Version 3.4.20

rubygems-update

Library packaging and distribution for Ruby.

Install Instructions

gem install rubygems-update
Current Version Release Date November 05, 2024
Language Ruby
Package URL (purl) pkg:gem/rubygems-update@3.4.20

Find rubygems-update vulnerabilities in your supply chain.

Scan for Free

rubygems-update Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2013-4287 Medium 4.3 CWE-310 0.01831 0.88718
  • 2.0.0–2.1.0.rc.2
  • 1.0.0–1.8.25
  • 0.8.3–0.9.5
CVE-2013-4363 Medium 4.3 CWE-310 0.0054 0.77983
  • 2.0.0–2.1.4
  • 1.0.0–1.8.26
  • 0.8.3–0.9.5
CVE-2015-3900 Medium 5 CWE-254 0.00845 0.82783
  • 2.0.0–2.4.6
CVE-2015-4020 Medium 4.3 CWE-20 0.00637 0.79775
  • 2.0.0–2.4.7
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2017-0899 High 9.8 CWE-94, CWE-150 0.0201 0.89352
  • 2.0.0–2.6.12
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2017-0900 High 7.5 CWE-20 0.02257 0.89971
  • 2.0.0–2.6.12
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2017-0901 High 7.5 CWE-22, CWE-20 0.00879 0.83124
  • 2.0.0–2.6.12
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2017-0902 High 8.1 CWE-350, CWE-346 0.00753 0.81641
  • 2.0.0–2.6.12
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2017-0903 High 9.8 CWE-502 0.13505 0.9579
  • 2.0.0–2.6.13
CVE-2018-1000073 High 7.5 CWE-59 0.00553 0.78221
  • 2.0.0–2.7.5
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2018-1000074 High 7.8 CWE-502 0.02161 0.89732
  • 2.0.0–2.7.5
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2018-1000075 High 7.5 CWE-835 0.01121 0.85206
  • 2.0.0–2.7.5
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2018-1000077 Medium 5.3 CWE-20 0.00375 0.73533
  • 2.0.0–2.7.5
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2018-1000078 Medium 6.1 CWE-79 0.00601 0.79121
  • 2.0.0–2.7.5
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2018-1000079 Medium 5.5 CWE-22 0.01031 0.84469
  • 2.0.0–2.7.5
  • 1.0.0–1.8.30
  • 0.8.3–0.9.5
CVE-2012-2125 Medium 5.8 CWE-297 0.00412 0.74675
  • 1.0.0–1.8.22
  • 0.8.3–0.9.5
CVE-2012-2126 Medium 4.3 CWE-310 0.00299 0.70242
  • 1.0.0–1.8.22
  • 0.8.3–0.9.5
CVE-2007-0469 High 9.3 CWE-400 0.01999 0.89311
  • 0.8.3–0.9.0
CVE-2018-1000076 High 9.8 CWE-347 0.01425 0.87066
  • 2.2.0–2.7.5
CVE-2019-8321 High 7.5 CWE-88 0.00286 0.69559
  • 3.0.0–3.0.1
  • 2.6.0–2.7.8
CVE-2019-8322 High 7.5 CWE-74 0.00229 0.61801
  • 3.0.0–3.0.1
  • 2.6.0–2.7.8
CVE-2019-8323 High 7.5 CWE-74 0.00229 0.61801
  • 3.0.0–3.0.1
  • 2.6.0–2.7.8
CVE-2019-8324 High 8.8 CWE-94 0.00338 0.72123
  • 3.0.0–3.0.1
  • 2.6.0–2.7.8
CVE-2019-8325 High 7.5 CWE-74 0.00229 0.61801
  • 3.0.0–3.0.1
  • 2.6.0–2.7.8
CVE-2019-8320 High 7.4 CWE-22 0.00605 0.79189
  • 3.0.0–3.0.2
  • 2.7.6–2.7.8

rubygems-update Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2019-8325 An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::CommandManager#run calls alert_error without escaping, escape sequence injection is possible. (There are many ways to cause an error.) 2.6.4, 2.6.6, 2.6.11, 2.6.12, 2.6.10, 2.6.9, 2.6.8, 2.6.7 (Show all) Minor → 2.7.9
CVE-2019-8324 An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted gem with a multi-line name is not handled correctly. Therefore, an attacker could inject arbitrary code to the stub line of gemspec, which is eval-ed by code in ensure_loadable_spec during the preinstall check. 2.6.4, 2.6.6, 2.6.11, 2.6.12, 2.6.10, 2.6.9, 2.6.8, 2.6.7 (Show all) Minor → 2.7.9
CVE-2019-8323 An issue was discovered in RubyGems 2.6 and later through 3.0.2. Gem::GemcutterUtilities#with_response may output the API response to stdout as it is. Therefore, if the API side modifies the response, escape sequence injection may occur. 2.6.4, 2.6.6, 2.6.11, 2.6.12, 2.6.10, 2.6.9, 2.6.8, 2.6.7 (Show all) Minor → 2.7.9
CVE-2019-8322 An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem owner command outputs the contents of the API response directly to stdout. Therefore, if the response is crafted, escape sequence injection may occur. 2.6.4, 2.6.6, 2.6.11, 2.6.12, 2.6.10, 2.6.9, 2.6.8, 2.6.7 (Show all) Minor → 2.7.9
CVE-2019-8321 An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is possible. 2.6.4, 2.6.6, 2.6.11, 2.6.12, 2.6.10, 2.6.9, 2.6.8, 2.6.7 (Show all) Minor → 2.7.9
CVE-2019-8320 A Directory Traversal issue was discovered in RubyGems 2.7.6 and later through 3.0.2. Before making new directories or touching files (which now include path-checking code for symlinks), it would delete the target destination. If that destination was hidden behind a symlink, a malicious gem could delete arbitrary files on the user's machine, presuming the attacker could guess at paths. Given how frequently gem is run as sudo, and how predictable paths are on modern systems (/tmp, /usr, etc.), this could likely lead to data loss or an unusable system. 3.0.1, 2.7.6, 2.7.7, 3.0.0, 3.0.2, 2.7.8 Patch → 3.0.3
CVE-2018-1000079 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in gem installation that can result in the gem could write to arbitrary filesystem locations during installation. This attack appear to be exploitable via the victim must install a malicious gem. This vulnerability appears to have been fixed in 2.7.6. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2018-1000078 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability in gem server display of homepage attribute that can result in XSS. This attack appear to be exploitable via the victim must browse to a malicious gem on a vulnerable gem server. This vulnerability appears to have been fixed in 2.7.6. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2018-1000077 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability in ruby gems specification homepage attribute that can result in a malicious gem could set an invalid homepage URL. This vulnerability appears to have been fixed in 2.7.6. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2018-1000076 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Improper Verification of Cryptographic Signature vulnerability in package.rb that can result in a mis-signed gem could be installed, as the tarball would contain multiple gem signatures.. This vulnerability appears to have been fixed in 2.7.6. 2.2.0, 2.4.6, 2.4.7, 2.4.8, 2.5.1, 2.5.2, 2.6.4, 2.6.6 (Show all) Minor → 2.7.9
CVE-2018-1000075 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a infinite loop caused by negative size vulnerability in ruby gem package tar header that can result in a negative size could cause an infinite loop.. This vulnerability appears to have been fixed in 2.7.6. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2018-1000074 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data vulnerability in owner command that can result in code execution. This attack appear to be exploitable via victim must run the `gem owner` command on a gem with a specially crafted YAML file. This vulnerability appears to have been fixed in 2.7.6. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2018-1000073 RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb that can result in path traversal when writing to a symlinked basedir outside of the root. This vulnerability appears to have been fixed in 2.7.6. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2017-0903 RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 2.0.2, 2.0.4 (Show all) Minor → 2.7.9
CVE-2017-0902 RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking vulnerability that allows a MITM attacker to force the RubyGems client to download and install gems from a server that the attacker controls. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2017-0901 RubyGems version 2.6.12 and earlier fails to validate specification names, allowing a maliciously crafted gem to potentially overwrite any file on the filesystem. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2017-0900 RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications to cause a denial of service attack against RubyGems clients who have issued a `query` command. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2017-0899 RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem specifications that include terminal escape characters. Printing the gem specification would execute terminal escape sequences. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2015-4020 RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a "DNS hijack attack." NOTE: this vulnerability exists because to an incomplete fix for CVE-2015-3900. 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 1.8.26, 2.0.0.preview2 (Show all) Minor → 2.7.9
CVE-2015-3900 RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7 does not validate the hostname when fetching gems or making API requests, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record, aka a "DNS hijack attack." 2.0.3, 2.0.6, 2.0.13, 2.0.14, 2.0.11, 2.0.0, 2.0.2, 2.0.4 (Show all) Minor → 2.7.9
CVE-2013-4363 Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. NOTE: this issue is due to an incomplete fix for CVE-2013-4287. 2.0.3, 2.0.6, 2.0.0, 1.8.26, 1.8.22, 1.8.20, 1.8.25, 1.8.23 (Show all) Minor → 2.7.9
CVE-2013-4287 Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows remote attackers to cause a denial of service (CPU consumption) via a crafted gem version that triggers a large amount of backtracking in a regular expression. 2.0.3, 2.0.6, 2.0.0, 1.8.22, 1.8.20, 1.8.25, 1.8.23, 1.8.19 (Show all) Minor → 2.7.9
CVE-2012-2126 RubyGems before 1.8.23 does not verify an SSL certificate, which allows remote attackers to modify a gem during installation via a man-in-the-middle attack. 1.8.22, 1.8.20, 1.8.19, 1.8.18, 1.8.15, 1.8.14, 1.8.13, 1.8.6 (Show all) Major → 2.7.9
CVE-2012-2125 RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. 1.8.22, 1.8.20, 1.8.19, 1.8.18, 1.8.15, 1.8.14, 1.8.13, 1.8.6 (Show all) Major → 2.7.9
CVE-2007-0469 The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages. 0.8.10, 0.9.0, 0.8.4, 0.8.11, 0.8.8, 0.8.6, 0.8.5, 0.8.3 Major → 2.7.9

Instantly see if these rubygems-update vulnerabilities affect your code.

Scan for Free