CVSS: 9.8EPSS: 2%CPEs: 10EXPL: 0CVE-2008-2664 – ruby: Unsafe use of alloca in rb_str_format()
https://notcve.org/view.php?id=CVE-2008-2664
24 Jun 2008 — The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely ... • http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 2%CPEs: 9EXPL: 0CVE-2008-2725 – ruby: integer overflow in rb_ary_splice/update/replace() - REALLOC_N
https://notcve.org/view.php?id=CVE-2008-2725
24 Jun 2008 — Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description ... • http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue • CWE-189: Numeric Errors CWE-190: Integer Overflow or Wraparound •
CVSS: 9.8EPSS: 2%CPEs: 10EXPL: 0CVE-2008-2726 – ruby: integer overflow in rb_ary_splice/update/replace() - beg + rlen
https://notcve.org/view.php?id=CVE-2008-2726
24 Jun 2008 — Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption, aka the "beg + rlen" issue. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change. Un de... • http://blog.phusion.nl/2008/06/23/ruby-186-p230187-broke-your-app-ruby-enterprise-edition-to-the-rescue • CWE-189: Numeric Errors CWE-190: Integer Overflow or Wraparound •
CVSS: 5.3EPSS: 1%CPEs: 3EXPL: 0CVE-2008-1891
https://notcve.org/view.php?id=CVE-2008-1891
18 Apr 2008 — Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :Docum... • http://aluigi.altervista.org/adv/webrickcgi-adv.txt • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 48%CPEs: 7EXPL: 2CVE-2008-1145 – Ruby 1.8.6/1.9 (WEBick HTTPd 1.3.1) - Directory Traversal
https://notcve.org/view.php?id=CVE-2008-1145
04 Mar 2008 — Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash (\) path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option. Una vulnerabilidad de salto de directorio en WEBrick en Ruby versiones 1.8 anteriores a 1.8.5-p115 y 1.8.6-p114, y versiones 1.9 h... • https://www.exploit-db.com/exploits/5215 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.1EPSS: 8%CPEs: 2EXPL: 0CVE-2007-5770 – net:: * modules
https://notcve.org/view.php?id=CVE-2007-5770
14 Nov 2007 — The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162. Las librerias (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, y (5) Net::smtp en Ruby 1.... • http://docs.info.apple.com/article.html?artnum=307179 • CWE-287: Improper Authentication •
CVSS: 5.9EPSS: 2%CPEs: 2EXPL: 0CVE-2007-5162 – Net: HTTP insufficient verification of SSL certificate
https://notcve.org/view.php?id=CVE-2007-5162
01 Oct 2007 — The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site. El método connect en lib/net/http.rb en las bibliotecas (1) Net::HTTP y (2) Net::HTTPS de Ruby 1.8.5 y 1.8.6 no verifica que el campo commonName (CN) en un ce... • http://secunia.com/advisories/26985 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 6%CPEs: 8EXPL: 0CVE-2006-6303 – ruby's cgi.rb vulnerable infinite loop DoS
https://notcve.org/view.php?id=CVE-2006-6303
06 Dec 2006 — The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467. La función read_multipart en cgi.rb de Ruby anterior a 1.8.5-p2 no detecta adecuadamente los límites en contenido MIME multipart, lo cual permite a atacantes remotos provocar una denegación de servicio (bucle infinito) mediante una petición HTTP a... • http://bugs.gentoo.org/show_bug.cgi?id=157048 • CWE-399: Resource Management Errors CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 7.5EPSS: 19%CPEs: 1EXPL: 0CVE-2006-5467 – Ruby CGI multipart parsing DoS
https://notcve.org/view.php?id=CVE-2006-5467
27 Oct 2006 — The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID. La libreria CGI cgi.rb para Ruby 1.8 permite a un atacante remoto provocar denegación de servicio (bucle infinito y consumo de CPU) a través de una respuesta HTTP con un cuerpo multiparte M... • ftp://patches.sgi.com/support/free/security/advisories/20061101-01-P • CWE-399: Resource Management Errors •
CVSS: 9.8EPSS: 3%CPEs: 3EXPL: 0CVE-2006-3694
https://notcve.org/view.php?id=CVE-2006-3694
19 Jul 2006 — Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations". Múltiples vulnerabilidades no especificadas en Ruby anterior a 1.8.5 permite a atacantes remotos evitar la validación "nivel de seguro" a través de vectores no especificados afectando a la función (1)alias y (2) "operaciones de directorio". • ftp://patches.sgi.com/support/free/security/advisories/20060801-01-P •