Search CVE reports
51 – 60 of 68 results
CVE-2017-0898
Medium prioritySome fixes available 4 of 5
Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or...
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | Not in release | Not in release |
ruby2.0 | — | — | — | Not in release | Not in release |
ruby2.3 | — | — | — | Not in release | Fixed |
CVE-2014-6438
Low priorityThe URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.
7 affected packages
ruby1.8, ruby1.9, ruby1.9.1, ruby2.0, ruby2.1...
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.1 | — | — | — | — | Not in release |
ruby2.2 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2017-14064
Low prioritySome fixes available 4 of 5
Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a...
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | Not in release | Not in release |
ruby2.0 | — | — | — | Not in release | Not in release |
ruby2.3 | — | — | — | Not in release | Fixed |
CVE-2017-0902
Medium prioritySome fixes available 3 of 19
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-0901
Medium prioritySome fixes available 4 of 20
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-0900
Negligible prioritySome fixes available 2 of 19
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-0899
Negligible prioritySome fixes available 2 of 19
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
4 affected packages
jruby, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
jruby | Needs evaluation | — | Vulnerable | Vulnerable | Vulnerable |
ruby1.9.1 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.0 | Not in release | Not in release | Not in release | Not in release | Not in release |
ruby2.3 | Not in release | Not in release | Not in release | Not in release | Fixed |
CVE-2017-11465
Medium priorityThe parser_yyerror function in the UTF-8 parser in Ruby 2.4.1 allows attackers to cause a denial of service (invalid write or read) or possibly have unspecified other impact via a crafted Ruby script, related to...
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |
CVE-2015-9096
Medium prioritySome fixes available 4 of 5
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
3 affected packages
ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Fixed |
CVE-2017-6181
Medium priorityThe parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a...
4 affected packages
ruby1.8, ruby1.9.1, ruby2.0, ruby2.3
Package | 24.04 LTS | 22.04 LTS | 20.04 LTS | 18.04 LTS | 16.04 LTS |
---|---|---|---|---|---|
ruby1.8 | — | — | — | — | Not in release |
ruby1.9.1 | — | — | — | — | Not in release |
ruby2.0 | — | — | — | — | Not in release |
ruby2.3 | — | — | — | — | Not affected |