Closed mend-for-github-com[bot] closed 12 months ago
mend-for-github-com[bot]
commented
12 months ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
mend-for-github-com[bot]
commented
12 months ago :heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-2.2.0.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-2.2.0.gem
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-45442
### Vulnerable Library - sinatra-2.2.0.gemSinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-2.2.0.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-2.2.0.gem
Dependency Hierarchy: - :x: **sinatra-2.2.0.gem** (Vulnerable Library)
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Found in base branch: main
### Vulnerability DetailsSinatra is a domain-specific language for creating web applications in Ruby. An issue was discovered in Sinatra 2.0 before 2.2.3 and 3.0 before 3.0.4. An application is vulnerable to a reflected file download (RFD) attack that sets the Content-Disposition header of a response when the filename is derived from user-supplied input. Version 2.2.3 and 3.0.4 contain patches for this issue.
Publish Date: 2022-11-28
URL: CVE-2022-45442
### CVSS 3 Score Details (8.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/sinatra/sinatra/security/advisories/GHSA-2x8x-jmrp-phxw
Release Date: 2022-11-28
Fix Resolution: sinatra - 2.2.3,3.0.4
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-27530
### Vulnerable Library - rack-2.2.3.1.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.1.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.1.gem
Dependency Hierarchy: - sinatra-2.2.0.gem (Root Library) - :x: **rack-2.2.3.1.gem** (Vulnerable Library)
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Found in base branch: main
### Vulnerability DetailsA DoS vulnerability exists in RackPublish Date: 2023-03-10
### CVSS 3 Score Details (7.5)URL: CVE-2023-27530
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Release Date: 2023-03-10
Fix Resolution: rack - 2.0.9.3,2.1.4.3,2.2.6.3,3.0.4.2
CVE-2022-44571
### Vulnerable Library - rack-2.2.3.1.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.1.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.1.gem
Dependency Hierarchy: - sinatra-2.2.0.gem (Root Library) - :x: **rack-2.2.3.1.gem** (Vulnerable Library)
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Found in base branch: main
### Vulnerability DetailsThere is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44571
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-93pm-5p5f-3ghx
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
CVE-2022-44570
### Vulnerable Library - rack-2.2.3.1.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.1.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.1.gem
Dependency Hierarchy: - sinatra-2.2.0.gem (Root Library) - :x: **rack-2.2.3.1.gem** (Vulnerable Library)
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Found in base branch: main
### Vulnerability DetailsA denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44570
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-65f5-mfpf-vfhj
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
CVE-2023-27539
### Vulnerable Library - rack-2.2.3.1.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.1.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.1.gem
Dependency Hierarchy: - sinatra-2.2.0.gem (Root Library) - :x: **rack-2.2.3.1.gem** (Vulnerable Library)
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Found in base branch: main
### Vulnerability DetailsThere is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. The issue is fixed versions 2.2.6.4 and 3.0.6.1
Publish Date: 2023-03-03
URL: CVE-2023-27539
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
Release Date: 2023-03-03
Fix Resolution: rack - 2.2.6.4,3.0.6.1
CVE-2022-44572
### Vulnerable Library - rack-2.2.3.1.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.3.1.gem
Path to dependency file: /src/emailservice/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.3.1.gem
Dependency Hierarchy: - sinatra-2.2.0.gem (Root Library) - :x: **rack-2.2.3.1.gem** (Vulnerable Library)
Found in HEAD commit: dbe873acc75992a5ca0724bd1222561d2651439d
Found in base branch: main
### Vulnerability DetailsA denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44572
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/advisories/GHSA-rqv2-275x-2jq5
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.