Filtered by vendor Rubygems Subscriptions
Total 35 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2017-0901 4 Canonical, Debian, Redhat and 1 more 11 Ubuntu Linux, Debian Linux, Enterprise Linux and 8 more 2024-11-21 N/A
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
CVE-2017-0900 3 Debian, Redhat, Rubygems 10 Debian Linux, Enterprise Linux, Enterprise Linux Desktop and 7 more 2024-11-21 N/A
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
CVE-2017-0899 3 Debian, Redhat, Rubygems 10 Debian Linux, Enterprise Linux, Enterprise Linux Desktop and 7 more 2024-11-21 N/A
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
CVE-2015-4020 2 Oracle, Rubygems 2 Solaris, Rubygems 2024-11-21 N/A
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.
CVE-2015-3900 4 Oracle, Redhat, Ruby-lang and 1 more 5 Solaris, Enterprise Linux, Rhel Software Collections and 2 more 2024-11-21 N/A
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."
CVE-2013-4363 2 Ruby-lang, Rubygems 2 Ruby, Rubygems 2024-11-21 N/A
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.
CVE-2013-4287 3 Redhat, Ruby-lang, Rubygems 7 Enterprise Linux, Enterprise Mrg, Openshift and 4 more 2024-11-21 N/A
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.
CVE-2013-2616 1 Rubygems 1 Mini Magick 2024-11-21 N/A
lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-2615 1 Rubygems 1 Fastreader 2024-11-21 N/A
lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-1875 1 Rubygems 1 Command Wrap 2024-11-21 N/A
command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
CVE-2013-0269 3 Redhat, Rhel Sam, Rubygems 6 Fuse Esb Enterprise, Jboss Enterprise Soa Platform, Jboss Fuse and 3 more 2024-11-21 N/A
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
CVE-2012-2140 2 Cloudforms Cloudengine, Rubygems 2 1, Mail Gem 2024-11-21 N/A
The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
CVE-2012-2139 2 Cloudforms Cloudengine, Rubygems 2 1, Mail Gem 2024-11-21 N/A
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
CVE-2012-2126 3 Canonical, Redhat, Rubygems 5 Ubuntu Linux, Enterprise Linux, Enterprise Mrg and 2 more 2024-11-21 N/A
RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
CVE-2012-2125 3 Canonical, Redhat, Rubygems 5 Ubuntu Linux, Enterprise Linux, Enterprise Mrg and 2 more 2024-11-21 N/A
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.