Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive

| Date | Rubygem | Title | CVE |
|---|---|---|---|
| 2013-02-11 | activerecord | Ruby on Rails Active Record attr_protected Method Bypass | CVE-2013-0276 |
| 2013-02-11 | json | Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS | CVE-2013-0269 |
| 2013-02-07 | rack | Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure | CVE-2013-0262 |
| 2013-02-07 | rack | Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution | CVE-2013-0263 |
| 2013-02-06 | rdoc | RDoc 2.3.0 through 3.12 XSS Exploit | CVE-2013-0256 |
| 2013-02-04 | json | json Gem for Ruby JSON::GenericObject Function Arbitrary Addition Creation | CVE-2013-0269 |
| 2013-01-28 | devise | Devise Database Type Conversion Crafted Request Parsing Security Bypass | CVE-2013-0233 |
| 2013-01-28 | activesupport | Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code Execution | CVE-2013-0333 |
| 2013-01-14 | httparty | httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution | CVE-2013-1801 |
| 2013-01-13 | rack | Rack Rack::Auth::AbstractRequest Class Unspecified Remote DoS | CVE-2013-0184 |
| 2013-01-11 | multi_xml | multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution | CVE-2013-0175 |
| 2013-01-10 | nori | Ruby Gem nori Parameter Parsing Remote Code Execution | CVE-2013-0285 |
| 2013-01-09 | crack | crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution | CVE-2013-1800 |
| 2013-01-08 | activerecord | Ruby on Rails Active Record JSON Parameter Parsing Query Bypass | CVE-2013-0155 |
| 2013-01-08 | extlib | extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution | CVE-2013-1802 |
| 2013-01-08 | actionpack | Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing Remote Code Execution | CVE-2013-0156 |
| 2013-01-07 | rack | Rack Long String Parsing Memory Consumption Remote DoS | CVE-2013-0183 |
| 2012-12-22 | activerecord | Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass | CVE-2012-6496 |
| 2012-12-21 | authlogic | Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness | CVE-2012-6497 |
| 2012-12-06 | newrelic_rpm | Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information | CVE-2013-0284 |
| 2012-12-04 | ldap_fluff | Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass | CVE-2012-5604 |
| 2012-09-08 | omniauth-oauth2 | Ruby on Rails omniauth-oauth2 Gem CSRF Vulnerability | CVE-2012-6134 |
| 2012-09-08 | loofah | Loofah HTML and XSS Injection Vulnerability | |
| 2012-08-09 | actionpack | Ruby on Rails select_tag Helper Method prompt Value XSS | CVE-2012-3463 |
| 2012-08-09 | activesupport | Ruby on Rails HTML Escaping Code XSS | CVE-2012-3464 |
| 2012-08-09 | actionpack | Ruby on Rails strip_tags Helper Method XSS | CVE-2012-3465 |
| 2012-07-26 | actionpack | Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS | CVE-2012-3424 |
| 2012-07-02 | spree | Product Scopes Could Allow Unauthenticated Remote Command Execution | |
| 2012-07-02 | spree | Potential XSS Vulnerability Related to the Analytics Dashboard | |
| 2012-06-08 | nokogiri | Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure | CVE-2012-6685 |