ncr / rack-proxy

A request/response rewriting HTTP proxy. A Rack app.
MIT License

Vulnerabilities with rack 2.0.3 and rake 0.9.2.2 #97

Closed rahulbir closed 2 years ago

rahulbir commented 3 years ago

Seeing high severity vulnerabilities with rack-proxy-0.6.5.

usr/local/bundle/gems/rack-proxy-0.6.5/Gemfile.lock
===================================================
Total: 3 (HIGH: 3, CRITICAL: 0)

+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                TITLE                 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
| rack    | CVE-2020-8161    | HIGH     | 2.0.3             | 2.1.3         | rubygem-rack: directory              |
|         |                  |          |                   |               | traversal in Rack::Directory         |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-8161 |
+         +------------------+          +                   +---------------+--------------------------------------+
|         | CVE-2020-8184    |          |                   | 2.2.3, 2.1.4  | rubygem-rack: percent-encoded        |
|         |                  |          |                   |               | cookies can be used to overwrite     |
|         |                  |          |                   |               | existing prefixed cookie names...    |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-8184 |
+---------+------------------+          +-------------------+---------------+--------------------------------------+
| rake    | CVE-2020-8130    |          | 0.9.2.2           | 12.3.3        | rake: OS Command Injection           |
|         |                  |          |                   |               | via egrep in Rake::FileList          |
|         |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2020-8130 |
+---------+------------------+----------+-------------------+---------------+--------------------------------------+
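As an added example (not part of this issue or of rack-proxy), a Ruby script that checks the pins in a Gemfile.lock against the three advisories and fixed versions listed in the scan above. The Gemfile.lock content is constructed, and the branch rule in fixed? is an assumption about how the two fixed versions given for CVE-2020-8184 apply.

```ruby
# Advisories from the scan table above, one fixed version per release branch (constructed from the page).
ADVISORIES = {
  "rack" => [{ id: "CVE-2020-8161", fixed: ["2.1.3"] },
             { id: "CVE-2020-8184", fixed: ["2.2.3", "2.1.4"] }],
  "rake" => [{ id: "CVE-2020-8130", fixed: ["12.3.3"] }],
}

# Constructed Gemfile.lock carrying the pinned versions from the report.
SAMPLE_LOCK = <<~LOCK
  GEM
    specs:
      rack (2.0.3)
      rack-test (0.6.3)
        rack (>= 1.0)
      rake (0.9.2.2)

  PLATFORMS
LOCK

# Parse the "specs:" block of a Gemfile.lock into { name => version }. Pinned gems
# sit at four-space indent; deeper lines such as "rack (>= 1.0)" are constraints, not pins.
def parse_lockfile(text)
  specs, in_specs = {}, false
  text.each_line do |line|
    in_specs = false if line.strip.empty? || line =~ /\A\S/
    in_specs = true  if line.strip == "specs:"
    next unless in_specs && line =~ /\A {4}(\S+) \((\S+)\)\s*\z/
    specs[$1] = $2
  end
  specs
end

# Fixed if at/above the fix for its own major.minor branch, otherwise if
# at/above the newest fix (assumption: later branches carry the fix too).
def fixed?(installed, fixed_versions)
  v = Gem::Version.new(installed)
  fixes = fixed_versions.map { |f| Gem::Version.new(f) }
  branch = fixes.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  branch ? v >= branch : v >= fixes.max
end

# Rows of [gem, installed, cve, fixed-in] for every advisory still unfixed.
def audit(lockfile_text, advisories = ADVISORIES)
  parse_lockfile(lockfile_text).flat_map do |name, version|
    (advisories[name] || []).reject { |a| fixed?(version, a[:fixed]) }
                            .map { |a| [name, version, a[:id], a[:fixed].join(", ")] }
  end
end

audit(SAMPLE_LOCK).each { |g, v, cve, fix| puts "#{g} #{v}: #{cve} (fixed in #{fix})" }
```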
rahulbir commented 3 years ago

Please merge the following PRs

Bump rake from 0.9.2.2 to 13.0.1
Bump rack from 2.0.3 to 2.2.3

ncr commented 3 years ago

I'd need some help fixing broken tests when upgrading to rack 2.2.3.

andrelaszlo commented 2 years ago

@ncr This seems fixed in 0.7.0? :+1: Close? :)

Edit: Oh, #92 was reverted in d63bb03e1661a3513ff7f534f82b1018891b193a