
commit by to_remotes 2025-05-09 10:43:38 +0200 from cicd

main
cicd 2025-05-09 10:43:38 +02:00
parent 0b7376e778
commit 2ac19f77ec
4 changed files with 33 additions and 7 deletions


@ -1 +1 @@
2025-05-08T11:45:22+02:00 2025-05-09T10:43:38+02:00


@ -1 +1 @@
{"version":"0.9.2","created_at":"2025-05-08 11:45:22 +0200","results":[]} {"version":"0.9.2","created_at":"2025-05-09 10:43:37 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.13"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-46727.yml","id":"CVE-2025-46727","url":"https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx","title":"Rack has an Unbounded-Parameter DoS in Rack::QueryParser","date":"2025-05-08","description":"## Summary\n\n`Rack::QueryParser` parses query strings and\n`application/x-www-form-urlencoded` bodies into Ruby data structures\nwithout imposing any limit on the number of parameters, allowing\nattackers to send requests with extremely large numbers of parameters.\n\n## Details\n\nThe vulnerability arises because `Rack::QueryParser` iterates over\neach `&`-separated key-value pair and adds it to a Hash without\nenforcing an upper bound on the total number of parameters. This\nallows an attacker to send a single request containing hundreds of\nthousands (or more) of parameters, which consumes excessive memory\nand CPU during parsing.\n\n## Impact\n\nAn attacker can trigger denial of service by sending specifically\ncrafted HTTP requests, which can cause memory exhaustion or pin CPU\nresources, stalling or crashing the Rack server. 
This results in\nfull service disruption until the affected worker is restarted.\n\n## Mitigation\n\n- Update to a version of Rack that limits the number of parameters parsed, or\n- Use middleware to enforce a maximum query string size or parameter count, or\n- Employ a reverse proxy (such as Nginx) to limit request sizes and\n reject oversized query strings or bodies.\n\nLimiting request body sizes and query string lengths at the web\nserver or CDN level is an effective mitigation.\n","cvss_v2":null,"cvss_v3":7.5,"cve":"2025-46727","osvdb":null,"ghsa":"gjh7-p2fx-99vx","unaffected_versions":[],"patched_versions":["~> 2.2.14","~> 3.0.16",">= 3.1.14"],"criticality":"high"}},{"type":"unpatched_gem","gem":{"name":"rack-session","version":"2.1.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack-session/CVE-2025-46336.yml","id":"CVE-2025-46336","url":"https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj","title":"Rack session gets restored after deletion","date":"2025-05-08","description":"## Summary\n\nWhen using the `Rack::Session::Pool` middleware, simultaneous rack\nrequests can restore a deleted rack session, which allows the\nunauthenticated user to occupy that session.\n\n## Details\n\n[Rack session middleware](https://github.com/rack/rack-session/blob/v2.1.0/lib/rack/session/abstract/id.rb#L271-L278)\nprepares the session at the beginning of request, then saves is back\nto the store with possible changes applied by host rack application.\nThis way the session becomes to be a subject of race conditions in\ngeneral sense over concurrent rack requests.\n\n## Impact\n\nWhen using the `Rack::Session::Pool` middleware, and provided the\nattacker can acquire a session cookie (already a major issue), the\nsession may be restored if the attacker can trigger a long running\nrequest (within that same session) adjacent to the user logging out,\nin order to retain illicit access even after a user has attempted to 
logout.\n\n## Mitigation\n\n- Update to the latest version of `rack-session`, or\n- Ensure your application invalidates sessions atomically by marking\n them as logged out e.g., using a `logged_out` flag, instead of\n deleting them, and check this flag on every request to prevent reuse, or\n- Implement a custom session store that tracks session invalidation\n timestamps and refuses to accept session data if the session was\n invalidated after the request began.\n\n## Related\n\nThis code was previously part of `rack` in Rack < 3, see\n<https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g>\nfor the equivalent advisory in `rack` (affecting Rack < 3 only).\n","cvss_v2":null,"cvss_v3":4.2,"cve":"2025-46336","osvdb":null,"ghsa":"9j94-67jr-4cqj","unaffected_versions":["< 2.0.0"],"patched_versions":[">= 2.1.1"],"criticality":"medium"}}]}
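Review bot: the committed JSON embeds an absolute workstation path in every `advisory.path` value (`/home/wiseadvice/.local/share/ruby-advisory-db/gems/...`); that discloses the local username and directory layout of whichever machine ran the scan and will differ from runner to runner, so either strip that field before the report is committed or keep the raw JSON out of the repository. On substance, the report now records two unpatched gems, rack 3.1.13 (CVE-2025-46727, cvss_v3 7.5, criticality high) and rack-session 2.1.0 (CVE-2025-46336, cvss_v3 4.2, criticality medium), while this commit touches only the report files and not the lockfile. The advisories themselves name the fix, `rack >= 3.1.14` (the `patched_versions` entry that applies to the 3.1.x line) and `rack-session >= 2.1.1`, and until that update lands the only protection is the interim mitigation each description lists: a request-size or parameter-count limit at the reverse proxy for the `Rack::QueryParser` DoS, and atomic session invalidation (a logged-out flag rather than deletion) for the `Rack::Session::Pool` race.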


@ -1 +1,19 @@
No vulnerabilities found Name: rack
Version: 3.1.13
CVE: CVE-2025-46727
GHSA: GHSA-gjh7-p2fx-99vx
Criticality: High
URL: https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
Title: Rack has an Unbounded-Parameter DoS in Rack::QueryParser
Solution: update to '~> 2.2.14', '~> 3.0.16', '>= 3.1.14'
Name: rack-session
Version: 2.1.0
CVE: CVE-2025-46336
GHSA: GHSA-9j94-67jr-4cqj
Criticality: Medium
URL: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
Title: Rack session gets restored after deletion
Solution: update to '>= 2.1.1'
Vulnerabilities found!
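Review bot: the text report flips from `No vulnerabilities found` to `Vulnerabilities found!`, yet the pipeline treats this like any other report refresh and simply commits the new output; a run whose last line is `Vulnerabilities found!` (or whose scanner step exits non-zero) should fail the job or open a tracking issue, otherwise the two findings are buried in a diff nobody is paged on. One nit on the rack entry: `Solution: update to '~> 2.2.14', '~> 3.0.16', '>= 3.1.14'` lists every patched branch, but for the installed 3.1.13 only `>= 3.1.14` is the forward move; the 2.2.x and 3.0.x ranges are downgrades and should not be read as alternatives.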


@ -1,7 +1,15 @@
Updating ruby-advisory-db ... Updating ruby-advisory-db ...
Already up to date. Updating 4b71fa5..1f5c25f
Fast-forward
gems/rack-session/CVE-2025-46336.yml | 58 ++++++++++++++++++++++++++++++++++++
gems/rack/CVE-2025-32441.yml | 57 +++++++++++++++++++++++++++++++++++
gems/rack/CVE-2025-46727.yml | 53 ++++++++++++++++++++++++++++++++
3 files changed, 168 insertions(+)
create mode 100644 gems/rack-session/CVE-2025-46336.yml
create mode 100644 gems/rack/CVE-2025-32441.yml
create mode 100644 gems/rack/CVE-2025-46727.yml
Updated ruby-advisory-db Updated ruby-advisory-db
ruby-advisory-db: ruby-advisory-db:
advisories: 978 advisories advisories: 981 advisories
last updated: 2025-05-04 11:51:11 -0700 last updated: 2025-05-08 20:37:31 -0700
commit: 4b71fa5ab88bbdecb125153a103637e79cde85d3 commit: 1f5c25f54aba5099d9d3525e7a7f29a32f043516
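Review bot: the log records the advisory database fast-forwarding from commit 4b71fa5 (978 advisories, last updated 2025-05-04) to 1f5c25f (981 advisories, last updated 2025-05-08), which is exactly why the two new findings appeared between yesterday's clean run and this one; keeping the full hash `1f5c25f54aba5099d9d3525e7a7f29a32f043516` in the committed log is what lets someone re-run the audit against the same database and reproduce the result, so do not drop that line when trimming the report. Of the three YAML files pulled, `gems/rack/CVE-2025-32441.yml` produced no entry in the results for rack 3.1.13 in this run; the commit message should say whether that absence was checked against the advisory's affected range, because from this log alone a reader cannot distinguish a non-applicable advisory from a scanner miss.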