
CVE-2013-4136 – rubygem-passenger: insecure temporary directory usage due to reuse of existing server instance directories
https://notcve.org/view.php?id=CVE-2013-4136
05 Aug 2013 — ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6 for Ruby allows local users to gain privileges or possibly change the ownership of arbitrary directories via a symlink attack on a directory with a predictable name in /tmp/. • http://rhn.redhat.com/errata/RHSA-2013-1136.html • CWE-59: Improper Link Resolution Before File Access ('Link Following')

CVE-2013-2119 – rubygem-passenger: incorrect temporary file usage
https://notcve.org/view.php?id=CVE-2013-2119
05 Aug 2013 — Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem. • http://blog.phusion.nl/2013/05/29/phusion-passenger-3-0-21-released • CWE-264: Permissions, Privileges, and Access Controls • CWE-377: Insecure Temporary File

CVE-2013-4073 – ruby: hostname check bypassing vulnerability in SSL client
https://notcve.org/view.php?id=CVE-2013-4073
28 Jun 2013 — The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. • http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel%21 • CWE-310: Cryptographic Issues

CVE-2013-2065 – Ubuntu Security Notice USN-2035-1
https://notcve.org/view.php?id=CVE-2013-2065
17 May 2013 — (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions. Charlie... • http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107064.html • CWE-264: Permissions, Privileges, and Access Controls

CVE-2013-0175 – openSUSE Security Advisory - openSUSE-SU-2025:15122-1
https://notcve.org/view.php?id=CVE-2013-0175
25 Apr 2013 — multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156. • http://www.openwall.com/lists/oss-security/2013/01/11/9 • CWE-20: Improper Input Validation

CVE-2013-1947
https://notcve.org/view.php?id=CVE-2013-1947
25 Apr 2013 — kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb. • http://www.openwall.com/lists/oss-security/2013/04/10/3 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2013-0233 – Ruby on Rails Devise Authentication Password Reset
https://notcve.org/view.php?id=CVE-2013-0233
25 Apr 2013 — Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts. • https://packetstorm.news/files/id/180861 • CWE-399: Resource Management Errors

CVE-2013-1948 – Ruby Gem md2pdf Command Injection
https://notcve.org/view.php?id=CVE-2013-1948
15 Apr 2013 — converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename. Ruby Gem md2pdf suffers from a remote command injection vulnerability. • https://packetstorm.news/files/id/121307

CVE-2013-1933 – Ruby Gem Karteek Docsplit 0.5.4 Command Injection
https://notcve.org/view.php?id=CVE-2013-1933
10 Apr 2013 — The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename. Ruby Gem Karteek Do... • https://packetstorm.news/files/id/121208 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVE-2013-1911
https://notcve.org/view.php?id=CVE-2013-1911
03 Apr 2013 — lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name. • http://archives.neohapsis.com/archives/bugtraq/2013-04/0010.html • CWE-20: Improper Input Validation