RubyGems


18 total issues disclosed

$6,500 total paid publicly





Disclosed Reports


| Report Title | Vulnerability Type | Disclosed By | Severity | Disclosed on |
| --- | --- | --- | --- | --- |
| Malware in `active-support` gem | Command Injection - Generic | reed | Critical | 2018-08-09 |
| Gem signature forgery | Cryptographic Issues - Generic | plover | Medium | 2018-08-03 |
| Installer can modify other gems if gem name is specially crafted | Path Traversal | nmalkin | Medium | 2018-03-22 |
| Negative size in tar header causes infinite loop | Denial of Service | plover | Low | 2018-03-01 |
| [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec | Cross-site Scripting (XSS) - Stored | ysx | Medium | 2018-02-22 |
| RCE,SQL,Vulnerability + Exploit Method. | Command Injection - Generic | exploit_in | No rating | 2018-02-09 |
| Host Header Injection/Redirection | Violation of Secure Design Principles | gorkhali | None | 2018-02-09 |
| Host header Injection rubygems.org | Open Redirect | bugs3ra | Low | 2018-02-09 |
| Remote code execution on rubygems.org | Deserialization of Untrusted Data | max | Critical | 2017-11-09 |
| No limit of summary length allows Denial of Service | Denial of Service | mame | High | 2017-09-01 |
| Installing a crafted gem package may create or overwrite files | Path Traversal | mame | High | 2017-09-01 |
| Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier | Code Injection | claudijd | High | 2017-08-31 |
| Escape sequence injection in "summary" field | Command Injection - Generic | mame | Low | 2017-08-31 |
| Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly | None supplied | ahsan | None | 2017-03-06 |
| Login credentials transmitted in cleartext on index.rubygems.org | Violation of Secure Design Principles | eterm | No rating | 2016-10-17 |
| Invalid username updating | None supplied | ghjfgjggfdfhfgsdfssdf | No rating | 2016-10-17 |
| Password Reset emails missing TLS leads account takeover | Improper Authentication - Generic | c0rte | No rating | 2016-10-04 |
| Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier | None supplied | claudijd | No rating | 2015-05-14 |