This repository has been archived by the owner on Mar 7, 2024. It is now read-only.
rdoc-3.12.gem: 4 vulnerabilities (highest severity is: 7.5) #2
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Vulnerable Library - rdoc-3.12.gem
RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying online documentation.
See RDoc for a description of RDoc's markup and basic use.
Library home page: https://rubygems.org/gems/rdoc-3.12.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rdoc-3.12.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Vulnerabilities
*For some transitive vulnerabilities, there is no version of the direct dependency that includes a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2020-10663
Vulnerable Library - json-1.7.6.gem
This is a JSON implementation as a Ruby extension in C.
Library home page: https://rubygems.org/gems/json-1.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/json-1.7.6.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Publish Date: 2020-04-28
URL: CVE-2020-10663
CVSS 3 Score Details (7.5)
Suggested Fix
Type: Upgrade version
Origin: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Release Date: 2020-04-28
Fix Resolution: 2.3.0
CVE-2013-0269
Vulnerable Library - json-1.7.6.gem
This is a JSON implementation as a Ruby extension in C.
Library home page: https://rubygems.org/gems/json-1.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/json-1.7.6.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Publish Date: 2013-02-13
URL: CVE-2013-0269
CVSS 3 Score Details (7.3)
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
Release Date: 2013-02-13
Fix Resolution: json - 1.5.5, 1.6.8, 1.7.7
CVE-2021-31799
Vulnerable Library - rdoc-3.12.gem
RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying online documentation.
See RDoc for a description of RDoc's markup and basic use.
Library home page: https://rubygems.org/gems/rdoc-3.12.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rdoc-3.12.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
Publish Date: 2021-07-30
URL: CVE-2021-31799
CVSS 3 Score Details (7.0)
Suggested Fix
Type: Upgrade version
Origin: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Release Date: 2021-07-30
Fix Resolution: rdoc - 6.3.1
CVE-2013-0256
Vulnerable Library - rdoc-3.12.gem
RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying online documentation.
See RDoc for a description of RDoc's markup and basic use.
Library home page: https://rubygems.org/gems/rdoc-3.12.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rdoc-3.12.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
Publish Date: 2013-03-01
URL: CVE-2013-0256
CVSS 3 Score Details (3.7)
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0256
Release Date: 2013-03-01
Fix Resolution: 4.0.0.preview2.1