CVE-2018-7212 (Medium) detected in rack-protection-1.5.5.gem, sinatra-1.4.8.gem
mend-bolt-for-github opened this issue · 0 comments
CVE-2018-7212 - Medium Severity Vulnerability
Vulnerable Libraries - rack-protection-1.5.5.gem, sinatra-1.4.8.gem
rack-protection-1.5.5.gem
You should use protection!
Library home page: https://rubygems.org/gems/rack-protection-1.5.5.gem
Path to dependency file: /tmp/ws-scm/blacksuan19.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/rack-protection-1.5.5.gem
Dependency Hierarchy:
- jekyll-admin-0.9.0.gem (Root Library)
  - sinatra-contrib-1.4.7.gem
    - ❌ rack-protection-1.5.5.gem (Vulnerable Library)
sinatra-1.4.8.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-1.4.8.gem
Path to dependency file: /tmp/ws-scm/blacksuan19.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/sinatra-1.4.8.gem
Dependency Hierarchy:
- jekyll-admin-0.9.0.gem (Root Library)
  - sinatra-contrib-1.4.7.gem
    - ❌ sinatra-1.4.8.gem (Vulnerable Library)
Found in HEAD commit: d2943ea76e87ad85ec01dbd6b4e625b3aad6f177
Vulnerability Details
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
Publish Date: 2018-02-18
URL: https://nvd.nist.gov/vuln/detail/CVE-2018-7212
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7212
Release Date: 2018-02-18
Fix Resolution: 2.0.1