Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

Date Rubygem Title CVE
2012-12-04 ldap_fluff Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass 2012-5604
2012-09-08 omniauth-oauth2 Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability 2012-6134
2012-09-08 loofah Loofah HTML and XSS injection vulnerability
2012-08-09 actionpack Ruby on Rails strip_tags Helper Method XSS 2012-3465
2012-08-09 actionpack Ruby on Rails select_tag Helper Method prompt Value XSS 2012-3463
2012-08-09 activesupport Ruby on Rails HTML Escaping Code XSS 2012-3464
2012-07-26 actionpack Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS 2012-3424
2012-07-02 spree Product Scopes could allow for unauthenticated remote command execution
2012-07-02 spree Potential XSS vulnerability related to the analytics dashboard
2012-06-08 nokogiri Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure 2012-6685
2012-06-06 rack-cache rack-cache Rubygem Sensitive HTTP Header Caching Weakness 2012-2671
2012-05-31 activerecord Ruby on Rails where Method ActiveRecord Class SQL Injection 2012-2661
2012-05-31 activerecord Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection 2012-2660
2012-05-04 rack Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS 2012-6109
2012-03-14 mail Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution 2012-2140
2012-03-14 mail Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation 2012-2139
2012-03-01 activesupport Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS 2012-1098
2012-03-01 actionpack Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS 2012-1099
2012-02-29 RedCloth RedCloth Gem for Ruby Textile Link Parsing XSS 2012-6684
2012-02-01 passenger Phusion Passenger Gem for Ruby Arbitrary File Deletion 2012-6135
2011-12-28 rack Rack Hash Collision Form Parameter Parsing Remote DoS 2011-5036
2011-11-17 actionpack XSS vulnerability in the translate helper method in Ruby on Rails 2011-4319
2011-10-05 spree Spree Search ProductScope Class search[send][] Parameter Arbitrary Command Execution
2011-09-20 bundler Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential Disclosure
2011-09-01 fog-dragonfly Dragonfly Gem for Ruby on Windows Shell Escaping Weakness
2011-09-01 dragonfly Dragonfly Gem for Ruby on Windows Shell Escaping Weakness
2011-08-16 actionpack Response Splitting Vulnerability in Ruby on Rails 2011-3186
2011-04-19 spree Spree Content Controller Unspecified Arbitrary File Disclosure
2011-01-25 mail Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection 2011-0739
2011-01-12 quick_magick quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String Handling Remote Command Injection