Regression in JWT Signature Validation

Overview Versions after and including 2.3.0 are improperly validating the JWT token signature when using the JWTValidator.verify method. Improper validation of the JWT token signature when not using the default Authorization Code Flow can allow an attacker to bypass authentication and...

HTTP Request Smuggling in Agoo

agoo through 2.12.3 allows request smuggling attacks where agoo is used as a backend and a frontend proxy also being vulnerable. It is possible to conduct HTTP request smuggling attacks by sending the Content-Length header twice. Furthermore, invalid Transfer Encoding headers were found to be...

Ensure that doorkeeper_token is valid when authenticating requests in API v2 calls

Impact The perpetrator who previously obtained an old expired user token could use it to access Storefront API v2 endpoints. Patches Please upgrade to 3.7.11, 4.0.4, or 4.1.11 depending on your used Spree version...

Possible XSS Vulnerability in Action Pack in Development Mode

There is a possible XSS vulnerability in Action Pack while the application server is in development mode. This vulnerability is in the Actionable Exceptions middleware. This vulnerability has been assigned the CVE identifier CVE-2020-8264. Versions Affected: = 6.0.0 Not affected: 6.0.0 Fixed...

Possible timing attack in derivation_endpoint

Impact When using the derivationendpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. Patches The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.securecompare. Users using the...

Dependency Confusion in Bundler with Implicit Private Dependencies

Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that...

Potential HTTP Request Smuggling Vulnerability in WEBrick

WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request. See CWE-444 in detail...

Gon gem lack of escaping certain input when outputting as JSON

An issue was discovered in the gon gem before gon-6.4.0 for Ruby. MultiJson does not honor the escapemode parameter to escape fields as an XSS protection mechanism. To mitigate, jsondumper.rb in gon now does escaping for XSS by default without relying on MultiJson...

Potential XSS vulnerability in Action View

There is a potential Cross-Site Scripting XSS vulnerability in Action View's translation helpers. Views that allow the user to control the default not found value of the t and translate helpers could be susceptible to XSS attacks. Impact ------ When an HTML-unsafe string is passed as the default...

Cross-Site Scripting in jquery

Affected versions of jquery are vulnerable to cross-site scripting. This occurs because the main jquery function uses a regular expression to differentiate between HTML and selectors, but does not properly anchor the regular expression. The result is that jquery may interpret HTML as selectors wh...

CSS injection with width and height options

Chartkick is vulnerable to CSS injection if user input is passed to the width or height option. An attacker can set additional CSS properties, like:...

CSRF Vulnerability with Non-Session Based Authentication

The PgHero dashboard is vulnerable to CSRF with non-session based authentication methods. Impact The PgHero dashboard is vulnerable to cross-site request forgery CSRF. This affects the Docker image, Linux packages, and in specific cases, the Ruby gem. The Ruby gem is vulnerable with non-session...

CSRF Vulnerability with Non-Session Based Authentication

The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods. Impact The Field Test dashboard is vulnerable to CSRF with non-session based authentication methods, like basic authentication. Session-based authentication methods like Devise's default authentication a...

Ability to change order address without triggering address validations in solidus

Impact This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zo...

Ability to change order address without triggering address validations in solidus

Impact This vulnerability allows a malicious customer to craft request data with parameters that allow changing the address of the current order without changing the shipment costs associated with the new shipment. All stores with at least two shipping zones and different costs of shipment per zo...

Missing TLS certificate verification

Faye uses em-http-request6 and faye-websocket10 in the Ruby version of its client. Those libraries both use the EM::Connectionstarttls1 method in EventMachine2 to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by...

Missing TLS certificate verification in faye-websocket

The Faye::WebSocket::Client class uses the EM::Connectionstarttls1 method in EventMachine2 to implement the TLS handshake whenever a wss: URL is used for the connection. This method does not implement certificate verification by default, meaning that it does not check that the server presents a...

Heap buffer overflow in mruby interpreter

muby through 2.1.2-rc has a heap-based buffer overflow in the mrbyieldwithclass function in vm.c because of incorrect VM stack handling. It can be triggered via the stackcopy function...

Prototype Pollution in lodash

Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires...

Unintended read access in kramdown gem

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access such as template="/etc/passwd" or unintended embedded Ruby code execution such as a string that begins with template="string://%= . NOTE: kramdown is used...

Untrusted users able to run pending migrations in production

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185. Versions Affected: 6.0.0 = 6.0.3.2 Impact ------ Using this issu...

Cross-site scripting vulnerability via `<math>` or `<svg>` element in Sanitize

When HTML is sanitized using Sanitize's "relaxed" config or a custom config that allows certain elements, some content in a or element may not be sanitized correctly even if math and svg are not in the allowlist. You are likely to be vulnerable to this issue if you use Sanitize's relaxed config o...

Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding percent-encoding on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated...

Regular Expression Denial of Service in websocket-extensions (RubyGem)

Impact The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form: Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ... That is, a header containing an unclosed string...

Cross-Site Scripting in Kaminari via `original_script_name` parameter

Impact There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links. For example, an attacker could craft pagination links that link to other domain or host:...

HTTP Smuggling via Transfer-Encoding Header in Puma

Impact This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via...

HTTP Smuggling via Transfer-Encoding Header in Puma

Impact By using an invalid transfer-encoding header, an attacker could smuggle an HTTP response. Patches The problem has been fixed in Puma 3.12.5 and Puma 4.3.4...

Cross-Site Scripting in jquery

Versions of jquery prior to 1.9.0 are vulnerable to Cross-Site Scripting. The load method fails to recognize and remove "" HTML tags that contain a whitespace character, i.e: "", which results in the enclosed script logic to be executed. This allows attackers to execute arbitrary JavaScript in a...

Ability to forge per-form CSRF tokens given a global CSRF token

It is possible to possible to, given a global CSRF token such as the one present in the authenticitytoken meta tag, forge a per-form CSRF token for any action for that session. Versions Affected: rails = 5.2.4.3, rails = 6.0.3.1 Impact ------ Given the ability to extract the global CSRF token, an...

Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack. Versions Affected: rails = 5.2.4.3, rails = 6.0.3.1 Impact ------ In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or eachvalue, or eachpair will return the...

CSRF Vulnerability in rails-ujs

There is an vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains. Versions Affected: rails = 5.2.4.3, rails = 6.0.3.1 Impact ------ This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor ta...

Circumvention of file size limits in ActiveStorage

There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. Versions Affected: rails = 5.2.4.3, rails = 6.0.3.1 Impact ------ Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct...

Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the raw: true parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerabl...

Potential remote code execution of user-provided local names in ActionView

There was a vulnerability in versions of Rails prior to 5.0.1 that would allow an attacker who controlled the locals argument of a render call. Versions Affected: rails 5.0.1 Not affected: Applications that do not allow users to control the names of locals. Fixed Versions: 4.2.11.2 Impact ------ ...

Directory traversal in Rack::Directory app bundled with Rack

There was a possible directory traversal vulnerability in the Rack::Directory app that is bundled with Rack. Versions Affected: rack = 2.2.0 Impact ------ If certain directories exist in a director that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents ...

Improper Restriction of Excessive Authentication Attempts in Sorcery

Impact Brute force vulnerability when using password authentication via Sorcery. The brute force protection submodule will prevent a brute force attack for the defined lockout period, but once expired protection will not be re-enabled until a user or malicious actor logs in successfully. This doe...

Arbitrary file write/potential remote code execution in actionpack-page_caching

There is a vulnerability in the actionpack-pagecaching gem that allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view. Versions Affected: All versions of actionpack-pagecaching part of Rails...

activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding

activeresource contains a lack of encoding flaw in the elementpath function of lib/activeresource/base.rb. There is an issue with the way Active Resource encodes data before querying the back end server. This encoding mechanism can allow specially crafted requests to possibly access data that may...

Doorkeeper application secret information disclosure vulnerability

Information disclosure vulnerability. Allows an attacker to see all Doorkeeper::Application model attribute values including secrets after authorizing an application to their user. An application is vulnerable if the authorized applications controller is enabled GET...

Potential denial of service in bson rubygem

The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped allows remote attackers to cause a denial of service worker resource consumption via a crafted string. NOTE: This issue is due to an incomplete fix to CVE-2015-4410...

Authentication and extension bypass in Faye

On 20 April 2020 it was reported to me that the potential for authentication bypass exists in Faye1's extension system. This vulnerability has existed in the Node.js and Ruby versions of the server since version 0.5.0, when extensions were first introduced, in July 2010. It is patched in versions...

Potential XSS vulnerability in jQuery

Impact Passing HTML containing elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. Workarounds To workaround this issue without upgrading, use DOMPurify with its SAFEFORJQUERY option...

Potential XSS vulnerability in jQuery

Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods i.e. .html, .append, and others may execute untrusted code. Patches This problem is patched in jQuery 3.5.0. Workarounds To workaround the issue without upgrading, adding the...

Heap exposure vulnerability in the socket library

A heap exposure vulnerability was discovered in the socket library. This vulnerability has been assigned the CVE identifier CVE-2020-10933. We strongly recommend upgrading Ruby. When BasicSocketrecvnonblock and BasicSocketreadnonblock are invoked with size and buffer arguments, they initially...

Unsafe Object Creation Vulnerability in JSON (Additional fix)

When parsing certain JSON documents, the json gem including the one bundled with Ruby can be coerced into creating arbitrary objects in the target system. This is the same issue as CVE-2013-0269. The previous fix was incomplete, which addressed JSON.parseuserinput, but didn’t address some other...

json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)

There is an unsafe object creation vulnerability in the json gem bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. We strongly recommend upgrading the json gem. Details ------- When parsing certain JSON documents, the json gem including the one bundled wit...

Possible XSS vulnerability in ActionView

There is a possible XSS vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escapejavascript methods may be susceptible to XSS attacks. Versions Affected: All. Not affected: None. Fixed Versions: 6.0.2.2, 5.2.4.2 Impact ------ There is a possible XSS...

rails_admin ruby gem XSS vulnerability

RailsAdmin aka railsadmin before 1.4.3 and 2.x before 2.0.2 allows XSS via nested forms...

Sort order SQL injection via `direction` parameter in administrate

In Administrate rubygem before version 0.13.0, when sorting by attributes on a dashboard, the direction parameter was not validated before being interpolated into the SQL query. This could present a SQL injection if the attacker were able to modify the direction parameter and bypass ActiveRecord...

Denial of Service in uap-core when processing crafted User-Agent strings

Impact Some regexes are vulnerable to regular expression denial of service REDoS due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTPS request to maliciously crafted long strings. Patches Please update uap-ruby to = v2.6....