Vulnerabilities: 3 via 3 paths
Dependencies: 44
Source: GitHub
Commit: 96522d1a


high severity

Deserialization of Untrusted Data

  • Vulnerable module: jmespath
  • Introduced through: leeroy_app@0.5.4

Detailed paths

  • Introduced through: fitnesskeeper/leeroy@fitnesskeeper/leeroy#96522d1a09ba8a5181ddbccc26c106647c279548 leeroy_app@0.5.4 aws-sdk@2.8.14 aws-sdk-resources@2.8.14 aws-sdk-core@2.8.14 jmespath@1.3.1
    Remediation: Upgrade to leeroy_app@0.5.4.

Overview

Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the usage of JSON.load, which is considered unsafe when used with untrusted input.

Remediation

Upgrade jmespath to version 1.6.1 or higher.

high severity

Arbitrary Code Injection

  • Vulnerable module: rake
  • Introduced through: rake@10.5.0

Detailed paths

  • Introduced through: fitnesskeeper/leeroy@fitnesskeeper/leeroy#96522d1a09ba8a5181ddbccc26c106647c279548 rake@10.5.0
    Remediation: Upgrade to rake@12.3.3.

Overview

rake is a Make-like program implemented in Ruby.

Affected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when supplying a filename that begins with the pipe character |.

PoC by Katsuhiko Yoshida

% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt

Remediation

Upgrade rake to version 12.3.3 or higher.

medium severity

HTML Injection

  • Vulnerable module: cucumber
  • Introduced through: aruba@0.11.2

Detailed paths

  • Introduced through: fitnesskeeper/leeroy@fitnesskeeper/leeroy#96522d1a09ba8a5181ddbccc26c106647c279548 aruba@0.11.2 cucumber@2.4.0
    Remediation: Upgrade to aruba@0.11.2.

Overview

Affected versions of this package are vulnerable to HTML Injection. The HTML formatter appends any scenario output to the HTML report without escaping HTML tags in the messages, so any output from the steps is injected verbatim into the report page. In the simple case, this only means the message is not displayed as expected. When combined with, for example, Capybara and a CI environment, it opens up the possibility of an XSS attack originating from user input on the environment being tested.

Remediation

Upgrade cucumber to version 4.0.0 or higher.