Open mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
WS-2023-0095
### Vulnerable Library - commonmarker-0.23.6.gemA fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.23.6.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/commonmarker-0.23.6.gem
Dependency Hierarchy: - github-pages-227.gem (Root Library) - jekyll-commonmark-ghpages-0.2.0.gem - :x: **commonmarker-0.23.6.gem** (Vulnerable Library)
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Found in base branch: master
### Vulnerability DetailsCommonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service
Publish Date: 2023-04-12
URL: WS-2023-0095
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-48wp-p9qv-4j64
Release Date: 2023-04-12
Fix Resolution: commonmarker - 0.23.9
CVE-2023-26485
### Vulnerable Library - commonmarker-0.23.6.gemA fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.23.6.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/commonmarker-0.23.6.gem
Dependency Hierarchy: - github-pages-227.gem (Root Library) - jekyll-commonmark-ghpages-0.2.0.gem - :x: **commonmarker-0.23.6.gem** (Vulnerable Library)
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Found in base branch: master
### Vulnerability Detailscmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `_` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept ``` $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext ``` Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD [cmark-gfm](https://github.com/github/cmark-gfm) is a fork of [cmark](https://github.com/commonmark/cmark) that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both `cmark` and `cmark-gfm`. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in [github/cmark-gfm](https://github.com/github/cmark-gfm)
Publish Date: 2023-03-31
URL: CVE-2023-26485
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-48wp-p9qv-4j64
Release Date: 2023-03-31
Fix Resolution: commonmarker - 0.23.9
CVE-2023-24824
### Vulnerable Library - commonmarker-0.23.6.gemA fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.23.6.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/commonmarker-0.23.6.gem
Dependency Hierarchy: - github-pages-227.gem (Root Library) - jekyll-commonmark-ghpages-0.2.0.gem - :x: **commonmarker-0.23.6.gem** (Vulnerable Library)
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Found in base branch: master
### Vulnerability Detailscmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of `>` or `-` characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.
Publish Date: 2023-03-31
URL: CVE-2023-24824
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-48wp-p9qv-4j64
Release Date: 2023-03-31
Fix Resolution: commonmarker - 0.23.9
CVE-2023-22796
### Vulnerable Library - activesupport-6.0.6.gemA toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-6.0.6.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem
Dependency Hierarchy: - github-pages-227.gem (Root Library) - jemoji-0.12.0.gem - html-pipeline-2.14.2.gem - :x: **activesupport-6.0.6.gem** (Vulnerable Library)
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Found in base branch: master
### Vulnerability DetailsA regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Publish Date: 2023-02-09
URL: CVE-2023-22796
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-j6gc-792m-qgm2
Release Date: 2023-02-09
Fix Resolution: activesupport - 6.1.7.1,7.0.4.1
CVE-2022-23476
### Vulnerable Library - nokogiri-1.13.8-x86_64-linux.gemNokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.13.8-x86_64-linux.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.13.8-x86_64-linux.gem
Dependency Hierarchy: - github-pages-227.gem (Root Library) - :x: **nokogiri-1.13.8-x86_64-linux.gem** (Vulnerable Library)
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Found in base branch: master
### Vulnerability DetailsNokogiri is an open source XML and HTML library for the Ruby programming language. Nokogiri `1.13.8` and `1.13.9` fail to check the return value from `xmlTextReaderExpand` in the method `Nokogiri::XML::Reader#attribute_hash`. This can lead to a null pointer exception when invalid markup is being parsed. For applications using `XML::Reader` to parse untrusted inputs, this may potentially be a vector for a denial of service attack. Users are advised to upgrade to Nokogiri `>= 1.13.10`. Users may be able to search their code for calls to either `XML::Reader#attributes` or `XML::Reader#attribute_hash` to determine if they are affected.
Publish Date: 2022-12-08
URL: CVE-2022-23476
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2022-12-08
Fix Resolution: nokogiri - 1.13.10
CVE-2023-38037
### Vulnerable Library - activesupport-6.0.6.gemA toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-6.0.6.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem
Dependency Hierarchy: - github-pages-227.gem (Root Library) - jemoji-0.12.0.gem - html-pipeline-2.14.2.gem - :x: **activesupport-6.0.6.gem** (Vulnerable Library)
Found in HEAD commit: 821b439313de9340f2f41fa36d5cee25e1ab2361
Found in base branch: master
### Vulnerability DetailsActive Support Possibly Discloses Locally Encrypted Files
Publish Date: 2023-07-12
URL: CVE-2023-38037
### CVSS 3 Score Details (4.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-cr5q-6q9f-rq6q
Release Date: 2023-07-12
Fix Resolution: activesupport - 6.1.7.5,7.0.7.1