Showing 91 of 91 total issues
Possible timing attack in derivation_endpoint Open
shrine (2.11.0)
Advisory: CVE-2020-15237
Criticality: Medium
URL: https://github.com/shrinerb/shrine/security/advisories/GHSA-5jjv-x4fq-qjwp
Solution: upgrade to >= 3.3.0
Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (5.1.6)
Advisory: CVE-2020-8166
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open
nokogiri (1.8.4)
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open
json (2.1.0)
Advisory: CVE-2020-10663
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Solution: upgrade to >= 2.3.0
Loofah XSS Vulnerability Open
loofah (2.2.2)
Advisory: CVE-2019-15587
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/171
Solution: upgrade to >= 2.3.1
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open
nokogiri (1.8.4)
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Directory traversal in Rack::Directory app bundled with Rack Open
rack (2.0.5)
Advisory: CVE-2020-8161
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
CSRF Vulnerability in rails-ujs Open
actionview (5.1.6)
Advisory: CVE-2020-8167
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Gon gem lack of escaping certain input when outputting as JSON Open
gon (6.2.1)
Advisory: CVE-2020-25739
Criticality: Medium
URL: https://github.com/gazay/gon/commit/fe3c7b2191a992386dc9edd37de5447a4e809bc7
Solution: upgrade to >= 6.4.0
Devise Gem for Ruby confirmation token validation with a blank string Open
devise (4.4.3)
Advisory: CVE-2019-16109
URL: https://github.com/plataformatec/devise/issues/5071
Solution: upgrade to >= 4.7.1
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open
nokogiri (1.8.4)
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
Potential XSS vulnerability in Action View Open
actionview (5.1.6)
Advisory: CVE-2020-15169
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3
Possible XSS vulnerability in ActionView Open
actionview (5.1.6)
Advisory: CVE-2020-5267
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (5.1.6)
Advisory: CVE-2020-8165
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open
nokogiri (1.8.4)
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4
Remote command execution via filename Open
mini_magick (4.8.0)
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Solution: upgrade to >= 4.9.4
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (2.0.5)
Advisory: CVE-2020-8184
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Possible Strong Parameters Bypass in ActionPack Open
actionpack (5.1.6)
Advisory: CVE-2020-8164
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible DoS Vulnerability in Active Record PostgreSQL adapter Open
activerecord (5.1.6)
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, ~> 6.0.3.5, >= 6.1.2.1
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Open
devise (4.4.3)
Advisory: CVE-2019-5421
Criticality: Critical
URL: https://github.com/plataformatec/devise/issues/4981
Solution: upgrade to >= 4.6.0