Vulnerabilities (CVE)

Join the Common Vulnerabilities and Exposures (CVE) community and start to get notified about new vulnerabilities.

Filtered by vendor Rubygems Subscribe
Total 33 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2013-4287 3 Redhat, Ruby-lang, Rubygems 3 Enterprise Linux, Ruby, Rubygems 2019-04-22 4.3 MEDIUM N/A
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
CVE-2015-3900 4 Oracle, Redhat, Ruby-lang and 1 more 4 Solaris, Enterprise Linux, Ruby and 1 more 2019-04-22 5.0 MEDIUM N/A
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
CVE-2018-1000079 1 Rubygems 1 Rubygems 2018-11-30 4.3 MEDIUM 5.5 MEDIUM
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6.
CVE-2013-0269 1 Rubygems 1 Json Gem 2017-12-08 7.5 HIGH N/A
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
CVE-2013-4363 2 Ruby-lang, Rubygems 2 Ruby, Rubygems 2017-12-08 4.3 MEDIUM N/A
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
CVE-2015-4020 2 Oracle, Rubygems 2 Solaris, Rubygems 2017-12-08 4.3 MEDIUM N/A
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.
CVE-2013-2616 1 Rubygems 1 Mini Magick 2017-11-29 7.5 HIGH N/A
lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2012-2125 3 Canonical, Redhat, Rubygems 3 Ubuntu Linux, Openshift, Rubygems 2014-01-13 5.8 MEDIUM N/A
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
CVE-2012-2126 3 Canonical, Redhat, Rubygems 3 Ubuntu Linux, Openshift, Rubygems 2014-01-13 4.3 MEDIUM N/A
RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
CVE-2012-2139 1 Rubygems 1 Mail Gem 2013-10-07 5.0 MEDIUM N/A
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
CVE-2013-1875 1 Rubygems 1 Command Wrap 2013-03-20 7.5 HIGH N/A
command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
CVE-2013-2615 1 Rubygems 1 Fastreader 2013-03-20 7.5 HIGH N/A
lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2012-2140 1 Rubygems 1 Mail Gem 2012-10-29 7.5 HIGH N/A
The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.