Find, fix and prevent vulnerabilities in your code.

Overview

nokogiri is a gem for parsing HTML, XML, SAX, and Reader.

Affected versions of this package are vulnerable to Use After Free via the xmlTextReader module. An attacker can cause denial of service by processing crafted XML documents with DTD validation and XInclude expansion enabled.

Remediation

Upgrade nokogiri to version 1.15.6, 1.16.2 or higher.

References

• GitHub Commit
• GitHub PR
• Gitlab Commit
• Gitlab Issue
• Gitlab Release

Overview

rexml is an An XML toolkit for Ruby.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption when parsing an XML that has many <s in an attribute value. An attacker can cause a denial of service by exploiting this behavior.

Workaround

This vulnerability can be mitigated by not parsing untrusted XMLs.

Remediation

Upgrade rexml to version 3.2.7 or higher.

References

• Advisory
• GitHub Commit

Overview

activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.

Affected versions of this package are vulnerable to Information Exposure. The ImpactActiveSupport::EncryptedFile method writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to read the contents of the temporary file.

Note:

Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.

Workaround

Users can set the umask to be more restrictive: ruby$ umask 0077

Remediation

Upgrade activesupport to version 6.1.7.5, 7.0.7.1 or higher.

References

• GitHub Commit
• GitHub Release
• Vulnerability Advisory