Filtered by vendor Ruby-lang
Subscriptions
Total
119 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2012-4522 | 2 Redhat, Ruby-lang | 3 Enterprise Linux, Openshift, Ruby | 2024-11-21 | N/A |
The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path. | ||||
CVE-2012-4481 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005. | ||||
CVE-2012-4466 | 2 Redhat, Ruby-lang | 2 Openshift, Ruby | 2024-11-21 | N/A |
Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. | ||||
CVE-2012-4464 | 2 Redhat, Ruby-lang | 2 Openshift, Ruby | 2024-11-21 | N/A |
Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression. | ||||
CVE-2011-4815 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. | ||||
CVE-2011-4121 | 1 Ruby-lang | 1 Ruby | 2024-11-21 | 9.8 Critical |
The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used for private RSA key generation. A remote attacker could use this flaw to bypass or corrupt integrity of services, depending on strong private RSA keys generation mechanism. | ||||
CVE-2011-3624 | 1 Ruby-lang | 1 Ruby | 2024-11-21 | 5.3 Medium |
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. | ||||
CVE-2011-3009 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. | ||||
CVE-2011-2705 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID. | ||||
CVE-2011-2686 | 1 Ruby-lang | 1 Ruby | 2024-11-21 | N/A |
Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development. | ||||
CVE-2011-1005 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname. | ||||
CVE-2011-1004 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack. | ||||
CVE-2011-0188 | 3 Apple, Redhat, Ruby-lang | 4 Mac Os X, Mac Os X Server, Enterprise Linux and 1 more | 2024-11-21 | N/A |
The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue." | ||||
CVE-2010-2489 | 2 Microsoft, Ruby-lang | 2 Windows, Ruby | 2024-11-21 | N/A |
Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files. | ||||
CVE-2009-5147 | 2 Redhat, Ruby-lang | 2 Rhel Software Collections, Ruby | 2024-11-21 | N/A |
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. | ||||
CVE-2009-4492 | 2 Redhat, Ruby-lang | 3 Enterprise Linux, Ruby, Webrick | 2024-11-21 | N/A |
WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. | ||||
CVE-2009-4124 | 1 Ruby-lang | 1 Ruby | 2024-11-21 | N/A |
Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information. | ||||
CVE-2009-1904 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
The BigDecimal library in Ruby 1.8.6 before p369 and 1.8.7 before p173 allows context-dependent attackers to cause a denial of service (application crash) via a string argument that represents a large number, as demonstrated by an attempted conversion to the Float data type. | ||||
CVE-2009-0642 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
ext/openssl/ossl_ocsp.c in Ruby 1.8 and 1.9 does not properly check the return value from the OCSP_basic_verify function, which might allow remote attackers to successfully present an invalid X.509 certificate, possibly involving a revoked certificate. | ||||
CVE-2008-4310 | 2 Redhat, Ruby-lang | 2 Enterprise Linux, Ruby | 2024-11-21 | N/A |
httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656. |