GCVE - cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ruby-lang:ruby:2.1.2:*:*:*:*:*:*:*

part: a version: 2.1.2 update: *

Vendor	Ruby Lang (`5813a634-c286-5f1d-90d5-a1a352f78d39`)
Product	Ruby (`48f7c14c-c576-5b15-be87-22eeb9add91e`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/ruby/ruby`	purl2cpe	2026-06-01 10:11:45.610068
`pkg:ruby-lang/ruby`	purl2cpe	2026-06-01 10:11:45.610069

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2015-7551`	vulnerable	2026-06-03 14:35:09.347808	Details available The Fiddle::Handle implementation in ext/fiddle/handle.c in Ruby before 2.0.0-p648, 2.1 before 2.1.8, and 2.2 before 2.2.4, as distributed in Apple OS X before 10.11.4 and other products, mishandles tainting, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted string, related to the DL module and the libffi library. NOTE: this vulnerability exists because of a CVE-2009-5147 regression. Published: 2016-03-24T01:00:00.000Z Updated: 2024-08-06T07:51:28.515Z Open on db.gcve.eu Reference links http://lists.apple.com/archives/security-announce/2016/Mar/msg00004.html https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7551.html https://support.apple.com/HT206167 https://github.com/ruby/ruby/commit/339e11a7f178312d937b7c95dd3115ce7236597a http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=796344	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2015-3900`	vulnerable	2026-06-03 14:34:50.677319	Details available RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." Published: 2015-06-24T14:00:00.000Z Updated: 2024-08-06T05:56:16.332Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2015-1657.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html http://www.openwall.com/lists/oss-security/2015/06/26/2 https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-8090`	vulnerable	2026-06-03 14:34:22.488872	Details available The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. Published: 2014-11-21T15:00:00.000Z Updated: 2024-08-06T13:10:50.067Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html http://secunia.com/advisories/59948 http://rhn.redhat.com/errata/RHSA-2014-1912.html http://www.debian.org/security/2015/dsa-3159 http://secunia.com/advisories/62050	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-8080`	vulnerable	2026-06-03 14:34:22.460259	Details available The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. Published: 2014-11-03T16:00:00.000Z Updated: 2024-08-06T13:10:50.075Z Open on db.gcve.eu Reference links http://secunia.com/advisories/61607 http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html http://advisories.mageia.org/MGASA-2014-0443.html http://rhn.redhat.com/errata/RHSA-2014-1912.html http://www.debian.org/security/2015/dsa-3159	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-4975`	vulnerable	2026-06-03 14:34:05.115777	Details available Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. Published: 2014-11-15T20:00:00.000Z Updated: 2024-08-06T11:34:36.647Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2014/07/09/13 http://rhn.redhat.com/errata/RHSA-2014-1912.html http://www.securityfocus.com/bid/68474 http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html http://rhn.redhat.com/errata/RHSA-2014-1913.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-5147`	vulnerable	2026-06-03 14:30:01.436611	Details available DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. Published: 2017-03-29T14:00:00.000Z Updated: 2024-08-07T07:32:23.332Z Open on db.gcve.eu Reference links https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b http://seclists.org/oss-sec/2015/q3/222 https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/ https://access.redhat.com/errata/RHSA-2018:0583 https://bugzilla.redhat.com/show_bug.cgi?id=1248935	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.