
How secure are your Ruby projects? Scan Gemfile.lock for vulnerabilities, take action, and ship secure apps!


Latest Gem Vulnerabilities

CVE-2020-5216 in secure_headers
Severe

If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy header with the remaining value of the original string. It will continue to create new...

Published 2 months ago
CVE-2020-5217 in secure_headers
Critical

If user-supplied input was passed into append/override_content_security_policy_directives, a semicolon could be injected leading to directive injection. This could be used to e.g. override a script-src directive. Duplicate directives are ignored and the first one wins. The directives in secure_headers are sorted alphabetically so...

Published 2 months ago
CVE-2019-16782 in rack
Severe

There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount...

Published 4 months ago
CVE-2019-16779 in excon
Moderate

There was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit...

Published 4 months ago
CVE-2019-16770 in puma
Severe

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.

Published 4 months ago

Vulnerabilities in the Past 12 Months

Month   Vulnerabilities
May     0
Jun     2
Jul     9
Aug     4
Sep     5
Oct     4
Nov     3
Dec     3
Jan     2
Feb     2
Mar     3
Apr     0

Vulnerabilities in the Past 6 Years

Year    Vulnerabilities
2015    46
2016    33
2017    35
2018    34
2019    46
2020    7