ruby/ruby

ruby/ruby

www.ruby-lang.org

Releases1.19K

Frequency1 week 1 day

Last Release 15 days ago

Stars23.6K

The Ruby Programming Language

Log in to subscribe

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2024-35221 ↗	May 29, 2024Wednesday, 29 May 2024, 21:15	4.3 MEDIUM	—
Rubygems.org is the Ruby community's gem hosting service. A Gem publisher can cause a Remote DoS when publishing a Gem. This is due to how Ruby reads the Manifest of Gem files when using Gem::Specification.from_yaml. from_yaml makes use of SafeYAML.load which allows YAML aliases inside the YAML-based metadata of a gem. YAML aliases allow for Denial of Service attacks with so-called `YAML-bombs` (comparable to Billion laughs attacks). This was patched. There is is no action required by users. This issue is also tracked as GHSL-2024-001 and was discovered by the GitHub security lab.
CVE-2021-32066 ↗	Aug 1, 2021Sunday, 1 August 2021, 19:15	7.4 HIGH	5.8 MEDIUM
An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
CVE-2017-17790 ↗	Dec 20, 2017Wednesday, 20 December 2017, 09:29	—	7.5 HIGH
The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '\|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.
CVE-2015-9096 ↗	Jun 12, 2017Monday, 12 June 2017, 20:29	—	4.3 MEDIUM
Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
CVE-2009-5147 ↗	Mar 29, 2017Wednesday, 29 March 2017, 14:59	—	7.5 HIGH
DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.
CVE-2015-7551 ↗	Mar 24, 2016Thursday, 24 March 2016, 01:59	—	4.6 MEDIUM
The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression.