commit by to_remotes 2025-05-09 10:44:11 +0200 from cicd
parent
2ac19f77ec
commit
7c8ecc6541
|
|
@ -1 +1 @@
|
||||||
2025-05-09T10:43:38+02:00
|
2025-05-09T10:44:11+02:00
|
||||||
|
|
|
||||||
|
|
@ -1 +1 @@
|
||||||
{"version":"0.9.2","created_at":"2025-05-09 10:43:37 +0200","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.13"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-46727.yml","id":"CVE-2025-46727","url":"https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx","title":"Rack has an Unbounded-Parameter DoS in Rack::QueryParser","date":"2025-05-08","description":"## Summary\n\n`Rack::QueryParser` parses query strings and\n`application/x-www-form-urlencoded` bodies into Ruby data structures\nwithout imposing any limit on the number of parameters, allowing\nattackers to send requests with extremely large numbers of parameters.\n\n## Details\n\nThe vulnerability arises because `Rack::QueryParser` iterates over\neach `&`-separated key-value pair and adds it to a Hash without\nenforcing an upper bound on the total number of parameters. This\nallows an attacker to send a single request containing hundreds of\nthousands (or more) of parameters, which consumes excessive memory\nand CPU during parsing.\n\n## Impact\n\nAn attacker can trigger denial of service by sending specifically\ncrafted HTTP requests, which can cause memory exhaustion or pin CPU\nresources, stalling or crashing the Rack server. 
This results in\nfull service disruption until the affected worker is restarted.\n\n## Mitigation\n\n- Update to a version of Rack that limits the number of parameters parsed, or\n- Use middleware to enforce a maximum query string size or parameter count, or\n- Employ a reverse proxy (such as Nginx) to limit request sizes and\n reject oversized query strings or bodies.\n\nLimiting request body sizes and query string lengths at the web\nserver or CDN level is an effective mitigation.\n","cvss_v2":null,"cvss_v3":7.5,"cve":"2025-46727","osvdb":null,"ghsa":"gjh7-p2fx-99vx","unaffected_versions":[],"patched_versions":["~> 2.2.14","~> 3.0.16",">= 3.1.14"],"criticality":"high"}},{"type":"unpatched_gem","gem":{"name":"rack-session","version":"2.1.0"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack-session/CVE-2025-46336.yml","id":"CVE-2025-46336","url":"https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj","title":"Rack session gets restored after deletion","date":"2025-05-08","description":"## Summary\n\nWhen using the `Rack::Session::Pool` middleware, simultaneous rack\nrequests can restore a deleted rack session, which allows the\nunauthenticated user to occupy that session.\n\n## Details\n\n[Rack session middleware](https://github.com/rack/rack-session/blob/v2.1.0/lib/rack/session/abstract/id.rb#L271-L278)\nprepares the session at the beginning of request, then saves is back\nto the store with possible changes applied by host rack application.\nThis way the session becomes to be a subject of race conditions in\ngeneral sense over concurrent rack requests.\n\n## Impact\n\nWhen using the `Rack::Session::Pool` middleware, and provided the\nattacker can acquire a session cookie (already a major issue), the\nsession may be restored if the attacker can trigger a long running\nrequest (within that same session) adjacent to the user logging out,\nin order to retain illicit access even after a user has attempted to 
logout.\n\n## Mitigation\n\n- Update to the latest version of `rack-session`, or\n- Ensure your application invalidates sessions atomically by marking\n them as logged out e.g., using a `logged_out` flag, instead of\n deleting them, and check this flag on every request to prevent reuse, or\n- Implement a custom session store that tracks session invalidation\n timestamps and refuses to accept session data if the session was\n invalidated after the request began.\n\n## Related\n\nThis code was previously part of `rack` in Rack < 3, see\n<https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g>\nfor the equivalent advisory in `rack` (affecting Rack < 3 only).\n","cvss_v2":null,"cvss_v3":4.2,"cve":"2025-46336","osvdb":null,"ghsa":"9j94-67jr-4cqj","unaffected_versions":["< 2.0.0"],"patched_versions":[">= 2.1.1"],"criticality":"medium"}}]}
|
{"version":"0.9.2","created_at":"2025-05-09 10:44:11 +0200","results":[]}
|
||||||
20
report.txt
20
report.txt
|
|
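Review bot: the results array goes from two unpatched gems (rack 3.1.13 and rack-session 2.1.0) to empty in the 34 seconds between the two created_at stamps, but nothing in this commit shows the dependency change that would explain it; link the lockfile commit that moved rack into one of the listed patched_versions ("~> 2.2.14", "~> 3.0.16", ">= 3.1.14") and rack-session to ">= 2.1.1", otherwise the clean report is not auditable on its own. Also, the advisory path field embeds a user home directory (/home/wiseadvice/.local/share/ruby-advisory-db/...), which leaks the runner's account name into a committed artifact; a fixed database path or stripping the path field before committing would avoid that.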
@ -1,19 +1 @@
|
||||||
Name: rack
|
No vulnerabilities found
|
||||||
Version: 3.1.13
|
|
||||||
CVE: CVE-2025-46727
|
|
||||||
GHSA: GHSA-gjh7-p2fx-99vx
|
|
||||||
Criticality: High
|
|
||||||
URL: https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
|
|
||||||
Title: Rack has an Unbounded-Parameter DoS in Rack::QueryParser
|
|
||||||
Solution: update to '~> 2.2.14', '~> 3.0.16', '>= 3.1.14'
|
|
||||||
|
|
||||||
Name: rack-session
|
|
||||||
Version: 2.1.0
|
|
||||||
CVE: CVE-2025-46336
|
|
||||||
GHSA: GHSA-9j94-67jr-4cqj
|
|
||||||
Criticality: Medium
|
|
||||||
URL: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
|
|
||||||
Title: Rack session gets restored after deletion
|
|
||||||
Solution: update to '>= 2.1.1'
|
|
||||||
|
|
||||||
Vulnerabilities found!
|
|
||||||
|
|
|
||||||
|
|
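Review bot: the new report.txt collapses to the single line "No vulnerabilities found" with no scan timestamp, gem list or advisory-db revision, so this clean result cannot later be tied to the database snapshot it was checked against; include at least the created_at value that the JSON report already carries and the advisory-db revision in the text report, so a later reader can tell a genuine clean run from a stale one.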
@ -1,13 +1,5 @@
|
||||||
Updating ruby-advisory-db ...
|
Updating ruby-advisory-db ...
|
||||||
Updating 4b71fa5..1f5c25f
|
Already up to date.
|
||||||
Fast-forward
|
|
||||||
gems/rack-session/CVE-2025-46336.yml | 58 ++++++++++++++++++++++++++++++++++++
|
|
||||||
gems/rack/CVE-2025-32441.yml | 57 +++++++++++++++++++++++++++++++++++
|
|
||||||
gems/rack/CVE-2025-46727.yml | 53 ++++++++++++++++++++++++++++++++
|
|
||||||
3 files changed, 168 insertions(+)
|
|
||||||
create mode 100644 gems/rack-session/CVE-2025-46336.yml
|
|
||||||
create mode 100644 gems/rack/CVE-2025-32441.yml
|
|
||||||
create mode 100644 gems/rack/CVE-2025-46727.yml
|
|
||||||
Updated ruby-advisory-db
|
Updated ruby-advisory-db
|
||||||
ruby-advisory-db:
|
ruby-advisory-db:
|
||||||
advisories: 981 advisories
|
advisories: 981 advisories
|
||||||
|
|
|
||||||
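Review bot: the first run's fast-forward (4b71fa5..1f5c25f) pulled in gems/rack/CVE-2025-32441.yml alongside the two advisories that were reported, yet CVE-2025-32441 appears in neither report, and the second run logs only "Already up to date." without stating which revision it is at; log the advisory-db revision on every run, not just when a fetch happens, and confirm that rack 3.1.13 is outside the affected range of CVE-2025-32441 (the tool's silence is consistent with that, but nothing in the report says so).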