Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

Closed
flavorjones opened this issue Aug 15, 2018 · 3 comments
Closed

Investigate Ubuntu libxml2 patches in USN-3739-1 and USN-3739-2 #1785

flavorjones opened this issue Aug 15, 2018 · 3 comments

Comments

@flavorjones
Copy link
Member

flavorjones commented Aug 15, 2018

This issue is to drive investigation and potential action around a set of upstream patches that Canonical judged valuable enough to port to their distributions.

References:


Summary:

Two upstream patches, not yet available in an official libxml2 release, are candidates for patching in Nokogiri's vendored libxml2. A pull request has been created at #1786 for comments.

@flavorjones
Copy link
Member Author

USNs

https://usn.ubuntu.com/3739-1/ which addresses:

and https://usn.ubuntu.com/3739-2/ which addresses:

Note that 3739-2 addresses a subset of 3739-1.

CVEs

CVE-2016-9318

Permalink is https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-9318.html

Description:

libxml2 2.9.4 and earlier, as used in XMLSec 1.2.23 and earlier and other products, does not offer a flag directly indicating that the current document may be read but other files may not be opened, which makes it easier for remote attackers to conduct XML External Entity (XXE) attacks via a crafted document.

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates this is the patch that addresses the vulnerability:

https://git.gnome.org/browse/libxml2/commit/?id=ad88b54f1a28a8565964a370b5d387927b633c0d

Looking at libxml upstream:

$ git tag --contains ad88b54f1a28a8565964a370b5d387927b633c0d
v2.9.8
v2.9.8-rc1

... we see this was fixed in libxml 2.9.8, which Nokogiri has vendored since v1.8.3.

CVE-2017-16932

Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html

Description:

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates that this is the patch that addresses the vulnerability:

GNOME/libxml2@899a5d9

Looking at libxml upstream:

$ git tag --contains 899a5d9f0ed13b8e32449a08a361e0de127dd961 | cat
v2.9.5
v2.9.5-rc1
v2.9.5-rc2
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8
v2.9.8-rc1

... we see this has been fixed since libxml 2.9.5, which Nokogiri has vendored since v1.8.1.

CVE-2017-18258

Permalink is https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18258.html

Description:

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file

Canonical rates this vulnerability as "Priority: Low"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/e2a9122b8dde53d320750451e9907a7dcb2ca8bb

Looking at libxml upstream:

$ git tag --contains e2a9122b8dde53d320750451e9907a7dcb2ca8bb | cat
v2.9.6
v2.9.6-rc1
v2.9.7
v2.9.7-rc1
v2.9.8
v2.9.8-rc1

... we see this has been fixed since libxml 2.9.6, which Nokogiri has vendored since v1.8.2.

CVE-2018-14404

Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html

Description:

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application

Canonical rates this vulnerability as "Priority: Medium"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594

Looking at libxml upstream:

$ git tag --contains a436374994c47b12d5de1b8b1d191a098fa23594 | cat

... we see that this is not yet addressed in an upstream release. This is curious.

CVE-2018-14567

Permalink is https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html

Description:

infinite loop in LZMA decompression

Canonical rates this vulnerability as "Priority: Medium"

The CVE report indicates that this is the patch that addresses the vulnerability:

https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74

Looking at libxml upstream:

$ git tag --contains 2240fbf5912054af025fb6e01e26375100275e74 | cat

... we see that this is not yet addressed in an upstream release. This is curious.

@flavorjones
Copy link
Member Author

Conclusions

Of the five CVEs addressed in this USN, these three are already addressed by Nokogiri:

The remaining two CVEs are not yet addressed in an upstream libxml2 release. Here are the commits in question:

I guess I'll try including these patches and see what happens?

flavorjones added a commit that referenced this issue Aug 15, 2018
based on USN-3739-1 and -2.

see related #1785.
@flavorjones
Copy link
Member Author

I've created a PR at #1786 for comments. Please take a look and comment there.

@flavorjones flavorjones removed this from the 1.8.5 milestone Aug 15, 2018
@flavorjones flavorjones added this to the 1.8.5 milestone Oct 4, 2018
joenas referenced this issue in joenas/preschool Oct 5, 2018

<hr>

🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨

Advisory: CVE-2018-14404
Disclosed: October 04, 2018
URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785)

<details>
<summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary>
<blockquote>
  <p>Nokogiri 1.8.5 has been released.</p>
<p>This is a security and bugfix release. It addresses two CVEs in upstream<br>
libxml2 rated as "medium" by Red Hat, for which details are below.</p>
<p>If you're using your distro's system libraries, rather than Nokogiri's<br>
vendored libraries, there's no security need to upgrade at this time,<br>
though you may want to check with your distro whether they've patched this<br>
(Canonical has patched Ubuntu packages). Note that these patches are not<br>
yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br>
[<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p>
<hr>
<p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br>
and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br>
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<hr>
<p>CVE-2018-14404</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p>
<p>Description:</p>
<p>A NULL pointer dereference vulnerability exists in the<br>
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br>
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br>
case. Applications processing untrusted XSL format inputs with the use of<br>
the libxml2 library may be vulnerable to a denial of service attack due<br>
to a crash of the application</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
<hr>
<p>CVE-2018-14567</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p>
<p>Description:</p>
<p>infinite loop in LZMA decompression</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
</blockquote>
</details>
<br>
🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨
<hr>


We've updated a dependency and here is what you need to know:

| name | version specification | old version | new version |
| --- | --- | --- | --- |
| nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 |



You should probably take a good look at the info here and the test results before merging this pull request, of course.

### What changed?


#### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)


<details>
<summary>Commits</summary>
<p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p>

<ul>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch &#39;fix-1773&#39;</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li>
</ul>
</details>




---
[![Depfu Status](https://depfu.com/badges/e69c6c7bda228fd38f6335ea889589cb/stats.svg)](https://depfu.com/repos/joenas/preschool?project_id=4294 "See the full overview on Depfu")

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>
<blockquote><dl>
<dt>@​depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@​depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@​depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@​depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl></blockquote>
Go to the <a href="https://depfu.com/repos/joenas/preschool?project_id=4294">Depfu Dashboard</a> to see the state of your dependencies and to customize how Depfu works.
</details>
roback added a commit to twingly/feedjira.herokuapp.com that referenced this issue Oct 5, 2018
roback added a commit to twingly/feedbag.herokuapp.com that referenced this issue Oct 5, 2018
wassimk referenced this issue in tulsarb/movies Oct 5, 2018

<hr>

🚨 <b>Your version of nokogiri has known security vulnerabilities</b> 🚨

Advisory: CVE-2018-14404
Disclosed: October 04, 2018
URL: [https://github.com/sparklemotion/nokogiri/issues/1785](https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785)

<details>
<summary>Nokogiri gem, via libxml2, is affected by multiple vulnerabilities</summary>
<blockquote>
  <p>Nokogiri 1.8.5 has been released.</p>
<p>This is a security and bugfix release. It addresses two CVEs in upstream<br>
libxml2 rated as "medium" by Red Hat, for which details are below.</p>
<p>If you're using your distro's system libraries, rather than Nokogiri's<br>
vendored libraries, there's no security need to upgrade at this time,<br>
though you may want to check with your distro whether they've patched this<br>
(Canonical has patched Ubuntu packages). Note that these patches are not<br>
yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<p>Full details about the security update are available in Github Issue <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>.<br>
[<a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>]: <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a></p>
<hr>
<p>[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404<br>
and CVE-2018-14567. Full details are available in <a href="https://bounce.depfu.com/github.com/sparklemotion/nokogiri/issues/1785">#1785</a>. Note that these<br>
patches are not yet (as of 2018-10-04) in an upstream release of libxml2.</p>
<hr>
<p>CVE-2018-14404</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14404.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html</a></p>
<p>Description:</p>
<p>A NULL pointer dereference vulnerability exists in the<br>
xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when<br>
parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR<br>
case. Applications processing untrusted XSL format inputs with the use of<br>
the libxml2 library may be vulnerable to a denial of service attack due<br>
to a crash of the application</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
<hr>
<p>CVE-2018-14567</p>
<p>Permalink:</p>
<p><a href="https://people.canonical.com/%7Eubuntu-security/cve/2018/CVE-2018-14567.html">https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html</a></p>
<p>Description:</p>
<p>infinite loop in LZMA decompression</p>
<p>Canonical rates this vulnerability as "Priority: Medium"</p>
</blockquote>
</details>
<br>
🚨 <b>We recommend to merge and deploy this update as soon as possible!</b> 🚨
<hr>


We've updated a dependency and here is what you need to know:

| name | version specification | old version | new version |
| --- | --- | --- | --- |
| nokogiri | _indirect dependency_ | 1.8.4 | 1.8.5 |



You should probably take a good look at the info here and the test results before merging this pull request, of course.

### What changed?


#### ↗️ nokogiri (_indirect_, 1.8.4 → 1.8.5) · [Repo](https://github.com/sparklemotion/nokogiri/) · [Changelog](https://github.com/sparklemotion/nokogiri/blob/master/CHANGELOG.md)


<details>
<summary>Commits</summary>
<p><a href="https://github.com/sparklemotion/nokogiri/compare/254f3414811b6d2fff8b0630efe4ce8d29778fb6...e28fa4bb2ed6844c3c63f58062d034e7b99fc90c">See the full diff on Github</a>. The new version differs by 11 commits:</p>

<ul>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/e28fa4bb2ed6844c3c63f58062d034e7b99fc90c"><code>version bump to v1.8.5</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/712edef8a8c7fa593e09517891d336758af42cba"><code>update changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7feb4c167a9ae1ba4e87923597ba7e7b309b1713"><code>Merge branch &#39;fix-1773&#39;</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7cc6cf6a74bd718b46182f0e646b63ff0a00f728"><code>Organize imports in XmlNode.java.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/169744261c5c023dff40de0811a826ad4d1fcc05"><code>Allow reparenting nodes to be a child of an empty document.</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/7b8cd0f5b15a926e92c869b450dd6f71cdd17b61"><code>Merge pull request #1786 from sparklemotion/1785-canonical-usns</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/5bff4bb3f1692069c617f4333b2ccc5570f0f414"><code>pull in upstream libxml2 patches</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/c232226448a44bb81220d3750a6453a0aef88fb1"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/862b88f39264b7b5e223a63e3d4d0eeade4db9ff"><code>changelog</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/b3750eb71e101287aa0e7a231232222c7213b3f3"><code>remove `-Wextra` CFLAG</code></a></li>
<li><a href="https://github.com/sparklemotion/nokogiri/commit/91a63d55eb92ef0bcb141b6c094a28ef026eaf16"><code>add tests for pkg-config failure scenario</code></a></li>
</ul>
</details>




---
![Depfu Status](https://depfu.com/badges/0a723c09b68149a932bdb420ef5f5e4e/stats.svg)

[Depfu](https://depfu.com) will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with `@depfu rebase`.

<details><summary>All Depfu comment commands</summary>
<blockquote><dl>
<dt>@​depfu rebase</dt><dd>Rebases against your default branch and redoes this update</dd>
<dt>@​depfu pause</dt><dd>Ignores all future updates for this dependency and closes this PR</dd>
<dt>@​depfu pause [minor|major]</dt><dd>Ignores all future minor/major updates for this dependency and closes this PR</dd>
<dt>@​depfu resume</dt><dd>Future versions of this dependency will create PRs again (leaves this PR as is)</dd>
</dl></blockquote>
</details>
SViccari added a commit to bostonrb/bostonrubygroup.com that referenced this issue Oct 5, 2018
Bundler-audit report the following security advisory for nokogiri. This
PR updates nokogiri to the recommended version.

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple
vulnerabilities
Solution: upgrade to >= 1.8.5
phallstrom added a commit to railslink/railslink that referenced this issue Oct 7, 2018
see https://circleci.com/gh/railslink/railslink/138

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5
phallstrom added a commit to railslink/railslink that referenced this issue Oct 7, 2018
see https://circleci.com/gh/railslink/railslink/138

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5
mjankowski added a commit to mjankowski/rubygems.org that referenced this issue Oct 11, 2018
AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
AdrianCann added a commit to sophomoric/secret that referenced this issue Oct 14, 2018
ruby-advisory-db: 323 advisories
Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rubyzip
Version: 1.2.1
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: rubyzip/rubyzip#369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2
rainerdema added a commit to nebulab/solidus_static_content-1 that referenced this issue Oct 18, 2018
Updated 'deface' to update 'nokogiri' dependency gem after vulnerability 
checks with 'audit':
Nokogiri gem, via libxml2, is affected by multiple vulnerabilities.

sparklemotion/nokogiri#1785
hugopl pushed a commit to hugopl/reviewit that referenced this issue Oct 22, 2018
Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities

Name: nokogiri
Version: 1.8.2
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS

Name: sprockets
Version: 2.12.4
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Nov 1, 2018
Upstream changes (from CHANGELOG.md):

# 1.8.5 / 2018-10-04

## Security Notes

[MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
and CVE-2018-14567. Full details are available in [#1785]
(sparklemotion/nokogiri#1785).
Note that these patches are not yet (as of 2018-10-04) in an upstream
release of libxml2.


## Bug fixes

* [MRI] Fix regression in installation when building against system
  libraries, where some systems would not be able to find libxml2 or
  libxslt when present. (Regression introduced in v1.8.3.) [#1722]
* [JRuby] Fix node reparenting when the destination doc is empty. [#1773]
Koronen added a commit to stringer-rss/stringer that referenced this issue Nov 1, 2018
As reported by `bundler-audit`:

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5
frederikspang pushed a commit to frederikspang/rails-html-sanitizer that referenced this issue Nov 2, 2018
matt-hh added a commit to produktgenuss/administrate that referenced this issue Nov 13, 2018
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes thoughtbot#1225
composerinteralia pushed a commit to thoughtbot/administrate that referenced this issue Nov 28, 2018
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes #1225
gabebw added a commit to hotline-webring/hotline-webring that referenced this issue Dec 12, 2018
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
gabebw added a commit to hotline-webring/hotline-webring that referenced this issue Dec 12, 2018
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
mapopa added a commit to mapopa/backup that referenced this issue Jan 22, 2019
Koronen added a commit to Koronen/koronen.github.io that referenced this issue Jan 22, 2019
Address a couple of CVEs (as reported by `bundler-audit`).

    Name: ffi
    Version: 1.9.23
    Advisory: CVE-2018-1000201
    Criticality: High
    URL: https://github.com/ffi/ffi/releases/tag/1.9.24
    Title: ruby-ffi DDL loading issue on Windows OS
    Solution: upgrade to >= 1.9.24

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: nokogiri
    Version: 1.8.2
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: rubyzip
    Version: 1.2.1
    Advisory: CVE-2018-1000544
    Criticality: Unknown
    URL: rubyzip/rubyzip#369
    Title: Directory Traversal in rubyzip
    Solution: upgrade to >= 1.2.2
alexdean added a commit to alexdean/focus_group that referenced this issue Jun 25, 2019
$ bundle exec bundle-audit check

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6

Name: railties
Version: 5.2.1
Advisory: CVE-2019-5420
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
Title: Possible Remote Code Execution Exploit in Rails Development Mode
Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Vulnerabilities found!
svqualitydev pushed a commit to svqualitydev/admin-cms that referenced this issue Dec 16, 2019
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes #1225
senid231 added a commit to senid231/didww-v3-rails-sample that referenced this issue Feb 10, 2021
Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4.3, >= 6.0.3.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8161
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: rack
Version: 2.0.8
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: sprockets
Version: 3.7.1
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8
francois added a commit to francois/scoutinv that referenced this issue Nov 14, 2021
Numerous CVEs found:

     Name: loofah
     Version: 2.2.2
     Advisory: CVE-2018-16468
     Criticality: Unknown
     URL: flavorjones/loofah#154
     Title: Loofah XSS Vulnerability
     Solution: upgrade to >= 2.2.3

     Name: nokogiri
     Version: 1.8.4
     Advisory: CVE-2018-14404
     Criticality: Unknown
     URL: sparklemotion/nokogiri#1785
     Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
     Solution: upgrade to >= 1.8.5

     Name: rack
     Version: 2.0.5
     Advisory: CVE-2018-16470
     Criticality: Unknown
     URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
     Title: Possible DoS vulnerability in Rack
     Solution: upgrade to >= 2.0.6

     Name: rack
     Version: 2.0.5
     Advisory: CVE-2018-16471
     Criticality: Unknown
     URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
     Title: Possible XSS vulnerability in Rack
     Solution: upgrade to ~> 1.6.11, >= 2.0.6
mediafinger added a commit to mediafinger/wahlgenial-webapp that referenced this issue Apr 19, 2022
…VEs)

It found the following 53 vulnerabilities:

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22904
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2022-23633
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
Title: Possible exposure of information vulnerability in Action Pack
Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activerecord
Version: 5.1.4
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: addressable
Version: 2.5.2
Advisory: CVE-2021-32740
Criticality: High
URL: GHSA-jxhc-q857-3j6g
Title: Regular Expression Denial of Service in Addressable templates
Solution: upgrade to >= 2.8.0

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21288
Criticality: Medium
URL: GHSA-fwcm-636p-68r5
Title: Server-side request forgery in CarrierWave
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21305
Criticality: High
URL: GHSA-cf3w-g86h-35x4
Title: Code Injection vulnerability in CarrierWave::RMagick
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Title: Potential XSS vulnerability in jQuery
Solution: upgrade to >= 4.4.0

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: jquery-ui-rails
Version: 5.0.5
Advisory: CVE-2016-7103
Criticality: Medium
URL: jquery/api.jqueryui.com#281
Title: XSS Vulnerability on closeText option of Dialog jQuery UI
Solution: upgrade to >= 6.0.0

Name: kaminari
Version: 1.1.1
Advisory: CVE-2020-11082
Criticality: Medium
URL: GHSA-r5jw-62xg-j433
Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
Solution: upgrade to >= 1.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Medium
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: mini_magick
Version: 4.8.0
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Title: Remote command execution via filename
Solution: upgrade to >= 4.9.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-41098
Criticality: High
URL: GHSA-2rr5-8q37-2w7h
Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Solution: upgrade to >= 1.12.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: High
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24839
Criticality: High
URL: GHSA-9849-p7jc-9rmv
Title: Denial of Service (DoS) in Nokogiri on JRuby
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-23437
Criticality: Medium
URL: GHSA-xxx9-3xcr-gjj3
Title: XML Injection in Xerces Java affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-30560
Criticality: High
URL: GHSA-fq42-c5rg-92c2
Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Solution: upgrade to >= 1.13.2

Name: nokogiri
Version: 1.8.1
Advisory: GHSA-7rrm-v45f-jp64
Criticality: High
URL: GHSA-7rrm-v45f-jp64
Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Solution: upgrade to >= 1.11.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-25032
Criticality: High
URL: GHSA-v6gp-9mmm-c6p5
Title: Out-of-bounds Write in zlib affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24836
Criticality: High
URL: GHSA-crjr-9rc5-ghw8
Title: Inefficient Regular Expression Complexity in Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: puma
Version: 4.3.3
Advisory: CVE-2021-29509
Criticality: High
URL: GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: upgrade to ~> 4.3.8, >= 5.3.1

Name: puma
Version: 4.3.3
Advisory: CVE-2022-24790
Criticality: Critical
URL: GHSA-h99w-9q5r-gjq9
Title: HTTP Request Smuggling in puma
Solution: upgrade to ~> 4.3.12, >= 5.6.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11076
Criticality: High
URL: GHSA-x7jg-6pwg-fx5h
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.5, >= 4.3.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11077
Criticality: Medium
URL: GHSA-w64w-qqph-5gxm
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.6, >= 4.3.5

Name: puma
Version: 4.3.3
Advisory: CVE-2022-23634
Criticality: High
URL: GHSA-rmj8-8hhh-gv5h
Title: Information Exposure with Puma when used with Rails
Solution: upgrade to ~> 4.3.11, >= 5.6.2

Name: puma
Version: 4.3.3
Advisory: CVE-2021-41136
Criticality: Low
URL: GHSA-48w2-rm65-62xx
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Solution: upgrade to ~> 4.3.9, >= 5.5.1

Name: rack
Version: 2.2.2
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2020-36190
Criticality: Medium
URL: railsadminteam/rails_admin@d72090e
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to ~> 1.4.3, >= 2.0.2

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2017-12098
Criticality: Medium
URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to >= 1.3.0

Name: rake
Version: 12.3.0
Advisory: CVE-2020-8130
Criticality: High
URL: GHSA-jppv-gw3r-w3q8
Title: OS Command Injection in Rake
Solution: upgrade to >= 12.3.3

Name: redcarpet
Version: 3.4.0
Advisory: CVE-2020-26298
Criticality: Medium
URL: vmg/redcarpet@a699c82
Title: Injection/XSS in Redcarpet
Solution: upgrade to >= 3.5.1

Name: websocket-extensions
Version: 0.1.3
Advisory: CVE-2020-7663
Criticality: High
URL: GHSA-g6wq-qcwm-j5g2
Title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
Solution: upgrade to >= 0.1.5
mediafinger added a commit to mediafinger/wahlgenial-webapp that referenced this issue Apr 19, 2022
…VEs)

It found the following 53 vulnerabilities:

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22885
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8166
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2020-8164
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.4
Advisory: CVE-2021-22904
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.4
Advisory: CVE-2022-23633
Criticality: High
URL: https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ
Title: Possible exposure of information vulnerability in Action Pack
Solution: upgrade to ~> 5.2.6, >= 5.2.6.2, ~> 6.0.4, >= 6.0.4.6, ~> 6.1.4, >= 6.1.4.6, >= 7.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-15169
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-5267
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.4
Advisory: CVE-2020-8167
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5419
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, ~> 5.2.2, >= 5.2.2.1, ~> 5.1.6, >= 5.1.6.2, ~> 5.0.7, >= 5.0.7.2, ~> 4.2.11, >= 4.2.11.1

Name: actionview
Version: 5.1.4
Advisory: CVE-2019-5418
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to ~> 4.2.11, >= 4.2.11.1, ~> 5.0.7, >= 5.0.7.2, ~> 5.1.6, >= 5.1.6.2, ~> 5.2.2, >= 5.2.2.1, >= 6.0.0.beta3

Name: activejob
Version: 5.1.4
Advisory: CVE-2018-16476
Criticality: High
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activerecord
Version: 5.1.4
Advisory: CVE-2021-22880
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activesupport
Version: 5.1.4
Advisory: CVE-2020-8165
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: addressable
Version: 2.5.2
Advisory: CVE-2021-32740
Criticality: High
URL: GHSA-jxhc-q857-3j6g
Title: Regular Expression Denial of Service in Addressable templates
Solution: upgrade to >= 2.8.0

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21288
Criticality: Medium
URL: GHSA-fwcm-636p-68r5
Title: Server-side request forgery in CarrierWave
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: carrierwave
Version: 1.2.1
Advisory: CVE-2021-21305
Criticality: High
URL: GHSA-cf3w-g86h-35x4
Title: Code Injection vulnerability in CarrierWave::RMagick
Solution: upgrade to ~> 1.3.2, >= 2.1.1

Name: ffi
Version: 1.9.18
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2020-11023
Criticality: Medium
URL: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
Title: Potential XSS vulnerability in jQuery
Solution: upgrade to >= 4.4.0

Name: jquery-rails
Version: 4.3.1
Advisory: CVE-2019-11358
Criticality: Medium
URL: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
Title: Prototype pollution attack through jQuery $.extend
Solution: upgrade to >= 4.3.4

Name: jquery-ui-rails
Version: 5.0.5
Advisory: CVE-2016-7103
Criticality: Medium
URL: jquery/api.jqueryui.com#281
Title: XSS Vulnerability on closeText option of Dialog jQuery UI
Solution: upgrade to >= 6.0.0

Name: kaminari
Version: 1.1.1
Advisory: CVE-2020-11082
Criticality: Medium
URL: GHSA-r5jw-62xg-j433
Title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
Solution: upgrade to >= 1.2.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2019-15587
Criticality: Medium
URL: flavorjones/loofah#171
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.3.1

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-16468
Criticality: Medium
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: loofah
Version: 2.1.1
Advisory: CVE-2018-8048
Criticality: Medium
URL: flavorjones/loofah#144
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.1

Name: mini_magick
Version: 4.8.0
Advisory: CVE-2019-13574
Criticality: High
URL: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
Title: Remote command execution via filename
Solution: upgrade to >= 4.9.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-5477
Criticality: Critical
URL: sparklemotion/nokogiri#1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-41098
Criticality: High
URL: GHSA-2rr5-8q37-2w7h
Title: Improper Restriction of XML External Entity Reference (XXE) in Nokogiri on JRuby
Solution: upgrade to >= 1.12.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-14404
Criticality: High
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2017-15412
Criticality: Unknown
URL: sparklemotion/nokogiri#1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24839
Criticality: High
URL: GHSA-9849-p7jc-9rmv
Title: Denial of Service (DoS) in Nokogiri on JRuby
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-23437
Criticality: Medium
URL: GHSA-xxx9-3xcr-gjj3
Title: XML Injection in Xerces Java affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2021-30560
Criticality: High
URL: GHSA-fq42-c5rg-92c2
Title: Update packaged libxml2 (2.9.12 → 2.9.13) and libxslt (1.1.34 → 1.1.35)
Solution: upgrade to >= 1.13.2

Name: nokogiri
Version: 1.8.1
Advisory: GHSA-7rrm-v45f-jp64
Criticality: High
URL: GHSA-7rrm-v45f-jp64
Title: Update packaged dependency libxml2 from 2.9.10 to 2.9.12
Solution: upgrade to >= 1.11.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-25032
Criticality: High
URL: GHSA-v6gp-9mmm-c6p5
Title: Out-of-bounds Write in zlib affects Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2018-8048
Criticality: Unknown
URL: sparklemotion/nokogiri#1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-7595
Criticality: High
URL: sparklemotion/nokogiri#1992
Title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
Solution: upgrade to >= 1.10.8

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2019-13117
Criticality: Unknown
URL: sparklemotion/nokogiri#1943
Title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.10.5

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2022-24836
Criticality: High
URL: GHSA-crjr-9rc5-ghw8
Title: Inefficient Regular Expression Complexity in Nokogiri
Solution: upgrade to >= 1.13.4

Name: nokogiri
Version: 1.8.1
Advisory: CVE-2020-26247
Criticality: Low
URL: GHSA-vr8q-g5c7-m54m
Title: Nokogiri::XML::Schema trusts input by default, exposing risk of an XXE vulnerability
Solution: upgrade to >= 1.11.0.rc4

Name: puma
Version: 4.3.3
Advisory: CVE-2021-29509
Criticality: High
URL: GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: upgrade to ~> 4.3.8, >= 5.3.1

Name: puma
Version: 4.3.3
Advisory: CVE-2022-24790
Criticality: Critical
URL: GHSA-h99w-9q5r-gjq9
Title: HTTP Request Smuggling in puma
Solution: upgrade to ~> 4.3.12, >= 5.6.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11076
Criticality: High
URL: GHSA-x7jg-6pwg-fx5h
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.5, >= 4.3.4

Name: puma
Version: 4.3.3
Advisory: CVE-2020-11077
Criticality: Medium
URL: GHSA-w64w-qqph-5gxm
Title: HTTP Smuggling via Transfer-Encoding Header in Puma
Solution: upgrade to ~> 3.12.6, >= 4.3.5

Name: puma
Version: 4.3.3
Advisory: CVE-2022-23634
Criticality: High
URL: GHSA-rmj8-8hhh-gv5h
Title: Information Exposure with Puma when used with Rails
Solution: upgrade to ~> 4.3.11, >= 5.6.2

Name: puma
Version: 4.3.3
Advisory: CVE-2021-41136
Criticality: Low
URL: GHSA-48w2-rm65-62xx
Title: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Solution: upgrade to ~> 4.3.9, >= 5.5.1

Name: rack
Version: 2.2.2
Advisory: CVE-2020-8184
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rails-html-sanitizer
Version: 1.0.3
Advisory: CVE-2018-3741
Criticality: Unknown
URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
Title: XSS vulnerability in rails-html-sanitizer
Solution: upgrade to >= 1.0.4

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2020-36190
Criticality: Medium
URL: railsadminteam/rails_admin@d72090e
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to ~> 1.4.3, >= 2.0.2

Name: rails_admin
Version: 1.2.0
Advisory: CVE-2017-12098
Criticality: Medium
URL: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
Title: rails_admin ruby gem XSS vulnerability
Solution: upgrade to >= 1.3.0

Name: rake
Version: 12.3.0
Advisory: CVE-2020-8130
Criticality: High
URL: GHSA-jppv-gw3r-w3q8
Title: OS Command Injection in Rake
Solution: upgrade to >= 12.3.3

Name: redcarpet
Version: 3.4.0
Advisory: CVE-2020-26298
Criticality: Medium
URL: vmg/redcarpet@a699c82
Title: Injection/XSS in Redcarpet
Solution: upgrade to >= 3.5.1

Name: websocket-extensions
Version: 0.1.3
Advisory: CVE-2020-7663
Criticality: High
URL: GHSA-g6wq-qcwm-j5g2
Title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
Solution: upgrade to >= 0.1.5
KingTiger001 added a commit to KingTiger001/admin-Rails-project that referenced this issue Jan 15, 2023
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes #1225
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant