Brakeman reporting false positive on CVE-2018-8048 #209

Closed
jarkko opened this issue Jun 7, 2021 · 7 comments

Comments

@jarkko

jarkko commented Jun 7, 2021

We're getting this with our Rails app, with the brand new loofah 2.10:

Confidence: Medium
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock
Line: 503

However, the CVE is from 2018, and 2.10.0 is clearly > 2.2.1. Can it be that the "10" is somehow detected as smaller than "2" (perhaps sorting as a string instead of a number)?
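
The string-sorting hypothesis from the report above, as an added Ruby example (not code from Brakeman or loofah): it pulls the pinned loofah version out of a constructed Gemfile.lock fragment and compares it against the advisory's fixed version twice, once with plain String comparison and once with Gem::Version. The string comparison flags 2.10.0 as older than 2.2.1, the segment-wise numeric comparison does not. The lock-file text, the helper names and the extra 2.9.9-versus-10.0.0 case are assumptions for illustration, not taken from the issue.

```ruby
# Added example, not Brakeman's or loofah's own code: why comparing version
# numbers as strings misfires, and how Gem::Version compares them correctly.
require "rubygems"

# Constructed Gemfile.lock fragment standing in for the real lock file
# (the one the report points at is not part of the issue).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.10.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.3.0)
        loofah (~> 2.3)
LOCK

# Extract the pinned version of a gem from Gemfile.lock text.
# Only "name (x.y.z)" lines indented by exactly four spaces under specs: are
# pins; the deeper-indented dependency lines carry constraints and are skipped.
def pinned_version(lock_text, gem_name)
  lock_text.each_line do |line|
    m = line.match(/\A\s{4}#{Regexp.escape(gem_name)} \(([^)]+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# The naive comparison: String#< compares character by character, so
# "2.10.0" sorts before "2.2.1" because "1" < "2" at the third character.
def string_says_vulnerable?(installed, fixed_in)
  installed < fixed_in
end

# The correct comparison: Gem::Version splits on dots and compares each
# segment as a number, so 2.10.0 > 2.2.1 as expected.
def version_says_vulnerable?(installed, fixed_in)
  Gem::Version.new(installed) < Gem::Version.new(fixed_in)
end

# Fixed version as quoted in the Brakeman message above.
FIXED_IN = "2.2.1"

# Run both comparisons against the version pinned in the lock file.
def report(lock_text, gem_name, fixed_in)
  installed = pinned_version(lock_text, gem_name)
  {
    installed: installed,
    string_comparison: string_says_vulnerable?(installed, fixed_in),
    gem_version_comparison: version_says_vulnerable?(installed, fixed_in),
  }
end

if __FILE__ == $PROGRAM_NAME
  r = report(SAMPLE_LOCK, "loofah", FIXED_IN)
  puts "installed loofah: #{r[:installed]}"
  puts "string comparison flags it:       #{r[:string_comparison]}"
  puts "Gem::Version comparison flags it: #{r[:gem_version_comparison]}"
end
```

The string comparison also fails in the other direction: 2.9.9 sorts after 10.0.0 as a string, so a genuinely outdated gem would be reported as safe. Any version check in a scanner should go through Gem::Version (or an equivalent segment-wise comparison), never through string ordering.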

@psantos10

> We're getting this with our Rails app, with the brand new loofah 2.10:
>
> Confidence: Medium
> Category: Cross-Site Scripting
> Check: SanitizeMethods
> Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
> File: Gemfile.lock
> Line: 503
>
> However, the CVE is from 2018, and 2.10.0 is clearly > 2.2.1. Can it be that the "10" is somehow detected as smaller than "2" (perhaps sorting as a string instead of a number)?

Same issue here

@pezholio

pezholio commented Jun 7, 2021

This is an issue with the Loofah version detection in Brakeman: presidentbeef/brakeman#1603. There's a fix waiting to go in here presidentbeef/brakeman#1604

@flavorjones
Owner

@pezholio Thanks for the pointer, I'll leave this open until that's resolved so folks understand what's going on.

@jarkko
Author

jarkko commented Jun 8, 2021

Wait, how the heck did I end up posting this to the loofah issues, thought all the time I was in the Brakeman GitHub repo 🙈. Monday mood, indeed.

@pezholio

pezholio commented Jun 8, 2021

@jarkko Happens to the best of us!

@pezholio

pezholio commented Jun 8, 2021

FWIW - the fix is now in for Brakeman (presidentbeef/brakeman#1607), and a new version has been pushed to RubyGems, so I think this can be closed

@flavorjones
Owner

Thanks for your patience, everybody!

@flavorjones flavorjones changed the title Minor version detection seems broken Brakeman reporting false positive on CVE-2018-8048 Jul 14, 2021
@flavorjones flavorjones pinned this issue Jul 14, 2021
tobyprivett added a commit to DEFRA/waste-carriers-back-office that referenced this issue Dec 22, 2021
- The report actually says:
"loofah gem 2.13.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1."

- On closer inspection, you'll see that 2.2.1 is a *downgrade* from 2.13.0
A known issue:
flavorjones/loofah#209