Rubygems

Listed on HackerOne. Updated on 2019/10/15

reports in last 90 days
20 disclosed resolved issues
2 disclosed informative issues
2 disclosed N/A issues

| Severity | Bug Title | Bug Type | Found By | Time to triage | Time to close | Report Status |
|---|---|---|---|---|---|---|
| Medium | [gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec | Cross-site Scripting (XSS) - Stored | ysx | 89 days 23 hours | 9 days 5 hours | Resolved |
| Medium | Delete directory using symlink when decompressing tar | Path Traversal | ooooooo_q | 293 days 12 hours | 86 days 7 hours | Resolved |
| Low | 65534 times efficient, Brute-force attack for api_key | None supplied | ooooooo_q | 0 days 4 hours | 8 days 21 hours | Resolved |
| Low | Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier | Command Injection - Generic | claudijd | not triaged | 6 days 22 hours | Informative |
| Low | Cross-Domain JavaScript Source File Inclusion | Cross-site Scripting (XSS) - Generic | mrunal | not triaged | 18 days 5 hours | Informative |
| High | DNS SRV lookup of file:// sources enables local hijacking of gems | Path Traversal | plover | not triaged | 52 days 18 hours | Resolved |
| Medium | Unpacker improperly validates symlinks, allowing gems writes to arbitrary locations | Path Traversal | nmalkin | 140 days 21 hours | 20 days 6 hours | Resolved |
| Medium | Gem signature forgery | Cryptographic Issues - Generic | plover | 128 days 23 hours | 129 days 7 hours | Resolved |
| Critical | Malware in `active-support` gem | Command Injection - Generic | reed | 0 days 3 hours | 0 days 0 hours | Resolved |
| Medium | Installer can modify other gems if gem name is specially crafted | Path Traversal | nmalkin | 140 days 20 hours | 9 days 5 hours | Resolved |
| Low | Negative size in tar header causes infinite loop | Denial of Service | plover | 89 days 11 hours | 30 days 13 hours | Resolved |
| Low | Host header Injection rubygems.org | Open Redirect | bugs3ra | not triaged | 0 days 19 hours | Not applicable |
| None | Host Header Injection/Redirection | Violation of Secure Design Principles | gorkhali | not triaged | 38 days 6 hours | Duplicate |
| No rating | RCE, SQL, Vulnerability + Exploit Method. | Command Injection - Generic | exploit_in | not triaged | 0 days 0 hours | Not applicable |
| Critical | Remote code execution on rubygems.org | Deserialization of Untrusted Data | max | 0 days 2 hours | 3 days 16 hours | Resolved |
| Low | Escape sequence injection in "summary" field | Command Injection - Generic | mame | not triaged | 114 days 12 hours | Resolved |
| High | Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier | Code Injection | claudijd | not triaged | 147 days 8 hours | Resolved |
| High | Installing a crafted gem package may create or overwrite files | Path Traversal | mame | not triaged | 62 days 16 hours | Resolved |
| High | No limit of summary length allows Denial of Service | Denial of Service | mame | not triaged | 63 days 18 hours | Resolved |
| None | Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly | None supplied | ahsan | not triaged | 0 days 0 hours | Resolved |
| No rating | Invalid username updating | None supplied | ghjfgjggfdfhfgsdfssdf | not triaged | 8 days 12 hours | Resolved |
| No rating | Login credentials transmitted in cleartext on index.rubygems.org | Violation of Secure Design Principles | eterm | not triaged | 2 days 1 hour | Resolved |
| No rating | Password Reset emails missing TLS leads to account takeover | Improper Authentication - Generic | c0rte | 2 days 4 hours | 0 days 16 hours | Resolved |
| No rating | Request Hijacking Vulnerability In RubyGems 2.4.6 And Earlier | None supplied | claudijd | not triaged | 8 days 0 hours | Resolved |
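Several of the resolved reports above share one root cause: the installer trusted fields of an attacker-supplied data tarball (a symlink that deletes a directory while decompressing tar, an unpacker that improperly validates symlinks, a crafted package that creates or overwrites files, a negative size in a tar header that causes an infinite loop). The following is an added example, not RubyGems' own code and not any reporter's proof of concept: a small Ruby auditor that walks a tar stream header by header without extracting anything and flags the header patterns behind those reports (entry paths that escape the destination, symlink targets that escape it, later entries that write through an earlier symlink, and size or checksum fields that are not well-formed octal). The archive it inspects is constructed inline for the example; the entry names, the `lib/escape` symlink and the `-1` size field are illustrative, not taken from any real gem.

```ruby
require "stringio"

BLOCK = 512

# --- Constructed sample archive (illustrative input, not a real gem) ----------

# Build one 512-byte ustar header. The checksum is the byte sum of the header
# with the checksum field itself treated as eight spaces, stored as "%06o\0 ".
# The size field is normally a NUL-terminated octal string; a raw String is
# accepted here only so the sample can carry the "-1" a hostile archive would.
def tar_header(name, size: 0, type: "0", linkname: "")
  h = "\0" * BLOCK
  h[0, 100]   = name.ljust(100, "\0")
  h[100, 8]   = "0000644\0"                                   # mode
  h[108, 8]   = "0000000\0"                                   # uid
  h[116, 8]   = "0000000\0"                                   # gid
  h[124, 12]  = size.is_a?(String) ? size.ljust(12, "\0") : format("%011o\0", size)
  h[136, 12]  = "00000000000\0"                               # mtime
  h[148, 8]   = " " * 8                                       # checksum placeholder
  h[156]      = type                                          # "0" file, "2" symlink, "5" dir
  h[157, 100] = linkname.ljust(100, "\0")
  h[257, 6]   = "ustar\0"
  h[263, 2]   = "00"
  h[148, 8]   = format("%06o\0 ", h.bytes.sum)
  h
end

# Header plus NUL-padded data blocks for a regular file.
def tar_file(name, data)
  padded_len = (data.bytesize + BLOCK - 1) / BLOCK * BLOCK
  tar_header(name, size: data.bytesize) + data.ljust(padded_len, "\0")
end

SAMPLE_DATA_TAR = [
  tar_file("lib/safe.rb", "puts 'hello'\n"),
  tar_file("../../../../tmp/owned.rb", "# traversal via the entry name\n"),
  tar_header("lib/escape", type: "2", linkname: "../../../../etc"),  # symlink out of the tree
  tar_file("lib/escape/passwd", "root::0:0::/:/bin/sh\n"),           # write through that symlink
  tar_header("lib/bomb.rb", size: "-1"),                             # negative size field
  "\0" * (BLOCK * 2),                                                # end-of-archive marker
].join

# --- Auditor ------------------------------------------------------------------

# Does this path, joined under the destination directory, resolve outside it?
def escapes_destination?(path)
  return true if path.start_with?("/")
  depth = 0
  path.split("/").each do |part|
    next if part.empty? || part == "."
    depth += (part == ".." ? -1 : 1)
    return true if depth < 0
  end
  false
end

PATH_ESCAPE  = "entry path escapes the destination directory"
LINK_ESCAPE  = "symlink target escapes the destination directory"
BAD_SIZE     = "size field is not a non-negative octal number"
BAD_CHECKSUM = "header checksum mismatch"

# Walk a tar stream and return [[entry_name, problem], ...]. Parsing stops at
# the first malformed header, because nothing after it can be located safely.
def audit_tar(bytes)
  io = StringIO.new(bytes)
  findings = []
  symlinks = []
  loop do
    header = io.read(BLOCK)
    break if header.nil? || header.bytesize < BLOCK || header.delete("\0").empty?

    name     = header[0, 100].unpack1("Z100")
    size_raw = header[124, 12].unpack1("Z12").strip
    stored   = header[148, 8].unpack1("Z8").strip
    type     = header[156]
    linkname = header[157, 100].unpack1("Z100")

    blanked = header.dup
    blanked[148, 8] = " " * 8
    if stored !~ /\A[0-7]+\z/ || blanked.bytes.sum != stored.oct
      findings << [name, BAD_CHECKSUM]
      break
    end

    # "-1".oct == -1 in Ruby; a reader that trusts that value never advances.
    unless size_raw =~ /\A[0-7]+\z/
      findings << [name, BAD_SIZE]
      break
    end
    size = size_raw.oct

    if escapes_destination?(name)
      findings << [name, PATH_ESCAPE]
    elsif (through = symlinks.find { |s| name.start_with?("#{s}/") })
      findings << [name, "writes through earlier symlink #{through}"]
    end

    if type == "2"
      target = linkname.start_with?("/") ? linkname : File.join(File.dirname(name), linkname)
      findings << [name, LINK_ESCAPE] if escapes_destination?(target)
      symlinks << name
    end

    io.seek((size + BLOCK - 1) / BLOCK * BLOCK, IO::SEEK_CUR)
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  audit_tar(SAMPLE_DATA_TAR).each { |name, problem| puts "#{name}: #{problem}" }
end
```

The check deliberately reasons about paths lexically rather than by calling `File.realpath` on a partially extracted tree: by the time a real-path check runs, an earlier symlink entry may already have redirected the directory it would resolve through, which is exactly the pattern the symlink reports describe. Running the auditor on the constructed archive reports the traversal entry, the escaping symlink, the write through it, and the malformed size field, and leaves `lib/safe.rb` alone.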