NotCVE - vendor:"Ruby-lang" product:"Ruby" version:" >= 2.2.0

Page 4 of 33 results (0.003 seconds)

CVSS: 8.4EPSS: 0%CPEs: 14EXPL: 0

CVE-2015-7551 – ruby: DL:: dlopen could open a library with tainted library name

https://notcve.org/view.php?id=CVE-2015-7551

22 Mar 2016 — The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression. La implementación Fiddle::Handle en ext/fiddl... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344 • CWE-20: Improper Input Validation CWE-267: Privilege Defined With Unsafe Actions •

CVSS: 8.6EPSS: 2%CPEs: 42EXPL: 0

CVE-2015-3900 – rubygems: DNS hijacking vulnerability in api_endpoint()

https://notcve.org/view.php?id=CVE-2015-3900

24 Jun 2015 — RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." RubyGems 2.0.x en versiones anteriores a 2.0.16, 2.2.x en versiones anteriores a 2.2.4 y 2.4.x en versiones anteriores a 2.4.7 no valida el nombre de host al recuperar gemas o hacer solicitudes de API, lo que permite a atacantes remotos... • http://blog.rubygems.org/2015/05/14/CVE-2015-3900.html • CWE-254: 7PK - Security Features CWE-345: Insufficient Verification of Data Authenticity •

CVSS: 5.9EPSS: 2%CPEs: 19EXPL: 1

CVE-2015-1855 – Ubuntu Security Notice USN-3365-1

https://notcve.org/view.php?id=CVE-2015-1855

04 May 2015 — verify_certificate_identity in the OpenSSL extension in Ruby before 2.0.0 patchlevel 645, 2.1.x before 2.1.6, and 2.2.x before 2.2.2 does not properly validate hostnames, which allows remote attackers to spoof servers via vectors related to (1) multiple wildcards, (1) wildcards in IDNA names, (3) case sensitivity, and (4) non-ASCII characters. La función Verified_certificate_identity en la extensión OpenSSL en Ruby versiones anteriores a 2.0.0 patchlevel 645, versiones 2.1.x anteriores a 2.1.6 y versiones 2... • https://github.com/vpereira/CVE-2015-1855 • CWE-20: Improper Input Validation •

1 2 3 4