Vulnerabilities

 111 via 2748 paths

Dependencies

 114

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 4
  • 44
  • 57
  • 6
Status
  • 111
  • 0
  • 0

critical severity

Remote Code Execution (RCE)

  • Vulnerable module: activerecord
  • Introduced through: activerecord@6.1.4.1, database_cleaner-active_record@2.0.1 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.6.1.

Overview

activerecord is a library for databases on Rails.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). When serialized columns that use YAML (the default) are deserialized, Rails uses YAML.unsafe_load to convert the YAML data in to Ruby objects. If an attacker can manipulate data in the database (via means like SQL injection), then it may be possible for the attacker to escalate to an RCE.

Remediation

Upgrade activerecord to version 5.2.8.1, 6.0.5.1, 6.1.6.1, 7.0.3.1 or higher.

References

Remote Code Execution (RCE) vulnerability report

critical severity

Arbitrary Code Injection

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Arbitrary Code Injection. There is a possible shell-escape sequence injection vulnerability in Rack's Lint and CommonLogger components. Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.

Notes:

Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this:use Rack::Lint or use Rack::CommonLogger.

Remediation

Upgrade rack to version 2.0.9.1, 2.1.4.1, 2.2.3.1 or higher.

References

Arbitrary Code Injection vulnerability report

critical severity

Directory Traversal

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.

Overview

Affected versions of this package are vulnerable to Directory Traversal via the path_for function in DiskService. An attacker can read, write, or delete arbitrary files on the server by supplying blob keys containing path traversal sequences like ../.

Note: In most cases, blob keys are expected to be trusted strings.

Details

A Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.

Directory Traversal vulnerabilities can be generally divided into two types:

  • Information Disclosure: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.

st is a module for serving static files on web pages, and contains a vulnerability of this type. In our example, we will serve files from the public route.

If an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.

curl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa

Note %2e is the URL encoded version of . (dot).

  • Writing arbitrary files: Allows the attacker to create or replace existing files. This type of vulnerability is also known as Zip-Slip.

One way to achieve this is by using a malicious zip archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.

The following is an example of a zip archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in /root/.ssh/ overwriting the authorized_keys file:

2018-04-15 22:04:29 .....           19           19  good.txt
2018-04-15 22:04:42 .....           20           20  ../../../../../../root/.ssh/authorized_keys

Remediation

Upgrade activestorage to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Directory Traversal vulnerability report

critical severity

Arbitrary Command Injection

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.

Overview

Affected versions of this package are vulnerable to Arbitrary Command Injection due to untrusted user input being accepted as transformation methods or parameters. An attacker can execute arbitrary commands on the server by supplying crafted input that circumvents safe defaults.

Note: This is exploitable if the application uses both the image_processing gem and mini_magick as the image processor, and accepts arbitrary user input for transformation methods or parameters.

Workaround

This vulnerability can be mitigated by strictly validating user-supplied methods and parameters and deploying a strong ImageMagick security policy.

Remediation

Upgrade activestorage to version 7.1.5.2, 7.2.2.2, 8.0.2.1 or higher.

References

Arbitrary Command Injection vulnerability report

high severity

Expired Pointer Dereference

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Expired Pointer Dereference via 'xmlSchematronGetNode()` function in Schematron validator. An attacker can cause a crash or execute arbitrary code by triggering use of freed memory.

Remediation

Upgrade nokogiri to version 1.18.9 or higher.

References

Expired Pointer Dereference vulnerability report

high severity

Directory Traversal

  • Vulnerable module: yard
  • Introduced through: yard@0.9.26

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus yard@0.9.26
    Remediation: Upgrade to yard@0.9.42.

Overview

yard is a documentation generation tool for the Ruby programming language.

Affected versions of this package are vulnerable to Directory Traversal. When using yard server to serve documentation the package would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

For users who cannot upgrade, it is possible to perform path sanitization of HTTP requests at your webserver level.

Note: The original patch in version 0.9.20 was incorrectly applied.

Remediation

Upgrade yard to version 0.9.42 or higher.

References

Directory Traversal vulnerability report

high severity

Memory Allocation with Excessive Size Value

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.

Overview

Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the Blobs::ProxyController. An attacker can exhaust server memory by sending requests with large or unbounded range headers.

Remediation

Upgrade activestorage to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Memory Allocation with Excessive Size Value vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: activesupport
  • Introduced through: activerecord@6.1.4.1, factory_bot@6.2.0 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus factory_bot@6.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to factory_bot@6.2.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 activesupport@6.1.4.1
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to mongoid@8.1.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 key_path@1.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in NumberConverter. An attacker can cause excessive memory allocation by submitting strings containing scientific notation (such as 1e10000), which are expanded into extremely large decimal representations when formatted.

Remediation

Upgrade activesupport to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: addressable
  • Introduced through: json-schema@2.8.1 and json-schema-rspec@0.0.4

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus json-schema@2.8.1 addressable@2.8.0
    Remediation: Upgrade to json-schema@2.8.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus json-schema-rspec@0.0.4 json-schema@2.8.1 addressable@2.8.0
    Remediation: Upgrade to json-schema-rspec@0.0.4.

Overview

addressable is an is an alternative implementation to the URI implementation that is part of Ruby's standard library.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the URI template matching due to the use of regular expressions with nested unbounded quantifiers. An attacker can cause excessive resource consumption and application downtime by supplying specially crafted URIs that trigger catastrophic backtracking.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade addressable to version 2.9.0 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Expired Pointer Dereference

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Expired Pointer Dereference due to a null pointer dereference while processing XPath XML expressions. An attacker can cause a crash and disrupt service availability by sending specially crafted input that triggers the dereference.

Remediation

Upgrade nokogiri to version 1.18.9 or higher.

References

Expired Pointer Dereference vulnerability report

high severity

Out-of-bounds Read

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Out-of-bounds Read due to improper namespace processing of sch:name elements in xmlSchematronFormatReport() function. An attacker can cause a denial of service or potentially execute arbitrary code by providing specially crafted XML input.

Remediation

Upgrade nokogiri to version 1.18.9 or higher.

References

Out-of-bounds Read vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the xmlBuildQName function. An attacker can cause a crash and denial of service by supplying specially crafted XML input that triggers an integer overflow and subsequent stack buffer overflow.

Remediation

Upgrade nokogiri to version 1.18.9 or higher.

References

Stack-based Buffer Overflow vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Rack::QueryParser. An attacker can exhaust memory and CPU by sending HTTP requests containing an excessively large number of &-separated query parameters.

Workaround

This vulnerability can be avoided by any means that limits the length of incoming raw strings or application/x-www-form-urlencoded data, including application-level limitation or employing middleware.

Remediation

Upgrade rack to version 2.2.14, 3.0.16, 3.1.14 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can exhaust system memory and cause process termination or severe slowdown by sending multipart requests with headers that never terminate, leading to unbounded memory allocation.

Workaround

This vulnerability can be mitigated by restricting maximum request sizes at the proxy or web server layer, such as configuring Nginx with client_max_body_size.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can exhaust system memory by sending multipart form submissions with excessively large non-file fields, leading to process crashes or degraded performance due to memory exhaustion and increased garbage collection overhead.

Workaround

This vulnerability can be mitigated by restricting the maximum request body size at the web-server or proxy layer (such as configuring Nginx client_max_body_size) and by validating and rejecting unusually large form fields at the application level.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can cause excessive memory consumption and potential process termination by sending multipart/form-data requests with a large preamble, leading to significant memory spikes and possible denial of service. The impact increases with higher allowed request sizes and concurrency.

Workaround

This vulnerability can be mitigated by limiting the total request body size at the proxy or web server level and by monitoring memory usage and setting per-process memory limits to prevent out-of-memory conditions.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Request#POST process. An attacker can exhaust system memory by sending large application/x-www-form-urlencoded request bodies, causing application slowdowns or termination by the operating system due to out-of-memory conditions. This occurs before any parameter parsing or configured parsing limits are enforced, allowing unbounded memory allocation proportional to the request size and concurrency.

Workaround

This vulnerability can be mitigated by enforcing strict maximum body size at the proxy or web server layer, such as configuring Nginx client_max_body_size or Apache LimitRequestBody.

Remediation

Upgrade rack to version 3.2.3, 3.1.18, 2.2.20 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Rack::Utils.select_best_encoding component. An attacker can cause excessive CPU consumption by sending a specially crafted Accept-Encoding header containing multiple wildcard entries.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) through the get_byte_ranges function. An attacker can exhaust CPU, memory, I/O, and bandwidth resources by sending requests with numerous small overlapping byte ranges in the HTTP Range header.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) when handling multipart form data without a Content-Length header in the Rack::Multipart::Parser component. An attacker can exhaust disk space by streaming an arbitrarily large multipart file upload, leading to service disruption.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Partial String Comparison

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Partial String Comparison in the Rack::Static component when URL prefix matching is used to determine if a request should be served as a static file. An attacker can access unintended files by crafting request paths that share the configured prefix, potentially leading to unauthorized disclosure of sensitive information.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Partial String Comparison vulnerability report

high severity

Relative Path Traversal

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Relative Path Traversal in the can_serve() function in Rack::Static that enables local file inclusion. An attacker who knows the exact path to any file in the root: file directory can access it by supplying a path traversing pathname.

Remediation

Upgrade rack to version 2.2.13, 3.0.14, 3.1.12 or higher.

References

Relative Path Traversal vulnerability report

high severity

SQL Injection

  • Vulnerable module: activerecord
  • Introduced through: activerecord@6.1.4.1, database_cleaner-active_record@2.0.1 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.

Overview

activerecord is a library for databases on Rails.

Affected versions of this package are vulnerable to SQL Injection due to improper sanitization of comments passed via annotate, optimzer_hints methods, or via the QueryLogs interface, which adds annotations automatically. Exploiting this behavior allows a malicious user to inject SQL outside of the comment.

Workaround

Avoid passing user input to annotate and avoid using QueryLogs configuration, which can include user input.

Remediation

Upgrade activerecord to version 6.0.6.1, 6.1.7.1, 7.0.4.1 or higher.

References

SQL Injection vulnerability report

high severity

Improper Handling of Unexpected Data Type

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Improper Handling of Unexpected Data Type due to incorrectly checking the types of arguments to various constructors in HTML4::SAX and XML::SAX, which causes a segmentation fault.

Remediation

Upgrade nokogiri to version 1.13.6 or higher.

References

Improper Handling of Unexpected Data Type vulnerability report

high severity

Missing Release of Memory after Effective Lifetime

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the XSLT::Stylesheet#transform function, when a string parameter containing a null byte is processed, preventing StringValueCStr from cleaning up the allocated array. An attacker can cause resource exhaustion by repeatedly supplying malicious input to long-running processes. The process needs to be sufficiently long-running that an accumulation of 24–32 bytes of heap memory at a time can have a substantial negative impact. This attack requirement is out of the attacker's control.

Remediation

Upgrade nokogiri to version 1.19.3 or higher.

References

Missing Release of Memory after Effective Lifetime vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to params_limit only being enforced for parameters separated by &, while still splitting on both & and ; in the QueryParser. An attacker can exhaust system resources and cause service disruption by submitting a large number of parameters separated by semicolons, bypassing the intended parameter count limit.

Note:

This is only exploitable if the QueryParser is used directly with its default configuration (no explicit delimiter).

Workaround

This vulnerability can be mitigated by configuring QueryParser with an explicit delimiter (such as &) or by enforcing query string and request size limits at the web server or proxy layer to mitigate excessive parsing overhead.

Remediation

Upgrade rack to version 2.2.18 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Permissive Regular Expression

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Permissive Regular Expression in the map_accel_path component. An attacker can read arbitrary files by injecting specially crafted values into the HTTP_X_ACCEL_MAPPING header, which are then interpolated into a regular expression and used to rewrite file paths for X-Accel-Redirect responses in nginx.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Permissive Regular Expression vulnerability report

high severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • Vulnerable module: rexml
  • Introduced through: rubocop@1.21.0, rubocop-performance@1.11.5 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop@1.21.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-performance@1.11.5 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-performance@1.11.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-rspec@2.5.0 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-rspec@2.5.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') via tree parser APIs like REXML::Document.new function. An attacker can cause the application to consume excessive resources by submitting specially crafted XML documents with many deep elements that have the same local name attributes.

Note:

This is only exploitable if a tree parser API is used to parse untrusted XMLs.

Remediation

Upgrade rexml to version 3.3.6 or higher.

References

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') vulnerability report

high severity

Arbitrary Code Injection

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.7.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Injection where the transformation method or its arguments are untrusted arbitrary input.

Note:

This vulnerability impacts applications that use Active Storage with the image_processing processing in addition to the mini_magick back end for image_processing.

PoC:

<%= image_tag blob.variant(params[:t] => params[:v]) %>

Remediation

Upgrade activestorage to version 5.2.6.3, 6.0.4.7, 6.1.4.7, 7.0.2.3 or higher.

References

Arbitrary Code Injection vulnerability report

high severity

Use After Free

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free via the ID and IDREF attributes, when using the xmlReader interface with validation or when a document is parsed with XML_PARSE_DTDVALID and without XML_PARSE_NOENT. This can lead to the value of ID attributes to not be normalized after potentially expanding entities in xmlRemoveID, which will cause later calls to xmlGetID to return a pointer to previously freed memory.

Remediation

Upgrade nokogiri to version 1.13.2 or higher.

References

Use After Free vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: activerecord
  • Introduced through: activerecord@6.1.4.1, database_cleaner-active_record@2.0.1 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.

Overview

activerecord is a library for databases on Rails.

Affected versions of this package are vulnerable to Denial of Service (DoS) when a value outside the range for a 64-bit signed integer is provided to the PostgreSQL connection adapter.

Workarounds

Ensure that user-supplied input which is provided to ActiveRecord clauses does not contain integers wider than a signed 64-bit representation or floats.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade activerecord to version 6.1.7.1, 7.0.4.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: loofah
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.

Overview

loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to containing an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade loofah to version 2.19.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Uncontrolled Recursion

  • Vulnerable module: loofah
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.

Overview

loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Affected versions of this package are vulnerable to Uncontrolled Recursion when it uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception, which might result in CPU resource consumption.

Workaround

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Remediation

Upgrade loofah to version 2.19.1 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the xerces:xercesImpldependency, as its XML parser consumes excessive amount of resources when handling specially crafted XML document payloads due to an infinite loop.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade nokogiri to version 1.13.4 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Heap-based Buffer Overflow

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Heap-based Buffer Overflow through the xmlHTMLPrintFileContext function in xmllint.c. An attacker can read memory contents that may contain sensitive data by triggering a buffer over-read condition.

Remediation

Upgrade nokogiri to version 1.16.5 or higher.

References

Heap-based Buffer Overflow vulnerability report

high severity

NULL Pointer Dereference

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to NULL Pointer Dereference due to the usage of a vulnerable version of the bundled libxml2 package.

Remediation

Upgrade nokogiri to version 1.13.9 or higher.

References

NULL Pointer Dereference vulnerability report

high severity

Out-of-bounds Write

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Out-of-bounds Write via the zlib dependency which allows memory corruption when deflating if the input has many distant matches.

Remediation

Upgrade nokogiri to version 1.13.4 or higher.

References

Out-of-bounds Write vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to an expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade nokogiri to version 1.13.4 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Use After Free

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free in the xmlSchemaItemListAdd() function in xmlschemas.c, which is exploitable by supplying a malicious .xsd schema for validation. it may also be exploitable when an xsd:keyref is provided in combination with recursively defined types that have additional identity constraints, for validation against a non malicious schema.

Remediation

Upgrade nokogiri to version 1.18.3 or higher.

References

Use After Free vulnerability report

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected:

  • Nokogiri::XML::SAX::Parse
  • Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser
  • Nokogiri::XML::SAX::PushParser
  • Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser.

CRuby users are not affected.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade nokogiri to version 1.12.5 or higher.

References

XML External Entity (XXE) Injection vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the multipart parsing component. Exploiting this vulnerability is possible when carefully crafted multipart POST requests cause Rack's multipart parser to take much longer than expected.

Notes:

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

It also includes reading POST data from a Rack request object like this:

p request.POST # read POST data 

p request.params # reads both query params and POST data

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.0.9.1, 2.1.4.1, 2.2.3.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Multipart MIME parsing functionality in parser.rb, which doesn't limit the number of total parts that can be uploaded. Exploiting this vulnerability is possible via a carefully crafted request, which might result in multipart parsing taking longer than expected.

Workaround

A proxy can be configured to limit the POST body size, which will mitigate this issue.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.0.9.3, 2.1.4.3, 2.2.6.3, 3.0.4.2 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) in handling of the Range request header. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. This issue is present when the Rack::File middleware or the Rack::Utils.byte_ranges methods are used (which includes applications built with Rails).

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rack to version 2.2.8.1, 3.0.9.1 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rails-html-sanitizer
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) which leads to excessive backtracking when attempting to sanitize certain SVG attributes. This can lead to CPU resource consumption.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rails-html-sanitizer to version 1.4.4 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

high severity

Information Exposure

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.6.

Overview

Affected versions of this package are vulnerable to Information Exposure via the ActionDispatch::Executor function, which expects response bodies to be closed and will not know to reset a thread's local state for the next request in a case where a response body isn't closed, allowing for data in the current request to leak to a subsequent request.

Remediation

Upgrade actionpack to version 5.2.6.2, 6.0.4.6, 6.1.4.6, 7.0.2.2 or higher.

References

Information Exposure vulnerability report

high severity

Improper Output Neutralization for Logs

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs through the Rack::CommonLogger process. An attacker can manipulate log entries by crafting input that includes newline characters to insert fraudulent entries or obscure real activity.

Remediation

Upgrade rack to version 2.2.11, 3.0.12, 3.1.10 or higher.

References

Improper Output Neutralization for Logs vulnerability report

high severity

OS Command Injection

  • Vulnerable module: thor
  • Introduced through: aruba@1.1.2 and rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 thor@1.1.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 thor@1.1.0
    Remediation: Upgrade to aruba@1.1.2.

Overview

Affected versions of this package are vulnerable to OS Command Injection via the merge tool. An attacker can execute arbitrary commands by supplying crafted input that is improperly handled during the construction of commands.

Remediation

Upgrade thor to version 1.4.0 or higher.

References

OS Command Injection vulnerability report

high severity

Stack-based Buffer Overflow

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow in the xmlSnprintfElements() function. An attacker can overwrite out-of-bounds stack memory with XML NCName data by supplying a malicious XML document or malicious DTD.

This vulnerability is similar to the previously reported and patched (CVE-2017-9047)[https://security.snyk.io/vuln/SNYK-UNMANAGED-LIBXML2-3004044].

Remediation

Upgrade nokogiri to version 1.18.3 or higher.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: actionmailer
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the block_format helper. An attacker can craft specific input that triggers inefficient regular expression evaluation, causing the application to consume excessive resources and potentially leading to a denial of service.

Workaround

This vulnerability can be mitigated by avoiding using the block_format helper or upgrading to Ruby 3.2.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade actionmailer to version 6.1.7.9, 7.0.8.5, 7.1.4.1, 7.2.1.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the filtered_query_string function through the query parameter filtering process. By sending specially crafted query parameters, an attacker can cause the service to slow down or become unresponsive.

Note:

Users on Ruby 3.2 are unaffected by this issue.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade actionpack to version 6.1.7.9, 7.0.8.5, 7.1.4.1, 7.2.1.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when using HTTP Token authentication via the method authenticate_or_request_with_http_token or a similar method. By sending specially crafted headers, an attacker can cause the application to consume excessive resources, leading to a denial of service.

Note: Users on Ruby 3.2 are unaffected by this issue.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade actionpack to version 6.1.7.9, 7.0.8.5, 7.1.4.1, 7.2.1.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: actiontext
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.9.

Overview

actiontext is a package to edit and display rich text in Rails applications.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) through the plain_text_for_blockquote_node helper function due to the usage of an insecure regular expression. By submitting specially crafted text, an attacker can cause the application to consume excessive resources and potentially lead to a denial of service.

Note:

Rails applications using Ruby 3.2 or newer are unaffected.

Workaround

This vulnerability can be mitigated by avoiding the use of plain_text_for_blockquote_node or upgrading to Ruby 3.2.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade actiontext to version 6.1.7.9, 7.0.8.5, 7.1.4.1, 7.2.1.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Improper Neutralization

  • Vulnerable module: activerecord
  • Introduced through: activerecord@6.1.4.1, database_cleaner-active_record@2.0.1 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1
    Remediation: Upgrade to activerecord@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1
    Remediation: Upgrade to rails@7.1.5.2.

Overview

activerecord is a library for databases on Rails.

Affected versions of this package are vulnerable to Improper Neutralization via the ids parameter, which is passed to the find or raise_record_not_found_exception! function, can be logged without escaping. An attacker can inject arbitrary ANSI escape sequences into terminal output by supplying crafted input to methods that log identifiers, potentially causing misleading or malicious terminal behavior.

Remediation

Upgrade activerecord to version 7.1.5.2, 7.2.2.2, 8.0.2.1 or higher.

References

Improper Neutralization vulnerability report

medium severity

Glob Injection

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.

Overview

Affected versions of this package are vulnerable to Glob Injection via the DiskService#delete_prefixed function. An attacker can delete unintended files from the storage directory by supplying blob keys containing glob metacharacters that are passed unescaped to Dir.glob.

Remediation

Upgrade activestorage to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Glob Injection vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: activesupport
  • Introduced through: activerecord@6.1.4.1, factory_bot@6.2.0 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus factory_bot@6.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to factory_bot@6.2.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 activesupport@6.1.4.1
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to mongoid@8.1.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 key_path@1.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in number_to_delimited() in the NumberToDelimitedConverter. An attacker can cause excessive resource consumption by submitting excessively long digit strings.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade activesupport to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the CSS selector tokenizer in css/tokenizer.rb. An attacker can cause excessive resource consumption by supplying malicious input to CSS.xpath_for.

Workaround

This vulnerability can be mitigated by setting a global Regexp.timeout.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade nokogiri to version 1.19.3 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Unchecked Return Value

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Unchecked Return Value from xmlC14NExecute, used in the canonicalize methods. These return and empty string rather than an error code for invalid and incomplete XML inputs. Although this behavior is not in itself a vulnerability in the parsing functionality, it has been demonstrated to be exploitable as a signature bypass in the vulnerability described in CVE-2025-66568.

Note: This is only exploitable in the CRuby extension. JRuby is not vulnerable.

Remediation

Upgrade nokogiri to version 1.19.1 or higher.

References

Unchecked Return Value vulnerability report

medium severity

Exposure of Information Through Directory Listing

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Exposure of Information Through Directory Listing in Rack::Directory, which checks for presence in the root directory only by left-side string comparison. An attacker can list directories outside the intended root if the prefix of the target directory is exactly the name of the root directory. E.g. www_backup is exposed when www is intended.

Remediation

Upgrade rack to version 2.2.22, 3.1.20, 3.2.5 or higher.

References

Exposure of Information Through Directory Listing vulnerability report

medium severity

Improper Output Neutralization for Logs

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rack::Sendfile middleware which logs values from the X-Sendfile-Type header. An attacker can inject messages into logs by including escape sequences such as newline characters in sent headers.

Remediation

Upgrade rack to version 2.2.12, 3.0.13, 3.1.11 or higher.

References

Improper Output Neutralization for Logs vulnerability report

medium severity

Incorrect Behavior Order: Validate Before Canonicalize

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Incorrect Behavior Order: Validate Before Canonicalize in the Rack::Static component. An attacker can bypass intended security headers by requesting static files using URL-encoded paths, causing the headers not to be applied as expected.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Incorrect Behavior Order: Validate Before Canonicalize vulnerability report

medium severity

Information Exposure

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Information Exposure in the Rack::Sendfile() when running behind a proxy that supports x-sendfile headers. An attacker can access internal endpoints intended to be protected by sending specially crafted x-sendfile-type or x-accel-mapping headers, causing the proxy to reissue internal requests that bypass access controls. This is only exploitable if the application uses Rack::Sendfile with a proxy supporting x-accel-redirect, the proxy does not always set or remove the x-sendfile-type and x-accel-mapping headers, and the application exposes an endpoint that returns a body responding to .to_path.

Workaround

This vulnerability can be mitigated by configuring the proxy to always set or strip the affected headers, or by disabling sendfile functionality in Rails applications.

Remediation

Upgrade rack to version 2.2.20, 3.1.18, 3.2.3 or higher.

References

Information Exposure vulnerability report

medium severity

Permissive Regular Expression

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Permissive Regular Expression in the Rack::Directory component when the configured root path is interpolated directly into a regular expression without escaping. An attacker can obtain sensitive filesystem path information by supplying a root path containing regex metacharacters, which causes the directory listing to reveal unintended details in the HTML output.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Permissive Regular Expression vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: rexml
  • Introduced through: rubocop@1.21.0, rubocop-performance@1.11.5 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop@1.21.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-performance@1.11.5 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-performance@1.11.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-rspec@2.5.0 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-rspec@2.5.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the REXML gem, when parsing an XML document that has many specific characters such as whitespace character,>] and ]>.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rexml to version 3.3.3 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rexml
  • Introduced through: rubocop@1.21.0, rubocop-performance@1.11.5 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop@1.21.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-performance@1.11.5 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-performance@1.11.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-rspec@2.5.0 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-rspec@2.5.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) due to the usage of insecure regular expressions in CHARACTER_REFERENCES. This vulnerability can be exploited when parsing XML content containing numerous digits between &# and x...; in a hex numeric character reference (&#x...;).

By supplying specially crafted XML documents, an attacker can cause the application to consume excessive resources.

Note:

This vulnerability doesn't affect Ruby 3.2 or later.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rexml to version 3.3.9 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: rexml
  • Introduced through: rubocop@1.21.0, rubocop-performance@1.11.5 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop@1.21.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-performance@1.11.5 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-performance@1.11.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-rspec@2.5.0 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-rspec@2.5.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the SAX2 or pull parser API. An attacker can cause the application to consume excessive resources leading to a denial of service by submitting specially crafted XML documents that exploit entity expansions.

PoC

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE member [
  <!ENTITY a "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
  <!ENTITY b "&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;">
  <!ENTITY c "&d;&d;&d;&d;&d;&d;&d;&d;&d;&d;">
  <!ENTITY d "&e;&e;&e;&e;&e;&e;&e;&e;&e;&e;">
  <!ENTITY e "&f;&f;&f;&f;&f;&f;&f;&f;&f;&f;">
  <!ENTITY f "&g;&g;&g;&g;&g;&g;&g;&g;&g;&g;">
  <!ENTITY g "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx">
]>
<member>
&a;
</member>

Remediation

Upgrade rexml to version 3.3.3 or higher.

References

Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rails
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.

Overview

rails is an opensource MVC web framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization, by leveraging the Clipboard API to target HTML elements that are assigned the contenteditable attribute. This has the potential to occur when pasting malicious HTML content from the clipboard that includes a data-method, data-remote or data-disable-with attribute.

Note: In order to exploit this vulnerability, an attacker would require action or input from the victim. (e.g. pasting the malicious HTML content)

Workaround

Users can attempt to mitigate this vulnerability by removing the contenteditable attribute from elements in pages that rails-ujs will interact with.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rails to version 6.1.7.3, 7.0.4.3 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the Rack::Files#fail component. An attacker can cause incorrect HTTP response framing and potential response desynchronization by requesting a non-existent path containing percent-encoded UTF-8 characters, which leads to a mismatch between the declared and actual Content-Length values.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Improper Handling of Length Parameter Inconsistency vulnerability report

medium severity

Interpretation Conflict

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Interpretation Conflict in the Rack::Multipart::Parser component. An attacker can cause the application to interpret multipart form data differently from upstream proxies or WAFs by sending requests with multiple boundary parameters in the Content-Type header. This can allow malicious form fields or file uploads to bypass upstream inspection and be processed by the application.

Note:

This is only exploitable if an upstream proxy, WAF, or intermediary interprets the first boundary parameter while the application parses the last one.

Remediation

Upgrade rack to version 2.2.23, 3.1.21, 3.2.6 or higher.

References

Interpretation Conflict vulnerability report

medium severity

Use After Free

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free via the xmlTextReader module. An attacker can cause denial of service by processing crafted XML documents with DTD validation and XInclude expansion enabled.

Remediation

Upgrade nokogiri to version 1.15.6, 1.16.2 or higher.

References

Use After Free vulnerability report

medium severity

Open Redirect

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.2.

Overview

Affected versions of this package are vulnerable to Open Redirect through the X-Forwarded-Host header. If the value of the header is prefixed with a invalid domain character (for example a /), it is always accepted as the actual host of that request. Since this host is used for all url helpers, an attacker could change generated links and redirects.

Remediation

Upgrade actionpack to version 6.0.4.2, 6.1.4.2 or higher.

References

Open Redirect vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: activesupport
  • Introduced through: activerecord@6.1.4.1, factory_bot@6.2.0 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus factory_bot@6.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to factory_bot@6.2.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to mongoid@7.3.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 key_path@1.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when using the SafeBuffer#bytesplice() function, the output of which is not treated as mutated and therefore improperly tagged as html_safe although it may contain executable scripts.

Workaround

Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade activesupport to version 6.1.7.3, 7.0.4.3 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: loofah
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0
    Remediation: Upgrade to rails@6.1.4.1.

Overview

loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper neutralization of data URIs, via the image/svg+xml media type.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade loofah to version 2.19.1 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rails-html-sanitizer
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via maliciously crafted data URIs, due to improper user input sanitization in the scrub_attribute function.

PoC

  def test_sanitize_data_protocol
    text = '- XSS><iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=">- XSS><iframe src="data:application/vnd.wap.xhtml+xml;base64,PHg6c2NyaXB0IHhtbG5zOng9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGh0bWwiPmFsZXJ0KGRvY3VtZW50LmRvbWFpbik8L3g6c2NyaXB0Pg=="></iframe></iframe>'

    scope_allowed_tags %w(iframe) do
      scope_allowed_attributes %w(src) do
        assert_equal %(- XSS\"&gt;<iframe>- XSS\"&gt;<iframe></iframe></iframe>), safe_list_sanitize(text)
      end
    end
  end

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rails-html-sanitizer to version 1.4.4 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: yard
  • Introduced through: yard@0.9.26

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus yard@0.9.26
    Remediation: Upgrade to yard@0.9.35.

Overview

yard is a documentation generation tool for the Ruby programming language.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the URL hash in the embedded JavaScript code in the frames.erb template file.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade yard to version 0.9.35 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the proxy controller when processing HTTP requests containing a large number of byte ranges in the Range header. An attacker can cause excessive CPU usage by sending requests with thousands of small ranges, leading to resource exhaustion and potential service disruption.

Remediation

Upgrade activestorage to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

medium severity

Arbitrary Code Execution

  • Vulnerable module: mongoid
  • Introduced through: mongoid@7.3.3 and database_cleaner-mongoid@2.0.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3
    Remediation: Upgrade to mongoid@7.6.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution via the Mongoid::Criteria.from_hash() function. An attacker can execute arbitrary Ruby code by supplying a specially crafted Hash value.

Remediation

Upgrade mongoid to version 7.6.1, 8.0.12, 8.1.12, 9.0.10 or higher.

References

Arbitrary Code Execution vulnerability report

medium severity

Web Cache Poisoning

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@7.1.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

PoC

GET /?q=legitimate&utm_content=1;q=malicious HTTP/1.1

Host: somesite.com

Upgrade-Insecure-Requests: 1		

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag e/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate			

Accept-Language: en-US,en;q=0.9 Connection: close

The server sees 3 parameters here: q, utm_content and then q again. On the other hand, the proxy considers this full string: 1;q=malicious as the value of utm_content, which is why the cache key would only contain somesite.com/?q=legitimate.

Remediation

Upgrade rack to version 3.0.0.beta1 or higher.

References

Web Cache Poisoning vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) when CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to this vulnerability.

Workaround: Set a CSP for the API responses manually.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade actionpack to version 5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Improper Input Validation

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.8.

Overview

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of security headers for non-HTML content types. An attacker can potentially exploit this to bypass security restrictions by sending specially crafted requests that exploit the lack of security headers.

Remediation

Upgrade actionpack to version 6.1.7.8, 7.0.8.4, 7.1.3.4, 7.2.0.beta2 or higher.

References

Improper Input Validation vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: actionview
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.5.1.

Overview

actionview is a simple, battle-tested conventions and helpers for building web pages.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ActionView::Helpers and ERB::Util methods, due to improper escape of dangerous characters in names of tags and names of attributes.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade actionview to version 5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rails-html-sanitizer
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization which may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both select and style elements. This is due to an incomplete fix of CVE-2022-32209.

Note:

Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:

  1. Using the Rails configuration config.action_view.sanitized_allow_tags=:
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]

(see https://guides.rubyonrails.org/configuring.html#configuring-action-view)

  1. Using the class method Rails::Html::SafeListSanitizer.allowed_tags=:
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

All users overriding the allowed tags by either of the above mechanisms to include both select and style should either upgrade or use one of the workarounds immediately.

Code is not impacted if allowed tags are overridden using either of the following mechanisms:

  • the :tags option to the Action View helper method sanitize.
  • the :tags option to the instance method SafeListSanitizer#sanitize.

Workaround

Users unable to upgrade to the fixed version can remove either select or style from the overridden allowed tags.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rails-html-sanitizer to version 1.4.4 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Information Exposure

  • Vulnerable module: actioncable
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1
    Remediation: Upgrade to rails@7.1.0.

Overview

Affected versions of this package are vulnerable to Information Exposure.

Overview

actioncable is a package to structure many real-time application concerns into channels over a single WebSocket connection.

Affected versions of the package are vulnerable to Information Exposure. There is no way to filter out any sensitive data from the logs.

References

Remediation

Upgrade actioncable to version 7.1.0 or higher.

References

Information Exposure vulnerability report

medium severity

Exposure of Data Element to Wrong Session

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.7.

Overview

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session due to the default behavior of sending a Set-Cookie header along with the user's session cookie when serving blobs and setting Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. An attacker can exploit this behavior to cause users to share sessions.

Workaround

This vulnerability can be avoided by configuring caching proxies not to cache Set-Cookie headers.

Remediation

Upgrade actionpack to version 6.1.7.7, 7.0.8.1 or higher.

References

Exposure of Data Element to Wrong Session vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the if_none_match header in http/cache.rb. An attacker can cause resource exhaustion with a malicious If-None-Match header if a version of Ruby below 3.2.0 is in use.

NOTE: Patches have been issued to address this vulnerability: 6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch, 7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade actionpack to version 6.1.7.1, 7.0.4.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in middleware/cookies.rb, which an attacker can trigger by sending a malicious cookie in combination with a malicious X_FORWARDED_HOST header.

NOTE: Patches have been released to address this issue: 6-1-Use-string-split-instead-of-regex-for-domain-parts.patch, 7-0-Use-string-split-instead-of-regex-for-domain-parts.patch

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade actionpack to version 6.1.7.1, 7.0.4.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Improper Handling of Values

  • Vulnerable module: activestorage
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.

Overview

Affected versions of this package are vulnerable to Improper Handling of Values in the DirectUploadsController. A malicious direct-upload client can set content_type flags like identified and analyzed to make a malicious uploaded file appear safe.

Remediation

Upgrade activestorage to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Improper Handling of Values vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: activesupport
  • Introduced through: activerecord@6.1.4.1, factory_bot@6.2.0 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus factory_bot@6.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to factory_bot@6.2.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 activesupport@6.1.4.1
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to mongoid@8.1.6.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 key_path@1.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the @html_unsafe flag used by the SafeBuffer#% function. An attacker can inject scripts by providing untrusted arguments to the formatting operation after the buffer has been mutated in place, which mayb cause the result to be incorrectly marked as safe and bypass automatic escaping.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade activesupport to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: activesupport
  • Introduced through: activerecord@6.1.4.1, factory_bot@6.2.0 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus factory_bot@6.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to factory_bot@6.2.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to mongoid@7.3.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 key_path@1.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the underscore() function in inflector/methods.rb. This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these.

NOTE: The impact of this vulnerability may be mitigated by configuring Regexp.timeout. Additionally, patches have been released to address this issue: 6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch, 7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade activesupport to version 6.1.7.1, 7.0.4.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: globalid
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2
    Remediation: Upgrade to rails@6.1.4.1.

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in uri/gid.rb, when parsing model_name values.

NOTE: A patch has been released to address this issue: 1-0-model-name-redos.patch

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade globalid to version 1.0.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in Content-Disposition header parsing in multipart/parser.rb.

NOTE: Patches have been released to address this issue: 2-0-Fix-ReDoS-vulnerability-in-multipart-parser, 2-1-Fix-ReDoS-vulnerability-in-multipart-parser, 2-2-Fix-ReDoS-vulnerability-in-multipart-parser, 3-0-Fix-ReDoS-vulnerability-in-multipart-parser

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rack to version 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in RFC2183 multipart boundary parsing in multipart/parser.rb. An attacker can trigger resource exhaustion by passing in a string involving control characters.

NOTE: 2-0-Forbid-control-characters-in-attributes.patch, 2-1-Forbid-control-characters-in-attributes.patch, 2-2-Forbid-control-characters-in-attributes.patch, 3-0-Forbid-control-characters-in-attributes.patch

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rack to version 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the get_byte_ranges() range header parsing function in utils.rb.

NOTE: Patches have been released to address this issue: 2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rack to version 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the parse_http_accept_header function in request.rb's header parsing due to the use of an insecure regex. Exploiting this vulnerability is possible by sending malicious strings as headers.

Workaround

This vulnerability can be avoided by setting Regexp.timeout in Ruby 3.2.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rack to version 2.2.6.4, 3.0.6.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the build_nested_query() function, used when parsing Accept and Forwarded headers. This can cause parsing performance to slow down.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rack to version 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Regular Expression Denial of Service (ReDoS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when parsing Content-Type data in media_type.rb, causing a slow-down in parsing performance. Code using any of the following may be vulnerable: request.media_type, request.media_type_params, Rack::MediaType.type(content_type)

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

  • A The string must start with the letter 'A'
  • (B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
  • D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

  1. CCC
  2. CC+C
  3. C+CC
  4. C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String Number of C's Number of steps
ACCCX 3 38
ACCCCX 4 71
ACCCCCX 5 136
ACCCCCCCCCCCCCCX 14 65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

Upgrade rack to version 2.2.8.1, 3.0.9.1 or higher.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Denial of Service (DoS)

  • Vulnerable module: rexml
  • Introduced through: rubocop@1.21.0, rubocop-performance@1.11.5 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop@1.21.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-performance@1.11.5 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-performance@1.11.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-rspec@2.5.0 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-rspec@2.5.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Denial of Service (DoS) through the XML parsing process. An attacker can cause a denial of service by sending specially crafted XML documents that contain many specific characters such as <, 0, and %>.

This vulnerability is exploitable if the application is configured to parse untrusted XML documents.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade rexml to version 3.3.2 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: rexml
  • Introduced through: rubocop@1.21.0, rubocop-performance@1.11.5 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop@1.21.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-performance@1.11.5 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-performance@1.11.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rubocop-rspec@2.5.0 rubocop@1.21.0 rexml@3.2.5
    Remediation: Upgrade to rubocop-rspec@2.5.0.

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') when parsing an XML that has many <s in an attribute value. An attacker can cause a denial of service by exploiting this behavior.

Workaround

This vulnerability can be mitigated by not parsing untrusted XMLs.

Remediation

Upgrade rexml to version 3.2.7 or higher.

References

Uncontrolled Resource Consumption ('Resource Exhaustion') vulnerability report

medium severity

Use After Free

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free through the numbers.c component. An attacker can cause memory corruption or execute arbitrary code by exploiting nested XPath evaluations where an XPath context node is modified but not restored.

Remediation

Upgrade nokogiri to version 1.18.4 or higher.

References

Use After Free vulnerability report

medium severity

Use After Free

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free through the xsltGetInheritedNsList process. An attacker can manipulate memory and potentially execute arbitrary code by excluding result prefixes.

Remediation

Upgrade nokogiri to version 1.18.4 or higher.

References

Use After Free vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in Rack::Directory, which automatically provides links to filenames on the filesystem. An attacker who can write files on the target system can cause the execution of JavaScript in the context of the hosting application by naming a file with an executable scheme like javascript: as part of its name, and convincing a user to click the malicious entry in the generated directory listing.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rack to version 2.2.22, 3.1.20, 3.2.5 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.4.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper sanitization of user-supplied values passed into the redirect_to method which allows provided values to contain characters that are not legal in an HTTP header value.

Note: To be exploited, this requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails for versions 7.0.x and above).

Workaround

Users that are not able to upgrade to the fixed version should avoid providing user-supplied URLs with arbitrary schemes to the redirect_to method.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade actionpack to version 6.1.7.4, 7.0.5.1 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Information Exposure

  • Vulnerable module: activesupport
  • Introduced through: activerecord@6.1.4.1, factory_bot@6.2.0 and others

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus factory_bot@6.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to factory_bot@6.2.0.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to activerecord@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to mongoid@7.3.3.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus ruby_rabbitmq_janus@4.0.1 key_path@1.2.0 activesupport@6.1.4.1
    Remediation: Upgrade to ruby_rabbitmq_janus@4.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-active_record@2.0.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-active_record@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus database_cleaner-mongoid@2.0.1 mongoid@7.3.3 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to database_cleaner-mongoid@2.0.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activerecord@6.1.4.1 activemodel@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-create-meta@4.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-html-formatter@13.0.0 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 activejob@6.1.4.1 globalid@0.5.2 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 activesupport@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus aruba@1.1.2 cucumber@6.1.0 cucumber-wire@5.0.1 cucumber-core@9.0.1 cucumber-gherkin@18.1.1 cucumber-messages@15.0.0 protobuf-cucumber@3.10.8 activesupport@6.1.4.1
    Remediation: Upgrade to aruba@1.1.2.

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Information Exposure. The ImpactActiveSupport::EncryptedFile method writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Note:

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

Workaround

Users can set the umask to be more restrictive: ruby$ umask 0077

Remediation

Upgrade activesupport to version 6.1.7.5, 7.0.7.1 or higher.

References

Information Exposure vulnerability report

medium severity

Information Exposure

  • Vulnerable module: railties
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1
    Remediation: Upgrade to rails@6.1.7.5.

Overview

railties is an application bootup, plugins, generators, and rake tasks.

Affected versions of this package are vulnerable to Information Exposure. The ImpactActiveSupport::EncryptedFile method writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Note:

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

Workaround

Users can set the umask to be more restrictive: ruby$ umask 0077

Remediation

Upgrade railties to version 6.1.7.5, 7.0.7.1 or higher.

References

Information Exposure vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rails-html-sanitizer
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in sanitizer.rb, when allowed tags are overridden to allow both select and style elements.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rails-html-sanitizer to version 1.4.3 or higher.

References

Cross-site Scripting (XSS) vulnerability report

medium severity

Cross-site Scripting (XSS)

  • Vulnerable module: rails-html-sanitizer
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2
    Remediation: Upgrade to rails@6.1.4.1.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to certain configurations of rails::Html::Sanitizer which allow attackers to inject content if the application developer have overridden the sanitizer's allowed tags in either of the following ways:

  1. allow both math and style elements

  2. or allow both SVG and style elements

Note: The code is only impacted if allowed tags are being overridden.

Workarounds

Remove style from the overridden allowed tags, or remove math and SVG from the overridden allowed tags.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade rails-html-sanitizer to version 1.4.4 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity

Cross-site Scripting (XSS)

  • Vulnerable module: actionview
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1
    Remediation: Upgrade to rails@7.2.3.1.

Overview

actionview is a simple, battle-tested conventions and helpers for building web pages.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via custom HTML attributes passed in to tag helpers. An attacker can inject scripts that may be executed in the context of the user's browser by supplying a blank string as an HTML attribute name, which causes attribute escaping to be bypassed and malformed HTML to be generated.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade actionview to version 7.2.3.1, 8.0.4.1, 8.1.2.1 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity

Race Condition

  • Vulnerable module: rack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 sprockets@4.0.2 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rack-test@1.1.0 rack@2.2.3
    Remediation: Upgrade to rails@6.1.4.1.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Race Condition in Rack::Session::Pool middleware, which allows an attacker to restore and use a deleted session. The attacker must be in possession of a valid session cookie and the attack must be timed to coincide with a disconnection from the long-running session by another user.

Workaround

This vulnerability can be avoided by invalidating sessions using the logged_out flag rather than deleting them, or by enforcing session invalidation by maintaining a custom session store and invalidating based on timestamp as soon as a session is closed.

Note: This vulnerability is addressed for Rack versions 3 and above in rack-session. The vulnerability is tracked by CVE-2025-46336.

Remediation

Upgrade rack to version 2.2.14 or higher.

References

Race Condition vulnerability report

low severity

Cross-site Scripting (XSS)

  • Vulnerable module: actionpack
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1
    Remediation: Upgrade to rails@7.0.8.7.

Overview

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the content_security_policy helper. An attacker can inject new directives into the CSP and bypass its protection mechanisms by crafting inputs that exploit the dynamic setting of CSP headers from untrusted user input.

Note:

This is only exploitable if applications set CSP headers dynamically from untrusted input.

Workaround

This vulnerability can be mitigated by avoiding the dynamic setting of CSP headers from untrusted input or by validating/sanitizing that input.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade actionpack to version 7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity

Buffer Under-read

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Buffer Under-read in the xmlSchemaIDCFillNodeTables() function. An attacker can cause partial denial of service by by validating a malicious XML document against an XML schema using xsd:keyref in combination with recursively defined types that have additional identity constraints.

Remediation

Upgrade nokogiri to version 1.18.8 or higher.

References

Buffer Under-read vulnerability report

low severity

Cross-site Scripting (XSS)

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the configuration of HTML5 sanitization and overridden sanitizer's allowed tags. An attacker can inject malicious content by exploiting the allowed tags settings to bypass sanitization controls. This is only exploitable if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags to include both 'math' and 'style' elements or both 'svg' and 'style' elements.

Details

Cross-site scripting (or XSS) is a code vulnerability that occurs when an attacker “injects” a malicious script into an otherwise trusted website. The injected script gets downloaded and executed by the end user’s browser when the user interacts with the compromised website.

This is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.

Injecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.

Escaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, < can be coded as &lt; and > can be coded as &gt; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses < and > as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.

The most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware.

Types of attacks

There are a few methods by which XSS can be manipulated:

Type Origin Description
Stored Server The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.
Reflected Server The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.
DOM-based Client The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.
Mutated The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.

Affected environments

The following environments are susceptible to an XSS attack:

  • Web servers
  • Application servers
  • Web application environments

How to prevent

This section describes the top best practices designed to specifically protect your code:

  • Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches.
  • Convert special characters such as ?, &, /, <, > and spaces to their respective HTML or URL encoded equivalents.
  • Give users the option to disable client-side scripts.
  • Redirect invalid requests.
  • Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.
  • Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.
  • Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.

Remediation

Upgrade nokogiri to version 1.15.7, 1.16.8 or higher.

References

Cross-site Scripting (XSS) vulnerability report

low severity

Stack-based Buffer Overflow

  • Vulnerable module: nokogiri
  • Introduced through: rails@6.1.4.1

Detailed paths

  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-dom-testing@2.0.3 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actioncable@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailer@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 railties@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 sprockets-rails@3.2.2 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actionmailbox@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.
  • Introduced through: dazzl-tv/ruby-rabbitmq-janus@dazzl-tv/ruby-rabbitmq-janus rails@6.1.4.1 actiontext@6.1.4.1 activestorage@6.1.4.1 actionpack@6.1.4.1 actionview@6.1.4.1 rails-html-sanitizer@1.4.2 loofah@2.12.0 nokogiri@1.12.4-x86_64-linux
    Remediation: Upgrade to rails@6.1.4.1.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow due to unsafe use of strcpy() in the xmllint interactive shell command tool. An attacker can cause a crash by providing an overly long argument to any shell command during an interactive session.

Note:

This vulnerability affects only the interactive shell and requires that an attacker can influence or control the command input to xmllint, which is uncommon in typical deployments.

Remediation

Upgrade nokogiri to version 1.18.9 or higher.

References

Stack-based Buffer Overflow vulnerability report