Rails 7.1 Vulnerabilities
In order to calculate Rails 7.1 vulnerabilities we created an application using
the latest patch version of Rails 7.1 and we ran bundler-audit
to find all known vulnerabilities.
Here we list the security risks related to a sample Rails 7.1 application.
VULNERABLE GEM: actionview@7.1.5.2
Rails has a possible XSS vulnerability in its Action View tag helpers
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activestorage@7.1.5.2
Rails Active Storage has possible content type bypass via metadata in direct uploads
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activestorage@7.1.5.2
Rails Active Storage has a possible DoS vulnerability when in proxy mode via Range requests
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activestorage@7.1.5.2
Rails Active Storage has possible Path Traversal in DiskService
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activestorage@7.1.5.2
Rails Active Storage has possible glob injection in its DiskService
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activestorage@7.1.5.2
Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range requests
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activesupport@7.1.5.2
Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activesupport@7.1.5.2
Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: activesupport@7.1.5.2
Rails Active Support has a possible DoS vulnerability in its number helpers
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 7.2.3, >= 7.2.3.1, ~> 8.0.4, >= 8.0.4.1, >= 8.1.2.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: addressable@2.8.7
Addressable has a Regular Expression Denial of Service in Addressable templates
Description
Reported by bundler-audit. Criticality: High.
Solution: update to >= 2.9.0.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: net-imap@0.5.12
net-imap has quadratic complexity when reading response literals
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: net-imap@0.5.12
net-imap vulnerable to STARTTLS stripping via invalid response timing
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.3.10, ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: net-imap@0.5.12
net-imap vulnerable to denial of service via high iteration count for SCRAM-* authentication
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: net-imap@0.5.12
net-imap vulnerable to command Injection via "raw" arguments to multiple commands
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: net-imap@0.5.12
net-imap vulnerable to command Injection via unvalidated Symbol inputs
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to ~> 0.4.24, ~> 0.5.14, >= 0.6.4.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: nokogiri@1.18.10
Nokogiri CSS selector tokenizer has regular expression backtracking
Description
Reported by bundler-audit. Criticality: High.
Solution: update to >= 1.19.3.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: nokogiri@1.18.10
Nokogiri XSLT transform has a memory leak
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to >= 1.19.3.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: nokogiri@1.18.10
Nokogiri does not check the return value from xmlC14NExecute
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to >= 1.19.1.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack has a Directory Traversal via Rack::Directory
Description
Reported by bundler-audit. Criticality: High.
Solution: update to ~> 2.2.22, ~> 3.1.20, >= 3.2.5.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.22, ~> 3.1.20, >= 3.2.5.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass
Description
Reported by bundler-audit. Criticality: Low.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack - Forwarded Header semicolon injection enables Host and Scheme spoofing
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack::Static prefix matching can expose unintended files under the static root
Description
Reported by bundler-audit. Criticality: High.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack::Static header_rules bypass via URL-encoded paths
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
Description
Reported by bundler-audit. Criticality: High.
Solution: update to ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
Description
Reported by bundler-audit. Criticality: High.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack has Content-Length mismatch in Rack::Files error responses
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 2.2.23, ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack@3.2.3
Rack::Request accepts invalid Host characters, enabling host allowlist bypass
Description
Reported by bundler-audit. Criticality: Medium.
Solution: update to ~> 3.1.21, >= 3.2.6.
For full impact, workarounds, and patches, see the linked advisory.
VULNERABLE GEM: rack-session@2.1.1
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
Description
Reported by bundler-audit. Criticality: Unknown.
Solution: update to >= 2.1.2.
For full impact, workarounds, and patches, see the linked advisory.