Facets
How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!
How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!
Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`, because a user-supplied string is invoked as a method call. This only happens for pages that build forms based on user input.
Read more →
With the consul ruby gem before 1.0.3, if a controller checks multiple powers using `:if` or `:except` conditions, these conditions are erroneously applied to all power checks in that controller. This can lead to skipped power checks and hence unauthenticated access to certain controller actions.
Read more →
In Rubyzip before 1.3.0, a crafted ZIP file can bypass application checks on ZIP entry sizes because data about the uncompressed size can be spoofed. This allows attackers to cause a denial of service (disk consumption).
Read more →
Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist.
Read more →
The rest-client gem 1.6.10, 1.6.11, 1.6.12, and 1.6.13 for Ruby, as distributed on RubyGems.org, included a code-execution backdoor inserted by a third party.
Read more →
| Vulnerabilities | |
|---|---|
| Nov | 3 |
| Dec | 0 |
| Jan | 0 |
| Feb | 2 |
| Mar | 11 |
| Apr | 3 |
| May | 0 |
| Jun | 1 |
| Jul | 8 |
| Aug | 2 |
| Sep | 4 |
| Oct | 0 |
| Vulnerabilities | |
|---|---|
| 2014 | 75 |
| 2015 | 46 |
| 2016 | 33 |
| 2017 | 33 |
| 2018 | 34 |
| 2019 | 31 |