:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
## Vulnerable Library - rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

## Vulnerabilities

## Details
## CVE-2019-5419

### Vulnerable Library - rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Dependency Hierarchy:
- :x: **rails-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause Action View to consume 100% CPU and make the server unresponsive.

Publish Date: 2019-03-27

URL: CVE-2019-5419

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

Release Date: 2020-10-16

Fix Resolution: 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2019-5418
### Vulnerable Library - rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Dependency Hierarchy:
- :x: **rails-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

Publish Date: 2019-03-27

URL: CVE-2019-5418

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

Release Date: 2020-10-16

Fix Resolution: 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2018-3760
### Vulnerable Library - sprockets-3.7.1.gem

Sprockets is a Rack-based asset packaging system that concatenates and serves JavaScript, CoffeeScript, CSS, LESS, Sass, and SCSS.

Library home page: https://rubygems.org/gems/sprockets-3.7.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/sprockets-3.7.1.gem

Dependency Hierarchy:
- rails-5.0.7.gem (Root Library)
  - sprockets-rails-3.2.1.gem
    - :x: **sprockets-3.7.1.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exist on the filesystem outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the workarounds immediately.

Publish Date: 2018-06-26

URL: CVE-2018-3760

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3760

Release Date: 2018-06-26

Fix Resolution: v3.7.2; v4.0.0.beta8; v2.12.5

## CVE-2021-22880
### Vulnerable Libraries - activerecord-5.0.7.gem, rails-5.0.7.gem

### activerecord-5.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-5.0.7.gem

Dependency Hierarchy:
- rails-5.0.7.gem (Root Library)
  - :x: **activerecord-5.0.7.gem** (Vulnerable Library)

### rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Dependency Hierarchy:
- :x: **rails-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (ReDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with `money` type columns that take user input.

Publish Date: 2021-02-11

URL: CVE-2021-22880

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129

Release Date: 2021-02-11

Fix Resolution: 5.2.4.5, 6.0.3.5, 6.1.2.1

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-7663
### Vulnerable Library - websocket-extensions-0.1.3.gem

Library home page: https://rubygems.org/gems/websocket-extensions-0.1.3.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/websocket-extensions-0.1.3.gem

Dependency Hierarchy:
- rails-5.0.7.gem (Root Library)
  - actioncable-5.0.7.gem
    - websocket-driver-0.6.5.gem
      - :x: **websocket-extensions-0.1.3.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

The websocket-extensions Ruby module prior to 0.1.5 allows Denial of Service (DoS) via regex backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial of Service (ReDoS) on a single-threaded server by providing a malicious payload in the Sec-WebSocket-Extensions header.

Publish Date: 2020-06-02

URL: CVE-2020-7663

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7663

Release Date: 2020-09-17

Fix Resolution: websocket-extensions:0.1.5

## CVE-2018-16476
### Vulnerable Library - rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Dependency Hierarchy:
- :x: **rails-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

A Broken Access Control vulnerability in Active Job versions >= 4.2.0 allows an attacker to craft user input which can cause Active Job to deserialize it using GlobalId and give them access to information that they should not have. This vulnerability has been fixed in versions 4.2.11, 5.0.7.1, 5.1.6.1, and 5.2.1.1.

Publish Date: 2018-11-30

URL: CVE-2018-16476

### CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://weblog.rubyonrails.org/2018/11/27/Rails-4-2-5-0-5-1-5-2-have-been-released/

Release Date: 2018-11-30

Fix Resolution: 5.2.2

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2022-32224
### Vulnerable Library - activerecord-5.0.7.gem

Databases on Rails. Build a persistent domain model by mapping database tables to Ruby classes. Strong conventions for associations, validations, aggregations, migrations, and testing come baked-in.

Library home page: https://rubygems.org/gems/activerecord-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activerecord-5.0.7.gem

Dependency Hierarchy:
- rails-5.0.7.gem (Root Library)
  - :x: **activerecord-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

RCE bug with Serialized Columns in Active Record before 5.2.8.1, 6.0.0 and before 6.0.5.1, 6.1.0 and before 6.1.6.1, 7.0.0 and before 7.0.3. When serialized columns that use YAML (the default) are deserialized, Rails uses `YAML.unsafe_load` to convert the YAML data into Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

Publish Date: 2022-06-02

URL: CVE-2022-32224

### CVSS 3 Score Details (7.0)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-3hhc-qp5v-9p2j

Release Date: 2022-06-02

Fix Resolution: activerecord - 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1

## CVE-2010-3299
### Vulnerable Library - rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Dependency Hierarchy:
- :x: **rails-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

The encrypt/decrypt functions in Ruby on Rails 2.3 are vulnerable to padding oracle attacks.

Publish Date: 2019-11-12

URL: CVE-2010-3299

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3299

Release Date: 2019-11-12

Fix Resolution: rails - 5.2.0.beta1

:rescue_worker_helmet: Automatic Remediation is available for this issue

## CVE-2020-8167
### Vulnerable Library - rails-5.0.7.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-5.0.7.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /em/ruby/2.7.0/cache/rails-5.0.7.gem

Dependency Hierarchy:
- :x: **rails-5.0.7.gem** (Vulnerable Library)

Found in HEAD commit: ab21a9f862ff3da3db0787ca394d129f490c3cfe

Found in base branch: main

### Vulnerability Details

A CSRF vulnerability exists in the rails-ujs module of Rails <= 6.0.3 that could allow attackers to send CSRF tokens to the wrong domains.

Publish Date: 2020-06-19

URL: CVE-2020-8167

### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None

### Suggested Fix

Type: Upgrade version

Origin: https://rubygems.org/gems/rails/versions/6.0.3.1

Release Date: 2020-06-19

Fix Resolution: 6.0.3.1, 5.2.4.3

:rescue_worker_helmet: Automatic Remediation is available for this issue.