Vulnerable Libraries - activesupport-7.0.7.gem, activesupport-6.0.3.2.gem

Found in base branch: main

Vulnerability Details

Active Support Possibly Discloses Locally Encrypted Files

Publish Date: 2023-07-12

URL: CVE-2023-38037

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cr5q-6q9f-rq6q

Release Date: 2023-07-12

Fix Resolution: activesupport - 6.1.7.5,7.0.7.1

Vulnerable Library - kramdown-2.3.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-2.3.0.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • ❌ kramdown-2.3.0.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-19

Fix Resolution: 2.3.1

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-commonmark-ghpages-0.1.6.gem
    • ❌ commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Publish Date: 2022-09-21

URL: WS-2022-0320

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4qw4-jpp4-8gvp

Release Date: 2022-09-21

Fix Resolution: commonmarker - 0.23.6

Vulnerable Library - activesupport-6.0.3.2.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.3.2.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-mentions-1.5.1.gem
    • html-pipeline-2.14.0.gem
      • ❌ activesupport-6.0.3.2.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-commonmark-ghpages-0.1.6.gem
    • ❌ commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

commonmarker versions prior to 0.23.4 are vulnerable to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns.
The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

Publish Date: 2022-02-03

URL: WS-2022-0093

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fmx4-26r3-wxpf

Release Date: 2022-02-03

Fix Resolution: commonmarker - 0.23.4

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-commonmark-ghpages-0.1.6.gem
    • ❌ commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of > or - characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Publish Date: 2023-03-31

URL: CVE-2023-24824

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2023-03-31

Fix Resolution: commonmarker - 0.23.9

Vulnerable Library - nokogiri-1.10.10.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.10.gem

Dependency Hierarchy:

• html-proofer-3.17.4.gem (Root Library)
  • nokogumbo-2.0.4.gem
    • ❌ nokogiri-1.10.10.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

Vulnerable Library - addressable-2.7.0.gem

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.

Library home page: https://rubygems.org/gems/addressable-2.7.0.gem

Dependency Hierarchy:

• html-proofer-3.17.4.gem (Root Library)
  • ❌ addressable-2.7.0.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Publish Date: 2021-07-06

URL: CVE-2021-32740

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jxhc-q857-3j6g

Release Date: 2021-07-06

Fix Resolution: addressable - 2.8.0

Vulnerable Library - nokogiri-1.10.10.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.10.gem

Dependency Hierarchy:

• html-proofer-3.17.4.gem (Root Library)
  • nokogumbo-2.0.4.gem
    • ❌ nokogiri-1.10.10.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4

Vulnerable Library - nokogiri-1.10.10.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.10.gem

Dependency Hierarchy:

• html-proofer-3.17.4.gem (Root Library)
  • nokogumbo-2.0.4.gem
    • ❌ nokogiri-1.10.10.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Publish Date: 2020-12-30

URL: CVE-2020-26247

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-30

Fix Resolution: 1.11.0.rc4

Vulnerable Library - nokogiri-1.10.10.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.10.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • ❌ nokogiri-1.10.10.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

nokogiri up to and including 1.13.8 is affected by several vulnerabilities (CVE-2022-40303, CVE-2022-40304 and CVE-2022-2309) in the dependency bundled libxml2 library. Version 1.13.9 of nokogiri contains a patch where the dependency is upgraded with the patches as well.

Publish Date: 2022-10-18

URL: WS-2022-0334

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qc6-mcvw-92cw

Release Date: 2022-10-18

Fix Resolution: nokogiri - 1.13.9

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-commonmark-ghpages-0.1.6.gem
    • ❌ commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of _ characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both cmark and cmark-gfm. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in github/cmark-gfm

Publish Date: 2023-03-31

URL: CVE-2023-26485

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2023-03-31

Fix Resolution: commonmarker - 0.23.9

Vulnerable Library - nokogiri-1.10.10.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.10.gem

Dependency Hierarchy:

• html-proofer-3.17.4.gem (Root Library)
  • nokogumbo-2.0.4.gem
    • ❌ nokogiri-1.10.10.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5

Gemfile

• github-pages '>= 207'
• html-proofer '>= 3.13.0'

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-commonmark-ghpages-0.1.6.gem
    • ❌ commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service

Publish Date: 2023-04-12

URL: WS-2023-0095

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2023-04-12

Fix Resolution: commonmarker - 0.23.9

What is GitHub?

I'm glad you asked! Many people come to GitHub because they want to contribute to open source ^📖 projects, or they're invited by teammates or classmates who use it for their projects. Why do people use GitHub for these projects?

At its heart, GitHub is a collaboration platform.

From software to legal documents, you can count on GitHub to help you do your best work with the collaboration and security tools your team needs. With GitHub, you can keep projects completely private, invite the world to collaborate, and streamline every step of your project.

GitHub is also a powerful version control tool.

GitHub uses Git ^📖, the most popular open source version control software, to track every contribution and contributor ^📖 to your project--so you know exactly where every line of code came from.

GitHub helps people do much more.

GitHub is used to build some of the most advanced technologies in the world. Whether you're visualizing data or building a new game, there's a whole community and set of tools on GitHub that can get you to the next step. This course starts with the basics, but we'll dig into the rest later!

📺 Video: What is GitHub?

Exploring a GitHub repository

📺 Video: Exploring a repository

More features

The video covered some of the most commonly-used features. Here are a few other items you can find in GitHub repositories:

• Project boards: Create Kanban-style task tracking board within GitHub
• Wiki: Create and store relevant project documentation
• Insights: View a drop-down menu that contains links to analytics tools for your repository including:
  • Pulse: Find information about the work that has been completed and the work that’s in-progress in this project dashboard
  • Graphs: Graphs provide a more granular view of the repository activity including who contributed to the repository, who forked it, and when they completed the work

Special Files

In the video you learned about a special file called the README.md. Here are a few other special files you can add to your repositories:

• CONTRIBUTING.md: The CONTRIBUTING.md is used to describe the process for contributing to the repository. A link to the CONTRIBUTING.md file is shown anytime someone creates a new issue or pull request.
• ISSUE_TEMPLATE.md: The ISSUE_TEMPLATE.md is another file you can use to pre-populate the body of an issue. For example, if you always need the same types of information for bug reports, include it in the issue template, and every new issue will be opened with your recommended starter text.

Using GitHub issues

Issues are used to discuss ideas, enhancements, tasks, and bugs. They make collaboration easier by:

• Providing everyone (even future team members) with the complete story in one place
• Allowing you to cross-link to other issues and pull requests ^📖
• Creating a single, comprehensive record of how and why you made certain decisions
• Allowing you to easily pull the right people and teams into a conversation with @-mentions

📺 Video: Using issues

Managing notifications

📺 Video: Watching, notifications, stars, and explore

Once you've commented on an issue or pull request, you'll start receiving email notifications when there's activity in the thread.

How to silence or unmute specific conversations

1. Go to the issue or pull request
2. Under "Notifications", click the Unsubscribe button on the right to silence notifications or Subscribe to unmute them

You'll see a short description that explains your current notification status.

How to customize notifications in Settings

1. Click your profile icon
2. Click Settings
3. Click Notifications from the menu on the left and adjust your notification preferences

Repository notification options

• Watch: You'll receive a notification when a new issue, pull request or comment is posted, and when an issue is closed or a pull request is merged
• Not watching: You'll no longer receive notifications unless you're @-mentioned
• Ignore: You'll no longer receive any notifications from the repository

How to review notifications for the repositories you're watching

1. Click your profile icon
2. Click Settings
3. Click Notification from the menu on the left
4. Click on the things you’re watching link
5. Select the Watching tab
6. Click the Unwatch button to disable notifications, or Watch to enable them

Vulnerable Library - nokogiri-1.10.10.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.10.gem

Dependency Hierarchy:

• html-proofer-3.17.4.gem (Root Library)
  • nokogumbo-2.0.4.gem
    • ❌ nokogiri-1.10.10.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2

Vulnerable Library - tzinfo-1.2.7.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.7.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-mentions-1.5.1.gem
    • html-pipeline-2.14.0.gem
      • activesupport-6.0.3.2.gem
        • ❌ tzinfo-1.2.7.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61,1.2.10

Vulnerable Library - rexml-3.2.4.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.2.4.gem

Dependency Hierarchy:

• github-pages-207.gem (Root Library)
  • jekyll-sitemap-1.4.0.gem
    • jekyll-3.9.0.gem
      • kramdown-2.3.0.gem
        • ❌ rexml-3.2.4.gem (Vulnerable Library)

Found in base branch: main

Vulnerability Details

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Publish Date: 2021-04-21

URL: CVE-2021-28965

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cr8-4vfw-mr7h

Release Date: 2021-04-21

Fix Resolution: rexml - 3.1.9.1, 3.2.5