VYPR

rpm package

suse/ruby2.1&distro=SUSE Linux Enterprise Server 12 SP4

pkg:rpm/suse/ruby2.1&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP4

Vulnerabilities (42)

  • CVE-2018-1000078MedMar 13, 2018
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage att

  • CVE-2018-1000077MedMar 13, 2018
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage at

  • CVE-2018-1000076CriMar 13, 2018
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb t

  • CVE-2018-1000075HigMar 13, 2018
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar he

  • CVE-2018-1000074HigMar 13, 2018
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can resu

  • CVE-2018-1000073HigMar 13, 2018
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb t

  • CVE-2017-17790CriDec 20, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with

  • CVE-2017-17405HigDec 15, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is execu

  • CVE-2017-0903CriOct 11, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

  • CVE-2017-14033HigSep 19, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string.

  • CVE-2017-10784HigSep 19, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

  • CVE-2017-0898CriSep 15, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap.

  • CVE-2017-0902HigAug 31, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.

  • CVE-2017-0901HigAug 31, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.

  • CVE-2017-0900HigAug 31, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.

  • CVE-2017-0899CriAug 31, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.

  • CVE-2017-14064CriAug 31, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    Ruby through 2.2.7, 2.3.x through 2.3.4, and 2.4.x through 2.4.1 can expose arbitrary memory during a JSON.generate call. The issues lies in using strdup in ext/json/ext/generator/generator.c, which will stop after encountering a '\0' byte, returning a pointer to a string of leng

  • CVE-2015-9096MedJun 12, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

  • CVE-2017-9229HigMay 24, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A SIGSEGV occurs in left_adjust_char_head() during regular expression compilation. Invalid handling of reg->dmax in forward_search_range() could result in

  • CVE-2017-9228CriMay 24, 2017
    affected < 2.1.9-19.3.2fixed 2.1.9-19.3.2

    An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write occurs in bitset_set_range() during regular expression compilation due to an uninitialized variable from an incorrect state tra