Advisory Archive

2024	Apr 16	GHSA-g7xq-xv8c-h98c (phlex): Cross-site Scripting (XSS) possible due to improper sanitisation of `href` attributes on `` tags posted in •
	Mar 25	CVE-2024-29034 (carrierwave): CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained posted in •
	Mar 21	CVE-2024-27280 (stringio): Buffer overread vulnerability in StringIO posted in •
	Mar 21	CVE-2024-27281 (rdoc): RCE vulnerability with .rdoc_options in RDoc posted in •
	Mar 18	CVE-2024-28862 (rotp): ROTP 6.2.2 and 6.2.1 has 0666 permissions for the .rb files. posted in •
	Mar 18	GHSA-vcc3-rw6f-jv97 (nokogiri): Use-after-free in libxml2 via Nokogiri::XML::Reader posted in •
	Mar 15	CVE-2024-28181 (turbo_boost-commands): TurboBoost Commands vulnerable to arbitrary method invocation posted in •
	Mar 12	CVE-2024-28121 (stimulus_reflex): StimulusReflex arbitrary method call posted in •
	Mar 12	CVE-2024-28199 (phlex): Cross-site Scripting (XSS) possible with maliciously formed HTML attribute names and values in Phlex posted in •
	Feb 29	CVE-2023-51774 (json-jwt): json-jwt allows bypass of identity checks via a sign/encryption confusion attack posted in •
	Feb 28	CVE-2024-27285 (yard): YARD's default template vulnerable to Cross-site Scripting in generated frames.html posted in •
	Feb 26	CVE-2024-27456 (rack-cors): Rack CORS Middleware has Insecure File Permissions posted in •
	Feb 21	CVE-2024-25126 (rack): Denial of Service Vulnerability in Rack Content-Type Parsing posted in •
	Feb 21	CVE-2024-26141 (rack): Possible DoS Vulnerability with Range Header in Rack posted in •
	Feb 21	CVE-2024-26142 (actionpack): Possible ReDoS vulnerability in Accept header parsing in Action Dispatch posted in •
	Feb 21	CVE-2024-26143 (actionpack): Possible XSS Vulnerability in Action Controller posted in •
	Feb 21	CVE-2024-26144 (activestorage): Possible Sensitive Session Information Leak in Active Storage posted in •
	Feb 21	CVE-2024-26146 (rack): Possible Denial of Service Vulnerability in Rack Header Parsing posted in •
	Feb 20	CVE-2023-47634 (decidim): Race condition in Endorsements posted in •
	Feb 20	CVE-2023-47635 (decidim-templates): Possible CSRF attack at questionnaire templates preview posted in •
	Feb 20	CVE-2023-48220 (devise_invitable): Possibility to circumvent the invitation token expiry period posted in •
	Feb 20	CVE-2023-51447 (decidim): Cross-site scripting (XSS) in the dynamic file uploads posted in •
	Feb 13	CVE-2024-25122 (sidekiq-unique-jobs): sidekiq-unique-jobs UI server vulnerable to XSS & RCE in Redis posted in •
	Feb 04	CVE-2024-25062 (nokogiri): Improper Handling of Unexpected Data Type in Nokogiri posted in •
	Feb 04	GHSA-xc9x-jj77-9p9j (nokogiri): Use-after-free in libxml2 via Nokogiri::XML::Reader posted in •
	Jan 17	CVE-2024-22411 (avo): Cross-site scripting (XSS) in Action messages on Avo posted in •
	Jan 16	CVE-2024-22191 (avo): avo vulnerable to stored cross-site scripting (XSS) in key_value field posted in •
	Jan 12	CVE-2024-0227 (devise-two-factor): Devise-Two-Factor vulnerable to brute force attacks posted in •
	Jan 08	CVE-2024-21647 (puma): Puma HTTP Request/Response Smuggling vulnerability posted in •
	Jan 04	CVE-2024-21636 (view_component): view_component Cross-site Scripting vulnerability posted in •
	Jan 03	CVE-2024-21632 (omniauth-microsoft_graph): Omniauth::MicrosoftGraph Account takeover (nOAuth) posted in •
2023	Dec 24	CVE-2023-51763 (activeadmin): ActiveAdmin vulnerable to CSV injection posted in •
	Dec 18	CVE-2022-44303 (resque-scheduler): Resque Scheduler Reflected XSS In Delayed Jobs View posted in •
	Dec 18	CVE-2023-50724 (resque): Resque vulnerable to Reflected Cross Site Scripting through pathnames posted in •
	Dec 18	CVE-2023-50725 (resque): Resque vulnerable to reflected XSS in resque-web failed and queues lists posted in •
	Dec 18	CVE-2023-50727 (resque): Resque vulnerable to reflected XSS in Queue Endpoint posted in •
	Dec 15	CVE-2023-50448 (activeadmin): Potential CSV export data leak posted in •
	Dec 06	CVE-2023-26154 (pubnub): pubnub Insufficient Entropy vulnerability posted in •
	Nov 29	CVE-2023-49090 (carrierwave): CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS posted in •
	Oct 30	CVE-2023-5349 (rmagick): memory leak flaw was found in ruby-magick posted in •
	Oct 24	CVE-2024-0241 (encoded_id-rails): encoded_id-rails potential DOS vulnerability due to URIs with extremely long encoded IDs posted in •
	Oct 24	GHSA-3px7-jm2p-6h2c (encoded_id-rails): encoded_id-rails potential DOS vulnerability due to URIs with extremely long encoded IDs posted in •
	Oct 19	CVE-2023-46035 (svg_optimizer): External XML entity (XXE) vulnerability in svg_optimizer rubygem posted in •
	Oct 06	CVE-2023-26153 (geokit-rails): geokit-rails Command Injection vulnerability posted in •
	Oct 06	CVE-2023-5214 (bolt): Puppet Bolt privilege escalation vulnerability posted in •
	Oct 05	CVE-2023-36465 (decidim): Decidim has broken access control in templates posted in •
	Sep 14	CVE-2023-26141 (sidekiq): sidekiq Denial of Service vulnerability posted in •
	Sep 13	CVE-2023-4785 (grpc): Denial of Service Vulnerability in gRPC TCP Server (Posix-compatible platforms) posted in •
	Aug 23	CVE-2023-38037 (activesupport): Possible File Disclosure of Locally Encrypted Files posted in •
	Aug 18	CVE-2023-40175 (puma): Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma posted in •
	Aug 18	GHSA-68xg-gqqm-vgj8 (puma): Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') in puma posted in •
	Aug 08	GHSA-7vh7-fw88-wj87 (commonmarker): Several quadratic complexity bugs may lead to denial of service in Commonmarker posted in •
	Aug 03	CVE-2023-38697 (protocol-http1): protocol-http1 HTTP Request/Response Smuggling vulnerability posted in •
	Jul 15	CVE-2023-38337 (rswag): rswag vulnerable to arbitrary JSON and YAML file read via directory traversal posted in •
	Jul 11	CVE-2023-32693 (decidim): Decidim Cross-site Scripting vulnerability in the external link redirections posted in •
	Jul 11	CVE-2023-34089 (decidim): Decidim Cross-site Scripting vulnerability in the processes filter posted in •
	Jul 11	CVE-2023-34090 (decidim): Decidim vulnerable to sensitive data disclosure posted in •
	Jul 06	CVE-2023-1428 (grpc): gRPC Reachable Assertion issue posted in •
	Jul 06	CVE-2023-32732 (grpc): gRPC connection termination issue posted in •
	Jul 06	CVE-2023-36823 (sanitize): Sanitize vulnerable to Cross-site Scripting via insufficient neutralization of `style` element content posted in •
	Jul 05	CVE-2023-32731 (grpc): Connection confusion in gRPC posted in •
	Jun 29	CVE-2023-36617 (uri): ReDoS vulnerability in URI posted in •
	Jun 28	CVE-2023-3445 (spina): Spina Cross-site Scripting vulnerability posted in •
	Jun 26	CVE-2020-23064 (jquery-rails): jQuery Cross Site Scripting vulnerability posted in •
	Jun 26	CVE-2023-28362 (actionpack): Possible XSS via User Supplied Values to redirect_to posted in •
	Jun 12	CVE-2023-34246 (doorkeeper): Doorkeeper Improper Authentication vulnerability posted in •
	Jun 06	CVE-2023-31606 (RedCloth): RedCloth Regular Expression Denial of Service issue posted in •
	Jun 06	CVE-2023-34102 (avo): avo possible unsafe reflection / partial DoS vulnerability posted in •
	Jun 06	CVE-2023-34103 (avo): avo vulnerable to Stored XSS (Cross Site Scripting) in html content based fields posted in •
	May 26	CVE-2023-30145 (camaleon_cms): Server-Side Template Injection in Camaleon CMS posted in •
	May 01	CVE-2024-22047 (audited): Race Condition leading to logging errors posted in •
	May 01	GHSA-hjp3-5g2q-7jww (audited): Race Condition leading to logging errors posted in •
	Apr 26	CVE-2022-37454 (sha3): Buffer overflow in sponge queue functions posted in •
	Apr 24	CVE-2023-30618 (kitchen-terraform): Sensitive Terraform Output Values Printed At Info Logging Level In Kitchen-Terraform posted in •
	Apr 21	CVE-2023-1892 (sidekiq): sidekiq vulnerable to cross-site scripting posted in •
	Apr 20	CVE-2023-30614 (pay): Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Pay posted in •
	Apr 11	CVE-2024-22048 (govuk_tech_docs): govuk_tech_docs vulnerable to unescaped HTML on search results page posted in •
	Apr 11	GHSA-pxvg-2qj5-37jq (nokogiri): Update packaged libxml2 to v2.10.4 to resolve multiple CVEs posted in •
	Apr 11	GHSA-x2xw-hw8g-6773 (govuk_tech_docs): govuk_tech_docs vulnerable to unescaped HTML on search results page posted in •
	Mar 31	CVE-2023-28755 (uri): Ruby URI component ReDoS issue posted in •
	Mar 31	CVE-2023-28756 (time): Ruby Time component ReDos issue posted in •
	Mar 31	GHSA-48wp-p9qv-4j64 (commonmarker): Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service posted in •
	Mar 30	CVE-2023-28846 (unpoly-rails): unpoly-rails Denial of Service vulnerability posted in •
	Mar 27	CVE-2023-28102 (discordrb): GHSL-2022-094: Remote Code Execution in discordrb posted in •
	Mar 13	CVE-2023-23913 (actionview): DOM Based Cross-site Scripting in rails-ujs for contenteditable HTML Elements posted in •
	Mar 13	CVE-2023-27531 (kredis): Possible Deserialization of Untrusted Data Vulnerability in Kredis JSON posted in •
	Mar 13	CVE-2023-27539 (rack): Possible Denial of Service Vulnerability in Rack’s header parsing posted in •
	Mar 13	CVE-2023-28120 (activesupport): Possible XSS Security Vulnerability in SafeBuffer#bytesplice posted in •
	Mar 03	CVE-2023-27530 (rack): Possible DoS Vulnerability in Multipart MIME parsing posted in •
	Feb 24	CVE-2022-36231 (pdf_info): Code injection in pdf_info posted in •
	Feb 01	CVE-2023-25015 (clockwork_web): CSRF Vulnerability with Rails < 5.2 posted in •
	Jan 29	CVE-2023-0569 (publify_core): Publify contains Weak Password Requirements posted in •
	Jan 28	CVE-2023-23627 (sanitize): Improper neutralization of `noscript` element content may allow XSS in Sanitize posted in •
	Jan 24	GHSA-636f-xm5j-pj9m (commonmarker): Several quadratic complexity bugs may lead to denial of service in Commonmarker posted in •
	Jan 20	GHSA-q95h-cqrv-8jv5 (exiftool_vendored): ExifTool vulnerable to arbitrary code execution posted in •
	Jan 18	CVE-2022-44566 (activerecord): Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter posted in •
	Jan 18	CVE-2022-44570 (rack): Denial of service via header parsing in Rack posted in •
	Jan 18	CVE-2022-44571 (rack): Denial of Service Vulnerability in Rack Content-Disposition parsing posted in •
	Jan 18	CVE-2022-44572 (rack): Denial of service via multipart parsing in Rack posted in •
	Jan 18	CVE-2023-22792 (actionpack): ReDoS based DoS vulnerability in Action Dispatch posted in •
	Jan 18	CVE-2023-22794 (activerecord): SQL Injection Vulnerability via ActiveRecord comments posted in •
	Jan 18	CVE-2023-22795 (actionpack): ReDoS based DoS vulnerability in Action Dispatch posted in •
	Jan 18	CVE-2023-22796 (activesupport): ReDoS based DoS vulnerability in Active Support’s underscore posted in •
	Jan 18	CVE-2023-22797 (actionpack): Open Redirect Vulnerability in Action Pack posted in •
	Jan 18	CVE-2023-22799 (globalid): ReDoS based DoS vulnerability in GlobalID posted in •
	Jan 17	CVE-2022-47318 (git): Code injection in ruby git posted in •
	Jan 17	CVE-2022-4891 (sisimai): Sisimai Inefficient Regular Expression Complexity vulnerability posted in •
	Jan 16	CVE-2015-10053 (curupira): curupira is vulnerable to SQL injection posted in •
	Jan 14	CVE-2022-1812 (publify_core): Integer overflow in publify_core posted in •
	Jan 14	CVE-2022-2815 (publify_core): Publify Core does not strip metadata from images posted in •
	Jan 14	CVE-2023-0299 (publify_core): Publify Improper Input Validation vulnerability posted in •
	Jan 07	CVE-2020-36644 (inline_svg): Inline SVG vulnerable to Cross-site Scripting posted in •
	Jan 05	CVE-2022-46648 (git): Potential remote code execution in ruby-git posted in •
	Jan 04	CVE-2023-22626 (pghero): Information Disclosure Through EXPLAIN Feature posted in •
	Jan 03	CVE-2024-22049 (httparty): httparty has multipart/form-data request tampering vulnerability posted in •
	Jan 03	GHSA-5pq7-52mg-hr42 (httparty): httparty has multipart/form-data request tampering vulnerability posted in •
2022	Dec 31	CVE-2017-20159 (keynote): keynote Cross-site Scripting vulnerability posted in •
	Dec 27	CVE-2019-25088 (oxidized-web): Oxidized Web vulnerable to Cross-site Scripting posted in •
	Dec 22	CVE-2020-36624 (text_helpers): text_helpers uses web link to untrusted target with window.opener access posted in •
	Dec 19	CVE-2021-4250 (active_attr): active_attr Improper Resource Shutdown or Release vulnerability posted in •
	Dec 13	CVE-2022-23514 (loofah): Inefficient Regular Expression Complexity in Loofah posted in •
	Dec 13	CVE-2022-23515 (loofah): Improper neutralization of data URIs may allow XSS in Loofah posted in •
	Dec 13	CVE-2022-23516 (loofah): Uncontrolled Recursion in Loofah posted in •
	Dec 13	CVE-2022-23517 (rails-html-sanitizer): Inefficient Regular Expression Complexity in rails-html-sanitizer posted in •
	Dec 13	CVE-2022-23518 (rails-html-sanitizer): Improper neutralization of data URIs may allow XSS in rails-html-sanitizer posted in •
	Dec 13	CVE-2022-23519 (rails-html-sanitizer): Possible XSS vulnerability with certain configurations of rails-html-sanitizer posted in •
	Dec 13	CVE-2022-23520 (rails-html-sanitizer): Possible XSS vulnerability with certain configurations of rails-html-sanitizer posted in •
	Dec 07	CVE-2022-23476 (nokogiri): Unchecked return value from xmlTextReaderExpand posted in •
	Nov 30	CVE-2022-45442 (sinatra): Sinatra vulnerable to Reflected File Download attack posted in •
	Nov 19	CVE-2022-4064 (dalli): Unsanitized input leading to code injection in Dalli posted in •
	Nov 18	CVE-2021-33621 (cgi): HTTP response splitting in CGI posted in •
	Nov 02	CVE-2022-39379 (fluentd): fluentd vulnerable to remote code execution due to insecure deserialization (in non-default configuration) posted in •
	Oct 18	GHSA-2qc6-mcvw-92cw (nokogiri): Update bundled libxml2 to v2.10.3 to resolve multiple CVEs posted in •
	Oct 07	CVE-2022-39281 (fat_free_crm): Fat Free CRM vulnerable to Remote Denial of Service via Tasks endpoint posted in •
	Oct 04	CVE-2022-3171 (google-protobuf): protobuf-java has a potential Denial of Service issue posted in •
	Oct 03	GHSA-mgvv-5mxp-xq67 (sqlite3): SQLite3 addresses vulnerability in packaged version of libsqlite posted in •
	Sep 21	CVE-2022-39224 (arr-pm): arr-pm vulnerable to arbitrary shell execution when extracting or listing files contained in a malicious rpm posted in •
	Sep 21	GHSA-4qw4-jpp4-8gvp (commonmarker): Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service posted in •
	Sep 15	GHSA-qcqv-38jg-2r43 (pageflow): Pageflow vulnerable to insecure direct object reference in membership update endpoint posted in •
	Sep 15	GHSA-wrrw-crp8-979q (pageflow): Pageflow vulnerable to sensitive user data extraction via Ransack query injection posted in •
	Sep 10	CVE-2022-25765 (pdfkit): PDFKit vulnerable to Command Injection posted in •
	Aug 19	CVE-2020-36599 (omniauth): OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value posted in •
	Aug 11	CVE-2022-35956 (update_by_case): update_by_case before 0.1.3 can be vulnerable to sql injection posted in •
	Jul 21	CVE-2022-31163 (tzinfo): TZInfo relative path traversal vulnerability allows loading of arbitrary files posted in •
	Jul 16	CVE-2020-35305 (gollum): XSS via `filename` parameter to New Page dialog posted in •
	Jul 15	CVE-2022-31160 (jquery-ui-rails): jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label posted in •
	Jul 12	CVE-2022-32224 (activerecord): Possible RCE escalation bug with Serialized Columns in Active Record posted in •
	Jul 05	CVE-2022-31115 (opensearch-ruby): Unsafe YAML deserialization in opensearch-ruby posted in •
	Jun 28	CVE-2021-3779 (ruby-mysql): ruby-mysql Client File Read posted in •
	Jun 27	CVE-2022-30122 (rack): Denial of Service Vulnerability in Rack Multipart Parsing posted in •
	Jun 27	CVE-2022-30123 (rack): Possible shell escape sequence injection vulnerability in Rack posted in •
	Jun 24	CVE-2022-33127 (diffy): Improper handling of double quotes in file name in Diffy in Windows environment posted in •
	Jun 15	CVE-2022-31071 (octopoller): Octopoller gem published with world-writable files posted in •
	Jun 15	CVE-2022-31072 (octokit): Octokit gem published with world-writable files posted in •
	Jun 10	CVE-2022-32209 (rails-html-sanitizer): Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer posted in •
	Jun 09	CVE-2022-31033 (mechanize): Authorization header leak on port redirect in mechanize posted in •
	Jun 09	CVE-2022-32209 (rails-html-sanitizer): Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer posted in •
	Jun 07	CVE-2022-32511 (jmespath): JMESPath for Ruby using JSON.load instead of JSON.parse posted in •
	Jun 06	CVE-2022-31026 (trilogy): Use of Uninitialized Variable in trilogy posted in •
	Jun 03	CVE-2021-33473 (dragonfly): Arbitrary file write in dragonfly posted in •
	Jun 01	CVE-2022-31000 (solidus_backend): CSRF allows attacker to finalize/unfinalize order adjustments in solidus_backend posted in •
	May 24	CVE-2015-2784 (papercrop): papercrop does not properly handle crop input posted in •
	May 24	CVE-2019-10226 (fat_free_crm): Fat Free CRM Cross-site Scripting vulnerability posted in •
	May 24	CVE-2019-12408 (red-arrow): Missing Initialization of Resource in Apache Arrow posted in •
	May 24	CVE-2019-12410 (red-arrow): Missing Initialization of Resource in Apache Arrow posted in •
	May 24	CVE-2019-13118 (nokogiri): libxslt Type Confusion vulnerability that affects Nokogiri posted in •
	May 24	CVE-2019-14825 (katello): Katello cleartext password storage issue posted in •
	May 24	CVE-2019-16751 (devise_token_auth): Devise Token Auth vulnerable to Cross-site Scripting posted in •
	May 24	CVE-2019-17268 (omniauth-weibo-oauth2): omniauth-weibo-oauth2 included a code-execution backdoor inserted by a third-party posted in •
	May 24	CVE-2019-18197 (nokogiri): Nokogiri affected by libxslt Use of Uninitialized Resource/ Use After Free vulnerability posted in •
	May 24	CVE-2019-5815 (nokogiri): Nokogiri implementation of libxslt vulnerable to heap corruption posted in •
	May 24	CVE-2019-7615 (elastic-apm): Elastic APM agent for Ruby vulnerable to Improper Certificate Validation posted in •
	May 24	CVE-2020-13353 (gitaly): Gitaly Insufficient Session Expiration vulnerability posted in •
	May 24	CVE-2020-7385 (metasploit-framework): Metasploit Framework user exposes Metasploit to same deserialization issue that is exploited by that module posted in •
	May 24	CVE-2021-25969 (camaleon_cms): Camaleon CMS Stored Cross-site Scripting vulnerability posted in •
	May 24	CVE-2021-25970 (camaleon_cms): Camaleon CMS Insufficient Session Expiration vulnerability posted in •
	May 24	CVE-2021-25971 (camaleon_cms): Camaleon CMS vulnerable to Uncaught Exception posted in •
	May 24	CVE-2021-25972 (camaleon_cms): Camaleon CMS vulnerable to Server-Side Request Forgery posted in •
	May 24	CVE-2021-25974 (publify_core): Cross site scripting in publify posted in •
	May 24	CVE-2021-25975 (publify_core): Cross site scripting in publify posted in •
	May 24	CVE-2021-3517 (nokogiri): Nokogiri contains libxml Out-of-bounds Write vulnerability posted in •
	May 24	CVE-2021-3518 (nokogiri): Nokogiri Implements libxml2 version vulnerable to use-after-free posted in •
	May 24	CVE-2021-3537 (nokogiri): Nokogiri Implements libxml2 version vulnerable to null pointer dereferencing posted in •
	May 24	CVE-2021-35440 (smashing): Smashing Cross-site Scripting vulnerability posted in •
	May 24	CVE-2021-39880 (apollo_upload_server): apollo_upload_server has Denial of Service vulnerability posted in •
	May 24	CVE-2022-1810 (publify_core): Improper Access Control in publify posted in •
	May 24	CVE-2022-1811 (publify_core): Cross site scripting in publify posted in •
	May 23	CVE-2022-29181 (nokogiri): Improper Handling of Unexpected Data Type in Nokogiri posted in •
	May 19	CVE-2019-25061 (random_password_generator): Insecure PRNG use in random_password_generator posted in •
	May 18	GHSA-cgx6-hpwq-fhv5 (nokogiri): Integer Overflow or Wraparound in libxml2 affects Nokogiri posted in •
	May 17	CVE-2012-3503 (katello): Katello uses hard coded credential posted in •
	May 17	CVE-2014-0084 (openshift-origin-node): openshift-origin-node Improper Input Validation vulnerability posted in •
	May 17	CVE-2017-15364 (ccsv): ccsv Double Free vulnerability posted in •
	May 17	CVE-2022-0574 (publify_core): Incorrect Authorization in publify posted in •
	May 17	CVE-2022-0578 (publify_core): Code injection in publify posted in •
	May 17	CVE-2022-1553 (publify_core): Article metadata exposure in publify posted in •
	May 14	CVE-2011-0528 (puppet): Puppet does not properly restrict access to node resources posted in •
	May 14	CVE-2011-3869 (puppet): Puppet arbitrary file overwrite posted in •
	May 14	CVE-2012-1987 (puppet): Puppet Denial of Service and Arbitrary File Write posted in •
	May 14	CVE-2012-1988 (puppet): Puppet Arbitrary Command Execution posted in •
	May 14	CVE-2016-3072 (katello): Katello SQL Injection vulnerabilities posted in •
	May 14	CVE-2017-10784 (webrick): WEBrick RCE Vulnerability posted in •
	May 14	CVE-2017-14033 (openssl): Ruby OpenSSL DoS Vulnerability posted in •
	May 14	CVE-2018-0499 (xapian-core): xapian-core Cross-site Scripting vulnerability posted in •
	May 14	CVE-2018-1000074 (rubygems-update): RubyGems Deserialization of Untrusted Data vulnerability posted in •
	May 14	CVE-2018-1000076 (rubygems-update): RubyGems Improper Verification of Cryptographic Signature vulnerability posted in •
	May 14	CVE-2018-1000077 (rubygems-update): RubyGems Improper Input Validation vulnerability posted in •
	May 14	CVE-2018-1000078 (rubygems-update): RubyGems Cross-site Scripting vulnerability posted in •
	May 14	CVE-2018-1000079 (rubygems-update): RubyGems Path Traversal vulnerability posted in •
	May 14	CVE-2018-16887 (katello): katello Cross-site Scripting vulnerability posted in •
	May 13	CVE-2017-1000026 (mixlib-archive): mixlib-archive Path Traversal vulnerability posted in •
	May 13	CVE-2017-10689 (puppet): Tarball permission preservation in puppet posted in •
	May 13	CVE-2017-10906 (fluentd): Fluentd Escape Sequence Injection Vulnerability posted in •
	May 13	CVE-2017-14506 (geminabox): Gem in a Box vulnerable to Cross-site Scripting posted in •
	May 13	CVE-2017-14683 (geminabox): Gem in a Box vulnerable to Cross-site Request Forgery posted in •
	May 13	CVE-2017-16355 (passenger): Phusion Passenger information disclosure posted in •
	May 13	CVE-2017-2096 (smalruby): smalruby and smalruby-editor vulnerable to OS Command Injection posted in •
	May 13	CVE-2017-2662 (katello): katello Improper Privilege Management vulnerability posted in •
	May 13	CVE-2017-2667 (hammer_cli_foreman): hammer_cli_foreman Improper Certificate Validation vulnerability posted in •
	May 13	CVE-2018-1000073 (rubygems-update): RubyGems Link Following vulnerability posted in •
	May 13	CVE-2018-1000075 (rubygems-update): RubyGems Infinite Loop vulnerability posted in •
	May 13	CVE-2018-12615 (passenger): Phusion Passenger incorrect permission assignment posted in •
	May 13	CVE-2018-14623 (katello): katello SQL Injection vulnerability posted in •
	May 13	CVE-2018-18260 (camaleon_cms): Camaleon CMS vulnerable to Stored Cross-site Scripting posted in •
	May 13	CVE-2018-18385 (asciidoctor): Asciidoctor Infinite Loop vulnerability posted in •
	May 05	CVE-2013-2095 (openshift-origin-controller): RubyGem openshift-origin-controller is vulnerable to command injection posted in •
	May 03	CVE-2022-28481 (csv-safe): CSV-Safe improperly filters special characters potentially leading to CSV injection posted in •
	May 03	CVE-2022-29970 (sinatra): sinatra does not validate expanded path matches posted in •
	May 02	CVE-2010-0156 (puppet): Puppet arbitrary files overwrite via a symlink attack posted in •
	May 01	CVE-2007-6612 (mongrel): Mongrel vulnerable to directory traversal via double-encoded sequences posted in •
	Apr 27	CVE-2022-22577 (actionpack): Possible XSS Vulnerability in Action Pack posted in •
	Apr 26	CVE-2022-27311 (gibbon): Server side request forgery in gibbon posted in •
	Apr 26	CVE-2022-27777 (actionview): Possible XSS Vulnerability in Action View tag helpers posted in •
	Apr 22	CVE-2011-1497 (actionpack): Cross site scripting in rails/actionpack < 3.0.6 posted in •
	Apr 20	CVE-2022-25648 (git): Command injection in ruby-git posted in •
	Apr 20	CVE-2022-29498 (blazer): SQL injection for certain queries with variables posted in •
	Apr 11	CVE-2018-25032 (nokogiri): Out-of-bounds Write in zlib affects Nokogiri posted in •
	Apr 11	CVE-2022-23437 (nokogiri): XML Injection in Xerces Java affects Nokogiri posted in •
	Apr 11	CVE-2022-24836 (nokogiri): Inefficient Regular Expression Complexity in Nokogiri posted in •
	Apr 11	CVE-2022-24839 (nokogiri): Denial of Service (DoS) in Nokogiri on JRuby posted in •
	Apr 07	CVE-2021-43177 (devise-two-factor): Improper one time password handling in devise-two-factor posted in •
	Apr 05	CVE-2022-24795 (yajl-ruby): Reallocation bug can trigger heap memory corruption posted in •
	Apr 02	CVE-2022-21223 (cocoapods-downloader): Command injection in cocoapods-downloader posted in •
	Apr 02	CVE-2022-24440 (cocoapods-downloader): Command injection in cocoapods-downloader posted in •
	Mar 31	CVE-2022-24803 (asciidoctor-include-ext): Command Injection vulnerability in asciidoctor-include-ext posted in •
	Mar 30	CVE-2022-24790 (puma): HTTP Request Smuggling in puma posted in •
	Mar 26	CVE-2022-0759 (kubeclient): Improper Certificate Validation in kubeclient posted in •
	Mar 24	CVE-2021-3589 (foreman_ansible): Missing Authentication for Critical Function in Foreman Ansible posted in •
	Mar 08	CVE-2022-21831 (activestorage): Possible code injection vulnerability in Rails / Active Storage posted in •
	Mar 03	CVE-2024-22051 (commonmarker): Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption posted in •
	Mar 03	GHSA-fmx4-26r3-wxpf (commonmarker): Integer overflow in cmark-gfm table parsing extension leads to heap memory corruption posted in •
	Mar 02	CVE-2022-24722 (view_component): XSS via `translate` method of `ViewComponent::Translatable` in view_component gem posted in •
	Mar 01	CVE-2022-24720 (image_processing): Remote shell execution vulnerability when applying commands from user input posted in •
	Feb 21	CVE-2021-30560 (nokogiri): Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) posted in •
	Feb 15	CVE-2014-0177 (hub): Hub Package Arbitrary File Overwrite posted in •
	Feb 11	CVE-2022-23633 (actionpack): Possible exposure of information vulnerability in Action Pack posted in •
	Feb 11	CVE-2022-23634 (puma): Information Exposure with Puma when used with Rails posted in •
	Feb 09	CVE-2022-0524 (publify_core): Business Logic Errors in Publify posted in •
	Jan 27	CVE-2022-23837 (sidekiq): Denial of service in sidekiq posted in •
	Jan 07	CVE-2021-22569 (google-protobuf): A potential Denial of Service issue in protobuf-java posted in •
	Jan 06	CVE-2021-43846 (solidus_frontend): CSRF forgery protection bypass in solidus_frontend posted in •
2021	Dec 17	CVE-2021-43840 (message_bus): Path traversal when MessageBus::Diagnostics is enabled posted in •
	Dec 14	CVE-2021-44528 (actionpack): Possible Open Redirect in Host Authorization Middleware posted in •
	Dec 08	CVE-2021-28680 (devise_masquerade): Improper Privilege Management in devise_masquerade posted in •
	Dec 08	CVE-2021-43809 (bundler): Local Code Execution through Argument Injection via dash leading git url parameter in Gemfile posted in •
	Dec 07	CVE-2021-43805 (solidus_core): ReDos vulnerability on guest checkout email validation posted in •
	Dec 02	CVE-2021-27023 (puppet): Unsafe HTTP Redirect in Puppet Agent and Puppet Server posted in •
	Dec 02	CVE-2021-27025 (puppet): Silent Configuration Failure in Puppet Agent posted in •
	Nov 24	CVE-2021-41816 (cgi): Buffer Overrun in CGI.escape_html posted in •
	Nov 24	CVE-2021-41819 (cgi): Cookie Prefix Spoofing in CGI::Cookie.parse posted in •
	Nov 18	CVE-2021-41274 (solidus_auth_devise): Authentication Bypass by CSRF Weakness posted in •
	Nov 18	CVE-2021-41275 (spree_auth_devise): Authentication Bypass by CSRF Weakness posted in •
	Nov 18	GHSA-5629-8855-gf4g (solidus_core): Authentication Bypass by CSRF Weakness posted in •
	Nov 15	CVE-2021-41263 (rails_multisite): Secure/signed cookies share secrets between sites in a multi-site application posted in •
	Nov 15	CVE-2021-41817 (date): Regular Expression Denial of Service Vulnerability of Date Parsing Methods posted in •
	Nov 03	CVE-2021-25973 (publify_core): Improper Authorization in Publify posted in •
	Nov 01	CVE-2021-41186 (fluentd): ReDoS vulnerability in parser_apache2 posted in •
	Oct 26	CVE-2021-41182 (jquery-ui-rails): XSS in the `altField` option of the Datepicker widget in jquery-ui posted in •
	Oct 26	CVE-2021-41183 (jquery-ui-rails): XSS in `*Text` options of the Datepicker widget in jquery-ui posted in •
	Oct 26	CVE-2021-41184 (jquery-ui-rails): XSS in the `of` option of the `.position()` util in jquery-ui posted in •
	Oct 12	CVE-2021-41136 (puma): Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma posted in •
	Oct 06	CVE-2021-30151 (sidekiq): Cross-site Scripting in Sidekiq posted in •
	Oct 06	CVE-2021-33575 (ruby-jss): Remote code execution in ruby-jss posted in •
	Sep 27	CVE-2021-41098 (nokogiri): Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby posted in •
	Sep 13	CVE-2021-23435 (clearance): Open Redirect in clearance posted in •
	Sep 07	CVE-2021-39197 (better_errors): Older releases of better_errors open to Cross-Site Request Forgery attack posted in •
	Aug 19	CVE-2021-22942 (actionpack): Possible Open Redirect in Host Authorization Middleware posted in •
	Aug 02	CVE-2021-28796 (qiita-markdown): Cross-Site Scripting in Qiita::Markdown posted in •
	Aug 02	CVE-2021-28833 (qiita-markdown): XSS in qiita-markdown posted in •
	Jul 12	CVE-2021-32740 (addressable): Regular Expression Denial of Service in Addressable templates posted in •
	Jul 02	CVE-2021-35514 (narou): Code injection in Narou posted in •
	Jun 10	CVE-2021-20259 (foreman_fog_proxmox): Exposure of Sensitive Information to an Unauthorized Actor in foreman_fog_proxmox posted in •
	Jun 02	CVE-2021-33564 (dragonfly): Remote code execution in Dragonfly posted in •
	May 24	CVE-2020-13163 (em-imap): Improper certificate validation in em-imap posted in •
	May 24	CVE-2020-13482 (em-http-request): Improper Certificate Validation in EM-HTTP-Request posted in •
	May 24	CVE-2020-7659 (reel): HTTP Request Smuggling in reel posted in •
	May 24	CVE-2020-7671 (goliath): HTTP Request Smuggling in goliath posted in •
	May 18	CVE-2021-32823 (bindata): Potential Denial-of-Service in bindata posted in •
	May 17	GHSA-7rrm-v45f-jp64 (nokogiri): Update packaged dependency libxml2 from 2.9.10 to 2.9.12 posted in •
	May 11	CVE-2021-29509 (puma): Keepalive Connections Causing Denial Of Service in puma posted in •
	May 05	CVE-2021-22885 (actionpack): Possible Information Disclosure / Unintended Method Execution in Action Pack posted in •
	May 05	CVE-2021-22902 (actionpack): Possible Denial of Service vulnerability in Action Dispatch posted in •
	May 05	CVE-2021-22903 (actionpack): Possible Open Redirect Vulnerability in Action Pack posted in •
	May 05	CVE-2021-22904 (actionpack): Possible DoS Vulnerability in Action Controller Token Authentication posted in •
	May 04	CVE-2021-23383 (handlebars-source): Prototype Pollution in handlebars posted in •
	May 02	CVE-2021-31799 (rdoc): RDoc OS command injection vulnerability posted in •
	Apr 26	CVE-2021-31671 (pgsync): Connection security vulnerability with schema sync posted in •
	Apr 22	CVE-2016-11086 (oauth): Improper Certificate Validation in oauth ruby gem posted in •
	Apr 14	CVE-2021-29435 (trestle-auth): Cross-Site Request Forgery (CSRF) in trestle-auth posted in •
	Apr 13	CVE-2020-24393 (tweetstream): Improper Certificate Validation in TweetStream posted in •
	Apr 13	CVE-2020-7942 (puppet): Improper Certificate Validation in Puppet posted in •
	Apr 12	CVE-2021-23369 (handlebars-source): Remote code execution in handlebars when compiling templates posted in •
	Apr 05	CVE-2021-28965 (rexml): XML round-trip vulnerability in REXML posted in •
	Apr 05	CVE-2021-28966 (tmpdir): Path traversal in Tempfile on Windows posted in •
	Mar 29	CVE-2020-24392 (twitter-stream): Improper Certificate Validation in twitter-stream posted in •
	Mar 29	CVE-2021-28834 (kramdown): Remote code execution in Kramdown posted in •
	Mar 08	CVE-2019-25025 (activerecord-session_store): activerecord-session_store Timing Attack posted in •
	Feb 10	CVE-2021-22880 (activerecord): Possible DoS Vulnerability in Active Record PostgreSQL adapter posted in •
	Feb 10	CVE-2021-22881 (actionpack): Possible Open Redirect in Host Authorization Middleware posted in •
	Feb 08	CVE-2021-21288 (carrierwave): Server-side request forgery in CarrierWave posted in •
	Feb 08	CVE-2021-21305 (carrierwave): Code Injection vulnerability in CarrierWave::RMagick posted in •
	Feb 01	CVE-2021-21289 (mechanize): Mechanize ruby gem Command Injection vulnerability posted in •
	Jan 11	CVE-2020-26298 (redcarpet): Injection/XSS in Redcarpet posted in •
2020	Dec 30	CVE-2020-26247 (nokogiri): Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability posted in •
	Dec 08	CVE-2020-26254 (omniauth-apple): omniauth-apple allows attacker to fake their email address during authentication posted in •
	Nov 13	CVE-2020-26222 (dependabot-omnibus): Remote code execution in dependabot-core branch names when cloning posted in •
	Nov 13	CVE-2020-26223 (spree_api): Authorization bypass in Spree posted in •
	Nov 03	CVE-2020-15240 (omniauth-auth0): Regression in JWT Signature Validation posted in •
	Oct 20	CVE-2020-15269 (spree): Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls posted in •
	Oct 20	CVE-2020-7670 (agoo): HTTP Request Smuggling in Agoo posted in •
	Oct 07	CVE-2020-8264 (actionpack): Possible XSS Vulnerability in Action Pack in Development Mode posted in •
	Oct 05	CVE-2020-15237 (shrine): Possible timing attack in derivation_endpoint posted in •
	Sep 30	CVE-2020-36327 (bundler): Dependency Confusion in Bundler with Implicit Private Dependencies posted in •
	Sep 29	CVE-2020-25613 (webrick): Potential HTTP Request Smuggling Vulnerability in WEBrick posted in •
	Sep 23	GHSA-vp9c-fpxx-744v (personnummer): Validation bypass vulnerability posted in •
	Sep 18	CVE-2020-25739 (gon): Gon gem lack of escaping certain input when outputting as JSON posted in •
	Sep 09	CVE-2020-15169 (actionview): Potential XSS vulnerability in Action View posted in •
	Sep 01	CVE-2012-6708 (jquery-rails): Cross-Site Scripting in jquery posted in •
	Aug 04	CVE-2020-15109 (solidus_frontend): Ability to change order address without triggering address validations in solidus posted in •
	Aug 04	CVE-2020-16252 (field_test): CSRF Vulnerability with Non-Session Based Authentication posted in •
	Aug 04	CVE-2020-16253 (pghero): CSRF Vulnerability with Non-Session Based Authentication posted in •
	Aug 04	CVE-2020-16254 (chartkick): CSS injection with width and height options posted in •
	Jul 31	CVE-2020-15133 (faye-websocket): Missing TLS certificate verification in faye-websocket posted in •
	Jul 31	CVE-2020-15134 (faye): Missing TLS certificate verification posted in •
	Jun 28	CVE-2020-14001 (kramdown): Unintended read access in kramdown gem posted in •
	Jun 17	CVE-2020-8185 (actionpack): Untrusted users able to run pending migrations in production posted in •
	Jun 16	CVE-2020-4054 (sanitize): Cross-site scripting vulnerability via ` $` or ` ` element in Sanitize$ posted in •
	Jun 15	CVE-2020-8184 (rack): Percent-encoded cookies can be used to overwrite existing prefixed cookie names posted in •
	Jun 05	CVE-2020-7663 (websocket-extensions): Regular Expression Denial of Service in websocket-extensions (RubyGem) posted in •
	May 28	CVE-2020-11082 (kaminari): Cross-Site Scripting in Kaminari via `original_script_name` parameter posted in •
	May 22	CVE-2020-11076 (puma): HTTP Smuggling via Transfer-Encoding Header in Puma posted in •
	May 22	CVE-2020-11077 (puma): HTTP Smuggling via Transfer-Encoding Header in Puma posted in •
	May 20	CVE-2020-7656 (jquery-rails): Cross-Site Scripting in jquery posted in •
	May 18	CVE-2020-8162 (activestorage): Circumvention of file size limits in ActiveStorage posted in •
	May 18	CVE-2020-8164 (actionpack): Possible Strong Parameters Bypass in ActionPack posted in •
	May 18	CVE-2020-8165 (activesupport): Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore posted in •
	May 18	CVE-2020-8166 (actionpack): Ability to forge per-form CSRF tokens given a global CSRF token posted in •
	May 18	CVE-2020-8167 (actionview): CSRF Vulnerability in rails-ujs posted in •
	May 15	CVE-2020-8163 (actionview): Potential remote code execution of user-provided local names in ActionView posted in •
	May 12	CVE-2020-8161 (rack): Directory traversal in Rack::Directory app bundled with Rack posted in •
	May 07	CVE-2020-11052 (sorcery): Improper Restriction of Excessive Authentication Attempts in Sorcery posted in •
	May 06	CVE-2020-8159 (actionpack-page_caching): Arbitrary file write/potential remote code execution in actionpack-page_caching posted in •
	May 05	CVE-2020-8151 (activeresource): activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding posted in •
	May 02	CVE-2020-10187 (doorkeeper): Doorkeeper application secret information disclosure vulnerability posted in •
	Apr 29	CVE-2015-4411 (bson): Potential denial of service in bson rubygem posted in •
	Apr 29	CVE-2020-11020 (faye): Authentication and extension bypass in Faye posted in •
	Apr 29	CVE-2020-11022 (jquery-rails): Potential XSS vulnerability in jQuery posted in •
	Apr 29	CVE-2020-11023 (jquery-rails): Potential XSS vulnerability in jQuery posted in •
	Mar 19	CVE-2020-10663 (json): json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) posted in •
	Mar 19	CVE-2020-5267 (actionview): Possible XSS vulnerability in ActionView posted in •
	Mar 14	CVE-2020-36190 (rails_admin): rails_admin ruby gem XSS vulnerability posted in •
	Mar 14	CVE-2020-5257 (administrate): Sort order SQL injection via `direction` parameter in administrate posted in •
	Mar 10	CVE-2020-5243 (user_agent_parser): Denial of Service in uap-core when processing crafted User-Agent strings posted in •
	Mar 03	CVE-2020-5249 (puma): HTTP Response Splitting (Early Hints) in Puma posted in •
	Feb 27	CVE-2020-5247 (puma): HTTP Response Splitting vulnerability in puma posted in •
	Feb 14	CVE-2019-10780 (bibtex-ruby): OS command injection in BibTeX-Ruby posted in •
	Feb 12	CVE-2020-7595 (nokogiri): libxml2 2.9.10 has an infinite loop in a certain end-of-file situation posted in •
	Feb 10	CVE-2020-5241 (matestack-ui-core): matestack-ui-core is vulnerable to XSS/Script injection posted in •
	Jan 25	CVE-2020-7981 (geocoder): Geocoder gem for Ruby contains possible SQL injection vulnerability posted in •
	Jan 23	CVE-2020-5216 (secure_headers): secure_headers header injection due to newline posted in •
	Jan 23	CVE-2020-5217 (secure_headers): secure_headers directive injection using semicolon posted in •
	Jan 09	CVE-2014-3211 (publify_core): Publify vulnerable to DoS attack posted in •
2019	Dec 26	CVE-2019-19919 (bootstrap-wysihtml5-rails): Prototype Pollution in handlebars posted in •
	Dec 18	CVE-2019-16782 (rack): Possible information leak / session hijack vulnerability posted in •
	Dec 16	CVE-2019-16779 (excon): Race condition when using persistent connections posted in •
	Dec 05	CVE-2019-16770 (puma): Keepalive thread overload/DoS in puma posted in •
	Nov 15	CVE-2019-18978 (rack-cors): rack-cors directory traversal via path posted in •
	Nov 14	CVE-2019-18848 (json-jwt): json-jwt improper input validation due to lack of element count when splitting string posted in •
	Nov 09	CVE-2019-18841 (chartkick): Prototype Pollution in Chartkick.js 3.1.x posted in •
	Oct 31	CVE-2019-13117 (nokogiri): Nokogiri gem, via libxslt, is affected by multiple vulnerabilities posted in •
	Oct 24	CVE-2019-18409 (ruby_parser-legacy): ruby_parser-legacy world writable files allow local privilege escalation posted in •
	Oct 22	CVE-2019-15587 (loofah): Loofah XSS Vulnerability posted in •
	Oct 14	CVE-2019-17383 (netaddr): netaddr world-writeable file permissions posted in •
	Oct 07	CVE-2024-22050 (iodine): Malicious URL drafting attack against iodines static file server may allow path traversal posted in •
	Oct 07	GHSA-85rf-xh54-whp3 (iodine): iodine path traversal via malicious URL drafting attack posted in •
	Sep 27	CVE-2019-16676 (simple_form): simple_form Gem for Ruby Incorrect Access Control for forms based on user input posted in •
	Sep 23	CVE-2019-16145 (padrino-contrib): padrino-contrib XSS via caption parameter of breadcrumbs helper posted in •
	Sep 23	CVE-2019-16377 (consul): Consul gem insufficient authentication check - Multiple powers in one controller are not always checked correctly posted in •
	Sep 12	CVE-2019-16892 (rubyzip): Denial of Service in rubyzip ("zip bombs") posted in •
	Sep 08	CVE-2019-16109 (devise): Devise Gem for Ruby confirmation token validation with a blank string posted in •
	Aug 29	CVE-2020-8130 (rake): OS Command Injection in Rake posted in •
	Aug 21	CVE-2018-20975 (fat_free_crm): fat_free_crm XSS via query parameter of tags_helper method posted in •
	Aug 20	CVE-2019-15224 (omniauth_amazon): Code execution backdoor in omniauth_amazon posted in •
	Aug 19	CVE-2019-15224 (rest-client): Code execution backdoor in rest-client posted in •
	Aug 11	CVE-2019-5477 (rexical): Rexical Command Injection Vulnerability posted in •
	Jul 31	CVE-2018-20857 (samlr): samlr XML nodes comment attack posted in •
	Jul 31	CVE-2019-14281 (datagrid): Code execution backdoor in datagrid posted in •
	Jul 31	CVE-2019-14282 (simple_captcha2): Code backdoor in simple_captcha2 posted in •
	Jul 26	CVE-2019-1010191 (marginalia): SQL injection vulnerability via Marginalia::Comment posted in •
	Jul 16	CVE-2019-1010306 (slanger): Arbitrary command execution in slanger posted in •
	Jul 16	CVE-2019-13589 (paranoid2): Code backdoor in paranoid2 posted in •
	Jul 12	CVE-2019-13574 (mini_magick): Remote command execution via filename posted in •
	Jul 05	CVE-2019-13354 (strong_password): strong_password Ruby gem malicious version causing Remote Code Execution vulnerability posted in •
	Jul 02	CVE-2019-1020001 (yard): Arbitrary path traversal and file access via `yard server` posted in •
	Jul 02	GHSA-xfhh-rx56-rxcr (yard): Possible arbitrary path traversal and file access via `yard server` posted in •
	Jul 01	CVE-2019-13146 (field_test): Arbitrary Variants Via Query Parameters posted in •
	Jun 13	CVE-2019-11027 (ruby-openid): ruby-openid SSRF via claimed_id request posted in •
	Jun 04	CVE-2019-12732 (chartkick): XSS Vulnerability in Chartkick Ruby Gem posted in •
	Apr 22	CVE-2019-11068 (nokogiri): Nokogiri gem, via libxslt, is affected by improper access control vulnerability posted in •
	Apr 19	CVE-2019-11358 (jquery-rails): Prototype pollution attack through jQuery $.extend posted in •
	Apr 10	CVE-2019-16060 (airbrake-ruby): Blacklist keys are no longer being filtered in airbrake-ruby posted in •
	Apr 04	CVE-2019-10842 (bootstrap-sass): Remote code execution in bootstrap-sass posted in •
	Mar 25	CVE-2019-9837 (doorkeeper-openid_connect): Doorkeeper::OpenidConnect Open Redirect posted in •
	Mar 13	CVE-2019-5418 (actionview): File Content Disclosure in Action View posted in •
	Mar 13	CVE-2019-5419 (actionview): Denial of Service Vulnerability in Action View posted in •
	Mar 13	CVE-2019-5420 (railties): Possible Remote Code Execution Exploit in Rails Development Mode posted in •
	Mar 08	CVE-2018-6517 (chloride): Improper handling of ssh known_hosts file with Chloride posted in •
	Mar 05	CVE-2019-8320 (rubygems-update): Delete directory using symlink when decompressing tar posted in •
	Mar 05	CVE-2019-8321 (rubygems-update): Escape sequence injection vulnerability in verbose posted in •
	Mar 05	CVE-2019-8322 (rubygems-update): Escape sequence injection vulnerability in gem owner posted in •
	Mar 05	CVE-2019-8323 (rubygems-update): Escape sequence injection vulnerability in api response handling posted in •
	Mar 05	CVE-2019-8324 (rubygems-update): Installing a malicious gem may lead to arbitrary code execution posted in •
	Mar 05	CVE-2019-8325 (rubygems-update): Escape sequence injection vulnerability in errors posted in •
	Feb 15	CVE-2019-8331 (twitter-bootstrap-rails): twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS) posted in •
	Feb 07	CVE-2019-5421 (devise): Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module posted in •
2018	Nov 27	CVE-2018-16476 (activejob): Broken Access Control vulnerability in Active Job posted in •
	Nov 27	CVE-2018-16477 (activestorage): Bypass vulnerability in Active Storage posted in •
	Nov 09	CVE-2018-1000855 (easymon): Reflected XSS in Firefox in check endpoint posted in •
	Nov 05	CVE-2018-16470 (rack): Possible DoS vulnerability in Rack posted in •
	Nov 05	CVE-2018-16471 (rack): Possible XSS vulnerability in Rack posted in •
	Oct 30	CVE-2018-16468 (loofah): Loofah XSS Vulnerability posted in •
	Oct 27	CVE-2018-1000842 (fat_free_crm): fat_free_crm gem XSS vulnerability via query parameter posted in •
	Oct 19	CVE-2018-18476 (mysql-binuuid-rails): mysql-binuuid-rails allows SQL Injection by removing default string escaping posted in •
	Oct 17	CVE-2018-16395 (openssl): Incorrect value comparison in Ruby openssl posted in •
	Oct 04	CVE-2018-14404 (nokogiri): Nokogiri gem, via libxml2, is affected by multiple vulnerabilities posted in •
	Sep 28	CVE-2018-17567 (jekyll): Jekyll _config.yml privilege escalation posted in •
	Sep 14	CVE-2018-14643 (smart_proxy_dynflow): smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature posted in •
	Sep 13	CVE-2018-14041 (bootstrap): Bootstrap vulnerable to Cross-Site Scripting (XSS) posted in •
	Sep 13	CVE-2018-14042 (bootstrap): Bootstrap Cross-site Scripting vulnerability posted in •
	Aug 09	CVE-2018-3779 (active-support): Malicious ruby gem - active-support posted in •
	Jul 27	CVE-2018-3777 (restforce): Insufficient URI encoding in restforce posted in •
	Jul 11	CVE-2018-1000211 (doorkeeper): Doorkeeper gem does not revoke token for public clients posted in •
	Jul 03	CVE-2018-14040 (bootstrap): XSS vulnerabilities via data-parent, data-target, data-container in bootstrap posted in •
	Jun 22	CVE-2018-1000201 (ffi): ruby-ffi DDL loading issue on Windows OS posted in •
	Jun 19	CVE-2018-3760 (sprockets): Path Traversal in Sprockets posted in •
	Jun 14	CVE-2018-1000544 (rubyzip): Directory Traversal in rubyzip posted in •
	Jun 12	CVE-2018-12026 (passenger): SpawningKit exploits posted in •
	Jun 12	CVE-2018-12027 (passenger): Insecure Permissions in Phusion Passenger posted in •
	Jun 12	CVE-2018-12028 (passenger): Incorrect Access Control in Phusion Passenger posted in •
	Jun 12	CVE-2018-12029 (passenger): CHMOD race vulnerability posted in •
	May 31	CVE-2018-11627 (sinatra): XSS via the 400 Bad Request page posted in •
	May 23	CVE-2018-3769 (grape): ruby-grape Gem has XSS via "format" parameter posted in •
	May 03	CVE-2018-3759 (private_address_check): private_address_check Ruby Gem Time-of-check Time-of-use race condition posted in •
	Apr 30	CVE-2018-1000539 (json-jwt): Auth tag forgery vulnerability with AES-GCM encrypted JWT posted in •
	Apr 23	CVE-2019-3881 (bundler): Insecure path handling in Bundler posted in •
	Apr 13	CVE-2017-18258 (nokogiri): Moderate severity vulnerability that affects nokogiri posted in •
	Mar 29	CVE-2018-8048 (nokogiri): Revert libxml2 behavior in Nokogiri gem that could cause XSS posted in •
	Mar 22	CVE-2018-3741 (rails-html-sanitizer): XSS vulnerability in rails-html-sanitizer posted in •
	Mar 19	CVE-2018-3740 (sanitize): HTML injection/XSS in Sanitize posted in •
	Mar 16	CVE-2018-8048 (loofah): Loofah XSS Vulnerability posted in •
	Mar 07	CVE-2018-1000119 (rack-protection): rack-protection gem timing attack vulnerability when validating CSRF token posted in •
	Feb 27	CVE-2017-11428 (ruby-saml): Authentication bypass via incorrect XML canonicalization and DOM traversal posted in •
	Feb 27	CVE-2017-11430 (omniauth-saml): omniauth-saml authentication bypass via incorrect XML canonicalization and DOM traversal posted in •
	Feb 21	CVE-2018-1000088 (doorkeeper): Doorkeeper gem has stored XSS on authorization consent view posted in •
	Feb 19	CVE-2018-7261 (radiant): Multiple persistent XSS vulnerabilities in Radiant CMS posted in •
	Feb 18	CVE-2018-7212 (rack-protection): Path traversal is possible via backslash characters on Windows. posted in •
	Jan 29	CVE-2017-15412 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities posted in •
	Jan 29	CVE-2017-16932 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities posted in •
	Jan 23	CVE-2017-0889 (paperclip): Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class. posted in •
	Jan 22	CVE-2015-9251 (jquery-rails): Cross-Site Scripting (XSS) in jquery posted in •
	Jan 18	CVE-2016-10707 (jquery-rails): Denial of Service in jquery posted in •
	Jan 10	CVE-2017-12097 (delayed_job_web): delayed_job_web ruby gem XSS vulnerability via `queues` parameter posted in •
	Jan 10	CVE-2017-12098 (rails_admin): rails_admin ruby gem XSS vulnerability posted in •
	Jan 09	CVE-2018-7212 (sinatra): sinatra ruby gem path traversal via backslash characters on Windows posted in •
	Jan 04	CVE-2018-5216 (radiant): Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content cross site scripting posted in •
2017	Dec 17	CVE-2017-17718 (net-ldap): No validation of hostname certificate in net-ldap posted in •
	Nov 28	CVE-2017-17042 (yard): Potential arbitrary file read vulnerability in yard server posted in •
	Nov 16	CVE-2014-9489 (gollum): gollum and gollum-lib allow remote authenticated users to execute arbitrary code posted in •
	Nov 16	CVE-2017-1000248 (redis-store): Unsafe objects can be loaded from Redis posted in •
	Nov 15	CVE-2017-7475 (cairo): cairo NULL pointer dereference posted in •
	Nov 10	CVE-2017-16792 (geminabox): Stored XSS in "geminabox" via injection in Gemspec "homepage" value posted in •
	Nov 09	CVE-2017-0905 (recurly): SSRF vulnerability in Recurly gem's Resource#find. posted in •
	Nov 09	CVE-2017-0909 (private_address_check): private_address_check Ruby Gem Blacklist Bypass privilege escalation posted in •
	Nov 07	CVE-2017-0904 (private_address_check): private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery posted in •
	Nov 03	CVE-2017-16516 (yajl-ruby): Flaw in yajl-ruby gem may cause a DoS posted in •
	Oct 29	CVE-2017-16229 (ox): ox ruby gem stack overflow in sax_parse posted in •
	Oct 27	CVE-2017-15928 (ox): ox ruby gem segmentation fault via parse_obj posted in •
	Oct 24	CVE-2006-4111 (rails): High severity vulnerability that affects rails posted in •
	Oct 24	CVE-2006-4112 (rails): High severity vulnerability that affects rails. posted in •
	Oct 24	CVE-2007-3227 (rails): Moderate severity vulnerability that affects rails posted in •
	Oct 24	CVE-2007-5379 (rails): Moderate severity vulnerability that affects rails posted in •
	Oct 24	CVE-2007-5380 (rails): Moderate severity vulnerability that affects rails posted in •
	Oct 24	CVE-2007-6077 (rails): Moderate severity vulnerability that affects rails posted in •
	Oct 24	CVE-2008-4094 (activerecord): High severity vulnerability that affects rails posted in •
	Oct 24	CVE-2008-5189 (rails): Moderate severity vulnerability that affects rails posted in •
	Oct 24	CVE-2008-7248 (actionpack): Improper Input Validation in rails posted in •
	Oct 24	CVE-2009-2422 (rails): High severity vulnerability that affects rails posted in •
	Oct 24	CVE-2009-3009 (activesupport): Moderate severity XSS vulnerability that affects rails posted in •
	Oct 24	CVE-2009-3086 (activesupport): actionpack and activesupport vulnerable to information leaks posted in •
	Oct 24	CVE-2009-3287 (thin): High severity vulnerability that affects thin posted in •
	Oct 24	CVE-2009-4214 (rails): Moderate severity XSS vulnerability that affects rails posted in •
	Oct 24	CVE-2010-3933 (activerecord): Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and 3.0.0 posted in •
	Oct 24	CVE-2010-5312 (jquery-ui-rails): Cross-site Scripting in jquery-ui posted in •
	Oct 24	CVE-2011-0446 (actionview): XSS vulnerabilities in the mail_to helper in rails/actionview posted in •
	Oct 24	CVE-2011-0447 (actionpack): CSRF Protection Bypass in Ruby on Rails posted in •
	Oct 24	CVE-2011-0448 (activerecord): Potential SQL Injection with limit in rails/activerecord posted in •
	Oct 24	CVE-2011-0449 (actionpack): Filter Problems on Case-Insensitive Filesystems in rails/actionpack posted in •
	Oct 24	CVE-2011-2197 (activesupport): Potential XSS Vulnerability in Ruby on Rails Applications posted in •
	Oct 24	CVE-2011-2929 (actionpack): Filter Skipping Vulnerability in Ruby on Rails 3.0/actionpack posted in •
	Oct 24	CVE-2011-2930 (activerecord): SQL Injection Vulnerability in quote_table_name in rails/activerecord posted in •
	Oct 24	CVE-2011-2931 (actionpack): XSS Vulnerability in strip_tags helper in rails/actionpack posted in •
	Oct 24	CVE-2011-2932 (activesupport): UTF-8 escaping vulnerability in rails/activesupport posted in •
	Oct 24	CVE-2011-3187 (actionpack): Ruby on rails 3.0.5 Remote_IP.rb Input Validation in rails/actionpack posted in •
	Oct 24	CVE-2011-4319 (actionpack): Cross-site Scripting vulnerability in i18n translations helper method posted in •
	Oct 24	CVE-2012-1989 (puppet): Arbitrary File Write Access in Puppet posted in •
	Oct 24	CVE-2012-2660 (actionpack): Unsafe Query Generation Risk in Ruby on Rails posted in •
	Oct 24	CVE-2012-2694 (actionpack): Unsafe Query Generation Risk in Ruby on Rails posted in •
	Oct 24	CVE-2012-2695 (activerecord): SQL Injection Vulnerability in Ruby on Rails posted in •
	Oct 24	CVE-2012-3408 (puppet): Agent Imprersonation in Puppet posted in •
	Oct 24	CVE-2012-3865 (puppet): Arbitrary file delete/D.O.S on Puppet Master posted in •
	Oct 24	CVE-2012-3866 (puppet): last_run_report.yaml is world readable posted in •
	Oct 24	CVE-2012-3867 (puppet): Insufficient input validation posted in •
	Oct 24	CVE-2012-6662 (jquery-ui-rails): Moderate severity vulnerability that affects jquery-ui posted in •
	Oct 24	CVE-2012-6684 (redcloth): RedCloth Cross-site Scripting vulnerability posted in •
	Oct 24	CVE-2013-1655 (puppet): Unauthenticated Remote Code Execution Vulnerability posted in •
	Oct 24	CVE-2013-1812 (ruby-openid): Vulnerable to XIE DoS attacks posted in •
	Oct 24	CVE-2013-3567 (puppet): Unauthenticated Remote Code Execution Vulnerability posted in •
	Oct 24	CVE-2013-4761 (puppet): Puppet `resource_type` Remote Code Execution Vulnerability posted in •
	Oct 24	CVE-2014-0081 (rails): Rails vulnerable to Cross-site Scripting posted in •
	Oct 24	CVE-2014-3248 (puppet): Moderate severity vulnerability that affects facter, hiera, mcollective-client, and puppet posted in •
	Oct 24	CVE-2016-7798 (openssl): Incorrect handling of initialization vector in the GCM mode in OpenSSL posted in •
	Oct 09	CVE-2017-0903 (rubygems-update): Unsafe Object Deserialization Vulnerability in RubyGems posted in •
	Sep 19	CVE-2017-9050 (nokogiri): Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities posted in •
	Aug 29	CVE-2017-0899 (rubygems-update): RubyGems ANSI escape sequence vulnerability posted in •
	Aug 29	CVE-2017-0900 (rubygems-update): RubyGems DoS vulnerability in the query command posted in •
	Aug 29	CVE-2017-0901 (rubygems-update): RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files posted in •
	Aug 29	CVE-2017-0902 (rubygems-update): RubyGems DNS request hijacking vulnerability posted in •
	Jul 11	CVE-2017-16833 (gemirro): Stored XSS in "gemirro" via injection in Gemspec "homepage" value posted in •
	Jun 16	CVE-2016-1000221 (logstash-core): Logstash Logs Sensitive Information posted in •
	May 09	CVE-2017-5029 (nokogiri): Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 posted in •
	May 08	CVE-2017-1002201 (haml): haml failure to escape single quotes posted in •
	May 01	CVE-2017-8418 (rubocop): RuboCop gem Insecure use of /tmp posted in •
	Apr 05	CVE-2017-7540 (safemode): Safemode Gem for Ruby is vulnerable to bypassing safe mode limitations posted in •
	Mar 11	CVE-2016-4658 (nokogiri): Nokogiri gem contains several vulnerabilities in libxml2 and libxslt posted in •
	Feb 27	CVE-2017-5946 (rubyzip): Directory traversal vulnerability in rubyzip posted in •
	Jan 11	CVE-2017-18076 (omniauth): omniauth leaks authenticity token in callback params posted in •
2016	Dec 21	CVE-2016-10522 (rails_admin): CSRF vulnerability in rails_admin posted in •
	Nov 09	CVE-2016-10345 (passenger): Predictable tmp File Path Vulnerability in Phusion Passenger posted in •
	Oct 06	CVE-2016-7954 (bundler): Allows an attacker to inject arbitrary code into your application via any secondary Gem source declared in your Gemfile posted in •
	Aug 27	CVE-2016-7103 (jquery-ui-rails): XSS Vulnerability on closeText option of Dialog jQuery UI posted in •
	Aug 22	CVE-2016-10173 (minitar): Minitar Directory Traversal Vulnerability posted in •
	Aug 18	CVE-2016-6582 (doorkeeper): Doorkeeper gem does not revoke tokens & uses wrong auth/auth method posted in •
	Aug 11	CVE-2016-6316 (actionview): Possible XSS Vulnerability in Action View posted in •
	Aug 11	CVE-2016-6317 (activerecord): Unsafe Query Generation Risk in Active Record posted in •
	Jul 27	CVE-2016-10735 (bootstrap): XSS vulnerability via data-target in bootstrap posted in •
	Jun 24	CVE-2016-5697 (ruby-saml): XML signature wrapping attack posted in •
	Jun 16	CVE-2016-10362 (logstash-core): Logstash Logs Sensitive Information posted in •
	Jun 07	CVE-2015-8806 (nokogiri): Denial of service or RCE from libxml2 and libxslt posted in •
	May 18	CVE-2016-4442 (rack-mini-profiler): rack-mini-profiler may disclose information to unauthorized users posted in •
	Apr 26	CVE-2016-2785 (puppet): Puppet Improper Access Control posted in •
	Apr 23	CVE-2016-10194 (festivaltts4r): festivaltts4r Gem for Ruby Arbitrary Command Execution posted in •
	Apr 20	CVE-2016-3693 (safemode): Safemode Gem for Ruby is vulnerable to information disclosure posted in •
	Apr 13	CVE-2016-10193 (espeak-ruby): espeak-ruby Gem for Ruby Arbitrary Command Execution posted in •
	Apr 01	CVE-2016-3098 (administrate): Cross-site request forgery (CSRF) vulnerability in administrate gem posted in •
	Feb 29	CVE-2016-2097 (actionview): Possible Information Leak Vulnerability in Action View posted in •
	Feb 29	CVE-2016-2098 (actionpack): Possible remote code execution vulnerability in Action Pack posted in •
	Jan 25	CVE-2015-7576 (actionpack): Timing attack vulnerability in basic authentication in Action Controller. posted in •
	Jan 25	CVE-2015-7577 (activerecord): Nested attributes rejection proc bypass in Active Record posted in •
	Jan 25	CVE-2015-7578 (rails-html-sanitizer): Possible XSS vulnerability in rails-html-sanitizer posted in •
	Jan 25	CVE-2015-7579 (rails-html-sanitizer): XSS vulnerability in rails-html-sanitizer posted in •
	Jan 25	CVE-2015-7580 (rails-html-sanitizer): Possible XSS vulnerability in rails-html-sanitizer posted in •
	Jan 25	CVE-2015-7581 (actionpack): Object leak vulnerability for wildcard controller routes in Action Pack posted in •
	Jan 25	CVE-2016-0751 (actionpack): Possible Object Leak and Denial of Service attack in Action Pack posted in •
	Jan 25	CVE-2016-0752 (actionview): Possible Information Leak Vulnerability in Action View posted in •
	Jan 25	CVE-2016-0753 (activemodel): Possible Input Validation Circumvention in Active Model posted in •
	Jan 19	CVE-2015-7499 (nokogiri): Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 posted in •
	Jan 18	CVE-2015-8314 (devise): Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie posted in •
	Jan 14	CVE-2015-7565 (ember-source): Ember.js XSS Vulnerability with User-Supplied JSON posted in •
	Jan 12	CVE-2017-1000043 (mapbox-rails): mapbox-rails Content Injection via TileJSON Name posted in •
	Jan 12	OSVDB-132871 (mapbox-rails): mapbox-rails Content Injection via TileJSON Name posted in •
	Jan 08	OSVDB-132800 (auto_select2): auto_select2 Gem for Ruby allows arbitrary search execution posted in •
	Jan 04	CVE-2015-7541 (colorscore): colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection posted in •
2015	Dec 18	OSVDB-132234 (rack-attack): rack-attack Gem for Ruby missing normalization before request path processing posted in •
	Dec 15	CVE-2015-5312 (nokogiri): Nokogiri gem contains several vulnerabilities in libxml2 posted in •
	Dec 15	CVE-2015-8969 (git-fastclone): git-fastclone Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Dec 11	CVE-2015-8968 (git-fastclone): git-fastclone permits arbitrary shell command execution from .gitmodules posted in •
	Dec 09	CVE-2015-9097 (mail): CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses posted in •
	Nov 23	CVE-2015-7519 (passenger): Phusion Passenger Server allows to overwrite headers in some cases posted in •
	Nov 17	OSVDB-131671 (mustache-js-rails): mustache.js - quoteless attributes in templates can lead to XSS posted in •
	Oct 24	CVE-2017-1000042 (mapbox-rails): mapbox-rails Content Injection via TileJSON attribute posted in •
	Oct 24	OSVDB-129854 (mapbox-rails): mapbox-rails Content Injection via TileJSON attribute posted in •
	Sep 20	CVE-2015-7314 (gollum): gollum Upload File Functionality Permits Arbitrary File Access posted in •
	Sep 17	CVE-2015-7225 (devise-two-factor): devise-two-factor 1.1.0 and earlier vulnerable to replay attacks posted in •
	Aug 24	OSVDB-131671 (handlebars-source): handlebars.js - quoteless attributes in templates can lead to XSS posted in •
	Aug 20	CVE-2015-5619 (logstash-core): Logstash: Man-In-The Middle attack posted in •
	Jul 28	OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure posted in •
	Jul 21	CVE-2015-5378 (logstash-core): Logstash: SSL/TLS FREAK Attack posted in •
	Jul 21	CVE-2015-8857 (uglifier): uglifier incorrectly handles non-boolean comparisons during minification posted in •
	Jul 21	OSVDB-126747 (uglifier): uglifier incorrectly handles non-boolean comparisons during minification posted in •
	Jul 20	OSVDB-125701 (spree): Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure posted in •
	Jul 17	OSVDB-126331 (sidekiq-pro): Sidekiq Pro Gem for Ruby CSRF in Job Filtering posted in •
	Jul 13	CVE-2017-11173 (rack-cors): rack-cors Gem Missing Anchor permits unauthorized CORS requests posted in •
	Jul 06	OSVDB-125675 (sidekiq): Sidekiq Gem for Ruby Multiple Unspecified CSRF posted in •
	Jun 30	OSVDB-124383 (ruby-saml): Ruby-Saml Gem is vulnerable to entity expansion attacks posted in •
	Jun 22	CVE-2015-5147 (redcarpet): redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow posted in •
	Jun 16	CVE-2015-1840 (jquery-ujs): CSRF Vulnerability in jquery-ujs posted in •
	Jun 16	CVE-2015-3224 (web-console): IP whitelist bypass in Web Console posted in •
	Jun 16	CVE-2015-3225 (rack): Potential Denial of Service Vulnerability in Rack posted in •
	Jun 16	CVE-2015-3226 (activesupport): XSS Vulnerability in ActiveSupport::JSON.encode posted in •
	Jun 16	CVE-2015-3227 (activesupport): Possible Denial of Service attack in Active Support posted in •
	Jun 16	CVE-2015-4619 (spina): Cross-site request forgery (CSRF) vulnerability in Spina gem posted in •
	Jun 08	CVE-2015-4020 (rubygems-update): RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking posted in •
	Jun 05	CVE-2015-2963 (paperclip): Paperclip Gem for Ruby vulnerable to content type spoofing posted in •
	Jun 04	CVE-2015-4410 (moped): Data Injection Vulnerability in moped Rubygem posted in •
	Jun 04	CVE-2015-4412 (bson): Data Injection Vulnerability in bson Rubygem posted in •
	Jun 04	OSVDB-125676 (sidekiq): Sidekiq Gem for Ruby web/views/queue.erb Element Reflected XSS posted in •
	May 25	CVE-2015-9284 (omniauth): CSRF vulnerability in OmniAuth's request phase posted in •
	May 14	CVE-2015-3900 (rubygems-update): CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint() posted in •
	May 11	OSVDB-126329 (sidekiq-pro): Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements Reflected XSS posted in •
	May 05	CVE-2015-3649 (open-uri-cached): open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege Escalation posted in •
	Apr 29	CVE-2015-20108 (ruby-saml): ruby-saml gem is vulnerable to XPath injection posted in •
	Apr 29	CVE-2015-3448 (rest-client): rest-client ruby gem logs sensitive information posted in •
	Apr 29	OSVDB-124991 (ruby-saml): Ruby-Saml Gem is vulnerable to XPath Injection posted in •
	Apr 21	OSVDB-125678 (sidekiq): Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS posted in •
	Apr 15	OSVDB-120857 (refile): refile Gem for Ruby contains a remote code execution vulnerability posted in •
	Apr 14	CVE-2015-1819 (nokogiri): Nokogiri gem contains several vulnerabilities in libxml2 and libxslt posted in •
	Apr 14	CVE-2015-1866 (ember-source): Ember.js XSS Vulnerability With {{view "select"}} Options posted in •
	Apr 07	OSVDB-120415 (redcarpet): redcarpet Gem for Ruby markdown.c parse_inline() Function XSS posted in •
	Mar 24	CVE-2015-1820 (rest-client): CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses posted in •
	Mar 24	CVE-2015-1828 (http): HTTPS MitM vulnerability in http.rb posted in •
	Mar 05	OSVDB-119205 (spree): Spree API Information Disclosure CSRF posted in •
	Feb 17	CVE-2015-2179 (xaviershay-dm-rails): xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table posted in •
	Feb 16	CVE-2015-1585 (fat_free_crm): Fat Free CRM Gem being vulnerable to CSRF-type attacks posted in •
	Feb 10	CVE-2015-1426 (facter): Puppet Labs Facter allows local users to obtains sensitive Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node. posted in •
	Feb 10	OSVDB-118830 (doorkeeper): Doorkeeper Gem for Ruby stores sensitive information in production logs posted in •
	Feb 03	OSVDB-117903 (ruby-saml): Ruby-Saml Gem is vulnerable to arbitrary code execution posted in •
2014	Dec 18	CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier. posted in •
	Dec 08	CVE-2014-9490 (sentry-raven): sentry-raven Gem for Ruby contains a flaw that can result in a denial of service posted in •
	Dec 04	CVE-2014-9489 (gollum-grit_adapter): gollum-grit_adapter Search Functionality Allows Arbitrary Command Execution posted in •
	Nov 17	CVE-2014-7829 (actionpack): Arbitrary file existence disclosure in Action Pack posted in •
	Oct 30	CVE-2014-7818 (actionpack): Arbitrary file existence disclosure in Action Pack posted in •
	Oct 30	CVE-2014-7819 (sprockets): CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure posted in •
	Oct 13	OSVDB-126330 (sidekiq-pro): Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS posted in •
	Sep 29	OSVDB-112346 (web-console): Web Console Gem for Ruby contains an unspecified flaw posted in •
	Sep 27	CVE-2014-10077 (i18n): i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS posted in •
	Sep 25	OSVDB-112683 (as): as Gem for Ruby Process List Local Plaintext Credentials Disclosure posted in •
	Sep 04	OSVDB-110796 (flavour_saver): FlavourSaver handlebars helper remote code execution. posted in •
	Aug 25	OSVDB-110439 (dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution posted in •
	Aug 22	CVE-2014-5441 (fat_free_crm): Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability posted in •
	Aug 18	CVE-2014-3514 (activerecord): Data Injection Vulnerability in Active Record posted in •
	Aug 13	CVE-2013-0334 (bundler): CVE-2013-0334 rubygem-bundler: 'bundle install' may install a gem from a source other than expected posted in •
	Jul 09	CVE-2014-5004 (brbackup): brbackup Gem for Ruby Process List Local Plaintext Password Disclosure posted in •
	Jul 09	OSVDB-108899 (brbackup): brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection posted in •
	Jul 09	OSVDB-108900 (brbackup): brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution posted in •
	Jul 02	CVE-2014-3482 (activerecord): CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting posted in •
	Jul 02	CVE-2014-3483 (activerecord): CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in 'range' quoting posted in •
	Jun 30	CVE-2014-10075 (karo): karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	CVE-2014-4991 (codders-dataset): codders-dataset Gem for Ruby lib/dataset/database/mysql.rb and lib/dataset/database/postgresql.rb Process Table Local Plaintext Credential Disclosure posted in •
	Jun 30	CVE-2014-4992 (cap-strap): cap-strap Gem for Ruby Process Table Local Plaintext Credential Disclosure posted in •
	Jun 30	CVE-2014-4993 (backup_checksum): backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Process List Local Plaintext Password Disclosure posted in •
	Jun 30	CVE-2014-4994 (gyazo): gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	CVE-2014-4995 (VladTheEnterprising): VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact posted in •
	Jun 30	CVE-2014-4996 (VladTheEnterprising): VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact posted in •
	Jun 30	CVE-2014-4997 (point-cli): point-cli Gem for Ruby /lib/commands/setup.rb Process Table Local Plaintext Credential Disclosure posted in •
	Jun 30	CVE-2014-4998 (lean-ruport): lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext MySQL Password Disclosure posted in •
	Jun 30	CVE-2014-4999 (kajam): kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List Local Plaintext Password Disclosure posted in •
	Jun 30	CVE-2014-5000 (lawn-login): lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password Disclosure posted in •
	Jun 30	CVE-2014-5001 (kcapifony): kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password Disclosure posted in •
	Jun 30	CVE-2014-5002 (lynx): lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password Disclosure posted in •
	Jun 30	CVE-2014-5003 (ciborg): ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File Overwrite posted in •
	Jun 30	OSVDB-108530 (kajam): kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	OSVDB-108570 (backup_checksum): backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	OSVDB-108572 (kcapifony): kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	OSVDB-108573 (karo): karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	OSVDB-108575 (cap-strap): cap-strap Gem for Ruby Hardcoded Password Crypt Hash Salt Weakness posted in •
	Jun 30	OSVDB-108579 (lynx): lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command Execution posted in •
	Jun 30	OSVDB-108585 (lingq): lingq Gem for Ruby client.rb Metacharacter Handling Remote Command Execution posted in •
	Jun 30	OSVDB-108593 (kompanee-recipes): kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb Multiple Variable Handling Remote Command Execution Weakness posted in •
	Jun 30	OSVDB-108594 (gnms): gnms Gem for Ruby /lib/cmd_parse.rb ip Variable Shell Metacharacter Handling Remote Command Injection posted in •
	Jun 07	OSVDB-107783 (screen_capture): Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command Execution posted in •
	May 06	CVE-2014-0130 (actionpack): Directory Traversal Vulnerability With Certain Route Configurations posted in •
	Apr 30	OSVDB-118481 (nokogiri): Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS posted in •
	Apr 24	OSVDB-106279 (jruby-sandbox): jruby-sandbox Java Class Importation Sandbox Bypass posted in •
	Apr 16	CVE-2014-2888 (sfpagent): sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution posted in •
	Mar 28	CVE-2014-0156 (awesome_spawn): OS command injection flaw in awesome_spawn posted in •
	Mar 25	CVE-2014-4920 (twitter-bootstrap-rails): Reflective XSS Vulnerability in twitter-bootstrap-rails posted in •
	Mar 13	CVE-2014-0135 (kafo): CVE-2014-0135 rubygem-kafo: temporary file creation vulnerability when creating /tmp/default_values.yaml posted in •
	Mar 10	CVE-2014-2322 (Arabic-Prawn): Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote Command Injection posted in •
	Mar 05	CVE-2014-0036 (rbovirt): CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client posted in •
	Feb 18	CVE-2014-0080 (activerecord): CVE-2014-0080 rubygem-activerecord: PostgreSQL array data injection vulnerability posted in •
	Feb 18	CVE-2014-0081 (actionpack): CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability posted in •
	Feb 18	CVE-2014-0082 (actionpack): CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service posted in •
	Feb 13	CVE-2014-0083 (net-ldap): CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated by the net-ldap Ruby gem use a weak salt posted in •
	Feb 07	CVE-2014-0046 (ember-source): Ember.js XSS Vulnerability With {{link-to}} Helper in Non-block Form posted in •
	Jan 31	OSVDB-103151 (paperclip): Paperclip: Access Restriction Bypass posted in •
	Jan 29	CVE-2014-1832 (passenger): CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files posted in •
	Jan 28	CVE-2014-1831 (passenger): CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary files posted in •
	Jan 14	CVE-2014-0013 (ember-source): Ember.js Potential XSS Exploit With User-Supplied Data When Binding Primitive Values posted in •
	Jan 14	CVE-2014-0014 (ember-source): Ember.js Potential XSS Exploit With User-Supplied Data When Using {{group}} Helper posted in •
	Jan 14	CVE-2014-1834 (echor): echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command Execution posted in •
	Jan 14	CVE-2014-1835 (echor): echor Gem for Ruby Process Listing Local Plaintext Credential Disclosure posted in •
	Jan 08	CVE-2014-1234 (paratrooper-newrelic): Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure posted in •
2013	Dec 31	OSVDB-101577 (flukso4r): flukso4r Gem for Ruby /lib/flukso/R.rb Arbitrary Command Execution posted in •
	Dec 26	CVE-2014-1233 (paratrooper-pingdom): paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials Local Disclosure posted in •
	Dec 24	CVE-2013-7222 (fat_free_crm): Fat Free CRM Gem for Ruby lack of support for cycling the Rails session secret posted in •
	Dec 24	CVE-2013-7223 (fat_free_crm): Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF) vulnerabilities posted in •
	Dec 24	CVE-2013-7224 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive informations posted in •
	Dec 24	CVE-2013-7225 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate SQL queries posted in •
	Dec 24	CVE-2013-7249 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive informations posted in •
	Dec 14	CVE-2013-6460 (nokogiri): CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents posted in •
	Dec 14	CVE-2013-6461 (nokogiri): CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities posted in •
	Dec 14	CVE-2013-7111 (bio-basespace-sdk): Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure posted in •
	Dec 12	CVE-2013-7086 (webbynode): Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution posted in •
	Dec 03	CVE-2013-4491 (actionpack): Reflective XSS Vulnerability in Ruby on Rails posted in •
	Dec 03	CVE-2013-4492 (i18n): i18n missing translation error message XSS posted in •
	Dec 03	CVE-2013-6414 (actionpack): Denial of Service Vulnerability in Action View posted in •
	Dec 03	CVE-2013-6415 (actionpack): XSS Vulnerability in number_to_currency posted in •
	Dec 03	CVE-2013-6416 (actionpack): XSS Vulnerability in simple_format helper posted in •
	Dec 03	CVE-2013-6417 (actionpack): Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) posted in •
	Dec 02	CVE-2013-6421 (sprout): sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution posted in •
	Nov 14	CVE-2013-4593 (omniauth-facebook): omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass posted in •
	Nov 12	CVE-2013-4562 (omniauth-facebook): omniauth-facebook Gem for Ruby Unspecified CSRF posted in •
	Nov 04	CVE-2013-4489 (gitlab-grit): GitLab Grit Gem for Ruby contains a flaw posted in •
	Oct 29	CVE-2013-4478 (sup): Sup wrongly handled the filename of attachments posted in •
	Oct 29	CVE-2013-4479 (sup): Sup did not sanitize the content-type of attachments posted in •
	Oct 22	CVE-2013-4457 (cocaine): Cocaine Gem for Ruby contains a flaw posted in •
	Oct 16	CVE-2013-4389 (actionmailer): CVE-2013-4389 rubygem-actionmailer: email address processing DoS posted in •
	Oct 08	CVE-2013-4413 (wicked): Wicked Gem for Ruby contains a flaw posted in •
	Oct 01	CVE-2013-7463 (aescrypt): Vulnerability in aescrypt because IV is not randomized posted in •
	Sep 24	CVE-2013-4363 (rubygems-update): CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, incomplete CVE-2013-4287 fix posted in •
	Sep 19	CVE-2013-6459 (will_paginate): CVE-2013-6459 rubygem-will_paginate: XSS vulnerabilities posted in •
	Sep 09	CVE-2013-4287 (rubygems-update): CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability posted in •
	Sep 03	CVE-2013-5671 (fog-dragonfly): fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution posted in •
	Sep 01	CVE-2013-4318 (features): Features Gem for Ruby /tmp/out.html Local XSS posted in •
	Aug 14	CVE-2013-5647 (sounder): Sounder Gem for Ruby File Name Handling Arbitrary Command Execution posted in •
	Aug 03	OSVDB-96425 (redis-namespace): redis-namespace Gem for Ruby contains a flaw in the method_missing implementation posted in •
	Aug 02	CVE-2013-4203 (rgpg): rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution posted in •
	Aug 02	OSVDB-114435 (devise): CSRF token fixation attacks in Devise posted in •
	Jul 25	CVE-2013-4170 (ember-source): Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data posted in •
	Jul 09	CVE-2014-2538 (rack-ssl): CVE-2014-2538 rubygem rack-ssl: URL error display XSS posted in •
	Jun 26	OSVDB-94679 (enum_column3): enum_column3 Gem for Ruby Symbol Creation Remote DoS posted in •
	Jun 10	CVE-2013-4136 (passenger): CVE-2013-4136 rubygem-passenger: insecure temporary directory usage due toreuse of existing server instance directories posted in •
	May 29	CVE-2013-2119 (passenger): CVE-2013-2119 rubygem-passenger: incorrect temporary file usage posted in •
	May 17	CVE-2013-2105 (show_in_browser): Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection posted in •
	May 14	CVE-2013-2090 (cremefraiche): Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Apr 13	CVE-2013-1948 (md2pdf): md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Apr 08	CVE-2013-1933 (karteek-docsplit): Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Apr 04	CVE-2013-1947 (kelredd-pruview): kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Apr 01	CVE-2013-1911 (ldoce): ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Mar 26	CVE-2013-1898 (thumbshooter): Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution posted in •
	Mar 19	CVE-2013-1854 (activerecord): CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability posted in •
	Mar 19	CVE-2013-1855 (actionpack): CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css posted in •
	Mar 19	CVE-2013-1856 (activesupport): XML Parsing Vulnerability affecting JRuby users posted in •
	Mar 19	CVE-2013-1857 (actionpack): CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails posted in •
	Mar 18	CVE-2013-1875 (command_wrap): command_wrap Gem for Ruby URI Handling Arbitrary Command Injection posted in •
	Mar 13	CVE-2013-2615 (fastreader): fastreader Gem for Ruby URI Handling Arbitrary Command Injection posted in •
	Mar 12	CVE-2013-2616 (mini_magick): MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection posted in •
	Mar 12	CVE-2013-2617 (curl): CVE-2013-2617 rubygem-curl: insufficient URL escaping command injection posted in •
	Mar 04	CVE-2013-2513 (flash_tool): flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution posted in •
	Feb 28	CVE-2013-2512 (ftpd): ftpd Gem for Ruby Shell Character Handling Remote Command Injection posted in •
	Feb 28	CVE-2013-2516 (fileutils): fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command Execution posted in •
	Feb 25	OSVDB-114854 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection posted in •
	Feb 21	CVE-2013-0162 (ruby_parser): CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage posted in •
	Feb 21	CVE-2013-1607 (pdfkit): PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution posted in •
	Feb 21	CVE-2013-1656 (spree): Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution posted in •
	Feb 21	CVE-2013-2506 (spree_auth_devise): Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation posted in •
	Feb 19	CVE-2013-1756 (fog-dragonfly): Dragonfly Gem for Ruby Crafted Request Parsing Remote Code Execution posted in •
	Feb 12	CVE-2013-0269 (json): CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection posted in •
	Feb 12	OSVDB-115090 (bundler): Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing posted in •
	Feb 12	OSVDB-115091 (bundler): Bundler Gem for Ruby Redirection Remote HTTP Basic Authentication Credential Disclosure posted in •
	Feb 11	CVE-2013-0276 (activerecord): CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected posted in •
	Feb 11	CVE-2013-0277 (activerecord): CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability with Rails 2.3 and 3.0 posted in •
	Feb 07	CVE-2013-0262 (rack): CVE-2013-0262 rubygem-rack: Path sanitization information disclosure posted in •
	Feb 07	CVE-2013-0263 (rack): CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions posted in •
	Feb 06	CVE-2013-0256 (rdoc): CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template posted in •
	Jan 28	CVE-2013-0233 (devise): Devise Database Type Conversion Crafted Request Parsing Security Bypass posted in •
	Jan 28	CVE-2013-0333 (activesupport): CVE-2013-0333 rubygem-activesupport: json to yaml parsing posted in •
	Jan 14	CVE-2013-1801 (httparty): httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution posted in •
	Jan 13	CVE-2013-0184 (rack): CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS posted in •
	Jan 11	CVE-2013-0175 (multi_xml): multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution posted in •
	Jan 10	CVE-2013-0285 (nori): Ruby Gem nori Parameter Parsing Remote Code Execution posted in •
	Jan 09	CVE-2013-1800 (crack): CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability posted in •
	Jan 08	CVE-2013-0155 (activerecord): CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails posted in •
	Jan 08	CVE-2013-0156 (actionpack): CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack posted in •
	Jan 08	CVE-2013-1802 (extlib): extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution posted in •
	Jan 07	CVE-2013-0183 (rack): CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error posted in •
2012	Dec 22	CVE-2012-6496 (activerecord): Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass posted in •
	Dec 21	CVE-2012-6497 (authlogic): Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness posted in •
	Dec 06	CVE-2013-0284 (newrelic_rpm): Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information posted in •
	Dec 04	CVE-2012-5604 (ldap_fluff): CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication bypass when handling anonymous LDAP bind posted in •
	Sep 25	CVE-2012-2125 (rubygems-update): CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23 posted in •
	Sep 08	CVE-2012-6134 (omniauth-oauth2): Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability posted in •
	Sep 08	OSVDB-90945 (loofah): Loofah HTML and XSS injection vulnerability posted in •
	Aug 09	CVE-2012-3463 (actionpack): CVE-2012-3463 rubygem-actionpack: potential XSS vulnerability in select_tag prompt posted in •
	Aug 09	CVE-2012-3464 (activesupport): CVE-2012-3464 rubygem-actionpack: potential XSS vulnerability posted in •
	Aug 09	CVE-2012-3465 (actionpack): CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags posted in •
	Aug 08	CVE-2010-5142 (chef): Chef Improper Access Control Vulnerability posted in •
	Jul 26	CVE-2012-3424 (actionpack): CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest posted in •
	Jul 02	OSVDB-125712 (spree): Product Scopes could allow for unauthenticated remote command execution posted in •
	Jul 02	OSVDB-125713 (spree): Potential XSS vulnerability related to the analytics dashboard posted in •
	Jun 08	CVE-2012-6685 (nokogiri): CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity (XXE) flaw posted in •
	Jun 06	CVE-2012-2671 (rack-cache): rack-cache Rubygem Sensitive HTTP Header Caching Weakness posted in •
	May 31	CVE-2012-2660 (activerecord): CVE-2012-2660 rubygem-actionpack: Unsafe query generation posted in •
	May 31	CVE-2012-2661 (activerecord): CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested query paramaters posted in •
	May 29	CVE-2012-1053 (puppet): Puppet Privilege Escallation posted in •
	May 29	CVE-2012-1906 (puppet): Puppet uses predictable filenames, allowing arbitrary file overwrite posted in •
	May 11	OSVDB-96396 (activemodel): Don't allow confirmation to pass if confirmation value is nil and doesn't match value. posted in •
	May 04	CVE-2012-6109 (rack): CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS posted in •
	Apr 20	CVE-2012-2126 (rubygems-update): CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23 posted in •
	Mar 14	CVE-2012-2139 (mail): CVE-2012-2139 rubygem-mail: directory traversal posted in •
	Mar 14	CVE-2012-2140 (mail): CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline posted in •
	Mar 01	CVE-2012-1098 (activesupport): CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe buffers can be marked as safe) posted in •
	Mar 01	CVE-2012-1099 (actionpack): CVE-2012-1099 rubygem-actionpack: XSS in the "select" helper posted in •
	Feb 29	CVE-2012-6684 (RedCloth): CVE-2012-6684 rubygem-RedCloth: XSS vulnerability posted in •
	Feb 01	CVE-2012-6135 (passenger): Phusion Passenger Gem for Ruby Arbitrary File Deletion posted in •
2011	Dec 28	CVE-2011-5036 (rack): CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003) posted in •
	Nov 17	CVE-2011-4319 (actionpack): XSS vulnerability in the translate helper method in Ruby on Rails posted in •
	Oct 27	CVE-2011-3870 (puppet): Puppet allows local users to modify the permissions of arbitrary files posted in •
	Oct 27	CVE-2011-3871 (puppet): Puppet uses predictable filenames, allowing arbitrary file overwrite posted in •
	Oct 05	OSVDB-76011 (spree): Spree Search ProductScope Class search[send][] Parameter Arbitrary Command Execution posted in •
	Sep 20	OSVDB-115917 (bundler): Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential Disclosure posted in •
	Sep 01	CVE-2011-4969 (jquery-rails): jQuery vulnerable to Cross-Site Scripting (XSS) posted in •
	Sep 01	OSVDB-97854 (fog-dragonfly): Dragonfly Gem for Ruby on Windows Shell Escaping Weakness posted in •
	Aug 16	CVE-2011-3186 (actionpack): Response Splitting Vulnerability in Ruby on Rails posted in •
	May 13	CVE-2011-0995 (sqlite3-ruby): rubygem-sqlite3 gem uses weak file permissions posted in •
	Apr 19	OSVDB-73751 (spree): Spree Content Controller Unspecified Arbitrary File Disclosure posted in •
	Jan 25	CVE-2011-0739 (mail): Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection posted in •
	Jan 12	OSVDB-106954 (quick_magick): quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String Handling Remote Command Injection posted in •
2010	Nov 02	CVE-2010-3978 (spree): Spree Multiple Script JSON Request Validation Weakness Remote Information Disclosure posted in •
	Aug 12	OSVDB-114600 (curb): curb Gem for Ruby Empty http_put Body Handling Remote DoS posted in •
	Apr 27	OSVDB-110439 (fog-dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution posted in •
	Feb 01	OSVDB-62067 (bcrypt): bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only) posted in •
2009	Dec 07	CVE-2009-4123 (jruby-openssl): jruby-openssl Gem for JRuby fails to do proper certificate validation posted in •
	Jul 10	CVE-2009-2422 (rails): High Security Vulnerability with authenticate_with_http_digest of Rails posted in •
2008	Dec 08	CVE-2008-4310 (webrick): WEBrick Denial of Service Vulnerability posted in •
	Oct 10	OSVDB-95376 (activerecord-oracle_enhanced-adapter): Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection posted in •
	Sep 22	CVE-2008-7310 (spree): Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation posted in •
	Aug 15	OSVDB-95749 (activeresource): activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String posted in •
	Aug 12	CVE-2008-7311 (spree): Spree Hardcoded config.action_controller_session Hash Value Cryptographic Protection Weakness posted in •
2007	Nov 27	CVE-2007-6183 (gtk2): CVE-2007-6183 ruby-gnome2: format string vulnerability posted in •
	Jun 15	OSVDB-95668 (builder): Builder Gem for Ruby Tag Name Handling Private Method Exposure posted in •
	May 21	OSVDB-101157 (json): json Gem for Ruby Data Handling Stack Buffer Overflow posted in •
	Jan 22	CVE-2007-0469 (rubygems-update): CVE-2007-0469 RubyGems: Specially-crafted Gem archive can overwrite system files posted in •
2006	May 14	CVE-2006-2581 (rwiki): RWiki before 2.1.1 has cross-site scripting vulnerability posted in •
	May 14	CVE-2006-2582 (rwiki): High severity vulnerability that affects rwiki posted in •

Advisory Archive

2024

Apr 16

posted in •

Mar 25

posted in •

Mar 21

posted in •

Mar 21

posted in •

Mar 18

posted in •

Mar 18

posted in •

Mar 15

posted in •

Mar 12

posted in •

Mar 12

posted in •

Feb 29

posted in •

Feb 28

posted in •

Feb 26

posted in •

Feb 21

posted in •

Feb 21

posted in •

Feb 21

posted in •

Feb 21

posted in •

Feb 21

posted in •

Feb 21

posted in •

Feb 20

posted in •

Feb 20

posted in •

Feb 20

posted in •

Feb 20

posted in •

Feb 13

posted in •

Feb 04

posted in •

Feb 04

posted in •

Jan 17

posted in •

Jan 16

posted in •

Jan 12

posted in •

Jan 08

posted in •

Jan 04

posted in •

Jan 03

posted in •

2023

Dec 24

posted in •

Dec 18

posted in •

Dec 18

posted in •

Dec 18

posted in •

Dec 18

posted in •

Dec 15

posted in •

Dec 06

posted in •

Nov 29