-
-
Notifications
You must be signed in to change notification settings - Fork 905
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
revert libxml unescaped attrs #1746
revert libxml unescaped attrs #1746
Conversation
libxml2 >= 2.9.2 fails to escape comments within some attributes. It wants to ensure these comments can be treated as "server-side includes", but as a result fails to ensure that serialization is well-formed, resulting in an opportunity for XSS injection of code into a final re-parsed document (presumably in a browser). the offending commit is: GNOME/libxml2@960f0e2 we'll test this by parsing the HTML, serializing it, then re-parsing it to ensure there isn't any ambiguity in the output that might allow code injection into a browser consuming "sanitized" output. complaints have been made upstream about this behavior, notably at https://bugzilla.gnome.org/show_bug.cgi?id=769760 and multiple CVEs have been declared and fixed in downstream libraries as a result, a list is being kept up to date here: flavorjones/loofah#144
to restore original behavior around escaping html attributes related to commit 6c58c55
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Extremely unfortunate that we have to do this, but I think keeping our users safe is more important than "clean code".
Tests are (correctly) failing when using system libraries. Will try to work around that ... somehow. |
because upstream has a bug which is likely in all the distros' versions as well.
This actually went green despite the CI failure above. Merging. |
1.8.2 has an XSS vuln, see: sparklemotion/nokogiri#1746
Thanks, bundler-audit! sparklemotion/nokogiri#1746
Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
ruby-advisory-db: 318 advisories Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
ruby-advisory-db: 318 advisories Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Name: sprockets Version: 2.12.4 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets
As reported by `bundler-audit`: Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5
The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
The vulnerability message is below. In order to upgrade activejob, I had to upgrade Rails to version 5.1.6.1, which touched quite a few other gems. Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Unknown URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: rack Version: 2.0.3 Advisory: CVE-2018-16471 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o Title: Possible XSS vulnerability in Rack Solution: upgrade to ~> 1.6.11, >= 2.0.6 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
Address a couple of CVEs (as reported by `bundler-audit`). Name: ffi Version: 1.9.23 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: rubyzip Version: 1.2.1 Advisory: CVE-2018-1000544 Criticality: Unknown URL: rubyzip/rubyzip#369 Title: Directory Traversal in rubyzip Solution: upgrade to >= 1.2.2
ruby-advisory-db: 318 advisories Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: Unknown URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: rack Version: 2.0.8 Advisory: CVE-2020-8161 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA Title: Directory traversal in Rack::Directory app bundled with Rack Solution: upgrade to ~> 2.1.3, >= 2.2.0 Name: rack Version: 2.0.8 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: sprockets Version: 3.7.1 Advisory: CVE-2018-3760 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k Title: Path Traversal in Sprockets Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8
…VEs) It found the following 53 vulnerabilities: Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0 Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2 Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1 Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5 Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2 Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1 Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2 Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0 Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3 Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1 Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5
…VEs) It found the following 53 vulnerabilities: Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22885 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI Title: Possible Information Disclosure / Unintended Method Execution in Action Pack Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8166 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw Title: Ability to forge per-form CSRF tokens given a global CSRF token Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2020-8164 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY Title: Possible Strong Parameters Bypass in ActionPack Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionpack Version: 5.1.4 Advisory: CVE-2021-22904 Criticality: High URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ Title: Possible DoS Vulnerability in Action Controller Token Authentication Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2 Name: actionpack Version: 5.1.4 Advisory: CVE-2022-23633 Criticality: High URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ Title: Possible exposure of information vulnerability in Action Pack Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-15169 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc Title: Potential XSS vulnerability in Action View Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3 Name: actionview Version: 5.1.4 Advisory: CVE-2020-5267 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 Title: Possible XSS vulnerability in ActionView Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2 Name: actionview Version: 5.1.4 Advisory: CVE-2020-8167 Criticality: Medium URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0 Title: CSRF Vulnerability in rails-ujs Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5419 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI Title: Denial of Service Vulnerability in Action View Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1 Name: actionview Version: 5.1.4 Advisory: CVE-2019-5418 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q Title: File Content Disclosure in Action View Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3 Name: activejob Version: 5.1.4 Advisory: CVE-2018-16476 Criticality: High URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw Title: Broken Access Control vulnerability in Active Job Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1 Name: activerecord Version: 5.1.4 Advisory: CVE-2021-22880 Criticality: Medium URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1 Name: activesupport Version: 5.1.4 Advisory: CVE-2020-8165 Criticality: Unknown URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1 Name: addressable Version: 2.5.2 Advisory: CVE-2021-32740 Criticality: High URL: GHSA-jxhc-q857-3j6g Title: Regular Expression Denial of Service in Addressable templates Solution: upgrade to >= 2.8.0 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21288 Criticality: Medium URL: GHSA-fwcm-636p-68r5 Title: Server-side request forgery in CarrierWave Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: carrierwave Version: 1.2.1 Advisory: CVE-2021-21305 Criticality: High URL: GHSA-cf3w-g86h-35x4 Title: Code Injection vulnerability in CarrierWave::RMagick Solution: upgrade to ~> 1.3.2, >= 2.1.1 Name: ffi Version: 1.9.18 Advisory: CVE-2018-1000201 Criticality: High URL: https://github.com/ffi/ffi/releases/tag/1.9.24 Title: ruby-ffi DDL loading issue on Windows OS Solution: upgrade to >= 1.9.24 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2020-11023 Criticality: Medium URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released Title: Potential XSS vulnerability in jQuery Solution: upgrade to >= 4.4.0 Name: jquery-rails Version: 4.3.1 Advisory: CVE-2019-11358 Criticality: Medium URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ Title: Prototype pollution attack through jQuery $.extend Solution: upgrade to >= 4.3.4 Name: jquery-ui-rails Version: 5.0.5 Advisory: CVE-2016-7103 Criticality: Medium URL: jquery/api.jqueryui.com#281 Title: XSS Vulnerability on closeText option of Dialog jQuery UI Solution: upgrade to >= 6.0.0 Name: kaminari Version: 1.1.1 Advisory: CVE-2020-11082 Criticality: Medium URL: GHSA-r5jw-62xg-j433 Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter Solution: upgrade to >= 1.2.1 Name: loofah Version: 2.1.1 Advisory: CVE-2019-15587 Criticality: Medium URL: flavorjones/loofah#171 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.3.1 Name: loofah Version: 2.1.1 Advisory: CVE-2018-16468 Criticality: Medium URL: flavorjones/loofah#154 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.3 Name: loofah Version: 2.1.1 Advisory: CVE-2018-8048 Criticality: Medium URL: flavorjones/loofah#144 Title: Loofah XSS Vulnerability Solution: upgrade to >= 2.2.1 Name: mini_magick Version: 4.8.0 Advisory: CVE-2019-13574 Criticality: High URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ Title: Remote command execution via filename Solution: upgrade to >= 4.9.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-5477 Criticality: Critical URL: sparklemotion/nokogiri#1915 Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file Solution: upgrade to >= 1.10.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-41098 Criticality: High URL: GHSA-2rr5-8q37-2w7h Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby Solution: upgrade to >= 1.12.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-11068 Criticality: Unknown URL: sparklemotion/nokogiri#1892 Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability Solution: upgrade to >= 1.10.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-14404 Criticality: High URL: sparklemotion/nokogiri#1785 Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities Solution: upgrade to >= 1.8.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2017-15412 Criticality: Unknown URL: sparklemotion/nokogiri#1714 Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities Solution: upgrade to >= 1.8.2 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24839 Criticality: High URL: GHSA-9849-p7jc-9rmv Title: Denial of Service (DoS) in Nokogiri on JRuby Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-23437 Criticality: Medium URL: GHSA-xxx9-3xcr-gjj3 Title: XML Injection in Xerces Java affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2021-30560 Criticality: High URL: GHSA-fq42-c5rg-92c2 Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35) Solution: upgrade to >= 1.13.2 Name: nokogiri Version: 1.8.1 Advisory: GHSA-7rrm-v45f-jp64 Criticality: High URL: GHSA-7rrm-v45f-jp64 Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12 Solution: upgrade to >= 1.11.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-25032 Criticality: High URL: GHSA-v6gp-9mmm-c6p5 Title: Out-of-bounds Write in zlib affects Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-7595 Criticality: High URL: sparklemotion/nokogiri#1992 Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation Solution: upgrade to >= 1.10.8 Name: nokogiri Version: 1.8.1 Advisory: CVE-2019-13117 Criticality: Unknown URL: sparklemotion/nokogiri#1943 Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities Solution: upgrade to >= 1.10.5 Name: nokogiri Version: 1.8.1 Advisory: CVE-2022-24836 Criticality: High URL: GHSA-crjr-9rc5-ghw8 Title: Inefficient Regular Expression Complexity in Nokogiri Solution: upgrade to >= 1.13.4 Name: nokogiri Version: 1.8.1 Advisory: CVE-2020-26247 Criticality: Low URL: GHSA-vr8q-g5c7-m54m Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability Solution: upgrade to >= 1.11.0.rc4 Name: puma Version: 4.3.3 Advisory: CVE-2021-29509 Criticality: High URL: GHSA-q28m-8xjw-8vr5 Title: Keepalive Connections Causing Denial Of Service in puma Solution: upgrade to ~> 4.3.8, >= 5.3.1 Name: puma Version: 4.3.3 Advisory: CVE-2022-24790 Criticality: Critical URL: GHSA-h99w-9q5r-gjq9 Title: HTTP Request Smuggling in puma Solution: upgrade to ~> 4.3.12, >= 5.6.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11076 Criticality: High URL: GHSA-x7jg-6pwg-fx5h Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.5, >= 4.3.4 Name: puma Version: 4.3.3 Advisory: CVE-2020-11077 Criticality: Medium URL: GHSA-w64w-qqph-5gxm Title: HTTP Smuggling via Transfer-Encoding Header in Puma Solution: upgrade to ~> 3.12.6, >= 4.3.5 Name: puma Version: 4.3.3 Advisory: CVE-2022-23634 Criticality: High URL: GHSA-rmj8-8hhh-gv5h Title: Information Exposure with Puma when used with Rails Solution: upgrade to ~> 4.3.11, >= 5.6.2 Name: puma Version: 4.3.3 Advisory: CVE-2021-41136 Criticality: Low URL: GHSA-48w2-rm65-62xx Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma Solution: upgrade to ~> 4.3.9, >= 5.5.1 Name: rack Version: 2.2.2 Advisory: CVE-2020-8184 Criticality: Unknown URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names Solution: upgrade to ~> 2.1.4, >= 2.2.3 Name: rails-html-sanitizer Version: 1.0.3 Advisory: CVE-2018-3741 Criticality: Unknown URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ Title: XSS vulnerability in rails-html-sanitizer Solution: upgrade to >= 1.0.4 Name: rails_admin Version: 1.2.0 Advisory: CVE-2020-36190 Criticality: Medium URL: railsadminteam/rails_admin@d72090e Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to ~> 1.4.3, >= 2.0.2 Name: rails_admin Version: 1.2.0 Advisory: CVE-2017-12098 Criticality: Medium URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450 Title: rails_admin ruby gem XSS vulnerability Solution: upgrade to >= 1.3.0 Name: rake Version: 12.3.0 Advisory: CVE-2020-8130 Criticality: High URL: GHSA-jppv-gw3r-w3q8 Title: OS Command Injection in Rake Solution: upgrade to >= 12.3.3 Name: redcarpet Version: 3.4.0 Advisory: CVE-2020-26298 Criticality: Medium URL: vmg/redcarpet@a699c82 Title: Injection/XSS in Redcarpet Solution: upgrade to >= 3.5.1 Name: websocket-extensions Version: 0.1.3 Advisory: CVE-2020-7663 Criticality: High URL: GHSA-g6wq-qcwm-j5g2 Title: Regular Expression Denial of Service in websocket-extensions (RubyGem) Solution: upgrade to >= 0.1.5
ruby-advisory-db: 318 advisories Name: nokogiri Version: 1.8.2 Advisory: CVE-2018-8048 Criticality: Unknown URL: sparklemotion/nokogiri#1746 Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS Solution: upgrade to >= 1.8.3
libxml2 >= 2.9.2 fails to escape comments within some attributes. It
wants to ensure these comments can be treated as "server-side includes",
but as a result fails to ensure that serialization is well-formed,
resulting in an opportunity for XSS injection of code into a final
re-parsed document (presumably in a browser).
the offending commit is:
we'll test this by parsing the HTML, serializing it, then
re-parsing it to ensure there isn't any ambiguity in the output
that might allow code injection into a browser consuming
"sanitized" output.
complaints have been made upstream about this behavior, notably at
and multiple CVEs have been declared and fixed in downstream
libraries as a result, a list is being kept up to date here: