CVE-2023-50727 (Medium) detected in resque-2.0.0.gem

[mend-bolt-for-github[bot]]

CVE-2023-50727 - Medium Severity Vulnerability

Vulnerable Library - resque-2.0.0.gem

Resque is a Redis-backed Ruby library for creating background jobs, placing those jobs on multiple queues, and processing them later. Background jobs can be any Ruby class or module that responds to perform. Your existing classes can easily be converted to background jobs or you can create new classes specifically to do work. Or, you can do both. Resque is heavily inspired by DelayedJob (which rocks) and is comprised of three parts: * A Ruby library for creating, querying, and processing jobs * A Rake task for starting a worker which processes jobs * A Sinatra app for monitoring queues, jobs, and workers.

Library home page: https://rubygems.org/gems/resque-2.0.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /Gemfile.lock

Dependency Hierarchy: - :x: **resque-2.0.0.gem** (Vulnerable Library)

Found in HEAD commit: 3a3902efe3788aa4f5410d439175653e42f854e6

Found in base branch: main

Vulnerability Details

Resque is a Redis-backed Ruby library for creating background jobs, placing them on multiple queues, and processing them later. Reflected XSS issue occurs when /queues is appended with /">. This issue has been patched in version 2.6.0.

Publish Date: 2023-12-22

URL: CVE-2023-50727

CVSS 3 Score Details (6.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/resque/resque/security/advisories/GHSA-r9mq-m72x-257g

Release Date: 2023-12-12

Fix Resolution: resque - 2.6.0

---

Step up your Open Source Security Game with Mend here