-
-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785
Comments
USNshttps://usn.ubuntu.com/3739-1/ which addresses:
and https://usn.ubuntu.com/3739-2/ which addresses:
Note that 3739-2 addresses a subset of 3739-1. CVEsCVE-2016-9318Permalink is https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9318.html Description:
Canonical rates this vulnerability as "Priority: Low" The CVE report indicates this is the patch that addresses the vulnerability:
Looking at libxml upstream:
... we see this was fixed in libxml 2.9.8, which Nokogiri has vendored since v1.8.3. CVE-2017-16932Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html Description:
Canonical rates this vulnerability as "Priority: Low" The CVE report indicates that this is the patch that addresses the vulnerability: Looking at libxml upstream:
... we see this has been fixed since libxml 2.9.5, which Nokogiri has vendored since v1.8.1. CVE-2017-18258Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html Description:
Canonical rates this vulnerability as "Priority: Low" The CVE report indicates that this is the patch that addresses the vulnerability:
Looking at libxml upstream:
... we see this has been fixed since libxml 2.9.6, which Nokogiri has vendored since v1.8.2. CVE-2018-14404Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html Description:
Canonical rates this vulnerability as "Priority: Medium" The CVE report indicates that this is the patch that addresses the vulnerability:
Looking at libxml upstream:
... we see that this is not yet addressed in an upstream release. This is curious. CVE-2018-14567Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html Description:
Canonical rates this vulnerability as "Priority: Medium" The CVE report indicates that this is the patch that addresses the vulnerability:
Looking at libxml upstream:
... we see that this is not yet addressed in an upstream release. This is curious. |
ConclusionsOf the five CVEs addressed in this USN, these three are already addressed by Nokogiri:
The remaining two CVEs are not yet addressed in an upstream libxml2 release. Here are the commits in question:
I guess I'll try including these patches and see what happens? |
based on USN-3739-1 and -2. see related #1785.
I've created a PR at #1786 for comments. Please take a look and comment there. |
<hr> 🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨 Advisory: CVE-2018-14404 Disclosed: October 04, 2018 URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785) <details> <summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary> <blockquote> <p>Nokogiri 1.8.5 has been released.</p> <p>This is a security and bugfix release. It addresses two CVEs in upstream<br> libxml2 rated as "medium" by Red Hat, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's<br> vendored libraries, there's no security need to upgrade at this time,<br> though you may want to check with your distro whether they've patched this<br> (Canonical has patched Ubuntu packages). Note that these patches are not<br> yet (as of 2018-10-04) in an upstream release of libxml2.</p> <p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br> [<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p> <hr> <p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br> and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br> patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <hr> <p>CVE-2018-14404</p> <p>Permalink:</p> <p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p> <p>Description:</p> <p>A NULL pointer dereference vulnerability exists in the<br> xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br> parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br> case. Applications processing untrusted XSL format inputs with the use of<br> the libxml2 library may be vulnerable to a denial of service attack due<br> to a crash of the application</p> <p>Canonical rates this vulnerability as "Priority: Medium"</p> <hr> <p>CVE-2018-14567</p> <p>Permalink:</p> <p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p> <p>Description:</p> <p>infinite loop in LZMA decompression</p> <p>Canonical rates this vulnerability as "Priority: Medium"</p> </blockquote> </details> <br> 🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨 <hr> We've updated a dependency and here is what you need to know: | name | version specification | old version | new version | | --- | --- | --- | --- | | nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 | You should probably take a good look at the info here and the test results before merging this pull request, of course. ### What changed? ####↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) <details> <summary>Commits</summary> <p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p> <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch 'fix-1773'</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li> </ul> </details> --- [![Depfu Status](https://depfu.com/badges/e69c6c7bda228fd38f6335ea889589cb/stats.svg)](https://depfu.com/repos/joenas/preschool?project_id=4294 "See the full overview on Depfu") Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`. <details><summary>All Depfu comment commands</summary> <blockquote><dl> <dt>@depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd> <dt>@depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd> <dt>@depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd> <dt>@depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd> </dl></blockquote> Go to the <a href="https://depfu.com/repos/joenas/preschool?project_id=4294">Depfu Dashboard</a> to see the state of your dependencies and to customize how Depfu works. </details>
<hr> 🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨 Advisory: CVE-2018-14404 Disclosed: October 04, 2018 URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785) <details> <summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary> <blockquote> <p>Nokogiri 1.8.5 has been released.</p> <p>This is a security and bugfix release. It addresses two CVEs in upstream<br> libxml2 rated as "medium" by Red Hat, for which details are below.</p> <p>If you're using your distro's system libraries, rather than Nokogiri's<br> vendored libraries, there's no security need to upgrade at this time,<br> though you may want to check with your distro whether they've patched this<br> (Canonical has patched Ubuntu packages). Note that these patches are not<br> yet (as of 2018-10-04) in an upstream release of libxml2.</p> <p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br> [<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p> <hr> <p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br> and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br> patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p> <hr> <p>CVE-2018-14404</p> <p>Permalink:</p> <p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p> <p>Description:</p> <p>A NULL pointer dereference vulnerability exists in the<br> xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br> parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br> case. Applications processing untrusted XSL format inputs with the use of<br> the libxml2 library may be vulnerable to a denial of service attack due<br> to a crash of the application</p> <p>Canonical rates this vulnerability as "Priority: Medium"</p> <hr> <p>CVE-2018-14567</p> <p>Permalink:</p> <p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p> <p>Description:</p> <p>infinite loop in LZMA decompression</p> <p>Canonical rates this vulnerability as "Priority: Medium"</p> </blockquote> </details> <br> 🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨 <hr> We've updated a dependency and here is what you need to know: | name | version specification | old version | new version | | --- | --- | --- | --- | | nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 | You should probably take a good look at the info here and the test results before merging this pull request, of course. ### What changed? ####↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md) <details> <summary>Commits</summary> <p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p> <ul> <li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch 'fix-1773'</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li> <li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li> </ul> </details> --- ![Depfu Status](https://depfu.com/badges/0a723c09b68149a932bdb420ef5f5e4e/stats.svg) [Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`. <details><summary>All Depfu comment commands</summary> <blockquote><dl> <dt>@depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd> <dt>@depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd> <dt>@depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd> <dt>@depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd> </dl></blockquote> </details>
Bundler-audit report the following security advisory for nokogiri. This PR updates nokogiri to the recommended version. Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5
see https://circleci.com/gh/railslink/railslink/138 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5
see https://circleci.com/gh/railslink/railslink/138 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5
Resolves CVE described here: sparklemotion/nokogiri#1785
ruby-advisory-db: 323 advisories Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2
ruby-advisory-db: 323 advisories Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2
ruby-advisory-db: 323 advisories Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2
Updated 'deface' to update 'nokogiri' dependency gem after vulnerability checks with 'audit': Nokogiri gem, via libxml2, is affected by multiple vulnerabilities. sparklemotion/nokogiri#1785
Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Name: sprockets Version: 2.12.4 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets
Upstream changes (from CHANGELOG.md): # 1.8.5 / 2018-10-04 ## Security Notes [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 and CVE-2018-14567. Full details are available in [#1785] (sparklemotion/nokogiri#1785). Note that these patches are not yet (as of 2018-10-04) in an upstream release of libxml2. ## Bug fixes * [MRI] Fix regression in installation when building against system libraries, where some systems would not be able to find libxml2 or libxslt when present. (Regression introduced in v1.8.3.) [#1722] * [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
As reported by `bundler-audit`: Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5
- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes thoughtbot#1225
- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225
The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Address a couple of CVEs (as reported by `bundler-audit`). Name: ffi Version: 1.9.23 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2
$ bundle exec bundle-audit check Name: actionview Version: 5.2.1 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11 Name: actionview Version: 5.2.1 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Name: activejob Version: 5.2.1 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activestorage Version: 5.2.1 Advisory: CVE-2018-16477 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg Title: Bypass vulnerability in Active Storage Solution: upgrade to >= 5.2.1.1 Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: railties Version: 5.2.1 Advisory: CVE-2019-5420 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw Title: Possible Remote Code Execution Exploit in Rails Development Mode Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3 Vulnerabilities found!
- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225
Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: rack Version: 2.0.8 Advisory: CVE-2020-8161 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA Title: Directory traversal in Rack::Directory app bundled with Rack Solution: upgrade to ~> 2.1.3, >= 2.2.0 Name: rack Version: 2.0.8 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8
Numerous CVEs found: Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6
…VEs) It found the following 53 vulnerabilities: Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0 Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2 Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1 Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5 Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2 Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1 Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2 Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0 Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3 Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1 Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5
…VEs) It found the following 53 vulnerabilities: Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0 Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2 Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1 Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5 Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2 Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1 Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2 Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0 Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3 Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1 Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5
- Fix some vulnerabilities ``` Name: loofah Version: 2.2.2 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: nokogiri Version: 1.8.4 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rack Version: 2.0.5 Advisory: CVE-2018-16470 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk Title: Possible DoS vulnerability in Rack Solution: upgrade to >= 2.0.6 Name: rack Version: 2.0.5 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 ``` - Fix factory_bot issues - Closes #1225
This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.
References:
Summary:
Two upstream patches, not yet available in an official libxml2 release, are candidates for patching in Nokogiri's vendored libxml2. A pull request has been created at #1786 for comments.
The text was updated successfully, but these errors were encountered: