flavorjones / loofah

Ruby library for HTML/XML transformation and sanitization
MIT License
934 stars, 137 forks

False positive with loofah CVE #210

Closed. mroach closed this issue 3 years ago

mroach commented 3 years ago

There appears to be a false positive with identifying a loofah version vulnerable to a CVE.

This message started appearing after upgrading from 2.9.1 to 2.10.0. The nature of the error and the correlation with the version bump leads me to think there's a string vs numeric version comparison issue.

Confidence: Medium
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock

Brakeman version 5.0.0
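The hypothesis in the report above is that the scanner compared the installed version with the fixed version as strings, so that "2.10.0" sorts before "2.2.1". The following is an added example, not code from loofah or Brakeman, that reproduces that pitfall against a constructed Gemfile.lock excerpt and shows the segment-wise comparison that RubyGems' `Gem::Version` performs. The helper names, the lock file text and the use of 2.2.1 as the fixed version (taken from the Brakeman message quoted above) are this example's own assumptions.

```ruby
# Added example (not from the loofah or brakeman projects): demonstrates why a
# plain String comparison misreports loofah 2.10.0 as older than the 2.2.1 fix
# named in the Brakeman message, and how Gem::Version compares correctly.
require "rubygems"

# Fixed version quoted in the Brakeman message on this issue.
FIXED_VERSION = "2.2.1"

# Naive check: lexicographic String comparison. "2.10.0" < "2.2.1" is true
# because the comparison stops at the third character, where "1" < "2".
def vulnerable_by_string?(installed, fixed = FIXED_VERSION)
  installed < fixed
end

# Correct check: Gem::Version splits on dots and compares each segment
# numerically, so 10 > 2 and 2.10.0 is recognised as newer than 2.2.1.
def vulnerable_by_gem_version?(installed, fixed = FIXED_VERSION)
  Gem::Version.new(installed) < Gem::Version.new(fixed)
end

# Pull the loofah version out of a Gemfile.lock "specs:" section.
# Returns nil when loofah is not listed.
def loofah_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^\s+loofah \(([^)]+)\)/)
  m && m[1]
end

# Constructed Gemfile.lock excerpt for this example (not a real project's lock file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.6)
      loofah (2.10.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
LOCK

if __FILE__ == $0
  v = loofah_version_from_lockfile(SAMPLE_LOCK)
  puts "loofah #{v}: string comparison flags vulnerable=#{vulnerable_by_string?(v)}"
  puts "loofah #{v}: Gem::Version flags vulnerable=#{vulnerable_by_gem_version?(v)}"
end
```

Running it shows the string check flagging 2.10.0 while `Gem::Version` does not; the same string check correctly leaves 2.9.1 alone, which matches the report that the warning only appeared after the 2.9.1 to 2.10.0 bump.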

mroach commented 3 years ago

I posted this on the wrong repository. Hurrah! Sorry about that!

flavorjones commented 3 years ago

No worries! I expect it's the same problem reported at https://github.com/flavorjones/loofah/issues/209? If so, thanks for your patience.

mroach commented 3 years ago

Yeah it was (thanks for linking!), and I was searching around between brakeman and loofah to establish a chronology and after all that I realised I hadn’t updated brakeman which already fixed this. :)

On Mon, 28 Jun 2021 at 16:33, Mike Dalessio @.***> wrote:

No worries! I expect it's the same problem reported at #209 https://github.com/flavorjones/loofah/issues/209? If so, thanks for your patience.
