Search for packages
| purl | pkg:gem/rubygems-update@2.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-b36p-re17-n7dq
Aliases: CVE-2017-0900 GHSA-p7f2-rr42-m9xm |
Improper Input Validation RubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. |
Affected by 6 other vulnerabilities. |
|
VCID-cde2-rv4n-tkau
Aliases: CVE-2017-0903 GHSA-mqwr-4qf2-2hcv |
Deserialization of Untrusted Data rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. |
Affected by 5 other vulnerabilities. |
|
VCID-ee8m-jtmh-dfbs
Aliases: CVE-2015-3900 GHSA-wp3j-rvfp-624h OSV-122162 |
7PK - Security Features RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." |
Affected by 7 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-jmzh-89dm-r7g2
Aliases: CVE-2017-0902 GHSA-73w7-6w9g-gc8w |
Origin Validation Error RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. |
Affected by 6 other vulnerabilities. |
|
VCID-k2ga-fgvp-5qc7
Aliases: CVE-2013-4287 GHSA-9j7m-rjqx-48vh OSV-97163 |
Cryptographic Issues Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. |
Affected by 8 other vulnerabilities. |
|
VCID-ucdh-7fgy-33h8
Aliases: CVE-2013-4363 GHSA-9qvm-2vhf-q649 |
Cryptographic Issues Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. |
Affected by 7 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-xgsa-5umz-qffr
Aliases: CVE-2017-0899 GHSA-7gcp-2gmq-w3xh |
Code Injection RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. |
Affected by 6 other vulnerabilities. |
|
VCID-xz68-vwz2-2ke4
Aliases: CVE-2017-0901 GHSA-pm9x-4392-2c2p |
Improper Input Validation RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. |
Affected by 6 other vulnerabilities. |
|
VCID-zb9m-getz-3keh
Aliases: CVE-2015-4020 GHSA-qv62-xfj6-32xm |
Improper Input Validation RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900. |
Affected by 7 other vulnerabilities. Affected by 12 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-k2ga-fgvp-5qc7 | Cryptographic Issues Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. |
CVE-2013-4287
GHSA-9j7m-rjqx-48vh OSV-97163 |