubygems debian CWE-835
7.5
7.5
2018-03-13 CVE-2018-1000074 Deserialization of Untrusted Data vulnerability in Rubygems
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution.
local
low complexity
rubygems CWE-502
7.8
7.8
2018-03-13 CVE-2018-1000073 Link Following vulnerability in Rubygems
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root.
network
low complexity
rubygems CWE-59
7.5
7.5
2017-08-31 CVE-2017-0902 Origin Validation Error vulnerability in multiple products
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
network
high complexity
rubygems debian canonical redhat CWE-346
8.1
8.1
2017-08-31 CVE-2017-0901 Improper Input Validation vulnerability in multiple products
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
network
low complexity
rubygems debian canonical redhat CWE-20
7.5
7.5
2017-08-31 CVE-2017-0900 Improper Input Validation vulnerability in multiple products
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
network
low complexity
rubygems debian redhat CWE-20
7.5
7.5