Nexmo/nexmo-developer

station-0.5.11.gem: 9 vulnerabilities (highest severity is: 9.8) - autoclosed

mend-for-github-com opened this issue · 1 comments

mend-for-github-com commented
Vulnerable Library - station-0.5.11.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-21831 High 9.8 activestorage-6.1.4.4.gem Transitive N/A
WS-2022-0089 High 8.8 nokogiri-1.11.7-x86_64-linux.gem Transitive N/A
CVE-2022-29181 High 8.2 nokogiri-1.11.7-x86_64-linux.gem Transitive N/A
CVE-2022-24836 High 7.5 nokogiri-1.11.7-x86_64-linux.gem Transitive N/A
CVE-2021-41098 High 7.5 nokogiri-1.11.7-x86_64-linux.gem Transitive N/A
CVE-2022-27777 Medium 6.1 actionview-6.1.4.4.gem Transitive N/A
CVE-2022-22577 Medium 6.1 actionpack-6.1.4.4.gem Transitive N/A
CVE-2022-23634 Medium 5.9 actionpack-6.1.4.4.gem Transitive N/A
CVE-2022-23633 Medium 5.9 actionpack-6.1.4.4.gem Transitive N/A

Details

CVE-2022-21831

Vulnerable Library - activestorage-6.1.4.4.gem

Attach cloud and local files in Rails applications.

Library home page: https://rubygems.org/gems/activestorage-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activestorage-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • rails-6.1.4.4.gem
      • activestorage-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments.

Publish Date: 2022-05-26

URL: CVE-2022-21831

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-w749-p3v6-hccq

Release Date: 2022-05-26

Fix Resolution: activestorage - 5.2.6.3,6.0.4.7,6.1.4.7,7.0.2.3

WS-2022-0089

Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2

CVE-2022-29181

Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

CVE-2022-24836

Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4

CVE-2021-41098

Vulnerable Library - nokogiri-1.11.7-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.7-x86_64-linux.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.11.7.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • nokogiri-1.11.7-x86_64-linux.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5

CVE-2022-27777

Vulnerable Library - actionview-6.1.4.4.gem

Simple, battle-tested conventions and helpers for building web pages.

Library home page: https://rubygems.org/gems/actionview-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionview-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • activeadmin-2.13.1.gem
      • inherited_resources-1.13.1.gem
        • has_scope-0.8.0.gem
          • actionpack-6.1.4.4.gem
            • actionview-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes.

Publish Date: 2022-05-26

URL: CVE-2022-27777

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-ch3h-j2vf-95pv

Release Date: 2022-05-26

Fix Resolution: actionview - 5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4

CVE-2022-22577

Vulnerable Library - actionpack-6.1.4.4.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • activeadmin-2.13.1.gem
      • inherited_resources-1.13.1.gem
        • actionpack-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.

Publish Date: 2022-05-26

URL: CVE-2022-22577

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-mm33-5vfq-3mm3

Release Date: 2022-05-26

Fix Resolution: actionpack - 5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4

CVE-2022-23634

Vulnerable Library - actionpack-6.1.4.4.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • activeadmin-2.13.1.gem
      • inherited_resources-1.13.1.gem
        • actionpack-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Publish Date: 2022-02-11

URL: CVE-2022-23634

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: puma - 4.3.11, 5.6.2; actionpack - 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

CVE-2022-23633

Vulnerable Library - actionpack-6.1.4.4.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-6.1.4.4.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/actionpack-6.1.4.4.gem

Dependency Hierarchy:

  • station-0.5.11.gem (Root Library)
    • activeadmin-2.13.1.gem
      • inherited_resources-1.13.1.gem
        • actionpack-6.1.4.4.gem (Vulnerable Library)

Found in HEAD commit: 7f4b6f4c36639a3d52a7192a3d7cdcf6d1b4b82c

Found in base branch: main

Vulnerability Details

Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is not notified of a close, ActionDispatch::Executor will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.

Publish Date: 2022-02-11

URL: CVE-2022-23633

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wh98-p28r-vrc9

Release Date: 2022-02-11

Fix Resolution: 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2

mend-for-github-com commented

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.