Vulnerabilities: 3 via 5 paths

Dependencies: 80

Source: GitHub

Commit: b49fdf55


high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack@3.1.14

Detailed paths

  • Introduced through: jufemaiz/aemo@jufemaiz/aemo#b49fdf55c400144cbf29704d19b05ccf9f22f711 > rack@3.1.14
    Remediation: Upgrade to rack@3.1.16.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to inefficient parsing of the Content-Disposition header. An attacker can cause the server to consume excessive resources and potentially crash by sending specially crafted requests that exploit this inefficiency.

Remediation

Upgrade rack to version 3.1.16 or higher.


high severity

OS Command Injection

  • Vulnerable module: thor
  • Introduced through: coveralls_reborn@0.28.0 and guard-yard@2.2.1

Detailed paths

  • Introduced through: jufemaiz/aemo@jufemaiz/aemo#b49fdf55c400144cbf29704d19b05ccf9f22f711 > coveralls_reborn@0.28.0 > thor@1.3.2
    Remediation: Upgrade to coveralls_reborn@0.28.0.
  • Introduced through: jufemaiz/aemo@jufemaiz/aemo#b49fdf55c400144cbf29704d19b05ccf9f22f711 > guard-yard@2.2.1 > guard@2.19.1 > thor@1.3.2
    Remediation: Upgrade to guard-yard@2.2.1.

Overview

Affected versions of this package are vulnerable to OS Command Injection via the merge tool. An attacker can execute arbitrary commands by supplying crafted input that is improperly handled during the construction of commands.

Remediation

Upgrade thor to version 1.4.0 or higher.


medium severity (new)

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • Vulnerable module: rexml
  • Introduced through: aemo@0.7.1 and webmock@3.25.1

Detailed paths

  • Introduced through: jufemaiz/aemo@jufemaiz/aemo#b49fdf55c400144cbf29704d19b05ccf9f22f711 > aemo@0.7.1 > rexml@3.4.1
    Remediation: Upgrade to aemo@0.7.1.
  • Introduced through: jufemaiz/aemo@jufemaiz/aemo#b49fdf55c400144cbf29704d19b05ccf9f22f711 > webmock@3.25.1 > crack@1.0.0 > rexml@3.4.1
    Remediation: Upgrade to webmock@3.25.1.

Overview

rexml is an XML toolkit for Ruby.

Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') due to parsing XML. An attacker can cause excessive resource consumption and disrupt service availability by submitting specially crafted XML files containing multiple XML declarations.

Remediation

Upgrade rexml to version 3.4.2 or higher.
