saigkill/hoe-manns

Vulnerabilities 2 via 3 paths
Dependencies 20
Source GitHub
Commit 530373ac


high severity

Arbitrary Code Injection

  • Vulnerable module: rake
  • Introduced through: hoe-manns@2.1.6

Detailed paths

  • Introduced through: saigkill/hoe-manns#530373acc926351dd38fea10ed66df6c135c6078 → hoe-manns@2.1.6 → rake@12.3.2
    Remediation: Upgrade to hoe-manns@2.1.6.

Overview

rake is a Make-like program implemented in Ruby.

Affected versions of this package are vulnerable to Arbitrary Code Injection in Rake::FileList when supplying a filename that begins with the pipe character |.

PoC by Katsuhiko Yoshida

% ls -1
Gemfile
Gemfile.lock
poc_rake.rb
vendor
| touch evil.txt
% bundle exec ruby poc_rake.rb
["poc_rake.rb", "Gemfile", "Gemfile.lock", "| touch evil.txt", "vendor"]
poc_rake.rb:6:list.egrep(/something/)
Error while processing 'vendor': Is a directory @ io_fillbuf - fd:7 vendor
% ls -1
Gemfile
Gemfile.lock
evil.txt
poc_rake.rb
vendor
| touch evil.txt

Remediation

Upgrade rake to version 12.3.3 or higher.

high severity (new)

Denial of Service (DoS)

  • Vulnerable module: json
  • Introduced through: simplecov@0.16.1 and simplecov-cobertura@1.3.1

Detailed paths

  • Introduced through: saigkill/hoe-manns#530373acc926351dd38fea10ed66df6c135c6078 → simplecov@0.16.1 → json@2.2.0
    Remediation: Upgrade to simplecov@0.16.1.
  • Introduced through: saigkill/hoe-manns#530373acc926351dd38fea10ed66df6c135c6078 → simplecov-cobertura@1.3.1 → simplecov@0.16.1 → json@2.2.0
    Remediation: Upgrade to simplecov-cobertura@1.3.1.

Overview

json is a JSON implementation as a Ruby extension in C.

Affected versions of this package are vulnerable to Denial of Service (DoS). When parsing certain JSON documents, the json gem (including the one bundled with Ruby) can be coerced into creating arbitrary objects in the target system.

This is the same issue as CVE-2013-0269. The previous fix was incomplete: it addressed JSON.parse(user_input), but did not address some other styles of JSON parsing, including JSON(user_input) and JSON.parse(user_input, nil).

See CVE-2013-0269 in detail.

Remediation

Upgrade json to version 2.3.0 or higher.