
rubygems

36 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2024-21654 (affected: < 2024-01-08) - CVSS 4.8 MEDIUM
Rubygems.org is the Ruby community's gem hosting service. Rubygems.org users with MFA enabled would normally be protected from acc

CVE-2023-40165 (affected: < 2023-08-14) - CVSS 7.4 HIGH
rubygems.org is the Ruby community's primary gem (library) hosting service. Insufficient input validation allowed malicious actors

CVE-2022-36073 (affected: < 2022-08-31) - CVSS 8.3 HIGH
RubyGems.org is the Ruby community gem host. A bug in password & email change confirmation code allowed an attacker to change thei

CVE-2022-29218 (affected: all versions) - CVSS 7.7 HIGH
RubyGems is a package registry used to supply software for the Ruby language ecosystem. An ordering mistake in the code that accep

CVE-2022-29176 (affected: all versions) - CVSS 9.9 CRITICAL
Rubygems is a package registry used to supply software for the Ruby language ecosystem. Due to a bug in the yank action, it was po

CVE-2019-8323 (affected: >= 2.6.0 and <= 3.0.2) - CVSS 7.5 HIGH
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response

CVE-2019-8322 (affected: >= 2.6.0 and <= 3.0.2) - CVSS 7.5 HIGH
An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response di

CVE-2019-8321 (affected: >= 2.6.0 and <= 3.0.2) - CVSS 7.5 HIGH
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, es

CVE-2019-8325 (affected: >= 2.6.0 and <= 3.0.2) - CVSS 7.5 HIGH
An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping,

CVE-2019-8324 (affected: >= 2.6.0 and <= 3.0.2) - CVSS 8.8 HIGH
An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Th

CVE-2019-8320 (affected: >= 2.7.6 and <= 3.0.2) - CVSS 7.4 HIGH
A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching fi

CVE-2018-1000079 (affected: <= 2.2.9) - CVSS 5.5 MEDIUM
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2018-1000078 (affected: <= 2.2.9) - CVSS 6.1 MEDIUM
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2018-1000077 (affected: <= 2.2.9) - CVSS 5.3 MEDIUM
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2018-1000076 (affected: <= 2.2.9) - CVSS 9.8 CRITICAL
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2018-1000075 (affected: <= 2.2.9) - CVSS 7.5 HIGH
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2018-1000074 (affected: <= 2.2.9) - CVSS 7.8 HIGH
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2018-1000073 (affected: <= 2.2.9) - CVSS 7.5 HIGH
RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby

CVE-2017-0903 (affected: all versions) - CVSS 9.8 CRITICAL
RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization

CVE-2017-0902 (affected: <= 2.6.12) - CVSS 8.1 HIGH
RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGe

CVE-2017-0901 (affected: <= 2.6.12) - CVSS 7.5 HIGH
RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overw

CVE-2017-0900 (affected: <= 2.6.12) - CVSS 7.5 HIGH
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack ag

CVE-2017-0899 (affected: <= 2.6.12) - CVSS 9.8 CRITICAL
RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape character

CVE-2015-4020 (affected: all versions)
RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or maki

CVE-2015-3900 (affected: all versions)
RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or maki

CVE-2013-4363 (affected: <= 1.8.23)
Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.2

CVE-2013-4287 (affected: <= 1.8.23)
Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.

CVE-2012-2126 (affected: <= 1.8.22)
RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a

CVE-2012-2125 (affected: <= 1.8.22)
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a g

CVE-2013-2616 (affected: all versions)
lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharac

CVE-2013-2615 (affected: all versions)
lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metac

CVE-2013-1875 (affected: all versions)
command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in

CVE-2013-0269 (affected: all versions)
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of servic

CVE-2012-2140 (affected: <= 2.4.1)
The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmai

CVE-2012-2139 (affected: <= 2.4.3)
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allo

CVE-2007-0469 (affected: <= 0.9.0)
The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, wh
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin