GCVE - cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ruby-lang:ruby:2.2.2:*:*:*:*:*:*:*

part: a version: 2.2.2 update: *

Vendor	Ruby Lang (`5813a634-c286-5f1d-90d5-a1a352f78d39`)
Product	Ruby (`48f7c14c-c576-5b15-be87-22eeb9add91e`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/ruby/ruby`	purl2cpe	2026-06-01 10:11:45.610108
`pkg:ruby-lang/ruby`	purl2cpe	2026-06-01 10:11:45.610110

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2017-14033`	vulnerable	2026-06-03 14:36:38.364977	Details available The decode method in the OpenSSL::ASN1 module in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows attackers to cause a denial of service (interpreter crash) via a crafted string. Published: 2017-09-19T17:00:00.000Z Updated: 2024-08-05T19:13:41.487Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2018:0585 https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/ https://access.redhat.com/errata/RHSA-2018:0378 http://www.securitytracker.com/id/1042004 https://www.debian.org/security/2017/dsa-4031	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-0898`	vulnerable	2026-06-03 14:36:19.559751	Details available Ruby before 2.4.2, 2.3.5, and 2.2.8 is vulnerable to a malicious format string which contains a precious specifier (*) with a huge minus value. Such situation can lead to a buffer overrun, resulting in a heap memory corruption or an information disclosure from the heap. Published: 2017-09-15T19:00:00.000Z Updated: 2024-09-17T01:36:46.258Z Open on db.gcve.eu Reference links https://usn.ubuntu.com/3685-1/ https://hackerone.com/reports/212241 https://access.redhat.com/errata/RHSA-2018:0585 https://access.redhat.com/errata/RHSA-2018:0378 https://www.debian.org/security/2017/dsa-4031	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2016-2339`	vulnerable	2026-06-03 14:35:37.885959	Details available An exploitable heap overflow vulnerability exists in the Fiddle::Function.new "initialize" function functionality of Ruby. In Fiddle::Function.new "initialize" heap buffer "arg_types" allocation is made based on args array length. Specially constructed object passed as element of args array can increase this array size after mentioned allocation and cause heap overflow. Published: 2017-01-06T21:00:00.000Z Updated: 2024-08-05T23:24:48.934Z Open on db.gcve.eu Reference links https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html http://www.securityfocus.com/bid/91234 http://www.talosintelligence.com/reports/TALOS-2016-0034/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2016-2338`	vulnerable	2026-06-03 14:35:37.885486	Details available An exploitable heap overflow vulnerability exists in the Psych::Emitter start_document function of Ruby. In Psych::Emitter start_document function heap buffer "head" allocation is made based on tags array length. Specially constructed object passed as element of tags array can increase this array size after mentioned allocation and cause heap overflow. Published: 2020-02-14T00:00:00.000Z Updated: 2024-08-05T23:24:48.961Z Open on db.gcve.eu Reference links https://lists.debian.org/debian-lts-announce/2020/03/msg00032.html http://www.talosintelligence.com/reports/TALOS-2016-0032/ https://security.netapp.com/advisory/ntap-20221228-0005/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2016-2337`	vulnerable	2026-06-03 14:35:37.885004	Details available Type confusion exists in _cancel_eval Ruby's TclTkIp class method. Attacker passing different type of object than String as "retval" argument can cause arbitrary code execution. Published: 2017-01-06T21:00:00.000Z Updated: 2024-08-05T23:24:49.158Z Open on db.gcve.eu Reference links http://www.talosintelligence.com/reports/TALOS-2016-0031/ http://www.securityfocus.com/bid/91233 https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html https://security.gentoo.org/glsa/201710-18	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2016-2336`	vulnerable	2026-06-03 14:35:37.881179	Details available Type confusion exists in two methods of Ruby's WIN32OLE class, ole_invoke and ole_query_interface. Attacker passing different type of object than this assumed by developers can cause arbitrary code execution. Published: 2017-01-06T21:00:00.000Z Updated: 2024-08-05T23:24:48.901Z Open on db.gcve.eu Reference links http://www.talosintelligence.com/reports/TALOS-2016-0029/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-7551`	vulnerable	2026-06-03 14:35:09.352211	Details available The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression. Published: 2016-03-24T01:00:00.000Z Updated: 2024-08-06T07:51:28.515Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7551.html https://support.apple.com/HT206167 https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.