Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive

Date Rubygem Title CVE
2019-11-09 chartkick Prototype Pollution in Chartkick.js 3.1.x 2019-18841
2019-10-24 brakeman brakeman world writable files allow local privilege escalation 2019-18409
2019-10-24 ruby_parser-legacy ruby_parser-legacy world writable files allow local privilege escalation 2019-18409
2019-10-22 loofah Loofah XSS Vulnerability 2019-15587
2019-09-27 simple_form simple_form Gem for Ruby Incorrect Access Control for forms based on user input 2019-16676
2019-09-23 consul Consul gem insufficient authentication check: Multiple powers in one controller are not always checked correctly 2019-16377
2019-09-12 rubyzip Denial of Service in rubyzip ("zip bombs") 2019-16892
2019-09-08 devise Devise Gem for Ruby confirmation token validation with a blank string 2019-16109
2019-08-20 awesome-bot Code execution backdoor in awesome-bot 2019-15224
2019-08-20 omniauth_amazon Code execution backdoor in omniauth_amazon 2019-15224
2019-08-20 capistrano-colors Code execution backdoor in capistrano-colors 2019-15224
2019-08-20 blockchain_wallet Code execution backdoor in blockchain_wallet 2019-15224
2019-08-20 coming-soon Code execution backdoor in coming-soon 2019-15224
2019-08-20 doge-coin Code execution backdoor in doge-coin 2019-15224
2019-08-20 bitcoin_vanity Code execution backdoor in bitcoin_vanity 2019-15224
2019-08-20 cron_parser Code execution backdoor in cron_parser 2019-15224
2019-08-20 coin_base Code execution backdoor in coin_base 2019-15224
2019-08-20 lita_coin Code execution backdoor in lita_coin 2019-15224
2019-08-19 rest-client Code execution backdoor in rest-client 2019-15224
2019-08-11 nokogiri Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file 2019-5477
2019-08-11 rexical Rexical Command Injection Vulnerability 2019-5477
2019-07-31 simple_captcha2 Code backdoor in simple_captcha2 2019-14282
2019-07-31 datagrid Code execution backdoor in datagrid 2019-14281
2019-07-26 marginalia SQL injection vulnerability via Marginalia::Comment 2019-1010191
2019-07-16 slanger Arbitrary command execution in slanger 2019-1010306
2019-07-16 paranoid2 Code backdoor in paranoid2 2019-13589
2019-07-12 mini_magick Remote command execution via filename 2019-13574
2019-07-05 strong_password strong_password Ruby gem malicious version causing Remote Code Execution vulnerability 2019-13354
2019-07-02 yard Arbitrary path traversal and file access via `yard server` 2019-1020001
2019-07-02 yard Possible arbitrary path traversal and file access via `yard server`