Search for packages
| purl | pkg:gem/rubygems-update@2.6.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-b36p-re17-n7dq
Aliases: CVE-2017-0900 GHSA-p7f2-rr42-m9xm |
Improper Input Validation RubyGems is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. |
Affected by 6 other vulnerabilities. |
|
VCID-cde2-rv4n-tkau
Aliases: CVE-2017-0903 GHSA-mqwr-4qf2-2hcv |
Deserialization of Untrusted Data rubygems-update is vulnerable to a remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. |
Affected by 5 other vulnerabilities. |
|
VCID-f7x5-hz5f-hyd3
Aliases: CVE-2019-8325 GHSA-4wm8-fjv7-j774 |
Improper Restriction of Operations within the Bounds of a Memory Buffer An issue was discovered in RubyGems. Since `Gem::CommandManager#run` calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ha3g-uyse-wybx
Aliases: CVE-2019-8322 GHSA-mh37-8c3g-3fgc |
Injection Vulnerability An issue was discovered in RubyGems. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jkwe-c323-3yez
Aliases: CVE-2019-8321 GHSA-fr32-gr5c-xq5c |
Argument Injection or Modification An issue was discovered in RubyGems. Since `Gem::UserInteraction#verbose` calls say without escaping, escape sequence injection is possible. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-jmzh-89dm-r7g2
Aliases: CVE-2017-0902 GHSA-73w7-6w9g-gc8w |
Origin Validation Error RubyGems is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. |
Affected by 6 other vulnerabilities. |
|
VCID-ky5r-bch5-m7dv
Aliases: CVE-2019-8323 GHSA-3h4r-pjv6-cph9 |
Injection Vulnerability An issue was discovered in RubyGems. `Gem::GemcutterUtilities#with_response` may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xgmc-a5rk-zqag
Aliases: CVE-2019-8324 GHSA-76wm-422q-92mq |
Improper Input Validation A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is evaluated by `ensure_loadable_spec` during the pre-installation check. |
Affected by 6 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xgsa-5umz-qffr
Aliases: CVE-2017-0899 GHSA-7gcp-2gmq-w3xh |
Code Injection RubyGems is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. |
Affected by 6 other vulnerabilities. |
|
VCID-xz68-vwz2-2ke4
Aliases: CVE-2017-0901 GHSA-pm9x-4392-2c2p |
Improper Input Validation RubyGems fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||