Gemfile.lock from georgebellos/real_estate

Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors.

The obvious form of this is the use of eval with user input.

However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.

Rails 3.2.9 contains a SQL injection vulnerability (CVE-2013-0155). Upgrade to 3.2.11
New

    rails (3.2.9)

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Denial of service via header parsing in Rack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

Directory traversal in Rack::Directory app bundled with Rack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

ReDoS based DoS vulnerability in Action Dispatch
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

XSS vulnerability via data-target in bootstrap-sass
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-10735

Criticality: Medium

URL: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/

Solution: upgrade to >= 3.4.0

Remote command execution via filename
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13574

Criticality: High

URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

Solution: upgrade to >= 4.9.4

Keepalive thread overload/DoS in puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16770

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

Solution: upgrade to ~> 3.12.2, >= 4.3.1

Code Injection vulnerability in CarrierWave::RMagick
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21305

Criticality: High

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Solution: upgrade to ~> 1.3.2, >= 2.1.1

HTTP Request Smuggling in puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24790

Criticality: Critical

URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Solution: upgrade to ~> 4.3.12, >= 5.6.4

Older releases of better_errors open to Cross-Site Request Forgery attack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-39197

Criticality: Medium

URL: https://github.com/BetterErrors/better_errors/security/advisories/GHSA-w3j4-76qw-wwjm

Solution: upgrade to >= 2.8.0

Potential XSS vulnerability in jQuery
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element Reflected XSS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-125676

URL: https://github.com/mperham/sidekiq/issues/2330

Solution: upgrade to >= 3.4.0

Possible RCE escalation bug with Serialized Columns in Active Record
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8151

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8

Solution: upgrade to >= 5.1.1

Possible Information Disclosure / Unintended Method Execution in Action Pack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Denial of service in sidekiq
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23837

Criticality: High

URL: https://github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956

Solution: upgrade to >= 6.4.0, ~> 5.2.10

ReDoS based DoS vulnerability in Active Support’s underscore
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Cross-site Scripting in Sidekiq
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30151

Criticality: Medium

URL: https://github.com/advisories/GHSA-grh7-935j-hg6w

Solution: upgrade to ~> 5.2.0, >= 6.2.1

HTTP Smuggling via Transfer-Encoding Header in Puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11076

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

Solution: upgrade to ~> 3.12.5, >= 4.3.4

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-41136

Criticality: Low

URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Solution: upgrade to ~> 4.3.9, >= 5.5.1

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

OS Command Injection in Rake
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8130

Criticality: High

URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Solution: upgrade to >= 12.3.3

Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-125678

URL: https://github.com/mperham/sidekiq/pull/2309

Solution: upgrade to >= 3.4.0

HTTP Response Splitting vulnerability in puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5247

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Information Exposure with Puma when used with Rails
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23634

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Solution: upgrade to ~> 4.3.11, >= 5.6.2

Denial of Service Vulnerability in Rack Content-Disposition parsing
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Sidekiq Gem for Ruby Multiple Unspecified CSRF
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-125675

URL: https://github.com/mperham/sidekiq/pull/2422

Solution: upgrade to >= 3.4.2

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

CSRF vulnerability in OmniAuth's request phase
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

RDoc OS command injection vulnerability
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-31799

Criticality: High

URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/

Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1

ReDoS based DoS vulnerability in Action Dispatch
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22795

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

XSS vulnerability in bootstrap-sass
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-8331

Criticality: Medium

URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Solution: upgrade to >= 3.4.1

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

HTTP Response Splitting (Early Hints) in Puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5249

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Denial of service via multipart parsing in Rack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Keepalive Connections Causing Denial Of Service in puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-29509

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5

Solution: upgrade to ~> 4.3.8, >= 5.3.1

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16676

Criticality: Critical

URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx

Solution: upgrade to >= 5.0

Prototype pollution attack through jQuery $.extend
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11358

Criticality: Medium

URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Solution: upgrade to >= 4.3.4

Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-8314

URL: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/

Solution: upgrade to >= 3.5.4

Cross-Site Scripting in Kaminari via `original_script_name` parameter
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11082

Criticality: Medium

URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433

Solution: upgrade to >= 1.2.1

HTTP Smuggling via Transfer-Encoding Header in Puma
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

Ability to forge per-form CSRF tokens given a global CSRF token
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Server-side request forgery in CarrierWave
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Devise Gem for Ruby confirmation token validation with a blank string
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Denial of Service Vulnerability in Rack Multipart Parsing
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Possible shell escape sequence injection vulnerability in Rack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-1819

URL: https://github.com/sparklemotion/nokogiri/issues/1374

Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Regular Expression Denial of Service in Addressable templates
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-4658

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1615

Solution: upgrade to >= 1.7.1

uglifier incorrectly handles non-boolean comparisons during minification
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-126747

URL: https://github.com/mishoo/UglifyJS2/issues/751

Solution: upgrade to >= 2.7.2

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Out-of-bounds Write in zlib affects Nokogiri
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

rest-client ruby gem logs sensitive information
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-3448

Criticality: Low

URL: https://github.com/rest-client/rest-client/issues/349

Solution: upgrade to >= 1.7.3

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-16932

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.1

omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-4593

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4593

Solution: upgrade to >= 1.5.1

Improper Handling of Unexpected Data Type in Nokogiri
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

Denial of Service (DoS) in Nokogiri on JRuby
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

omniauth leaks authenticity token in callback params
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-18076

Criticality: High

URL: https://github.com/omniauth/omniauth/pull/867

Solution: upgrade to >= 1.3.2

Possible XSS vulnerability in Rack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

XML Injection in Xerces Java affects Nokogiri
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Inefficient Regular Expression Complexity in Nokogiri
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

ruby-ffi DDL loading issue on Windows OS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Geocoder gem for Ruby contains possible SQL injection vulnerability
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23

Solution: upgrade to >= 1.6.1

Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-118481

URL: https://github.com/sparklemotion/nokogiri/pull/1087

Solution: upgrade to >= 1.6.3

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

CSRF Vulnerability in jquery-rails
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-1840

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY

Solution: upgrade to >= 4.0.4, ~> 3.1.3

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-15412

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.2

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-9050

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1673

Solution: upgrade to >= 1.8.1

Race condition when using persistent connections
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16779

Criticality: Medium

URL: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9

Solution: upgrade to >= 0.71.0

Moderate severity vulnerability that affects nokogiri
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-18258

Criticality: Medium

URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Solution: upgrade to >= 1.8.2

Improper Certificate Validation in oauth ruby gem
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-11086

Criticality: High

URL: https://github.com/advisories/GHSA-7359-3c6r-hfc2

Solution: upgrade to >= 0.5.5

omniauth-facebook Gem for Ruby Unspecified CSRF
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-4562

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4562

Solution: upgrade to >= 1.5.0

Possible information leak / session hijack vulnerability
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-1820

Criticality: Critical

URL: https://github.com/rest-client/rest-client/issues/369

Solution: upgrade to >= 1.8.0

Missing TLS certificate verification in faye-websocket
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-15133

Criticality: High

URL: https://github.com/faye/faye-websocket-ruby/security/advisories/GHSA-2v5c-755p-p4gv

Solution: upgrade to >= 0.11.0

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

OmniAuth's `lib/omniauth/failure_endpoint.rb` does not escape `message_key` value
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-36599

Criticality: Critical

URL: https://github.com/omniauth/omniauth/commit/43a396f181ef7d0ed2ec8291c939c95e3ed3ff00#diff-575abda9deb9b1a77bf534e898a923029b9a61e991d626db88dc6e8b34260aa2

Solution: upgrade to ~> 1.9.2, >= 2.0.0

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-5029

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1634

Solution: upgrade to >= 1.7.2

CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-0081

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0081

Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2

CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-9097

Criticality: Medium

URL: https://hackerone.com/reports/137631

Solution: upgrade to >= 2.5.5

CVE-2013-4389 rubygem-actionmailer: email address processing DoS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-4389

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4389

Solution: upgrade to >= 3.2.15

Arbitrary file existence disclosure in Action Pack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-7818

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo

Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3

CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-3482

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-3482

Solution: upgrade to ~> 3.2.19

Possible remote code execution vulnerability in Action Pack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-2098

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

XSS Vulnerability in number_to_currency
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-6415

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0

Solution: upgrade to ~> 3.2.16, >= 4.0.2

Denial of Service Vulnerability in Action View
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-6414

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg

Solution: upgrade to ~> 3.2.16, >= 4.0.2

CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-6461

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6461

Solution: upgrade to ~> 1.5.11, >= 1.6.1

Potential Denial of Service Vulnerability in Rack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-3225

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc

Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

Possible Information Leak Vulnerability in Action View
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-2097

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4

Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Directory Traversal Vulnerability With Certain Route Configurations
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-0130

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o

Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1

CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-0082

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0082

Solution: upgrade to >= 3.2.17

CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-6460

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6460

Solution: upgrade to ~> 1.5.11, >= 1.6.1

Possible Object Leak and Denial of Service attack in Action Pack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-0751

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Possible Denial of Service attack in Active Support
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-3227

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk

Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Possible Information Leak Vulnerability in Action View
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-0752

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

CVE-2014-2538 rubygem rack-ssl: URL error display XSS
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-2538

Criticality: Medium

URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2538

Solution: upgrade to >= 1.3.4

Possible XSS Vulnerability in Action View
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2016-6316

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1

Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-6417

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4

Solution: upgrade to ~> 3.2.16, >= 4.0.2

Reflective XSS Vulnerability in Ruby on Rails
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2013-4491

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998

Solution: upgrade to ~> 3.2.16, >= 4.0.2

redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-96425

URL: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release

Solution: upgrade to >= 1.3.1, ~> 1.2.2, ~> 1.1.1, ~> 1.0.4

Arbitrary file existence disclosure in Action Pack
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2014-7829

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk

Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8

Timing attack vulnerability in basic authentication in Action Controller.
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7576

Criticality: Low

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Nested attributes rejection proc bypass in Active Record
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2015-7577

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

CSRF token fixation attacks in Devise
Fixed

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: OSVDB-114435

URL: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/

Solution: upgrade to ~> 2.2.5, >= 3.0.1

Rails 3.2.13 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 3.2.22.4
Fixed

Found in Gemfile.lock by brakeman

Read up
Read up
Exclude checks
- Disable engine
- Disable check

georgebellos/real_estate

Summary

Maintainability

Test Coverage

HTTP Response Splitting (Early Hints) in Puma New

Percent-encoded cookies can be used to overwrite existing prefixed cookie names New

Possible shell escape sequence injection vulnerability in Rack New

ReDoS based DoS vulnerability in Active Support’s underscore New

XSS vulnerability via data-target in bootstrap-sass New

Directory traversal in Rack::Directory app bundled with Rack New

RDoc OS command injection vulnerability New

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter New

Possible RCE escalation bug with Serialized Columns in Active Record New

XSS vulnerability in bootstrap-sass New

HTTP Smuggling via Transfer-Encoding Header in Puma New

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore New

Denial of service via header parsing in Rack New

ReDoS based DoS vulnerability in Action Dispatch New

activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding New

Ability to forge per-form CSRF tokens given a global CSRF token New

Prototype pollution attack through jQuery $.extend New

HTTP Request Smuggling in puma New

Keepalive thread overload/DoS in puma New

HTTP Smuggling via Transfer-Encoding Header in Puma New

Denial of Service Vulnerability in Rack Multipart Parsing New

OS Command Injection in Rake New

simple_form Gem for Ruby Incorrect Access Control for forms based on user input New

CSRF Vulnerability in jquery-rails New

HTTP Response Splitting vulnerability in puma New

Keepalive Connections Causing Denial Of Service in puma New

uglifier incorrectly handles non-boolean comparisons during minification New

Potential XSS vulnerability in jQuery New

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) New

Possible Information Disclosure / Unintended Method Execution in Action Pack New

ReDoS based DoS vulnerability in Action Dispatch New

Information Exposure with Puma when used with Rails New

Denial of service via multipart parsing in Rack New

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma New

Denial of Service Vulnerability in Rack Content-Disposition parsing New

Nokogiri gem, via libxslt, is affected by improper access control vulnerability New

Moderate severity vulnerability that affects nokogiri New

Possible information leak / session hijack vulnerability New

XML Injection in Xerces Java affects Nokogiri New

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities New

Improper Handling of Unexpected Data Type in Nokogiri New

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) New

Possible XSS vulnerability in Rack New

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation New

Out-of-bounds Write in zlib affects Nokogiri New

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt New

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs New

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities New

Inefficient Regular Expression Complexity in Nokogiri New

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt New

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file New

Update packaged dependency libxml2 from 2.9.10 to 2.9.12 New

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities New

Regular Expression Denial of Service in Addressable templates New

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability New

Denial of Service (DoS) in Nokogiri on JRuby New

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby New

Integer Overflow or Wraparound in libxml2 affects Nokogiri New

Revert libxml2 behavior in Nokogiri gem that could cause XSS New

ruby-ffi DDL loading issue on Windows OS New

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 New

Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS New

Nokogiri gem, via libxml, is affected by DoS vulnerabilities New

CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses New

Nokogiri gem, via libxml, is affected by DoS vulnerabilities New

Possible XSS Vulnerability in Action View New

Directory Traversal Vulnerability With Certain Route Configurations New

Reflective XSS Vulnerability in Ruby on Rails New

CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error New

CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails New

Possible Denial of Service attack in Active Support New

CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability New

Timing attack vulnerability in basic authentication in Action Controller. New

Nested attributes rejection proc bypass in Active Record New

CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection New

CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities New

HTTP Response Splitting (Early Hints) in Puma
New

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
New

Possible shell escape sequence injection vulnerability in Rack
New

ReDoS based DoS vulnerability in Active Support’s underscore
New

XSS vulnerability via data-target in bootstrap-sass
New

Directory traversal in Rack::Directory app bundled with Rack
New

RDoc OS command injection vulnerability
New

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
New

Possible RCE escalation bug with Serialized Columns in Active Record
New

XSS vulnerability in bootstrap-sass
New

HTTP Smuggling via Transfer-Encoding Header in Puma
New

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
New

Denial of service via header parsing in Rack
New

ReDoS based DoS vulnerability in Action Dispatch
New

activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding
New

Ability to forge per-form CSRF tokens given a global CSRF token
New

Prototype pollution attack through jQuery $.extend
New

HTTP Request Smuggling in puma
New

Keepalive thread overload/DoS in puma
New

HTTP Smuggling via Transfer-Encoding Header in Puma
New

Denial of Service Vulnerability in Rack Multipart Parsing
New

OS Command Injection in Rake
New

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
New

CSRF Vulnerability in jquery-rails
New

HTTP Response Splitting vulnerability in puma
New

Keepalive Connections Causing Denial Of Service in puma
New

uglifier incorrectly handles non-boolean comparisons during minification
New

Potential XSS vulnerability in jQuery
New

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
New

Possible Information Disclosure / Unintended Method Execution in Action Pack
New

ReDoS based DoS vulnerability in Action Dispatch
New

Information Exposure with Puma when used with Rails
New

Denial of service via multipart parsing in Rack
New

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
New

Denial of Service Vulnerability in Rack Content-Disposition parsing
New

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
New

Moderate severity vulnerability that affects nokogiri
New

Possible information leak / session hijack vulnerability
New

XML Injection in Xerces Java affects Nokogiri
New

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
New

Improper Handling of Unexpected Data Type in Nokogiri
New

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
New

Possible XSS vulnerability in Rack
New

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
New

Out-of-bounds Write in zlib affects Nokogiri
New

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
New

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
New

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
New

Inefficient Regular Expression Complexity in Nokogiri
New

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
New

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
New

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
New

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
New

Regular Expression Denial of Service in Addressable templates
New

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
New

Denial of Service (DoS) in Nokogiri on JRuby
New

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
New

Integer Overflow or Wraparound in libxml2 affects Nokogiri
New

Revert libxml2 behavior in Nokogiri gem that could cause XSS
New

ruby-ffi DDL loading issue on Windows OS
New

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
New

Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
New

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
New

CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
New

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
New

Possible XSS Vulnerability in Action View
New

Directory Traversal Vulnerability With Certain Route Configurations
New

Reflective XSS Vulnerability in Ruby on Rails
New

CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error
New

CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails
New

Possible Denial of Service attack in Active Support
New

CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
New

Timing attack vulnerability in basic authentication in Action Controller.
New

Nested attributes rejection proc bypass in Active Record
New

CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection
New

CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities
New

CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents
New

XSS Vulnerability in number_to_currency
New

CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS
New

CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails
New