Rails 6.1 Vulnerabilities

To enumerate Rails 6.1 vulnerabilities, we created an application on the latest patch version of Rails 6.1 and ran bundler-audit against it to report every known vulnerability in its dependencies.

Here we list the security risks related to a sample Rails 6.1 application.

VULNERABLE GEM: actionpack@6.1.7.10

Name: actionpack
Version: 6.1.7.10
ID: CVE-2024-54133

Possible Content Security Policy bypass in Action Dispatch

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.0.8, >= 7.0.8.7, ~> 7.1.5, >= 7.1.5.1, ~> 7.2.2, >= 7.2.2.1, >= 8.0.0.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: actionview@6.1.7.10

Name: actionview
Version: 6.1.7.10
ID: CVE-2026-33168

Rails has a possible XSS vulnerability in its Action View tag helpers

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activerecord@6.1.7.10

Name: activerecord
Version: 6.1.7.10
ID: CVE-2025-55193

Active Record logging vulnerable to ANSI escape injection

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.1.5, >= 7.1.5.2, ~> 7.2.2, >= 7.2.2.2, >= 8.0.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@6.1.7.10

Name: activestorage
Version: 6.1.7.10
ID: CVE-2025-24293

Active Storage allowed transformation methods that were potentially unsafe

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.1.5, >= 7.1.5.2, ~> 7.2.2, >= 7.2.2.2, >= 8.0.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@6.1.7.10

Name: activestorage
Version: 6.1.7.10
ID: CVE-2026-33173

Rails Active Storage has possible content type bypass via metadata in direct uploads

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@6.1.7.10

Name: activestorage
Version: 6.1.7.10
ID: CVE-2026-33174

Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@6.1.7.10

Name: activestorage
Version: 6.1.7.10
ID: CVE-2026-33195

Rails Active Storage has possible Path Traversal in DiskService

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@6.1.7.10

Name: activestorage
Version: 6.1.7.10
ID: CVE-2026-33202

Rails Active Storage has possible glob injection in its DiskService

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@6.1.7.10

Name: activestorage
Version: 6.1.7.10
ID: CVE-2026-33658

Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests

Description

Reported by bundler-audit. Criticality: Medium.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activesupport@6.1.7.10

Name: activesupport
Version: 6.1.7.10
ID: CVE-2026-33169

Rails Active Support has a possible ReDoS vulnerability in number_to_delimited

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activesupport@6.1.7.10

Name: activesupport
Version: 6.1.7.10
ID: CVE-2026-33170

Rails Active Support has a possible XSS vulnerability in SafeBuffer#%

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activesupport@6.1.7.10

Name: activesupport
Version: 6.1.7.10
ID: CVE-2026-33176

Rails Active Support has a possible DoS vulnerability in its number helpers

Description

Reported by bundler-audit. Criticality: Unknown.

Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.

For full impact, workarounds, and patches, see the linked advisory.