medium severity
- Vulnerable module: nokogiri
- Introduced through: nokogiri@1.13.10-x64-mingw32
Detailed paths
- Introduced through: timbru31/mp3lyrics@timbru31/mp3lyrics#08e7806406d8ffb7fe4d87d9b2ea08a6386956ba › nokogiri@1.13.10-x64-mingw32
  Remediation: Upgrade to nokogiri@1.15.6.
Overview
nokogiri is a gem for parsing HTML, XML, SAX, and Reader.
Affected versions of this package are vulnerable to Use After Free via the xmlTextReader module. An attacker can cause denial of service by processing crafted XML documents with DTD validation and XInclude expansion enabled.
Remediation
Upgrade nokogiri to version 1.15.6, 1.16.2 or higher.
medium severity
- Vulnerable module: rexml
- Introduced through: rubocop@1.28.2
Detailed paths
- Introduced through: timbru31/mp3lyrics@timbru31/mp3lyrics#08e7806406d8ffb7fe4d87d9b2ea08a6386956ba › rubocop@1.28.2 › rexml@3.2.5
  Remediation: Upgrade to rubocop@1.28.2.
Overview
rexml is an XML toolkit for Ruby.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption when parsing an XML document that has many `<` characters in an attribute value. An attacker can cause a denial of service by exploiting this behavior.
Workaround
This vulnerability can be mitigated by not parsing untrusted XMLs.
Remediation
Upgrade rexml to version 3.2.7 or higher.
medium severity
- Vulnerable module: activesupport
- Introduced through: activesupport@6.1.7.3
Detailed paths
- Introduced through: timbru31/mp3lyrics@timbru31/mp3lyrics#08e7806406d8ffb7fe4d87d9b2ea08a6386956ba › activesupport@6.1.7.3
  Remediation: Upgrade to activesupport@6.1.7.5.
Overview
activesupport is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework.
Affected versions of this package are vulnerable to Information Exposure. The ActiveSupport::EncryptedFile method writes contents that will be encrypted to a temporary file. The temporary file's permissions default to the user's current umask settings, meaning that it is possible for other users on the same system to read the contents of the temporary file.
Note: Attackers that have access to the file system could possibly read the contents of this temporary file while a user is editing it.
Workaround
Users can set the umask to be more restrictive before editing the file:
$ umask 0077
Remediation
Upgrade activesupport to version 6.1.7.5, 7.0.7.1 or higher.