How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!


Latest Gem Vulnerabilities

CVE-2021-22881 in actionpack
Moderate

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2021-22881. Versions Affected: >= 6.0.0. Not affected: < 6.0.0. Fixed Versions: 6.1.2.1, 6.0.3.5. Impact: Specially crafted "Host" headers in combination with...

Published 22 days ago
CVE-2021-22880 in activerecord
Critical

There is a possible DoS vulnerability in the PostgreSQL adapter in Active Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880. Versions Affected: >= 4.2.0. Not affected: < 4.2.0. Fixed Versions: 6.1.2.1, 6.0.3.5, 5.2.4.5. Impact: Carefully crafted input can cause the input validation in the...

Published 22 days ago
CVE-2021-21288 in carrierwave
Moderate

Impact: [CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location) has an SSRF vulnerability, allowing attackers to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. ...

Published 24 days ago
CVE-2021-21305 in carrierwave
Severe

Impact: [CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb) has a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of the mutation option (`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby...

Published 24 days ago
CVE-2021-21289 in mechanize
Critical

Impact: Mechanize `>= v2.0`, `< v2.7.7` allows for OS commands to be injected using several classes' methods which implicitly use Ruby's `Kernel.open` method. Exploitation is possible only if untrusted input is used as a local filename and passed to any of these calls: * Mechanize::CookieJar#load: since v2.0 (see 208e3ed) *...

Published about 1 month ago

Vulnerabilities in the Past 12 Months

Month   Vulnerabilities
Apr     2
May     13
Jun     5
Jul     2
Aug     4
Sep     3
Oct     4
Nov     3
Dec     2
Jan     1
Feb     5
Mar     0

Vulnerabilities in the Past 6 Years

Year    Vulnerabilities
2016    34
2017    35
2018    36
2019    47
2020    50
2021    6