Created March 13, 2020 20:37
Gist: bronzdoc/05179f5ee1aca530e8090e9ca6c703ab
Insecure Source URI found: http://rubygems.org/

Name: RedCloth
Version: 4.2.9
Advisory: CVE-2012-6684
Criticality: Medium
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6684
Title: RedCloth Gem for Ruby Textile Link Parsing XSS
Solution: upgrade to >= 4.3.0

Name: actionpack
Version: 2.3.18
Advisory: CVE-2016-2098
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Title: Possible remote code execution vulnerability in Action Pack
Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14

Name: actionpack
Version: 2.3.18
Advisory: CVE-2014-0081
Criticality: Medium
URL: http://osvdb.org/show/osvdb/103439
Title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2

Name: actionpack
Version: 2.3.18
Advisory: CVE-2015-7576
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 2.3.18
Advisory: CVE-2013-6415
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
Title: XSS Vulnerability in number_to_currency
Solution: upgrade to ~> 3.2.16, >= 4.0.2

Name: actionpack
Version: 2.3.18
Advisory: CVE-2013-6417
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
Title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
Solution: upgrade to ~> 3.2.16, >= 4.0.2

Name: actionpack
Version: 2.3.18
Advisory: CVE-2012-1099
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/79727
Title: Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb Manually Generated Select Tag Options XSS
Solution: upgrade to ~> 3.0.12, ~> 3.1.4, >= 3.2.2

Name: actionpack
Version: 2.3.18
Advisory: CVE-2014-0130
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
Title: Directory Traversal Vulnerability With Certain Route Configurations
Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1

Name: actionpack
Version: 2.3.18
Advisory: CVE-2012-3424
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/84243
Title: Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS
Solution: upgrade to ~> 3.0.16, ~> 3.1.7, >= 3.2.7

Name: actionpack
Version: 2.3.18
Advisory: CVE-2016-0752
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 2.3.18
Advisory: CVE-2016-0751
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to >= 5.0.0.beta1.1, >= 4.2.5.1, ~> 4.2.5, >= 4.1.14.1, ~> 4.1.14, ~> 3.2.22.1

Name: actionpack
Version: 2.3.18
Advisory: CVE-2012-3465
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/84513
Title: Ruby on Rails strip_tags Helper Method XSS
Solution: upgrade to ~> 3.0.17, ~> 3.1.8, >= 3.2.8

Name: actionpack
Version: 2.3.18
Advisory: CVE-2014-0082
Criticality: Medium
URL: http://osvdb.org/show/osvdb/103440
Title: Denial of Service Vulnerability in Action View when using render :text
Solution: upgrade to >= 3.2.17

Name: actionpack
Version: 2.3.18
Advisory: CVE-2011-4319
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
Title: XSS vulnerability in the translate helper method in Ruby on Rails
Solution: upgrade to ~> 3.0.11, >= 3.1.2

Name: actionpack
Version: 2.3.18
Advisory: CVE-2013-4491
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
Title: Reflective XSS Vulnerability in Ruby on Rails
Solution: upgrade to ~> 3.2.16, >= 4.0.2

Name: actionpack
Version: 2.3.18
Advisory: CVE-2016-2097
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2

Name: activerecord
Version: 2.3.18
Advisory: CVE-2014-3482
Criticality: Unknown
URL: http://osvdb.org/show/osvdb/108664
Title: SQL Injection Vulnerability in Active Record
Solution: upgrade to ~> 3.2.19

Name: activerecord
Version: 2.3.18
Advisory: CVE-2012-6496
Criticality: Medium
URL: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
Title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
Solution: upgrade to ~> 3.0.18, ~> 3.1.9, >= 3.2.10

Name: activerecord
Version: 2.3.18
Advisory: CVE-2012-2660
Criticality: High
URL: http://www.osvdb.org/show/osvdb/82610
Title: Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query Arbitrary IS NULL Clause Injection
Solution: upgrade to ~> 3.0.13, ~> 3.1.5, >= 3.2.4

Name: activesupport
Version: 2.3.18
Advisory: CVE-2012-3464
Criticality: Medium
URL: http://www.osvdb.org/show/osvdb/84516
Title: Ruby on Rails HTML Escaping Code XSS
Solution: upgrade to ~> 3.0.17, ~> 3.1.8, >= 3.2.8

Name: activesupport
Version: 2.3.18
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Name: ffi
Version: 1.9.3
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24

Name: haml
Version: 3.1.8
Advisory: CVE-2017-1002201
Criticality: Medium
URL: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
Title: haml failure to escape single quotes
Solution: upgrade to >= 5.0.0.beta.2

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2019-5477
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1915
Title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
Solution: upgrade to >= 1.10.4

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2019-11068
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2017-9050
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1673
Title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
Solution: upgrade to >= 1.8.1

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2018-14404
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2017-15412
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.2

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2015-1819
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.5.10
Advisory: 118481
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Solution: upgrade to >= 1.6.3

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2016-4658
Criticality: High
URL: https://github.com/sparklemotion/nokogiri/issues/1615
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to >= 1.7.1

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2013-6461
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/101458
Title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS
Solution: upgrade to ~> 1.5.11, >= 1.6.1

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2017-5029
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1634
Title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
Solution: upgrade to >= 1.7.2

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2018-8048
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/pull/1746
Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
Solution: upgrade to >= 1.8.3

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2013-6460
Criticality: Medium
URL: http://osvdb.org/show/osvdb/101179
Title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
Solution: upgrade to ~> 1.5.11, >= 1.6.1

Name: nokogiri
Version: 1.5.10
Advisory: CVE-2017-16932
Criticality: Unknown
URL: https://github.com/sparklemotion/nokogiri/issues/1714
Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
Solution: upgrade to >= 1.8.1

Name: paperclip
Version: 2.3.6
Advisory: CVE-2015-2963
Criticality: Medium
URL: https://robots.thoughtbot.com/paperclip-security-release
Title: Paperclip Gem for Ruby vulnerable to content type spoofing
Solution: upgrade to >= 4.2.2

Name: paperclip
Version: 2.3.6
Advisory: CVE-2017-0889
Criticality: High
URL: https://github.com/thoughtbot/paperclip/pull/2435
Title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
Solution: upgrade to >= 5.2.0

Name: paperclip
Version: 2.3.6
Advisory: 103151
Criticality: Unknown
URL: http://osvdb.org/show/osvdb/103151
Title: Paperclip Gem for Ruby contains a flaw
Solution: upgrade to >= 4.0.0

Name: rack
Version: 1.1.6
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6

Name: rack
Version: 1.1.6
Advisory: CVE-2015-3225
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Title: Potential Denial of Service Vulnerability in Rack
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

Name: rack
Version: 1.1.6
Advisory: CVE-2013-0262
Criticality: Medium
URL: http://osvdb.org/show/osvdb/89938
Title: Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure
Solution: upgrade to ~> 1.4.5, >= 1.5.2

Name: rack
Version: 1.1.6
Advisory: CVE-2013-0183
Criticality: Medium
URL: http://osvdb.org/show/osvdb/89320
Title: Rack Long String Parsing Memory Consumption Remote DoS
Solution: upgrade to ~> 1.3.8, >= 1.4.3

Name: rubyzip
Version: 0.9.9
Advisory: CVE-2019-16892
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/pull/403
Title: Denial of Service in rubyzip ("zip bombs")
Solution: upgrade to >= 1.3.0

Name: rubyzip
Version: 0.9.9
Advisory: CVE-2017-5946
Criticality: High
URL: https://github.com/rubyzip/rubyzip/issues/315
Title: Directory traversal vulnerability in rubyzip
Solution: upgrade to >= 1.2.1

Name: rubyzip
Version: 0.9.9
Advisory: CVE-2018-1000544
Criticality: Unknown
URL: https://github.com/rubyzip/rubyzip/issues/369
Title: Directory Traversal in rubyzip
Solution: upgrade to >= 1.2.2

Vulnerabilities found!
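The report above lists each advisory separately, so triaging it by hand means answering two questions per gem: which single version closes every advisory listed for it, and which advisories a given upgrade would still leave open. The "Solution:" lines make that harder than it looks, because bundler-audit prints an advisory's patched version list joined with ", ", which flattens a patched line such as "~> 4.2.5, >= 4.2.5.2" (both constraints required) into the same list as the alternatives "~> 3.2.22.2" and "~> 4.1.14". The following Ruby script is an added example, not part of the gist and not bundler-audit's own code: it parses the report format, reconstructs the constraint groups with a labelled heuristic, and computes the lowest fix version per gem. The sample report embedded in it is constructed from a handful of entries copied from the page; the grouping rule and all function names are assumptions of this example.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement ship with RubyGems; no extra gems needed

# Constructed sample: a few entries copied from the bundler-audit report above.
SAMPLE_REPORT = <<~'REPORT'
  Insecure Source URI found: http://rubygems.org/
  Name: actionpack
  Version: 2.3.18
  Advisory: CVE-2016-2098
  Criticality: Unknown
  URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
  Title: Possible remote code execution vulnerability in Action Pack
  Solution: upgrade to ~> 3.2.22.2, >= 4.2.5.2, ~> 4.2.5, >= 4.1.14.2, ~> 4.1.14
  Name: actionpack
  Version: 2.3.18
  Advisory: CVE-2014-0081
  Solution: upgrade to ~> 3.2.17, ~> 4.0.3, >= 4.1.0.beta2
  Name: nokogiri
  Version: 1.5.10
  Advisory: CVE-2013-6461
  Solution: upgrade to ~> 1.5.11, >= 1.6.1
  Name: nokogiri
  Version: 1.5.10
  Advisory: CVE-2019-5477
  Solution: upgrade to >= 1.10.4
  Vulnerabilities found!
REPORT

Finding = Struct.new(:name, :version, :advisory, :criticality, :url, :title, :solution)

# Parse the "Key: value" blocks; a "Name:" line starts a new finding.
# Returns [insecure_source_uris, findings].
def parse_report(text)
  sources, findings, current = [], [], nil
  text.each_line do |raw|
    case raw.strip
    when /\AInsecure Source URI found: (\S+)/ then sources << $1
    when /\AName: (.+)/                        then findings << (current = Finding.new($1))
    when /\A(Version|Advisory|Criticality|URL|Title|Solution): (.*)/
      next unless current
      current[$1.downcase] = $1 == "Solution" ? $2.sub(/\Aupgrade to /, "") : $2
    end
  end
  [sources, findings]
end

# Heuristic reconstruction of the groups the flattened "Solution:" line lost (an
# assumption of this example, not bundler-audit's logic): a ">= X" joins a "~> Y" when
# X lies inside Y's pessimistic range and shares Y's release line; every other
# constraint stands alone. Each returned Gem::Requirement is one acceptable alternative.
def solution_groups(solution)
  constraints = solution.split(",").map(&:strip)
  pessimistic = constraints.select { |c| c.start_with?("~>") }
  minimums    = constraints.select { |c| c.start_with?(">=") }
  others      = constraints - pessimistic - minimums
  grouped = []
  groups = pessimistic.map do |pess|
    line = Gem::Version.new(pess.delete("~>").strip).segments[0...-1]
    partners = minimums.select do |min|
      v = Gem::Version.new(min.delete(">=").strip)
      Gem::Requirement.new(pess).satisfied_by?(v) && v.segments.first(line.size) == line
    end
    grouped.concat(partners)
    Gem::Requirement.new(pess, *partners)
  end
  groups + (minimums - grouped + others).map { |c| Gem::Requirement.new(c) }
end

# A candidate version closes a finding when it satisfies at least one alternative.
def patched?(finding, candidate)
  v = Gem::Version.new(candidate)
  solution_groups(finding.solution).any? { |req| req.satisfied_by?(v) }
end

# Findings that a proposed set of upgrade targets ({"gem" => "version"}) would leave open.
def remaining_after_upgrade(findings, targets)
  findings.reject { |f| targets[f.name] && patched?(f, targets[f.name]) }
end

# Lowest version per gem that closes every advisory listed for it. The minimum of an
# intersection of left-closed version ranges is always one of the ranges' lower bounds,
# so only those bounds need testing; nil means no single version satisfies them all.
def minimum_fix_versions(findings)
  findings.group_by(&:name).transform_values do |gem_findings|
    bounds = gem_findings.flat_map do |f|
      solution_groups(f.solution).map { |req| req.requirements.map { |_op, v| v }.max }
    end
    bounds.uniq.sort.find { |v| gem_findings.all? { |f| patched?(f, v.to_s) } }&.to_s
  end
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_REPORT : File.read(ARGV[0]) # pass a saved report to triage it
  sources, findings = parse_report(text)
  sources.each { |s| puts "insecure gem source #{s}: change the Gemfile source to https" }
  minimum_fix_versions(findings).each { |gem, v| puts "#{gem}: upgrade to #{v || 'no single version'}" }
end
```

Run it as `ruby triage.rb report.txt` against a saved `bundle-audit check` output, or with no argument to use the embedded sample. Two caveats apply when using the result: the grouping is a reconstruction, so confirm the patched lines in the advisory's YAML in ruby-advisory-db before pinning a version, and the "Insecure Source URI" line is fixed separately by changing `source "http://rubygems.org"` to `source "https://rubygems.org"` in the Gemfile, since no gem upgrade addresses it.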