sinatra-activerecord-2.0.21.gem: 7 vulnerabilities (highest severity is: 9.8) #6
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
mend-for-github-com
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.3.4.gem
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - activerecord-6.0.3.4.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.3.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.3.4.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the database (via means like SQL injection), the ability to escalate to an RCE.
Publish Date: 2022-12-05
URL: CVE-2022-32224
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3hhc-qp5v-9p2j
Release Date: 2022-12-05
Fix Resolution: activerecord - 5.2.8.1,6.0.5.1,6.1.6.1,7.0.3.1
Vulnerable Library - activerecord-6.0.3.4.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.3.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.3.4.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the
annotatequery method, theoptimizer_hintsquery method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment.Publish Date: 2023-02-09
URL: CVE-2023-22794
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hq7p-j377-6v63
Release Date: 2023-02-09
Fix Resolution: activerecord - 6.0.6.1,6.1.7.1,7.0.4.1
Vulnerable Library - activesupport-6.0.3.4.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-6.0.3.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.3.4.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Publish Date: 2023-02-09
URL: CVE-2023-22796
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-j6gc-792m-qgm2
Release Date: 2023-02-09
Fix Resolution: activesupport - 6.1.7.1,7.0.4.1
Vulnerable Library - activerecord-6.0.3.4.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.3.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.3.4.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Publish Date: 2023-02-09
URL: CVE-2022-44566
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-579w-22j4-4749
Release Date: 2023-02-09
Fix Resolution: activerecord - 6.1.7.1,7.0.4.1
Vulnerable Library - tzinfo-1.2.8.gem
TZInfo provides daylight savings aware transformations between times in different time zones.
Library home page: https://rubygems.org/gems/tzinfo-1.2.8.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/tzinfo-1.2.8.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with
requireon demand. In the affected versions,TZInfo::Timezone.getfails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later,TZInfo::Timezone.getcan be made to load unintended files withrequire, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix oftzinfo/definitionwithin a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing toTZInfo::Timezone.getby ensuring it matches the regular expression\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.Publish Date: 2022-07-21
URL: CVE-2022-31163
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-5cm2-9h8c-rvfx
Release Date: 2022-07-22
Fix Resolution: tzinfo - 0.3.61,1.2.10
Vulnerable Library - activerecord-6.0.3.4.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.0.3.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.0.3.4.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the
moneytype of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input.Publish Date: 2021-02-11
URL: CVE-2021-22880
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.6%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129
Release Date: 2021-02-11
Fix Resolution: 5.2.4.5,6.0.3.5,6.1.2.1
Vulnerable Library - activesupport-6.0.3.4.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-6.0.3.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.3.4.gem
Dependency Hierarchy:
Found in HEAD commit: 9e80ef2568d1e0d9f52f4f6143251fe7d1a9a97d
Found in base branch: main
Vulnerability Details
Active Support Possibly Discloses Locally Encrypted Files
Publish Date: 2023-07-12
URL: CVE-2023-38037
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-cr5q-6q9f-rq6q
Release Date: 2023-07-12
Fix Resolution: activesupport - 6.1.7.5,7.0.7.1
The text was updated successfully, but these errors were encountered: