How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!

We are sunsetting Hakiri on January 31 2022. To learn more please refer to this document.

Latest Gem Vulnerabilities

CVE-2021-22569 in google-protobuf

## Summary A potential Denial of Service issue in protobuf-java was discovered in the parsing procedure for binary data. Affected versions: All versions of Java Protobufs (including Kotlin and JRuby) prior to the versions listed below. Protobuf "javalite" users (typically Android) are not affected. ## Severity **High** - An...
Read more →

Published 17 days ago
CVE-2021-43846 in solidus_frontend

### Impact CSRF vulnerability that allows a malicious site to add an item to the user's cart without their knowledge. All `solidus_frontend` versions are affected. If you're using your own storefront, please, follow along to make sure you're not affected. To reproduce the issue: - Pick the id for a variant with available stock. From...
Read more →

Published 18 days ago
CVE-2021-43840 in message_bus

### Impact Users who deployed message bus with diagnostics features enabled (default off) were vulnerable to a path traversal bug, which could lead to disclosure of secret information on a machine if an unintended user were to gain access to the diagnostic route. The impact is also greater if there is no proxy for your web application...
Read more →

Published about 1 month ago
CVE-2021-44528 in actionpack

There is a possible open redirect vulnerability in the Host Authorization middleware in Action Pack. Specially crafted "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed...
Read more →

Published about 1 month ago
CVE-2021-28680 in devise_masquerade

The devise_masquerade gem before 1.3 allows certain attacks when a password's salt is unknown. An application that uses this gem to let administrators masquerade/impersonate users loses one layer of security protection compared to a situation where Devise (without this extension) is used. If the server-side secret_key_base value...
Read more →

Published about 2 months ago

Vulnerabilities in the Past 12 Months

Feb 5
Mar 3
Apr 7
May 11
Jun 2
Jul 2
Aug 3
Sep 3
Oct 3
Nov 8
Dec 7
Jan 2

Vulnerabilities in the Past 6 Years

2017 35
2018 37
2019 47
2020 52
2021 55
2022 2