swipely / bubz
Bubz = weB stUBZ
License: MIT License
Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/122
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All. Not affected: None. Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
A proxy can be configured to limit the POST body size, which will mitigate this issue.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/75
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/93
There is a potential denial of service vulnerability present in ActiveRecord’s PostgreSQL adapter.
This has been assigned the CVE identifier CVE-2022-44566.
Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS, which is a paid service and not part of the rubygem), 6.1.7.1, 7.0.4.1
Impact:
In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a 64-bit signed integer is provided to the PostgreSQL connection adapter, it will treat the target column type as numeric. Comparing integer values against numeric values can result in a slow sequential scan, resulting in potential Denial of Service.
Releases
The fixed releases are available at the normal locations.
Workarounds
Ensure that user-supplied input which is provided to ActiveRecord clauses does not contain integers wider than a signed 64-bit representation, or floats.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.
6-1-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 6.1 series
7-0-Added-integer-width-check-to-PostgreSQL-Quoting.patch - Patch for 7.0 series
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/120
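As an added example (not Rails code), a Ruby helper that applies the workaround from the advisory above: it admits only values that fit a signed 64-bit integer before they are handed to an ActiveRecord clause, so the PostgreSQL adapter never sees a float, exponent notation or an oversized literal. The helper names are hypothetical.

```ruby
# Added example, not part of Rails or of this repository.
# Signed 64-bit range, the widest integer the PostgreSQL adapter quotes as an integer.
INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

# Returns an Integer within the signed 64-bit range, or nil for anything else:
# floats, "1e3", hex, embedded whitespace, nil, or out-of-range magnitudes.
def coerce_int64(raw)
  value =
    case raw
    when Integer then raw
    when String
      # Only an optional sign followed by decimal digits; Integer() alone would also
      # accept "0x1f", "1_000" and surrounding whitespace.
      return nil unless raw.match?(/\A-?\d+\z/)
      Integer(raw, 10)
    else
      return nil # Float, nil, Array, Hash ... are never forwarded
    end
  value.between?(INT64_MIN, INT64_MAX) ? value : nil
end

# Filter a params-style hash down to the listed keys whose values pass coerce_int64,
# so the caller can build Model.where(int64_params(params, %w[id org_id])) without an
# out-of-range literal ever reaching the adapter. Rejected keys are dropped, not nil-ed.
def int64_params(params, keys)
  keys.each_with_object({}) do |key, acc|
    v = coerce_int64(params[key])
    acc[key] = v unless v.nil?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input resembling a request's query parameters.
  p int64_params({ "id" => "42", "org_id" => "9223372036854775808", "page" => "1.5" },
                 %w[id org_id page]) # only "id" survives
end
```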
In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings could lead to an uninitialized read in xsltNumberFormatInsertNumbers. This could allow an attacker to discern whether a byte on the stack contains the characters A, a, I, i, or 0, or any other character.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/108
parser.c in libxml2 before 2.9.5 does not prevent infinite recursion in parameter entities.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/107
Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application's unrestricted use of the render method and providing a .. (dot dot) in a pathname.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/105
zlib 1.2.11 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/110
Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/109
Specially crafted requests can be used to access files on the filesystem outside an application's root directory when the Sprockets server is used in production.
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workaround:
In Rails applications, to work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.
This workaround will not be possible in all hosting environments and upgrading is advised.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/84
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via | and tags in a filename.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/104
Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/94
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839. GitHub is notifying on nokogiri as it uses libxml2.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/82
In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/117
There's a flaw in libxml2 in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/116
Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication. Impacted code will look something like this:
class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end
All users running an affected release should either upgrade or use one of the workarounds immediately.
The fixed releases are available at the normal locations.
The following monkey patch placed in an initializer can be used to work around the issue:
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
Thank you to https://hackerone.com/wonda_tea_coffee for reporting this issue!
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/96
xpointer.c in libxml2 before 2.9.5 (as used in nokogiri before 1.7.1 amongst other products) does not forbid namespace nodes in XPointer ranges, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and memory corruption) via a crafted XML document.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/86
Use after free in libxml2 before 2.9.5, as used in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/123
The xsltAddTextString function in transform.c in libxslt 1.1.29, as used in Nokogiri prior to 1.7.2, lacked a check for integer overflow during a size calculation, which allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/85
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS when a Symbol is used as the DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/87
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/90
Type confusion in xsltNumberFormatGetMultipleLevel prior to libxslt 1.1.33 could allow attackers to potentially exploit heap corruption via crafted XML data.
Nokogiri prior to version 1.10.5 contains a vulnerable version of libxslt. Nokogiri version 1.10.5 upgrades the dependency to libxslt 1.1.34, which contains a patch for this issue.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/118
The rubyzip gem, version 1.2.1 and earlier, contains a directory traversal vulnerability in the Zip::File component that can result in writing arbitrary files to the filesystem. If a site allows uploading of .zip files, an attacker can upload a malicious archive that contains symlinks or entries with absolute pathnames or "../" segments to write arbitrary files to the filesystem.
This is similar to CVE-2017-5946 which was patched in 1.2.1 but the fix in that case was incomplete.
Manifest Path: Gemfile.lock
Please look at dependabot report: https://github.com/swipely/bubz/security/dependabot/88
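As an added example (not rubyzip's own code), the check an extraction loop should run on every entry name before writing it, rejecting the archive contents the advisory above describes: absolute paths, "../" segments that escape the destination, and symlink entries. It also guards against File.expand_path's "~user" expansion and embedded NUL bytes. The function names and the sample entries are constructed.

```ruby
# Added example, not part of rubyzip or of this repository.
# Decide whether a zip entry name may be written under dest_dir. Returns the resolved
# absolute target path, or nil if the entry must be skipped.
def safe_extract_target(dest_dir, entry_name)
  root = File.expand_path(dest_dir)
  # Zip entries use "/"; treat backslashes as separators too, since some archivers
  # emit them and Windows would honour them.
  name = entry_name.to_s.tr("\\", "/")
  # Absolute names, drive letters, "~" (File.expand_path expands "~user" to a home
  # directory) and NUL bytes (File.expand_path raises on them) are rejected outright.
  return nil if name.empty? || name.include?("\0")
  return nil if name.start_with?("/", "~") || name.match?(/\A[A-Za-z]:/)
  target = File.expand_path(name, root) # collapses "." and ".." lexically
  # Must be strictly inside root; comparing with the separator appended means
  # "/tmp/out2" is not accepted as being under "/tmp/out", and "." (root itself) is skipped.
  return nil unless target.start_with?(root + File::SEPARATOR)
  target
end

# Walk (name, symlink?) pairs as an extraction loop would, separating entries that may
# be written from entries that must be skipped. Symlink entries are refused as a policy,
# since a link pointing outside dest_dir turns later writes into traversal.
def plan_extraction(dest_dir, entries)
  entries.each_with_object({ ok: [], rejected: [] }) do |(name, symlink), acc|
    target = symlink ? nil : safe_extract_target(dest_dir, name)
    (target ? acc[:ok] : acc[:rejected]) << name
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed entry list standing in for the central directory of an uploaded archive.
  sample = [["docs/readme.txt", false], ["../../etc/cron.d/job", false],
            ["/etc/passwd", false], ["~root/.ssh/authorized_keys", false], ["link", true]]
  p plan_extraction("/tmp/out", sample) # only "docs/readme.txt" is ok
end
```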