Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update gems to fix all the CVEs #96

Merged
merged 6 commits into from
Oct 10, 2020
Merged

Update gems to fix all the CVEs #96

merged 6 commits into from
Oct 10, 2020

Conversation

AdrianCann
Copy link
Collaborator

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2020-8162
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
Title: Circumvention of file size limits in ActiveStorage
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: activesupport
Version: 5.2.1
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: jquery-rails
Version: 4.3.3
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: json
Version: 2.0.2
Advisory: CVE-2020-10663
Criticality: Unknown
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Solution: upgrade to >= 2.3.0

Name: loofah
Version: 2.2.2
Advisory: CVE-2019-15587
Criticality: Unknown
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-5477
Criticality: High
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.5
Advisory: CVE-2020-7595
Criticality: Medium
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.5
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: puma
Version: 3.11.4
Advisory: CVE-2019-16770
Criticality: High
URL: GHSA-7xx3-m584-x994
Title: Keepalive thread overload/DoS in puma
Solution: upgrade to ~> 3.12.2, >= 4.3.1

Name: puma
Version: 3.11.4
Advisory: CVE-2020-5249
Criticality: Unknown
URL: GHSA-33vf-4xgg-9r58
Title: HTTP Response Splitting (Early Hints) in Puma
Solution: upgrade to ~> 3.12.4, >= 4.3.3

Name: puma
Version: 3.11.4
Advisory: CVE-2020-11076
Criticality: Unknown
URL: GHSA-x7jg-6pwg-fx5h
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.5, >= 4.3.4

Name: puma
Version: 3.11.4
Advisory: CVE-2020-11077
Criticality: Unknown
URL: GHSA-w64w-qqph-5gxm
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.6, >= 4.3.5

Name: puma
Version: 3.11.4
Advisory: CVE-2020-5247
Criticality: Unknown
URL: GHSA-84j7-475p-hp8v
Title: HTTP Response Splitting vulnerability in puma
Solution: upgrade to ~> 3.12.4, >= 4.3.3

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rack
Version: 2.0.5
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: rack
Version: 2.0.5
Advisory: CVE-2019-16782
Criticality: Unknown
URL: GHSA-hrqr-hxpp-chr3
Title: Possible information leak / session hijack vulnerability
Solution: upgrade to ~> 1.6.12, >= 2.0.8

Name: railties
Version: 5.2.1
Advisory: CVE-2019-5420
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
Title: Possible Remote Code Execution Exploit in Rails Development Mode
Solution: upgrade to ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: rake
Version: 12.3.1
Advisory: CVE-2020-8130
Criticality: High
URL: GHSA-jppv-gw3r-w3q8
Title: OS Command Injection in Rake
Solution: upgrade to >= 12.3.3

Name: rubyzip
Version: 1.2.2
Advisory: CVE-2019-16892
Criticality: Unknown
URL: rubyzip/rubyzip#403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0

Name: simple_form
Version: 4.0.1
Advisory: CVE-2019-16676
Criticality: Unknown
URL: GHSA-r74q-gxcg-73hx
Title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Solution: upgrade to >= 5.0

Name: websocket-extensions
Version: 0.1.3
Advisory: CVE-2020-7663
Criticality: Unknown
URL: GHSA-g6wq-qcwm-j5g2
Title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
Solution: upgrade to >= 0.1.5

Vulnerabilities found!

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.2.1
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.2.1
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2020-8162
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
Title: Circumvention of file size limits in ActiveStorage
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: activesupport
Version: 5.2.1
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1
ruby-advisory-db: 472 advisories
Name: jquery-rails
Version: 4.3.3
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4
Name: json
Version: 2.0.2
Advisory: CVE-2020-10663
Criticality: Unknown
URL: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
Solution: upgrade to >= 2.3.0
Name: puma
Version: 3.11.4
Advisory: CVE-2019-16770
Criticality: High
URL: GHSA-7xx3-m584-x994
Title: Keepalive thread overload/DoS in puma
Solution: upgrade to ~> 3.12.2, >= 4.3.1
ruby-advisory-db: 472 advisories
Name: rubyzip
Version: 1.2.2
Advisory: CVE-2019-16892
Criticality: Unknown
URL: rubyzip/rubyzip#403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0
Name: simple_form
Version: 4.0.1
Advisory: CVE-2019-16676
Criticality: Unknown
URL: GHSA-r74q-gxcg-73hx
Title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
Solution: upgrade to >= 5.0
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant