DEV-REPO-URIEL / TEST_AINAT_CHANGE


rails-3.0.7.gem: 51 vulnerabilities (highest severity is: 9.8) #8

Open dev-mend-for-github-com[bot] opened 1 year ago

dev-mend-for-github-com[bot] commented 1 year ago
Vulnerable Library - rails-3.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (rails version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-32224 | Critical | 9.8 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2023-22794 | High | 8.8 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2020-8161 | High | 8.6 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2023-22796 | High | 7.5 | activesupport-3.0.7.gem | Transitive | N/A* | |
| CVE-2023-22795 | High | 7.5 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2023-22792 | High | 7.5 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2022-44566 | High | 7.5 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2020-8184 | High | 7.5 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2016-0752 | High | 7.5 | rails-3.0.7.gem | Direct | 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1 | |
| CVE-2016-0751 | High | 7.5 | detected in multiple dependencies | Direct | 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1 | |
| CVE-2014-10077 | High | 7.5 | i18n-0.5.0.gem | Transitive | N/A* | |
| CVE-2014-0130 | High | 7.5 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2016-2098 | High | 7.3 | detected in multiple dependencies | Direct | 3.2.22.2,4.1.14.2,4.2.5.2 | |
| CVE-2014-3482 | High | 7.3 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-0333 | High | 7.3 | activesupport-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-0156 | High | 7.3 | activesupport-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-6496 | High | 7.3 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-2695 | High | 7.3 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-2140 | High | 7.3 | mail-2.2.19.gem | Transitive | N/A* | |
| CVE-2020-8167 | Medium | 6.5 | rails-3.0.7.gem | Direct | 6.0.3.1,5.2.4.3 | |
| CVE-2013-6417 | Medium | 6.5 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-2660 | Medium | 6.5 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2010-3299 | Medium | 6.5 | rails-3.0.7.gem | Direct | rails - 5.2.0.beta1 | |
| CVE-2020-8130 | Medium | 6.4 | rake-0.9.0.gem | Transitive | N/A* | |
| CVE-2019-16782 | Medium | 6.3 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2018-16471 | Medium | 6.1 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2016-6316 | Medium | 6.1 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2015-9097 | Medium | 6.1 | mail-2.2.19.gem | Transitive | N/A* | |
| CVE-2013-0263 | Medium | 5.6 | rack-1.2.3.gem | Transitive | N/A* | |
| WS-2017-0283 | Medium | 5.3 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2015-3225 | Medium | 5.3 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2014-7829 | Medium | 5.3 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2014-0082 | Medium | 5.3 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-2661 | Medium | 5.3 | activerecord-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-2139 | Medium | 5.3 | mail-2.2.19.gem | Transitive | N/A* | |
| CVE-2011-5036 | Medium | 5.3 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2011-2929 | Medium | 5.3 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-1856 | Medium | 4.8 | activesupport-3.0.7.gem | Transitive | N/A* | |
| CVE-2015-7576 | Low | 3.7 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2014-0081 | Low | 3.7 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-6415 | Low | 3.7 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-4492 | Low | 3.7 | i18n-0.5.0.gem | Transitive | N/A* | |
| CVE-2013-4491 | Low | 3.7 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-1855 | Low | 3.7 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2013-0184 | Low | 3.7 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2012-6109 | Low | 3.7 | rack-1.2.3.gem | Transitive | N/A* | |
| CVE-2012-3464 | Low | 3.7 | activesupport-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-3463 | Low | 3.7 | actionpack-3.0.7.gem | Transitive | N/A* | |
| CVE-2012-1099 | Low | 3.7 | rails-3.0.7.gem | Direct | 3.0.12,3.1.4,3.2.2 | |
| CVE-2011-2932 | Low | 3.7 | rails-3.0.7.gem | Direct | 2.3.13,3.0.10,3.1.0.rc5 | |
| CVE-2011-2197 | Low | 3.7 | rails-3.0.7.gem | Direct | 2.3.12,3.0.8,3.1.0.rc2 | |

*For some transitive vulnerabilities, there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (21 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

## CVE-2022-32224

### Vulnerable Library - activerecord-3.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activerecord-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record < 7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1, which could allow an attacker who can manipulate data in the database (via means like SQL injection) to escalate to an RCE.

Publish Date: 2022-12-05

URL: CVE-2022-32224

### CVSS 3 Score Details (9.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j

Release Date: 2022-12-05

Fix Resolution: activerecord - 5.2.8.1,6.0.5.1,6.1.6.1,7.0.3.1

## CVE-2023-22794

### Vulnerable Library - activerecord-3.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activerecord-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments. If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database with insufficient sanitization and be able to inject SQL outside of the comment.

Publish Date: 2023-02-09

URL: CVE-2023-22794

### CVSS 3 Score Details (8.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-hq7p-j377-6v63

Release Date: 2023-02-09

Fix Resolution: activerecord - 6.0.6.1,6.1.7.1,7.0.4.1

## CVE-2020-8161

### Vulnerable Library - rack-1.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call. Also see http://rack.rubyforge.org.

Library home page: https://rubygems.org/gems/rack-1.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-1.2.3.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - actionmailer-3.0.7.gem
    - actionpack-3.0.7.gem
      - :x: **rack-1.2.3.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.

Publish Date: 2020-07-02

URL: CVE-2020-8161

### CVSS 3 Score Details (8.6)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-07-02

Fix Resolution: 2.2.0,2.1.3

## CVE-2023-22796

### Vulnerable Library - activesupport-3.0.7.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activesupport-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1

## CVE-2023-22795

### Vulnerable Library - actionpack-3.0.7.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **actionpack-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.

Publish Date: 2023-02-09

URL: CVE-2023-22795

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-02-09

Fix Resolution: actionpack - 6.1.7.1, 7.0.4.1

## CVE-2023-22792

### Vulnerable Library - actionpack-3.0.7.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **actionpack-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1, <6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.

Publish Date: 2023-02-09

URL: CVE-2023-22792

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-02-09

Fix Resolution: actionpack - 6.1.7.1,7.0.4.1

## CVE-2022-44566

### Vulnerable Library - activerecord-3.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activerecord-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When a value outside the range for a 64-bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, resulting in a potential Denial of Service.

Publish Date: 2023-02-09

URL: CVE-2022-44566

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-579w-22j4-4749

Release Date: 2023-02-09

Fix Resolution: activerecord - 6.1.7.1,7.0.4.1

## CVE-2020-8184

### Vulnerable Library - rack-1.2.3.gem

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call. Also see http://rack.rubyforge.org.

Library home page: https://rubygems.org/gems/rack-1.2.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-1.2.3.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - actionmailer-3.0.7.gem
    - actionpack-3.0.7.gem
      - :x: **rack-1.2.3.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.

Publish Date: 2020-06-19

URL: CVE-2020-8184

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://groups.google.com/forum/#!topic/rubyonrails-security/OWtmozPH9Ak

Release Date: 2020-06-19

Fix Resolution: rack - 2.1.4, 2.2.3

## CVE-2016-0752

### Vulnerable Library - rails-3.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem

Dependency Hierarchy:
- :x: **rails-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Publish Date: 2016-02-16

URL: CVE-2016-0752

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0752

Release Date: 2016-02-16

Fix Resolution: 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2016-0751

### Vulnerable Libraries - rails-3.0.7.gem, actionpack-3.0.7.gem

### rails-3.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem

Dependency Hierarchy:
- :x: **rails-3.0.7.gem** (Vulnerable Library)

### actionpack-3.0.7.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **actionpack-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

Publish Date: 2016-02-16

URL: CVE-2016-0751

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0751

Release Date: 2016-02-16

Fix Resolution: 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-10077

### Vulnerable Library - i18n-0.5.0.gem

New wave Internationalization support for Ruby.

Library home page: https://rubygems.org/gems/i18n-0.5.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/i18n-0.5.0.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - activeresource-3.0.7.gem
    - activemodel-3.0.7.gem
      - :x: **i18n-0.5.0.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.

Publish Date: 2018-11-06

URL: CVE-2014-10077

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10077

Release Date: 2018-11-06

Fix Resolution: 0.8.0

## CVE-2014-0130

### Vulnerable Library - actionpack-3.0.7.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **actionpack-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

Directory traversal vulnerability in actionpack/lib/abstract_controller/base.rb in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.

Publish Date: 2014-05-07

URL: CVE-2014-0130

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0130

Release Date: 2014-05-07

Fix Resolution: 3.2.18,4.0.5,4.1.1

## CVE-2016-2098

### Vulnerable Libraries - rails-3.0.7.gem, actionpack-3.0.7.gem

### rails-3.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem

Dependency Hierarchy:
- :x: **rails-3.0.7.gem** (Vulnerable Library)

### actionpack-3.0.7.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **actionpack-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

Publish Date: 2016-04-07

URL: CVE-2016-2098

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2098

Release Date: 2016-04-07

Fix Resolution: 3.2.22.2,4.1.14.2,4.2.5.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2014-3482

### Vulnerable Library - activerecord-3.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activerecord-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper bitstring quoting.

Publish Date: 2014-07-07

URL: CVE-2014-3482

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3482

Release Date: 2014-07-07

Fix Resolution: 3.2.19

## CVE-2013-0333

### Vulnerable Library - activesupport-3.0.7.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activesupport-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.

Publish Date: 2013-01-30

URL: CVE-2013-0333

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0333

Release Date: 2013-01-30

Fix Resolution: 2.3.16,3.0.20

## CVE-2013-0156

### Vulnerable Library - activesupport-3.0.7.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activesupport-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.

Publish Date: 2013-01-13

URL: CVE-2013-0156

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0156

Release Date: 2013-01-13

Fix Resolution: 2.3.15,3.0.19,3.1.10,3.2.11

## CVE-2012-6496

### Vulnerable Library - activerecord-3.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activerecord-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.

Publish Date: 2013-01-04

URL: CVE-2012-6496

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6496

Release Date: 2013-01-04

Fix Resolution: 3.0.18,3.1.9,3.2.10

## CVE-2012-2695

### Vulnerable Library - activerecord-3.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activerecord-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **activerecord-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.

Publish Date: 2012-06-22

URL: CVE-2012-2695

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-2695

Release Date: 2012-06-22

Fix Resolution: 3.0.14,3.1.6,3.2.6

## CVE-2012-2140

### Vulnerable Library - mail-2.2.19.gem

A really Ruby Mail handler.

Library home page: https://rubygems.org/gems/mail-2.2.19.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/mail-2.2.19.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - actionmailer-3.0.7.gem
    - :x: **mail-2.2.19.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.

Publish Date: 2012-07-18

URL: CVE-2012-2140

### CVSS 3 Score Details (7.3)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: Low

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-2140

Release Date: 2012-07-18

Fix Resolution: 2.4.3

## CVE-2020-8167

### Vulnerable Library - rails-3.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rails-3.0.7.gem

Dependency Hierarchy:
- :x: **rails-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

A CSRF vulnerability exists in the rails-ujs module of Rails <= 6.0.3 that could allow attackers to cause CSRF tokens to be sent to the wrong domains.

Publish Date: 2020-06-19

URL: CVE-2020-8167

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://rubygems.org/gems/rails/versions/6.0.3.1

Release Date: 2020-06-19

Fix Resolution: 6.0.3.1,5.2.4.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2013-6417

### Vulnerable Library - actionpack-3.0.7.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-3.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-3.0.7.gem

Dependency Hierarchy:
- rails-3.0.7.gem (Root Library)
  - :x: **actionpack-3.0.7.gem** (Vulnerable Library)

Found in HEAD commit: 1855a834302dd3f0182c78b12ce583c7af3a2921

Found in base branch: main

### Vulnerability Details

actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.

Publish Date: 2013-12-07

URL: CVE-2013-6417

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6417

Release Date: 2013-12-07

Fix Resolution: 3.2.16,4.0.2

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

dev-mend-for-github-com[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

dev-mend-for-github-com[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.