CVSS: 7.5EPSS: 0%CPEs: 11EXPL: 0CVE-2012-4464 – 1.9.3: Possibility to bypass Ruby's $SAFE (level 4) semantics
https://notcve.org/view.php?id=CVE-2012-4464
25 Apr 2013 — Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression. Ruby v1.9.3 antes patchlevel 286 y v2.0 antes de la revisión r37068 permite a atacantes dependientes de contexto para evitar las restricciones de... • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089554.html • CWE-264: Permissions, Privileges, and Access Controls CWE-266: Incorrect Privilege Assignment •
CVSS: 7.5EPSS: 0%CPEs: 34EXPL: 0CVE-2012-4466 – ruby: safe level bypass via name_err_mesg_to_str()
https://notcve.org/view.php?id=CVE-2012-4466
25 Apr 2013 — Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. Ruby v1.8.7 antes de patchlevel 371, v1.9.3 antes patchlevel 286 y v2.0 antes de la revisión r37068 permite a atacantes dependientes de contexto evitar las restricciones de seguridad de nivel y mo... • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089554.html • CWE-264: Permissions, Privileges, and Access Controls CWE-266: Incorrect Privilege Assignment •
CVSS: 5.3EPSS: 10%CPEs: 14EXPL: 0CVE-2013-1821 – ruby: entity expansion DoS vulnerability in REXML
https://notcve.org/view.php?id=CVE-2013-1821
09 Apr 2013 — lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. lib/rexml/text.rb en el analizador REXML en Ruby anterior a 1.9.3-p392, permite a atacantes remotos provocar una denegación de servicio (consumo de memoria o caída de la aplicación) a través de nodos de texto manipulados en un documento XML. Aka como ataque XML Entity Expansion ... • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702525 • CWE-20: Improper Input Validation •
CVSS: 7.5EPSS: 10%CPEs: 35EXPL: 0CVE-2013-1655 – Gentoo Linux Security Advisory 2013-08-04
https://notcve.org/view.php?id=CVE-2013-1655
20 Mar 2013 — Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Puppet v2.7.x anterior a v2.7.21 y 3.1.x anterior a v3.1.1, cuando ejecutan Ruby v1.9.3 o posterior, permite a atacantes remotos ejecutar código arbitario mediante vectores relacionados con "serialized attributes." Multiple vulnerabilities have been found in Puppet, the worst of which could lead to execution of arbitrary code. ... • http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html • CWE-20: Improper Input Validation •
CVSS: 6.1EPSS: 0%CPEs: 17EXPL: 0CVE-2013-0256 – rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template
https://notcve.org/view.php?id=CVE-2013-0256
01 Mar 2013 — darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. darkfish.js de RDoc v2.3.0 hasta v3.12 y v4.x antes de v4.0.0.preview2.1, tal como se utiliza en Ruby, no se generó correctamente los documentos, que permite a atacantes remotos realizar ejecución de secuencias de comandos en sitios cruzados (XSS) a través de una URL manipulada. • http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 9EXPL: 0CVE-2012-5371 – ruby: Murmur hash-flooding DoS flaw in ruby 1.9 (oCERT-2012-001)
https://notcve.org/view.php?id=CVE-2012-5371
28 Nov 2012 — Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815. Ruby (también conocido como CRuby) v1.9 anteriore... • http://2012.appsec-forum.ch/conferences/#c17 • CWE-310: Cryptographic Issues •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2012-4522 – ruby: unintentional file creation caused by inserting an illegal NUL character
https://notcve.org/view.php?id=CVE-2012-4522
24 Nov 2012 — The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path. La función rb_get_path_check en file.c en Ruby v1.9.3 anterior a patchlevel 286 y Ruby v2.0.0 anterior a r37163 permite a atacantes dependientes de contexto crear archivos en ubicaciones inesperadas o con nombres inesperados a través de un byte NUL en una ruta de archivo. • http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090235.html • CWE-264: Permissions, Privileges, and Access Controls CWE-626: Null Byte Interaction Error (Poison Null Byte) •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 2CVE-2012-5380 – IKE and AuthIP IPsec Keyring Modules Service (IKEEXT) - Missing DLL
https://notcve.org/view.php?id=CVE-2012-5380
11 Oct 2012 — Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Rel... • https://www.exploit-db.com/exploits/28130 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.8EPSS: 1%CPEs: 5EXPL: 0CVE-2011-4815 – ruby: hash table collisions CPU usage DoS (oCERT-2011-003)
https://notcve.org/view.php?id=CVE-2011-4815
30 Dec 2011 — Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. Ruby (también conocido como CRuby) anterior a v1.8.7-P357 calcula los valores de hash sin restringir la capacidad de desencadenar colisiones hash predecible, que permite a atacantes dependientes de contexto para causar una denegaci... • http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html • CWE-20: Improper Input Validation •
CVSS: 7.4EPSS: 0%CPEs: 3EXPL: 0CVE-2011-3009 – ruby: Properly initialize the random number generator when forking new process
https://notcve.org/view.php?id=CVE-2011-3009
05 Aug 2011 — Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. Ruby en versiones anteriores a la 1.8.6-p114 no resetea la semilla aleatoria después de la creacción de procesos ("forking"), lo que facilita a atacantes, dependiendo del contexto, predecir el valor de números aleatorios basándose... • http://redmine.ruby-lang.org/issues/show/4338 • CWE-310: Cryptographic Issues •