yogodoshi/cansei

Showing 105 of 105 total issues

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Open

    puma (3.10.0)
Severity: Info
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41136

Criticality: Low

URL: https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Solution: upgrade to ~> 4.3.9, >= 5.5.1

HTTP Request Smuggling in puma
Open

    puma (3.10.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24790

Criticality: Critical

URL: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9

Solution: upgrade to ~> 4.3.12, >= 5.6.4

Keepalive Connections Causing Denial Of Service in puma
Open

    puma (3.10.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-29509

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5

Solution: upgrade to ~> 4.3.8, >= 5.3.1

CSRF vulnerability in OmniAuth's request phase
Open

    omniauth (1.7.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2015-9284

Criticality: High

URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284

Solution: upgrade to >= 2.0.0

Information Exposure with Puma when used with Rails
Open

    puma (3.10.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23634

Criticality: High

URL: https://github.com/puma/puma/security/advisories/GHSA-rmj8-8hhh-gv5h

Solution: upgrade to ~> 4.3.11, >= 5.6.2

ReDoS based DoS vulnerability in GlobalID
Open

    globalid (0.4.0)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22799

URL: https://github.com/rails/globalid/releases/tag/v1.0.1

Solution: upgrade to >= 1.0.1

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Open

    json (2.1.0)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-10663

Criticality: High

URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/

Solution: upgrade to >= 2.3.0

libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Open

    nokogiri (1.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-7595

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/issues/1992

Solution: upgrade to >= 1.10.8

Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Open

    nokogiri (1.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-41098

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h

Solution: upgrade to >= 1.12.5

Possible DoS Vulnerability in Action Controller Token Authentication
Open

    actionpack (5.1.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22904

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Possible Information Disclosure / Unintended Method Execution in Action Pack
Open

    actionpack (5.1.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2021-22885

Criticality: High

URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, >= 6.0.3.7, ~> 6.0.3, >= 6.1.3.2

Integer Overflow or Wraparound in libxml2 affects Nokogiri
Open

    nokogiri (1.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory:

Criticality: High

URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-cgx6-hpwq-fhv5

Solution: upgrade to >= 1.13.5

Denial of Service (DoS) in Nokogiri on JRuby
Open

    nokogiri (1.8.1)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-24839

Criticality: High

URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv

Solution: upgrade to >= 1.13.4

Possible RCE escalation bug with Serialized Columns in Active Record
Open

    activerecord (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-32224

Criticality: Critical

URL: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U

Solution: upgrade to >= 5.2.8.1, ~> 5.2.8, >= 6.0.5.1, ~> 6.0.5, >= 6.1.6.1, ~> 6.1.6, >= 7.0.3.1

Ability to forge per-form CSRF tokens given a global CSRF token
Open

    actionpack (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8166

Criticality: Medium

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

ReDoS based DoS vulnerability in Action Dispatch
Open

    actionpack (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2023-22792

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1

Denial of Service in rubyzip ("zip bombs")
Open

    rubyzip (1.2.1)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2019-16892

Criticality: Medium

URL: https://github.com/rubyzip/rubyzip/pull/403

Solution: upgrade to >= 1.3.0

Inefficient Regular Expression Complexity in rails-html-sanitizer
Open

    rails-html-sanitizer (1.0.3)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-23517

Criticality: High

URL: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w

Solution: upgrade to >= 1.4.4

Possible Strong Parameters Bypass in ActionPack
Open

    actionpack (5.1.4)
Severity: Critical
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2020-8164

Criticality: High

URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY

Solution: upgrade to >= 5.2.4.3, ~> 5.2.4, >= 6.0.3.1

Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
Open

    activerecord (5.1.4)
Severity: Minor
Found in Gemfile.lock by bundler-audit

Advisory: CVE-2022-44566

URL: https://github.com/rails/rails/releases/tag/v7.0.4.1

Solution: upgrade to >= 5.2.8.15, ~> 5.2.8, >= 6.1.7.1, ~> 6.1.7, >= 7.0.4.1
