Vulnerabilities: 4 via 33 paths
Dependencies: 57
Source: GitHub


Severity: 1 high, 3 medium
Status: 4 new

Uncontrolled Recursion (high severity, new)

  • Vulnerable module: faraday
  • Introduced through: faraday@2.14.2 and jekyll-github-metadata@2.14.0

Detailed paths

  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects faraday@2.14.2
    Remediation: Upgrade to faraday@2.14.3.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-github-metadata@2.14.0 octokit@4.25.1 faraday@2.14.2
    Remediation: Upgrade to jekyll-github-metadata@2.14.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-github-metadata@2.14.0 octokit@4.25.1 sawyer@0.9.3 faraday@2.14.2
    Remediation: Upgrade to jekyll-github-metadata@2.14.0.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion in the NestedParamsEncoder module through the dehash routine. An attacker can cause the application to crash and exhaust system resources by submitting a deeply nested query string that triggers uncontrolled recursion.

Remediation

Upgrade faraday to version 2.14.3 or higher.

Infinite loop (medium severity, new)

  • Vulnerable module: concurrent-ruby
  • Introduced through: tzinfo@2.0.6, jekyll@4.3.1 and others

Detailed paths

  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects tzinfo@2.0.6 concurrent-ruby@1.3.6
    Remediation: Upgrade to tzinfo@2.0.6.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll@4.3.1.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-bulma@0.8.1 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-bulma@0.8.1.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-github-metadata@2.14.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-github-metadata@2.14.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-seo-tag@2.8.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-seo-tag@2.8.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-sitemap@1.4.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-sitemap@1.4.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 tzinfo@2.0.6 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.

Overview

Affected versions of this package are vulnerable to Infinite loop in the AtomicReference#update function when the current value is Float::NAN. An attacker can cause indefinite busy retry loops and CPU exhaustion by supplying malicious numeric data.

Remediation

Upgrade concurrent-ruby to version 1.3.7 or higher.

Improper Locking (medium severity, new)

  • Vulnerable module: concurrent-ruby
  • Introduced through: tzinfo@2.0.6, jekyll@4.3.1 and others

Detailed paths

  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects tzinfo@2.0.6 concurrent-ruby@1.3.6
    Remediation: Upgrade to tzinfo@2.0.6.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll@4.3.1.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-bulma@0.8.1 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-bulma@0.8.1.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-github-metadata@2.14.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-github-metadata@2.14.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-seo-tag@2.8.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-seo-tag@2.8.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-sitemap@1.4.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-sitemap@1.4.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 tzinfo@2.0.6 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.

Overview

Affected versions of this package are vulnerable to Improper Locking in the release_write_lock() and release_read_lock() functions. An attacker can disrupt synchronization guarantees and exploit data races or cause denial of service by invoking these functions from unauthorized threads or without holding the appropriate lock.

Remediation

Upgrade concurrent-ruby to version 1.3.7 or higher.

Wrap-around Error (medium severity, new)

  • Vulnerable module: concurrent-ruby
  • Introduced through: tzinfo@2.0.6, jekyll@4.3.1 and others

Detailed paths

  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects tzinfo@2.0.6 concurrent-ruby@1.3.6
    Remediation: Upgrade to tzinfo@2.0.6.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll@4.3.1.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-bulma@0.8.1 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-bulma@0.8.1.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-github-metadata@2.14.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-github-metadata@2.14.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-seo-tag@2.8.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-seo-tag@2.8.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jekyll-sitemap@1.4.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jekyll-sitemap@1.4.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 jekyll@4.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 i18n@1.14.8 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.
  • Introduced through: MichaelCurrin/my-github-projects:Gemfile.lock@MichaelCurrin/my-github-projects jemoji@0.13.0 html-pipeline@2.14.3 activesupport@7.2.3.1 tzinfo@2.0.6 concurrent-ruby@1.3.6
    Remediation: Upgrade to jemoji@0.13.0.

Overview

Affected versions of this package are vulnerable to Wrap-around Error in ReentrantReadWriteLock that causes incorrect write locks. An attacker can cause a thread to incorrectly obtain a write lock without exclusivity by repeatedly acquiring the read lock 32,768 times, which overflows the internal counter and bypasses the global writer state. This allows other threads to continue acquiring read locks concurrently, leading to data races and inconsistent reads of shared mutable state.

Remediation

Upgrade concurrent-ruby to version 1.3.7 or higher.