getrapidus's Introduction

Get Rapidus App via One Month Rails

This is the Get Rapidus sample application, built following the [One Month Rails](http://onemonth.com) course.

By Diego

getrapidus's People

Contributors

diageo

getrapidus's Issues

CVE-2017-9050 High Severity Vulnerability detected by WhiteSource

CVE-2017-9050 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.5.11.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn't solve your problems, you are not using
enough of it.

path: /var/lib/gems/2.3.0/cache/nokogiri-1.5.11.gem

Library home page: http://rubygems.org/gems/nokogiri-1.5.11.gem

Dependency Hierarchy:

  • aws-sdk-1.20.0.gem (Root Library)
    • nokogiri-1.5.11.gem (Vulnerable Library)

Vulnerability Details

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

Publish Date: 2017-05-18

URL: CVE-2017-9050

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201711-01

Release Date: 2017-11-10

Fix Resolution: All libxml2 users should upgrade to the latest version >= libxml2-2.9.4-r3 (this is the Gentoo GLSA wording). Which component actually needs upgrading depends on how nokogiri was built: nokogiri 1.5.x links against the system libxml2, so patching the system library fixes this gem; nokogiri 1.6 and later compile and link a bundled copy of libxml2 by default, which only a gem upgrade, or a rebuild with --use-system-libraries against a patched system library, replaces. Nokogiri::VERSION_INFO reports the libxml2 version actually loaded at runtime, which is the quickest way to confirm which case applies.


Step up your Open Source Security Game with WhiteSource here

CVE-2015-9097 Medium Severity Vulnerability detected by WhiteSource

CVE-2015-9097 - Medium Severity Vulnerability

Vulnerable Library - mail-2.5.4.gem

A really Ruby Mail handler.

path: /var/lib/gems/2.3.0/cache/mail-2.5.4.gem

Library home page: http://rubygems.org/gems/mail-2.5.4.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem
      • actionmailer-5.2.3.gem
        • mail-2.5.4.gem (Vulnerable Library)

Vulnerability Details

The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

Publish Date: 2017-06-12

URL: CVE-2015-9097

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9097

Release Date: 2017-06-12

Fix Resolution: 2.5.5


CVE-2017-0889 High Severity Vulnerability detected by WhiteSource

CVE-2017-0889 - High Severity Vulnerability

Vulnerable Library - paperclip-3.5.4.gem

Easy upload management for ActiveRecord

path: /gems/2.3.0/cache/paperclip-3.5.4.gem

Library home page: http://rubygems.org/gems/paperclip-3.5.4.gem

Dependency Hierarchy:

  • paperclip-3.5.4.gem (Vulnerable Library)

Vulnerability Details

Paperclip Ruby gem version 3.1.4 and later suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.

Publish Date: 2017-11-13

URL: CVE-2017-0889

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Change files

Origin: thoughtbot/paperclip@d3d63aa

Release Date: 2017-04-21

Fix Resolution: Replace or update the following files: nil_adapter.rb, uploaded_file_adapter.rb, stringio_adapter.rb, http_url_proxy_adapter.rb, data_uri_adapter_spec.rb, Gemfile, uri_adapter_spec.rb, 4.2.gemfile, 5.0.gemfile, empty_string_adapter.rb, registry.rb, identity_adapter.rb, uri_adapter.rb, rails_steps.rb, file_adapter.rb, http_url_proxy_adapter_spec.rb, attachment_adapter.rb, env.rb, data_uri_adapter.rb, basic_integration.feature

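The SSRF above arises when a user-supplied URL is handed to an adapter that fetches it from the server. The pre-flight check below is an added example, not code from getrapidus or from the paperclip gem: it refuses non-HTTP schemes, credentials in the URL, unusual ports, and any host literal (or caller-supplied resolved address) in loopback, RFC 1918, link-local (where the 169.254.169.254 cloud metadata endpoint lives) or carrier-NAT space. The range list, port list and helper names are this example's assumptions.

```ruby
require 'uri'
require 'ipaddr'

# Address ranges a server-side fetch should never reach: loopback, RFC 1918,
# link-local (169.254.169.254 metadata endpoints), carrier NAT, and the IPv6
# counterparts. Assumed list for this example; extend it for your network.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

ALLOWED_SCHEMES = %w[http https].freeze
ALLOWED_PORTS   = [80, 443].freeze

# True when `ip` is an address literal inside a blocked range. Non-address
# strings (hostnames) return false; they still need resolving (see below).
def blocked_ip?(ip)
  addr = ip.is_a?(IPAddr) ? ip : IPAddr.new(ip)
  # ::ffff:10.0.0.1 is 10.0.0.1 in disguise; check it in its IPv4 form.
  addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  false
end

# Returns [true, nil] when the URL is acceptable to fetch, else [false, reason].
# `resolved_ip` is the address the caller obtained for the host via DNS; the
# check is incomplete without it, because a public hostname can resolve to an
# internal address. DNS is not consulted here so the example runs offline.
def allowed_fetch_url?(url, resolved_ip: nil)
  uri = URI.parse(url)
  return [false, "scheme #{uri.scheme.inspect} is not http(s)"] unless ALLOWED_SCHEMES.include?(uri.scheme)
  host = uri.hostname
  return [false, 'missing host'] if host.nil? || host.empty?
  return [false, 'credentials in URL'] if uri.userinfo
  return [false, "port #{uri.port} is not allowed"] unless ALLOWED_PORTS.include?(uri.port)
  return [false, 'localhost is not allowed'] if host.casecmp?('localhost')
  return [false, "host literal #{host} is in a blocked range"] if blocked_ip?(host)
  return [false, "#{host} resolves to blocked address #{resolved_ip}"] if resolved_ip && blocked_ip?(resolved_ip)
  [true, nil]
rescue URI::InvalidURIError => e
  [false, "unparseable URL: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  %w[https://example.com/avatar.png http://169.254.169.254/latest/meta-data/ file:///etc/passwd].each do |u|
    ok, why = allowed_fetch_url?(u)
    puts "#{u}: #{ok ? 'allowed' : "rejected (#{why})"}"
  end
end
```

Two things the literal check cannot cover on its own: the hostname must be resolved and the resulting address passed back in as `resolved_ip` (and the fetch should connect to that same address, not re-resolve, to defeat DNS rebinding), and HTTP redirects must be re-validated with the same function before they are followed.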

CVE-2016-2097 Medium Severity Vulnerability detected by WhiteSource

CVE-2016-2097 - Medium Severity Vulnerability

Vulnerable Library - rails-4.1.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

path: /var/lib/gems/2.3.0/cache/rails-4.1.2.gem

Library home page: http://rubygems.org/gems/rails-4.1.2.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem (Vulnerable Library)

Vulnerability Details

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-0752.

Publish Date: 2016-04-07

URL: CVE-2016-2097

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2097

Release Date: 2016-04-07

Fix Resolution: 3.2.22.2,4.1.14.2


CVE-2014-10077 High Severity Vulnerability detected by WhiteSource

CVE-2014-10077 - High Severity Vulnerability

Vulnerable Library - i18n-0.6.9.gem

New wave Internationalization support for Ruby.

path: /var/lib/gems/2.3.0/cache/i18n-0.6.9.gem

Library home page: http://rubygems.org/gems/i18n-0.6.9.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem
      • actionmailer-5.2.3.gem
        • actionpack-5.2.3.gem
          • actionview-5.2.3.gem
            • activesupport-5.2.3.gem
              • i18n-0.6.9.gem (Vulnerable Library)

Vulnerability Details

Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.

Publish Date: 2018-11-06

URL: CVE-2014-10077

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10077

Release Date: 2018-11-06

Fix Resolution: 0.8.0


CVE-2016-2098 High Severity Vulnerability detected by WhiteSource

CVE-2016-2098 - High Severity Vulnerability

Vulnerable Library - rails-4.1.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

path: /var/lib/gems/2.3.0/cache/rails-4.1.2.gem

Library home page: http://rubygems.org/gems/rails-4.1.2.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem (Vulnerable Library)

Vulnerability Details

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

Publish Date: 2016-04-07

URL: CVE-2016-2098

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2098

Release Date: 2016-04-07

Fix Resolution: 3.2.22.2,4.1.14.2,4.2.5.2


CVE-2015-1840 Medium Severity Vulnerability detected by WhiteSource

CVE-2015-1840 - Medium Severity Vulnerability

Vulnerable Library - jquery-rails-3.1.1.gem

This gem provides jQuery and the jQuery-ujs driver for your Rails 3+ application.

path: /gems/2.3.0/cache/jquery-rails-3.1.1.gem

Library home page: http://rubygems.org/gems/jquery-rails-3.1.1.gem

Dependency Hierarchy:

  • jquery-rails-3.1.1.gem (Vulnerable Library)

Vulnerability Details

jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value.

Publish Date: 2015-07-26

URL: CVE-2015-1840

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-1840

Release Date: 2015-07-26

Fix Resolution: jquery-rails - 3.1.3,4.0.4;jquery-ujs - 1.0.4


CVE-2015-8314 Medium Severity Vulnerability detected by WhiteSource

CVE-2015-8314 - Medium Severity Vulnerability

Vulnerable Library - devise-3.2.4.gem

Flexible authentication solution for Rails with Warden

path: /gems/2.3.0/cache/devise-3.2.4.gem

Library home page: http://rubygems.org/gems/devise-3.2.4.gem

Dependency Hierarchy:

  • devise-3.2.4.gem (Vulnerable Library)

Vulnerability Details

Devise version before 3.5.4 uses cookies to implement a "Remember me" functionality. However, it generates the same cookie for all devices.
If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.

Publish Date: 2015-12-16

URL: CVE-2015-8314

CVSS 2 Score Details (5.1)

Base Score Metrics not available

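The design that avoids the weakness described above is a separate random token per login, stored only as a hash, with an expiry and per-device revocation. The in-memory store below is an added example, not Devise's code or the fix Devise shipped; the store, user ids, the 14-day lifetime and the injectable clock are this example's assumptions.

```ruby
require 'securerandom'
require 'digest'

# Per-device "remember me" tokens (example, not Devise's implementation).
# Each login gets its own random token; only its SHA-256 is kept server-side,
# so a leaked table does not yield usable cookies; every token expires and can
# be revoked on its own without logging out the user's other devices.
class RememberStore
  Record = Struct.new(:user_id, :expires_at)

  def initialize(lifetime: 14 * 24 * 3600, clock: -> { Time.now })
    @lifetime = lifetime
    @clock = clock
    @records = {} # SHA-256(token) => Record
  end

  # Issue a new token for one device; the raw value goes in the cookie.
  def issue(user_id)
    raw = SecureRandom.urlsafe_base64(32)
    @records[digest(raw)] = Record.new(user_id, @clock.call + @lifetime)
    raw
  end

  # Returns the user id for a presented cookie, or nil if unknown or expired.
  def authenticate(raw)
    key = digest(raw)
    rec = @records[key]
    return nil unless rec
    if rec.expires_at <= @clock.call
      @records.delete(key)
      return nil
    end
    rec.user_id
  end

  # Revoke one device's token ("log out this device"). True if it existed.
  def revoke(raw)
    !@records.delete(digest(raw)).nil?
  end

  # Revoke every token for a user (password change, suspected compromise).
  def revoke_all(user_id)
    @records.delete_if { |_, rec| rec.user_id == user_id }
    nil
  end

  private

  def digest(raw)
    Digest::SHA256.hexdigest(raw)
  end
end
```

The clock is injected so expiry can be exercised deterministically; in an application it would be the real time. Because the stored value is a hash of a 256-bit random token, lookup by hash key is safe without constant-time comparison.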

WS-2015-0029 Medium Severity Vulnerability detected by WhiteSource

WS-2015-0029 - Medium Severity Vulnerability

Vulnerable Library - mail-2.5.4.gem

A really Ruby Mail handler.

path: /var/lib/gems/2.3.0/cache/mail-2.5.4.gem

Library home page: http://rubygems.org/gems/mail-2.5.4.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem
      • actionmailer-5.2.3.gem
        • mail-2.5.4.gem (Vulnerable Library)

Vulnerability Details

Because the Mail Gem for Ruby does not validate or impose a length limit on email address fields, an attacker can modify messages sent with the gem via a specially-crafted recipient email address.

Publish Date: 2015-12-09

URL: WS-2015-0029

CVSS 2 Score Details (5.9)

Base Score Metrics not available

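Both mail-2.5.4 findings on this page come down to envelope addresses reaching the SMTP layer unvalidated: CVE-2015-9097 (CRLF sequences in RCPT TO / MAIL FROM become extra commands) and WS-2015-0029 (no length limit on address fields). The toy below is an added example, not code from getrapidus or from the mail gem: it renders the envelope commands a client would send, first with the addresses passed straight through and then behind a validator that rejects control characters, angle brackets and over-long values. The helper names and the 254-character cap are this example's assumptions.

```ruby
CRLF = "\r\n".freeze
SMTP_VERB = /\A(EHLO|HELO|MAIL|RCPT|DATA|RSET|VRFY|EXPN|NOOP|QUIT)\b/i

# Vulnerable: the envelope addresses are interpolated into the protocol as-is,
# so a CRLF inside one of them starts a new command line on the wire.
def build_envelope_unchecked(from, to)
  "MAIL FROM:<#{from}>#{CRLF}RCPT TO:<#{to}>#{CRLF}DATA#{CRLF}"
end

# The SMTP verbs actually present in a rendered envelope. One sender and one
# recipient should produce exactly MAIL, RCPT, DATA.
def smtp_commands(envelope)
  envelope.split(CRLF).map { |line| line[SMTP_VERB, 1] }.compact.map(&:upcase)
end

class UnsafeAddress < StandardError; end

MAX_ADDRESS_LENGTH = 254 # RFC 5321 path limit (assumed cap for this example)

# Hardened: reject anything the server could read as protocol rather than as
# an address. Control characters never occur in a legitimate envelope address,
# angle brackets would close the <path>, and the cap blocks padding attacks.
def validate_envelope_address!(addr)
  raise UnsafeAddress, 'control character in address' if addr.match?(/[\x00-\x1f\x7f]/)
  raise UnsafeAddress, 'angle bracket in address' if addr.include?('<') || addr.include?('>')
  raise UnsafeAddress, 'address too long' if addr.length > MAX_ADDRESS_LENGTH
  addr
end

def build_envelope_checked(from, to)
  build_envelope_unchecked(validate_envelope_address!(from), validate_envelope_address!(to))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-controlled recipient: closes the <...> path, then
  # smuggles a DATA command and a second recipient, as the CVE describes.
  evil = "victim@example.com>\r\nDATA\r\nSubject: spam\r\n\r\nbody\r\n.\r\nRCPT TO:<other@example.com"
  p smtp_commands(build_envelope_unchecked('app@example.com', evil)) # five verbs instead of three
  begin
    build_envelope_checked('app@example.com', evil)
  rescue UnsafeAddress => e
    puts "rejected: #{e.message}"
  end
end
```

Counting the verbs on the wire is a useful way to test a mail path: a fixed number of recipients must always yield a fixed number of commands, whatever the address strings contain.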

CVE-2016-0752 High Severity Vulnerability detected by WhiteSource

CVE-2016-0752 - High Severity Vulnerability

Vulnerable Library - rails-4.1.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

path: /var/lib/gems/2.3.0/cache/rails-4.1.2.gem

Library home page: http://rubygems.org/gems/rails-4.1.2.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem (Vulnerable Library)

Vulnerability Details

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Publish Date: 2016-02-16

URL: CVE-2016-0752

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0752

Release Date: 2016-02-16

Fix Resolution: 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1

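The three Action View / Action Pack advisories on this page (CVE-2016-0752, CVE-2016-2097 and CVE-2016-2098) share one root cause: user input passed to `render` without restriction. The plain-Ruby model below is an added example, not code from getrapidus or from Rails, and renders nothing; it reproduces the two behaviours the advisories describe. A String is resolved as a template path relative to the views root, so `..` walks out of it (the file-read vulnerabilities), and a Hash is treated as render options, which is how `?t[inline]=...` becomes `render inline: ...` in the published exploit path for CVE-2016-2098. The views root, the template list and the helper names are this example's assumptions.

```ruby
# Model of `render params[:template]` (example code, not Rails internals).
VIEWS_ROOT = '/srv/app/app/views'.freeze

# Vulnerable: whatever the request carried is handed to render unchanged.
def resolve_unrestricted(user_input)
  case user_input
  when Hash
    # Rails treats a Hash argument as render options, e.g.
    # { "inline" => "<%= `id` %>" } => evaluated as an ERB template.
    { options: user_input }
  else
    # A String is looked up relative to the views root; nothing stops "..".
    { file: File.expand_path(user_input.to_s, VIEWS_ROOT) }
  end
end

# Hardened: the request may only choose among templates the app enumerates,
# and only by a String name; structured params never reach render.
TEMPLATES = %w[welcome about pricing].freeze
class ForbiddenTemplate < StandardError; end

def resolve_allowlisted(user_input)
  name = user_input.is_a?(String) ? user_input : nil
  raise ForbiddenTemplate, "not a template name: #{user_input.inspect}" unless TEMPLATES.include?(name)
  { template: "pages/#{name}" }
end

# True when a resolved file path is still under the views root.
def inside_views_root?(path)
  path.start_with?(VIEWS_ROOT + '/')
end

if __FILE__ == $PROGRAM_NAME
  p resolve_unrestricted('../../../../etc/passwd')            # escapes the views root
  p resolve_unrestricted({ 'inline' => '<%= `id` %>' })        # attacker-chosen render options
  p resolve_allowlisted('about')
  begin
    resolve_allowlisted('../../../../etc/passwd')
  rescue ForbiddenTemplate => e
    puts "rejected: #{e.message}"
  end
end
```

In a controller the equivalent is `render template: "pages/#{name}"` only after `name` has passed an allowlist, never `render params[:anything]`; upgrading to the patched Rails versions limits the damage but the pattern itself remains a bug.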

WS-2015-0033 Medium Severity Vulnerability detected by WhiteSource

WS-2015-0033 - Medium Severity Vulnerability

Vulnerable Library - uglifier-2.5.1.gem

Uglifier minifies JavaScript files by wrapping UglifyJS to be accessible in Ruby

path: /gems/2.3.0/cache/uglifier-2.5.1.gem

Library home page: http://rubygems.org/gems/uglifier-2.5.1.gem

Dependency Hierarchy:

  • uglifier-2.5.1.gem (Vulnerable Library)

Vulnerability Details

The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted JavaScript file to have altered functionality after minification.

Publish Date: 2015-07-21

URL: WS-2015-0033

CVSS 2 Score Details (6.3)

Base Score Metrics not available


CVE-2015-2963 Medium Severity Vulnerability detected by WhiteSource

CVE-2015-2963 - Medium Severity Vulnerability

Vulnerable Library - paperclip-3.5.4.gem

Easy upload management for ActiveRecord

path: /gems/2.3.0/cache/paperclip-3.5.4.gem

Library home page: http://rubygems.org/gems/paperclip-3.5.4.gem

Dependency Hierarchy:

  • paperclip-3.5.4.gem (Vulnerable Library)

Vulnerability Details

The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.

Publish Date: 2015-07-10

URL: CVE-2015-2963

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-2963

Release Date: 2015-07-10

Fix Resolution: 4.2.2

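The validation gap described above is trusting the client-declared Content-Type. The added example below is not paperclip's code: it sniffs the leading bytes of an upload and requires them to agree with the declared type, so an HTML document labelled image/jpeg is refused while the declared-type-only check lets it through. The signature table and the sample payloads are constructed for the example.

```ruby
# Magic-byte signatures for the image types this example allows.
MAGIC = {
  'image/jpeg' => ["\xFF\xD8\xFF".b],
  'image/png'  => ["\x89PNG\r\n\x1A\n".b],
  'image/gif'  => ['GIF87a'.b, 'GIF89a'.b],
}.freeze

# Media type implied by the file's first bytes, or nil when unrecognised.
def sniff_media_type(bytes)
  head = bytes.b[0, 16]
  MAGIC.each do |type, signatures|
    return type if signatures.any? { |sig| head.start_with?(sig) }
  end
  nil
end

# Vulnerable pattern: only the client's declared type is consulted, so any
# payload passes if it arrives with an allowed Content-Type header.
def declared_type_allowed?(declared, allowed = MAGIC.keys)
  allowed.include?(declared)
end

# Hardened pattern: the declared type must be allowed AND match the bytes.
def upload_allowed?(declared, bytes, allowed = MAGIC.keys)
  return false unless allowed.include?(declared)
  sniff_media_type(bytes) == declared
end

# Constructed sample payloads.
HTML_AS_JPEG   = '<html><script>alert(document.cookie)</script></html>'.b
REAL_JPEG_HEAD = "\xFF\xD8\xFF\xE0\x00\x10JFIF\x00".b

if __FILE__ == $PROGRAM_NAME
  puts "declared-only check on HTML labelled image/jpeg: #{declared_type_allowed?('image/jpeg')}"
  puts "sniffing check on the same upload:               #{upload_allowed?('image/jpeg', HTML_AS_JPEG)}"
  puts "sniffing check on a real JPEG header:            #{upload_allowed?('image/jpeg', REAL_JPEG_HEAD)}"
end
```

Serving uploads from a separate origin with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff` is the complementary control: even a file that passes validation then cannot run script in the application's origin.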

CVE-2016-0751 High Severity Vulnerability detected by WhiteSource

CVE-2016-0751 - High Severity Vulnerability

Vulnerable Library - rails-4.1.2.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

path: /var/lib/gems/2.3.0/cache/rails-4.1.2.gem

Library home page: http://rubygems.org/gems/rails-4.1.2.gem

Dependency Hierarchy:

  • masonry-rails-0.2.1.gem (Root Library)
    • rails-4.1.2.gem (Vulnerable Library)

Vulnerability Details

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

Publish Date: 2016-02-16

URL: CVE-2016-0751

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-0751

Release Date: 2016-02-16

Fix Resolution: 3.2.22.1,4.1.14.1,4.2.5.1,5.0.0.beta1.1

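A practitioner triaging these reports wants to know which of them a given lockfile actually trips and whether a proposed bump clears them. The check below is an added example, not code from getrapidus, WhiteSource or any audit tool: it turns the "Fix Resolution" lines of the reports above into Gem::Requirement sets and tests them against a Gemfile.lock constructed to pin the same versions the scanner found. A gem is vulnerable to an advisory when its version satisfies none of that advisory's patched sets. The series boundaries ("< 4.0", "< 4.2") are my reading of the comma-separated fix lists; advisories on this page without a version-level fix (CVE-2017-9050's libxml2, CVE-2017-0889's file-level patch, WS-2015-0029, WS-2015-0033) are not expressible this way and are left out.

```ruby
require 'rubygems'

# Patched version sets per gem and advisory, from the Fix Resolution fields
# above. Each inner array is one Gem::Requirement; satisfying any of them
# means the advisory does not apply.
ADVISORIES = {
  'rails' => {
    'CVE-2016-0751' => [['>= 3.2.22.1', '< 4.0'], ['>= 4.1.14.1', '< 4.2'], ['>= 4.2.5.1', '< 5.0'], ['>= 5.0.0.beta1.1']],
    'CVE-2016-0752' => [['>= 3.2.22.1', '< 4.0'], ['>= 4.1.14.1', '< 4.2'], ['>= 4.2.5.1', '< 5.0'], ['>= 5.0.0.beta1.1']],
    'CVE-2016-2097' => [['>= 3.2.22.2', '< 4.0'], ['>= 4.1.14.2']],
    'CVE-2016-2098' => [['>= 3.2.22.2', '< 4.0'], ['>= 4.1.14.2', '< 4.2'], ['>= 4.2.5.2']],
  },
  'mail'         => { 'CVE-2015-9097'  => [['>= 2.5.5']] },
  'paperclip'    => { 'CVE-2015-2963'  => [['>= 4.2.2']] },
  'jquery-rails' => { 'CVE-2015-1840'  => [['>= 3.1.3', '< 4.0'], ['>= 4.0.4']] },
  'devise'       => { 'CVE-2015-8314'  => [['>= 3.5.4']] },
  'i18n'         => { 'CVE-2014-10077' => [['>= 0.8.0']] },
}.freeze

# Parse the specs section of a Gemfile.lock into { name => Gem::Version }.
# Top-level specs are indented by exactly four spaces; deeper lines are their
# dependencies and are skipped.
def parse_lockfile(text)
  text.each_line.with_object({}) do |line, gems|
    if (m = line.match(/\A[ ]{4}(\S+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = Gem::Version.new(m[2])
    end
  end
end

def patched?(version, requirement_sets)
  requirement_sets.any? { |reqs| Gem::Requirement.new(*reqs).satisfied_by?(version) }
end

# [[gem, version, advisory], ...] for every pinned gem that satisfies none of
# the patched sets of an advisory it is listed under.
def audit(lockfile_text, advisories = ADVISORIES)
  parse_lockfile(lockfile_text).flat_map do |name, version|
    (advisories[name] || {}).reject { |_, sets| patched?(version, sets) }
                            .map { |id, _| [name, version.to_s, id] }
  end.sort
end

# Constructed lockfile fragment pinning the versions named in the reports.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      devise (3.2.4)
        warden (~> 1.2.3)
      i18n (0.6.9)
      jquery-rails (3.1.1)
      mail (2.5.4)
      nokogiri (1.5.11)
      paperclip (3.5.4)
      rails (4.1.2)
      uglifier (2.5.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_LOCK).each { |gem, version, id| puts "#{gem} #{version}: #{id}" }
end
```

Gem::Version compares segment by segment, so "4.1.2" sorts below "4.1.14.2" as intended, and a prerelease such as "5.0.0.beta1.1" is handled without special cases. Re-running `audit` on the lockfile after a bump (for example rails to 4.1.14.2 and mail to 2.5.5) is the regression test for the upgrade.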
