HTTP Response Splitting (Early Hints) in Puma Open
puma (1.6.3)
Advisory: CVE-2020-5249
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (1.4.1)
Advisory: CVE-2020-8184
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Possible shell escape sequence injection vulnerability in Rack Open
rack (1.4.1)
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
ReDoS based DoS vulnerability in Active Support’s underscore Open
activesupport (3.2.9)
Advisory: CVE-2023-22796
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
XSS vulnerability via data-target in bootstrap-sass Open
bootstrap-sass (2.2.1.1)
Advisory: CVE-2016-10735
Criticality: Medium
URL: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/
Solution: upgrade to >= 3.4.0
Directory traversal in Rack::Directory app bundled with Rack Open
rack (1.4.1)
Advisory: CVE-2020-8161
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
RDoc OS command injection vulnerability Open
rdoc (3.12)
Advisory: CVE-2021-31799
Criticality: High
URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1
Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Open
activerecord (3.2.9)
Advisory: CVE-2022-44566
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Possible RCE escalation bug with Serialized Columns in Active Record Open
activerecord (3.2.9)
Advisory: CVE-2022-32224
Criticality: Critical
URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1
XSS vulnerability in bootstrap-sass Open
bootstrap-sass (2.2.1.1)
Advisory: CVE-2019-8331
Criticality: Medium
URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
Solution: upgrade to >= 3.4.1
HTTP Smuggling via Transfer-Encoding Header in Puma Open
puma (1.6.3)
Advisory: CVE-2020-11077
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
Solution: upgrade to ~> 3.12.6, >= 4.3.5
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (3.2.9)
Advisory: CVE-2020-8165
Criticality: Critical
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Denial of service via header parsing in Rack Open
rack (1.4.1)
Advisory: CVE-2022-44570
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1
Directory traversal vulnerability in rubyzip Open
rubyzip (0.9.9)
Advisory: CVE-2017-5946
Criticality: Critical
URL: https://github.com/rubyzip/rubyzip/issues/315
Solution: upgrade to >= 1.2.1
Denial of Service in rubyzip ("zip bombs") Open
rubyzip (0.9.9)
Advisory: CVE-2019-16892
Criticality: Medium
URL: https://github.com/rubyzip/rubyzip/pull/403
Solution: upgrade to >= 1.3.0
ReDoS based DoS vulnerability in Action Dispatch Open
actionpack (3.2.9)
Advisory: CVE-2023-22792
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding Open
activeresource (3.2.9)
Advisory: CVE-2020-8151
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
Solution: upgrade to >= 5.1.1
Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (3.2.9)
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Prototype pollution attack through jQuery $.extend Open
jquery-rails (2.1.4)
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Solution: upgrade to >= 4.3.4
HTTP Request Smuggling in puma Open
puma (1.6.3)
Advisory: CVE-2022-24790
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Solution: upgrade to ~> 4.3.12, >= 5.6.4
Keepalive thread overload/DoS in puma Open
puma (1.6.3)
Advisory: CVE-2019-16770
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
Solution: upgrade to ~> 3.12.2, >= 4.3.1
HTTP Smuggling via Transfer-Encoding Header in Puma Open
puma (1.6.3)
Advisory: CVE-2020-11076
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
Solution: upgrade to ~> 3.12.5, >= 4.3.4
Denial of Service Vulnerability in Rack Multipart Parsing Open
rack (1.4.1)
Advisory: CVE-2022-30122
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
OS Command Injection in Rake Open
rake (10.0.2)
Advisory: CVE-2020-8130
Criticality: High
URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Solution: upgrade to >= 12.3.3
simple_form Gem for Ruby Incorrect Access Control for forms based on user input Open
simple_form (2.0.4)
Advisory: CVE-2019-16676
Criticality: Critical
URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
Solution: upgrade to >= 5.0
CSRF Vulnerability in jquery-rails Open
jquery-rails (2.1.4)
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Solution: upgrade to >= 4.0.4, ~> 3.1.3
HTTP Response Splitting vulnerability in puma Open
puma (1.6.3)
Advisory: CVE-2020-5247
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Keepalive Connections Causing Denial Of Service in puma Open
puma (1.6.3)
Advisory: CVE-2021-29509
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Solution: upgrade to ~> 4.3.8, >= 5.3.1
uglifier incorrectly handles non-boolean comparisons during minification Open
uglifier (1.3.0)
Advisory: OSVDB-126747
URL: https://github.com/mishoo/UglifyJS2/issues/751
Solution: upgrade to >= 2.7.2
Potential XSS vulnerability in jQuery Open
jquery-rails (2.1.4)
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Solution: upgrade to >= 4.4.0
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open
json (1.7.5)
Advisory: CVE-2020-10663
Criticality: High
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Solution: upgrade to >= 2.3.0
Possible Information Disclosure / Unintended Method Execution in Action Pack Open
actionpack (3.2.9)
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2
ReDoS based DoS vulnerability in Action Dispatch Open
actionpack (3.2.9)
Advisory: CVE-2023-22795
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Information Exposure with Puma when used with Rails Open
puma (1.6.3)
Advisory: CVE-2022-23634
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Solution: upgrade to ~> 4.3.11, >= 5.6.2
Denial of service via multipart parsing in Rack Open
rack (1.4.1)
Advisory: CVE-2022-44572
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Open
puma (1.6.3)
Advisory: CVE-2021-41136
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Solution: upgrade to ~> 4.3.9, >= 5.5.1
Denial of Service Vulnerability in Rack Content-Disposition parsing Open
rack (1.4.1)
Advisory: CVE-2022-44571
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Directory Traversal in rubyzip Open
rubyzip (0.9.9)
Advisory: CVE-2018-1000544
Criticality: Critical
URL: https://github.com/rubyzip/rubyzip/issues/369
Solution: upgrade to >= 1.2.2
Nokogiri gem, via libxslt, is affected by improper access control vulnerability Open
nokogiri (1.5.5)
Advisory: CVE-2019-11068
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Solution: upgrade to >= 1.10.3
Moderate severity vulnerability that affects nokogiri Open
nokogiri (1.5.5)
Advisory: CVE-2017-18258
Criticality: Medium
URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb
Solution: upgrade to >= 1.8.2
Possible information leak / session hijack vulnerability Open
rack (1.4.1)
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
XML Injection in Xerces Java affects Nokogiri Open
nokogiri (1.5.5)
Advisory: CVE-2022-23437
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
Solution: upgrade to >= 1.13.4
Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open
nokogiri (1.5.5)
Advisory: CVE-2019-13117
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Solution: upgrade to >= 1.10.5
Improper Handling of Unexpected Data Type in Nokogiri Open
nokogiri (1.5.5)
Advisory: CVE-2022-29181
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m
Solution: upgrade to >= 1.13.6
Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Open
nokogiri (1.5.5)
Advisory: CVE-2021-30560
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Solution: upgrade to >= 1.13.2
Possible XSS vulnerability in Rack Open
rack (1.4.1)
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open
nokogiri (1.5.5)
Advisory: CVE-2020-7595
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Solution: upgrade to >= 1.10.8
Out-of-bounds Write in zlib affects Nokogiri Open
nokogiri (1.5.5)
Advisory: CVE-2018-25032
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Solution: upgrade to >= 1.13.4
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Open
nokogiri (1.5.5)
Advisory: CVE-2015-1819
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4
Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open
nokogiri (1.5.5)
Advisory:
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw
Solution: upgrade to >= 1.13.9
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Open
nokogiri (1.5.5)
Advisory: CVE-2018-14404
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Solution: upgrade to >= 1.8.5
Inefficient Regular Expression Complexity in Nokogiri Open
nokogiri (1.5.5)
Advisory: CVE-2022-24836
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Solution: upgrade to >= 1.13.4
Nokogiri gem contains several vulnerabilities in libxml2 and libxslt Open
nokogiri (1.5.5)
Advisory: CVE-2016-4658
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Solution: upgrade to >= 1.7.1
Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Open
nokogiri (1.5.5)
Advisory: CVE-2019-5477
Criticality: Critical
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Solution: upgrade to >= 1.10.4
Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Open
nokogiri (1.5.5)
Advisory:
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64
Solution: upgrade to >= 1.11.4
Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities Open
nokogiri (1.5.5)
Advisory: CVE-2017-9050
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1673
Solution: upgrade to >= 1.8.1
Regular Expression Denial of Service in Addressable templates Open
addressable (2.3.2)
Advisory: CVE-2021-32740
Criticality: High
URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g
Solution: upgrade to >= 2.8.0
Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open
nokogiri (1.5.5)
Advisory: CVE-2020-26247
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Solution: upgrade to >= 1.11.0.rc4
Denial of Service (DoS) in Nokogiri on JRuby Open
nokogiri (1.5.5)
Advisory: CVE-2022-24839
Criticality: High
URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Solution: upgrade to >= 1.13.4
Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Open
nokogiri (1.5.5)
Advisory: CVE-2021-41098
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
Solution: upgrade to >= 1.12.5
Integer Overflow or Wraparound in libxml2 affects Nokogiri Open
nokogiri (1.5.5)
Advisory:
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5
Solution: upgrade to >= 1.13.5
Revert libxml2 behavior in Nokogiri gem that could cause XSS Open
nokogiri (1.5.5)
Advisory: CVE-2018-8048
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Solution: upgrade to >= 1.8.3
ruby-ffi DDL loading issue on Windows OS Open
ffi (1.2.0)
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Solution: upgrade to >= 1.9.24
Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 Open
nokogiri (1.5.5)
Advisory: CVE-2017-5029
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Solution: upgrade to >= 1.7.2
Path Traversal in Sprockets Open
sprockets (2.2.2)
Advisory: CVE-2018-3760
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS Open
i18n (0.6.1)
Advisory: CVE-2014-10077
URL: https://github.com/svenfuchs/i18n/pull/289
Solution: upgrade to >= 0.8.0
Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS Open
nokogiri (1.5.5)
Advisory: OSVDB-118481
URL: https://github.com/sparklemotion/nokogiri/pull/1087
Solution: upgrade to >= 1.6.3
Nokogiri gem, via libxml, is affected by DoS vulnerabilities Open
nokogiri (1.5.5)
Advisory: CVE-2017-16932
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.1
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses Open
mail (2.4.4)
Advisory: CVE-2015-9097
Criticality: Medium
URL: https://hackerone.com/reports/137631
Solution: upgrade to >= 2.5.5
Nokogiri gem, via libxml, is affected by DoS vulnerabilities Open
nokogiri (1.5.5)
Advisory: CVE-2017-15412
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Solution: upgrade to >= 1.8.2
Possible XSS Vulnerability in Action View Open
actionpack (3.2.9)
Advisory: CVE-2016-6316
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1
Directory Traversal Vulnerability With Certain Route Configurations Open
actionpack (3.2.9)
Advisory: CVE-2014-0130
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1
Reflective XSS Vulnerability in Ruby on Rails Open
actionpack (3.2.9)
Advisory: CVE-2013-4491
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory error Open
rack (1.4.1)
Advisory: CVE-2013-0183
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0183
Solution: upgrade to ~> 1.3.8, >= 1.4.3
CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation Risk in Ruby on Rails Open
activerecord (3.2.9)
Advisory: CVE-2013-0155
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0155
Solution: upgrade to ~> 2.3.16, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
Possible Denial of Service attack in Active Support Open
activesupport (3.2.9)
Advisory: CVE-2015-3227
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
i18n missing translation error message XSS Open
i18n (0.6.1)
Advisory: CVE-2013-4492
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
Solution: upgrade to ~> 0.5.1, >= 0.6.6
CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability Open
actionpack (3.2.9)
Advisory: CVE-2014-0081
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0081
Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2
Timing attack vulnerability in basic authentication in Action Controller. Open
actionpack (3.2.9)
Advisory: CVE-2015-7576
Criticality: Low
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Nested attributes rejection proc bypass in Active Record Open
activerecord (3.2.9)
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection Open
json (1.7.5)
Advisory: CVE-2013-0269
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0269
Solution: upgrade to ~> 1.5.5, ~> 1.6.8, >= 1.7.7
CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities Open
nokogiri (1.5.5)
Advisory: CVE-2013-6461
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6461
Solution: upgrade to ~> 1.5.11, >= 1.6.1
CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents Open
nokogiri (1.5.5)
Advisory: CVE-2013-6460
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-6460
Solution: upgrade to ~> 1.5.11, >= 1.6.1
XSS Vulnerability in number_to_currency Open
actionpack (3.2.9)
Advisory: CVE-2013-6415
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS Open
rack (1.4.1)
Advisory: CVE-2012-6109
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2012-6109
Solution: upgrade to ~> 1.1.4, ~> 1.2.6, ~> 1.3.7, >= 1.4.2
CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails Open
actionpack (3.2.9)
Advisory: CVE-2013-1857
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1857
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass Open
activerecord (3.2.9)
Advisory: CVE-2012-6496
Criticality: Medium
URL: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
Solution: upgrade to ~> 3.0.18, ~> 3.1.9, >= 3.2.10
CVE-2013-0262 rubygem-rack: Path sanitization information disclosure Open
rack (1.4.1)
Advisory: CVE-2013-0262
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0262
Solution: upgrade to ~> 1.4.5, >= 1.5.2
XML Parsing Vulnerability affecting JRuby users Open
activesupport (3.2.9)
Advisory: CVE-2013-1856
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
Solution: upgrade to ~> 3.1.12, >= 3.2.13
Possible Object Leak and Denial of Service attack in Action Pack Open
actionpack (3.2.9)
Advisory: CVE-2016-0751
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Possible remote code execution vulnerability in Action Pack Open
actionpack (3.2.9)
Advisory: CVE-2016-2098
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter parsing in ActionPack Open
actionpack (3.2.9)
Advisory: CVE-2013-0156
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0156
Solution: upgrade to ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11
CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected Open
activerecord (3.2.9)
Advisory: CVE-2013-0276
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0276
Solution: upgrade to ~> 2.3.17, ~> 3.1.11, >= 3.2.12
CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions Open
rack (1.4.1)
Advisory: CVE-2013-0263
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0263
Solution: upgrade to ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
Potential Denial of Service Vulnerability in Rack Open
rack (1.4.1)
Advisory: CVE-2015-3225
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6
CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure Open
sprockets (2.2.2)
Advisory: CVE-2014-7819
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.2.3, ~> 2.3.3, ~> 2.4.6, ~> 2.5.1, ~> 2.7.1, ~> 2.8.3, ~> 2.9.4, ~> 2.10.2, ~> 2.11.3, ~> 2.12.3, >= 3.0.0.beta.3
CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS Open
rack (1.4.1)
Advisory: CVE-2013-0184
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0184
Solution: upgrade to ~> 1.1.5, ~> 1.2.7, ~> 1.3.9, >= 1.4.4
CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template Open
rdoc (3.12)
Advisory: CVE-2013-0256
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-0256
Solution: upgrade to ~> 3.9.5, ~> 3.12.1, >= 4.0
CVE-2013-4389 rubygem-actionmailer: email address processing DoS Open
actionmailer (3.2.9)
Advisory: CVE-2013-4389
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-4389
Solution: upgrade to >= 3.2.15
Possible Information Leak Vulnerability in Action View Open
actionpack (3.2.9)
Advisory: CVE-2016-2097
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2
Arbitrary file existence disclosure in Action Pack Open
actionpack (3.2.9)
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8
Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk) Open
actionpack (3.2.9)
Advisory: CVE-2013-6417
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
Solution: upgrade to ~> 3.2.16, >= 4.0.2
Denial of Service Vulnerability in Action View Open
actionpack (3.2.9)
Advisory: CVE-2013-6414
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
Solution: upgrade to ~> 3.2.16, >= 4.0.2
CVE-2014-2538 rubygem rack-ssl: URL error display XSS Open
rack-ssl (1.3.2)
Advisory: CVE-2014-2538
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-2538
Solution: upgrade to >= 1.3.4
Possible Information Leak Vulnerability in Action View Open
actionpack (3.2.9)
Advisory: CVE-2016-0752
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (0.3.35)
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Arbitrary file existence disclosure in Action Pack Open
actionpack (3.2.9)
Advisory: CVE-2014-7818
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3
CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service Open
actionpack (3.2.9)
Advisory: CVE-2014-0082
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-0082
Solution: upgrade to >= 3.2.17
CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability Open
activerecord (3.2.9)
Advisory: CVE-2013-1854
Criticality: High
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1854
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in 'bitstring' quoting Open
activerecord (3.2.9)
Advisory: CVE-2014-3482
URL: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
Solution: upgrade to ~> 3.2.19
CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css Open
actionpack (3.2.9)
Advisory: CVE-2013-1855
Criticality: Medium
URL: https://nvd.nist.gov/vuln/detail/CVE-2013-1855
Solution: upgrade to ~> 2.3.18, ~> 3.1.12, >= 3.2.13
Rails 3.2.9 has a remote code execution vulnerability: upgrade to 3.2.11 or disable XML parsing Open
rails (3.2.9)
Rails 3.2.9 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 3.2.22.4 Open
rails (3.2.9)
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2012-5664). Upgrade to 3.2.18 Open
rails (3.2.9)
Rails 3.2.9 has an XSS vulnerability in i18n (CVE-2013-4491). Upgrade to Rails version 4.0.2 or i18n 0.6.6 Open
i18n (0.6.1)
json gem version 1.7.5 has a remote code vulnerability: upgrade to 1.7.7 Open
json (1.7.5)
Brakeman reports on several cases of remote code execution, in which a user is able to control and execute code in ways unintended by application authors. The obvious form of this is the use of eval with user input. However, Brakeman also reports on dangerous uses of send, constantize, and other methods which allow creation of arbitrary objects or calling of arbitrary methods.
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2014-3482). Upgrade to 3.2.19 Open
rails (3.2.9)
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2013-0155). Upgrade to 3.2.11 Open
rails (3.2.9)
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2014-3483). Upgrade to 3.2.19 Open
rails (3.2.9)
Rails 3.2.9 has a vulnerability in number helpers (CVE-2014-0081). Upgrade to Rails version 3.2.17 Open
rails (3.2.9)
Rails 3.2.9 contains a SQL injection vulnerability (CVE-2013-6417). Upgrade to 3.2.16 Open
rails (3.2.9)
Rails 3.2.9 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 3.2.22.1 Open
rails (3.2.9)
Rails 3.2.9 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 3.2.22 Open
rails (3.2.9)
Rails 3.2.9 has a denial of service vulnerability (CVE-2013-6414). Upgrade to Rails version 3.2.16 Open
rails (3.2.9)