How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!


Latest Gem Vulnerabilities

CVE-2019-13354 in strong_password
Critical

The `strong_password` gem on RubyGems.org was hijacked by a malicious actor, who published v0.0.7 containing malicious code that allows remote code execution in production. Downgrade `strong_password` to v0.0.6 to ensure no malicious code can run.
Read more →

Published 13 days ago
CVE-2019-13146 in field_test
Severe

Due to unvalidated input, an attacker can pass in arbitrary variants via query parameters. If an application treats variants as trusted, this can lead to potential vulnerabilities like SQL injection or cross-site scripting (XSS). For instance:

    landing_page = field_test(:landing_page)
    Page.where("key = '#{landing_page}'")
Read more →

Published 17 days ago
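The bug class in the field_test advisory above, as an added example that is not the field_test gem's code: `variant_from_params` stands in for field_test reading a variant from the request, the experiment list and the `landing_page_variant` parameter name are assumptions made for the example, and the vulnerable query is returned as the SQL text it would send rather than run against a database.

```ruby
# Added example, not the field_test gem's code: a variant name read straight
# from a query parameter and interpolated into SQL, beside a hardened version
# that only accepts configured variants.

# Assumed experiment configuration (the real gem reads its own config).
EXPERIMENTS = { "landing_page" => %w[control alternate] }.freeze

# Stand-in for field_test reading the variant from the request. The parameter
# name "<experiment>_variant" is a hypothetical choice for this example.
def variant_from_params(params, experiment)
  params["#{experiment}_variant"]
end

# Vulnerable: mirrors the advisory's Page.where("key = '#{landing_page}'").
# Returns the SQL text that would be sent to the database.
def vulnerable_query(params)
  landing_page = variant_from_params(params, "landing_page")
  "SELECT * FROM pages WHERE key = '#{landing_page}'"
end

class UnknownVariant < StandardError; end

# Hardened: treat the variant as untrusted input and check it against the
# configured allowlist before it reaches any query or template.
def validated_variant(params, experiment)
  allowed = EXPERIMENTS.fetch(experiment)
  value = variant_from_params(params, experiment)
  return allowed.first if value.nil?          # no parameter: default variant
  raise UnknownVariant, value.inspect unless allowed.include?(value)
  value
end

# The query is parameterised as well, so even a validated value never becomes
# part of the SQL text (returned as [sql, binds], ActiveRecord-style).
def hardened_query(params)
  ["SELECT * FROM pages WHERE key = ?", [validated_variant(params, "landing_page")]]
end

if __FILE__ == $PROGRAM_NAME
  attacker = { "landing_page_variant" => "' OR 1=1 --" } # constructed hostile request
  puts vulnerable_query(attacker) # the injected clause is now part of the SQL
  begin
    hardened_query(attacker)
  rescue UnknownVariant => e
    puts "rejected variant #{e.message}"
  end
end
```

The same allowlist check is what protects the XSS case the advisory also mentions: once a variant can only be one of the configured names, it carries no attacker-controlled markup into a view either.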
CVE-2019-12732 in chartkick
Severe

Chartkick is vulnerable to a cross-site scripting (XSS) attack if both the following conditions are met: Condition 1: It's used with `ActiveSupport.escape_html_entities_in_json = false` (this is not the default for Rails) OR used with a non-Rails framework like Sinatra. Condition 2: Untrusted data or options are passed to a...
Read more →

Published about 1 month ago
CVE-2019-11068 in nokogiri
Severe

Nokogiri v1.10.3 has been released. This is a security release. It addresses a CVE in upstream libxslt rated as "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More details are available below. If you're using your distro's system libraries, rather than Nokogiri's vendored libraries, there's no security need to...
Read more →

Published 3 months ago
CVE-2019-10842 in bootstrap-sass
Critical

Arbitrary code execution (via backdoor code, when downloaded from rubygems.org) was discovered in bootstrap-sass 3.2.0.3. Users are advised to upgrade immediately to 3.2.0.4. An unauthenticated attacker can craft the ___cfduid cookie value with base64 arbitrary code to be executed via eval(), which can be leveraged to execute...
Read more →

Published 3 months ago
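The scan the page's tagline describes, as an added example that is not RubySec's or bundler-audit's code: a minimal Gemfile.lock parser checked against an advisory table constructed only from the three advisories above that name versions (strong_password 0.0.7, bootstrap-sass 3.2.0.3, nokogiri before 1.10.3). The Gemfile.lock contents are constructed, and the affected-version ranges are assumptions written in RubyGems requirement syntax; a real scan should use the rubysec advisory database.

```ruby
# Added example, not RubySec's or bundler-audit's code: parse a Gemfile.lock
# and flag locked versions that fall inside an advisory's affected range.
require "rubygems"

# Constructed advisory table, built only from the advisories on this page.
# The affected ranges are assumptions in RubyGems requirement syntax.
ADVISORIES = [
  { id: "CVE-2019-13354", gem: "strong_password", affected: ["= 0.0.7"],
    note: "hijacked release, remote code execution; downgrade to 0.0.6" },
  { id: "CVE-2019-10842", gem: "bootstrap-sass", affected: ["= 3.2.0.3"],
    note: "backdoored release; upgrade to 3.2.0.4" },
  { id: "CVE-2019-11068", gem: "nokogiri", affected: ["< 1.10.3"],
    note: "upstream libxslt fix shipped in 1.10.3 (vendored libraries only)" },
].freeze

# Return {gem_name => version} for the direct specs in a Gemfile.lock.
# Inside a "specs:" block, lines indented exactly four spaces name a gem and
# its locked version; deeper lines are that gem's dependency requirements.
def parse_gemfile_lock(text)
  locked = {}
  in_specs = false
  text.each_line do |line|
    if line =~ /\A\s+specs:\s*\z/
      in_specs = true
      next
    end
    in_specs = false if line =~ /\A\S/ # next top-level section (PLATFORMS, ...)
    next unless in_specs
    next unless (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
    # Platform-specific locks append the platform after a dash
    # (e.g. "1.10.3-x86_64-linux"); only the version part is compared.
    locked[m[1]] = m[2].split("-").first
  end
  locked
end

# Match every locked gem against the advisory table.
def scan(locked)
  ADVISORIES.each_with_object([]) do |adv, findings|
    version = locked[adv[:gem]]
    next unless version
    affected = Gem::Requirement.new(*adv[:affected])
    next unless affected.satisfied_by?(Gem::Version.new(version))
    findings << { id: adv[:id], gem: adv[:gem], version: version, note: adv[:note] }
  end
end

def scan_gemfile_lock(text)
  scan(parse_gemfile_lock(text))
end

# Constructed Gemfile.lock excerpt pinning the versions named in the advisories.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      bootstrap-sass (3.2.0.3)
        autoprefixer-rails (>= 5.2.1)
        sass (>= 3.3.4)
      nokogiri (1.10.1)
        mini_portile2 (~> 2.4.0)
      rake (12.3.2)
      strong_password (0.0.7)

  PLATFORMS
    ruby

  DEPENDENCIES
    bootstrap-sass
    nokogiri
    rake
    strong_password
LOCK

if __FILE__ == $PROGRAM_NAME
  scan_gemfile_lock(SAMPLE_LOCK).each do |f|
    puts "#{f[:id]}: #{f[:gem]} #{f[:version]} - #{f[:note]}"
  end
end
```

Only the direct `specs:` entries are compared; the dependency requirement lines beneath each gem are ranges, not pinned versions, and the pinned version of each dependency appears as its own four-space entry elsewhere in the block.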

Vulnerabilities in the Past 12 Months

Month  Vulnerabilities
Aug    0
Sep    2
Oct    5
Nov    3
Dec    0
Jan    0
Feb    2
Mar    11
Apr    2
May    0
Jun    1
Jul    2

Vulnerabilities in the Past 6 Years

Year  Vulnerabilities
2014  75
2015  46
2016  33
2017  33
2018  34
2019  18