Search CVE reports
41 – 50 of 86 results
CVE-2017-14064
Low priority. Some fixes available (4 of 5)
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a...
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | Not in release | Not in release |
ruby2.0 | — | — | — | Not in release | Not in release |
ruby2.3 | — | — | — | Not in release | Fixed |
CVE-2017-0902
Medium priority. Some fixes available (3 of 20)
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-0901
Medium priority. Some fixes available (4 of 21)
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-0900
Negligible priority. Some fixes available (2 of 20)
RubyGems version 2.6.12 and earlier allows maliciously crafted gem specifications to cause a denial of service against RubyGems clients that have issued a `query` command.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-0899
Negligible priority. Some fixes available (2 of 20)
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
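CVE-2017-0901 and CVE-2017-0899 are both cases of a gem client trusting fields from a remote gemspec: an unvalidated name can steer the install path outside the gem directory, and an unsanitised field can carry terminal escape sequences into the user's terminal. The following is an added example, not RubyGems' own code, of the two checks a client needs before using those fields. The name regex, the install-path layout, and the escape-stripping patterns are this example's own assumptions.

```ruby
# Added example (not RubyGems code): validate a spec name before using it in a
# path, and strip terminal escapes before printing spec fields.

# A spec name must be a plain identifier: no path separators, no "..", no
# leading dot. Assumed rule for this example; real clients may be stricter.
GEM_NAME_RE = /\A[A-Za-z0-9][A-Za-z0-9_.\-]*\z/

def valid_gem_name?(name)
  return false unless name.is_a?(String) && name.match?(GEM_NAME_RE)
  !name.include?('..')
end

# Defence in depth: even with a name that passed the regex, resolve the final
# path and refuse anything that would land outside the install directory.
def install_path(install_dir, name, version)
  raise ArgumentError, "bad gem name: #{name.inspect}" unless valid_gem_name?(name)
  unless version.is_a?(String) && version.match?(/\A[0-9]+(\.[0-9A-Za-z]+)*\z/)
    raise ArgumentError, "bad version: #{version.inspect}"
  end
  base   = File.expand_path(install_dir)
  target = File.expand_path("#{name}-#{version}", base)
  unless target.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "path escapes #{base}: #{target}"
  end
  target
end

# Terminal escape handling for fields a client prints (summary, description,
# author ...). CSI sequences such as "\e[2J" (clear screen) and OSC sequences
# such as "\e]0;title\a" (set window title) are removed, then any remaining
# C0/C1 control characters except tab and newline.
CSI_RE = /\e\[[0-?]*[ -\/]*[@-~]/
OSC_RE = /\e\][^\a\e]*(?:\a|\e\\)/
CTRL_RE = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f\u0080-\u009f]/

def display_safe(field)
  field.to_s.gsub(OSC_RE, '').gsub(CSI_RE, '').gsub(CTRL_RE, '')
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs in the shape a malicious gemspec would carry.
  puts install_path('/opt/gems', 'rails', '5.1.3')
  puts valid_gem_name?('../../../etc/cron.d/evil') ? 'accepted' : 'rejected'
  puts display_safe("nice gem\e[2J\e[H\e]0;pwned\a").inspect
end
```

The path check is the one that actually stops the overwrite: a name that slips past the regex still cannot produce a target outside `install_dir`, because `File.expand_path` collapses any `..` segments before the prefix test runs.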
CVE-2017-11465
Medium priority
The parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to...
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2015-9096
Medium priority. Some fixes available (4 of 5)
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in an RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Fixed |
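The injection works because SMTP is a line protocol: whatever the client puts inside `RCPT TO:<...>` goes on the wire verbatim, so a CR LF pair inside the address ends the command early and the rest is read by the server as new commands. The following is an added example, not Ruby's Net::SMTP source, that builds the command lines a client would send (no network connection is made), shows how a constructed malicious recipient splits into several commands, and applies the check the fix relies on, rejecting CR and LF before the value reaches the wire. Function names are this example's own.

```ruby
# Added example (not Net::SMTP code): SMTP command lines as a client sends
# them, a constructed CRLF-injecting recipient, and the hardening check.

# Command lines in the RFC 5321 shape Net::SMTP writes; the address is
# interpolated unchanged, which is the whole problem.
def mail_from_line(addr)
  "MAIL FROM:<#{addr}>\r\n"
end

def rcpt_to_line(addr)
  "RCPT TO:<#{addr}>\r\n"
end

# How the server sees a raw stream: one command per CRLF-terminated line.
def commands_in(stream)
  stream.split("\r\n")
end

# Hardened: refuse any argument carrying CR or LF. Applied to every address
# (and, for the same reason, to any header value a caller builds).
def validate_smtp_line!(value)
  if value.match?(/[\r\n]/)
    raise ArgumentError, "SMTP argument must not contain CR or LF: #{value.inspect}"
  end
  value
end

def safe_rcpt_to_line(addr)
  rcpt_to_line(validate_smtp_line!(addr))
end

def safe_mail_from_line(addr)
  mail_from_line(validate_smtp_line!(addr))
end

# Constructed attacker input: closes the RCPT command, injects a DATA block
# with its own headers and body, then re-opens a RCPT so the client's
# closing ">\r\n" still parses.
INJECTED_RCPT = "victim@example.com>\r\nDATA\r\nSubject: spoofed\r\n\r\nspam body\r\n.\r\nRCPT TO:<x@example.com"

if $PROGRAM_NAME == __FILE__
  puts 'What the server would parse from the unchecked address:'
  commands_in(rcpt_to_line(INJECTED_RCPT)).each { |c| puts "  #{c.inspect}" }
  begin
    safe_rcpt_to_line(INJECTED_RCPT)
  rescue ArgumentError => e
    puts "Hardened path: #{e.message}"
  end
end
```

On a patched Ruby the library itself performs this rejection; the wrapper still belongs in application code so that addresses taken from user input fail closed at the boundary rather than deep inside the mail stack.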
CVE-2017-6181
Medium priority
The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a...
4 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2009-5147
Low priority. Some fixes available (1 of 5)
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
6 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.1 | — | — | — | — | Not in release |
ruby2.2 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2016-7798
Low priority. Some fixes available (5 of 16)
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
7 affected packages
ruby-attr-encrypted, ruby-encryptor, ruby1.8, ruby1.9.1, ruby2.0...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby-attr-encrypted | Not affected | Not affected | Not affected | Not in release | Vulnerable |
ruby-encryptor | Not affected | Not affected | Not affected | Not in release | Vulnerable |
ruby1.8 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
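Why an IV reused under one key "bypasses the encryption": GCM is CTR mode with a tag, so the keystream depends only on the key and the IV. Two messages encrypted under the same (key, IV) XOR to the XOR of their plaintexts, and one known plaintext then reveals the other. The following is an added example, not the openssl gem's or the ruby-encryptor/attr_encrypted projects' code. It uses the safe order (key set before IV), wraps encryption with a fresh random nonce per message, and includes a function that checks whether two ciphertexts exhibit the keystream leak. Keys, IVs and messages are constructed for the example.

```ruby
# Added example (not openssl gem code): safe AES-GCM usage and a
# demonstration of what IV reuse under one key gives an attacker.
require 'openssl'
require 'securerandom'

ALG = 'aes-256-gcm'

# Set the key BEFORE the IV. On the affected gem versions the reverse order
# silently left the IV at its default, so every message shared one IV.
def gcm_encrypt(key, iv, plaintext, aad = '')
  c = OpenSSL::Cipher.new(ALG)
  c.encrypt
  c.key = key
  c.iv = iv                        # 12-byte nonce, unique per message under this key
  c.auth_data = aad unless aad.empty?
  ct = c.update(plaintext) + c.final
  [ct, c.auth_tag]                 # 16-byte tag
end

def gcm_decrypt(key, iv, ct, tag, aad = '')
  c = OpenSSL::Cipher.new(ALG)
  c.decrypt
  c.key = key
  c.iv = iv
  c.auth_tag = tag
  c.auth_data = aad unless aad.empty?
  c.update(ct) + c.final           # raises OpenSSL::Cipher::CipherError on a bad tag
end

# Safe wrapper: a fresh random nonce per message, returned with the output so
# the caller never has to manage IVs by hand.
def seal(key, plaintext)
  iv = SecureRandom.random_bytes(12)
  ct, tag = gcm_encrypt(key, iv, plaintext)
  [iv, ct, tag]
end

def xor_bytes(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# True when the keystream has leaked: for equal-length plaintexts encrypted
# under the same key and the same IV, ct1 ^ ct2 == pt1 ^ pt2. With distinct
# IVs the keystreams differ and the relation does not hold.
def keystream_leaks?(key, iv1, iv2, pt1, pt2)
  ct1, = gcm_encrypt(key, iv1, pt1)
  ct2, = gcm_encrypt(key, iv2, pt2)
  xor_bytes(ct1, ct2) == xor_bytes(pt1, pt2)
end

# Given the leak and one known plaintext, recover the other.
def recover_other_plaintext(ct1, ct2, known_pt1)
  xor_bytes(xor_bytes(ct1, ct2), known_pt1)
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.random_bytes(32)
  iv  = SecureRandom.random_bytes(12)
  ct1, = gcm_encrypt(key, iv, 'attack at dawn!!')
  ct2, = gcm_encrypt(key, iv, 'retreat at dusk!')
  puts recover_other_plaintext(ct1, ct2, 'attack at dawn!!')   # second message, no key needed
end
```

The authentication tag does not help here: the leak is in the confidentiality half of GCM, and the attacker only reads ciphertexts, never submits forged ones. The only fix is to guarantee nonce uniqueness per key, which is what `seal` does and what the affected gem versions failed to do when the IV was assigned first.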