Vulnerabilities

 24 via 111 paths

Dependencies

 66

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 24
  • 1
Severity
  • 14
  • 11
Status
  • 25
  • 0
  • 0

high severity

Directory Traversal

  • Vulnerable module: yard
  • Introduced through: solargraph@0.54.0

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive solargraph@0.54.0 yard@0.9.37
    Remediation: Upgrade to solargraph@0.54.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive solargraph@0.54.0 yard-solargraph@0.1.0 yard@0.9.37
    Remediation: Upgrade to solargraph@0.54.0.

Overview

yard is a documentation generation tool for the Ruby programming language.

Affected versions of this package are vulnerable to Directory Traversal. When using yard server to serve documentation the package would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level.

Note: The original patch in version 0.9.20 was incorrectly applied.

Remediation

Upgrade yard to version 0.9.42 or higher.

References

Directory Traversal vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Rack::QueryParser. An attacker can exhaust memory and CPU by sending HTTP requests containing an excessively large number of &-separated query parameters.

Workaround

This vulnerability can be avoided by any means that limits the length of incoming raw strings or application/x-www-form-urlencoded data, including application-level limitation or employing middleware.

Remediation

Upgrade rack to version 2.2.14, 3.0.16, 3.1.14 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the Content-Disposition header parsing. An attacker can cause the server to consume excessive resources and potentially crash by sending specially crafted requests that exploit this inefficiency.

Remediation

Upgrade rack to version 3.1.16 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can exhaust system memory and cause process termination or severe slowdown by sending multipart requests with headers that never terminate, leading to unbounded memory allocation.

Workaround

This vulnerability can be mitigated by restricting maximum request sizes at the proxy or web server layer, such as configuring Nginx with client_max_body_size.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can exhaust system memory by sending multipart form submissions with excessively large non-file fields, leading to process crashes or degraded performance due to memory exhaustion and increased garbage collection overhead.

Workaround

This vulnerability can be mitigated by restricting the maximum request body size at the web-server or proxy layer (such as configuring Nginx client_max_body_size) and by validating and rejecting unusually large form fields at the application level.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can cause excessive memory consumption and potential process termination by sending multipart/form-data requests with a large preamble, leading to significant memory spikes and possible denial of service. The impact increases with higher allowed request sizes and concurrency.

Workaround

This vulnerability can be mitigated by limiting the total request body size at the proxy or web server level and by monitoring memory usage and setting per-process memory limits to prevent out-of-memory conditions.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Request#POST process. An attacker can exhaust system memory by sending large application/x-www-form-urlencoded request bodies, causing application slowdowns or termination by the operating system due to out-of-memory conditions. This occurs before any parameter parsing or configured parsing limits are enforced, allowing unbounded memory allocation proportional to the request size and concurrency.

Workaround

This vulnerability can be mitigated by enforcing strict maximum body size at the proxy or web server layer, such as configuring Nginx client_max_body_size or Apache LimitRequestBody.

Remediation

Upgrade rack to version 3.2.3, 3.1.18, 2.2.20 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Rack::Utils.select_best_encoding component. An attacker can cause excessive CPU consumption by sending a specially crafted Accept-Encoding header containing multiple wildcard entries.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) through the get_byte_ranges function. An attacker can exhaust CPU, memory, I/O, and bandwidth resources by sending requests with numerous small overlapping byte ranges in the HTTP Range header.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) when handling multipart form data without a Content-Length header in the Rack::Multipart::Parser component. An attacker can exhaust disk space by streaming an arbitrarily large multipart file upload, leading to service disruption.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Inefficient Algorithmic Complexity

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in the handle_mime_head component. An attacker can cause excessive CPU consumption by sending a crafted multipart/form-data request with numerous parts containing long, escape-heavy quoted parameter values.

Remediation

Upgrade rack to version 3.1.21, 3.2.6 or higher.

References

Inefficient Algorithmic Complexity vulnerability report

high severity

Partial String Comparison

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Partial String Comparison in the Rack::Static component when URL prefix matching is used to determine if a request should be served as a static file. An attacker can access unintended files by crafting request paths that share the configured prefix, potentially leading to unauthorized disclosure of sensitive information.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Partial String Comparison vulnerability report

high severity

Permissive Regular Expression

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Permissive Regular Expression in the map_accel_path component. An attacker can read arbitrary files by injecting specially crafted values into the HTTP_X_ACCEL_MAPPING header, which are then interpolated into a regular expression and used to rewrite file paths for X-Accel-Redirect responses in nginx.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Permissive Regular Expression vulnerability report

high severity

OS Command Injection

  • Vulnerable module: thor
  • Introduced through: solargraph@0.54.0

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive solargraph@0.54.0 thor@1.3.2
    Remediation: Upgrade to solargraph@0.54.0.

Overview

Affected versions of this package are vulnerable to OS Command Injection via the merge tool. An attacker can execute arbitrary commands by supplying crafted input that is improperly handled during the construction of commands.

Remediation

Upgrade thor to version 1.4.0 or higher.

References

OS Command Injection vulnerability report

medium severity

Exposure of Information Through Directory Listing

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Exposure of Information Through Directory Listing in Rack::Directory, which checks for presence in the root directory only by left-side string comparison. An attacker can list directories outside the intended root if the prefix of the target directory is exactly the name of the root directory. E.g. www_backup is exposed when www is intended.

Remediation

Upgrade rack to version 2.2.22, 3.1.20, 3.2.5 or higher.

References

Exposure of Information Through Directory Listing vulnerability report

medium severity

Incorrect Behavior Order: Validate Before Canonicalize

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the Rack::Static component. An attacker can bypass intended security headers by requesting static files using URL-encoded paths, causing the headers not to be applied as expected.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Incorrect Behavior Order: Validate Before Canonicalize vulnerability report

medium severity

Information Exposure

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Information Exposure in the Rack::Sendfile() when running behind a proxy that supports x-sendfile headers. An attacker can access internal endpoints intended to be protected by sending specially crafted x-sendfile-type or x-accel-mapping headers, causing the proxy to reissue internal requests that bypass access controls. This is only exploitable if the application uses Rack::Sendfile with a proxy supporting x-accel-redirect, the proxy does not always set or remove the x-sendfile-type and x-accel-mapping headers, and the application exposes an endpoint that returns a body responding to .to_path.

Workaround

This vulnerability can be mitigated by configuring the proxy to always set or strip the affected headers, or by disabling sendfile functionality in Rails applications.

Remediation

Upgrade rack to version 2.2.20, 3.1.18, 3.2.3 or higher.

References

Information Exposure vulnerability report

medium severity

Permissive Regular Expression

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Permissive Regular Expression in the Rack::Directory component when the configured root path is interpolated directly into a regular expression without escaping. An attacker can obtain sensitive filesystem path information by supplying a root path containing regex metacharacters, which causes the directory listing to reveal unintended details in the HTML output.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Permissive Regular Expression vulnerability report

medium severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • Vulnerable module: rexml
  • Introduced through: simplecov-cobertura@2.1.0 and solargraph@0.54.0

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive simplecov-cobertura@2.1.0 rexml@3.4.1
    Remediation: Upgrade to simplecov-cobertura@2.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive solargraph@0.54.0 kramdown@2.5.1 rexml@3.4.1
    Remediation: Upgrade to solargraph@0.54.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive solargraph@0.54.0 kramdown-parser-gfm@1.1.0 kramdown@2.5.1 rexml@3.4.1
    Remediation: Upgrade to solargraph@0.54.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') due to parsing XML. An attacker can cause excessive resource consumption and disrupt service availability by submitting specially crafted XML files containing multiple XML declarations.

Remediation

Upgrade rexml to version 3.4.2 or higher.

References

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') vulnerability report

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the Rack::Files#fail component. An attacker can cause incorrect HTTP response framing and potential response desynchronization by requesting a non-existent path containing percent-encoded UTF-8 characters, which leads to a mismatch between the declared and actual Content-Length values.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Improper Handling of Length Parameter Inconsistency vulnerability report

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the Rack::Request component. An attacker can bypass host allowlist checks by supplying specially crafted Host headers containing invalid characters, potentially leading to unauthorized access or manipulation of application behavior by exploiting improper validation during host header parsing.

Remediation

Upgrade rack to version 3.1.21, 3.2.6 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity

Interpretation Conflict

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Interpretation Conflict in the Rack::Multipart::Parser component. An attacker can cause the application to interpret multipart form data differently from upstream proxies or WAFs by sending requests with multiple boundary parameters in the Content-Type header. This can allow malicious form fields or file uploads to bypass upstream inspection and be processed by the application.

Note:

This is only exploitable if an upstream proxy, WAF, or intermediary interprets the first boundary parameter while the application parses the last one.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Interpretation Conflict vulnerability report

medium severity

Interpretation Conflict

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Interpretation Conflict in the forwarded_values component. An attacker can manipulate HTTP headers to inject semicolons into quoted values, causing the process to misinterpret a single quoted value as multiple directives. This can result in host, proto, for, or by parameters being smuggled through a single header value, potentially leading to host and scheme spoofing by sending specially crafted Forwarded headers.

Remediation

Upgrade rack to version 3.1.21, 3.2.6 or higher.

References

Interpretation Conflict vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in Rack::Directory, which automatically provides links to filenames on the filesystem. An attacker who can write files on the target system can cause the execution of JavaScript in the context of the hosting application by naming a file with an executable scheme like javascript: as part of its name, and convincing a user to click the malicious entry in the generated directory listing.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rack to version 2.2.22, 3.1.20, 3.2.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

LGPL-3.0 license

  • Module: sidekiq
  • Introduced through: sidekiq@8.0.3, rspec-sidekiq@5.1.0 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq@8.0.3
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive rspec-sidekiq@5.1.0 sidekiq@8.0.3
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive sidekiq-alive-next@3.2.0 sidekiq@8.0.3

LGPL-3.0 license

LGPL-3.0 license vulnerability report