Skip to main content

Rubygems

25 CVEs product

Monthly

CVE-2022-36073 HIGH PATCH This Week

RubyGems.org is the Ruby community gem host. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Rubygems
NVD GitHub
CVSS 3.1
8.8
EPSS
0.8%
CVE-2019-8323 Ruby HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Debian Linux Leap
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2019-8322 Ruby HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Debian Linux Leap
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2019-8321 Ruby HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Debian Linux Leap
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2019-8325 Ruby HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Leap Debian Linux
NVD
CVSS 3.1
7.5
EPSS
3.4%
CVE-2019-8324 Ruby HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Rubygems Debian Linux Leap +1
NVD
CVSS 3.1
8.8
EPSS
3.2%
CVE-2019-8320 Ruby HIGH POC PATCH This Week

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Path Traversal Rubygems
NVD
CVSS 3.0
7.4
EPSS
4.2%
CVE-2018-1000079 LIB MEDIUM PATCH This Month

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rubygems
NVD GitHub
CVSS 3.0
5.5
EPSS
2.9%
CVE-2018-1000078 LIB MEDIUM PATCH This Month

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Rubygems Debian Linux
NVD GitHub
CVSS 3.0
6.1
EPSS
2.8%
CVE-2018-1000077 LIB MEDIUM PATCH This Month

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rubygems Debian Linux
NVD GitHub
CVSS 3.0
5.3
EPSS
3.8%
CVE-2018-1000076 LIB CRITICAL PATCH Act Now

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Rubygems Debian Linux
NVD GitHub
CVSS 3.0
9.8
EPSS
3.0%
CVE-2018-1000075 LIB HIGH PATCH This Week

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rubygems Debian Linux
NVD GitHub
CVSS 3.0
7.5
EPSS
4.8%
CVE-2018-1000074 LIB HIGH PATCH This Week

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Rubygems
NVD GitHub
CVSS 3.0
7.8
EPSS
3.0%
CVE-2018-1000073 LIB HIGH PATCH This Week

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Rubygems
NVD GitHub
CVSS 3.0
7.5
EPSS
5.1%
CVE-2017-0903 Ruby CRITICAL PATCH Act Now

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Rubygems Debian Linux Ubuntu Linux +6
NVD GitHub
CVSS 3.0
9.8
EPSS
5.5%
CVE-2017-0902 Ruby HIGH POC PATCH This Week

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Rubygems Debian Linux Ubuntu Linux Enterprise Linux Desktop +5
NVD GitHub
CVSS 3.0
8.1
EPSS
5.2%
CVE-2017-0901 Ruby HIGH POC PATCH THREAT Act Now

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.6%.

Path Traversal Rubygems Debian Linux Ubuntu Linux Enterprise Linux Desktop +5
NVD GitHub Exploit-DB
CVSS 3.0
7.5
EPSS
18.6%
CVE-2017-0900 Ruby HIGH POC PATCH THREAT Act Now

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.2%.

Denial Of Service Rubygems Debian Linux Enterprise Linux Desktop Enterprise Linux Server +4
NVD GitHub
CVSS 3.0
7.5
EPSS
11.2%
CVE-2017-0899 Ruby CRITICAL POC PATCH Act Now

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rubygems Debian Linux Enterprise Linux Desktop Enterprise Linux Server +4
NVD GitHub
CVSS 3.0
9.8
EPSS
7.4%
CVE-2015-4020 Ruby MEDIUM PATCH This Month

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Solaris Rubygems
NVD GitHub
CVSS 2.0
4.3
EPSS
0.5%
CVE-2015-3900 Ruby MEDIUM PATCH This Month

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Ruby Rubygems Solaris Enterprise Linux
NVD
CVSS 2.0
5.0
EPSS
2.4%
CVE-2013-4363 Ruby MEDIUM PATCH This Month

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Rubygems Ruby
NVD
CVSS 2.0
4.3
EPSS
0.6%
CVE-2013-4287 Ruby MEDIUM PATCH This Month

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Enterprise Linux Rubygems Ruby
NVD
CVSS 2.0
4.3
EPSS
2.0%
CVE-2012-2126 Ruby MEDIUM PATCH This Month

RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Rubygems
NVD GitHub
CVSS 2.0
4.3
EPSS
0.3%
CVE-2012-2125 Ruby MEDIUM PATCH This Month

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Information Disclosure Rubygems
NVD GitHub
CVSS 2.0
5.8
EPSS
0.6%
EPSS 1% CVSS 8.8
HIGH PATCH This Week

RubyGems.org is the Ruby community gem host. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. This Improper Authentication vulnerability could allow attackers to bypass authentication mechanisms to gain unauthorized access.

Authentication Bypass Rubygems
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Debian Linux +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Debian Linux +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Debian Linux +1
NVD
EPSS 3% CVSS 7.5
HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rubygems Leap +1
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

An issue was discovered in RubyGems 2.6 and later through 3.0.2. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection RCE Rubygems +3
NVD
EPSS 4% CVSS 7.4
HIGH POC PATCH This Week

A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

Path Traversal Rubygems
NVD
EPSS 3% CVSS 5.5
MEDIUM PATCH This Month

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated medium severity (CVSS 5.5), this vulnerability is no authentication required, low attack complexity. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rubygems
NVD GitHub
EPSS 3% CVSS 6.1
MEDIUM PATCH This Month

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.

XSS Rubygems Debian Linux
NVD GitHub
EPSS 4% CVSS 5.3
MEDIUM PATCH This Month

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Rubygems Debian Linux
NVD GitHub
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Jwt Attack Information Disclosure Rubygems +1
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rubygems Debian Linux
NVD GitHub
EPSS 3% CVSS 7.8
HIGH PATCH This Week

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Rubygems
NVD GitHub
EPSS 5% CVSS 7.5
HIGH PATCH This Week

RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Path Traversal Rubygems
NVD GitHub
EPSS 6% CVSS 9.8
CRITICAL PATCH Act Now

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Deserialization of Untrusted Data vulnerability could allow attackers to execute arbitrary code through malicious serialized objects.

Deserialization RCE Rubygems +8
NVD GitHub
EPSS 5% CVSS 8.1
HIGH POC PATCH This Week

RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available.

Information Disclosure Rubygems Debian Linux +7
NVD GitHub
EPSS 19% CVSS 7.5
HIGH POC PATCH THREAT Act Now

RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 18.6%.

Path Traversal Rubygems Debian Linux +7
NVD GitHub Exploit-DB
EPSS 11% CVSS 7.5
HIGH POC PATCH THREAT Act Now

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and EPSS exploitation probability 11.2%.

Denial Of Service Rubygems Debian Linux +6
NVD GitHub
EPSS 7% CVSS 9.8
CRITICAL POC PATCH Act Now

RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rubygems Debian Linux +6
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Solaris Rubygems
NVD GitHub
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Ruby Rubygems +2
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Rubygems Ruby
NVD
EPSS 2% CVSS 4.3
MEDIUM PATCH This Month

Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Enterprise Linux Rubygems +1
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Information Disclosure Rubygems
NVD GitHub
EPSS 1% CVSS 5.8
MEDIUM PATCH This Month

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable.

Information Disclosure Rubygems
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy