Showing 81 of 81 total issues
Directory traversal in Rack::Directory app bundled with Rack Open
rack (2.0.7)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8161
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open
nokogiri (1.10.5)
- Read upRead up
- Exclude checks
Advisory:
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
Solution: upgrade to >= 1.13.9
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Open
nokogiri (1.10.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-30560
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Solution: upgrade to >= 1.13.2
Improper Handling of Unexpected Data Type in Nokogiri Open
nokogiri (1.10.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-29181
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
Solution: upgrade to >= 1.13.6
Improper neutralization of data URIs may allow XSS in rails-html-sanitizer Open
rails-html-sanitizer (1.3.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23518
Criticality: Medium
URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
Solution: upgrade to >= 1.4.4
Server-side request forgery in CarrierWave Open
carrierwave (1.2.3)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-21288
Criticality: Medium
URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
Solution: upgrade to ~> 1.3.2, >= 2.1.1
Regular Expression Denial of Service in Addressable templates Open
addressable (2.4.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-32740
Criticality: High
URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g
Solution: upgrade to >= 2.8.0
Uncontrolled Recursion in Loofah Open
loofah (2.3.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23516
Criticality: High
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
Solution: upgrade to >= 2.19.1
Denial of Service in rubyzip ("zip bombs") Open
rubyzip (1.2.3)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16892
Criticality: Medium
URL: https://github.com/rubyzip/rubyzip/pull/403
Solution: upgrade to >= 1.3.0
Improper neutralization of data URIs may allow XSS in Loofah Open
loofah (2.3.1)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23515
Criticality: Medium
URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
Solution: upgrade to >= 2.19.1
Remote command execution via filename Open
mini_magick (4.8.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Solution: upgrade to >= 4.9.4
Out-of-bounds Write in zlib affects Nokogiri Open
nokogiri (1.10.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-25032
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Solution: upgrade to >= 1.13.4
Denial of Service (DoS) in Nokogiri on JRuby Open
nokogiri (1.10.5)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-24839
Criticality: High
URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Solution: upgrade to >= 1.13.4
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open
json (2.2.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-10663
Criticality: High
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Solution: upgrade to >= 2.3.0
Function LoginForm
has 75 lines of code (exceeds 25 allowed). Consider refactoring. Open
var LoginForm = function () {
function LoginForm() {
_classCallCheck(this, LoginForm);
this.current = 0;
Function Shader
has 71 lines of code (exceeds 25 allowed). Consider refactoring. Open
var Shader = function () {
function Shader() {
_classCallCheck(this, Shader);
this.uniforms = {
Cyclomatic complexity for cli_arg_version is too high. [9/6] Open
def cli_arg_version
return unless invoked_as_script? # don't want to hijack other binstubs
return unless "update".start_with?(ARGV.first || " ") # must be running `bundle update`
bundler_version = nil
update_index = nil
- Read upRead up
- Exclude checks
This cop checks that the cyclomatic complexity of methods is not higher than the configured maximum. The cyclomatic complexity is the number of linearly independent paths through a method. The algorithm counts decision points and adds one.
An if statement (or unless or ?:) increases the complexity by one. An else branch does not, since it doesn't add a decision point. The && operator (or keyword and) can be converted to a nested if statement, and ||/or is shorthand for a sequence of ifs, so they also add one. Loops can be said to have an exit condition, so they add one.
Possible shell escape sequence injection vulnerability in Rack Open
rack (2.0.7)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Arbitrary path traversal and file access via yard server
Open
yard (0.9.19)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-1020001
Criticality: High
URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
Solution: upgrade to >= 0.9.20
Possible arbitrary path traversal and file access via yard server
Open
yard (0.9.19)
- Read upRead up
- Exclude checks
Advisory:
URL: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
Solution: upgrade to >= 0.9.20