forked from OWASP/railsgoat
-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rails-6.0.0.gem: 12 vulnerabilities (highest severity is: 9.3) #82
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
label
Oct 19, 2022
This was referenced Oct 19, 2022
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 6 vulnerabilities (highest severity is: 9.8)
rails-6.0.0.gem: 6 vulnerabilities (highest severity is: 9.8) - autoclosed
Oct 20, 2022
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 6 vulnerabilities (highest severity is: 9.8) - autoclosed
rails-6.0.0.gem: 6 vulnerabilities (highest severity is: 9.8)
Oct 31, 2022
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 6 vulnerabilities (highest severity is: 9.8)
rails-6.0.0.gem: 9 vulnerabilities (highest severity is: 9.8)
Jan 22, 2023
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 9 vulnerabilities (highest severity is: 9.8)
rails-6.0.0.gem: 10 vulnerabilities (highest severity is: 9.8)
Mar 16, 2023
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 10 vulnerabilities (highest severity is: 9.8)
rails-6.0.0.gem: 11 vulnerabilities (highest severity is: 9.8)
Mar 23, 2023
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 11 vulnerabilities (highest severity is: 9.8)
rails-6.0.0.gem: 11 vulnerabilities (highest severity is: 9.3)
Mar 6, 2024
mend-for-github-com
bot
changed the title
rails-6.0.0.gem: 11 vulnerabilities (highest severity is: 9.3)
rails-6.0.0.gem: 12 vulnerabilities (highest severity is: 9.3)
Mar 18, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
0 participants
Vulnerable Library - rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-32224
Vulnerable Library - activerecord-6.0.0.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
Publish Date: 2022-12-05
URL: CVE-2022-32224
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 4 Score Details (9.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-3hhc-qp5v-9p2j
Release Date: 2022-12-05
Fix Resolution: activerecord - 5.2.8.1,6.0.5.1,6.1.6.1,7.0.3.1
CVE-2022-21831
Vulnerable Library - activestorage-6.0.0.gem
Attach cloud and local files in Rails applications.
Library home page: https://rubygems.org/gems/activestorage-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activestorage-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
Publish Date: 2022-05-26
URL: CVE-2022-21831
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 4.8%
CVSS 4 Score Details (9.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-w749-p3v6-hccq
Release Date: 2022-05-26
Fix Resolution: activestorage - 5.2.6.3,6.0.4.7,6.1.4.7,7.0.2.3
CVE-2023-22799
Vulnerable Library - globalid-0.4.2.gem
URIs for your models makes it easy to pass references around.
Library home page: https://rubygems.org/gems/globalid-0.4.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/globalid-0.4.2.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.
Publish Date: 2023-02-09
URL: CVE-2023-22799
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-23c2-gwp5-pxw9
Release Date: 2023-02-09
Fix Resolution: globalid - 1.0.1
CVE-2023-22794
Vulnerable Library - activerecord-6.0.0.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the
annotate
query method, theoptimizer_hints
query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.Publish Date: 2023-02-09
URL: CVE-2023-22794
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-hq7p-j377-6v63
Release Date: 2023-02-09
Fix Resolution: activerecord - 6.0.6.1,6.1.7.1,7.0.4.1
CVE-2022-44566
Vulnerable Library - activerecord-6.0.0.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Publish Date: 2023-02-09
URL: CVE-2022-44566
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-579w-22j4-4749
Release Date: 2023-02-09
Fix Resolution: activerecord - 6.1.7.1,7.0.4.1
CVE-2020-8162
Vulnerable Library - activestorage-6.0.0.gem
Attach cloud and local files in Rails applications.
Library home page: https://rubygems.org/gems/activestorage-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activestorage-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.
Publish Date: 2020-06-19
URL: CVE-2020-8162
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 4 Score Details (8.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-m42x-37p3-fv5w
Release Date: 2020-06-19
Fix Resolution: 5.2.4.3,6.0.3.1
CVE-2021-22880
Vulnerable Libraries - rails-6.0.0.gem, activerecord-6.0.0.gem
rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Dependency Hierarchy:
activerecord-6.0.0.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the
money
type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.Publish Date: 2021-02-11
URL: CVE-2021-22880
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.6%
CVSS 4 Score Details (8.2)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
Release Date: 2021-02-11
Fix Resolution: 5.2.4.5,6.0.3.5,6.1.2.1
In order to enable automatic remediation, please create workflow rules
CVE-2020-8167
Vulnerable Library - rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
Publish Date: 2020-06-19
URL: CVE-2020-8167
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 4 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://rubygems.org/gems/rails/versions/6.0.3.1
Release Date: 2020-06-19
Fix Resolution: 6.0.3.1,5.2.4.3
In order to enable automatic remediation, please create workflow rules
CVE-2024-26144
Vulnerable Library - rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
Publish Date: 2024-02-27
URL: CVE-2024-26144
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 4 Score Details (6.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-8h22-8cf7-hq6g
Release Date: 2024-02-27
Fix Resolution: rails - 6.1.7.7,7.0.8.1
In order to enable automatic remediation, please create workflow rules
CVE-2023-28120
Vulnerable Library - rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
A Possible XSS Security Vulnerability was discovered in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. All versions before 6.1.7.3 and 7.x before 7.0.4.3 are affected.
Publish Date: 2023-03-11
URL: CVE-2023-28120
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 4 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
Release Date: 2023-03-11
Fix Resolution: rails - 6.1.7.3,7.0.4.3
In order to enable automatic remediation, please create workflow rules
CVE-2023-23913
Vulnerable Library - rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
There is a potential DOM based cross-site scripting issue in rails-ujs from 5.1.0 before 6.1.7.3 and 7.0.0 before 7.0.4.3, which leverages the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.
Publish Date: 2023-01-20
URL: CVE-2023-23913
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 4 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468
Release Date: 2023-01-20
Fix Resolution: rails - 6.1.7.3,7.0.4.3
In order to enable automatic remediation, please create workflow rules
CVE-2021-22881
Vulnerable Library - rails-6.0.0.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-6.0.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-6.0.0.gem
Dependency Hierarchy:
Found in HEAD commit: 10b00bba83d518df58b71c164d0be7c229d4b799
Found in base branch: master
Vulnerability Details
The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted
Host
headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially craftedHost
header can be used to redirect to a malicious website.Publish Date: 2021-02-11
URL: CVE-2021-22881
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 4 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130
Release Date: 2024-08-01
Fix Resolution: 6.0.3.5,6.1.2.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: