CVSS: 7.5EPSS: 17%CPEs: 13EXPL: 1CVE-2017-0900 – rubygems: No size limit in summary length of gem spec
https://notcve.org/view.php?id=CVE-2017-0900
31 Aug 2017 — RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. RubyGems 2.6.12 y anteriores es vulnerable a especificaciones de gemas manipuladas maliciosamente para provocar ataques de denegación de servicio contra clientes RubyGems que hayan enviado un comando query. It was found that rubygems could use an excessive amount of CPU while parsing a sufficiently long gem summary. A spec... • http://blog.rubygems.org/2017/08/27/2.6.13-released.html • CWE-20: Improper Input Validation CWE-138: Improper Neutralization of Special Elements •
CVSS: 7.5EPSS: 24%CPEs: 16EXPL: 3CVE-2017-0901 – RubyGems < 2.6.13 - Arbitrary File Overwrite
https://notcve.org/view.php?id=CVE-2017-0901
31 Aug 2017 — RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. RubyGems 2.6.12 y anteriores no valida con éxito los nombres de las especificaciones, permitiendo que una gema manipulada maliciosamente sobrescriba cualquier archivo en el sistema de archivos. It was found that rubygems did not sanitize gem names during installation of a given gem. A specially crafted gem could use this flaw to install files outs... • https://packetstorm.news/files/id/143993 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-138: Improper Neutralization of Special Elements •
CVSS: 8.1EPSS: 3%CPEs: 16EXPL: 2CVE-2017-0902 – rubygems: DNS hijacking vulnerability
https://notcve.org/view.php?id=CVE-2017-0902
31 Aug 2017 — RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. RubyGems 2.6.12 y anteriores es vulnerable a secuestro de DNS, lo que permite a un atacante Man-in-the-Middle (MitM) forzar el cliente RubyGems a que descargue e instale gemas desde un servidor que está bajo el control del atacante. A vulnerability was found where rubygems did not sanitize DNS respon... • http://blog.rubygems.org/2017/08/27/2.6.13-released.html • CWE-138: Improper Neutralization of Special Elements CWE-346: Origin Validation Error CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action •
CVSS: 4.3EPSS: 0%CPEs: 36EXPL: 0CVE-2015-4020
https://notcve.org/view.php?id=CVE-2015-4020
25 Aug 2015 — RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900. RubyGems 2.0.x en versiones anteriores a 2.0.17, 2.2.x en versiones anteriores a 2.2.5 y 2.4.x ... • http://blog.rubygems.org/2015/06/08/2.2.5-released.html • CWE-20: Improper Input Validation •
CVSS: 8.6EPSS: 2%CPEs: 42EXPL: 0CVE-2015-3900 – rubygems: DNS hijacking vulnerability in api_endpoint()
https://notcve.org/view.php?id=CVE-2015-3900
24 Jun 2015 — RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." RubyGems 2.0.x en versiones anteriores a 2.0.16, 2.2.x en versiones anteriores a 2.2.4 y 2.4.x en versiones anteriores a 2.4.7 no valida el nombre de host al recuperar gemas o hacer solicitudes de API, lo que permite a atacantes remotos... • http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html • CWE-254: 7PK - Security Features CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 9.8EPSS: 0%CPEs: 71EXPL: 0CVE-2013-4363
https://notcve.org/view.php?id=CVE-2013-4363
17 Oct 2013 — Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287. Vulnerabilidad en la complejidad algo... • http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html • CWE-310: Cryptographic Issues •