uclibs / ucrate

Scholar@UC: University of Cincinnati's self-submission institutional repository
https://scholar.uc.edu

Install bundler-audit gem #934

Closed scherztc closed 3 years ago

scherztc commented 3 years ago

Descriptive summary

Include a concise description of the issue and any relevant tracebacks if you're reporting a bug.

Expected behavior

Actual behavior

Steps to reproduce the behavior

  1. Do this
  2. Then do this...

Related work

Link to related issues or prior related work here.

bsp3ars commented 3 years ago

Results of running the bundler-audit check command:

Name: actionpack
Version: 5.1.7
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.7
CVE: CVE-2020-8166
GHSA: GHSA-jp5v-5gx4-jmj9
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.7
CVE: CVE-2020-8164
GHSA: GHSA-8727-m6gj-mc37
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.7
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionview
Version: 5.1.7
CVE: CVE-2020-15169
GHSA: GHSA-cfjv-5498-mph5
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.7
CVE: CVE-2020-5267
GHSA: GHSA-65cv-r6x7-79hv
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.7
CVE: CVE-2020-8167
GHSA: GHSA-xq5j-gw7f-jgj8
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: activerecord
Version: 5.1.7
CVE: CVE-2021-22880
GHSA: GHSA-8hc4-xxm3-5ppp
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activesupport
Version: 5.1.7
CVE: CVE-2020-8165
GHSA: GHSA-2p68-f74v-9wc6
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: devise
Version: 4.6.0
CVE: CVE-2019-16109
GHSA: GHSA-fcjw-8rhj-gwwc
Criticality: Medium
URL: https://github.com/plataformatec/devise/issues/5071
Title: Devise Gem for Ruby confirmation token validation with a blank string
Solution: upgrade to >= 4.7.1

Name: omniauth
Version: 1.9.1
CVE: CVE-2015-9284
GHSA: GHSA-ww4x-rwq6-qpgf
Criticality: High
URL: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
Title: CSRF vulnerability in OmniAuth's request phase
Solution: upgrade to >= 2.0.0

Name: puma
Version: 3.12.6
CVE: CVE-2021-29509
GHSA: GHSA-q28m-8xjw-8vr5
Criticality: High
URL: https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5
Title: Keepalive Connections Causing Denial Of Service in puma
Solution: upgrade to ~> 4.3.8, >= 5.3.1

Name: rack
Version: 2.0.8
CVE: CVE-2020-8184
GHSA: GHSA-j6w9-fv6q-3q52
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
Solution: upgrade to ~> 2.1.4, >= 2.2.3

Name: rack
Version: 2.0.8
CVE: CVE-2020-8161
GHSA: GHSA-5f9h-9pjv-v6j7
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA
Title: Directory traversal in Rack::Directory app bundled with Rack
Solution: upgrade to ~> 2.1.3, >= 2.2.0

Name: ruby_parser-legacy
Version: 1.0.0
CVE: CVE-2019-18409
GHSA: GHSA-hhwc-8g49-j8jx
Criticality: High
URL: https://github.com/zenspider/ruby_parser-legacy/issues/1
Title: ruby_parser-legacy world writable files allow local privilege escalation
Solution: remove or disable this gem until a patch is available!

hortongn commented 3 years ago

@bsp3ars Thanks for this. All of those action* gems will be remediated by upgrading to rails 5.2.4.6. Please create a new issue for "bundle update". For that issue we want to run a bundle update and also verify that the gems listed above are remediated.
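The follow-up issue asks for two things: run `bundle update`, then verify that the advisories listed above are actually remediated. The script below is an added example, not code from the ucrate repository or from bundler-audit; it reproduces bundler-audit's patched-version test (a version is remediated when it satisfies any one of the advisory's patched-version entries, and an entry may be a compound requirement such as `~> 6.0.3, >= 6.0.3.7`) and runs it over a lockfile. The advisory data is transcribed from the output in this issue; because bundler-audit prints the patched entries joined with `, `, the grouping of compound entries is an assumption. `LOCK_AFTER_UPDATE` is a constructed `Gemfile.lock` excerpt for a hypothetical post-update state (Rails gems at 5.2.4.6, everything else unchanged, ruby_parser-legacy removed), not the project's real lockfile.

```ruby
# Added example: re-check the advisories from this issue against a Gemfile.lock.
# Not part of the ucrate repo; mirrors bundler-audit's patched-version semantics.
require "rubygems"

# Transcribed from the bundler-audit output above. Grouping of compound
# requirements (e.g. "~> 6.0.3, >= 6.0.3.7") is an assumption, because the
# CLI prints all patched entries joined by ", ".
ADVISORIES = [
  { gem: "actionpack",    cve: "CVE-2021-22885", patched: ["~> 5.2.4.6", "~> 5.2.6", "~> 6.0.3, >= 6.0.3.7", ">= 6.1.3.2"] },
  { gem: "actionpack",    cve: "CVE-2020-8166",  patched: ["~> 5.2.4, >= 5.2.4.3", ">= 6.0.3.1"] },
  { gem: "actionpack",    cve: "CVE-2020-8164",  patched: ["~> 5.2.4, >= 5.2.4.3", ">= 6.0.3.1"] },
  { gem: "actionpack",    cve: "CVE-2021-22904", patched: ["~> 5.2.4.6", "~> 5.2.6", "~> 6.0.3, >= 6.0.3.7", ">= 6.1.3.2"] },
  { gem: "actionview",    cve: "CVE-2020-15169", patched: ["~> 5.2.4, >= 5.2.4.4", ">= 6.0.3.3"] },
  { gem: "actionview",    cve: "CVE-2020-5267",  patched: ["~> 5.2.4, >= 5.2.4.2", ">= 6.0.2.2"] },
  { gem: "actionview",    cve: "CVE-2020-8167",  patched: ["~> 5.2.4, >= 5.2.4.3", ">= 6.0.3.1"] },
  { gem: "activerecord",  cve: "CVE-2021-22880", patched: ["~> 5.2.4, >= 5.2.4.5", "~> 6.0.3, >= 6.0.3.5", ">= 6.1.2.1"] },
  { gem: "activesupport", cve: "CVE-2020-8165",  patched: ["~> 5.2.4, >= 5.2.4.3", ">= 6.0.3.1"] },
  { gem: "devise",        cve: "CVE-2019-16109", patched: [">= 4.7.1"] },
  { gem: "omniauth",      cve: "CVE-2015-9284",  patched: [">= 2.0.0"] },
  { gem: "puma",          cve: "CVE-2021-29509", patched: ["~> 4.3.8", ">= 5.3.1"] },
  { gem: "rack",          cve: "CVE-2020-8184",  patched: ["~> 2.1.4", ">= 2.2.3"] },
  { gem: "rack",          cve: "CVE-2020-8161",  patched: ["~> 2.1.3", ">= 2.2.0"] },
  # No patched release: the advisory says to remove or disable the gem.
  { gem: "ruby_parser-legacy", cve: "CVE-2019-18409", patched: [] },
].freeze

# Constructed Gemfile.lock excerpt for a hypothetical state after "bundle update"
# (not the repository's real lockfile). ruby_parser-legacy has been removed.
LOCK_AFTER_UPDATE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.4.6)
        actionview (= 5.2.4.6)
        rack (~> 2.0, >= 2.0.8)
      actionview (5.2.4.6)
      activerecord (5.2.4.6)
      activesupport (5.2.4.6)
      devise (4.6.0)
      omniauth (1.9.1)
      puma (3.12.6)
      rack (2.0.8)
LOCK

# True when the installed version satisfies at least one patched entry.
# Compound entries are split on ", " and handed to Gem::Requirement as
# separate constraints, so "~> 5.2.4, >= 5.2.4.3" means both at once.
def patched?(advisory, version_string)
  version = Gem::Version.new(version_string)
  advisory[:patched].any? do |entry|
    Gem::Requirement.new(*entry.split(", ")).satisfied_by?(version)
  end
end

# Resolved gems in Gemfile.lock sit under "specs:" indented by exactly four
# spaces as "name (version)"; their dependencies are indented further and skipped.
def parse_lockfile(text)
  text.scan(/^    (\S+) \(([^)]+)\)$/).to_h
end

# Advisories still open for the given { "gem" => "version" } map.
# A gem absent from the lockfile counts as remediated by removal.
def open_advisories(lockfile)
  ADVISORIES.reject do |adv|
    version = lockfile[adv[:gem]]
    version.nil? || patched?(adv, version)
  end
end

if __FILE__ == $PROGRAM_NAME
  open_advisories(parse_lockfile(LOCK_AFTER_UPDATE)).each do |adv|
    fix = adv[:patched].empty? ? "no fixed release, remove the gem" : "fixed in #{adv[:patched].join(' | ')}"
    puts "#{adv[:gem]}: #{adv[:cve]} still open (#{fix})"
  end
end
```

Running it against the constructed lockfile shows that 5.2.4.6 clears every action*, activerecord and activesupport advisory, while devise, omniauth, puma and rack stay open until they are bumped too; it also shows why the exact patch level matters, since 5.2.4.5 still fails the two High-criticality actionpack advisories. Replace `LOCK_AFTER_UPDATE` with `File.read("Gemfile.lock")` to check a real lockfile.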