Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

Search CVE reports


Toggle filters

1 – 10 of 62 results


CVE-2014-6438

Low priority
Ignored

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.

7 affected packages

ruby1.8, ruby1.9, ruby1.9.1, ruby2.0, ruby2.1...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.1 Not in release
ruby2.2 Not in release
ruby2.3 Not affected
Show all 7 packages Show less packages

CVE-2017-6181

Medium priority
Not affected

The parse_char_class function in regparse.c in the Onigmo (aka Oniguruma-mod) regular expression library, as used in Ruby 2.4.0, allows remote attackers to cause a denial of service (deep recursion and application crash) via a...

4 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.3 Not affected
Show less packages

CVE-2009-5147

Low priority

Some fixes available 1 of 5

DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names.

6 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.1 Not in release
ruby2.2 Not in release
ruby2.3 Not affected
Show less packages

CVE-2016-7798

Low priority

Some fixes available 5 of 16

The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.

7 affected packages

ruby-attr-encrypted, ruby-encryptor, ruby1.8, ruby1.9.1, ruby2.0...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby-attr-encrypted Not affected Not affected Not affected Not in release Vulnerable
ruby-encryptor Not affected Not affected Not affected Not in release Vulnerable
ruby1.8 Not in release Not in release Not in release Not in release Not in release
ruby1.9.1 Not in release Not in release Not in release Not in release Not in release
ruby2.0 Not in release Not in release Not in release Not in release Not in release
ruby2.1 Not in release Not in release Not in release Not in release Not in release
ruby2.3 Not in release Not in release Not in release Not in release Fixed
Show all 7 packages Show less packages

CVE-2016-2339

Low priority

Some fixes available 2 of 4

An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length....

4 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.3 Not affected
Show less packages

CVE-2016-2337

Negligible priority

Some fixes available 2 of 4

Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution.

4 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.3 Not affected
Show less packages

CVE-2015-4020

Low priority
Not affected

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a...

7 affected packages

jruby, libgems-ruby, ruby1.8, ruby1.9.1, ruby2.1...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jruby
libgems-ruby
ruby1.8
ruby1.9.1
ruby2.1
ruby2.2
rubygems
Show all 7 packages Show less packages

CVE-2015-3900

Low priority
Ignored

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a...

8 affected packages

jruby, libgems-ruby, ruby1.8, ruby1.9.1, ruby2.1...

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
jruby
libgems-ruby
ruby1.8
ruby1.9.1
ruby2.1
ruby2.2
ruby2.3
rubygems
Show all 8 packages Show less packages

CVE-2015-1855

Low priority

Some fixes available 2 of 11

verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors...

6 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.1, ruby2.2, ruby2.3

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8 Not in release
ruby1.9.1 Not in release
ruby2.0 Not in release
ruby2.1 Not in release
ruby2.2 Not in release
ruby2.3 Not affected
Show less packages

CVE-2014-3916

Negligible priority
Ignored

The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string.

4 affected packages

ruby1.8, ruby1.9.1, ruby2.0, ruby2.1

Package 24.04 LTS 22.04 LTS 20.04 LTS 18.04 LTS 16.04 LTS
ruby1.8
ruby1.9.1
ruby2.0
ruby2.1
Show less packages