Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive

| Date | Rubygem | Title | CVE |
|---|---|---|---|
| 2012-07-02 | spree | Potential XSS vulnerability related to the analytics dashboard | |
| 2012-06-08 | nokogiri | Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure | 2012-6685 |
| 2012-06-06 | rack-cache | rack-cache Rubygem Sensitive HTTP Header Caching Weakness | 2012-2671 |
| 2012-05-31 | activerecord | Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection | 2012-2660 |
| 2012-05-31 | activerecord | Ruby on Rails where Method ActiveRecord Class SQL Injection | 2012-2661 |
| 2012-05-04 | rack | Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS | 2012-6109 |
| 2012-03-14 | mail | Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution | 2012-2140 |
| 2012-03-14 | mail | Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation | 2012-2139 |
| 2012-03-01 | actionpack | Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS | 2012-1099 |
| 2012-03-01 | activesupport | Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS | 2012-1098 |
| 2012-02-29 | RedCloth | RedCloth Gem for Ruby Textile Link Parsing XSS | 2012-6684 |
| 2012-02-01 | passenger | Phusion Passenger Gem for Ruby Arbitrary File Deletion | 2012-6135 |
| 2011-12-28 | rack | Rack Hash Collision Form Parameter Parsing Remote DoS | 2011-5036 |
| 2011-11-17 | actionpack | XSS vulnerability in the translate helper method in Ruby on Rails | 2011-4319 |
| 2011-10-05 | spree | Spree Search ProductScope Class search[send][] Parameter Arbitrary Command Execution | |
| 2011-09-20 | bundler | Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential Disclosure | |
| 2011-09-01 | dragonfly | Dragonfly Gem for Ruby on Windows Shell Escaping Weakness | |
| 2011-09-01 | fog-dragonfly | Dragonfly Gem for Ruby on Windows Shell Escaping Weakness | |
| 2011-08-16 | actionpack | Response Splitting Vulnerability in Ruby on Rails | 2011-3186 |
| 2011-04-19 | spree | Spree Content Controller Unspecified Arbitrary File Disclosure | |
| 2011-01-25 | mail | Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection | 2011-0739 |
| 2011-01-12 | quick_magick | quick_magick Gem for Ruby Function Crafted String Handling Remote Command Injection | |
| 2010-11-02 | spree | Spree Multiple Script JSON Request Validation Weakness Remote Information Disclosure | 2010-3978 |
| 2010-08-12 | curb | curb Gem for Ruby Empty http_put Body Handling Remote DoS | |
| 2010-02-01 | bcrypt-ruby | bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only) | |
| 2010-02-01 | bcrypt | bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only) | |
| 2009-12-07 | jruby-openssl | jruby-openssl Gem for JRuby fails to do proper certificate validation | 2009-4123 |
| 2008-10-10 | activerecord-oracle_enhanced-adapter | Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection | |
| 2008-09-22 | spree | Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation | 2008-7310 |
| 2008-08-15 | activeresource | activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String | |