vladzima / arbatovme Goto Github PK

Vulnerable Library - rack-protection-1.5.5.gem

You should use protection!

path: /var/lib/gems/2.3.0/cache/rack-protection-1.5.5.gem

Library home page: https://rubygems.org/gems/rack-protection-1.5.5.gem

Dependency Hierarchy:

• jekyll-admin-0.8.1.gem (Root Library)
  • sinatra-1.4.8.gem
    • ❌ rack-protection-1.5.5.gem (Vulnerable Library)

Found in HEAD commit: b3959e9cf7e18549f4a5e974ecb62239f3b8eaf2

Vulnerability Details

An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.

Publish Date: 2018-02-18

URL: CVE-2018-7212

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: sinatra/sinatra@d17aa95#diff-6c83ca93df5ee9912c1da85f96d278cc

Release Date: 2018-01-09

Fix Resolution: Replace or update the following files: path_traversal.rb, base.rb

Vulnerable Library - sinatra-1.4.8.gem

Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

path: /var/lib/gems/2.3.0/cache/sinatra-1.4.8.gem

Library home page: https://rubygems.org/gems/sinatra-1.4.8.gem

Dependency Hierarchy:

• jekyll-admin-0.8.1.gem (Root Library)
  • ❌ sinatra-1.4.8.gem (Vulnerable Library)

Found in HEAD commit: b3959e9cf7e18549f4a5e974ecb62239f3b8eaf2

Vulnerability Details

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Publish Date: 2018-05-31

URL: CVE-2018-11627

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: sinatra/sinatra@1278686

Release Date: 2018-05-30

Fix Resolution: Replace or update the following file: base.rb

Vulnerable Library - sinatra-1.4.8.gem

Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

path: /var/lib/gems/2.3.0/cache/sinatra-1.4.8.gem

Library home page: https://rubygems.org/gems/sinatra-1.4.8.gem

Dependency Hierarchy:

• jekyll-admin-0.8.1.gem (Root Library)
  • ❌ sinatra-1.4.8.gem (Vulnerable Library)

Found in HEAD commit: b3959e9cf7e18549f4a5e974ecb62239f3b8eaf2

Vulnerability Details

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Publish Date: 2018-03-07

URL: CVE-2018-1000119

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Change files

Origin: sinatra/sinatra@8aa6c42#commitcomment-27964109

Release Date: 2016-07-26

Fix Resolution: Replace or update the following files: authenticity_token.rb, base.rb