- {
- "version": "2.1",
- "vulnerabilities": [
- {
- "category": "dependency_scanning",
- "message": "ruby-ffi DDL loading issue on Windows OS",
- "cve": "Gemfile.lock:ffi:cve:CVE-2018-1000201",
- "severity": "High",
- "solution": "upgrade to \u003e= 1.9.24",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "ffi"
- },
- "version": "1.9.21"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-1000201",
- "value": "CVE-2018-1000201",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000201"
- }
- ],
- "links": [
- {
- "url": "https://github.com/ffi/ffi/releases/tag/1.9.24"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem contains several vulnerabilities in libxml2 and libxslt",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2016-4658",
- "severity": "High",
- "solution": "upgrade to \u003e= 1.7.1",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2016-4658",
- "value": "CVE-2016-4658",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4658"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1615"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Denial of service or RCE from libxml2 and libxslt",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2015-8806",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.6.8",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2015-8806",
- "value": "CVE-2015-8806",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8806"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1473"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem, via libxml, is affected by DoS vulnerabilities",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2017-15412",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.8.2",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2017-15412",
- "value": "CVE-2017-15412",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15412"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1714"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem, via libxml, is affected by DoS vulnerabilities",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2017-16932",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.8.1",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2017-16932",
- "value": "CVE-2017-16932",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16932"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1714"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2017-5029",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.7.2",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2017-5029",
- "value": "CVE-2017-5029",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5029"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1634"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2017-9050",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.8.1",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2017-9050",
- "value": "CVE-2017-9050",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1673"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem, via libxml2, is affected by multiple vulnerabilities",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2018-14404",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.8.5",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-14404",
- "value": "CVE-2018-14404",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1785"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Revert libxml2 behavior in Nokogiri gem that could cause XSS",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2018-8048",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.8.3",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-8048",
- "value": "CVE-2018-8048",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8048"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/pull/1746"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Nokogiri gem, via libxslt, is affected by improper access control vulnerability",
- "cve": "Gemfile.lock:nokogiri:cve:CVE-2019-11068",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 1.10.3",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2019-11068",
- "value": "CVE-2019-11068",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11068"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1892"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "name": "Vulnerabilities in libxml2",
- "message": "Vulnerabilities in libxml2 in nokogiri",
- "description": " The version of libxml2 packaged with Nokogiri contains several vulnerabilities.\r\n Nokogiri has mitigated these issues by upgrading to libxml 2.9.5.\r\n\r\n It was discovered that a type confusion error existed in libxml2. An\r\n attacker could use this to specially construct XML data that\r\n could cause a denial of service or possibly execute arbitrary\r\n code. (CVE-2017-0663)\r\n\r\n It was discovered that libxml2 did not properly validate parsed entity\r\n references. An attacker could use this to specially construct XML\r\n data that could expose sensitive information. (CVE-2017-7375)\r\n\r\n It was discovered that a buffer overflow existed in libxml2 when\r\n handling HTTP redirects. An attacker could use this to specially\r\n construct XML data that could cause a denial of service or possibly\r\n execute arbitrary code. (CVE-2017-7376)\r\n\r\n Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in\r\n libxml2 when handling elements. An attacker could use this to specially\r\n construct XML data that could cause a denial of service or possibly\r\n execute arbitrary code. (CVE-2017-9047)\r\n\r\n Marcel Böhme and Van-Thuan Pham discovered a buffer overread\r\n in libxml2 when handling elements. An attacker could use this\r\n to specially construct XML data that could cause a denial of\r\n service. (CVE-2017-9048)\r\n\r\n Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads\r\n in libxml2 when handling parameter-entity references. An attacker\r\n could use these to specially construct XML data that could cause a\r\n denial of service. (CVE-2017-9049, CVE-2017-9050)",
- "cve": "Gemfile.lock:nokogiri:gemnasium:06565b64-486d-4326-b906-890d9915804d",
- "severity": "Unknown",
- "solution": "Upgrade to latest version.",
- "scanner": {
- "id": "gemnasium",
- "name": "Gemnasium"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- }
- },
- "identifiers": [
- {
- "type": "gemnasium",
- "name": "Gemnasium-06565b64-486d-4326-b906-890d9915804d",
- "value": "06565b64-486d-4326-b906-890d9915804d",
- "url": "https://deps.sec.gitlab.com/packages/gem/nokogiri/versions/1.6.7.2/advisories"
- },
- {
- "type": "usn",
- "name": "USN-3424-1",
- "value": "USN-3424-1",
- "url": "https://usn.ubuntu.com/3424-1/"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sparklemotion/nokogiri/issues/1673"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Path traversal is possible via backslash characters on Windows.",
- "cve": "Gemfile.lock:rack-protection:cve:CVE-2018-7212",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 2.0.1, ~\u003e 1.5.4",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "rack-protection"
- },
- "version": "2.0.0"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-7212",
- "value": "CVE-2018-7212",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7212"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sinatra/sinatra/pull/1379"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Possible DoS vulnerability in Rack",
- "cve": "Gemfile.lock:rack:cve:CVE-2018-16470",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 2.0.6",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "rack"
- },
- "version": "2.0.4"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-16470",
- "value": "CVE-2018-16470",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16470"
- }
- ],
- "links": [
- {
- "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "Possible XSS vulnerability in Rack",
- "cve": "Gemfile.lock:rack:cve:CVE-2018-16471",
- "severity": "Unknown",
- "solution": "upgrade to ~\u003e 1.6.11, \u003e= 2.0.6",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "rack"
- },
- "version": "2.0.4"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-16471",
- "value": "CVE-2018-16471",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471"
- }
- ],
- "links": [
- {
- "url": "https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o"
- }
- ]
- },
- {
- "category": "dependency_scanning",
- "message": "XSS via the 400 Bad Request page",
- "cve": "Gemfile.lock:sinatra:cve:CVE-2018-11627",
- "severity": "Unknown",
- "solution": "upgrade to \u003e= 2.0.2",
- "scanner": {
- "id": "bundler_audit",
- "name": "bundler-audit"
- },
- "location": {
- "file": "Gemfile.lock",
- "dependency": {
- "package": {
- "name": "sinatra"
- },
- "version": "2.0.0"
- }
- },
- "identifiers": [
- {
- "type": "cve",
- "name": "CVE-2018-11627",
- "value": "CVE-2018-11627",
- "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11627"
- }
- ],
- "links": [
- {
- "url": "https://github.com/sinatra/sinatra/issues/1428"
- }
- ]
- }
- ],
- "remediations": [],
- "dependency_files": [
- {
- "path": "Gemfile.lock",
- "package_manager": "bundler",
- "dependencies": [
- {
- "package": {
- "name": "activesupport<img src=x onerror=alert(1)>"
- },
- "version": "5.1.4"
- },
- {
- "package": {
- "name": "byebug"
- },
- "version": "10.0.0"
- },
- {
- "package": {
- "name": "coderay"
- },
- "version": "1.1.2"
- },
- {
- "package": {
- "name": "concurrent-ruby"
- },
- "version": "1.0.5"
- },
- {
- "package": {
- "name": "connection_pool"
- },
- "version": "2.2.1"
- },
- {
- "package": {
- "name": "diff-lcs"
- },
- "version": "1.3"
- },
- {
- "package": {
- "name": "faker"
- },
- "version": "1.6.6"
- },
- {
- "package": {
- "name": "ffi"
- },
- "version": "1.9.21"
- },
- {
- "package": {
- "name": "formatador"
- },
- "version": "0.2.5"
- },
- {
- "package": {
- "name": "guard"
- },
- "version": "2.14.2"
- },
- {
- "package": {
- "name": "guard-compat"
- },
- "version": "1.2.1"
- },
- {
- "package": {
- "name": "guard-rspec"
- },
- "version": "4.7.3"
- },
- {
- "package": {
- "name": "i18n"
- },
- "version": "0.9.5"
- },
- {
- "package": {
- "name": "listen"
- },
- "version": "3.1.5"
- },
- {
- "package": {
- "name": "lumberjack"
- },
- "version": "1.0.12"
- },
- {
- "package": {
- "name": "method_source"
- },
- "version": "0.9.0"
- },
- {
- "package": {
- "name": "mini_portile2"
- },
- "version": "2.0.0"
- },
- {
- "package": {
- "name": "minitest"
- },
- "version": "5.11.3"
- },
- {
- "package": {
- "name": "mustermann"
- },
- "version": "1.0.1"
- },
- {
- "package": {
- "name": "nenv"
- },
- "version": "0.3.0"
- },
- {
- "package": {
- "name": "nokogiri"
- },
- "version": "1.6.7.2"
- },
- {
- "package": {
- "name": "notiffany"
- },
- "version": "0.1.1"
- },
- {
- "package": {
- "name": "pg"
- },
- "version": "1.0.0"
- },
- {
- "package": {
- "name": "pry"
- },
- "version": "0.11.3"
- },
- {
- "package": {
- "name": "puma"
- },
- "version": "3.12.0"
- },
- {
- "package": {
- "name": "rack"
- },
- "version": "2.0.4"
- },
- {
- "package": {
- "name": "rack-protection"
- },
- "version": "2.0.0"
- },
- {
- "package": {
- "name": "rb-fsevent"
- },
- "version": "0.10.2"
- },
- {
- "package": {
- "name": "rb-inotify"
- },
- "version": "0.9.10"
- },
- {
- "package": {
- "name": "redis"
- },
- "version": "3.3.5"
- },
- {
- "package": {
- "name": "rspec"
- },
- "version": "3.7.0"
- },
- {
- "package": {
- "name": "rspec-core"
- },
- "version": "3.7.1"
- },
- {
- "package": {
- "name": "rspec-expectations"
- },
- "version": "3.7.0"
- },
- {
- "package": {
- "name": "rspec-mocks"
- },
- "version": "3.7.0"
- },
- {
- "package": {
- "name": "rspec-support"
- },
- "version": "3.7.1"
- },
- {
- "package": {
- "name": "ruby_dep"
- },
- "version": "1.5.0"
- },
- {
- "package": {
- "name": "shellany"
- },
- "version": "0.0.1"
- },
- {
- "package": {
- "name": "sidekiq"
- },
- "version": "4.2.10"
- },
- {
- "package": {
- "name": "sinatra"
- },
- "version": "2.0.0"
- },
- {
- "package": {
- "name": "slim"
- },
- "version": "3.0.9"
- },
- {
- "package": {
- "name": "spring"
- },
- "version": "2.0.2"
- },
- {
- "package": {
- "name": "temple"
- },
- "version": "0.8.0"
- },
- {
- "package": {
- "name": "thor"
- },
- "version": "0.20.0"
- },
- {
- "package": {
- "name": "thread_safe"
- },
- "version": "0.3.6"
- },
- {
- "package": {
- "name": "tilt"
- },
- "version": "2.0.8"
- },
- {
- "package": {
- "name": "tzinfo"
- },
- "version": "1.2.5"
- }
- ]
- }
- ]
- }