Issues - nerdhub/hcking

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

    puma (3.11.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-11076

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h

Solution: upgrade to ~> 3.12.5, >= 4.3.4

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.4.1)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Code Injection vulnerability in CarrierWave::RMagick
Open

    carrierwave (1.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21305

Criticality: High

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Keepalive thread overload/DoS in puma
Open

    puma (3.11.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-16770

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994

Solution: upgrade to ~> 3.12.2, >= 4.3.1

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23518

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

Solution: upgrade to >= 1.4.4

Injection/XSS in Redcarpet
Open

    redcarpet (3.4.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-26298

Criticality: Medium

URL: https://github.com/vmg/redcarpet/commit/a699c82292b17c8e6a62e1914d5eccc252272793

Solution: upgrade to >= 3.5.1

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

    geocoder (1.4.5)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2020-7981

Criticality: Critical

URL: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23

Solution: upgrade to >= 1.6.1

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2qc6-mcvw-92cw

Solution: upgrade to >= 1.13.9

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.5.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.4)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Uncontrolled Recursion in Loofah
Open

    loofah (2.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23516

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm

Solution: upgrade to >= 2.19.1

Remote command execution via filename
Open

    mini_magick (4.8.0)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13574

Criticality: High

URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

Solution: upgrade to >= 4.9.4

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

Server-side request forgery in CarrierWave
Open

    carrierwave (1.2.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2021-21288

Criticality: Medium

URL: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5

Solution: upgrade to ~> 1.3.2, >= 2.1.1

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.8.2)

Found in Gemfile.lock by bundler-audit

Read up
Read up
Exclude checks
- Disable engine
- Disable check

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

nerdhub/hcking

Showing 144 of 144 total issues

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Code Injection vulnerability in CarrierWave::RMagick
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Keepalive thread overload/DoS in puma
Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

Injection/XSS in Redcarpet
Open

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

Regular Expression Denial of Service in Addressable templates
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Uncontrolled Recursion in Loofah
Open

Remote command execution via filename
Open

XML Injection in Xerces Java affects Nokogiri
Open

Server-side request forgery in CarrierWave
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

Severity

Category

Status

Source

Language

nerdhub/hcking

Showing 144 of 144 total issues

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Open

HTTP Smuggling via Transfer-Encoding Header in Puma Open

Devise Gem for Ruby confirmation token validation with a blank string Open

Code Injection vulnerability in CarrierWave::RMagick Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Open

Keepalive thread overload/DoS in puma Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer Open

Injection/XSS in Redcarpet Open

Geocoder gem for Ruby contains possible SQL injection vulnerability Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri Open

Regular Expression Denial of Service in Addressable templates Open

Inefficient Regular Expression Complexity in Nokogiri Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer Open

Uncontrolled Recursion in Loofah Open

Remote command execution via filename Open

XML Injection in Xerces Java affects Nokogiri Open

Server-side request forgery in CarrierWave Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Open

Severity

Category

Status

Source

Language

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

HTTP Smuggling via Transfer-Encoding Header in Puma
Open

Devise Gem for Ruby confirmation token validation with a blank string
Open

Code Injection vulnerability in CarrierWave::RMagick
Open

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

Keepalive thread overload/DoS in puma
Open

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Open

Injection/XSS in Redcarpet
Open

Geocoder gem for Ruby contains possible SQL injection vulnerability
Open

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

Regular Expression Denial of Service in Addressable templates
Open

Inefficient Regular Expression Complexity in Nokogiri
Open

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

Uncontrolled Recursion in Loofah
Open

Remote command execution via filename
Open

XML Injection in Xerces Java affects Nokogiri
Open

Server-side request forgery in CarrierWave
Open

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open