codeforamerica/michigan-benefits

Showing 371 of 372 total issues

Information Exposure with Puma when used with Rails
Open

    puma (3.12.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23634

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Solution: upgrade to ~> 4.3.11, >= 5.6.2

ReDoS based DoS vulnerability in GlobalID
Open

    globalid (0.4.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22799

URL: https://github.com/rails/globalid/releases/tag/v1.0.1

Solution: upgrade to >= 1.0.1

Keepalive Connections Causing Denial Of Service in puma
Open

    puma (3.12.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-29509

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5

Solution: upgrade to ~> 4.3.8, >= 5.3.1

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Open

    puma (3.12.0)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41136

Criticality: Low

URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Solution: upgrade to ~> 4.3.9, >= 5.5.1

HTTP Request Smuggling in puma
Open

    puma (3.12.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24790

Criticality: Critical

URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Solution: upgrade to ~> 4.3.12, >= 5.6.4

File mb_form_builder.rb has 548 lines of code (exceeds 250 allowed). Consider refactoring.
Open

class MbFormBuilder < ActionView::Helpers::FormBuilder
  include ActionView::Helpers::DateHelper

  def mb_input_field(
    method,
Severity: Major
Found in app/helpers/mb_form_builder.rb - About 1 day to fix

Cross-Site Scripting in Kaminari via original_script_name parameter
Open

    kaminari (1.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11082

Criticality: Medium

URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433

Solution: upgrade to >= 1.2.1

Improper neutralization of data URIs may allow XSS in Loofah
Open

    loofah (2.2.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23515

Criticality: Medium

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Solution: upgrade to >= 2.19.1

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.8.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (2.0.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Sort order SQL injection via direction parameter in administrate
Open

    administrate (0.10.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5257

Criticality: High

URL: https://github.com/advisories/GHSA-2p5p-m353-833w

Solution: upgrade to >= 0.13.0

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.5)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.5.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.8.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.8.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

    geocoder (1.5.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23

Solution: upgrade to >= 1.6.1

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

    devise (4.5.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (2.0.6)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3
