Max CVSS | 9.3 | Min CVSS | 5.0 | Total Count | 2 |
ID | CVSS | Summary | Last (major) update | Published |
CVE-2017-0901 | 6.4 | RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. | 09-10-2019 - 23:21 | 31-08-2017 - 20:29 |
CVE-2017-0903 | 7.5 | RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalat | 09-10-2019 - 23:21 | 11-10-2017 - 18:29 |
CVE-2017-0902 | 6.8 | RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. | 09-10-2019 - 23:21 | 31-08-2017 - 20:29 |
CVE-2017-0899 | 7.5 | RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | 09-10-2019 - 23:21 | 31-08-2017 - 20:29 |
CVE-2017-17405 | 9.3 | Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command followi | 19-09-2019 - 10:15 | 15-12-2017 - 09:29 |
CVE-2017-14064 | 7.5 | Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issue lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning | 13-05-2019 - 18:48 | 31-08-2017 - 17:29 |
CVE-2017-0900 | 5.0 | RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. | 13-05-2019 - 14:31 | 31-08-2017 - 20:29 |
CVE-2017-14033 | 5.0 | The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string. | 31-10-2018 - 10:29 | 19-09-2017 - 17:29 |
CVE-2017-10784 | 9.3 | The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted | 31-10-2018 - 10:29 | 19-09-2017 - 17:29 |
CVE-2017-17790 | 7.5 | The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-201 | 03-08-2018 - 01:29 | 20-12-2017 - 09:29 |
CVE-2017-0898 | 6.4 | Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precision specifier (*) with a huge minus value. Such a situation can lead to a buffer overrun, resulting in a heap memory corruption or an information discl | 15-07-2018 - 01:29 | 15-09-2017 - 19:29 |