FastRuby Audit Tool Gemfile.lock Audit

44 Vulnerabilities found on your file


VULNERABLE GEM: actionpack@4.2.10

Name: actionpack
Version: 4.2.10

ID: CVE-2021-22885

Possible Information Disclosure / Unintended Method Execution in Action Pack

DESCRIPTION: There is a possible information disclosure / unintended method execution vulnerability in Action Pack which has been assigned the CVE identifier CVE-2021-22885.

Versions Affected: >= 2.0.0. Not affected: < 2.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

IMPACT
There is a possible information disclosure / unintended method execution vulnerability in Action Pack when using the redirect_to or polymorphic_url helper with untrusted user input. Vulnerable code will look like this:

    redirect_to(params[:some_param])

All users running an affected release should either upgrade or use one of the workarounds immediately.

WORKAROUNDS
To work around this problem, it is recommended to use an allow list for valid parameters passed from the user. For example:

    private

    def check(param)
      case param
      when "valid"
        param
      else
        "/"
      end
    end

    def index
      redirect_to(check(params[:some_param]))
    end

Or force the user input to be cast to a string like this:

    def index
      redirect_to(params[:some_param].to_s)
    end

VULNERABLE GEM: actionpack@4.2.10

Name: actionpack
Version: 4.2.10

ID: CVE-2020-8166

Ability to forge per-form CSRF tokens given a global CSRF token

DESCRIPTION: It is possible, given a global CSRF token such as the one present in the authenticity_token meta tag, to forge a per-form CSRF token for any action for that session.

Versions Affected: rails < 5.2.5, rails < 6.0.4. Not affected: Applications without existing HTML injection vulnerabilities. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

IMPACT
Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

WORKAROUNDS
This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.

VULNERABLE GEM: actionpack@4.2.10

Name: actionpack
Version: 4.2.10

ID: CVE-2021-22904

Possible DoS Vulnerability in Action Controller Token Authentication

DESCRIPTION: There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2021-22904.

Versions Affected: >= 4.0.0. Not affected: < 4.0.0. Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

IMPACT
Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication. Impacted code will look something like this:

    class PostsController < ApplicationController
      before_action :authenticate

      private

      def authenticate
        authenticate_or_request_with_http_token do |token, options|
          # ...
        end
      end
    end

All users running an affected release should either upgrade or use one of the workarounds immediately.

RELEASES
The fixed releases are available at the normal locations.

WORKAROUNDS
The following monkey patch placed in an initializer can be used to work around the issue:

    module ActionController::HttpAuthentication::Token
      AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
    end

VULNERABLE GEM: actionpack@4.2.10

Name: actionpack
Version: 4.2.10

ID: CVE-2020-8164

Possible Strong Parameters Bypass in ActionPack

DESCRIPTION: There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3. Not affected: rails < 4.0.0. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

IMPACT
In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically, the return value of each, each_value, or each_pair will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input. Impacted code will look something like this:

    def update
      # Attacker has included the parameter: `{ is_admin: true }`
      User.update(clean_up_params)
    end

    def clean_up_params
      params.each { |k, v| SomeModel.check(v) if k == :name }
    end

Note the mistaken use of each in the clean_up_params method in the above example.

WORKAROUNDS
Do not use the return values of each, each_value, or each_pair in your application.

VULNERABLE GEM: actionview@4.2.10

Name: actionview
Version: 4.2.10

ID: CVE-2020-5267

Possible XSS vulnerability in ActionView

DESCRIPTION: There is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks.

Versions Affected: All. Not affected: None. Fixed Versions: 6.0.2.2, 5.2.4.2

IMPACT
There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this: or