nexmo-developer
station-0.5.7.gem: 12 vulnerabilities (highest severity is: 9.8)
Vulnerable Library - station-0.5.7.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|
| CVE-2022-30123 | 9.8 | rack-2.2.3.gem | Transitive | N/A | ❌ |
| CVE-2022-21831 | 9.8 | activestorage-6.1.4.4.gem | Transitive | N/A | ❌ |
| WS-2022-0089 | 8.8 | nokogiri-1.11.7-x86_64-linux.gem | Transitive | N/A | ❌ |
| CVE-2022-29181 | 8.2 | nokogiri-1.11.7-x86_64-linux.gem | Transitive | N/A | ❌ |
| CVE-2022-24836 | 7.5 | nokogiri-1.11.7-x86_64-linux.gem | Transitive | N/A | ❌ |
| CVE-2022-30122 | 7.5 | rack-2.2.3.gem | Transitive | N/A | ❌ |
| CVE-2021-41098 | 7.5 | nokogiri-1.11.7-x86_64-linux.gem | Transitive | N/A | ❌ |
| CVE-2022-32224 | 7.0 | activerecord-6.1.4.4.gem | Transitive | N/A | ❌ |
| CVE-2022-27777 | 6.1 | actionview-6.1.4.4.gem | Transitive | N/A | ❌ |
| CVE-2022-22577 | 6.1 | actionpack-6.1.4.4.gem | Transitive | N/A | ❌ |
| CVE-2022-23634 | 5.9 | actionpack-6.1.4.4.gem | Transitive | N/A | ❌ |
| CVE-2022-23633 | 5.9 | actionpack-6.1.4.4.gem | Transitive | N/A | ❌ |
Details
CVE-2022-30123
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - inherited_resources-1.13.1.gem
    - railties-6.1.4.4.gem
      - actionpack-6.1.4.4.gem
        - :x: rack-2.2.3.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack before 2.0.9.1, 2.1.4.1, 2.2.3.1.
Publish Date: 2022-05-03
URL: CVE-2022-30123
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-wq4h-7r42-5hrr
Release Date: 2022-05-03
Fix Resolution: rack - 2.0.9.1, 2.1.4.1, 2.2.3.1
CVE-2022-21831
Vulnerable Library - activestorage-6.1.4.4.gem
Attach cloud and local files in Rails applications.
Library home page: https://rubygems.org/gems/activestorage-6.1.4.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activestorage-6.1.4.4.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - rails-6.1.4.4.gem
    - :x: activestorage-6.1.4.4.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.
Publish Date: 2022-05-26
URL: CVE-2022-21831
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-w749-p3v6-hccq
Release Date: 2022-05-26
Fix Resolution: activestorage - 5.2.6.3, 6.0.4.7, 6.1.4.7, 7.0.2.3
WS-2022-0089
Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - :x: nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
Nokogiri before version 1.13.2 is vulnerable.
Publish Date: 2022-03-01
URL: WS-2022-0089
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
Release Date: 2022-03-01
Fix Resolution: nokogiri - v1.13.2
CVE-2022-29181
Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - :x: nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
CVSS 3 Score Details (8.2)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
CVE-2022-24836
Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - :x: nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.
Publish Date: 2022-04-11
URL: CVE-2022-24836
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
CVE-2022-30122
Vulnerable Library - rack-2.2.3.gem
Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rack-2.2.3.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - inherited_resources-1.13.1.gem
    - railties-6.1.4.4.gem
      - actionpack-6.1.4.4.gem
        - :x: rack-2.2.3.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
There is a possible denial of service vulnerability in the multipart parsing component of Rack before 2.0.9.1, 2.1.4.1, 2.2.3.1.
Publish Date: 2022-05-03
URL: CVE-2022-30122
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-hxqx-xwvh-44m2
Release Date: 2022-05-03
Fix Resolution: rack - 2.0.9.1, 2.1.4.1, 2.2.3.1
CVE-2021-41098
Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - :x: nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
CVE-2022-32224
Vulnerable Library - activerecord-6.1.4.4.gem
Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.
Library home page: https://rubygems.org/gems/activerecord-6.1.4.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-6.1.4.4.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - rails-6.1.4.4.gem
    - :x: activerecord-6.1.4.4.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
RCE bug with Serialized Columns in Active Record before 5.2.8.1, 6.0.0 and before 6.0.5.1, 6.1.0 and before 6.1.6.1, 7.0.0 and before 7.0.3. When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.
Publish Date: 2022-06-02
URL: CVE-2022-32224
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j
Release Date: 2022-06-02
Fix Resolution: activerecord - 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1
CVE-2022-27777
Vulnerable Library - actionview-6.1.4.4.gem
Simple, battle-tested conventions and helpers for building web pages.
Library home page: https://rubygems.org/gems/actionview-6.1.4.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionview-6.1.4.4.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - inherited_resources-1.13.1.gem
    - railties-6.1.4.4.gem
      - actionpack-6.1.4.4.gem
        - :x: actionview-6.1.4.4.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.
Publish Date: 2022-05-26
URL: CVE-2022-27777
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-ch3h-j2vf-95pv
Release Date: 2022-05-26
Fix Resolution: actionview - 5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4
CVE-2022-22577
Vulnerable Library - actionpack-6.1.4.4.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - inherited_resources-1.13.1.gem
    - :x: actionpack-6.1.4.4.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.
Publish Date: 2022-05-26
URL: CVE-2022-22577
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-mm33-5vfq-3mm3
Release Date: 2022-05-26
Fix Resolution: actionpack - 5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4
CVE-2022-23634
Vulnerable Library - actionpack-6.1.4.4.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - inherited_resources-1.13.1.gem
    - :x: actionpack-6.1.4.4.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.
Publish Date: 2022-02-11
URL: CVE-2022-23634
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2022-02-11
Fix Resolution: puma - 4.3.11, 5.6.2; actionpack - 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2
CVE-2022-23633
Vulnerable Library - actionpack-6.1.4.4.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem
Dependency Hierarchy:
- station-0.5.7.gem (Root Library)
  - inherited_resources-1.13.1.gem
    - :x: actionpack-6.1.4.4.gem (Vulnerable Library)
Found in HEAD commit: 2cec597d4ad764f2445d0e96c8c36c2950c79bf4
Found in base branch: main
Vulnerability Details
Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.
Publish Date: 2022-02-11
URL: CVE-2022-23633
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9
Release Date: 2022-02-11
Fix Resolution: actionpack - 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2