MidnightBSD

Advisories for yukihiro_matsumoto

CVE-2004-0755 LOW

The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.

CVSS 2.0

Severity: LOW

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yukihiro_matsumoto ruby 1.6
yukihiro_matsumoto ruby 1.8
CVE-2004-0983 MEDIUM

The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
mandrakesoft mandrake_linux 10.1
mandrakesoft mandrake_linux 9.2
yukihiro_matsumoto ruby 1.6.7
yukihiro_matsumoto ruby 1.8.2_pre2
gentoo linux *
yukihiro_matsumoto ruby 1.8.2_pre1
mandrakesoft mandrake_linux_corporate_server 2.1
yukihiro_matsumoto ruby 1.6
ubuntu ubuntu_linux 4.1
yukihiro_matsumoto ruby 1.8
mandrakesoft mandrake_linux 10.0
yukihiro_matsumoto ruby 1.8.1
CVE-2005-1992 HIGH

The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands.

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yukihiro_matsumoto ruby 1.8
CVE-2005-2337 HIGH

Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).

CVSS 2.0

Severity: HIGH

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yukihiro_matsumoto ruby 1.6.4
yukihiro_matsumoto ruby 1.6.7
yukihiro_matsumoto ruby 1.6.1
yukihiro_matsumoto ruby 1.6.5
yukihiro_matsumoto ruby 1.8.2_pre2
yukihiro_matsumoto ruby 1.6.3
yukihiro_matsumoto ruby 1.8.2_pre1
yukihiro_matsumoto ruby 1.6
yukihiro_matsumoto ruby 1.6.2
yukihiro_matsumoto ruby 1.8
yukihiro_matsumoto ruby 1.6.6
yukihiro_matsumoto ruby 1.8.1
CVE-2006-1931 MEDIUM

The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yukihiro_matsumoto ruby 1.6
yukihiro_matsumoto ruby 1.6.2
yukihiro_matsumoto ruby 1.6.4
yukihiro_matsumoto ruby 1.8
yukihiro_matsumoto ruby 1.6.7
yukihiro_matsumoto ruby 1.6.6
yukihiro_matsumoto ruby 1.6.1
yukihiro_matsumoto ruby 1.6.5
yukihiro_matsumoto ruby 1.6.3
yukihiro_matsumoto ruby 1.8.1
CVE-2006-3694 MEDIUM

Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations".

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-Other,

Products Affected

Vendor Product Version
yukihiro_matsumoto ruby 1.8.3
yukihiro_matsumoto ruby 1.8.4
yukihiro_matsumoto ruby 1.8.2