Search for packages
| purl | pkg:gem/rubygems-update@2.4.4 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8d7n-bfhu-dkfd
Aliases: CVE-2018-1000075 GHSA-74pv-v9gh-h25p |
Loop with Unreachable Exit Condition (Infinite Loop) RubyGems contains an infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-8hm4-c4w4-gfen
Aliases: CVE-2018-1000078 GHSA-87qx-g5wg-mwmj |
Cross-site Scripting RubyGems contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appears to be exploitable by the victim browsing to a malicious gem on a vulnerable gem server. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-9t45-d5mf-3uar
Aliases: CVE-2018-1000079 GHSA-8qxg-mff5-j3wc |
Path Traversal RubyGems contains a Directory Traversal vulnerability in gem installation that can result in the gem being able to write to arbitrary filesystem locations during installation. This attack appears to be exploitable by a victim installing a malicious gem. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-af1f-xwwy-jfa8
Aliases: CVE-2018-1000074 GHSA-qj2w-mw2r-pv39 |
RubyGems contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appears to be exploitable when the victim runs the `gem owner` command on a gem with a specially crafted YAML file. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-b36p-re17-n7dq
Aliases: CVE-2017-0900 GHSA-p7f2-rr42-m9xm |
Improper Input Validation RubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. |
Affected by 6 other vulnerabilities. |
|
VCID-cde2-rv4n-tkau
Aliases: CVE-2017-0903 GHSA-mqwr-4qf2-2hcv |
Deserialization of Untrusted Data rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. |
Affected by 5 other vulnerabilities. |
|
VCID-ee8m-jtmh-dfbs
Aliases: CVE-2015-3900 GHSA-wp3j-rvfp-624h OSV-122162 |
7PK - Security Features RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." |
Affected by 13 other vulnerabilities. |
|
VCID-jmzh-89dm-r7g2
Aliases: CVE-2017-0902 GHSA-73w7-6w9g-gc8w |
Origin Validation Error RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. |
Affected by 6 other vulnerabilities. |
|
VCID-mamm-cvdr-subf
Aliases: CVE-2018-1000077 GHSA-gv86-43rv-79m2 |
RubyGems contains an Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem being able to set an invalid homepage URL. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-tq93-h2ag-s3bx
Aliases: CVE-2018-1000073 GHSA-gx69-6cp4-hxrj |
Path Traversal RubyGems contains a Directory Traversal vulnerability in install_location function of `package.rb` that can result in path traversal when writing to a symlinked basedir outside the root. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-w4ns-f42m-pyec
Aliases: CVE-2018-1000076 GHSA-mc6j-h948-v2p6 |
RubyGems contains an Improper Verification of Cryptographic Signature vulnerability in `package.rb` that can result in a mis-signed gem being installed, as the tarball would contain multiple gem signatures. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-xgsa-5umz-qffr
Aliases: CVE-2017-0899 GHSA-7gcp-2gmq-w3xh |
Code Injection RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. |
Affected by 6 other vulnerabilities. |
|
VCID-xz68-vwz2-2ke4
Aliases: CVE-2017-0901 GHSA-pm9x-4392-2c2p |
Improper Input Validation RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. |
Affected by 6 other vulnerabilities. |
|
VCID-zb9m-getz-3keh
Aliases: CVE-2015-4020 GHSA-qv62-xfj6-32xm |
Improper Input Validation RubyGems does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900. |
Affected by 12 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||