Vulnerable Library - webpacker-4.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2022-37601

Vulnerable Libraries - loader-utils-1.2.3.tgz, loader-utils-1.4.0.tgz

loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-cli-3.3.11.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • sass-loader-7.3.1.tgz
    • ❌ loader-utils-1.4.0.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils 2.0.0 via the name variable in parseQuery.js.

Publish Date: 2022-10-12

URL: CVE-2022-37601

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-76p3-8jx3-jpfq

Release Date: 2022-10-12

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

Fix Resolution (loader-utils): 1.4.1

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-44906

Vulnerable Library - minimist-1.2.5.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-1.2.5.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/minimist/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • mkdirp-0.5.5.tgz
      • ❌ minimist-1.2.5.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95).

Publish Date: 2022-03-17

URL: CVE-2021-44906

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xvch-5gv4-984h

Release Date: 2022-03-17

Fix Resolution (minimist): 1.2.6

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7774

Vulnerable Libraries - y18n-3.2.1.tgz, y18n-4.0.0.tgz

y18n-3.2.1.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-3.2.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • sass-graph-2.2.4.tgz
      • yargs-7.1.0.tgz
        • ❌ y18n-3.2.1.tgz (Vulnerable Library)

y18n-4.0.0.tgz

the bare-bones internationalization library used by yargs

Library home page: https://registry.npmjs.org/y18n/-/y18n-4.0.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/y18n/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-cli-3.3.11.tgz
    • yargs-13.2.4.tgz
      • ❌ y18n-4.0.0.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution.

Publish Date: 2020-11-17

URL: CVE-2020-7774

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1654

Release Date: 2020-11-17

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

Fix Resolution (y18n): 3.2.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-45133

Vulnerable Library - traverse-7.9.0.tgz

The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes

Library home page: https://registry.npmjs.org/@babel/traverse/-/traverse-7.9.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/@babel/traverse/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • preset-env-7.9.0.tgz
    • plugin-proposal-async-generator-functions-7.8.3.tgz
      • helper-remap-async-to-generator-7.8.3.tgz
        • ❌ traverse-7.9.0.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Babel is a compiler for writingJavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods. Known affected plugins are @babel/plugin-transform-runtime; @babel/preset-env when using its useBuiltIns option; and any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator. No other plugins under the @babel/ namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in @babel/[email protected] and @babel/[email protected]. Those who cannot upgrade @babel/traverse and are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions: @babel/plugin-transform-runtime v7.23.2, @babel/preset-env v7.23.2, @babel/helper-define-polyfill-provider v0.4.3, babel-plugin-polyfill-corejs2 v0.4.6, babel-plugin-polyfill-corejs3 v0.8.5, babel-plugin-polyfill-es-shims v0.10.0, babel-plugin-polyfill-regenerator v0.5.3.

Publish Date: 2023-10-12

URL: CVE-2023-45133

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-67hx-6x53-jw92

Release Date: 2023-10-12

Fix Resolution (@babel/traverse): 7.23.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-46175

Vulnerable Libraries - json5-1.0.1.tgz, json5-2.1.3.tgz

json5-1.0.1.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-1.0.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-cli-3.3.11.tgz
    • loader-utils-1.2.3.tgz
      • ❌ json5-1.0.1.tgz (Vulnerable Library)

json5-2.1.3.tgz

JSON for humans.

Library home page: https://registry.npmjs.org/json5/-/json5-2.1.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json5/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • core-7.9.0.tgz
    • ❌ json5-2.1.3.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

JSON5 is an extension to the popular JSON file format that aims to be easier to write and maintain by hand (e.g. for config files). The parse method of the JSON5 library before and including versions 1.0.1 and 2.2.1 does not restrict parsing of keys named __proto__, allowing specially crafted strings to pollute the prototype of the resulting object. This vulnerability pollutes the prototype of the object returned by JSON5.parse and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations. This vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from JSON5.parse. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution. JSON5.parse should restrict parsing of __proto__ keys when parsing JSON strings to objects. As a point of reference, the JSON.parse method included in JavaScript ignores __proto__ keys. Simply changing JSON5.parse to JSON.parse in the examples above mitigates this vulnerability. This vulnerability is patched in json5 versions 1.0.2, 2.2.2, and later.

Publish Date: 2022-12-24

URL: CVE-2022-46175

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-46175

Release Date: 2022-12-24

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

Fix Resolution (json5): 1.0.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37713

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • node-gyp-3.8.0.tgz
      • ❌ tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is, in part, accomplished by sanitizing absolute paths of entries within the archive, skipping archive entries that contain .. path portions, and resolving the sanitized paths against the extraction target directory. This logic was insufficient on Windows systems when extracting tar files that contained a path that was not an absolute path, but specified a drive letter different from the extraction target, such as C:some\path. If the drive letter does not match the extraction target, for example D:\extraction\dir, then the result of path.resolve(extractionDirectory, entryPath) would resolve against the current working directory on the C: drive, rather than the extraction target directory. Additionally, a .. portion of the path could occur immediately after the drive letter, such as C:../foo, and was not properly sanitized by the logic that checked for .. within the normalized and split portions of the path. This only affects users of node-tar on Windows systems. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. There is no reasonable way to work around this issue without performing the same path normalization procedures that node-tar now does. Users are encouraged to upgrade to the latest patched versions of node-tar, rather than attempt to sanitize paths themselves.

Publish Date: 2021-08-31

URL: CVE-2021-37713

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5955-9wpr-37jh

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (@rails/webpacker): 5.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37712

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • node-gyp-3.8.0.tgz
      • ❌ tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with names containing unicode values that normalized to the same value. Additionally, on Windows systems, long path portions would resolve to the same file system entities as their 8.3 "short path" counterparts. A specially crafted tar archive could thus include a directory with one form of the path, followed by a symbolic link with a different string that resolves to the same file system entity, followed by a file using the first form. By first creating a directory, and then replacing that directory with a symlink that had a different apparent name that resolved to the same entry in the filesystem, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. These issues were addressed in releases 4.4.18, 5.0.10 and 6.1.9. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-qq89-hq3f-393p.

Publish Date: 2021-08-31

URL: CVE-2021-37712

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qq89-hq3f-393p

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.18

Direct dependency fix Resolution (@rails/webpacker): 5.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37701

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • node-gyp-3.8.0.tgz
      • ❌ tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory, where the symlink and directory names in the archive entry used backslashes as a path separator on posix systems. The cache checking logic used both \ and / characters as path separators, however \ is a valid filename character on posix systems. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. Additionally, a similar confusion could arise on case-insensitive filesystems. If a tar archive contained a directory at FOO, followed by a symbolic link named foo, then on case-insensitive file systems, the creation of the symbolic link would remove the directory from the filesystem, but not from the internal directory cache, as it would not be treated as a cache hit. A subsequent file entry within the FOO directory would then be placed in the target of the symbolic link, thinking that the directory had already been created. These issues were addressed in releases 4.4.16, 5.0.8 and 6.1.7. The v3 branch of node-tar has been deprecated and did not receive patches for these issues. If you are still using a v3 release we recommend you update to a more recent version of node-tar. If this is not possible, a workaround is available in the referenced GHSA-9r2w-394v-53qc.

Publish Date: 2021-08-31

URL: CVE-2021-37701

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9r2w-394v-53qc

Release Date: 2021-08-31

Fix Resolution (tar): 4.4.16

Direct dependency fix Resolution (@rails/webpacker): 5.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-32804

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • node-gyp-3.8.0.tgz
      • ❌ tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the preservePaths flag is not set to true. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example /home/user/.bashrc would turn into home/user/.bashrc. This logic was insufficient when file paths contained repeated path roots such as ////home/user/.bashrc. node-tar would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. ///home/user/.bashrc) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom onentry method which sanitizes the entry.path or a filter method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.

Publish Date: 2021-08-03

URL: CVE-2021-32804

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3jfq-g458-7qm9

Release Date: 2021-08-03

Fix Resolution (tar): 3.2.2

Direct dependency fix Resolution (@rails/webpacker): 5.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-32803

Vulnerable Library - tar-2.2.2.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tar/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • node-sass-4.13.1.tgz
    • node-gyp-3.8.0.tgz
      • ❌ tar-2.2.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary stat calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the node-tar directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where node-tar checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass node-tar symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.

Publish Date: 2021-08-03

URL: CVE-2021-32803

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-r628-mhmh-qjhw

Release Date: 2021-08-03

Fix Resolution (tar): 3.2.3

Direct dependency fix Resolution (@rails/webpacker): 5.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-7660

Vulnerable Library - serialize-javascript-2.1.2.tgz

Serialize JavaScript to a superset of JSON that includes regular expressions and functions.

Library home page: https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-2.1.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/serialize-javascript/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • compression-webpack-plugin-3.1.0.tgz
    • ❌ serialize-javascript-2.1.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

Publish Date: 2020-06-01

URL: CVE-2020-7660

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7660

Release Date: 2020-06-08

Fix Resolution (serialize-javascript): 3.1.0

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-13822

Vulnerable Library - elliptic-6.5.2.tgz

EC cryptography

Library home page: https://registry.npmjs.org/elliptic/-/elliptic-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/elliptic/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-4.42.1.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • browserify-sign-4.0.4.tgz
          • ❌ elliptic-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' bytes, or integer overflows. This could conceivably have a security-relevant impact if an application relied on a single canonical signature.

Publish Date: 2020-06-04

URL: CVE-2020-13822

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution (elliptic): 6.5.3

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2021-0152

Vulnerable Library - color-string-1.5.3.tgz

Parser and generator for CSS color strings

Library home page: https://registry.npmjs.org/color-string/-/color-string-1.5.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/color-string/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • optimize-css-assets-webpack-plugin-5.0.3.tgz
    • cssnano-4.1.10.tgz
      • cssnano-preset-default-4.0.7.tgz
        • postcss-colormin-4.0.3.tgz
          • color-3.1.2.tgz
            • ❌ color-string-1.5.3.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Regular Expression Denial of Service (ReDoS) was found in color-string before 1.5.5.

Publish Date: 2021-03-12

URL: WS-2021-0152

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-12

Fix Resolution (color-string): 1.5.5

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-46234

Vulnerable Library - browserify-sign-4.0.4.tgz

adds node crypto signing for browsers

Library home page: https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/browserify-sign/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-4.42.1.tgz
    • node-libs-browser-2.2.1.tgz
      • crypto-browserify-3.12.0.tgz
        • ❌ browserify-sign-4.0.4.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

browserify-sign is a package to duplicate the functionality of node's crypto public key functions, much of this is based on Fedor Indutny's work on indutny/tls.js. An upper bound check issue in dsaVerify function allows an attacker to construct signatures that can be successfully verified by any public key, thus leading to a signature forgery attack. All places in this project that involve DSA verification of user-input signatures will be affected by this vulnerability. This issue has been patched in version 4.2.2.

Publish Date: 2023-10-26

URL: CVE-2023-46234

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-x9w5-v3q2-3rhw

Release Date: 2023-10-26

Fix Resolution (browserify-sign): 4.2.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-38900

Vulnerable Library - decode-uri-component-0.2.0.tgz

A better decodeURIComponent

Library home page: https://registry.npmjs.org/decode-uri-component/-/decode-uri-component-0.2.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/decode-uri-component/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-4.42.1.tgz
    • micromatch-3.1.10.tgz
      • snapdragon-0.8.2.tgz
        • source-map-resolve-0.5.3.tgz
          • ❌ decode-uri-component-0.2.0.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS.

Publish Date: 2022-11-28

URL: CVE-2022-38900

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w573-4hg7-7wgq

Release Date: 2022-11-28

Fix Resolution (decode-uri-component): 0.2.1

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-37603

Vulnerable Libraries - loader-utils-1.4.0.tgz, loader-utils-1.2.3.tgz

loader-utils-1.4.0.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.4.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • sass-loader-7.3.1.tgz
    • ❌ loader-utils-1.4.0.tgz (Vulnerable Library)

loader-utils-1.2.3.tgz

utils for webpack loaders

Library home page: https://registry.npmjs.org/loader-utils/-/loader-utils-1.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/loader-utils/package.json

Dependency Hierarchy:

• webpacker-4.2.2.tgz (Root Library)
  • webpack-cli-3.3.11.tgz
    • ❌ loader-utils-1.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A Regular expression denial of service (ReDoS) flaw was found in Function interpolateName in interpolateName.js in webpack loader-utils 2.0.0 via the url variable in interpolateName.js.

Publish Date: 2022-10-14

URL: CVE-2022-37603

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3rfm-jhwj-7488

Release Date: 2022-10-14

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

Fix Resolution (loader-utils): 1.4.2

Direct dependency fix Resolution (@rails/webpacker): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - opentok-2.9.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2023-26136

Vulnerable Library - tough-cookie-2.5.0.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.5.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/tough-cookie/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • request-2.88.2.tgz
    • ❌ tough-cookie-2.5.0.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in rejectPublicSuffixes=false mode. This issue arises from the manner in which the objects are initialized.

Publish Date: 2023-07-01

URL: CVE-2023-26136

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-26136

Release Date: 2023-07-01

Fix Resolution (tough-cookie): 4.1.3

Direct dependency fix Resolution (opentok): 2.17.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-3918

Vulnerable Library - json-schema-0.2.3.tgz

JSON Schema validation and specifications

Library home page: https://registry.npmjs.org/json-schema/-/json-schema-0.2.3.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/json-schema/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • request-2.88.2.tgz
    • http-signature-1.2.0.tgz
      • jsprim-1.4.1.tgz
        • ❌ json-schema-0.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Publish Date: 2021-11-13

URL: CVE-2021-3918

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-3918

Release Date: 2021-11-13

Fix Resolution (json-schema): 0.4.0

Direct dependency fix Resolution (opentok): 2.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23539

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Versions <=8.5.1 of jsonwebtoken library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm. You are affected if you are using an algorithm and a key type other than a combination listed in the GitHub Security Advisory as unaffected. This issue has been fixed, please update to version 9.0.0. This version validates for asymmetric key type and algorithm combinations. Please refer to the above mentioned algorithm / key type combinations for the valid secure configuration. After updating to version 9.0.0, if you still intend to continue with signing or verifying tokens using invalid key type/algorithm value combinations, you’ll need to set the allowInvalidAsymmetricKeyTypes option to true in the sign() and/or verify() functions.

Publish Date: 2022-12-23

URL: CVE-2022-23539

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cf7-32gw-wr33

Release Date: 2022-12-23

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (opentok): 2.15.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23540

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

In versions <=8.5.1 of jsonwebtoken library, lack of algorithm definition in the jwt.verify() function can lead to signature validation bypass due to defaulting to the none algorithm for signature verification. Users are affected if you do not specify algorithms in the jwt.verify() function. This issue has been fixed, please update to version 9.0.0 which removes the default support for the none algorithm in the jwt.verify() method. There will be no impact, if you update to version 9.0.0 and you don’t need to allow for the none algorithm. If you need 'none' algorithm, you have to explicitly specify that in jwt.verify() options.

Publish Date: 2022-12-22

URL: CVE-2022-23540

CVSS 3 Score Details (7.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-23540

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (opentok): 2.15.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25883

Vulnerable Library - semver-5.7.1.tgz

The semantic version parser used by npm.

Library home page: https://registry.npmjs.org/semver/-/semver-5.7.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/semver/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • jsonwebtoken-8.5.1.tgz
    • ❌ semver-5.7.1.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Publish Date: 2023-06-21

URL: CVE-2022-25883

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-c2qf-rxjj-qqgw

Release Date: 2023-06-21

Fix Resolution (semver): 5.7.2

Direct dependency fix Resolution (opentok): 2.15.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24999

Vulnerable Library - qs-6.5.2.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.5.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/qs/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • request-2.88.2.tgz
    • ❌ qs-6.5.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[proto]=b&a[proto]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: [email protected]" in its release description, is not vulnerable).

Publish Date: 2022-11-26

URL: CVE-2022-24999

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2022-24999

Release Date: 2022-11-26

Fix Resolution (qs): 6.5.3

Direct dependency fix Resolution (opentok): 2.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-23337

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • ❌ lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (opentok): 2.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23541

Vulnerable Library - jsonwebtoken-8.5.1.tgz

JSON Web Token implementation (symmetric and asymmetric)

Library home page: https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-8.5.1.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/jsonwebtoken/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • ❌ jsonwebtoken-8.5.1.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

jsonwebtoken is an implementation of JSON Web Tokens. Versions <= 8.5.1 of jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function referring to the secretOrPublicKey argument from the readme link will result in incorrect verification of tokens. There is a possibility of using a different algorithm and key combination in verification, other than the one that was used to sign the tokens. Specifically, tokens signed with an asymmetric public key could be verified with a symmetric HS256 algorithm. This can lead to successful validation of forged tokens. If your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function. This issue has been patched, please update to version 9.0.0.

Publish Date: 2022-12-22

URL: CVE-2022-23541

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjrf-2m68-5959

Release Date: 2022-12-22

Fix Resolution (jsonwebtoken): 9.0.0

Direct dependency fix Resolution (opentok): 2.15.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-28155

Vulnerable Library - request-2.88.2.tgz

Simplified HTTP request client.

Library home page: https://registry.npmjs.org/request/-/request-2.88.2.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/request/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • ❌ request-2.88.2.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The request package through 2.88.2 for Node.js and the @cypress/request package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).NOTE: The request package is no longer supported by the maintainer.

Publish Date: 2023-03-16

URL: CVE-2023-28155

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8p7-x288-28g6

Release Date: 2023-03-16

Fix Resolution: @cypress/request - 3.0.0

CVE-2020-15366

Vulnerable Library - ajv-6.12.0.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-6.12.0.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/ajv/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • request-2.88.2.tgz
    • har-validator-5.1.3.tgz
      • ❌ ajv-6.12.0.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (opentok): 2.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-28500

Vulnerable Library - lodash-4.17.19.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.19.tgz

Path to dependency file: /package.json

Path to vulnerable library: /node_modules/lodash/package.json

Dependency Hierarchy:

• opentok-2.9.2.tgz (Root Library)
  • ❌ lodash-4.17.19.tgz (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Mend Note: After conducting further research, Mend has determined that CVE-2020-28500 only affects environments with versions 4.0.0 to 4.17.20 of Lodash.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (opentok): 2.10.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2022-32224

Vulnerable Library - activerecord-6.0.2.2.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.2.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • ❌ activerecord-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.

Publish Date: 2022-12-05

URL: CVE-2022-32224

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3hhc-qp5v-9p2j

Release Date: 2022-12-05

Fix Resolution: activerecord - 5.2.8.1,6.0.5.1,6.1.6.1,7.0.3.1

CVE-2022-21831

Vulnerable Library - activestorage-6.0.2.2.gem

Attach cloud and local files in Rails applications.

Library home page: https://rubygems.org/gems/activestorage-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activestorage-6.0.2.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • ❌ activestorage-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.

Publish Date: 2022-05-26

URL: CVE-2022-21831

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-w749-p3v6-hccq

Release Date: 2022-05-26

Fix Resolution: activestorage - 5.2.6.3,6.0.4.7,6.1.4.7,7.0.2.3

CVE-2023-22794

Vulnerable Library - activerecord-6.0.2.2.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.2.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • ❌ activerecord-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the annotate query method, the optimizer_hints query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.

Publish Date: 2023-02-09

URL: CVE-2023-22794

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hq7p-j377-6v63

Release Date: 2023-02-09

Fix Resolution: activerecord - 6.0.6.1,6.1.7.1,7.0.4.1

CVE-2023-22799

Vulnerable Library - globalid-0.4.2.gem

URIs for your models makes it easy to pass references around.

Library home page: https://rubygems.org/gems/globalid-0.4.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/globalid-0.4.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • activestorage-6.0.2.2.gem
    • activejob-6.0.2.2.gem
      • ❌ globalid-0.4.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.

Publish Date: 2023-02-09

URL: CVE-2023-22799

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-23c2-gwp5-pxw9

Release Date: 2023-02-09

Fix Resolution: globalid - 1.0.1

CVE-2022-44566

Vulnerable Library - activerecord-6.0.2.2.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.2.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • ❌ activerecord-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.

Publish Date: 2023-02-09

URL: CVE-2022-44566

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-579w-22j4-4749

Release Date: 2023-02-09

Fix Resolution: activerecord - 6.1.7.1,7.0.4.1

CVE-2021-22880

Vulnerable Libraries - rails-6.0.2.2.gem, activerecord-6.0.2.2.gem

rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Dependency Hierarchy:

• ❌ rails-6.0.2.2.gem (Vulnerable Library)

activerecord-6.0.2.2.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.2.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • ❌ activerecord-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the money type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.

Publish Date: 2021-02-11

URL: CVE-2021-22880

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129

Release Date: 2021-02-11

Fix Resolution: 5.2.4.5,6.0.3.5,6.1.2.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8162

Vulnerable Library - activestorage-6.0.2.2.gem

Attach cloud and local files in Rails applications.

Library home page: https://rubygems.org/gems/activestorage-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activestorage-6.0.2.2.gem

Dependency Hierarchy:

• rails-6.0.2.2.gem (Root Library)
  • ❌ activestorage-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.

Publish Date: 2020-06-19

URL: CVE-2020-8162

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-m42x-37p3-fv5w

Release Date: 2020-06-19

Fix Resolution: 5.2.4.3,6.0.3.1

CVE-2020-8167

Vulnerable Library - rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Dependency Hierarchy:

• ❌ rails-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.

Publish Date: 2020-06-19

URL: CVE-2020-8167

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://rubygems.org/gems/rails/versions/6.0.3.1

Release Date: 2020-06-19

Fix Resolution: 6.0.3.1,5.2.4.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-28120

Vulnerable Library - rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Dependency Hierarchy:

• ❌ rails-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A Possible XSS Security Vulnerability was discovered in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. All versions before 6.1.7.3 and 7.x before 7.0.4.3 are affected.

Publish Date: 2023-03-11

URL: CVE-2023-28120

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469

Release Date: 2023-03-11

Fix Resolution: rails - 6.1.7.3,7.0.4.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-23913

Vulnerable Library - rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Dependency Hierarchy:

• ❌ rails-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

There is a potential DOM based cross-site scripting issue in rails-ujs from 5.1.0 before 6.1.7.3 and 7.0.0 before 7.0.4.3, which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

Publish Date: 2023-01-20

URL: CVE-2023-23913

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468

Release Date: 2023-01-20

Fix Resolution: rails - 6.1.7.3,7.0.4.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22881

Vulnerable Library - rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Dependency Hierarchy:

• ❌ rails-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

Publish Date: 2021-02-11

URL: CVE-2021-22881

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

Release Date: 2021-02-11

Fix Resolution: 6.0.3.5,6.1.2.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-26144

Vulnerable Library - rails-6.0.2.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /rails-6.0.2.2.gem

Dependency Hierarchy:

• ❌ rails-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Publish Date: 2024-02-27

URL: CVE-2024-26144

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8h22-8cf7-hq6g

Release Date: 2024-02-27

Fix Resolution: rails - 6.1.7.7,7.0.8.1

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - puma-4.3.5.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /puma-4.3.5.gem

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2023-40175

Vulnerable Library - puma-4.3.5.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /puma-4.3.5.gem

Dependency Hierarchy:

• ❌ puma-4.3.5.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Puma is a Ruby/Rack web server built for parallelism. Prior to versions 6.3.1 and 5.6.7, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling. Severity of this issue is highly dependent on the nature of the web site using puma is. This could be caused by either incorrect parsing of trailing fields in chunked transfer encoding bodies or by parsing of blank/zero-length Content-Length headers. Both issues have been addressed and this vulnerability has been fixed in versions 6.3.1 and 5.6.7. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2023-08-18

URL: CVE-2023-40175

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-40175

Release Date: 2023-08-18

Fix Resolution: puma - 5.6.7,6.3.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-21647

Vulnerable Library - puma-4.3.5.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /puma-4.3.5.gem

Dependency Hierarchy:

• ❌ puma-4.3.5.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

Publish Date: 2024-01-08

URL: CVE-2024-21647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-21647

Release Date: 2024-01-08

Fix Resolution: puma - 5.6.8,6.4.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-29509

Vulnerable Library - puma-4.3.5.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /puma-4.3.5.gem

Dependency Hierarchy:

• ❌ puma-4.3.5.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A puma server which received more concurrent keep-alive connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. This problem has been fixed in puma 4.3.8 and 5.3.1. Setting queue_requests false also fixes the issue. This is not advised when using puma without a reverse proxy, such as nginx or apache, because you will open yourself to slow client attacks (e.g. slowloris). The fix is very small and a git patch is available for those using unsupported versions of Puma.

Publish Date: 2021-05-11

URL: CVE-2021-29509

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q28m-8xjw-8vr5

Release Date: 2021-05-11

Fix Resolution: puma - 4.3.8,5.3.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23634

Vulnerable Library - puma-4.3.5.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /puma-4.3.5.gem

Dependency Hierarchy:

• ❌ puma-4.3.5.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Publish Date: 2022-02-11

URL: CVE-2022-23634

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: puma - 4.3.11, 5.6.2; actionpack - 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-41136

Vulnerable Library - puma-4.3.5.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /puma-4.3.5.gem

Dependency Hierarchy:

• ❌ puma-4.3.5.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using puma with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with puma.

Publish Date: 2021-10-12

URL: CVE-2021-41136

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-48w2-rm65-62xx

Release Date: 2021-10-12

Fix Resolution: puma - 4.3.9, 5.5.1

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - rspec-rails-4.0.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2020-8165

Vulnerable Library - activesupport-6.0.2.2.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ activesupport-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

Publish Date: 2020-06-19

URL: CVE-2020-8165

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2p68-f74v-9wc6

Release Date: 2020-06-19

Fix Resolution: 5.2.4.3,6.0.3.1

CVE-2022-30123

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ rack-2.2.3.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack before 2.0.9.1,2.1.4.1,2.2.3.1

Publish Date: 2022-05-03

URL: CVE-2022-30123

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wq4h-7r42-5hrr

Release Date: 2022-05-03

Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1

WS-2022-0089

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • rails-html-sanitizer-1.3.0.gem
          • loofah-2.4.0.gem
            • ❌ nokogiri-1.10.9.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2

CVE-2022-29181

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • rails-html-sanitizer-1.3.0.gem
          • loofah-2.4.0.gem
            • ❌ nokogiri-1.10.9.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

CVE-2022-31163

Vulnerable Library - tzinfo-1.2.7.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/tzinfo-1.2.7.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • activesupport-6.0.2.2.gem
          • ❌ tzinfo-1.2.7.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61,1.2.10

CVE-2020-8164

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

Publish Date: 2020-06-19

URL: CVE-2020-8164

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8727-m6gj-mc37

Release Date: 2020-06-19

Fix Resolution: 5.2.4.3,6.0.3.1

CVE-2021-41098

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • rails-html-sanitizer-1.3.0.gem
          • loofah-2.4.0.gem
            • ❌ nokogiri-1.10.9.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5

CVE-2022-30122

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ rack-2.2.3.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

There is a possible denial of service vulnerability in the multipart parsing component of Rack before 2.0.9.1,2.1.4.1,2.2.3.1

Publish Date: 2022-05-03

URL: CVE-2022-30122

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hxqx-xwvh-44m2

Release Date: 2022-05-03

Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1

CVE-2021-22885

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the redirect_to or polymorphic_urlhelper with untrusted user input.

Publish Date: 2021-05-27

URL: CVE-2021-22885

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hjg4-8q5f-x6fm

Release Date: 2021-05-27

Fix Resolution: actionpack - 5.2.4.6,5.2.6,6.0.3.7,6.1.3.2

CVE-2022-24836

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • rails-html-sanitizer-1.3.0.gem
          • loofah-2.4.0.gem
            • ❌ nokogiri-1.10.9.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4

CVE-2021-22902

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Publish Date: 2021-06-11

URL: CVE-2021-22902

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-11

Fix Resolution: actionpack - 6.0.3.7,6.1.3.2

CVE-2021-22904

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication.

Publish Date: 2021-06-11

URL: CVE-2021-22904

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-11

Fix Resolution: actionpack - 5.2.4.6,5.2.6,6.0.3.7,6.1.3.2

CVE-2020-8185

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

Publish Date: 2020-07-02

URL: CVE-2020-8185

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: v6.0.3.2

CVE-2020-8264

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware.

Publish Date: 2021-01-06

URL: CVE-2020-8264

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2021-01-06

Fix Resolution: v6.0.3.4

CVE-2022-32209

Vulnerable Library - rails-html-sanitizer-1.3.0.gem

HTML sanitization for Rails applications

Library home page: https://rubygems.org/gems/rails-html-sanitizer-1.3.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.3.0.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ rails-html-sanitizer-1.3.0.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both select and style elements.Code is only impacted if allowed tags are being overridden. This may be done via application configuration:ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags = ["select", "style"]see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may be done with a :tags option to the Action View helper sanitize:<%= sanitize @comment.body, tags: ["select", "style"] %>see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be done with Rails::Html::SafeListSanitizer directly:ruby# class-level optionRails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]orruby# instance-level optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at the normal locations.## WorkaroundsRemove either select or style from the overridden allowed tags.## CreditsThis vulnerability was responsibly reported by windshock.

Publish Date: 2022-06-24

URL: CVE-2022-32209

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800

Release Date: 2022-06-24

Fix Resolution: rails-html-sanitizer - 1.4.3

CVE-2021-22881

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted Host headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted Host header can be used to redirect to a malicious website.

Publish Date: 2021-02-11

URL: CVE-2021-22881

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

Release Date: 2021-02-11

Fix Resolution: 6.0.3.5,6.1.2.1

CVE-2021-22942

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.

Publish Date: 2021-10-18

URL: CVE-2021-22942

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-22942

Release Date: 2021-10-18

Fix Resolution: actionpack - 6.0.4.1,6.1.4.1

CVE-2022-22577

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.

Publish Date: 2022-05-26

URL: CVE-2022-22577

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-mm33-5vfq-3mm3

Release Date: 2022-05-26

Fix Resolution: actionpack - 5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4

CVE-2022-27777

Vulnerable Library - actionview-6.0.2.2.gem

Simple, battle-tested conventions and helpers for building web pages.

Library home page: https://rubygems.org/gems/actionview-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionview-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ actionview-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.

Publish Date: 2022-05-26

URL: CVE-2022-27777

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-ch3h-j2vf-95pv

Release Date: 2022-05-26

Fix Resolution: actionview - 5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4

CVE-2020-15169

Vulnerable Library - actionview-6.0.2.2.gem

Simple, battle-tested conventions and helpers for building web pages.

Library home page: https://rubygems.org/gems/actionview-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionview-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ actionview-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the t and translate helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.

Publish Date: 2020-09-11

URL: CVE-2020-15169

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://rubygems.org/gems/actionview/versions/6.0.3.3

Release Date: 2020-09-11

Fix Resolution: 6.0.3.3, 5.2.4.4

CVE-2021-44528

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

Publish Date: 2022-01-10

URL: CVE-2021-44528

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-qphc-hf5q-v8fc

Release Date: 2022-01-10

Fix Resolution: actionpack - 6.0.4.2,6.1.4.2

CVE-2022-23634

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Publish Date: 2022-02-11

URL: CVE-2022-23634

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: puma - 4.3.11, 5.6.2; actionpack - 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

CVE-2022-23633

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• rspec-rails-4.0.0.gem (Root Library)
  • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Publish Date: 2022-02-11

URL: CVE-2022-23633

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

Vulnerable Library - opentok-4.0.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/httparty-0.18.0.gem

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

WS-2023-0001

Vulnerable Library - httparty-0.18.0.gem

Makes http fun! Also, makes consuming restful web services dead easy.

Library home page: https://rubygems.org/gems/httparty-0.18.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/httparty-0.18.0.gem

Dependency Hierarchy:

• opentok-4.0.1.gem (Root Library)
  • ❌ httparty-0.18.0.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

httparty prior to 0.21.0 has multipart/form-data request tampering vulnerability, which is caused by Content-Disposition "filename" lack of escaping in httparty. By exploiting this problem, an attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field, and attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.

Publish Date: 2023-01-03

URL: WS-2023-0001

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5pq7-52mg-hr42

Release Date: 2023-01-03

Fix Resolution: httparty - 0.21.0

CVE-2024-22049

Vulnerable Library - httparty-0.18.0.gem

Makes http fun! Also, makes consuming restful web services dead easy.

Library home page: https://rubygems.org/gems/httparty-0.18.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/httparty-0.18.0.gem

Dependency Hierarchy:

• opentok-4.0.1.gem (Root Library)
  • ❌ httparty-0.18.0.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

Publish Date: 2024-01-04

URL: CVE-2024-22049

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-22049

Release Date: 2024-01-04

Fix Resolution: httparty - 0.21.0

Vulnerable Library - rubocop-0.82.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rexml-3.2.4.gem

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2021-28965

Vulnerable Library - rexml-3.2.4.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.2.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rexml-3.2.4.gem

Dependency Hierarchy:

• rubocop-0.82.0.gem (Root Library)
  • ❌ rexml-3.2.4.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Publish Date: 2021-04-21

URL: CVE-2021-28965

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cr8-4vfw-mr7h

Release Date: 2021-04-21

Fix Resolution: rexml - 3.1.9.1, 3.2.5

Vulnerable Library - webpacker-4.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

CVE-2022-30123

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ rack-2.2.3.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

Publish Date: 2022-12-05

URL: CVE-2022-30123

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-wq4h-7r42-5hrr

Release Date: 2022-12-05

Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1

CVE-2020-8165

Vulnerable Library - activesupport-6.0.2.2.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.2.2.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • ❌ activesupport-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.

Publish Date: 2020-06-19

URL: CVE-2020-8165

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2p68-f74v-9wc6

Release Date: 2020-06-19

Fix Resolution: 5.2.4.3,6.0.3.1

WS-2022-0089

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • rails-html-sanitizer-1.3.0.gem
          • loofah-2.4.0.gem
            • ❌ nokogiri-1.10.9.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2

CVE-2022-29181

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.10.9.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • rails-html-sanitizer-1.3.0.gem
          • loofah-2.4.0.gem
            • ❌ nokogiri-1.10.9.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

CVE-2022-31163

Vulnerable Library - tzinfo-1.2.7.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/tzinfo-1.2.7.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • actionview-6.0.2.2.gem
        • activesupport-6.0.2.2.gem
          • ❌ tzinfo-1.2.7.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61,1.2.10

WS-2023-0224

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

In actionpack prior to 6.1.5 there is a Possible DOS in app with crashing exceptions_app.

Publish Date: 2023-06-28

URL: WS-2023-0224

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-06-28

Fix Resolution: actionpack - 6.1.5

CVE-2023-27539

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ rack-2.2.3.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. The issue is fixed versions 2.2.6.4 and 3.0.6.1

Publish Date: 2023-03-03

URL: CVE-2023-27539

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466

Release Date: 2023-03-03

Fix Resolution: rack - 2.2.6.4,3.0.6.1

CVE-2023-27530

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • actionpack-6.0.2.2.gem
      • ❌ rack-2.2.3.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.

Publish Date: 2023-03-10

URL: CVE-2023-27530

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-03-10

Fix Resolution: rack - 2.0.9.3,2.1.4.3,2.2.6.3,3.0.4.2

CVE-2023-22796

Vulnerable Library - activesupport-6.0.2.2.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.2.2.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • ❌ activesupport-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1

CVE-2023-22795

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Publish Date: 2023-02-09

URL: CVE-2023-22795

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-02-09

Fix Resolution: actionpack - 6.1.7.1, 7.0.4.1

CVE-2023-22792

Vulnerable Library - actionpack-6.0.2.2.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.0.2.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.0.2.2.gem

Dependency Hierarchy:

• webpacker-4.2.2.gem (Root Library)
  • railties-6.0.2.2.gem
    • ❌ actionpack-6.0.2.2.gem (Vulnerable Library)

Found in HEAD commit: 5473125c0050f0e991eee16c626c4cca1e562b27

Found in base branch: main

Vulnerability Details

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Publish Date: 2023-02-09

URL: CVE-2023-22792

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-02-09

Fix Resolution: actionpack - 6.1.7.1,7.0.4.1

CVE-2022-44572

Vulnerable Library - rack-2.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Library home page: https://rubygems.org/gems/rack-2.2.3.gem