Rails 7.0 Vulnerabilities

To compile this list of Rails 7.0 vulnerabilities, we created an application using the latest patch version of Rails 7.0 and ran bundler-audit against it to find all known vulnerabilities in its dependencies.

Below we list the security risks bundler-audit reported for that sample Rails 7.0 application. Note that every listed fix for the Rails gems is a 7.1, 7.2 or later release; no 7.0.x patch version is given, so remediating these findings means upgrading beyond the 7.0 series rather than applying a point release.

VULNERABLE GEM: actionview@7.0.8.7

Name: actionview
Version: 7.0.8.7
ID: CVE-2026-33168
Rails has a possible XSS vulnerability in its Action View tag helpers
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activerecord@7.0.8.7

Name: activerecord
Version: 7.0.8.7
ID: CVE-2025-55193
Active Record logging vulnerable to ANSI escape injection
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.1.5, >= 7.1.5.2, ~> 7.2.2, >= 7.2.2.2, >= 8.0.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@7.0.8.7

Name: activestorage
Version: 7.0.8.7
ID: CVE-2025-24293
Active Storage allowed transformation methods that were potentially unsafe
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.1.5, >= 7.1.5.2, ~> 7.2.2, >= 7.2.2.2, >= 8.0.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@7.0.8.7

Name: activestorage
Version: 7.0.8.7
ID: CVE-2026-33173
Rails Active Storage has possible content type bypass via metadata in direct uploads
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@7.0.8.7

Name: activestorage
Version: 7.0.8.7
ID: CVE-2026-33174
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@7.0.8.7

Name: activestorage
Version: 7.0.8.7
ID: CVE-2026-33195
Rails Active Storage has possible Path Traversal in DiskService
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@7.0.8.7

Name: activestorage
Version: 7.0.8.7
ID: CVE-2026-33202
Rails Active Storage has possible glob injection in its DiskService
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activestorage@7.0.8.7

Name: activestorage
Version: 7.0.8.7
ID: CVE-2026-33658
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activesupport@7.0.8.7

Name: activesupport
Version: 7.0.8.7
ID: CVE-2026-33169
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activesupport@7.0.8.7

Name: activesupport
Version: 7.0.8.7
ID: CVE-2026-33170
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: activesupport@7.0.8.7

Name: activesupport
Version: 7.0.8.7
ID: CVE-2026-33176
Rails Active Support has a possible DoS vulnerability in its number helpers
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: addressable@2.8.7

Name: addressable
Version: 2.8.7
ID: CVE-2026-35611
Addressable has a Regular Expression Denial of Service in Addressable templates
Description: Reported by bundler-audit. Criticality: High.
Solution: update to >= 2.9.0.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: net-imap@0.5.12

Name: net-imap
Version: 0.5.12
ID: CVE-2026-42245
net-imap has quadratic complexity when reading response literals
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: net-imap@0.5.12

Name: net-imap
Version: 0.5.12
ID: CVE-2026-42246
net-imap vulnerable to STARTTLS stripping via invalid response timing
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.3.10, ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: net-imap@0.5.12

Name: net-imap
Version: 0.5.12
ID: CVE-2026-42256
net-imap vulnerable to denial of service via high iteration count for SCRAM-* authentication
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: net-imap@0.5.12

Name: net-imap
Version: 0.5.12
ID: CVE-2026-42257
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: net-imap@0.5.12

Name: net-imap
Version: 0.5.12
ID: CVE-2026-42258
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Description: Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: nokogiri@1.18.10

Name: nokogiri
Version: 1.18.10
ID: GHSA-c4rq-3m3g-8wgx
Nokogiri CSS selector tokenizer has regular expression backtracking
Description: Reported by bundler-audit. Criticality: High.
Solution: update to >= 1.19.3.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: nokogiri@1.18.10

Name: nokogiri
Version: 1.18.10
ID: GHSA-v2fc-qm4h-8hqv
Nokogiri XSLT transform has a memory leak
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to >= 1.19.3.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: nokogiri@1.18.10

Name: nokogiri
Version: 1.18.10
ID: GHSA-wx95-c6cv-8532
Nokogiri does not check the return value from xmlC14NExecute
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to >= 1.19.1.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-22860
Rack has a Directory Traversal via Rack::Directory
Description: Reported by bundler-audit. Criticality: High.
Solution: update to ~> 2.2.22, ~> 3.1.20, >= 3.2.5.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-25500
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.22, ~> 3.1.20, >= 3.2.5.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-26961
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass
Description: Reported by bundler-audit. Criticality: Low.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34230
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34763
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34785
Rack::Static prefix matching can expose unintended files under the static root
Description: Reported by bundler-audit. Criticality: High.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34786
Rack::Static header_rules bypass via URL-encoded paths
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34826
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34829
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
Description: Reported by bundler-audit. Criticality: High.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34830
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.

VULNERABLE GEM: rack@2.2.20

Name: rack
Version: 2.2.20
ID: CVE-2026-34831
Rack has Content-Length mismatch in Rack::Files error responses
Description: Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.