How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!
nokogiri version 1.7.2 has been released. This is a security update based on 1.7.1, addressing two upstream libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat. These patches only apply when using Nokogiri's vendored libxslt package. If you're using your...
Read more →
In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user.
Read more →
Nokogiri version 1.7.1 has been released, pulling in several upstream patches to the vendored libxml2 to address the following CVEs: CVE-2016-4658 CVSS v3 Base Score: 9.8 (Critical) libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial...
Read more →
The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory traversal vulnerability. If a site allows uploading of .zip files, an attacker can upload a malicious file that uses "../" pathname substrings to write arbitrary files to the filesystem.
Read more →
The openssl gem for Ruby uses the same initialization vector (IV) in GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for context-dependent attackers to bypass the encryption protection mechanism.
Read more →
| Vulnerabilities | |
|---|---|
| Aug | 3 |
| Sep | 0 |
| Oct | 0 |
| Nov | 0 |
| Dec | 2 |
| Jan | 1 |
| Feb | 1 |
| Mar | 1 |
| Apr | 1 |
| May | 1 |
| Jun | 0 |
| Jul | 0 |
| Vulnerabilities | |
|---|---|
| 2012 | 22 |
| 2013 | 84 |
| 2014 | 74 |
| 2015 | 44 |
| 2016 | 29 |
| 2017 | 5 |
