Issues - jordifierro/rails-api-base

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

CSRF Vulnerability in rails-ujs
Open

    actionview (5.1.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8167

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.10.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11077

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Solution: upgrade to ~> 3.12.6, >= 4.3.5

Loofah XSS Vulnerability
Open

    loofah (2.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.1.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (5.1.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.1.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (5.1.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Loofah XSS Vulnerability
Open

    loofah (2.1.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

HTTP Response Splitting (Early Hints) in Puma
Open

    puma (3.10.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-5249

Criticality: Medium

URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

Solution: upgrade to ~> 3.12.4, >= 4.3.3

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (2.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

File Content Disclosure in Action View
Open

    actionview (5.1.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Moderate severity vulnerability that affects nokogiri
Open

    nokogiri (1.8.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2017-18258

Criticality: Medium

URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Solution: upgrade to >= 1.8.2

XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2018-3741

URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Solution: upgrade to >= 1.0.4

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.3)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

jordifierro/rails-api-base

Showing 93 of 93 total issues

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

CSRF Vulnerability in rails-ujs
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Loofah XSS Vulnerability
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

Loofah XSS Vulnerability
Open

HTTP Response Splitting (Early Hints) in Puma
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Possible shell escape sequence injection vulnerability in Rack
Open

File Content Disclosure in Action View
Open

Moderate severity vulnerability that affects nokogiri
Open

XSS vulnerability in rails-html-sanitizer
Open

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

Severity

Category

Status

Source

Language

jordifierro/rails-api-base

Showing 93 of 93 total issues

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Open

CSRF Vulnerability in rails-ujs Open

HTTP Smuggling via Transfer-Encoding Header in Puma Open

Loofah XSS Vulnerability Open

Ability to forge per-form CSRF tokens given a global CSRF token Open

ReDoS based DoS vulnerability in Action Dispatch Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Open

Loofah XSS Vulnerability Open

HTTP Response Splitting (Early Hints) in Puma Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Possible shell escape sequence injection vulnerability in Rack Open

File Content Disclosure in Action View Open

Moderate severity vulnerability that affects nokogiri Open

XSS vulnerability in rails-html-sanitizer Open

TZInfo relative path traversal vulnerability allows loading of arbitrary files Open

Severity

Category

Status

Source

Language

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

CSRF Vulnerability in rails-ujs
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Loofah XSS Vulnerability
Open

Ability to forge per-form CSRF tokens given a global CSRF token
Open

ReDoS based DoS vulnerability in Action Dispatch
Open

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

Loofah XSS Vulnerability
Open

HTTP Response Splitting (Early Hints) in Puma
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Possible shell escape sequence injection vulnerability in Rack
Open

File Content Disclosure in Action View
Open

Moderate severity vulnerability that affects nokogiri
Open

XSS vulnerability in rails-html-sanitizer
Open

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open