high severity
- Vulnerable module: jmespath
- Introduced through: leeroy_app@0.5.4
Detailed paths
- Introduced through: fitnesskeeper/leeroy@fitnesskeeper/leeroy#96522d1a09ba8a5181ddbccc26c106647c279548 › leeroy_app@0.5.4 › aws-sdk@2.8.14 › aws-sdk-resources@2.8.14 › aws-sdk-core@2.8.14 › jmespath@1.3.1
Remediation: Upgrade to leeroy_app@0.5.4.
Overview
Affected versions of this package are vulnerable to Deserialization of Untrusted Data due to the usage of JSON.load, which is considered unsafe when used with untrusted input.
Remediation
Upgrade jmespath to version 1.6.1 or higher.
high severity
- Vulnerable module: rake
- Introduced through: rake@10.5.0
Detailed paths
- Introduced through: fitnesskeeper/leeroy@fitnesskeeper/leeroy#96522d1a09ba8a5181ddbccc26c106647c279548 › rake@10.5.0
Remediation: Upgrade to rake@12.3.3.
Overview
rake is a Make-like program implemented in Ruby.
Affected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when supplying a filename that begins with the pipe character |.
PoC by Katsuhiko Yoshida
% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt
Remediation
Upgrade rake to version 12.3.3 or higher.
medium severity
- Vulnerable module: cucumber
- Introduced through: aruba@0.11.2
Detailed paths
- Introduced through: fitnesskeeper/leeroy@fitnesskeeper/leeroy#96522d1a09ba8a5181ddbccc26c106647c279548 › aruba@0.11.2 › cucumber@2.4.0
Remediation: Upgrade to aruba@0.11.2.
Overview
Affected versions of this package are vulnerable to HTML Injection. The HTML formatter appends any scenario output to the HTML report without escaping HTML tags in the messages, so any output from the steps is injected verbatim into the report page. In the simple case, this only means the message is not displayed as expected. When combined with, for example, capybara and CI environments, this opens up the possibility of an XSS attack from user input on the environment being tested.
Remediation
Upgrade cucumber to version 4.0.0 or higher.