Rubygems

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2017-0901 4Canonical DebianRedhat+1 more 9Debian Linux Enterprise Linux DesktopEnterprise Linux Server+6 more May 13, 2026 Aug 31, 2017 N/A· v4 7.5 HIGH· v3 6.4 MEDIUM· v2 RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem.
CVE-2017-0900 3Debian RedhatRubygems 8Debian Linux Enterprise Linux DesktopEnterprise Linux Server+5 more May 13, 2026 Aug 31, 2017 N/A· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command.
CVE-2017-0899 3Debian RedhatRubygems 8Debian Linux Enterprise Linux DesktopEnterprise Linux Server+5 more May 13, 2026 Aug 31, 2017 N/A· v4 9.8 CRITICAL· v3 7.5 HIGH· v2 RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences.
CVE-2015-4020 2Oracle Rubygems 2Rubygems Solaris May 6, 2026 Aug 25, 2015 N/A· v4 N/A· v3 4.3 MEDIUM· v2 RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains v...Show more RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900.Show less
CVE-2015-3900 4Oracle RedhatRuby Lang+1 more 4Enterprise Linux RubyRubygems+1 more May 6, 2026 Jun 24, 2015 N/A· v4 N/A· v3 5.0 MEDIUM· v2 RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains v...Show more RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack."Show less
CVE-2013-4363 2Ruby Lang Rubygems 2Ruby Rubygems Apr 29, 2026 Oct 17, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1...Show more Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287.Show less
CVE-2013-4287 3Redhat Ruby LangRubygems 3Enterprise Linux RubyRubygems Apr 29, 2026 Oct 17, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 throu...Show more Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression.Show less
CVE-2012-2126 1Rubygems 1Rubygems Apr 29, 2026 Oct 1, 2013 N/A· v4 N/A· v3 4.3 MEDIUM· v2 RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack.
CVE-2012-2125 1Rubygems 1Rubygems Apr 29, 2026 Oct 1, 2013 N/A· v4 N/A· v3 5.8 MEDIUM· v2 RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack.
CVE-2013-2616 1Rubygems 1Mini Magick Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-2615 1Rubygems 1Fastreader Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
CVE-2013-1875 1Rubygems 1Command Wrap Apr 29, 2026 Mar 20, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
CVE-2013-0269 1Rubygems 1Json Gem Apr 29, 2026 Feb 13, 2013 N/A· v4 N/A· v3 7.5 HIGH· v2 The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted...Show more The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."Show less
CVE-2012-2140 1Rubygems 1Mail Gem Apr 29, 2026 Jul 18, 2012 N/A· v4 N/A· v3 7.5 HIGH· v2 The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
CVE-2012-2139 1Rubygems 1Mail Gem Apr 29, 2026 Jul 18, 2012 N/A· v4 N/A· v3 5.0 MEDIUM· v2 Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.

Previous 12