Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive

Date | Rubygem | Title | CVE
(a blank CVE column means no CVE identifier is listed for that advisory)

2012-02-01 | passenger | Phusion Passenger Gem for Ruby Arbitrary File Deletion | CVE-2012-6135
2011-12-28 | rack | Rack Hash Collision Form Parameter Parsing Remote DoS | CVE-2011-5036
2011-11-17 | actionpack | XSS vulnerability in the translate helper method in Ruby on Rails | CVE-2011-4319
2011-10-05 | spree | Spree Search ProductScope Class search[send][] Parameter Arbitrary Command Execution |
2011-09-20 | bundler | Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential Disclosure |
2011-09-01 | fog-dragonfly | Dragonfly Gem for Ruby on Windows Shell Escaping Weakness |
2011-09-01 | dragonfly | Dragonfly Gem for Ruby on Windows Shell Escaping Weakness |
2011-08-16 | actionpack | Response Splitting Vulnerability in Ruby on Rails | CVE-2011-3186
2011-04-19 | spree | Spree Content Controller Unspecified Arbitrary File Disclosure |
2011-01-25 | mail | Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection | CVE-2011-0739
2011-01-12 | quick_magick | quick_magick Gem for Ruby Function Crafted String Handling Remote Command Injection |
2010-11-02 | spree | Spree Multiple Script JSON Request Validation Weakness Remote Information Disclosure | CVE-2010-3978
2010-08-12 | curb | curb Gem for Ruby Empty http_put Body Handling Remote DoS |
2010-02-01 | bcrypt | bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only) |
2010-02-01 | bcrypt-ruby | bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only) |
2009-12-07 | jruby-openssl | jruby-openssl Gem for JRuby fails to do proper certificate validation | CVE-2009-4123
2008-10-10 | activerecord-oracle_enhanced-adapter | Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection |
2008-09-22 | spree | Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation | CVE-2008-7310
2008-08-15 | activeresource | activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String |
2008-08-12 | spree | Spree Hardcoded config.action_controller_session Hash Value Cryptographic Protection Weakness | CVE-2008-7311
2007-11-27 | gtk2 | Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Function Format String | CVE-2007-6183
2007-06-15 | builder | Builder Gem for Ruby Tag Name Handling Private Method Exposure |
2007-05-21 | json | json Gem for Ruby Data Handling Stack Buffer Overflow |
2007-01-22 | rubygems-update | RubyGems installer.rb extract_files Function Crafted GEM Package Arbitrary File Overwrite | CVE-2007-0469