rubygems-update
RubyGems | 25 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting rubygems-update (page 1 of 1)
- CVE-2007-0469 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 0.9.1 | 2007-01-24
vulnerable: 0.8.10 ... 0.9.0 (8 versions)
The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute…
- CVE-2012-2125 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8.23 | 2013-10-01
vulnerable: 0.8.10 ... 1.8.9 (61 versions)
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
- CVE-2012-2126 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.8.23 | 2013-10-01
vulnerable: 0.8.10 ... 1.8.9 (61 versions)
RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
- CVE-2013-4287 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.1.0 | 2013-10-17
vulnerable: 2.1.0.rc.1, 2.1.0.rc.2
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allow…
- CVE-2013-4363 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.1.5 | 2013-10-17
vulnerable: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p…
- CVE-2015-3900 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.4.7 | 2015-06-24
vulnerable: 2.4.0 ... 2.4.6 (7 versions)
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SR…
- CVE-2015-4020 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 2.4.8 | 2015-08-25
vulnerable: 2.3.0 ... 2.4.7 (9 versions)
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SR…
- CVE-2017-0899 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.6.13 | 2017-08-31
vulnerable: 0.8.10 ... 2.6.9 (139 versions)
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
- CVE-2017-0900 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.6.13 | 2017-08-31
vulnerable: 0.8.10 ... 2.6.9 (139 versions)
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that cause a denial of service against RubyGems clients that have issued a `query` command.
- CVE-2017-0901 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.6.13 | 2017-08-31
vulnerable: 0.8.10 ... 2.6.9 (139 versions)
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
- CVE-2017-0902 | HIGH | CVSS 8.1 | EG 8.1 | ✓ Fixed in 2.6.13 | 2017-08-31
vulnerable: 0.8.10 ... 2.6.9 (139 versions)
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls.
- CVE-2017-0903 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.6.14 | 2017-10-11
vulnerable: 2.0.0 ... 2.6.9 (65 versions)
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used…
- CVE-2018-1000073 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 0.8.10 ... 2.7.5 (148 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in …
- CVE-2018-1000074 | HIGH | CVSS 7.8 | EG 7.8 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 0.8.10 ... 2.7.5 (148 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vul…
- CVE-2018-1000075 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 0.8.10 ... 2.7.5 (148 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an infinite loop caused by negative size…
- CVE-2018-1000076 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 2.2.0 ... 2.7.5 (41 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Verification of Cryptographi…
- CVE-2018-1000077 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 0.8.10 ... 2.7.5 (148 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains an Improper Input Validation vulnerabili…
- CVE-2018-1000078 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 0.8.10 ... 2.7.5 (148 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerabil…
- CVE-2018-1000079 | MEDIUM | CVSS 5.5 | EG 5.5 | ✓ Fixed in 2.7.6 | 2018-03-13
vulnerable: 0.8.10 ... 2.7.5 (148 versions)
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in …
- CVE-2019-8320 | HIGH | CVSS 7.4 | EG 7.4 | ✓ Fixed in 3.0.3 | 2019-06-06
vulnerable: 3.0.0, 3.0.1, 3.0.2
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that dest…
- CVE-2019-8321 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.0.2 | 2019-06-17
vulnerable: 3.0.0, 3.0.1
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible.
- CVE-2019-8322 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.0.2 | 2019-06-17
vulnerable: 3.0.0, 3.0.1
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur.
- CVE-2019-8323 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.0.2 | 2019-06-17
vulnerable: 3.0.0, 3.0.1
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur.
- CVE-2019-8324 | HIGH | CVSS 8.8 | EG 8.8 | ✓ Fixed in 3.0.2 | 2019-06-17
vulnerable: 3.0.0, 3.0.1
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ens…
- CVE-2019-8325 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 3.0.2 | 2019-06-17
vulnerable: 3.0.0, 3.0.1
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.)