georgebellos/real_estate

Gemfile.lock


Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Open

    puma (2.1.1)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41136

Criticality: Low

URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Solution: upgrade to ~> 4.3.9, >= 5.5.1

Information Exposure with Puma when used with Rails
Open

    puma (2.1.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23634

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Solution: upgrade to ~> 4.3.11, >= 5.6.2

ReDoS based DoS vulnerability in Active Support’s underscore
Open

    activesupport (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
Open

    devise (2.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-8314

URL: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/

Solution: upgrade to >= 3.5.4

Cross-Site Scripting in Kaminari via original_script_name parameter
Open

    kaminari (0.14.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11082

Criticality: Medium

URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433

Solution: upgrade to >= 1.2.1

CSRF vulnerability in OmniAuth's request phase
Open

    omniauth (1.1.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

HTTP Request Smuggling in puma
Open

    puma (2.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24790

Criticality: Critical

URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Solution: upgrade to ~> 4.3.12, >= 5.6.4

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (2.1.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11076

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

Solution: upgrade to ~> 3.12.5, >= 4.3.4

RDoc OS command injection vulnerability
Open

    rdoc (3.12.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-31799

Criticality: High

URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/

Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1

Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
Open

    sidekiq (2.12.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-125678

URL: https://github.com/mperham/sidekiq/pull/2309

Solution: upgrade to >= 3.4.0

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

    actionpack (3.2.13)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

XSS vulnerability in bootstrap-sass
Open

    bootstrap-sass (2.3.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-8331

Criticality: Medium

URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Solution: upgrade to >= 3.4.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22795

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Denial of Service Vulnerability in Rack Multipart Parsing
Open

    rack (1.4.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Older releases of better_errors open to Cross-Site Request Forgery attack
Open

    better_errors (0.9.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-39197

Criticality: Medium

URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Solution: upgrade to >= 2.8.0

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

    devise (2.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (1.8.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Keepalive Connections Causing Denial Of Service in puma
Open

    puma (2.1.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-29509

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5

Solution: upgrade to ~> 4.3.8, >= 5.3.1

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Potential XSS vulnerability in jQuery
Open

    jquery-rails (3.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (1.4.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS
Open

    sidekiq (2.12.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-125676

URL: https://github.com/mperham/sidekiq/issues/2330

Solution: upgrade to >= 3.4.0

Keepalive thread overload/DoS in puma
Open

    puma (2.1.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16770

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

Solution: upgrade to ~> 3.12.2, >= 4.3.1

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (2.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (2.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

Denial of service via header parsing in Rack
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

XSS vulnerability via data-target in bootstrap-sass
Open

    bootstrap-sass (2.3.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-10735

Criticality: Medium

URL: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/

Solution: upgrade to >= 3.4.0

Code Injection vulnerability in CarrierWave::RMagick
Open

    carrierwave (0.8.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-21305

Criticality: High

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Prototype pollution attack through jQuery $.extend
Open

    jquery-rails (3.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11358

Criticality: Medium

URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Solution: upgrade to >= 4.3.4

Sidekiq Gem for Ruby Multiple Unspecified CSRF
Open

    sidekiq (2.12.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-125675

URL: https://github.com/mperham/sidekiq/pull/2422

Solution: upgrade to >= 3.4.2

Remote command execution via filename
Open

    mini_magick (3.6.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13574

Criticality: High

URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

Solution: upgrade to >= 4.9.4

Denial of service via multipart parsing in Rack
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Cross-site Scripting in Sidekiq
Open

    sidekiq (2.12.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30151

Criticality: Medium

URL: https://github.com/advisories/GHSA-grh7-935j-hg6w

Solution: upgrade to ~> 5.2.0, >= 6.2.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

OS Command Injection in Rake
Open

    rake (10.0.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8130

Criticality: High

URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Solution: upgrade to >= 12.3.3

Directory traversal vulnerability in rubyzip
Open

    rubyzip (0.9.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-5946

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/315

Solution: upgrade to >= 1.2.1

activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding
Open

    activeresource (3.2.13)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8151

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8

Solution: upgrade to >= 5.1.1

HTTP Response Splitting vulnerability in puma
Open

    puma (2.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5247

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Directory Traversal in rubyzip
Open

    rubyzip (0.9.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000544

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/369

Solution: upgrade to >= 1.2.2

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (1.4.5)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Denial of service in sidekiq
Open

    sidekiq (2.12.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23837

Criticality: High

URL: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956

Solution: upgrade to >= 6.4.0, ~> 5.2.10

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Open

    simple_form (2.1.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16676

Criticality: Critical

URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx

Solution: upgrade to >= 5.0

Server-side request forgery in CarrierWave
Open

    carrierwave (0.8.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

HTTP Response Splitting (Early Hints) in Puma
Open

    puma (2.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5249

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Denial of Service in rubyzip ("zip bombs")
Open

    rubyzip (0.9.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16892

Criticality: Medium

URL: https://github.com/rubyzip/rubyzip/pull/403

Solution: upgrade to >= 1.3.0

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

    geocoder (1.1.8)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23

Solution: upgrade to >= 1.6.1

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-118481

URL: https://github.com/sparklemotion/nokogiri/pull/1087

Solution: upgrade to >= 1.6.3

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Open

    i18n (0.6.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-10077

URL: https://github.com/svenfuchs/i18n/pull/289

Solution: upgrade to >= 0.8.0

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-5029

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1634

Solution: upgrade to >= 1.7.2

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
Open

    omniauth-facebook (1.4.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-4593

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4593

Solution: upgrade to >= 1.5.1

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

CVE-2015-1820 rubygem-rest-client: session fixation vulnerability, Set-Cookie headers present in HTTP 30x redirection responses
Open

    rest-client (1.6.7)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-1820

Criticality: Critical

URL: https://github.com/rest-client/rest-client/issues/369

Solution: upgrade to >= 1.8.0

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Improper Certificate Validation in oauth ruby gem
Open

    oauth (0.4.7)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-11086

Criticality: High

URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2

Solution: upgrade to >= 0.5.5

CSRF Vulnerability in jquery-rails
Open

    jquery-rails (3.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-1840

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY

Solution: upgrade to >= 4.0.4, ~> 3.1.3

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-16932

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.1

Moderate severity vulnerability that affects nokogiri
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18258

Criticality: Medium

URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Solution: upgrade to >= 1.8.2

OmniAuth's lib/omniauth/failure_endpoint.rb does not escape message_key value
Open

    omniauth (1.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Missing TLS certificate verification in faye-websocket
Open

    faye-websocket (0.4.7)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-15133

Criticality: High

URL: https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv

Solution: upgrade to >= 0.11.0

ruby-ffi DDL loading issue on Windows OS
Open

    ffi (1.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

omniauth-facebook Gem for Ruby Unspecified CSRF
Open

    omniauth-facebook (1.4.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-4562

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4562

Solution: upgrade to >= 1.5.0

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

omniauth leaks authenticity token in callback params
Open

    omniauth (1.1.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18076

Criticality: High

URL: https://github.com/omniauth/omniauth/pull/867

Solution: upgrade to >= 1.3.2

Path Traversal in Sprockets
Open

    sprockets (2.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.3.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

    nokogiri (1.5.9)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-9050

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1673

Solution: upgrade to >= 1.8.1

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.5.9)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-1819

URL: https://github.com/sparklemotion/nokogiri/issues/1374

Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-15412

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.2

Race condition when using persistent connections
Open

    excon (0.23.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16779

Criticality: Medium

URL: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9

Solution: upgrade to >= 0.71.0

rest-client ruby gem logs sensitive information
Open

    rest-client (1.6.7)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-3448

Criticality: Low

URL: https://github.com/rest-client/rest-client/issues/349

Solution: upgrade to >= 1.7.3

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-4658

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1615

Solution: upgrade to >= 1.7.1

Possible information leak / session hijack vulnerability
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Possible XSS vulnerability in Rack
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

uglifier incorrectly handles non-boolean comparisons during minification
Open

    uglifier (2.1.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-126747

URL: https://github.com/mishoo/UglifyJS2/issues/751

Solution: upgrade to >= 2.7.2

CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-0081

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0081

Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (0.3.37)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-6417

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4

Solution: upgrade to ~> 3.2.16, >= 4.0.2

Reflective XSS Vulnerability in Ruby on Rails
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-4491

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998

Solution: upgrade to ~> 3.2.16, >= 4.0.2

Possible Denial of Service attack in Active Support
Open

    activesupport (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-3227

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk

Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

i18n missing translation error message XSS
Open

    i18n (0.6.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-4492

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998

Solution: upgrade to ~> 0.5.1, >= 0.6.6

CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
Open

    mail (2.5.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-9097

Criticality: Medium

URL: https://hackerone.com/reports/137631

Solution: upgrade to >= 2.5.5

Directory Traversal Vulnerability With Certain Route Configurations
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-0130

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o

Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1

Timing attack vulnerability in basic authentication in Action Controller
Open

    actionpack (3.2.13)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7576

Criticality: Low

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting
Open

    activerecord (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-3482

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-3482

Solution: upgrade to ~> 3.2.19

Possible Object Leak and Denial of Service attack in Action Pack
Open

    actionpack (3.2.13)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0751

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Possible Information Leak Vulnerability in Action View
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0752

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Possible Information Leak Vulnerability in Action View
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-2097

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4

Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2

CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Open

    rack-ssl (1.3.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-2538

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2538

Solution: upgrade to >= 1.3.4

Arbitrary file existence disclosure in Action Pack
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-7829

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk

Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8

Potential Denial of Service Vulnerability in Rack
Open

    rack (1.4.5)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-3225

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc

Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
Open

    redis-namespace (1.3.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-96425

URL: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release

Solution: upgrade to >= 1.3.1, ~> 1.2.2, ~> 1.1.1, ~> 1.0.4

XSS Vulnerability in number_to_currency
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-6415

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0

Solution: upgrade to ~> 3.2.16, >= 4.0.2

CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-6460

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6460

Solution: upgrade to ~> 1.5.11, >= 1.6.1

CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure
Open

    sprockets (2.2.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-7819

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY

Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.2.3, ~> 2.3.3, ~> 2.4.6, ~> 2.5.1, ~> 2.7.1, ~> 2.8.3, ~> 2.9.4, ~> 2.10.2, ~> 2.11.3, ~> 2.12.3, >= 3.0.0.beta.3

Arbitrary file existence disclosure in Action Pack
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-7818

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo

Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3

CSRF token fixation attacks in Devise
Open

    devise (2.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: OSVDB-114435

URL: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/

Solution: upgrade to ~> 2.2.5, >= 3.0.1

CVE-2013-4389 rubygem-actionmailer: email address processing DoS
Open

    actionmailer (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-4389

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4389

Solution: upgrade to >= 3.2.15

Possible XSS Vulnerability in Action View
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-6316

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1

Denial of Service Vulnerability in Action View
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-6414

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg

Solution: upgrade to ~> 3.2.16, >= 4.0.2

Possible remote code execution vulnerability in Action Pack
Open

    actionpack (3.2.13)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-2098

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service
Open

    actionpack (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-0082

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0082

Solution: upgrade to >= 3.2.17

CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities
Open

    nokogiri (1.5.9)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2013-6461

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6461

Solution: upgrade to ~> 1.5.11, >= 1.6.1

Nested attributes rejection proc bypass in Active Record
Open

    activerecord (3.2.13)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7577

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Rails 3.2.13 contains a SQL injection vulnerability (CVE-2013-6417). Upgrade to 3.2.16
Open

    rails (3.2.13)
Severity: Critical
Found in Gemfile.lock by brakeman

Rails 3.2.13 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 3.2.22
Open

    rails (3.2.13)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 3.2.13 contains a SQL injection vulnerability (CVE-2014-3483). Upgrade to 3.2.19
Open

    rails (3.2.13)
Severity: Critical
Found in Gemfile.lock by brakeman

Rails 3.2.13 has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version 4.0.2 or i18n 0.6.6
Open

    i18n (0.6.1)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 3.2.13 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 3.2.22.4
Open

    rails (3.2.13)
Severity: Critical
Found in Gemfile.lock by brakeman

Rails 3.2.13 has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version 3.2.17
Open

    rails (3.2.13)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 3.2.13 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 3.2.22.1
Open

    rails (3.2.13)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 3.2.13 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 3.2.16
Open

    rails (3.2.13)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 3.2.13 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 3.2.19
Open

    rails (3.2.13)
Severity: Critical
Found in Gemfile.lock by brakeman
