GCVE - cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:ruby-lang:ruby:2.0.0:*:*:*:*:*:*:*

part: a version: 2.0.0 update: *

Vendor	Ruby Lang (`5813a634-c286-5f1d-90d5-a1a352f78d39`)
Product	Ruby (`48f7c14c-c576-5b15-be87-22eeb9add91e`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from NVD CPE 2.0 feed

PURL mappings

PURL	Source	Last updated
`pkg:github/ruby/ruby`	purl2cpe	2026-06-01 10:11:45.599844
`pkg:ruby-lang/ruby`	purl2cpe	2026-06-01 10:11:45.599846

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2015-3900`	vulnerable	2026-06-03 14:34:50.675730	Details available RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." Published: 2015-06-24T14:00:00.000Z Updated: 2024-08-06T05:56:16.332Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2015-1657.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163502.html http://lists.fedoraproject.org/pipermail/package-announce/2015-August/163600.html http://www.openwall.com/lists/oss-security/2015/06/26/2 https://www.trustwave.com/Resources/SpiderLabs-Blog/Attacking-Ruby-Gem-Security-with-CVE-2015-3900/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-8090`	vulnerable	2026-06-03 14:34:22.485969	Details available The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080. Published: 2014-11-21T15:00:00.000Z Updated: 2024-08-06T13:10:50.067Z Open on db.gcve.eu Reference links http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html http://secunia.com/advisories/59948 http://rhn.redhat.com/errata/RHSA-2014-1912.html http://www.debian.org/security/2015/dsa-3159 http://secunia.com/advisories/62050	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-8080`	vulnerable	2026-06-03 14:34:22.455968	Details available The REXML parser in Ruby 1.9.x before 1.9.3-p550, 2.0.x before 2.0.0-p594, and 2.1.x before 2.1.4 allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document, aka an XML Entity Expansion (XEE) attack. Published: 2014-11-03T16:00:00.000Z Updated: 2024-08-06T13:10:50.075Z Open on db.gcve.eu Reference links http://secunia.com/advisories/61607 http://lists.opensuse.org/opensuse-updates/2014-12/msg00035.html http://advisories.mageia.org/MGASA-2014-0443.html http://rhn.redhat.com/errata/RHSA-2014-1912.html http://www.debian.org/security/2015/dsa-3159	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-4975`	vulnerable	2026-06-03 14:34:05.109622	Details available Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow. Published: 2014-11-15T20:00:00.000Z Updated: 2024-08-06T11:34:36.647Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2014/07/09/13 http://rhn.redhat.com/errata/RHSA-2014-1912.html http://www.securityfocus.com/bid/68474 http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html http://rhn.redhat.com/errata/RHSA-2014-1913.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2014-2734`	vulnerable	2026-06-03 14:33:51.755562	Details available The openssl extension in Ruby 2.x does not properly maintain the state of process memory after a file is reopened, which allows remote attackers to spoof signatures within the context of a Ruby script that attempts signature verification after performing a certain sequence of filesystem operations. NOTE: this issue has been disputed by the Ruby OpenSSL team and third parties, who state that the original demonstration PoC contains errors and redundant or unnecessarily-complex code that does not appear to be related to a demonstration of the issue. As of 20140502, CVE is not aware of any public comment by the original researcher Published: 2014-04-24T23:00:00.000Z Updated: 2024-08-06T10:21:36.074Z Open on db.gcve.eu Reference links http://packetstormsecurity.com/files/126218/Ruby-OpenSSL-Private-Key-Spoofing.html http://www.osvdb.org/106006 https://news.ycombinator.com/item?id=7601973 http://www.securityfocus.com/bid/66956 http://seclists.org/fulldisclosure/2014/May/13	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4363`	vulnerable	2026-06-03 14:33:11.325738	Details available Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287. Published: 2013-10-17T23:00:00.000Z Updated: 2024-08-06T16:38:01.886Z Open on db.gcve.eu Reference links https://puppet.com/security/cve/cve-2013-4363 http://www.openwall.com/lists/oss-security/2013/09/18/8 http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html http://www.openwall.com/lists/oss-security/2013/09/14/3 http://www.openwall.com/lists/oss-security/2013/09/20/1	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4287`	vulnerable	2026-06-03 14:33:10.887973	Details available Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. Published: 2013-10-17T23:00:00.000Z Updated: 2024-08-06T16:38:01.871Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2013/09/10/1 http://secunia.com/advisories/55381 http://rhn.redhat.com/errata/RHSA-2013-1523.html http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html https://puppet.com/security/cve/cve-2013-4287	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-4164`	vulnerable	2026-06-03 14:33:10.040787	Details available Heap-based buffer overflow in Ruby 1.8, 1.9 before 1.9.3-p484, 2.0 before 2.0.0-p353, 2.1 before 2.1.0 preview2, and trunk before revision 43780 allows context-dependent attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a string that is converted to a floating point value, as demonstrated using (1) the to_f method or (2) JSON.parse. Published: 2013-11-23T19:00:00.000Z Updated: 2024-08-06T16:30:50.071Z Open on db.gcve.eu Reference links https://puppet.com/security/cve/cve-2013-4164 http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html http://lists.opensuse.org/opensuse-updates/2013-12/msg00028.html http://www.ubuntu.com/usn/USN-2035-1 http://archives.neohapsis.com/archives/bugtraq/2014-04/0134.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-2065`	vulnerable	2026-06-03 14:32:53.560514	Details available (1) DL and (2) Fiddle in Ruby 1.9 before 1.9.3 patchlevel 426, and 2.0 before 2.0.0 patchlevel 195, do not perform taint checking for native functions, which allows context-dependent attackers to bypass intended $SAFE level restrictions. Published: 2013-11-02T19:00:00.000Z Updated: 2024-08-06T15:20:37.490Z Open on db.gcve.eu Reference links https://puppet.com/security/cve/cve-2013-2065 http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107064.html http://www.ubuntu.com/usn/USN-2035-1 https://www.ruby-lang.org/en/news/2013/05/14/taint-bypass-dl-fiddle-cve-2013-2065/ http://lists.fedoraproject.org/pipermail/package-announce/2013-May/107098.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1821`	vulnerable	2026-06-03 14:32:51.955467	Details available lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack. Published: 2013-04-09T21:00:00.000Z Updated: 2024-08-06T15:13:33.271Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2013-0612.html http://www.mandriva.com/security/advisories?name=MDVSA-2013:124 http://lists.opensuse.org/opensuse-updates/2013-04/msg00034.html http://www.slackware.com/security/viewer.php?l=slackware-security&y=2013&m=slackware-security.426862 http://secunia.com/advisories/52783	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-1655`	not_vulnerable	2026-06-03 14:32:50.694264	Details available Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running Ruby 1.9.3 or later, allows remote attackers to execute arbitrary code via vectors related to "serialized attributes." Published: 2013-03-20T16:00:00.000Z Updated: 2024-08-06T15:13:31.295Z Open on db.gcve.eu Reference links http://www.securityfocus.com/bid/58442 http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html http://www.debian.org/security/2013/dsa-2643 http://secunia.com/advisories/52596 https://puppetlabs.com/security/cve/cve-2013-1655/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2013-0256`	vulnerable	2026-06-03 14:32:42.443081	Details available darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL. Published: 2013-03-01T02:00:00.000Z Updated: 2024-08-06T14:18:09.523Z Open on db.gcve.eu Reference links http://rhn.redhat.com/errata/RHSA-2013-0701.html http://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/ http://secunia.com/advisories/52774 http://lists.opensuse.org/opensuse-updates/2013-02/msg00048.html http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-4522`	vulnerable	2026-06-03 14:32:24.286854	Details available The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path. Published: 2012-11-24T20:00:00.000Z Updated: 2024-08-06T20:42:53.662Z Open on db.gcve.eu Reference links http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090235.html http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=37163 http://lists.fedoraproject.org/pipermail/package-announce/2012-October/090515.html http://www.openwall.com/lists/oss-security/2012/10/13/1 http://rhn.redhat.com/errata/RHSA-2013-0129.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-4466`	vulnerable	2026-06-03 14:32:19.086430	Details available Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005. Published: 2013-04-25T23:00:00.000Z Updated: 2024-08-06T20:35:09.685Z Open on db.gcve.eu Reference links http://www.openwall.com/lists/oss-security/2012/10/02/4 http://www.mandriva.com/security/advisories?name=MDVSA-2013:124 http://www.openwall.com/lists/oss-security/2012/10/03/9 https://bugzilla.redhat.com/show_bug.cgi?id=862614 http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089554.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2012-4464`	vulnerable	2026-06-03 14:32:19.055951	Details available Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression. Published: 2013-04-25T23:00:00.000Z Updated: 2024-08-06T20:35:09.734Z Open on db.gcve.eu Reference links https://bugzilla.redhat.com/show_bug.cgi?id=862598 http://www.openwall.com/lists/oss-security/2012/10/02/4 http://www.openwall.com/lists/oss-security/2012/10/03/9 http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089554.html http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089887.html	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2009-5147`	vulnerable	2026-06-03 14:30:01.429789	Details available DL::dlopen in Ruby 1.8, 1.9.0, 1.9.2, 1.9.3, 2.0.0 before patchlevel 648, and 2.1 before 2.1.8 opens libraries with tainted names. Published: 2017-03-29T14:00:00.000Z Updated: 2024-08-07T07:32:23.332Z Open on db.gcve.eu Reference links https://github.com/ruby/ruby/commit/4600cf725a86ce31266153647ae5aa1197b1215b http://seclists.org/oss-sec/2015/q3/222 https://www.ruby-lang.org/en/news/2015/12/16/unsafe-tainted-string-usage-in-fiddle-and-dl-cve-2015-7551/ https://access.redhat.com/errata/RHSA-2018:0583 https://bugzilla.redhat.com/show_bug.cgi?id=1248935	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.