Rake is a Make-like program implemented in Ruby. Tasks and dependencies are
specified in standard Ruby syntax.
Rake has the following features:
* Rakefiles (rake's version of Makefiles) are completely defined in standard Ruby syntax.
No XML files to edit. No quirky Makefile syntax to worry about (is that a tab or a space?)
* Users can specify tasks with prerequisites.
* Rake supports rule patterns to synthesize implicit tasks.
* Flexible FileLists that act like arrays but know about manipulating file names and paths.
* Supports parallel execution of tasks.
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
### Suggested Fix
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
### Vulnerable Library - rake-12.3.1.gem
Library home page: https://rubygems.org/gems/rake-12.3.1.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /e-12.3.1.gem
Dependency Hierarchy:
- :x: **rake-12.3.1.gem** (Vulnerable Library)
Found in HEAD commit: 997b77737857e578b32815f3af9cce98dbadd556
Found in base branch: subscriptions
### Vulnerability Details
There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in Rake::FileList when supplying a filename that begins with the pipe character `|`.
Publish Date: 2020-02-24
URL: CVE-2020-8130
### CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: High
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

### Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8130
Release Date: 2020-06-30
Fix Resolution: v12.3.3
:rescue_worker_helmet: Automatic Remediation is available for this issue.