adrijshikhar / darkdev Goto Github PK

Vulnerable Library - activesupport-7.0.3.1.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-7.0.3.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-7.0.3.1.gem

Dependency Hierarchy:

• github_changelog_generator-1.15.2.gem (Root Library)
  • ❌ activesupport-7.0.3.1.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Active Support Possibly Discloses Locally Encrypted Files

Publish Date: 2023-07-12

URL: CVE-2023-38037

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cr5q-6q9f-rq6q

Release Date: 2023-07-12

Fix Resolution: activesupport - 6.1.7.5,7.0.7.1

Vulnerable Library - protocol-http1-0.14.6.gem

Library home page: https://rubygems.org/gems/protocol-http1-0.14.6.gem

Dependency Hierarchy:

• github_changelog_generator-1.16.4.gem (Root Library)
  • async-http-faraday-0.11.0.gem
    • async-http-0.59.2.gem
      • ❌ protocol-http1-0.14.6.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

protocol-http1 provides a low-level implementation of the HTTP/1 protocol. RFC 9112 Section 7.1 defined the format of chunk size, chunk data and chunk extension. The value of Content-Length header should be a string of 0-9 digits, the chunk size should be a string of hex digits and should split from chunk data using CRLF, and the chunk extension shouldn't contain any invisible character. However, Falcon has following behaviors while disobey the corresponding RFCs: accepting Content-Length header values that have + prefix, accepting Content-Length header values that written in hexadecimal with 0x prefix, accepting 0x and + prefixed chunk size, and accepting LF in chunk extension. This behavior can lead to desync when forwarding through multiple HTTP parsers, potentially results in HTTP request smuggling and firewall bypassing. This issue is fixed in protocol-http1 v0.15.1. There are no known workarounds.

Publish Date: 2023-08-04

URL: CVE-2023-38697

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-6jwc-qr2q-7xwj

Release Date: 2023-08-04

Fix Resolution: protocol-http1 - 0.15.1

Vulnerable Library - tzinfo-1.2.7.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.7.gem

Dependency Hierarchy:

• github_changelog_generator-1.15.2.gem (Root Library)
  • activesupport-6.0.3.3.gem
    • ❌ tzinfo-1.2.7.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61,1.2.10

Vulnerable Library - activesupport-7.0.3.1.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-7.0.3.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-7.0.3.1.gem

Dependency Hierarchy:

• github_changelog_generator-1.15.2.gem (Root Library)
  • ❌ activesupport-7.0.3.1.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1