Providing security resources for the Ruby community.

Advisory Archive

| Date | Rubygem | Title | CVE |
| --- | --- | --- | --- |
| 2017-11-28 | yard | Potential arbitrary file read vulnerability in yard server | 2017-17042 |
| 2017-11-16 | redis-store | Unsafe objects can be loaded from Redis | 2017-1000248 |
| 2017-11-10 | geminabox | Stored XSS in "geminabox" via injection in Gemspec "homepage" value | 2017-16792 |
| 2017-11-09 | recurly | SSRF vulnerability in Recurly gem's Resource#find | 2017-0905 |
| 2017-11-09 | private_address_check | private_address_check Ruby Gem Blacklist Bypass privilege escalation | 2017-0909 |
| 2017-11-07 | private_address_check | private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery | 2017-0904 |
| 2017-11-03 | yajl-ruby | Flaw in yajl-ruby gem may cause a DoS | 2017-16516 |
| 2017-10-29 | ox | ox ruby gem stack overflow in sax_parse | 2017-16229 |
| 2017-10-27 | ox | ox ruby gem segmentation fault via parse_obj | 2017-15928 |
| 2017-10-24 | rest-client | rest-client ruby gem logs sensitive information | 2015-3448 |
| 2017-10-24 | openssl | Incorrect handling of initialization vector in the GCM mode in OpenSSL | 2016-7798 |
| 2017-10-09 | rubygems-update | Unsafe Object Deserialization Vulnerability in RubyGems | 2017-0903 |
| 2017-09-19 | nokogiri | Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities | 2017-9050 |
| 2017-08-29 | rubygems-update | RubyGems DNS request hijacking vulnerability | 2017-0902 |
| 2017-08-29 | rubygems-update | RubyGems ANSI escape sequence vulnerability | 2017-0899 |
| 2017-08-29 | rubygems-update | RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files | 2017-0901 |
| 2017-08-29 | rubygems-update | RubyGems DoS vulnerability in the query command | 2017-0900 |
| 2017-07-11 | gemirro | Stored XSS in "gemirro" via injection in Gemspec "homepage" value | 2017-16833 |
| 2017-05-09 | nokogiri | Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 | 2017-5029 |
| 2017-05-08 | haml | haml failure to escape single quotes | 2017-1002201 |
| 2017-05-01 | rubocop | RuboCop: insecure use of /tmp | 2017-8418 |
| 2017-04-05 | safemode | Safemode Gem for Ruby is vulnerable to bypassing safe mode limitations | 2017-7540 |
| 2017-03-11 | nokogiri | Nokogiri gem contains several vulnerabilities in libxml2 and libxslt | 2016-4658 |
| 2017-02-27 | rubyzip | Directory traversal vulnerability in rubyzip | 2017-5946 |
| 2017-01-11 | omniauth | omniauth leaks authenticity token in callback params | 2017-18076 |
| 2016-12-21 | rails_admin | CSRF vulnerability in rails_admin | 2016-10522 |
| 2016-11-09 | passenger | Predictable tmp File Path Vulnerability in Phusion Passenger | 2016-10345 |
| 2016-08-22 | minitar | Minitar Directory Traversal Vulnerability | 2016-10173 |
| 2016-08-22 | archive-tar-minitar | Archive-Tar-Minitar Directory Traversal Vulnerability | 2016-10173 |
| 2016-08-18 | doorkeeper | Doorkeeper gem does not revoke tokens & uses wrong auth/auth method | 2016-6582 |