madhon.github.io's People

Contributors

dependabot[bot], madhon, mend-bolt-for-github[bot]

madhon.github.io's Issues

CVE-2022-31163 (High) detected in tzinfo-1.2.9.gem - autoclosed

CVE-2022-31163 - High Severity Vulnerability

Vulnerable Library - tzinfo-1.2.9.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.9.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.5.0/cache/tzinfo-1.2.9.gem

Dependency Hierarchy:

  • github-pages-215.gem (Root Library)
    • jekyll-mentions-1.6.0.gem
      • html-pipeline-2.14.0.gem
        • activesupport-6.0.3.7.gem
          • tzinfo-1.2.9.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61,1.2.10


CVE-2014-10077 (High) detected in i18n-0.7.0.gem

CVE-2014-10077 - High Severity Vulnerability

Vulnerable Library - i18n-0.7.0.gem

New wave Internationalization support for Ruby.

Library home page: https://rubygems.org/gems/i18n-0.7.0.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/i18n-0.7.0.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • activesupport-4.2.5.1.gem
          • i18n-0.7.0.gem (Vulnerable Library)

Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24

Vulnerability Details

Hash#slice in lib/i18n/core_ext/hash.rb in the i18n gem before 0.8.0 for Ruby allows remote attackers to cause a denial of service (application crash) via a call in a situation where :some_key is present in keep_keys but not present in the hash.

Publish Date: 2018-11-06

URL: CVE-2014-10077

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-10077

Release Date: 2018-11-06

Fix Resolution: 0.8.0


CVE-2015-7499 (Medium) detected in nokogiri-1.6.7.2.gem

CVE-2015-7499 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Vulnerability Details

Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors.

Publish Date: 2015-12-15

URL: CVE-2015-7499

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-7499

Release Date: 2015-12-15

Fix Resolution: 2.9.3


CVE-2020-26298 (Medium) detected in redcarpet-3.3.3.gem

CVE-2020-26298 - Medium Severity Vulnerability

Vulnerable Library - redcarpet-3.3.3.gem

A fast, safe and extensible Markdown to (X)HTML parser

Library home page: https://rubygems.org/gems/redcarpet-3.3.3.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/redcarpet-3.3.3.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • redcarpet-3.3.3.gem (Vulnerable Library)

Vulnerability Details

Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the :escape_html option was being used. This is fixed in version 3.5.1 by the referenced commit.

Publish Date: 2021-01-11

URL: CVE-2020-26298

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q3wr-qw3g-3p4h

Release Date: 2021-01-11

Fix Resolution: redcarpet - 3.5.1


CVE-2017-9050 (High) detected in nokogiri-1.6.7.2.gem

CVE-2017-9050 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24

Vulnerability Details

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

Publish Date: 2017-05-18

URL: CVE-2017-9050

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050

Release Date: 2017-05-18

Fix Resolution: 2.9.5


CVE-2018-17567 (High) detected in jekyll-3.0.2.gem

CVE-2018-17567 - High Severity Vulnerability

Vulnerable Library - jekyll-3.0.2.gem

Jekyll is a simple, blog aware, static site generator.

Library home page: https://rubygems.org/gems/jekyll-3.0.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/jekyll-3.0.2.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jekyll-seo-tag-0.1.4.gem
      • jekyll-3.0.2.gem (Vulnerable Library)

Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24

Vulnerability Details

Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows attackers to access arbitrary files by specifying a symlink in the "include" key in the "_config.yml" file.

Publish Date: 2018-09-28

URL: CVE-2018-17567

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-17567

Release Date: 2018-09-28

Fix Resolution: v3.7.4,v3.8.4


CVE-2023-22796 (High) detected in activesupport-6.0.6.gem - autoclosed

CVE-2023-22796 - High Severity Vulnerability

Vulnerable Library - activesupport-6.0.6.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-6.0.6.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-6.0.6.gem

Dependency Hierarchy:

  • github-pages-227.gem (Root Library)
    • jekyll-mentions-1.6.0.gem
      • html-pipeline-2.14.3.gem
        • activesupport-6.0.6.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a possible regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. The issue is patched in versions 6.1.7.1 and 7.0.4.1.

Publish Date: 2023-01-06

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-01-06

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1


CVE-2017-18258 (Medium) detected in nokogiri-1.6.7.2.gem

CVE-2017-18258 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Vulnerability Details

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

Publish Date: 2018-04-08

URL: CVE-2017-18258

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-18258

Release Date: 2018-04-08

Fix Resolution: 2.9.6


CVE-2018-14404 (High) detected in nokogiri-1.6.7.2.gem

CVE-2018-14404 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Vulnerability Details

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Publish Date: 2018-07-19

URL: CVE-2018-14404

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GNOME/libxml2@a436374

Release Date: 2018-07-19

Fix Resolution: nokogiri - 2.9.5, libxml2 - 2.9.9


WS-2022-0093 (High) detected in commonmarker-0.17.13.gem - autoclosed

WS-2022-0093 - High Severity Vulnerability

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-215.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.6.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

commonmarker versions prior to 0.23.4 are vulnerable to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns.
The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

Publish Date: 2022-02-03

URL: WS-2022-0093

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fmx4-26r3-wxpf

Release Date: 2022-02-03

Fix Resolution: commonmarker - 0.23.4


CVE-2017-9049 (High) detected in nokogiri-1.6.7.2.gem

CVE-2017-9049 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24

Vulnerability Details

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictComputeFastKey function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for libxml2 Bug 759398.

Publish Date: 2017-05-18

URL: CVE-2017-9049

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9049

Release Date: 2017-05-18

Fix Resolution: v2.9.4


CVE-2015-5312 (High) detected in nokogiri-1.6.7.2.gem

CVE-2015-5312 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Vulnerability Details

The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660.

Publish Date: 2015-12-15

URL: CVE-2015-5312

CVSS 2 Score Details (7.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5312

Release Date: 2015-12-15

Fix Resolution: 2.9.3


CVE-2020-26247 (Medium) detected in nokogiri-1.6.7.2.gem

CVE-2020-26247 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Publish Date: 2020-12-30

URL: CVE-2020-26247

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4

Release Date: 2020-12-30

Fix Resolution: 1.11.0.rc4


CVE-2019-5477 (High) detected in nokogiri-1.6.7.2.gem

CVE-2019-5477 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.6.7.2.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

XML is like violence - if it doesn’t solve your problems, you are not using enough of it.

Library home page: https://rubygems.org/gems/nokogiri-1.6.7.2.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.6.7.2-x86-mingw32.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jemoji-0.5.1.gem
      • html-pipeline-2.3.0.gem
        • nokogiri-1.6.7.2.gem (Vulnerable Library)

Vulnerability Details

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Publish Date: 2019-08-16

URL: CVE-2019-5477

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: rubysec/ruby-advisory-db@ddeb4ee

Release Date: 2019-01-04

Fix Resolution: nokogiri-v1.10.4, rexical-v1.0.7


CVE-2020-14001 (High) detected in kramdown-1.9.0.gem

CVE-2020-14001 - High Severity Vulnerability

Vulnerable Library - kramdown-1.9.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.9.0.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.9.0.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • kramdown-1.9.0.gem (Vulnerable Library)

Vulnerability Details

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Publish Date: 2020-07-17

URL: CVE-2020-14001

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001

Release Date: 2020-07-17

Fix Resolution: kramdown - 2.3.0


CVE-2021-28834 (Medium) detected in kramdown-1.9.0.gem

CVE-2021-28834 - Medium Severity Vulnerability

Vulnerable Library - kramdown-1.9.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.9.0.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.9.0.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • kramdown-1.9.0.gem (Vulnerable Library)

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834

Release Date: 2021-03-19

Fix Resolution: REL_2_3_1


CVE-2021-32740 (High) detected in addressable-2.7.0.gem - autoclosed

CVE-2021-32740 - High Severity Vulnerability

Vulnerable Library - addressable-2.7.0.gem

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.

Library home page: https://rubygems.org/gems/addressable-2.7.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.5.0/cache/addressable-2.7.0.gem

Dependency Hierarchy:

  • github-pages-215.gem (Root Library)
    • jekyll-mentions-1.6.0.gem
      • jekyll-3.9.0.gem
        • addressable-2.7.0.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.

Publish Date: 2021-07-06

URL: CVE-2021-32740

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jxhc-q857-3j6g

Release Date: 2021-07-06

Fix Resolution: addressable - 2.8.0


CVE-2018-1000201 (High) detected in ffi-1.9.10.gem

CVE-2018-1000201 - High Severity Vulnerability

Vulnerable Library - ffi-1.9.10.gem

Ruby FFI library

Library home page: https://rubygems.org/gems/ffi-1.9.10.gem

Path to dependency file: /madhon.github.io/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/ffi-1.9.10.gem

Dependency Hierarchy:

  • github-pages-44.gem (Root Library)
    • jekyll-seo-tag-0.1.4.gem
      • jekyll-3.0.2.gem
        • jekyll-watch-1.3.1.gem
          • listen-3.0.5.gem
            • rb-inotify-0.9.5.gem
              • ffi-1.9.10.gem (Vulnerable Library)

Found in HEAD commit: d86fafcee21ac864fbc7bf6b9e69bb4daf2d6c24

Vulnerability Details

ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be hijacked on Windows OS, when a Symbol is used as DLL name instead of a String. This vulnerability appears to have been fixed in v1.9.24 and later.

Publish Date: 2018-06-22

URL: CVE-2018-1000201

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000201

Release Date: 2018-06-22

Fix Resolution: 1.9.24


WS-2022-0320 (High) detected in commonmarker-0.17.13.gem - autoclosed

WS-2022-0320 - High Severity Vulnerability

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-215.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.6.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Unbounded resource exhaustion in the cmark-gfm autolink extension may lead to denial of service.

Publish Date: 2022-09-21

URL: WS-2022-0320

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4qw4-jpp4-8gvp

Release Date: 2022-09-21

Fix Resolution: commonmarker - 0.23.6

