Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive

Date       | Rubygem           | Title                                                                                                      | CVE
2019-09-27 | simple_form       | simple_form Gem for Ruby Incorrect Access Control for forms based on user input                            | 2019-16676
2019-09-23 | consul            | Consul gem insufficient authentication check: Multiple powers in one controller are not always checked correctly | 2019-16377
2019-09-12 | rubyzip           | Denial of Service in rubyzip ("zip bombs")                                                                 | 2019-16892
2019-09-08 | devise            | Devise Gem for Ruby confirmation token validation with a blank string                                      | 2019-16109
2019-08-20 | capistrano-colors | Code execution backdoor in capistrano-colors                                                               | 2019-15224
2019-08-20 | coming-soon       | Code execution backdoor in coming-soon                                                                     | 2019-15224
2019-08-20 | bitcoin_vanity    | Code execution backdoor in bitcoin_vanity                                                                  | 2019-15224
2019-08-20 | awesome-bot       | Code execution backdoor in awesome-bot                                                                     | 2019-15224
2019-08-20 | omniauth_amazon   | Code execution backdoor in omniauth_amazon                                                                 | 2019-15224
2019-08-20 | doge-coin         | Code execution backdoor in doge-coin                                                                       | 2019-15224
2019-08-20 | lita_coin         | Code execution backdoor in lita_coin                                                                       | 2019-15224
2019-08-20 | blockchain_wallet | Code execution backdoor in blockchain_wallet                                                               | 2019-15224
2019-08-20 | coin_base         | Code execution backdoor in coin_base                                                                       | 2019-15224
2019-08-20 | cron_parser       | Code execution backdoor in cron_parser                                                                     | 2019-15224
2019-08-19 | rest-client       | Code execution backdoor in rest-client                                                                     | 2019-15224
2019-08-11 | nokogiri          | Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file                            | 2019-5477
2019-08-11 | rexical           | Rexical Command Injection Vulnerability                                                                    | 2019-5477
2019-07-31 | simple_captcha2   | Code backdoor in simple_captcha2                                                                           | 2019-14282
2019-07-31 | datagrid          | Code execution backdoor in datagrid                                                                        | 2019-14281
2019-07-26 | marginalia        | SQL injection vulnerability via Marginalia::Comment                                                        | 2019-1010191
2019-07-16 | slanger           | Arbitrary command execution in slanger                                                                     | 2019-1010306
2019-07-16 | paranoid2         | Code backdoor in paranoid2                                                                                 | 2019-13589
2019-07-12 | mini_magick       | Remote command execution via filename                                                                      | 2019-13574
2019-07-05 | strong_password   | strong_password Ruby gem malicious version causing Remote Code Execution vulnerability                     | 2019-13354
2019-07-02 | yard              | Arbitrary path traversal and file access via `yard server`                                                 | 2019-1020001
2019-07-02 | yard              | Possible arbitrary path traversal and file access via `yard server`                                        |
2019-07-01 | field_test        | Arbitrary Variants Via Query Parameters                                                                    | 2019-13146
2019-06-04 | chartkick         | XSS Vulnerability in Chartkick Ruby Gem                                                                    | 2019-12732
2019-04-22 | nokogiri          | Nokogiri gem, via libxslt, is affected by improper access control vulnerability                            | 2019-11068
2019-04-10 | airbrake-ruby     | Blacklist keys are no longer being filtered in airbrake-ruby                                               | 2019-16060