Ruby-lang

Ruby

92 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
9.8

CVE-2024-27280

  • EPSS 2.04%
  • Veröffentlicht 14.05.2024 15:11:56
  • Zuletzt bearbeitet 02.05.2025 23:15:15

A buffer-overread issue was discovered in StringIO 3.0.1, as distributed in Ruby 3.0.x through 3.0.6 and 3.1.x through 3.1.4. The ungetbyte and ungetc methods on a StringIO can read past the end of a string, and a subsequent call to StringIO.gets may...

5.3

CVE-2023-28756

  • EPSS 0.87%
  • Veröffentlicht 31.03.2023 04:15:09
  • Zuletzt bearbeitet 21.11.2024 07:55:56

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed vers...

8.8

CVE-2021-33621

Exploit
  • EPSS 2.49%
  • Veröffentlicht 18.11.2022 23:15:18
  • Zuletzt bearbeitet 21.11.2024 06:09:12

The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.

9.8

CVE-2016-2338

Exploit
  • EPSS 15.05%
  • Veröffentlicht 29.09.2022 03:15:11
  • Zuletzt bearbeitet 21.11.2024 02:48:15

An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed a...

7.5

CVE-2022-28739

  • EPSS 0.51%
  • Veröffentlicht 09.05.2022 18:15:08
  • Zuletzt bearbeitet 21.11.2024 06:57:50

There is a buffer over-read in Ruby before 2.6.10, 2.7.x before 2.7.6, 3.x before 3.0.4, and 3.1.x before 3.1.2. It occurs in String-to-Float conversion, including Kernel#Float and String#to_f.

9.8

CVE-2022-28738

  • EPSS 0.55%
  • Veröffentlicht 09.05.2022 18:15:08
  • Zuletzt bearbeitet 21.11.2024 06:57:50

A double free was found in the Regexp compiler in Ruby 3.x before 3.0.4 and 3.1.x before 3.1.2. If a victim attempts to create a Regexp from untrusted user input, an attacker may be able to write to unexpected memory locations.

7.5

CVE-2021-41819

Exploit
  • EPSS 0.88%
  • Veröffentlicht 01.01.2022 06:15:07
  • Zuletzt bearbeitet 22.05.2025 15:15:54

CGI::Cookie.parse in Ruby through 2.6.8 mishandles security prefixes in cookie names. This also affects the CGI gem through 0.3.0 for Ruby.

7.5

CVE-2021-41817

Exploit
  • EPSS 0.54%
  • Veröffentlicht 01.01.2022 05:15:08
  • Zuletzt bearbeitet 21.11.2024 06:26:48

Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1.

7.4

CVE-2021-32066

Exploit
  • EPSS 0.07%
  • Veröffentlicht 01.08.2021 19:15:07
  • Zuletzt bearbeitet 21.11.2024 06:06:47

An issue was discovered in Ruby through 2.6.7, 2.7.x through 2.7.3, and 3.x through 3.0.1. Net::IMAP does not raise an exception when StartTLS fails with an an unknown response, which might allow man-in-the-middle attackers to bypass the TLS protecti...

7.5

CVE-2021-28966

Exploit
  • EPSS 0.35%
  • Veröffentlicht 30.07.2021 14:15:16
  • Zuletzt bearbeitet 21.11.2024 06:00:27

In Ruby through 3.0 on Windows, a remote attacker can submit a crafted path when a Web application handles a parameter with TmpDir.