Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate libxml2 vulnerabilities patched in USN-4274-1 #1992

Closed
flavorjones opened this issue Feb 10, 2020 · 4 comments · Fixed by #1993
Closed

Investigate libxml2 vulnerabilities patched in USN-4274-1 #1992

flavorjones opened this issue Feb 10, 2020 · 4 comments · Fixed by #1993

Comments

@flavorjones
Copy link
Member

flavorjones commented Feb 10, 2020

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary

Synthesis

CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Actions

Nokogiri has backported the patch for CVE-2020-7595 into its vendored version of libxml2, and released this as v1.10.8: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8

If you are using Nokogiri <= v1.10.7, please upgrade to v1.10.8 or later.


History of this notification

  • 2020-02-10: USN-4274-1 published by Canonical
  • 2020-02-10: this github issue created
  • 2020-02-10: Nokogiri v1.10.8 is released with patched libxml2
@flavorjones
Copy link
Member Author

Analysis

CVE-2019-19956

permalink: https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-19956.html

bug report: https://gitlab.gnome.org/GNOME/libxml2/issues/82

description:

xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs.

priority: low

fix commit: https://gitlab.gnome.org/GNOME/libxml2/commit/5a02583c7e683896d84878bd90641d8d9b0d0549

in upstream libxml2 release?

$ git tag --contains 5a02583c7e683896d84878bd90641d8d9b0d0549
v2.9.10
v2.9.10-rc1

CVE-2020-7595

permalink: https://people.canonical.com/~ubuntu-security/cve/2020/CVE-2020-7595.html

bug report: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=949582

description:

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

priority: medium

fix commit: https://gitlab.gnome.org/GNOME/libxml2/commit/0e1a49c8907645d2e155f0d89d4d9895ac5112b5

in upstream libxml2 release?

$ git tag --contains 0e1a49c8907645d2e155f0d89d4d9895ac5112b5
# no, not in an upstream release

@flavorjones
Copy link
Member Author

Synthesis

CVE-2019-19956 was addressed in upstream libxml2 release v2.9.10, which has been vendored in Nokogiri since v1.10.5 on 2019-10-31.

CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and so Nokogiri versions <= v1.10.7 are vulnerable.

Recommendations

Nokogiri should backport the patch for CVE-2020-7595 into its vendored version of libxml2.

flavorjones added a commit that referenced this issue Feb 10, 2020
@flavorjones flavorjones linked a pull request Feb 10, 2020 that will close this issue
flavorjones added a commit that referenced this issue Feb 10, 2020
@flavorjones flavorjones reopened this Feb 10, 2020
@flavorjones
Copy link
Member Author

Patch has been backported onto master. Now waiting for the v1.10.x branch to go green so I can cut a patch release.

@flavorjones flavorjones added this to the v1.10.x patch releases milestone Feb 10, 2020
flavorjones added a commit that referenced this issue Feb 10, 2020
flavorjones added a commit that referenced this issue Feb 10, 2020
@flavorjones
Copy link
Member Author

v1.10.8 has been released: https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.8

Aupajo added a commit to kilterset/kiwi-ruby-haiku that referenced this issue Feb 12, 2020
Patches a Nokogiri vulnerability. sparklemotion/nokogiri#1992
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Feb 16, 2020
Upstream changelog (from CHANGELOG.md):

## 1.10.8 / 2020-02-10

### Security

[MRI] Pulled in upstream patch from libxml that addresses CVE-2020-7595.
Full details are available in [#1992](sparklemotion/nokogiri#1992).
Note that this patch is not yet (as of 2020-02-10) in an upstream release of libxml.
primeos added a commit to NixOS/nixpkgs that referenced this issue Feb 28, 2020
primeos added a commit to NixOS/nixpkgs that referenced this issue Feb 28, 2020
primeos added a commit to NixOS/nixpkgs that referenced this issue Feb 28, 2020
primeos added a commit to NixOS/nixpkgs that referenced this issue Feb 28, 2020
This updates nokogiri to 1.10.8 for CVE-2020-7595 [0].

[0]: sparklemotion/nokogiri#1992

(cherry picked from commit a0d61c0)
primeos added a commit to NixOS/nixpkgs that referenced this issue Feb 28, 2020
This updates nokogiri to 1.10.8 for CVE-2020-7595 [0].

[0]: sparklemotion/nokogiri#1992

(cherry picked from commit 9b0defc)
primeos added a commit to NixOS/nixpkgs that referenced this issue Feb 28, 2020
This updates nokogiri to 1.10.8 for CVE-2020-7595 [0].

[0]: sparklemotion/nokogiri#1992

(cherry picked from commit ad0c620)
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this issue Feb 29, 2020
This updates nokogiri to 1.10.8 for CVE-2020-7595 [0].

[0]: sparklemotion/nokogiri#1992

(cherry picked from commit a0d61c0)
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this issue Feb 29, 2020
This updates nokogiri to 1.10.8 for CVE-2020-7595 [0].

[0]: sparklemotion/nokogiri#1992

(cherry picked from commit ad0c620)
senid231 added a commit to senid231/didww-v3-rails-sample that referenced this issue Feb 10, 2021
Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: sprockets
Version: 3.7.1
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8
wenderjean pushed a commit to Codeminer42/Punchclock that referenced this issue Aug 30, 2021
* Rake upgraded to 12.3.3
	Issue: GHSA-jppv-gw3r-w3q8
* Nokogiri upgraded to 1.10.8
	Issue: sparklemotion/nokogiri#1992
mediafinger added a commit to mediafinger/wahlgenial-webapp that referenced this issue Apr 19, 2022
…VEs)

It found the following 53 vulnerabilities:

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22904
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2022-23633
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
Title: Possible exposure of information vulnerability in Action Pack
Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activerecord
Version: 5.1.4
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: addressable
Version: 2.5.2
Advisory: CVE-2021-32740
Criticality: High
URL: GHSA-jxhc-q857-3j6g
Title: Regular Expression Denial of Service in Addressable templates
Solution: upgrade to >= 2.8.0

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21288
Criticality: Medium
URL: GHSA-fwcm-636p-68r5
Title: Server-side request forgery in CarrierWave
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21305
Criticality: High
URL: GHSA-cf3w-g86h-35x4
Title: Code Injection vulnerability in CarrierWave::RMagick
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Title: Potential XSS vulnerability in jQuery
Solution: upgrade to >= 4.4.0

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: jquery-ui-rails
Version: 5.0.5
Advisory: CVE-2016-7103
Criticality: Medium
URL: jquery/api.jqueryui.com#281
Title: XSS Vulnerability on closeText option of Dialog jQuery UI
Solution: upgrade to >= 6.0.0

Name: kaminari
Version: 1.1.1
Advisory: CVE-2020-11082
Criticality: Medium
URL: GHSA-r5jw-62xg-j433
Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
Solution: upgrade to >= 1.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Medium
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: mini_magick
Version: 4.8.0
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Title: Remote command execution via filename
Solution: upgrade to >= 4.9.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-41098
Criticality: High
URL: GHSA-2rr5-8q37-2w7h
Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Solution: upgrade to >= 1.12.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: High
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24839
Criticality: High
URL: GHSA-9849-p7jc-9rmv
Title: Denial of Service (DoS) in Nokogiri on JRuby
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-23437
Criticality: Medium
URL: GHSA-xxx9-3xcr-gjj3
Title: XML Injection in Xerces Java affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-30560
Criticality: High
URL: GHSA-fq42-c5rg-92c2
Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Solution: upgrade to >= 1.13.2

Name: nokogiri
Version: 1.8.1
Advisory: GHSA-7rrm-v45f-jp64
Criticality: High
URL: GHSA-7rrm-v45f-jp64
Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Solution: upgrade to >= 1.11.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-25032
Criticality: High
URL: GHSA-v6gp-9mmm-c6p5
Title: Out-of-bounds Write in zlib affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24836
Criticality: High
URL: GHSA-crjr-9rc5-ghw8
Title: Inefficient Regular Expression Complexity in Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: puma
Version: 4.3.3
Advisory: CVE-2021-29509
Criticality: High
URL: GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: upgrade to ~> 4.3.8, >= 5.3.1

Name: puma
Version: 4.3.3
Advisory: CVE-2022-24790
Criticality: Critical
URL: GHSA-h99w-9q5r-gjq9
Title: HTTP Request Smuggling in puma
Solution: upgrade to ~> 4.3.12, >= 5.6.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11076
Criticality: High
URL: GHSA-x7jg-6pwg-fx5h
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.5, >= 4.3.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11077
Criticality: Medium
URL: GHSA-w64w-qqph-5gxm
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.6, >= 4.3.5

Name: puma
Version: 4.3.3
Advisory: CVE-2022-23634
Criticality: High
URL: GHSA-rmj8-8hhh-gv5h
Title: Information Exposure with Puma when used with Rails
Solution: upgrade to ~> 4.3.11, >= 5.6.2

Name: puma
Version: 4.3.3
Advisory: CVE-2021-41136
Criticality: Low
URL: GHSA-48w2-rm65-62xx
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Solution: upgrade to ~> 4.3.9, >= 5.5.1

Name: rack
Version: 2.2.2
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2020-36190
Criticality: Medium
URL: railsadminteam/rails_admin@d72090e
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to ~> 1.4.3, >= 2.0.2

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2017-12098
Criticality: Medium
URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to >= 1.3.0

Name: rake
Version: 12.3.0
Advisory: CVE-2020-8130
Criticality: High
URL: GHSA-jppv-gw3r-w3q8
Title: OS Command Injection in Rake
Solution: upgrade to >= 12.3.3

Name: redcarpet
Version: 3.4.0
Advisory: CVE-2020-26298
Criticality: Medium
URL: vmg/redcarpet@a699c82
Title: Injection/XSS in Redcarpet
Solution: upgrade to >= 3.5.1

Name: websocket-extensions
Version: 0.1.3
Advisory: CVE-2020-7663
Criticality: High
URL: GHSA-g6wq-qcwm-j5g2
Title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
Solution: upgrade to >= 0.1.5
mediafinger added a commit to mediafinger/wahlgenial-webapp that referenced this issue Apr 19, 2022
…VEs)

It found the following 53 vulnerabilities:

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22904
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2022-23633
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
Title: Possible exposure of information vulnerability in Action Pack
Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activerecord
Version: 5.1.4
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: addressable
Version: 2.5.2
Advisory: CVE-2021-32740
Criticality: High
URL: GHSA-jxhc-q857-3j6g
Title: Regular Expression Denial of Service in Addressable templates
Solution: upgrade to >= 2.8.0

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21288
Criticality: Medium
URL: GHSA-fwcm-636p-68r5
Title: Server-side request forgery in CarrierWave
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21305
Criticality: High
URL: GHSA-cf3w-g86h-35x4
Title: Code Injection vulnerability in CarrierWave::RMagick
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Title: Potential XSS vulnerability in jQuery
Solution: upgrade to >= 4.4.0

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: jquery-ui-rails
Version: 5.0.5
Advisory: CVE-2016-7103
Criticality: Medium
URL: jquery/api.jqueryui.com#281
Title: XSS Vulnerability on closeText option of Dialog jQuery UI
Solution: upgrade to >= 6.0.0

Name: kaminari
Version: 1.1.1
Advisory: CVE-2020-11082
Criticality: Medium
URL: GHSA-r5jw-62xg-j433
Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
Solution: upgrade to >= 1.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Medium
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: mini_magick
Version: 4.8.0
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Title: Remote command execution via filename
Solution: upgrade to >= 4.9.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-41098
Criticality: High
URL: GHSA-2rr5-8q37-2w7h
Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Solution: upgrade to >= 1.12.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: High
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24839
Criticality: High
URL: GHSA-9849-p7jc-9rmv
Title: Denial of Service (DoS) in Nokogiri on JRuby
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-23437
Criticality: Medium
URL: GHSA-xxx9-3xcr-gjj3
Title: XML Injection in Xerces Java affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-30560
Criticality: High
URL: GHSA-fq42-c5rg-92c2
Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Solution: upgrade to >= 1.13.2

Name: nokogiri
Version: 1.8.1
Advisory: GHSA-7rrm-v45f-jp64
Criticality: High
URL: GHSA-7rrm-v45f-jp64
Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Solution: upgrade to >= 1.11.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-25032
Criticality: High
URL: GHSA-v6gp-9mmm-c6p5
Title: Out-of-bounds Write in zlib affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24836
Criticality: High
URL: GHSA-crjr-9rc5-ghw8
Title: Inefficient Regular Expression Complexity in Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: puma
Version: 4.3.3
Advisory: CVE-2021-29509
Criticality: High
URL: GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: upgrade to ~> 4.3.8, >= 5.3.1

Name: puma
Version: 4.3.3
Advisory: CVE-2022-24790
Criticality: Critical
URL: GHSA-h99w-9q5r-gjq9
Title: HTTP Request Smuggling in puma
Solution: upgrade to ~> 4.3.12, >= 5.6.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11076
Criticality: High
URL: GHSA-x7jg-6pwg-fx5h
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.5, >= 4.3.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11077
Criticality: Medium
URL: GHSA-w64w-qqph-5gxm
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.6, >= 4.3.5

Name: puma
Version: 4.3.3
Advisory: CVE-2022-23634
Criticality: High
URL: GHSA-rmj8-8hhh-gv5h
Title: Information Exposure with Puma when used with Rails
Solution: upgrade to ~> 4.3.11, >= 5.6.2

Name: puma
Version: 4.3.3
Advisory: CVE-2021-41136
Criticality: Low
URL: GHSA-48w2-rm65-62xx
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Solution: upgrade to ~> 4.3.9, >= 5.5.1

Name: rack
Version: 2.2.2
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2020-36190
Criticality: Medium
URL: railsadminteam/rails_admin@d72090e
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to ~> 1.4.3, >= 2.0.2

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2017-12098
Criticality: Medium
URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to >= 1.3.0

Name: rake
Version: 12.3.0
Advisory: CVE-2020-8130
Criticality: High
URL: GHSA-jppv-gw3r-w3q8
Title: OS Command Injection in Rake
Solution: upgrade to >= 12.3.3

Name: redcarpet
Version: 3.4.0
Advisory: CVE-2020-26298
Criticality: Medium
URL: vmg/redcarpet@a699c82
Title: Injection/XSS in Redcarpet
Solution: upgrade to >= 3.5.1

Name: websocket-extensions
Version: 0.1.3
Advisory: CVE-2020-7663
Criticality: High
URL: GHSA-g6wq-qcwm-j5g2
Title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
Solution: upgrade to >= 0.1.5
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

1 participant