rubygems-update (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package rubygems-update, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (25)
CVE-2018-1000076 — CVSS 9.8 (critical): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2017-0899 — CVSS 9.8 (critical): RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters…
CVE-2017-0903 — CVSS 9.8 (critical): RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem…
CVE-2007-0469 — CVSS 9.3 (critical): The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which…
CVE-2019-8324 — CVSS 8.8 (high): An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore…
CVE-2017-0902 — CVSS 8.1 (high): RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client…
CVE-2018-1000074 — CVSS 7.8 (high): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2019-8325 — CVSS 7.5 (high): An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape…
CVE-2017-0900 — CVSS 7.5 (high): RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against…
CVE-2017-0901 — CVSS 7.5 (high): RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any…
CVE-2018-1000073 — CVSS 7.5 (high): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2018-1000075 — CVSS 7.5 (high): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2019-8321 — CVSS 7.5 (high): An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape…
CVE-2019-8322 — CVSS 7.5 (high): An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to…
CVE-2019-8323 — CVSS 7.5 (high): An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to…
CVE-2019-8320 — CVSS 7.4 (high): A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files…
CVE-2018-1000078 — CVSS 6.1 (medium): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2012-2125 — CVSS 5.8 (medium): RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during…
CVE-2018-1000079 — CVSS 5.5 (medium): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2018-1000077 — CVSS 5.3 (medium): RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5…
CVE-2015-3900 — CVSS 5.0 (medium): RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API…
CVE-2012-2126 — CVSS 4.3 (medium): RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a…
CVE-2015-4020 — CVSS 4.3 (medium): RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API…
CVE-2013-4363 — CVSS 4.3 (medium): Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2…
CVE-2013-4287 — CVSS 4.3 (medium): Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24…