Description

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/122

Description

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

Impact

The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

A proxy can be configured to limit the POST body size which will mitigate this issue.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/75

Description

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/93

Description

There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.

This has been assigned the CVE identifier CVE-2022-44566.

Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1

Impact:
In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan resulting in potential Denial of Service.
Releases

The fixed releases are available at the normal locations.
Workarounds

Ensure that user supplied input which is provided to ActiveRecord clauses do not contain integers wider than a signed 64bit representation or floats.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy 1 regarding security issues. They are in git-am format and consist of a single changeset.

6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/120

Description

In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/108

Description

parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/107

Description

Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/105

Description

zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/110

Description

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/109

Description

Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production.

All users running an affected release should either upgrade or use one of the work arounds immediately.

Workaround:

In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.

This work around will not be possible in all hosting environments and upgrading is advised.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/84

Description

In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/104

Description

Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/94

Description

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. GitHub is notifying on nokogiri as uses libxml2.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/82

Description

In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/117

Description

There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/116

Description

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

• 5-2-http-authentication-dos.patch - Patch for 5.2 series
• 6-0-http-authentication-dos.patch - Patch for 6.0 series
• 6-1-http-authentication-dos.patch - Patch for 6.1 series

Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at
present. Users of earlier unsupported releases are advised to upgrade as soon
as possible as we cannot guarantee the continued availability of security
fixes for unsupported releases.

Credits

Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/96

Description

xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/86

Description

Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/123

Description

The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Nokogiri prior to 1.7.2, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/85

Description

ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String This vulnerability appears to have been fixed in v1.9.24 and later.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/87

Description

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/90

Description

Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.

Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/118

Description

rubyzip gem rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability in Zip::File component that can result in write arbitrary files to the filesystem. This attack appear to be exploitable via If a site allows uploading of .zip files , an attacker can upload a malicious file that contains symlinks or files with absolute pathnames "../" to write arbitrary files to the filesystem..

This is similar to CVE-2017-5946 which was patched in 1.2.1 but the fix in that case was incomplete.

Informations

Manifest Path: Gemfile.lock

Please look at dependabot report :https://github.com/swipely/bubz/security/dependabot/88