Fixed CVEs

Name: actionpack
Version: 5.2.3
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.2.3
CVE: CVE-2022-22577
GHSA: GHSA-mm33-5vfq-3mm3
Criticality: Unknown
URL: https://groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
Title: Possible XSS Vulnerability in Action Pack
Solution: upgrade to ~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4

Name: actionpack
Version: 5.2.3
CVE: CVE-2020-8166
GHSA: GHSA-jp5v-5gx4-jmj9
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.2.3
CVE: CVE-2020-8164
GHSA: GHSA-8727-m6gj-mc37
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.2.3
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.2.3
CVE: CVE-2022-23633
GHSA: GHSA-wh98-p28r-vrc9
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
Title: Possible exposure of information vulnerability in Action Pack
Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2

Name: actionview
Version: 5.2.3
CVE: CVE-2020-15169
GHSA: GHSA-cfjv-5498-mph5
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.2.3
CVE: CVE-2020-5267
GHSA: GHSA-65cv-r6x7-79hv
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.2.3
CVE: CVE-2022-27777
GHSA: GHSA-ch3h-j2vf-95pv
Criticality: Unknown
URL: https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
Title: Possible XSS Vulnerability in Action View tag helpers
Solution: upgrade to ~> 5.2.7, >= 5.2.7.1, ~> 6.0.4, >= 6.0.4.8, ~> 6.1.5, >= 6.1.5.1, >= 7.0.2.4

Name: actionview
Version: 5.2.3
CVE: CVE-2020-8167
GHSA: GHSA-xq5j-gw7f-jgj8
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: activerecord
Version: 5.2.3
CVE: CVE-2021-22880
GHSA: GHSA-8hc4-xxm3-5ppp
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activestorage
Version: 5.2.3
CVE: CVE-2022-21831
GHSA: GHSA-w749-p3v6-hccq
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/n-p-W1yxatI
Title: Possible code injection vulnerability in Rails / Active Storage
Solution: upgrade to ~> 5.2.6, >= 5.2.6.3, ~> 6.0.4, >= 6.0.4.7, ~> 6.1.4, >= 6.1.4.7, >= 7.0.2.3

Name: activestorage
Version: 5.2.3
CVE: CVE-2020-8162
GHSA: GHSA-m42x-37p3-fv5w
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
Title: Circumvention of file size limits in ActiveStorage
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: activesupport
Version: 5.2.3
CVE: CVE-2020-8165
GHSA: GHSA-2p68-f74v-9wc6
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: loofah
Version: 2.2.3
CVE: CVE-2019-15587
GHSA: GHSA-c3gv-9cxf-6f57
Criticality: Medium
URL: https://github.com/flavorjones/loofah/issues/171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.10.4
CVE: CVE-2021-41098
GHSA: GHSA-2rr5-8q37-2w7h
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-2rr5-8q37-2w7h
Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Solution: upgrade to >= 1.12.5

Name: nokogiri
Version: 1.10.4
CVE: CVE-2022-24839
GHSA: GHSA-gx8x-g87m-h5q6
Criticality: High
URL: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
Title: Denial of Service (DoS) in Nokogiri on JRuby
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.10.4
CVE: CVE-2022-23437
GHSA: GHSA-xxx9-3xcr-gjj3
Criticality: Medium
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
Title: XML Injection in Xerces Java affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.10.4
CVE: CVE-2021-30560
GHSA: GHSA-fq42-c5rg-92c2
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Solution: upgrade to >= 1.13.2

Name: nokogiri
Version: 1.10.4
GHSA: GHSA-7rrm-v45f-jp64
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-7rrm-v45f-jp64
Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Solution: upgrade to >= 1.11.4

Name: nokogiri
Version: 1.10.4
CVE: CVE-2018-25032
GHSA: GHSA-v6gp-9mmm-c6p5
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
Title: Out-of-bounds Write in zlib affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.10.4
CVE: CVE-2020-7595
GHSA: GHSA-7553-jr98-vx47
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.10.4
CVE: CVE-2019-13117
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: nokogiri
Version: 1.10.4
CVE: CVE-2022-24836
GHSA: GHSA-crjr-9rc5-ghw8
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Title: Inefficient Regular Expression Complexity in Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.10.4
CVE: CVE-2020-26247
GHSA: GHSA-vr8q-g5c7-m54m
Criticality: Low
URL: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: rack
Version: 2.0.7
CVE: CVE-2020-8184
GHSA: GHSA-j6w9-fv6q-3q52
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rack
Version: 2.0.7
CVE: CVE-2020-8161
GHSA: GHSA-5f9h-9pjv-v6j7
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: rack
Version: 2.0.7
CVE: CVE-2019-16782
GHSA: GHSA-hrqr-hxpp-chr3
Criticality: Medium
URL: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Title: Possible information leak / session hijack vulnerability
Solution: upgrade to ~> 1.6.12, >= 2.0.8

Name: websocket-extensions
Version: 0.1.4
CVE: CVE-2020-7663
GHSA: GHSA-g6wq-qcwm-j5g2
Criticality: High
URL: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
Title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
Solution: upgrade to >= 0.1.5
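
The report above lists each advisory's fixed ranges on a single "Solution" line, joined with commas. A practitioner reviewing the merge request wants two things the list does not give directly: a check that the new Gemfile.lock actually satisfies every range, and a warning about how to read those lines. A range such as "~> 5.2.4, >= 5.2.4.3" is one compound requirement (5.2.4.3 up to, but not including, 5.3), and ">= 6.0.3.1" is a separate alternative; a version is fixed if it satisfies any one of them. Feeding the whole comma-joined line to Gem::Requirement as a single requirement produces a constraint no version can meet. The script below is an added example, not part of this merge request or of bundler-audit; it uses only Ruby's built-in Gem::Version and Gem::Requirement. The grouping of each Solution line into ranges, the six-advisory subset, and the two Gemfile.lock excerpts are my own constructions for the demonstration.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement (stdlib, normally preloaded)

# Subset of the advisories from the report above. The split of each printed
# "Solution" line into separate ranges is my reading of the output, not
# something the report states; each element is one range, and an installed
# version is fixed if it satisfies ANY of them.
ADVISORIES = [
  { gem: 'actionpack', id: 'CVE-2020-8166',
    patched: ['~> 5.2.4, >= 5.2.4.3', '>= 6.0.3.1'] },
  { gem: 'actionpack', id: 'CVE-2022-22577',
    patched: ['~> 5.2.7, >= 5.2.7.1', '~> 6.0.4, >= 6.0.4.8',
              '~> 6.1.5, >= 6.1.5.1', '>= 7.0.2.4'] },
  { gem: 'loofah',               id: 'CVE-2019-15587', patched: ['>= 2.3.1'] },
  { gem: 'nokogiri',             id: 'CVE-2020-26247', patched: ['>= 1.11.0.rc4'] },
  { gem: 'rack',                 id: 'CVE-2019-16782', patched: ['~> 1.6.12', '>= 2.0.8'] },
  { gem: 'websocket-extensions', id: 'CVE-2020-7663',  patched: ['>= 0.1.5'] },
].freeze

# Collect "name (version)" entries from a Gemfile.lock's GEM/specs section.
# Resolved specs are indented exactly four spaces; deeper lines are their
# dependencies and are skipped. Platform-suffixed entries (e.g. "-x86_64-linux")
# are out of scope here.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions[m[1]] = Gem::Version.new(m[2])
    end
  end
  versions
end

# True if the version satisfies at least one of the advisory's fixed ranges.
def patched?(version, ranges)
  ranges.any? { |r| Gem::Requirement.new(r.split(', ')).satisfied_by?(version) }
end

# Advisories whose gem is present in the lockfile at an unfixed version.
def unpatched(versions, advisories = ADVISORIES)
  advisories
    .select { |a| (v = versions[a[:gem]]) && !patched?(v, a[:patched]) }
    .map    { |a| "#{a[:gem]} #{versions[a[:gem]]}: #{a[:id]}" }
end

# The pitfall: treating the flattened Solution line as ONE requirement.
# "~> 5.2.4" and ">= 6.0.3.1" cannot both hold, so this is never satisfied.
def flat_requirement_satisfied?(solution_line, version)
  Gem::Requirement.new(solution_line.split(', ')).satisfied_by?(Gem::Version.new(version))
end

# Constructed lockfile excerpts: the versions listed in the report, and a set
# of versions that meets every Solution line for the advisories above.
BEFORE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.3)
        actionview (= 5.2.3)
      loofah (2.2.3)
      nokogiri (1.10.4)
      rack (2.0.7)
      websocket-extensions (0.1.4)
LOCK

AFTER = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.7.1)
      loofah (2.3.1)
      nokogiri (1.13.4)
      rack (2.2.3)
      websocket-extensions (0.1.5)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "before: #{unpatched(locked_versions(BEFORE)).inspect}"
  puts "after:  #{unpatched(locked_versions(AFTER)).inspect}"
  puts "flat line satisfied by 5.2.4.3? #{flat_requirement_satisfied?('~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1', '5.2.4.3')}"
end
```

Run it against the real Gemfile.lock from the branch by replacing the constructed excerpts with `File.read('Gemfile.lock')`; an empty result from `unpatched` for the full advisory list is the condition the merge request needs to meet.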
