Possible DoS Vulnerability in Action Controller Token Authentication Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-22904
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2
Possible shell escape sequence injection vulnerability in Rack Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-30123
Criticality: Critical
URL: https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Possible XSS vulnerability in ActionView Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-5267
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Solution: upgrade to >= 5.2.4.2, ~> 5.2.4, >= 6.0.2.2
CSRF Vulnerability in rails-ujs Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8167
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
RDoc OS command injection vulnerability Open
rdoc (4.2.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-31799
Criticality: High
URL: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Solution: upgrade to ~> 6.1.2.1, ~> 6.2.1.1, >= 6.3.1
Denial of service via multipart parsing in Rack Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44572
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) Open
json (1.8.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-10663
Criticality: High
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Solution: upgrade to >= 2.3.0
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-41136
Criticality: Low
URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
Solution: upgrade to ~> 4.3.9, >= 5.5.1
Denial of Service Vulnerability in Rack Multipart Parsing Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-30122
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
Solution: upgrade to >= 2.0.9.1, ~> 2.0.9, >= 2.1.4.1, ~> 2.1.4, >= 2.2.3.1
Keepalive Connections Causing Denial Of Service in puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-29509
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Solution: upgrade to ~> 4.3.8, >= 5.3.1
rack-cors directory traversal via path Open
rack-cors (0.4.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-18978
Criticality: Medium
URL: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
Solution: upgrade to >= 1.0.4
ReDoS based DoS vulnerability in Action Dispatch Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2023-22792
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Possible XSS Vulnerability in Action View tag helpers Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-27777
Criticality: Medium
URL: https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
Solution: upgrade to >= 5.2.7.1, ~> 5.2.7, >= 6.0.4.8, ~> 6.0.4, >= 6.1.5.1, ~> 6.1.5, >= 7.0.2.4
Denial of service via header parsing in Rack Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44570
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.2, ~> 2.2.6, >= 3.0.4.1
Ability to forge per-form CSRF tokens given a global CSRF token Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter Open
activerecord (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44566
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Possible RCE escalation bug with Serialized Columns in Active Record Open
activerecord (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-32224
Criticality: Critical
URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1
OS Command Injection in Rake Open
rake (0.9.6)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8130
Criticality: High
URL: https://github.com/advisories/GHSA-jppv-gw3r-w3q8
Solution: upgrade to >= 12.3.3
Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Open
activesupport (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8165
Criticality: Critical
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Possible Strong Parameters Bypass in ActionPack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8164
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1
Potential XSS vulnerability in jQuery Open
jquery-rails (3.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Solution: upgrade to >= 4.4.0
Prototype pollution attack through jQuery $.extend Open
jquery-rails (3.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Solution: upgrade to >= 4.3.4
Denial of Service Vulnerability in Rack Content-Disposition parsing Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-44571
URL: https://github.com/rack/rack/releases/tag/v3.0.4.1
Solution: upgrade to >= 2.0.9.2, ~> 2.0.9, >= 2.1.4.2, ~> 2.1.4, >= 2.2.6.1, ~> 2.2.6, >= 3.0.4.1
Directory traversal in Rack::Directory app bundled with Rack Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8161
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Solution: upgrade to ~> 2.1.3, >= 2.2.0
ReDoS based DoS vulnerability in Action Dispatch Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2023-22795
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Potential XSS vulnerability in Action View Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-15169
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Solution: upgrade to >= 5.2.4.4, ~> 5.2.4, >= 6.0.3.3
Percent-encoded cookies can be used to overwrite existing prefixed cookie names Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8184
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Solution: upgrade to ~> 2.1.4, >= 2.2.3
Possible Information Disclosure / Unintended Method Execution in Action Pack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2
ReDoS based DoS vulnerability in Active Support’s underscore Open
activesupport (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2023-22796
URL: https://github.com/rails/rails/releases/tag/v7.0.4.1
Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
Information Exposure with Puma when used with Rails Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-23634
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h
Solution: upgrade to ~> 4.3.11, >= 5.6.2
HTTP Request Smuggling in puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-24790
Criticality: Critical
URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
Solution: upgrade to ~> 4.3.12, >= 5.6.4
Keepalive thread overload/DoS in puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16770
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
Solution: upgrade to ~> 3.12.2, >= 4.3.1
Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module Open
devise (4.2.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5421
Criticality: Critical
URL: https://github.com/plataformatec/devise/issues/4981
Solution: upgrade to >= 4.6.0
File Content Disclosure in Action View Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3
HTTP Smuggling via Transfer-Encoding Header in Puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-11076
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
Solution: upgrade to ~> 3.12.5, >= 4.3.4
i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS Open
i18n (0.7.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2014-10077
URL: https://github.com/svenfuchs/i18n/pull/289
Solution: upgrade to >= 0.8.0
Possible XSS vulnerability in Rack Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-16471
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Possible information leak / session hijack vulnerability Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16782
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Solution: upgrade to ~> 1.6.12, >= 2.0.8
Potential remote code execution of user-provided local names in ActionView Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-8163
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
Solution: upgrade to >= 4.2.11.2
HTTP Smuggling via Transfer-Encoding Header in Puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-11077
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
Solution: upgrade to ~> 3.12.6, >= 4.3.5
HTTP Response Splitting (Early Hints) in Puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-5249
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Possible XSS Vulnerability in Action View Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-6316
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Solution: upgrade to ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1
HTTP Response Splitting vulnerability in puma Open
puma (3.6.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2020-5247
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Solution: upgrade to ~> 3.12.4, >= 4.3.3
Denial of Service Vulnerability in Action View Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11
Devise Gem for Ruby confirmation token validation with a blank string Open
devise (4.2.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2019-16109
Criticality: Medium
URL: https://github.com/plataformatec/devise/issues/5071
Solution: upgrade to >= 4.7.1
Possible remote code execution vulnerability in Action Pack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-2098
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
Possible Object Leak and Denial of Service attack in Action Pack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0751
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Potential Denial of Service Vulnerability in Rack Open
rack (1.5.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-3225
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6
Possible Denial of Service attack in Active Support Open
activesupport (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-3227
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
TZInfo relative path traversal vulnerability allows loading of arbitrary files Open
tzinfo (1.2.2)
- Read upRead up
- Exclude checks
Advisory: CVE-2022-31163
Criticality: High
URL: https://github.com/tzinfo/tzinfo/security/advisories/GHSA-5cm2-9h8c-rvfx
Solution: upgrade to ~> 0.3.61, >= 1.2.10
Possible Input Validation Circumvention in Active Model Open
activemodel (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0753
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Timing attack vulnerability in basic authentication in Action Controller. Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7576
Criticality: Low
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
Arbitrary file existence disclosure in Action Pack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2014-7818
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses Open
mail (2.5.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-9097
Criticality: Medium
URL: https://hackerone.com/reports/137631
Solution: upgrade to >= 2.5.5
Arbitrary file existence disclosure in Action Pack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8
Possible Information Leak Vulnerability in Action View Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-0752
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Nested attributes rejection proc bypass in Active Record Open
activerecord (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1
rack-cors Gem Missing Anchor permits unauthorized CORS requests Open
rack-cors (0.4.0)
- Read upRead up
- Exclude checks
Advisory: CVE-2017-11173
Criticality: High
URL: https://github.com/cyu/rack-cors/issues/86
Solution: upgrade to >= 0.4.1
Path Traversal in Sprockets Open
sprockets (2.12.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2018-3760
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Object leak vulnerability for wildcard controller routes in Action Pack Open
actionpack (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-7581
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Solution: upgrade to >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14
Possible Information Leak Vulnerability in Action View Open
actionview (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2016-2097
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Solution: upgrade to >= 4.1.14.2, ~> 4.1.14
Data Injection Vulnerability in Active Record Open
activerecord (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2014-3514
Criticality: High
URL: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
Solution: upgrade to ~> 4.0.9, >= 4.1.5
XSS Vulnerability in ActiveSupport::JSON.encode Open
activesupport (4.1.4)
- Read upRead up
- Exclude checks
Advisory: CVE-2015-3226
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
Solution: upgrade to >= 4.2.2, ~> 4.1.11
Rails 4.1.4 does not encode JSON keys (CVE-2015-3226). Upgrade to Rails version 4.1.11 Open
rails (4.1.4)
- Read upRead up
- Exclude checks
create_with is vulnerable to strong params bypass. Upgrade to Rails 4.1.5 or patch Open
rails (4.1.4)
- Read upRead up
- Exclude checks
Rails 4.1.4 is vulnerable to denial of service via mime type caching (CVE-2016-0751). Upgrade to Rails version 4.1.14.1 Open
rails (4.1.4)
- Read upRead up
- Exclude checks
Rails 4.1.4 is vulnerable to denial of service via XML parsing (CVE-2015-3227). Upgrade to Rails version 4.1.11 Open
rails (4.1.4)
- Read upRead up
- Exclude checks
Rails 4.1.4 content_tag does not escape double quotes in attribute values (CVE-2016-6316). Upgrade to 4.2.7.1 Open
rails (4.1.4)
- Read upRead up
- Exclude checks