rails-3.0.7.gem: 51 vulnerabilities (highest severity is: 9.8) #8
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
1 task
dev-mend-for-github-com
bot
changed the title
|
✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory. |
dev-mend-for-github-com
bot
changed the title
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
1 task
dev-mend-for-github-com
bot
changed the title
dev-mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - activerecord-3.0.7.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
Publish Date: 2022-12-05
URL: CVE-2022-32224
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3hhc-qp5v-9p2j
Release Date: 2022-12-05
Fix Resolution: activerecord - 5.2.8.1,6.0.5.1,6.1.6.1,7.0.3.1
Vulnerable Library - activerecord-3.0.7.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the
annotatequery method, theoptimizer_hintsquery method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.Publish Date: 2023-02-09
URL: CVE-2023-22794
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hq7p-j377-6v63
Release Date: 2023-02-09
Fix Resolution: activerecord - 6.0.6.1,6.1.7.1,7.0.4.1
Vulnerable Library - rack-1.2.3.gem
Rack provides minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Also see http://rack.rubyforge.org.
Library home page: https://rubygems.org/gems/rack-1.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-1.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.
Publish Date: 2020-07-02
URL: CVE-2020-8161
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution: 2.2.0,2.1.3
Vulnerable Library - activesupport-3.0.7.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Publish Date: 2023-02-09
URL: CVE-2023-22796
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j6gc-792m-qgm2
Release Date: 2023-02-09
Fix Resolution: activesupport - 6.1.7.1,7.0.4.1
Vulnerable Library - actionpack-3.0.7.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Publish Date: 2023-02-09
URL: CVE-2023-22795
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-02-09
Fix Resolution: actionpack - 6.1.7.1, 7.0.4.1
Vulnerable Library - actionpack-3.0.7.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.
Publish Date: 2023-02-09
URL: CVE-2023-22792
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2023-02-09
Fix Resolution: actionpack - 6.1.7.1,7.0.4.1
Vulnerable Library - activerecord-3.0.7.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Publish Date: 2023-02-09
URL: CVE-2022-44566
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-579w-22j4-4749
Release Date: 2023-02-09
Fix Resolution: activerecord - 6.1.7.1,7.0.4.1
Vulnerable Library - rack-1.2.3.gem
Rack provides minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Also see http://rack.rubyforge.org.
Library home page: https://rubygems.org/gems/rack-1.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-1.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
Publish Date: 2020-06-19
URL: CVE-2020-8184
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/forum/#!topic/rubyonrails-security/OWtmozPH9Ak
Release Date: 2020-06-19
Fix Resolution: rack - 2.1.4, 2.2.3
Vulnerable Library - rails-3.0.7.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
Publish Date: 2016-02-16
URL: CVE-2016-0752
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0752
Release Date: 2016-02-16
Fix Resolution: 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Libraries - rails-3.0.7.gem, actionpack-3.0.7.gem
rails-3.0.7.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem
Dependency Hierarchy:
actionpack-3.0.7.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
Publish Date: 2016-02-16
URL: CVE-2016-0751
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0751
Release Date: 2016-02-16
Fix Resolution: 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - i18n-0.5.0.gem
New wave Internationalization support for Ruby.
Library home page: https://rubygems.org/gems/i18n-0.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/i18n-0.5.0.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
Publish Date: 2018-11-06
URL: CVE-2014-10077
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10077
Release Date: 2018-11-06
Fix Resolution: 0.8.0
Vulnerable Library - actionpack-3.0.7.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.
Publish Date: 2014-05-07
URL: CVE-2014-0130
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0130
Release Date: 2014-05-07
Fix Resolution: 3.2.18,4.0.5,4.1.1
Vulnerable Libraries - rails-3.0.7.gem, actionpack-3.0.7.gem
rails-3.0.7.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem
Dependency Hierarchy:
actionpack-3.0.7.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Publish Date: 2016-04-07
URL: CVE-2016-2098
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2098
Release Date: 2016-04-07
Fix Resolution: 3.2.22.2,4.1.14.2,4.2.5.2
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - activerecord-3.0.7.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.
Publish Date: 2014-07-07
URL: CVE-2014-3482
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
Release Date: 2014-07-07
Fix Resolution: 3.2.19
Vulnerable Library - activesupport-3.0.7.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
Publish Date: 2013-01-30
URL: CVE-2013-0333
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0333
Release Date: 2013-01-30
Fix Resolution: 2.3.16,3.0.20
Vulnerable Library - activesupport-3.0.7.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
Publish Date: 2013-01-13
URL: CVE-2013-0156
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0156
Release Date: 2013-01-13
Fix Resolution: 2.3.15,3.0.19,3.1.10,3.2.11
Vulnerable Library - activerecord-3.0.7.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
Publish Date: 2013-01-04
URL: CVE-2012-6496
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6496
Release Date: 2013-01-04
Fix Resolution: 3.0.18,3.1.9,3.2.10
Vulnerable Library - activerecord-3.0.7.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
Publish Date: 2012-06-22
URL: CVE-2012-2695
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-2695
Release Date: 2012-06-22
Fix Resolution: 3.0.14,3.1.6,3.2.6
Vulnerable Library - mail-2.2.19.gem
A really Ruby Mail handler.
Library home page: https://rubygems.org/gems/mail-2.2.19.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/mail-2.2.19.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
Publish Date: 2012-07-18
URL: CVE-2012-2140
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-2140
Release Date: 2012-07-18
Fix Resolution: 2.4.3
Vulnerable Library - rails-3.0.7.gem
Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.
Library home page: https://rubygems.org/gems/rails-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.
Publish Date: 2020-06-19
URL: CVE-2020-8167
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://rubygems.org/gems/rails/versions/6.0.3.1
Release Date: 2020-06-19
Fix Resolution: 6.0.3.1,5.2.4.3
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerable Library - actionpack-3.0.7.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem
Dependency Hierarchy:
Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921
Found in base branch: main
Vulnerability Details
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
Publish Date: 2013-12-07
URL: CVE-2013-6417
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6417
Release Date: 2013-12-07
Fix Resolution: 3.2.16,4.0.2
⛑️Automatic Remediation will be attempted for this issue.
The text was updated successfully, but these errors were encountered: