CVE search results

21 – 30 of 52 results

Detailed view

Sort by:

CVE-2021-31799

Medium priority

Fixed

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

5 affected packages

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	Not in release	Not in release	Not in release
ruby2.0	—	Not in release	Not in release	Not in release
ruby2.3	—	Not in release	Not in release	Not in release
ruby2.5	—	Not in release	Not in release	Fixed
ruby2.7	—	—	Fixed	Not in release

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. A malicious FTP server can use the PASV response to trick Net::FTP into connecting back to a given IP address and port. This potentially...

5 affected packages

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	Not in release	Not in release	Not in release
ruby2.0	—	Not in release	Not in release	Not in release
ruby2.3	—	Not in release	Not in release	Not in release
ruby2.5	—	Not in release	Not in release	Fixed
ruby2.7	—	—	Fixed	Not in release

CVE-2021-28965

Medium priority

Some fixes available 6 of 9

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

4 affected packages

ruby2.3, ruby2.5, ruby2.7, ruby-rexml

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby2.3	—	Not in release	Not in release	Not in release
ruby2.5	—	Not in release	Not in release	Fixed
ruby2.7	—	—	Fixed	Not in release
ruby-rexml	—	Not in release	Not in release	Not in release

CVE-2020-25613

Low priority

Fixed

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker...

5 affected packages

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	Not in release	Not in release
ruby2.0	—	—	Not in release	Not in release
ruby2.3	—	—	Not in release	Not in release
ruby2.5	—	—	Not in release	Fixed
ruby2.7	—	—	Fixed	Not in release

CVE-2020-10933

Low priority

Some fixes available 2 of 3

An issue was discovered in Ruby 2.5.x through 2.5.7, 2.6.x through 2.6.5, and 2.7.0. If a victim calls BasicSocket#read_nonblock(requested_size, buffer, exception: false), the method resizes the buffer to fit the requested size,...

5 affected packages

ruby1.9.1, ruby2.0, ruby2.3, ruby2.5, ruby2.7

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby1.9.1	—	—	Not in release	Not in release
ruby2.0	—	—	Not in release	Not in release
ruby2.3	—	—	Not in release	Not in release
ruby2.5	—	—	Not in release	Fixed
ruby2.7	—	—	Fixed	Not in release

CVE-2020-10663

Medium priority

Some fixes available 2 of 7

The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor...

5 affected packages

ruby2.1, ruby2.3, ruby2.5, ruby2.7, ruby-json

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
ruby2.1	Not in release	Not in release	Not in release	Not in release
ruby2.3	Not in release	Not in release	Not in release	Not in release
ruby2.5	Not in release	Not in release	Not in release	Fixed
ruby2.7	—	—	Not affected	Not in release
ruby-json	Not affected	Not affected	Not affected	Needs evaluation

CVE-2019-16255

Medium priority

Some fixes available 5 of 17

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows code injection if the first argument (aka the "command" argument) to Shell#[] or Shell#test in lib/shell.rb is untrusted data. An attacker can exploit this to...

3 affected packages

jruby, ruby2.3, ruby2.5

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	Needs evaluation	—	Needs evaluation	Needs evaluation
ruby2.3	Not in release	Not in release	Not in release	Not in release
ruby2.5	Not in release	Not in release	Not in release	Fixed

CVE-2019-16254

Medium priority

Some fixes available 5 of 6

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character...

3 affected packages

jruby, ruby2.3, ruby2.5

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	—	—	Not affected	Not affected
ruby2.3	—	Not in release	Not in release	Not in release
ruby2.5	—	Not in release	Not in release	Fixed

CVE-2019-16201

Medium priority

Some fixes available 5 of 17

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth...

3 affected packages

jruby, ruby2.3, ruby2.5

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	Needs evaluation	—	Vulnerable	Vulnerable
ruby2.3	Not in release	Not in release	Not in release	Not in release
ruby2.5	Not in release	Not in release	Not in release	Fixed

CVE-2019-15845

Medium priority

Fixed

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 mishandles path checking within File.fnmatch functions.

3 affected packages

jruby, ruby2.3, ruby2.5

Package	24.04 LTS	22.04 LTS	20.04 LTS	18.04 LTS
jruby	—	—	—	Not affected
ruby2.3	—	—	—	Not in release
ruby2.5	—	—	—	Fixed

Export to JSON

Results by page:

Search CVE reports

CVE-2021-31799

CVE-2021-31810

CVE-2021-28965

CVE-2020-25613

CVE-2020-10933

CVE-2020-10663

CVE-2019-16255

CVE-2019-16254

CVE-2019-16201

CVE-2019-15845