search

neinteractiveliterature / larp_library

A site for hosting free-to-run larps
MIT License
1 stars 1 forks source link

rails-7.2.1.gem: 2 vulnerabilities (highest severity is: 5.3) - autoclosed #2294

Closed mend-bolt-for-github[bot] closed 2 weeks ago

mend-bolt-for-github[bot] commented 1 month ago
Vulnerable Library - rails-7.2.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actiontext-7.2.1.gem

Found in HEAD commit: 4a75abf863bd6723db62be0fb3425aa5ae9504e8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (rails version) Remediation Possible**
CVE-2024-47889 Medium 5.3 actionmailer-7.2.1.gem Transitive N/A*
CVE-2024-47888 Medium 5.3 actiontext-7.2.1.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-47889 ### Vulnerable Library - actionmailer-7.2.1.gem

Email on Rails. Compose, deliver, and test emails using the familiar controller/view pattern. First-class support for multipart email and attachments.

Library home page: https://rubygems.org/gems/actionmailer-7.2.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionmailer-7.2.1.gem

Dependency Hierarchy: - rails-7.2.1.gem (Root Library) - :x: **actionmailer-7.2.1.gem** (Vulnerable Library)

Found in HEAD commit: 4a75abf863bd6723db62be0fb3425aa5ae9504e8

Found in base branch: main

### Vulnerability Details

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Publish Date: 2024-10-16

URL: CVE-2024-47889

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6

Release Date: 2024-10-16

Fix Resolution: actionmailer - 6.1.7.9,7.0.8.5,7.1.4.1,7.2.1.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-47888 ### Vulnerable Library - actiontext-7.2.1.gem

Edit and display rich text in Rails applications.

Library home page: https://rubygems.org/gems/actiontext-7.2.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actiontext-7.2.1.gem

Dependency Hierarchy: - rails-7.2.1.gem (Root Library) - :x: **actiontext-7.2.1.gem** (Vulnerable Library)

Found in HEAD commit: 4a75abf863bd6723db62be0fb3425aa5ae9504e8

Found in base branch: main

### Vulnerability Details

Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node helper` in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Publish Date: 2024-10-16

URL: CVE-2024-47888

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw

Release Date: 2024-10-16

Fix Resolution: actiontext - 6.1.7.9,7.0.8.5,7.1.4.1,7.2.1.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 2 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.