- 🤔 I’m on Twitter https://twitter.com/madh0n/
- 🤔 I’m on Mastodon https://hachyderm.io/@Madhon
TZInfo provides daylight savings aware transformations between times in different time zones.
Library home page: https://rubygems.org/gems/tzinfo-1.2.9.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/tzinfo-1.2.9.gem
Found in base branch: master
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.3.61, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`.
Publish Date: 2022-07-22
URL: CVE-2022-31163
Type: Upgrade version
Origin: GHSA-5cm2-9h8c-rvfx
Release Date: 2022-07-22
Fix Resolution: tzinfo - 0.3.61,1.2.10
Step up your Open Source Security Game with Mend here
New wave Internationalization support for Ruby.
Library home page: https://rubygems.org/gems/i18n-0.7.0.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/i18n-0.7.0.gem
Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24
Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.
Publish Date: 2018-11-06
URL: CVE-2014-10077
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10077
Release Date: 2018-11-06
Fix Resolution: 0.8.0
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
XML is like violence - if it doesn’t solve your problems, you are not
using enough of it.
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.
Publish Date: 2015-12-15
URL: CVE-2015-7499
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-7499
Release Date: 2015-12-15
Fix Resolution: 2.9.3
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.3.3.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/redcarpet-3.3.3.gem
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the `:escape_html` option was being used. This is fixed in version 3.5.1 by the referenced commit.
Publish Date: 2021-01-11
URL: CVE-2020-26298
Type: Upgrade version
Origin: GHSA-q3wr-qw3g-3p4h
Release Date: 2021-01-11
Fix Resolution: redcarpet - 3.5.1
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
Publish Date: 2017-05-18
URL: CVE-2017-9050
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
Release Date: 2017-05-18
Fix Resolution: 2.9.5
Jekyll is a simple, blog aware, static site generator.
Library home page: https://rubygems.org/gems/jekyll-3.0.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/jekyll-3.0.2.gem
Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24
Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.
Publish Date: 2018-09-28
URL: CVE-2018-17567
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17567
Release Date: 2018-09-28
Fix Resolution: v3.7.4,v3.8.4
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-6.0.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem
Found in base branch: master
There is a possible regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. The issue is patched in versions 6.1.7.1 and 7.0.4.1.
Publish Date: 2023-01-06
URL: CVE-2023-22796
Type: Upgrade version
Origin: GHSA-j6gc-792m-qgm2
Release Date: 2023-01-06
Fix Resolution: activesupport - 6.1.7.1,7.0.4.1
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
Publish Date: 2018-04-08
URL: CVE-2017-18258
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18258
Release Date: 2018-04-08
Fix Resolution: 2.9.6
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
Publish Date: 2018-07-19
URL: CVE-2018-14404
Type: Upgrade version
Origin: GNOME/libxml2@a436374
Release Date: 2018-07-19
Fix Resolution: nokogiri- 2.9.5, libxml2 - 2.9.9
A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Found in base branch: master
commonmarker versions prior to 0.23.4 are vulnerable to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns.
The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.
Publish Date: 2022-02-03
URL: WS-2022-0093
Type: Upgrade version
Origin: GHSA-fmx4-26r3-wxpf
Release Date: 2022-02-03
Fix Resolution: commonmarker - 0.23.4
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.
Publish Date: 2017-05-18
URL: CVE-2017-9049
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049
Release Date: 2017-05-18
Fix Resolution: v2.9.4
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.
Publish Date: 2015-12-15
URL: CVE-2015-5312
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5312
Release Date: 2015-12-15
Fix Resolution: 2.9.3
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Publish Date: 2020-12-30
URL: CVE-2020-26247
Type: Upgrade version
Origin: https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
Release Date: 2020-12-30
Fix Resolution: 1.11.0.rc4
Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's `Kernel.open` method. Processes are vulnerable only if the undocumented method `Nokogiri::CSS::Tokenizer#load_file` is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Publish Date: 2019-08-16
URL: CVE-2019-5477
Type: Upgrade version
Origin: rubysec/ruby-advisory-db@ddeb4ee
Release Date: 2019-01-04
Fix Resolution: nokogiri-v1.10.4, rexical-v1.0.7
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.9.0.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.9.0.gem
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Publish Date: 2020-07-17
URL: CVE-2020-14001
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
Release Date: 2020-07-17
Fix Resolution: kramdown - 2.3.0
Library home page: https://rubygems.org/gems/kramdown-1.9.0.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.9.0.gem
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Publish Date: 2021-03-19
URL: CVE-2021-28834
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
Release Date: 2021-03-19
Fix Resolution: REL_2_3_1
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.7.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/addressable-2.7.0.gem
Found in base branch: master
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
Publish Date: 2021-07-06
URL: CVE-2021-32740
Type: Upgrade version
Origin: GHSA-jxhc-q857-3j6g
Release Date: 2021-07-06
Fix Resolution: addressable - 2.8.0
Ruby FFI library
Library home page: https://rubygems.org/gems/ffi-1.9.10.gem
Path to dependency file: /madhon.github.io/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/ffi-1.9.10.gem
Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24
ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS when a Symbol is used as the DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.
Publish Date: 2018-06-22
URL: CVE-2018-1000201
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000201
Release Date: 2018-06-22
Fix Resolution: 1.9.24
Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem
Found in base branch: master
Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service
Publish Date: 2022-09-21
URL: WS-2022-0320
Type: Upgrade version
Origin: GHSA-4qw4-jpp4-8gvp
Release Date: 2022-09-21
Fix Resolution: commonmarker - 0.23.6