bundle-audit-results/bundle-audit.json

{
  "version": "0.9.1",
  "created_at": "2024-02-27 08:43:10 +0100",
  "results": [
    {
      "type": "unpatched_gem",
      "gem": {"name": "actionpack", "version": "7.1.3"},
      "advisory": {
        "path": "/home/wiseadvice/.local/share/ruby-advisory-db/gems/actionpack/CVE-2024-26142.yml",
        "id": "CVE-2024-26142",
        "url": "https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946",
        "title": "Possible ReDoS vulnerability in Accept header parsing in Action Dispatch",
        "date": "2024-02-21",
        "description": "There is a possible ReDoS vulnerability in the Accept header parsing routines\nof Action Dispatch. This vulnerability has been assigned the CVE identifier\nCVE-2024-26142.\n\nVersions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1\n\n# Impact\n\nCarefully crafted Accept headers can cause Accept header parsing in\nAction Dispatch to take an unexpected amount of time, possibly resulting in a\nDoS vulnerability. All users running an affected release should either upgrade\nor use one of the workarounds immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using\nRuby 3.2 or newer are unaffected.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
        "cvss_v2": null,
        "cvss_v3": null,
        "cve": "2024-26142",
        "osvdb": null,
        "ghsa": null,
        "unaffected_versions": ["< 7.1.0"],
        "patched_versions": [">= 7.1.3.1"],
        "criticality": null
      }
    },
    {
      "type": "unpatched_gem",
      "gem": {"name": "actionpack", "version": "7.1.3"},
      "advisory": {
        "path": "/home/wiseadvice/.local/share/ruby-advisory-db/gems/actionpack/CVE-2024-26143.yml",
        "id": "CVE-2024-26143",
        "url": "https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947",
        "title": "Possible XSS Vulnerability in Action Controller",
        "date": "2024-02-21",
        "description": "There is a possible XSS vulnerability when using the translation helpers\n(`translate`, `t`, etc) in Action Controller. This vulnerability has been\nassigned the CVE identifier CVE-2024-26143.\n\nVersions Affected: >= 7.0.0\nNot affected: < 7.0.0\nFixed Versions: 7.1.3.1, 7.0.8.1\n\n# Impact\n\nApplications using translation methods like `translate`, or `t` on a\ncontroller, with a key ending in “_html”, a `:default` key which contains\nuntrusted user input, and the resulting string is used in a view, may be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted code will look something like this:\n\n```\nclass ArticlesController < ApplicationController\n def show\n @message = t(\"message_html\", default: untrusted_input)\n # The `show` template displays the contents of `@message`\n end\nend\n```\n\nTo reiterate the pre-conditions, applications must:\n\n* Use a translation function from a controller (i.e. *not* `I18n.t`, or\n`t` from a view)\n* Use a key that ends in `_html`\n* Use a default value where the default value is untrusted and unescaped input\n* Send the text to the victim (whether thats part of a template, or a\n `render` call)\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
        "cvss_v2": null,
        "cvss_v3": null,
        "cve": "2024-26143",
        "osvdb": null,
        "ghsa": null,
        "unaffected_versions": ["< 7.0.0"],
        "patched_versions": ["~> 7.0.8, >= 7.0.8.1", ">= 7.1.3.1"],
        "criticality": null
      }
    },
    {
      "type": "unpatched_gem",
      "gem": {"name": "rack", "version": "3.0.9"},
      "advisory": {
        "path": "/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2024-25126.yml",
        "id": "CVE-2024-25126",
        "url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941",
        "title": "Denial of Service Vulnerability in Rack Content-Type Parsing",
        "date": "2024-02-21",
        "description": "There is a possible denial of service vulnerability in the content type\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2024-25126.\n\nVersions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1\n\n# Impact\n\nCarefully crafted content type headers can cause Racks media type parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Racks media type parser to parse content type headers.\nThis code will look like below:\n\n```\nrequest.media_type\n\n## OR\nrequest.media_type_params\n\n## OR\nRack::MediaType.type(content_type)\n```\n\nSome frameworks (including Rails) call this code internally, so upgrading is\nrecommended!\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
        "cvss_v2": null,
        "cvss_v3": null,
        "cve": "2024-25126",
        "osvdb": null,
        "ghsa": null,
        "unaffected_versions": ["< 0.4"],
        "patched_versions": ["~> 2.2.8, >= 2.2.8.1", ">= 3.0.9.1"],
        "criticality": null
      }
    },
    {
      "type": "unpatched_gem",
      "gem": {"name": "rack", "version": "3.0.9"},
      "advisory": {
        "path": "/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2024-26141.yml",
        "id": "CVE-2024-26141",
        "url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944",
        "title": "Possible DoS Vulnerability with Range Header in Rack",
        "date": "2024-02-21",
        "description": "There is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1\n\n# Impact\n\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
        "cvss_v2": null,
        "cvss_v3": null,
        "cve": "2024-26141",
        "osvdb": null,
        "ghsa": null,
        "unaffected_versions": ["< 1.3.0"],
        "patched_versions": ["~> 2.2.8, >= 2.2.8.1", ">= 3.0.9.1"],
        "criticality": null
      }
    },
    {
      "type": "unpatched_gem",
      "gem": {"name": "rack", "version": "3.0.9"},
      "advisory": {
        "path": "/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2024-26146.yml",
        "id": "CVE-2024-26146",
        "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
        "title": "Possible Denial of Service Vulnerability in Rack Header Parsing",
        "date": "2024-02-21",
        "description": "There is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\n# Impact\n\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. `Accept` and\n`Forwarded` headers are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using\nRuby 3.2 or newer are unaffected.\n\n# Releases\n\nThe fixed releases are available at the normal locations.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
        "cvss_v2": null,
        "cvss_v3": null,
        "cve": "2024-26146",
        "osvdb": null,
        "ghsa": null,
        "unaffected_versions": [],
        "patched_versions": ["~> 2.0.9, >= 2.0.9.4", "~> 2.1.4, >= 2.1.4.4", "~> 2.2.8, >= 2.2.8.1", ">= 3.0.9.1"],
        "criticality": null
      }
    }
  ]
}
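The report above lists five advisories but only two gems, and the question a CI job has to answer is what each gem must move to so that every listed advisory is covered. The script below is an added example, not part of this repository or of bundler-audit: it reads a `bundle-audit check --format json` report, re-evaluates each advisory's `unaffected_versions` / `patched_versions` ranges against the locked version with RubyGems' own `Gem::Requirement` (ruby-advisory-db writes a range as a comma-separated list of requirements, all of which must hold), and then picks the smallest version, not below the locked one, that falls in a patched range of every advisory for that gem. The embedded `SAMPLE_REPORT` is a constructed copy of the report above trimmed to the fields the script reads (descriptions, paths and URLs dropped); the function names are the example's own.

```ruby
require "json"
require "rubygems" # Gem::Version / Gem::Requirement

# Constructed sample in the shape bundler-audit 0.9.x emits with --format json,
# trimmed to the fields this script reads. Gem names, versions, CVE ids and
# version ranges mirror the report above; descriptions and paths are omitted.
SAMPLE_REPORT = <<~'JSON'
  {"version":"0.9.1","created_at":"2024-02-27 08:43:10 +0100","results":[
    {"type":"unpatched_gem","gem":{"name":"actionpack","version":"7.1.3"},
     "advisory":{"id":"CVE-2024-26142","title":"Possible ReDoS vulnerability in Accept header parsing in Action Dispatch",
                 "unaffected_versions":["< 7.1.0"],"patched_versions":[">= 7.1.3.1"]}},
    {"type":"unpatched_gem","gem":{"name":"actionpack","version":"7.1.3"},
     "advisory":{"id":"CVE-2024-26143","title":"Possible XSS Vulnerability in Action Controller",
                 "unaffected_versions":["< 7.0.0"],"patched_versions":["~> 7.0.8, >= 7.0.8.1",">= 7.1.3.1"]}},
    {"type":"unpatched_gem","gem":{"name":"rack","version":"3.0.9"},
     "advisory":{"id":"CVE-2024-25126","title":"Denial of Service Vulnerability in Rack Content-Type Parsing",
                 "unaffected_versions":["< 0.4"],"patched_versions":["~> 2.2.8, >= 2.2.8.1",">= 3.0.9.1"]}},
    {"type":"unpatched_gem","gem":{"name":"rack","version":"3.0.9"},
     "advisory":{"id":"CVE-2024-26141","title":"Possible DoS Vulnerability with Range Header in Rack",
                 "unaffected_versions":["< 1.3.0"],"patched_versions":["~> 2.2.8, >= 2.2.8.1",">= 3.0.9.1"]}},
    {"type":"unpatched_gem","gem":{"name":"rack","version":"3.0.9"},
     "advisory":{"id":"CVE-2024-26146","title":"Possible Denial of Service Vulnerability in Rack Header Parsing",
                 "unaffected_versions":[],"patched_versions":["~> 2.0.9, >= 2.0.9.4","~> 2.1.4, >= 2.1.4.4","~> 2.2.8, >= 2.2.8.1",">= 3.0.9.1"]}}
  ]}
JSON

# ruby-advisory-db writes one range as a comma-separated list of RubyGems
# requirements; "~> 2.2.8, >= 2.2.8.1" means both must hold at once.
def parse_range(range)
  Gem::Requirement.new(*range.split(/,\s*/))
end

# True when the locked version is in neither an unaffected nor a patched
# range, i.e. the advisory really applies to this Gemfile.lock.
def unpatched?(version, advisory)
  v = Gem::Version.new(version)
  return false if advisory.fetch("unaffected_versions", []).any? { |r| parse_range(r).satisfied_by?(v) }
  return false if advisory.fetch("patched_versions", []).any? { |r| parse_range(r).satisfied_by?(v) }
  true
end

# Smallest version, not below the locked one, that lands in a patched range
# of every advisory given. Candidates are the versions named in the patched
# ranges themselves, so a same-series patch release (rack 3.0.9.1) is chosen
# over a cross-series jump whenever one exists. Returns nil if none fits.
def minimum_fix(version, advisories)
  current = Gem::Version.new(version)
  ranges = advisories.map { |a| a["patched_versions"].map { |r| parse_range(r) } }
  candidates = ranges.flatten.flat_map { |req| req.requirements.map { |_op, ver| ver } }.uniq.sort
  fix = candidates.find do |c|
    c >= current && ranges.all? { |reqs| reqs.any? { |req| req.satisfied_by?(c) } }
  end
  fix&.to_s
end

# Group the report by gem (a Gemfile.lock resolves one version per gem) and
# decide, per gem, which advisories still apply and what version clears them.
def summarize(report_json)
  report = JSON.parse(report_json)
  report["results"].group_by { |r| r["gem"]["name"] }.map do |name, results|
    version = results.first["gem"]["version"]
    advisories = results.map { |r| r["advisory"] }.select { |a| unpatched?(version, a) }
    [name, { "version" => version,
             "advisories" => advisories.map { |a| a["id"] }.sort,
             "fix" => minimum_fix(version, advisories) }]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  report = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV[0])
  summarize(report).each do |name, info|
    puts "#{name} #{info["version"]}: #{info["advisories"].join(", ")} -> upgrade to #{info["fix"] || "(no in-series fix)"}"
  end
end
```

Run against the report above it reports actionpack 7.1.3 -> 7.1.3.1 and rack 3.0.9 -> 3.0.9.1, the same answers the five `patched_versions` arrays give by hand. Two caveats for anyone wiring this into CI: bundler-audit only reads Gemfile.lock, so the "Ruby 3.2 has mitigations" note in CVE-2024-26142 and CVE-2024-26146 is never applied automatically; if the deployment runs Ruby 3.2 or newer and you accept that, silence them explicitly with `bundle-audit check --ignore CVE-2024-26142 CVE-2024-26146` rather than by editing the report, and the remaining three advisories still require the upgrades shown.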