| purl | pkg:deb/debian/rubygems@1.8.24-1 |
| Next non-vulnerable version | 3.3.15-2+deb12u1 |
| Latest non-vulnerable version | 3.3.15-2+deb12u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-8d7n-bfhu-dkfd (Aliases: CVE-2018-1000075, GHSA-74pv-v9gh-h25p) | Loop with Unreachable Exit Condition (Infinite Loop): RubyGems contains an infinite loop caused by a negative size in a ruby gem package tar header; a negative size can cause an infinite loop. | Affected by 4 other vulnerabilities. |
| VCID-8hm4-c4w4-gfen (Aliases: CVE-2018-1000078, GHSA-87qx-g5wg-mwmj) | Cross-site Scripting: RubyGems contains a Cross Site Scripting (XSS) vulnerability in the gem server display of the homepage attribute that can result in XSS. This attack appears to be exploitable by the victim browsing to a malicious gem on a vulnerable gem server. | Affected by 4 other vulnerabilities. |
| VCID-9t45-d5mf-3uar (Aliases: CVE-2018-1000079, GHSA-8qxg-mff5-j3wc) | Path Traversal: RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem. | Affected by 4 other vulnerabilities. |
| VCID-af1f-xwwy-jfa8 (Aliases: CVE-2018-1000074, GHSA-qj2w-mw2r-pv39) | RubyGems contains a Deserialization of Untrusted Data vulnerability in the owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. | Affected by 4 other vulnerabilities. |
| VCID-b36p-re17-n7dq (Aliases: CVE-2017-0900, GHSA-p7f2-rr42-m9xm) | Improper Input Validation: RubyGems is vulnerable to maliciously crafted gem specifications that cause a denial of service against RubyGems clients that have issued a `query` command. | Affected by 4 other vulnerabilities. |
| VCID-cde2-rv4n-tkau (Aliases: CVE-2017-0903, GHSA-mqwr-4qf2-2hcv) | Deserialization of Untrusted Data: rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. | Affected by 4 other vulnerabilities. |
| VCID-f7x5-hz5f-hyd3 (Aliases: CVE-2019-8325, GHSA-4wm8-fjv7-j774) | Improper Restriction of Operations within the Bounds of a Memory Buffer: An issue was discovered in RubyGems. Since `Gem::CommandManager#run` calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) | Affected by 4 other vulnerabilities. |
| VCID-ha3g-uyse-wybx (Aliases: CVE-2019-8322, GHSA-mh37-8c3g-3fgc) | Injection Vulnerability: An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. | Affected by 4 other vulnerabilities. |
| VCID-jkwe-c323-3yez (Aliases: CVE-2019-8321, GHSA-fr32-gr5c-xq5c) | Argument Injection or Modification: An issue was discovered in RubyGems. Since `Gem::UserInteraction#verbose` calls say without escaping, escape sequence injection is possible. | Affected by 4 other vulnerabilities. |
| VCID-jmzh-89dm-r7g2 (Aliases: CVE-2017-0902, GHSA-73w7-6w9g-gc8w) | Origin Validation Error: RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. | Affected by 4 other vulnerabilities. |
| VCID-k2ga-fgvp-5qc7 (Aliases: CVE-2013-4287, GHSA-9j7m-rjqx-48vh, OSV-97163) | Cryptographic Issues: Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. | Affected by 4 other vulnerabilities. |
| VCID-ky5r-bch5-m7dv (Aliases: CVE-2019-8323, GHSA-3h4r-pjv6-cph9) | Injection Vulnerability: An issue was discovered in RubyGems. `Gem::GemcutterUtilities#with_response` may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. | Affected by 4 other vulnerabilities. |
| VCID-mamm-cvdr-subf (Aliases: CVE-2018-1000077, GHSA-gv86-43rv-79m2) | RubyGems contains an Improper Input Validation vulnerability in the ruby gems specification homepage attribute that can result in a malicious gem being able to set an invalid homepage URL. | Affected by 4 other vulnerabilities. |
| VCID-n1ja-n53g-fycm (Aliases: CVE-2025-27221, GHSA-22h5-pq3x-2gf2) | URI allows userinfo leakage in URI#join, URI#merge, and URI#+. There is a possibility of userinfo leakage in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. Details: The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update the URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. Affected versions: uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. Credits: Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability. | Affected by 0 other vulnerabilities. |
| VCID-t78a-dw4s-vqf5 (Aliases: CVE-2019-8320, GHSA-5x32-c9mf-49cc) | Path Traversal: A Directory Traversal issue was discovered in RubyGems. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (`/tmp`, `/usr`, etc.), this could likely lead to data loss or an unusable system. | Affected by 4 other vulnerabilities. |
| VCID-tq93-h2ag-s3bx (Aliases: CVE-2018-1000073, GHSA-gx69-6cp4-hxrj) | Path Traversal: RubyGems contains a Directory Traversal vulnerability in the install_location function of `package.rb` that can result in path traversal when writing to a symlinked basedir outside the root. | Affected by 4 other vulnerabilities. |
| VCID-ucdh-7fgy-33h8 (Aliases: CVE-2013-4363, GHSA-9qvm-2vhf-q649) | Cryptographic Issues: Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. | Affected by 4 other vulnerabilities. |
| VCID-uxdx-abx7-fkdy (Aliases: CVE-2023-28755, GHSA-hv5j-3h9f-99c2) | Ruby URI component ReDoS issue: A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. | Affected by 0 other vulnerabilities. |
| VCID-w4ns-f42m-pyec (Aliases: CVE-2018-1000076, GHSA-mc6j-h948-v2p6) | RubyGems contains an Improper Verification of Cryptographic Signature vulnerability in `package.rb` that can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. | Affected by 4 other vulnerabilities. |
| VCID-xbrw-47yv-wqcr (Aliases: CVE-2021-43809, GHSA-fj7f-vq84-fh43) | Local Code Execution through Argument Injection via a dash-leading git URL parameter in Gemfile. In `bundler` versions before 2.2.33, when working with untrusted and apparently harmless `Gemfile`s, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside the `Gemfile` itself. However, if the `Gemfile` includes `gem` entries that use the `git` option with invalid, but seemingly harmless, values with a leading dash, this can be false. To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as `git clone`. These commands are constructed using user input (e.g. the repository URL). When building the commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (`-`) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables. Since this value comes from the `Gemfile` file, it can contain any character, including a leading dash. | Affected by 0 other vulnerabilities. |
| VCID-xgmc-a5rk-zqag (Aliases: CVE-2019-8324, GHSA-76wm-422q-92mq) | Improper Input Validation: A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code into the stub line of the gemspec, which is evaluated by `ensure_loadable_spec` during the pre-installation check. | Affected by 4 other vulnerabilities. |
| VCID-xgsa-5umz-qffr (Aliases: CVE-2017-0899, GHSA-7gcp-2gmq-w3xh) | Code Injection: RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. | Affected by 4 other vulnerabilities. |
| VCID-xz68-vwz2-2ke4 (Aliases: CVE-2017-0901, GHSA-pm9x-4392-2c2p) | Improper Input Validation: RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. | Affected by 4 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||