Nexmo/nexmo-developer

station-0.5.8.gem: 5 vulnerabilities (highest severity is: 9.8) - autoclosed

mend-for-github-com opened this issue · 1 comments

mend-for-github-com commented
Vulnerable Library - station-0.5.8.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-21831 High 9.8 activestorage-6.1.4.4.gem Transitive N/A
CVE-2022-27777 Medium 6.1 actionview-6.1.4.4.gem Transitive N/A
CVE-2022-22577 Medium 6.1 actionpack-6.1.4.4.gem Transitive N/A
CVE-2022-23634 Medium 5.9 actionpack-6.1.4.4.gem Transitive N/A
CVE-2022-23633 Medium 5.9 actionpack-6.1.4.4.gem Transitive N/A

Details

CVE-2022-21831

Vulnerable Library - activestorage-6.1.4.4.gem

Attach cloud and local files in Rails applications.

Library home page: https://rubygems.org/gems/activestorage-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activestorage-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.8.gem (Root Library)
    • rails-6.1.4.4.gem
      • activestorage-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.

Publish Date: 2022-05-26

URL: CVE-2022-21831

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w749-p3v6-hccq

Release Date: 2022-05-26

Fix Resolution: activestorage - 5.2.6.3,6.0.4.7,6.1.4.7,7.0.2.3

CVE-2022-27777

Vulnerable Library - actionview-6.1.4.4.gem

Simple, battle-tested conventions and helpers for building web pages.

Library home page: https://rubygems.org/gems/actionview-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionview-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.8.gem (Root Library)
    • nexmo-oas-renderer-2.7.2.gem
      • nexmo_markdown_renderer-0.9.2.gem
        • actionview-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.

Publish Date: 2022-05-26

URL: CVE-2022-27777

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-ch3h-j2vf-95pv

Release Date: 2022-05-26

Fix Resolution: actionview - 5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4

CVE-2022-22577

Vulnerable Library - actionpack-6.1.4.4.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.8.gem (Root Library)
    • coffee-rails-5.0.0.gem
      • railties-6.1.4.4.gem
        • actionpack-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.

Publish Date: 2022-05-26

URL: CVE-2022-22577

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mm33-5vfq-3mm3

Release Date: 2022-05-26

Fix Resolution: actionpack - 5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4

CVE-2022-23634

Vulnerable Library - actionpack-6.1.4.4.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.8.gem (Root Library)
    • coffee-rails-5.0.0.gem
      • railties-6.1.4.4.gem
        • actionpack-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Publish Date: 2022-02-11

URL: CVE-2022-23634

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: puma - 4.3.11, 5.6.2; actionpack - 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

CVE-2022-23633

Vulnerable Library - actionpack-6.1.4.4.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.8.gem (Root Library)
    • coffee-rails-5.0.0.gem
      • railties-6.1.4.4.gem
        • actionpack-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Publish Date: 2022-02-11

URL: CVE-2022-23633

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

mend-for-github-com commented

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.