Descriptive summary

Currently our version of Rails is 5.1.7; however, due to some security concerns I am recommending upgrading to 5.2.4.6 or higher.

The following reports should be fixed as a result:

Confidence: Medium
Category: Cross-Site Request Forgery
Check: CSRFTokenForgeryCVE
Message: Rails 5.1.7 has a vulnerability that may allow CSRF token forgery. Upgrade to Rails 5.2.4.3 or patch
File: Gemfile.lock
Line: 804

Name: actionpack
Version: 5.1.7
CVE: CVE-2021-22885
GHSA: GHSA-hjg4-8q5f-x6fm
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI
Title: Possible Information Disclosure / Unintended Method Execution in Action Pack
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionpack
Version: 5.1.7
CVE: CVE-2020-8166
GHSA: GHSA-jp5v-5gx4-jmj9
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
Title: Ability to forge per-form CSRF tokens given a global CSRF token
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.7
CVE: CVE-2020-8164
GHSA: GHSA-8727-m6gj-mc37
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
Title: Possible Strong Parameters Bypass in ActionPack
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: actionpack
Version: 5.1.7
CVE: CVE-2021-22904
GHSA: GHSA-7wjx-3g7j-8584
Criticality: High
URL: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
Title: Possible DoS Vulnerability in Action Controller Token Authentication
Solution: upgrade to ~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2

Name: actionview
Version: 5.1.7
CVE: CVE-2020-15169
GHSA: GHSA-cfjv-5498-mph5
Criticality: Unknown
URL: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc
Title: Potential XSS vulnerability in Action View
Solution: upgrade to ~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3

Name: actionview
Version: 5.1.7
CVE: CVE-2020-5267
GHSA: GHSA-65cv-r6x7-79hv
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
Title: Possible XSS vulnerability in ActionView
Solution: upgrade to ~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2

Name: actionview
Version: 5.1.7
CVE: CVE-2020-8167
GHSA: GHSA-xq5j-gw7f-jgj8
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
Title: CSRF Vulnerability in rails-ujs
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1

Name: activerecord
Version: 5.1.7
CVE: CVE-2021-22880
GHSA: GHSA-8hc4-xxm3-5ppp
Criticality: Medium
URL: https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI
Title: Possible DoS Vulnerability in Active Record PostgreSQL adapter
Solution: upgrade to ~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1

Name: activesupport
Version: 5.1.7
CVE: CVE-2020-8165
GHSA: GHSA-2p68-f74v-9wc6
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
Title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
Solution: upgrade to ~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1
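To confirm that 5.2.4.6 really closes every advisory listed above, here is an added Ruby check (written for this issue, not code from the project, Rails or bundler-audit): it feeds the flattened "Solution:" lines through RubyGems' own Gem::Requirement and reports which advisories a candidate version would leave open. The tool prints the advisory database's list of patched ranges joined with commas, which drops the grouping between a "~>" range and its ">=" floor; the regrouping rule used here (a ">=" belongs to the preceding "~>" group when its version falls inside that range) is an assumption.

```ruby
require "rubygems"

# Advisories as printed on this issue: gem, CVE, flattened "Solution:" line.
RAILS_ADVISORIES = [
  ["actionpack",    "CVE-2021-22885", "~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2"],
  ["actionpack",    "CVE-2020-8166",  "~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1"],
  ["actionpack",    "CVE-2020-8164",  "~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1"],
  ["actionpack",    "CVE-2021-22904", "~> 5.2.4.6, ~> 5.2.6, ~> 6.0.3, >= 6.0.3.7, >= 6.1.3.2"],
  ["actionview",    "CVE-2020-15169", "~> 5.2.4, >= 5.2.4.4, >= 6.0.3.3"],
  ["actionview",    "CVE-2020-5267",  "~> 5.2.4, >= 5.2.4.2, >= 6.0.2.2"],
  ["actionview",    "CVE-2020-8167",  "~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1"],
  ["activerecord",  "CVE-2021-22880", "~> 5.2.4, >= 5.2.4.5, ~> 6.0.3, >= 6.0.3.5, >= 6.1.2.1"],
  ["activesupport", "CVE-2020-8165",  "~> 5.2.4, >= 5.2.4.3, >= 6.0.3.1"],
].freeze

# The flattened line is a list of alternative patched ranges (OR); some ranges
# are a pessimistic "~>" constraint ANDed with a ">=" floor. Treating the whole
# line as one AND would be unsatisfiable ("~> 5.2.4.6" and "~> 5.2.6" exclude
# each other), so the grouping is rebuilt. Assumption: a ">=" joins the
# preceding "~>" group when its version lies inside that group's range.
def parse_solution(line)
  groups = []
  line.split(",").map(&:strip).each do |constraint|
    op, ver = constraint.split(/\s+/, 2)
    last = groups.last
    if op == ">=" && last && last.first.start_with?("~>") &&
       Gem::Requirement.new(last.first).satisfied_by?(Gem::Version.new(ver))
      last << constraint
    else
      groups << [constraint]
    end
  end
  groups.map { |g| Gem::Requirement.new(*g) }
end

# True when the candidate version falls inside at least one patched range.
def fixed_by?(candidate, solution_line)
  version = Gem::Version.new(candidate)
  parse_solution(solution_line).any? { |req| req.satisfied_by?(version) }
end

# Advisories from the list that a given target version would leave open.
def unresolved_advisories(candidate, advisories = RAILS_ADVISORIES)
  advisories.reject { |_gem, _cve, line| fixed_by?(candidate, line) }
            .map { |gem, cve, _line| "#{gem} #{cve}" }
end

if __FILE__ == $PROGRAM_NAME
  ["5.1.7", "5.2.4.3", "5.2.4.6"].each do |v|
    open = unresolved_advisories(v)
    puts "#{v}: #{open.empty? ? "all advisories resolved" : open.join(", ")}"
  end
end
```

Running it shows that 5.2.4.3 (the version named in the CSRF finding's message) still leaves four of the nine advisories open, while 5.2.4.6 resolves all of them.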