Search for packages
| purl | pkg:deb/debian/rubygems@1.8.24-1 |
| Next non-vulnerable version | 3.3.15-2+deb12u1 |
| Latest non-vulnerable version | 3.3.15-2+deb12u1 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4z5m-pfsj-6qdt
Aliases: CVE-2019-8321 GHSA-fr32-gr5c-xq5c |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible. |
Affected by 4 other vulnerabilities. |
|
VCID-55ab-2wkt-dfcy
Aliases: CVE-2019-8324 GHSA-76wm-422q-92mq |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. |
Affected by 4 other vulnerabilities. |
|
VCID-5gck-a7sm-tbe1
Aliases: CVE-2019-8322 GHSA-mh37-8c3g-3fgc |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. |
Affected by 4 other vulnerabilities. |
|
VCID-6jkx-n7aj-73g3
Aliases: CVE-2019-8325 GHSA-4wm8-fjv7-j774 |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) |
Affected by 4 other vulnerabilities. |
|
VCID-9fjb-7wus-cfeu
Aliases: CVE-2019-8323 GHSA-3h4r-pjv6-cph9 |
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. |
Affected by 4 other vulnerabilities. |
|
VCID-9v2s-tv6k-cbey
Aliases: CVE-2017-0899 GHSA-7gcp-2gmq-w3xh |
Affected by 4 other vulnerabilities. |
|
|
VCID-ej8g-bnsx-kfhv
Aliases: CVE-2018-1000076 GHSA-mc6j-h948-v2p6 |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-fwds-unu4-n7gn
Aliases: CVE-2019-8320 GHSA-5x32-c9mf-49cc |
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system. |
Affected by 4 other vulnerabilities. |
|
VCID-g3hj-d52t-1bf1
Aliases: CVE-2017-0902 GHSA-73w7-6w9g-gc8w |
Affected by 4 other vulnerabilities. |
|
|
VCID-gknp-a2p2-4ucm
Aliases: CVE-2018-1000074 GHSA-qj2w-mw2r-pv39 |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-hk69-vd9p-wfb3
Aliases: CVE-2021-43809 GHSA-fj7f-vq84-fh43 |
arbitrary command execution |
Affected by 2 other vulnerabilities. |
|
VCID-j53m-puxj-gbfb
Aliases: CVE-2018-1000073 GHSA-gx69-6cp4-hxrj |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-nhny-8weg-7fam
Aliases: CVE-2017-0903 GHSA-mqwr-4qf2-2hcv |
Affected by 4 other vulnerabilities. |
|
|
VCID-npc6-7kwh-8ud9
Aliases: CVE-2018-1000077 GHSA-gv86-43rv-79m2 |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-qfe5-w7ge-skfa
Aliases: CVE-2023-28755 GHSA-hv5j-3h9f-99c2 |
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ug6n-hxax-xfgp
Aliases: CVE-2025-27221 GHSA-22h5-pq3x-2gf2 |
URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+ There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem. ## Details The methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur. Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later. ## Affected versions uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2. ## Credits Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-v446-d877-f3a3
Aliases: CVE-2018-1000075 GHSA-74pv-v9gh-h25p |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-vvkj-4ywh-47cb
Aliases: CVE-2017-0900 GHSA-p7f2-rr42-m9xm |
Affected by 4 other vulnerabilities. |
|
|
VCID-w37m-8kzy-kydq
Aliases: CVE-2013-4287 GHSA-9j7m-rjqx-48vh OSV-97163 |
RubyGems Regular Expression Denial of Service vulnerability Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in `lib/rubygems/version.rb` in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. |
Affected by 4 other vulnerabilities. |
|
VCID-x6ej-fw8q-3qd9
Aliases: CVE-2017-0901 GHSA-pm9x-4392-2c2p |
Affected by 4 other vulnerabilities. |
|
|
VCID-xbwr-ubt1-57c6
Aliases: CVE-2018-1000079 GHSA-8qxg-mff5-j3wc |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-y7ya-bf6z-g3bn
Aliases: CVE-2018-1000078 GHSA-87qx-g5wg-mwmj |
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. |
Affected by 4 other vulnerabilities. |
|
VCID-yx2m-uv31-37dv
Aliases: CVE-2013-4363 GHSA-9qvm-2vhf-q649 |
RubyGems Regular Expression Denial of Service Algorithmic complexity vulnerability in `Gem::Version::ANCHORED_VERSION_PATTERN` in `lib/rubygems/version.rb` in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287. |
Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||