RubyGems - HackerOne Reports

Total reports: 28 (2 Critical, 4 High, 7 Medium, 7 Low)
Negative size in tar header causes infinite loop
  Reported by: plover | Disclosed | Severity: Low
  Weakness: Uncontrolled Resource Consumption

Delete directory using symlink when decompressing tar
  Reported by: ooooooo_q | Disclosed | Severity: Medium
  Weakness: Path Traversal
  Bounty: $500.00

[gem server] Stored XSS via crafted JavaScript URL inclusion in Gemspec
  Reported by: ysx | Disclosed | Severity: Medium
  Weakness: Cross-site Scripting (XSS) - Stored

Possible Subdomain Takeover at http://production.s3.rubygems.org/ pointing to Fastly
  Reported by: ahsan | Disclosed

`/names.nsf` and all `/names*` files route to public API on rubygems.org
  Reported by: jagat-singh | Disclosed
  Weakness: Improper Access Control - Generic

Request Hijacking Vulnerability in RubyGems 2.6.13 and earlier
  Reported by: claudijd | Disclosed | Severity: Low
  Weakness: Command Injection - Generic
  CVEs: CVE-2017-0902

Request Hijacking Vulnerability in RubyGems 2.6.11 and earlier
  Reported by: claudijd | Disclosed | Severity: High
  Weakness: Code Injection

Gem signature forgery
  Reported by: plover | Disclosed | Severity: Medium
  Weakness: Cryptographic Issues - Generic