rails-stall/stall

View on GitHub
Gemfile.lock

Summary

Maintainability
Test Coverage

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Denial of Service Vulnerability in Rack Content-Disposition parsing
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44571

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Possible XSS vulnerability in ActionView
Open

    actionview (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-5267

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8

Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2

Possible DoS Vulnerability in Active Record PostgreSQL adapter
Open

    activerecord (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22880

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

Solution: upgrade to >= 5.2.4.5, ~> 5.2.4, >= 6.0.3.5, ~> 6.0.3, >= 6.1.2.1

Possible shell escape sequence injection vulnerability in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30123

Criticality: Critical

URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

CSRF Vulnerability in rails-ujs
Open

    actionview (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8167

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

ReDoS based DoS vulnerability in Active Support’s underscore
Open

    activesupport (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22796

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Denial of service via header parsing in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44570

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1

Denial of service via multipart parsing in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44572

URL: https://github.com/rack/rack/releases/tag/v3.0.4.1

Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Potential XSS vulnerability in Action View
Open

    actionview (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-15169

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc

Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3

ReDoS based DoS vulnerability in GlobalID
Open

    globalid (0.4.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22799

URL: https://github.com/rails/globalid/releases/tag/v1.0.1

Solution: upgrade to >= 1.0.1

Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Open

    paperclip (4.3.7)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-0889

Criticality: Critical

URL: https://github.com/thoughtbot/paperclip/pull/2435

Solution: upgrade to >= 5.2.0

Denial of Service Vulnerability in Rack Multipart Parsing
Open

    rack (1.6.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-30122

Criticality: High

URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (1.8.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Open

    rack (1.6.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8184

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

Solution: upgrade to ~> 2.1.4, >= 2.2.3

simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Open

    simple_form (3.4.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16676

Criticality: Critical

URL: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx

Solution: upgrade to >= 5.0

Possible XSS Vulnerability in Action View tag helpers
Open

    actionview (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-27777

Criticality: Medium

URL: https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw

Solution: upgrade to >= 5.2.7.1, ~> 5.2.7, >= 6.0.4.8, ~> 6.0.4, >= 6.1.5.1, ~> 6.1.5, >= 7.0.2.4

Directory traversal in Rack::Directory app bundled with Rack
Open

    rack (1.6.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8161

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

Solution: upgrade to ~> 2.1.3, >= 2.2.0

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

    actionpack (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22795

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Open

    activesupport (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8165

Criticality: Critical

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

CSRF vulnerability in OmniAuth's request phase
Open

    omniauth (1.6.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

OS Command Injection in Rake
Open

    rake (10.4.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8130

Criticality: High

URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8

Solution: upgrade to >= 12.3.3

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

haml failure to escape single quotes
Open

    haml (4.0.7)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-1002201

Criticality: Medium

URL: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2

Solution: upgrade to >= 5.0.0.beta.2

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Insecure Source URI found: git://github.com/glyph-fr/redactor-rails.git
Open

  remote: git://github.com/glyph-fr/redactor-rails.git
Severity: Minor
Found in Gemfile.lock by bundler-audit

Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-9050

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1673

Solution: upgrade to >= 1.8.1

Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-30560

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2

Solution: upgrade to >= 1.13.2

Devise Gem for Ruby confirmation token validation with a blank string
Open

    devise (4.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16109

Criticality: Medium

URL: https://github.com/plataformatec/devise/issues/5071

Solution: upgrade to >= 4.7.1

Inefficient Regular Expression Complexity in Nokogiri
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24836

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8

Solution: upgrade to >= 1.13.4

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32209

Criticality: Medium

URL: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s

Solution: upgrade to >= 1.4.3

Potential XSS vulnerability in jQuery
Open

    jquery-rails (4.3.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11023

Criticality: Medium

URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released

Solution: upgrade to >= 4.4.0

Regular Expression Denial of Service in Addressable templates
Open

    addressable (2.4.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-32740

Criticality: High

URL: https://github.com/advisories/GHSA-jxhc-q857-3j6g

Solution: upgrade to >= 2.8.0

Cross-Site Scripting in Kaminari via original_script_name parameter
Open

    kaminari (1.0.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-11082

Criticality: Medium

URL: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433

Solution: upgrade to >= 1.2.1

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23519

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

Solution: upgrade to >= 1.4.4

Loofah XSS Vulnerability
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-15587

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/171

Solution: upgrade to >= 2.3.1

i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Open

    i18n (0.7.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2014-10077

URL: https://github.com/svenfuchs/i18n/pull/289

Solution: upgrade to >= 0.8.0

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-16932

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.1

Update bundled libxml2 to v2.10.3 to resolve multiple CVEs
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11068

URL: https://github.com/sparklemotion/nokogiri/issues/1892

Solution: upgrade to >= 1.10.3

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

Moderate severity vulnerability that affects nokogiri
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-18258

Criticality: Medium

URL: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Solution: upgrade to >= 1.8.2

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-14404

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1785

Solution: upgrade to >= 1.8.5

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23520

Criticality: Medium

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

Solution: upgrade to >= 1.4.4

XSS vulnerability via data-target in bootstrap-sass
Open

    bootstrap-sass (3.3.7)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-10735

Criticality: Medium

URL: https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/

Solution: upgrade to >= 3.4.0

Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Open

    nokogiri (1.6.6.2)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-26247

Criticality: Low

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m

Solution: upgrade to >= 1.11.0.rc4

Out-of-bounds Write in zlib affects Nokogiri
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-25032

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5

Solution: upgrade to >= 1.13.4

XML Injection in Xerces Java affects Nokogiri
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23437

Criticality: Medium

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3

Solution: upgrade to >= 1.13.4

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Loofah XSS Vulnerability
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16468

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/154

Solution: upgrade to >= 2.2.3

Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5477

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1915

Solution: upgrade to >= 1.10.4

Improper Handling of Unexpected Data Type in Nokogiri
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-29181

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xh29-r2w5-wx8m

Solution: upgrade to >= 1.13.6

OmniAuth's lib/omniauth/failure_endpoint.rb does not escape message_key value
Open

    omniauth (1.6.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Denial of Service in rubyzip ("zip bombs")
Open

    rubyzip (1.2.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16892

Criticality: Medium

URL: https://github.com/rubyzip/rubyzip/pull/403

Solution: upgrade to >= 1.3.0

XSS vulnerability in bootstrap-sass
Open

    bootstrap-sass (3.3.7)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-8331

Criticality: Medium

URL: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

Solution: upgrade to >= 3.4.1

Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
Open

    devise (4.2.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5421

Criticality: Critical

URL: https://github.com/plataformatec/devise/issues/4981

Solution: upgrade to >= 4.6.0

Loofah XSS Vulnerability
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

Criticality: Medium

URL: https://github.com/flavorjones/loofah/issues/144

Solution: upgrade to >= 2.2.1

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-4658

Criticality: Critical

URL: https://github.com/sparklemotion/nokogiri/issues/1615

Solution: upgrade to >= 1.7.1

Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-5029

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1634

Solution: upgrade to >= 1.7.2

Inefficient Regular Expression Complexity in Loofah
Open

    loofah (2.0.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23514

Criticality: High

URL: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Solution: upgrade to >= 2.19.1

Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-15412

URL: https://github.com/sparklemotion/nokogiri/issues/1714

Solution: upgrade to >= 1.8.2

Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-13117

URL: https://github.com/sparklemotion/nokogiri/issues/1943

Solution: upgrade to >= 1.10.5

RuboCop gem Insecure use of /tmp
Open

    rubocop (0.36.0)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2017-8418

Criticality: Low

URL: https://github.com/bbatsov/rubocop/issues/4336

Solution: upgrade to >= 0.49.0

Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64

Solution: upgrade to >= 1.11.4

Revert libxml2 behavior in Nokogiri gem that could cause XSS
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-8048

URL: https://github.com/sparklemotion/nokogiri/pull/1746

Solution: upgrade to >= 1.8.3

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Denial of service or RCE from libxml2 and libxslt
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-8806

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1473

Solution: upgrade to >= 1.6.8

ruby-ffi DDL loading issue on Windows OS
Open

    ffi (1.9.18)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000201

Criticality: High

URL: https://github.com/ffi/ffi/releases/tag/1.9.24

Solution: upgrade to >= 1.9.24

Possible Object Leak and Denial of Service attack in Action Pack
Open

    actionpack (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0751

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Nested attributes rejection proc bypass in Active Record
Open

    activerecord (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7577

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Nokogiri gem contains several vulnerabilities in libxml2
Open

    nokogiri (1.6.6.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-5312

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s

Solution: upgrade to >= 1.6.7.1

Possible information leak / session hijack vulnerability
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16782

Criticality: Medium

URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

Solution: upgrade to ~> 1.6.12, >= 2.0.8

Timing attack vulnerability in basic authentication in Action Controller.
Open

    actionpack (4.2.4)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7576

Criticality: Low

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Denial of Service Vulnerability in Action View
Open

    actionview (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5419

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI

Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

Possible Information Leak Vulnerability in Action View
Open

    actionview (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0752

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7499

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM

Solution: upgrade to >= 1.6.7.2

XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3741

URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ

Solution: upgrade to >= 1.0.4

Directory Traversal in rubyzip
Open

    rubyzip (1.2.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-1000544

Criticality: Critical

URL: https://github.com/rubyzip/rubyzip/issues/369

Solution: upgrade to >= 1.2.2

Possible Input Validation Circumvention in Active Model
Open

    activemodel (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-0753

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ

Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Unsafe Query Generation Risk in Active Record
Open

    activerecord (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-6317

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s

Solution: upgrade to >= 4.2.7.1

Possible XSS vulnerability in Rack
Open

    rack (1.6.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16471

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

Solution: upgrade to ~> 1.6.11, >= 2.0.6

Possible XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7578

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI

Solution: upgrade to >= 1.0.3

TZInfo relative path traversal vulnerability allows loading of arbitrary files
Open

    tzinfo (1.2.2)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-31163

Criticality: High

URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx

Solution: upgrade to ~> 0.3.61, >= 1.2.10

Object leak vulnerability for wildcard controller routes in Action Pack
Open

    actionpack (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7581

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE

Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14

Possible XSS Vulnerability in Action View
Open

    actionview (4.2.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-6316

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk

Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1

File Content Disclosure in Action View
Open

    actionview (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-5418

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q

Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Path Traversal in Sprockets
Open

    sprockets (3.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-3760

Criticality: High

URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k

Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8

Possible remote code execution vulnerability in Action Pack
Open

    actionpack (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2016-2098

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q

Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Possible XSS vulnerability in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-7580

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI

Solution: upgrade to >= 1.0.3

Broken Access Control vulnerability in Active Job
Open

    activejob (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2018-16476

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw

Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Potential remote code execution of user-provided local names in ActionView
Open

    actionview (4.2.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8163

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0

Solution: upgrade to >= 4.2.11.2

Prototype pollution attack through jQuery $.extend
Open

    jquery-rails (4.3.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-11358

Criticality: Medium

URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/

Solution: upgrade to >= 4.3.4

Loofah 2.0.3 is vulnerable (CVE-2018-8048). Upgrade to 2.1.2
Open

    loofah (2.0.3)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 4.2.4 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1
Open

    rails (4.2.4)
Severity: Minor
Found in Gemfile.lock by brakeman

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2018-3741). Upgrade to 1.0.4
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by brakeman

Rails 4.2.4 contains a SQL injection vulnerability (CVE-2016-6317). Upgrade to 4.2.7.1
Open

    rails (4.2.4)
Severity: Critical
Found in Gemfile.lock by brakeman

Rails 4.2.4 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.2.5.1
Open

    rails (4.2.4)
Severity: Minor
Found in Gemfile.lock by brakeman

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7579). Upgrade to 1.0.3
Open

    rails (4.2.4)
Severity: Minor
Found in Gemfile.lock by brakeman

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7578). Upgrade to 1.0.3
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by brakeman

rails-html-sanitizer 1.0.2 is vulnerable (CVE-2015-7580). Upgrade to 1.0.3
Open

    rails-html-sanitizer (1.0.2)
Severity: Minor
Found in Gemfile.lock by brakeman

Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Open

    nokogiri (1.6.6.2)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-1819

URL: https://github.com/sparklemotion/nokogiri/issues/1374

Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

There are no issues that match your filters.

Category
Status