Here you will find information about security issues in Ruby.
Reporting Security Vulnerabilities
Security vulnerabilities in the Ruby programming language should be reported through our bounty program page at HackerOne. Please read the specific details about the scope of our program before reporting an issue. Valid reports will be published after a fix is released.
If you have found an issue affecting one of our websites, please report it via GitHub.
If you have found an issue that affects a specific Ruby gem, follow the instructions on RubyGems.org.
If you need to get in touch with the security team directly outside of HackerOne, you can send email to security@ruby-lang.org (the PGP public key), which is a private mailing list.
The members of the mailing list are people who provide Ruby (Ruby committers and authors of other Ruby implementations, distributors, PaaS operators). Members must be individual people; mailing lists are not permitted.
Here are recent issues:
- CVE-2018-16395: OpenSSL::X509::Name equality check does not work correctly
- CVE-2018-16396: Tainted flags are not propagated in Array#pack and String#unpack with some directives
- CVE-2018-6914: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
- CVE-2018-8779: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
- CVE-2018-8780: Unintentional directory traversal by poisoned NUL byte in Dir
- CVE-2018-8777: DoS by large request in WEBrick
- CVE-2017-17742: HTTP response splitting in WEBrick
- CVE-2018-8778: Buffer under-read in String#unpack
- Multiple vulnerabilities in RubyGems
- CVE-2017-17405: Command injection vulnerability in Net::FTP
- CVE-2017-10784: Escape sequence injection vulnerability in the Basic authentication of WEBrick
- CVE-2017-0898: Buffer underrun vulnerability in Kernel.sprintf
- CVE-2017-14033: Buffer underrun vulnerability in OpenSSL ASN1 decode
- CVE-2017-14064: Heap exposure vulnerability in generating JSON
- Multiple vulnerabilities in RubyGems
- CVE-2015-7551: Unsafe tainted string usage in Fiddle and DL
- CVE-2015-1855: Ruby OpenSSL Hostname Verification
- CVE-2014-8090: Another Denial of Service XML Expansion
- CVE-2014-8080: Denial of Service XML Expansion
- Changed default settings of ext/openssl
- Dispute of Vulnerability CVE-2014-2734
- OpenSSL Severe Vulnerability in TLS Heartbeat Extension (CVE-2014-0160)
- Heap Overflow in YAML URI Escape Parsing (CVE-2014-2525)
- Heap Overflow in Floating Point Parsing (CVE-2013-4164)
- Hostname check bypassing vulnerability in SSL client (CVE-2013-4073)
- Object taint bypassing in DL and Fiddle in Ruby (CVE-2013-2065)
More known issues:
- Entity expansion DoS vulnerability in REXML (XML bomb, CVE-2013-1821) published on 22 Feb, 2013.
- Denial of Service and Unsafe Object Creation Vulnerability in JSON (CVE-2013-0269) published on 22 Feb, 2013.
- XSS exploit of RDoc documentation generated by rdoc (CVE-2013-0256) published on 6 Feb, 2013.
- Hash-flooding DoS vulnerability for ruby 1.9 (CVE-2012-5371) published on 10 Nov, 2012.
- Unintentional file creation caused by inserting an illegal NUL character (CVE-2012-4522) published on 12 Oct, 2012.
- $SAFE escaping vulnerability in Exception#to_s / NameError#to_s (CVE-2012-4464, CVE-2012-4466) published on 12 Oct, 2012.
- Security Fix for RubyGems: SSL server verification failure for remote repository published on 20 Apr, 2012.
- Security Fix for Ruby OpenSSL module: Allow 0/n splitting as a prevention for the TLS BEAST attack published on 16 Feb, 2012.
- Denial of service attack found in Ruby's Hash algorithm (CVE-2011-4815) published on 28 Dec, 2011.
- Exception methods can bypass $SAFE published on 18 Feb, 2011.
- FileUtils is vulnerable to symlink race attacks published on 18 Feb, 2011.
- XSS in WEBrick (CVE-2010-0541) published on 16 Aug, 2010.
- Buffer over-run in ARGF.inplace_mode= published on 2 Jul, 2010.
- WEBrick has an Escape Sequence Injection vulnerability published on 10 Jan, 2010.
- Heap overflow in String (CVE-2009-4124) published on 7 Dec, 2009.
- DoS vulnerability in BigDecimal published on 9 Jun, 2009.
- DoS vulnerability in REXML published on 23 Aug, 2008.
- Multiple vulnerabilities in Ruby published on 8 Aug, 2008.
- Arbitrary code execution vulnerabilities published on 20 Jun, 2008.
- File access vulnerability of WEBrick published on 3 Mar, 2008.
- Net::HTTPS Vulnerability published on 4 Oct, 2007.
- Another DoS Vulnerability in CGI Library published on 4 Dec, 2006.
- DoS Vulnerability in CGI Library (CVE-2006-5467) published on 3 Nov, 2006.
- Ruby vulnerability in the safe level settings published on 2 Oct, 2005.