This project forked from droidkaigi/conference-app-2020
The Official Conference App for DroidKaigi 2020 Tokyo
Home Page: https://droidkaigi.jp/2020/en/
License: Apache License 2.0
Vulnerable Library - git-1.5.0.gemLibrary home page: https://rubygems.org/gems/git-1.5.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-46648.
Publish Date: 2023-01-17
URL: CVE-2022-47318
CVSS 3 Score Details (8.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2022-47318
Release Date: 2023-01-17
Fix Resolution: git - 1.13.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - kotlin-stdlib-1.3.50.jarKotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: 2021-02-03
URL: CVE-2020-29582
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-cqj8-47ch-rvvq
Release Date: 2021-02-03
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21
Step up your Open Source Security Game with Mend here
Vulnerable Library - guava-26.0-jre.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/26.0-jre/6a806eff209f36f635f943e16d97491f00f6bfab/guava-26.0-jre.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (3.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: 30.0-android
Step up your Open Source Security Game with Mend here
Vulnerable Library - activesupport-4.2.11.1.gemA toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-4.2.11.1.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Publish Date: 2023-02-09
URL: CVE-2023-22796
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-j6gc-792m-qgm2
Release Date: 2023-01-06
Fix Resolution: activesupport - 6.1.7.1,7.0.4.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - addressable-2.7.0.gemAddressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.
Library home page: https://rubygems.org/gems/addressable-2.7.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. An uncontrolled resource consumption vulnerability exists after version 2.3.0 through version 2.7.0. Within the URI template implementation in Addressable, a maliciously crafted template may result in uncontrolled resource consumption, leading to denial of service when matched against a URI. In typical usage, templates would not normally be read from untrusted user input, but nonetheless, no previous security advisory for Addressable has cautioned against doing this. Users of the parsing capabilities in Addressable but not the URI template capabilities are unaffected. The vulnerability is patched in version 2.8.0. As a workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.
Publish Date: 2021-07-06
URL: CVE-2021-32740
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-jxhc-q857-3j6g
Release Date: 2021-07-06
Fix Resolution: addressable - 2.8.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - cocoapods-downloader-1.3.0.gemLibrary home page: https://rubygems.org/gems/cocoapods-downloader-1.3.0.gem
Path to dependency file: /ios-base/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/cocoapods-downloader-1.3.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-01
URL: CVE-2022-24440
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24440
Release Date: 2022-04-01
Fix Resolution: cocoapods-downloader - 1.6.0,1.6.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - git-1.5.0.gemLibrary home page: https://rubygems.org/gems/git-1.5.0.gem
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318.
Publish Date: 2023-01-17
URL: CVE-2022-46648
CVSS 3 Score Details (8.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-01-17
Fix Resolution: git - 1.13.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - kotlin-stdlib-1.3.50.jarKotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.50/b529d1738c7e98bbfa36a4134039528f2ce78ebf/kotlin-stdlib-1.3.50.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - tzinfo-1.2.6.gemTZInfo provides daylight savings aware transformations between times in different time zones.
Library home page: https://rubygems.org/gems/tzinfo-1.2.6.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.
Publish Date: 2022-07-22
URL: CVE-2022-31163
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-5cm2-9h8c-rvfx
Release Date: 2022-07-22
Fix Resolution: tzinfo - 0.3.61,1.2.10
Step up your Open Source Security Game with Mend here
Vulnerable Library - kramdown-2.1.0.gemkramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-2.1.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Publish Date: 2020-07-17
URL: CVE-2020-14001
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
Release Date: 2020-07-17
Fix Resolution: kramdown - 2.3.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - cocoapods-downloader-1.3.0.gemLibrary home page: https://rubygems.org/gems/cocoapods-downloader-1.3.0.gem
Path to dependency file: /ios-base/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.5.0/cache/cocoapods-downloader-1.3.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
The package cocoapods-downloader before 1.6.2 are vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-01
URL: CVE-2022-21223
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21223
Release Date: 2022-04-01
Fix Resolution: cocoapods-downloader - 1.6.2
Step up your Open Source Security Game with Mend here
Vulnerable Library - google-oauth-client-1.28.0.jarGoogle OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 6 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
Library home page: https://github.com/googleapis/google-oauth-java-client
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.oauth-client/google-oauth-client/1.28.0/9a9e5d0c33b663d6475c96ce79b2949545a113af/google-oauth-client-1.28.0.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token's payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload. The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above
Publish Date: 2022-05-03
URL: CVE-2021-22573
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22573
Release Date: 2022-05-03
Fix Resolution: com.google.oauth-client:google-oauth-client:1.33.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - google-oauth-client-1.28.0.jarGoogle OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 6 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
Library home page: https://github.com/googleapis/google-oauth-java-client
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.oauth-client/google-oauth-client/1.28.0/9a9e5d0c33b663d6475c96ce79b2949545a113af/google-oauth-client-1.28.0.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.
Publish Date: 2020-07-09
URL: CVE-2020-7692
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-09
Fix Resolution: 1.3.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - httpclient-4.5.5.jarApache HttpComponents Client
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.5/1603dfd56ebcd583ccdf337b6c3984ac55d89e58/httpclient-4.5.5.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
Step up your Open Source Security Game with Mend here
Vulnerable Library - git-1.5.0.gemLibrary home page: https://rubygems.org/gems/git-1.5.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-19
URL: CVE-2022-25648
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25648
Release Date: 2022-04-19
Fix Resolution: git - 1.11.0
Step up your Open Source Security Game with Mend here
Vulnerable Library - kramdown-2.1.0.gemkramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-2.1.0.gem
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Publish Date: 2021-03-19
URL: CVE-2021-28834
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-19
Fix Resolution: 2.3.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - commons-codec-1.10.jarThe Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /buildSrc/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar
Dependency Hierarchy:
Found in HEAD commit: ec2284d85604ba33cf06de1b5080110845ffd054
Found in base branch: master
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Step up your Open Source Security Game with Mend here
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
