HTTP Response Splitting (Early Hints) in Puma New
puma (1.6.3)
Advisory: CVE-2020-5249
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Percent-encoded cookies can be used to overwrite existing prefixed cookie names New
rack (1.4.1)
Advisory: CVE-2020-8184
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Possible shell escape sequence injection vulnerability in Rack New
rack (1.4.1)
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
ReDoS based DoS vulnerability in Active Support’s underscore New
activesupport (3.2.9)
Advisory: CVE-2023-22796
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
XSS vulnerability via data-target in bootstrap-sass New
bootstrap-sass (2.2.1.1)
Advisory: CVE-2016-10735
Criticality: Medium
URL: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
Solution: upgrade to >= 3.4.0
Directory traversal in Rack::Directory app bundled with Rack New
rack (1.4.1)
Advisory: CVE-2020-8161
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
RDoc OS command injection vulnerability New
rdoc (3.12)
Advisory: CVE-2021-31799
Criticality: High
URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1
Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter New
activerecord (3.2.9)
Advisory: CVE-2022-44566
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Possible RCE escalation bug with Serialized Columns in Active Record New
activerecord (3.2.9)
Advisory: CVE-2022-32224
Criticality: Critical
URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1
XSS vulnerability in bootstrap-sass New
bootstrap-sass (2.2.1.1)
Advisory: CVE-2019-8331
Criticality: Medium
URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
Solution: upgrade to >= 3.4.1
HTTP Smuggling via Transfer-Encoding Header in Puma New
puma (1.6.3)
Advisory: CVE-2020-11077
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
Solution: upgrade to ~> 3.12.6, >= 4.3.5
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore New
activesupport (3.2.9)
Advisory: CVE-2020-8165
Criticality: Critical
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Denial of service via header parsing in Rack New
rack (1.4.1)
Advisory: CVE-2022-44570
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1
ReDoS based DoS vulnerability in Action Dispatch New
actionpack (3.2.9)
Advisory: CVE-2023-22792
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding New
activeresource (3.2.9)
Advisory: CVE-2020-8151
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
Solution: upgrade to >= 5.1.1
Ability to forge per-form CSRF tokens given a global CSRF token New
actionpack (3.2.9)
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Prototype pollution attack through jQuery $.extend New
jquery-rails (2.1.4)
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Solution: upgrade to >= 4.3.4
HTTP Request Smuggling in puma New
puma (1.6.3)
Advisory: CVE-2022-24790
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Solution: upgrade to ~> 4.3.12, >= 5.6.4
Keepalive thread overload/DoS in puma New
puma (1.6.3)
Advisory: CVE-2019-16770
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
Solution: upgrade to ~> 3.12.2, >= 4.3.1
HTTP Smuggling via Transfer-Encoding Header in Puma New
puma (1.6.3)
Advisory: CVE-2020-11076
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
Solution: upgrade to ~> 3.12.5, >= 4.3.4
Denial of Service Vulnerability in Rack Multipart Parsing New
rack (1.4.1)
Advisory: CVE-2022-30122
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
OS Command Injection in Rake New
rake (10.0.2)
Advisory: CVE-2020-8130
Criticality: High
URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Solution: upgrade to >= 12.3.3
simple_form Gem for Ruby Incorrect Access Control for forms based on user input New
simple_form (2.0.4)
Advisory: CVE-2019-16676
Criticality: Critical
URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
Solution: upgrade to >= 5.0
CSRF Vulnerability in jquery-rails New
jquery-rails (2.1.4)
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Solution: upgrade to >= 4.0.4, ~> 3.1.3
HTTP Response Splitting vulnerability in puma New
puma (1.6.3)
Advisory: CVE-2020-5247
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Keepalive Connections Causing Denial Of Service in puma New
puma (1.6.3)
Advisory: CVE-2021-29509
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Solution: upgrade to ~> 4.3.8, >= 5.3.1
uglifier incorrectly handles non-boolean comparisons during minification New
uglifier (1.3.0)
Advisory: OSVDB-126747
URL: https://github.com/mishoo/UglifyJS2/issues/751
Solution: upgrade to >= 2.7.2
Potential XSS vulnerability in jQuery New
jquery-rails (2.1.4)
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Solution: upgrade to >= 4.4.0
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) New
json (1.7.5)
Advisory: CVE-2020-10663
Criticality: High
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Solution: upgrade to >= 2.3.0
Possible Information Disclosure / Unintended Method Execution in Action Pack New
actionpack (3.2.9)
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2
ReDoS based DoS vulnerability in Action Dispatch New
actionpack (3.2.9)
Advisory: CVE-2023-22795
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Information Exposure with Puma when used with Rails New
puma (1.6.3)
Advisory: CVE-2022-23634
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Solution: upgrade to ~> 4.3.11, >= 5.6.2
Denial of service via multipart parsing in Rack New
rack (1.4.1)
Advisory: CVE-2022-44572
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma New
puma (1.6.3)
Advisory: CVE-2021-41136
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Solution: upgrade to ~> 4.3.9, >= 5.5.1
Denial of Service Vulnerability in Rack Content-Disposition parsing New
rack (1.4.1)
Advisory: CVE-2022-44571
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Nokogiri gem, via libxslt, is affected by improper access control vulnerability New
nokogiri (1.5.5)
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
Moderate severity vulnerability that affects nokogiri New
nokogiri (1.5.5)
Advisory: CVE-2017-18258
Criticality: Medium
URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Solution: upgrade to >= 1.8.2
Possible information leak / session hijack vulnerability New
rack (1.4.1)
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
XML Injection in Xerces Java affects Nokogiri New
nokogiri (1.5.5)
Advisory: CVE-2022-23437
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
Solution: upgrade to >= 1.13.4
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities New
nokogiri (1.5.5)
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
Improper Handling of Unexpected Data Type in Nokogiri New
nokogiri (1.5.5)
Advisory: CVE-2022-29181
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
Solution: upgrade to >= 1.13.6
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) New
nokogiri (1.5.5)
Advisory: CVE-2021-30560
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Solution: upgrade to >= 1.13.2
Possible XSS vulnerability in Rack New
rack (1.4.1)
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation New
nokogiri (1.5.5)
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Out-of-bounds Write in zlib affects Nokogiri New
nokogiri (1.5.5)
Advisory: CVE-2018-25032
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Solution: upgrade to >= 1.13.4
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt New
nokogiri (1.5.5)
Advisory: CVE-2015-1819
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs New
nokogiri (1.5.5)
Advisory:
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
Solution: upgrade to >= 1.13.9
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities New
nokogiri (1.5.5)
Advisory: CVE-2018-14404
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Solution: upgrade to >= 1.8.5
Inefficient Regular Expression Complexity in Nokogiri New
nokogiri (1.5.5)
Advisory: CVE-2022-24836
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Solution: upgrade to >= 1.13.4
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt New
nokogiri (1.5.5)
Advisory: CVE-2016-4658
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Solution: upgrade to >= 1.7.1
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file New
nokogiri (1.5.5)
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4
Update packaged dependency libxml2 from 2.9.10 to 2.9.12 New
nokogiri (1.5.5)
Advisory:
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64
Solution: upgrade to >= 1.11.4
Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities New
nokogiri (1.5.5)
Advisory: CVE-2017-9050
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1673
Solution: upgrade to >= 1.8.1
Regular Expression Denial of Service in Addressable templates New
addressable (2.3.2)
Advisory: CVE-2021-32740
Criticality: High
URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g
Solution: upgrade to >= 2.8.0
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability New
nokogiri (1.5.5)
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Denial of Service (DoS) in Nokogiri on JRuby New
nokogiri (1.5.5)
Advisory: CVE-2022-24839
Criticality: High
URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Solution: upgrade to >= 1.13.4
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby New
nokogiri (1.5.5)
Advisory: CVE-2021-41098
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
Solution: upgrade to >= 1.12.5
Integer Overflow or Wraparound in libxml2 affects Nokogiri New
nokogiri (1.5.5)
Advisory:
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5
Solution: upgrade to >= 1.13.5
Revert libxml2 behavior in Nokogiri gem that could cause XSS New
nokogiri (1.5.5)
Advisory: CVE-2018-8048
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Solution: upgrade to >= 1.8.3
ruby-ffi DDL loading issue on Windows OS New
ffi (1.2.0)
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Solution: upgrade to >= 1.9.24
Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 New
nokogiri (1.5.5)
Advisory: CVE-2017-5029
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Solution: upgrade to >= 1.7.2
Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS New
nokogiri (1.5.5)
Advisory: OSVDB-118481
URL: https://github.com/sparklemotion/nokogiri/pull/1087
Solution: upgrade to >= 1.6.3
Nokogiri gem, via libxml, is affected by DoS vulnerabilities New
nokogiri (1.5.5)
Advisory: CVE-2017-16932
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.1
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses New
mail (2.4.4)
Advisory: CVE-2015-9097
Criticality: Medium
URL: https://hackerone.com/reports/137631
Solution: upgrade to >= 2.5.5
Nokogiri gem, via libxml, is affected by DoS vulnerabilities New
nokogiri (1.5.5)
Advisory: CVE-2017-15412
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.2
Possible XSS Vulnerability in Action View New
actionpack (3.2.9)
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1
Directory Traversal Vulnerability With Certain Route Configurations New
actionpack (3.2.9)
Advisory: CVE-2014-0130
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1
Reflective XSS Vulnerability in Ruby on Rails New
actionpack (3.2.9)
Advisory: CVE-2013-4491
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error New
rack (1.4.1)
Advisory: CVE-2013-0183
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0183
Solution: upgrade to ~> 1.3.8, >= 1.4.3
CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails New
activerecord (3.2.9)
Advisory: CVE-2013-0155
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0155
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
Possible Denial of Service attack in Active Support New
activesupport (3.2.9)
Advisory: CVE-2015-3227
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability New
actionpack (3.2.9)
Advisory: CVE-2014-0081
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0081
Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2
Timing attack vulnerability in basic authentication in Action Controller. New
actionpack (3.2.9)
Advisory: CVE-2015-7576
Criticality: Low
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Nested attributes rejection proc bypass in Active Record New
activerecord (3.2.9)
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection New
json (1.7.5)
Advisory: CVE-2013-0269
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0269
Solution: upgrade to ~> 1.5.5, ~> 1.6.8, >= 1.7.7
CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities New
nokogiri (1.5.5)
Advisory: CVE-2013-6461
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6461
Solution: upgrade to ~> 1.5.11, >= 1.6.1
CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents New
nokogiri (1.5.5)
Advisory: CVE-2013-6460
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6460
Solution: upgrade to ~> 1.5.11, >= 1.6.1
XSS Vulnerability in number_to_currency New
actionpack (3.2.9)
Advisory: CVE-2013-6415
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS New
rack (1.4.1)
Advisory: CVE-2012-6109
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2012-6109
Solution: upgrade to ~> 1.1.4, ~> 1.2.6, ~> 1.3.7, >= 1.4.2
CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails New
actionpack (3.2.9)
Advisory: CVE-2013-1857
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1857
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass New
activerecord (3.2.9)
Advisory: CVE-2012-6496
Criticality: Medium
URL: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
Solution: upgrade to ~> 3.0.18, ~> 3.1.9, >= 3.2.10
CVE-2013-0262 rubygem-rack: Path sanitization information disclosure New
rack (1.4.1)
Advisory: CVE-2013-0262
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0262
Solution: upgrade to ~> 1.4.5, >= 1.5.2
XML Parsing Vulnerability affecting JRuby users New
activesupport (3.2.9)
Advisory: CVE-2013-1856
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
Solution: upgrade to ~> 3.1.12, >= 3.2.13
Possible Object Leak and Denial of Service attack in Action Pack New
actionpack (3.2.9)
Advisory: CVE-2016-0751
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Possible remote code execution vulnerability in Action Pack New
actionpack (3.2.9)
Advisory: CVE-2016-2098
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack New
actionpack (3.2.9)
Advisory: CVE-2013-0156
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0156
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected New
activerecord (3.2.9)
Advisory: CVE-2013-0276
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0276
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions New
rack (1.4.1)
Advisory: CVE-2013-0263
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0263
Solution: upgrade to ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
Potential Denial of Service Vulnerability in Rack New
rack (1.4.1)
Advisory: CVE-2015-3225
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6
CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS New
rack (1.4.1)
Advisory: CVE-2013-0184
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0184
Solution: upgrade to ~> 1.1.5, ~> 1.2.7, ~> 1.3.9, >= 1.4.4
CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template New
rdoc (3.12)
Advisory: CVE-2013-0256
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0256
Solution: upgrade to ~> 3.9.5, ~> 3.12.1, >= 4.0
CVE-2013-4389 rubygem-actionmailer: email address processing DoS New
actionmailer (3.2.9)
Advisory: CVE-2013-4389
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4389
Solution: upgrade to >= 3.2.15
Possible Information Leak Vulnerability in Action View New
actionpack (3.2.9)
Advisory: CVE-2016-2097
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2
Arbitrary file existence disclosure in Action Pack New
actionpack (3.2.9)
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) New
actionpack (3.2.9)
Advisory: CVE-2013-6417
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
Solution: upgrade to ~> 3.2.16, >= 4.0.2
Denial of Service Vulnerability in Action View New
actionpack (3.2.9)
Advisory: CVE-2013-6414
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2014-2538 rubygem rack-ssl: URL error display XSS New
rack-ssl (1.3.2)
Advisory: CVE-2014-2538
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2538
Solution: upgrade to >= 1.3.4
Possible Information Leak Vulnerability in Action View New
actionpack (3.2.9)
Advisory: CVE-2016-0752
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
TZInfo relative path traversal vulnerability allows loading of arbitrary files New
tzinfo (0.3.35)
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Arbitrary file existence disclosure in Action Pack New
actionpack (3.2.9)
Advisory: CVE-2014-7818
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3
CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service New
actionpack (3.2.9)
Advisory: CVE-2014-0082
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0082
Solution: upgrade to >= 3.2.17
CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability New
activerecord (3.2.9)
Advisory: CVE-2013-1854
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1854
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting New
activerecord (3.2.9)
Advisory: CVE-2014-3482
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
Solution: upgrade to ~> 3.2.19
CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css New
actionpack (3.2.9)
Advisory: CVE-2013-1855
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1855
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
Rails 3.2.9 has a remote code execution vulnerability: upgrade to 3.2.11 or disable XML parsing New
rails (3.2.9)
Rails 3.2.9 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 3.2.22.4 New
rails (3.2.9)
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2012-5664). Upgrade to 3.2.18 New
rails (3.2.9)
json gem version 1.7.5 has a remote code vulnerability: upgrade to 1.7.7 New
json (1.7.5)
Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors. The obvious form of this is the use of eval with user input. However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2013-0155). Upgrade to 3.2.11 New
rails (3.2.9)
Denial of service via header parsing in Rack Fixed
Advisory: CVE-2022-44570
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1
Directory traversal in Rack::Directory app bundled with Rack Fixed
Advisory: CVE-2020-8161
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
ReDoS based DoS vulnerability in Action Dispatch Fixed
Advisory: CVE-2023-22792
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
XSS vulnerability via data-target in bootstrap-sass Fixed
Advisory: CVE-2016-10735
Criticality: Medium
URL: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
Solution: upgrade to >= 3.4.0
Remote command execution via filename Fixed
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Solution: upgrade to >= 4.9.4
Keepalive thread overload/DoS in puma Fixed
Advisory: CVE-2019-16770
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
Solution: upgrade to ~> 3.12.2, >= 4.3.1
Code Injection vulnerability in CarrierWave::RMagick Fixed
Advisory: CVE-2021-21305
Criticality: High
URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
Solution: upgrade to ~> 1.3.2, >= 2.1.1
HTTP Request Smuggling in puma Fixed
Advisory: CVE-2022-24790
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Solution: upgrade to ~> 4.3.12, >= 5.6.4
Older releases of better_errors open to Cross-Site Request Forgery attack Fixed
Advisory: CVE-2021-39197
Criticality: Medium
URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm
Solution: upgrade to >= 2.8.0
Potential XSS vulnerability in jQuery Fixed
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Solution: upgrade to >= 4.4.0
Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS Fixed
Advisory: OSVDB-125676
URL: https://github.com/mperham/sidekiq/issues/2330
Solution: upgrade to >= 3.4.0
Possible RCE escalation bug with Serialized Columns in Active Record Fixed
Advisory: CVE-2022-32224
Criticality: Critical
URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1
activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding Fixed
Advisory: CVE-2020-8151
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
Solution: upgrade to >= 5.1.1
Possible Information Disclosure / Unintended Method Execution in Action Pack Fixed
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2
Denial of service in sidekiq Fixed
Advisory: CVE-2022-23837
Criticality: High
URL: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956
Solution: upgrade to >= 6.4.0, ~> 5.2.10
ReDoS based DoS vulnerability in Active Support’s underscore Fixed
Advisory: CVE-2023-22796
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Cross-site Scripting in Sidekiq Fixed
Advisory: CVE-2021-30151
Criticality: Medium
URL: https://github.com/advisories/GHSA-grh7-935j-hg6w
Solution: upgrade to ~> 5.2.0, >= 6.2.1
HTTP Smuggling via Transfer-Encoding Header in Puma Fixed
Advisory: CVE-2020-11076
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
Solution: upgrade to ~> 3.12.5, >= 4.3.4
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Fixed
Advisory: CVE-2021-41136
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Solution: upgrade to ~> 4.3.9, >= 5.5.1
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Fixed
Advisory: CVE-2020-8165
Criticality: Critical
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
OS Command Injection in Rake Fixed
Advisory: CVE-2020-8130
Criticality: High
URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Solution: upgrade to >= 12.3.3
Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS Fixed
Advisory: OSVDB-125678
URL: https://github.com/mperham/sidekiq/pull/2309
Solution: upgrade to >= 3.4.0
HTTP Response Splitting vulnerability in puma Fixed
Advisory: CVE-2020-5247
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Information Exposure with Puma when used with Rails Fixed
Advisory: CVE-2022-23634
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Solution: upgrade to ~> 4.3.11, >= 5.6.2
Denial of Service Vulnerability in Rack Content-Disposition parsing Fixed
Advisory: CVE-2022-44571
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Sidekiq Gem for Ruby Multiple Unspecified CSRF Fixed
Advisory: OSVDB-125675
URL: https://github.com/mperham/sidekiq/pull/2422
Solution: upgrade to >= 3.4.2
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Fixed
Advisory: CVE-2019-5421
Criticality: Critical
URL: https://github.com/plataformatec/devise/issues/4981
Solution: upgrade to >= 4.6.0
CSRF vulnerability in OmniAuth's request phase Fixed
Advisory: CVE-2015-9284
Criticality: High
URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Solution: upgrade to >= 2.0.0
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Fixed
Advisory: CVE-2020-8184
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
RDoc OS command injection vulnerability Fixed
Advisory: CVE-2021-31799
Criticality: High
URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1
ReDoS based DoS vulnerability in Action Dispatch Fixed
Advisory: CVE-2023-22795
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
XSS vulnerability in bootstrap-sass Fixed
Advisory: CVE-2019-8331
Criticality: Medium
URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
Solution: upgrade to >= 3.4.1
Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Fixed
Advisory: CVE-2022-44566
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
HTTP Response Splitting (Early Hints) in Puma Fixed
Advisory: CVE-2020-5249
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Denial of service via multipart parsing in Rack Fixed
Advisory: CVE-2022-44572
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Keepalive Connections Causing Denial Of Service in puma Fixed
Advisory: CVE-2021-29509
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Solution: upgrade to ~> 4.3.8, >= 5.3.1
simple_form Gem for Ruby Incorrect Access Control for forms based on user input Fixed
Advisory: CVE-2019-16676
Criticality: Critical
URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
Solution: upgrade to >= 5.0
Prototype pollution attack through jQuery $.extend Fixed
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Solution: upgrade to >= 4.3.4
Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie Fixed
Advisory: CVE-2015-8314
URL: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
Solution: upgrade to >= 3.5.4
Cross-Site Scripting in Kaminari via original_script_name parameter Fixed
Advisory: CVE-2020-11082
Criticality: Medium
URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
Solution: upgrade to >= 1.2.1
HTTP Smuggling via Transfer-Encoding Header in Puma Fixed
Advisory: CVE-2020-11077
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
Solution: upgrade to ~> 3.12.6, >= 4.3.5
Ability to forge per-form CSRF tokens given a global CSRF token Fixed
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Server-side request forgery in CarrierWave Fixed
Advisory: CVE-2021-21288
Criticality: Medium
URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
Solution: upgrade to ~> 1.3.2, >= 2.1.1
Devise Gem for Ruby confirmation token validation with a blank string Fixed
Advisory: CVE-2019-16109
Criticality: Medium
URL: https://github.com/plataformatec/devise/issues/5071
Solution: upgrade to >= 4.7.1
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Fixed
Advisory: CVE-2020-10663
Criticality: High
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Solution: upgrade to >= 2.3.0
Denial of Service Vulnerability in Rack Multipart Parsing Fixed
Advisory: CVE-2022-30122
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Possible shell escape sequence injection vulnerability in Rack Fixed
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Fixed
Advisory: CVE-2015-1819
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
Regular Expression Denial of Service in Addressable templates Fixed
Advisory: CVE-2021-32740
Criticality: High
URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g
Solution: upgrade to >= 2.8.0
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Fixed
Advisory: CVE-2016-4658
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Solution: upgrade to >= 1.7.1
uglifier incorrectly handles non-boolean comparisons during minification Fixed
Advisory: OSVDB-126747
URL: https://github.com/mishoo/UglifyJS2/issues/751
Solution: upgrade to >= 2.7.2
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Fixed
Advisory:
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
Solution: upgrade to >= 1.13.9
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Fixed
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Out-of-bounds Write in zlib affects Nokogiri Fixed
Advisory: CVE-2018-25032
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Solution: upgrade to >= 1.13.4
rest-client ruby gem logs sensitive information Fixed
Advisory: CVE-2015-3448
Criticality: Low
URL: https://github.com/rest-client/rest-client/issues/349
Solution: upgrade to >= 1.7.3
Nokogiri gem, via libxml, is affected by DoS vulnerabilities Fixed
Advisory: CVE-2017-16932
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.1
omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass Fixed
Advisory: CVE-2013-4593
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4593
Solution: upgrade to >= 1.5.1
Improper Handling of Unexpected Data Type in Nokogiri Fixed
Advisory: CVE-2022-29181
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
Solution: upgrade to >= 1.13.6
Denial of Service (DoS) in Nokogiri on JRuby Fixed
Advisory: CVE-2022-24839
Criticality: High
URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Solution: upgrade to >= 1.13.4
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Fixed
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
Revert libxml2 behavior in Nokogiri gem that could cause XSS Fixed
Advisory: CVE-2018-8048
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Solution: upgrade to >= 1.8.3
omniauth leaks authenticity token in callback params Fixed
Advisory: CVE-2017-18076
Criticality: High
URL: https://github.com/omniauth/omniauth/pull/867
Solution: upgrade to >= 1.3.2
Possible XSS vulnerability in Rack Fixed
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
XML Injection in Xerces Java affects Nokogiri Fixed
Advisory: CVE-2022-23437
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
Solution: upgrade to >= 1.13.4
Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Fixed
Advisory:
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64
Solution: upgrade to >= 1.11.4
Inefficient Regular Expression Complexity in Nokogiri Fixed
Advisory: CVE-2022-24836
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Solution: upgrade to >= 1.13.4
ruby-ffi DDL loading issue on Windows OS Fixed
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Solution: upgrade to >= 1.9.24
Geocoder gem for Ruby contains possible SQL injection vulnerability Fixed
Advisory: CVE-2020-7981
Criticality: Critical
URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23
Solution: upgrade to >= 1.6.1
Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS Fixed
Advisory: OSVDB-118481
URL: https://github.com/sparklemotion/nokogiri/pull/1087
Solution: upgrade to >= 1.6.3
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Fixed
Advisory: CVE-2018-14404
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Solution: upgrade to >= 1.8.5
CSRF Vulnerability in jquery-rails Fixed
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Solution: upgrade to >= 4.0.4, ~> 3.1.3
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Fixed
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4
Nokogiri gem, via libxml, is affected by DoS vulnerabilities Fixed
Advisory: CVE-2017-15412
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.2
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Fixed
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Fixed
Advisory: CVE-2021-30560
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Solution: upgrade to >= 1.13.2
Integer Overflow or Wraparound in libxml2 affects Nokogiri Fixed
Advisory:
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5
Solution: upgrade to >= 1.13.5
Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Fixed
Advisory: CVE-2017-9050
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1673
Solution: upgrade to >= 1.8.1
Race condition when using persistent connections Fixed
Advisory: CVE-2019-16779
Criticality: Medium
URL: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9
Solution: upgrade to >= 0.71.0
Moderate severity vulnerability that affects nokogiri Fixed
Advisory: CVE-2017-18258
Criticality: Medium
URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Solution: upgrade to >= 1.8.2
Improper Certificate Validation in oauth ruby gem Fixed
Advisory: CVE-2016-11086
Criticality: High
URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2
Solution: upgrade to >= 0.5.5
omniauth-facebook Gem for Ruby Unspecified CSRF Fixed
Advisory: CVE-2013-4562
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4562
Solution: upgrade to >= 1.5.0
Possible information leak / session hijack vulnerability Fixed
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses Fixed
Advisory: CVE-2015-1820
Criticality: Critical
URL: https://github.com/rest-client/rest-client/issues/369
Solution: upgrade to >= 1.8.0
Missing TLS certificate verification in faye-websocket Fixed
Advisory: CVE-2020-15133
Criticality: High
URL: https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv
Solution: upgrade to >= 0.11.0
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Fixed
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Fixed
Advisory: CVE-2021-41098
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
Solution: upgrade to >= 1.12.5
OmniAuth's lib/omniauth/failure_endpoint.rb does not escape message_key value Fixed
Advisory: CVE-2020-36599
Criticality: Critical
Solution: upgrade to ~> 1.9.2, >= 2.0.0
Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Fixed
Advisory: CVE-2017-5029
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Solution: upgrade to >= 1.7.2
CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability Fixed
Advisory: CVE-2014-0081
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0081
Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses Fixed
Advisory: CVE-2015-9097
Criticality: Medium
URL: https://hackerone.com/reports/137631
Solution: upgrade to >= 2.5.5
CVE-2013-4389 rubygem-actionmailer: email address processing DoS Fixed
Advisory: CVE-2013-4389
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4389
Solution: upgrade to >= 3.2.15
Arbitrary file existence disclosure in Action Pack Fixed
Advisory: CVE-2014-7818
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3
CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting Fixed
Advisory: CVE-2014-3482
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
Solution: upgrade to ~> 3.2.19
Possible remote code execution vulnerability in Action Pack Fixed
Advisory: CVE-2016-2098
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
XSS Vulnerability in number_to_currency Fixed
Advisory: CVE-2013-6415
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
Solution: upgrade to ~> 3.2.16, >= 4.0.2
Denial of Service Vulnerability in Action View Fixed
Advisory: CVE-2013-6414
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities Fixed
Advisory: CVE-2013-6461
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6461
Solution: upgrade to ~> 1.5.11, >= 1.6.1
Potential Denial of Service Vulnerability in Rack Fixed
Advisory: CVE-2015-3225
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6
Possible Information Leak Vulnerability in Action View Fixed
Advisory: CVE-2016-2097
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2
TZInfo relative path traversal vulnerability allows loading of arbitrary files Fixed
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Directory Traversal Vulnerability With Certain Route Configurations Fixed
Advisory: CVE-2014-0130
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1
CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service Fixed
Advisory: CVE-2014-0082
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0082
Solution: upgrade to >= 3.2.17
CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents Fixed
Advisory: CVE-2013-6460
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6460
Solution: upgrade to ~> 1.5.11, >= 1.6.1
Possible Object Leak and Denial of Service attack in Action Pack Fixed
Advisory: CVE-2016-0751
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Possible Denial of Service attack in Active Support Fixed
Advisory: CVE-2015-3227
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
Possible Information Leak Vulnerability in Action View Fixed
Advisory: CVE-2016-0752
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
CVE-2014-2538 rubygem rack-ssl: URL error display XSS Fixed
Advisory: CVE-2014-2538
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2538
Solution: upgrade to >= 1.3.4
Possible XSS Vulnerability in Action View Fixed
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) Fixed
Advisory: CVE-2013-6417
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
Solution: upgrade to ~> 3.2.16, >= 4.0.2
Reflective XSS Vulnerability in Ruby on Rails Fixed
Advisory: CVE-2013-4491
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
Solution: upgrade to ~> 3.2.16, >= 4.0.2
redis-namespace Gem for Ruby contains a flaw in the method_missing implementation Fixed
Advisory: OSVDB-96425
URL: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
Solution: upgrade to >= 1.3.1, ~> 1.2.2, ~> 1.1.1, ~> 1.0.4
Arbitrary file existence disclosure in Action Pack Fixed
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8
Timing attack vulnerability in basic authentication in Action Controller. Fixed
Advisory: CVE-2015-7576
Criticality: Low
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Nested attributes rejection proc bypass in Active Record Fixed
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
CSRF token fixation attacks in Devise Fixed
Advisory: OSVDB-114435
URL: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
Solution: upgrade to ~> 2.2.5, >= 3.0.1
Rails 3.2.13 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 3.2.22.4 Fixed