CVE-2019-5421
Package: devise
Category: Authentication
Severity: Critical
Source: GitHub
Discovered 12 months ago
Published over 2 years ago

Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the Devise::Models::Lockable class not being concurrency safe.

CVSS Metrics: n/a
Patched Versions: >= 4.6.0
Unaffected Versions: n/a
References: n/a

CVE-2015-8314
Package: devise
Category: Authentication
Severity: Critical
Discovered 12 months ago
Published over 5 years ago

Devise version before 3.5.4 uses cookies to implement a “Remember me” functionality. However, it generates the same cookie for all devices. If an attacker manages to steal a remember me cookie and the user does not change the password frequently, the cookie can be used to gain access to the application indefinitely.

CVSS Metrics: n/a
Patched Versions: >= 3.5.4
Unaffected Versions: n/a
References: n/a

CVE-2017-17916
Package: rails
Category: SQL Injection
Severity: Severe
Source: NIST NVD
Discovered 12 months ago
Published over 3 years ago

** DISPUTED ** SQL injection vulnerability in the ‘find_by’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Patched Versions: n/a
Unaffected Versions: n/a

CVE-2013-0233 / OSVDB-89642
Package: devise
Category: Resource Management
Severity: Severe
Source: NIST NVD
Discovered 12 months ago
Published over 8 years ago

Devise contains a flaw that is triggered when a type conversion error occurs during the parsing of a malformed request. With a specially crafted request, a remote attacker can bypass security restrictions.

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Patched Versions: ~> 1.5.4, ~> 2.0.5, ~> 2.1.3, >= 2.2.3
Unaffected Versions: n/a

CVE-2017-17920
Package: rails
Category: SQL Injection
Severity: Severe
Source: NIST NVD
Discovered 12 months ago
Published over 3 years ago

** DISPUTED ** SQL injection vulnerability in the ‘reorder’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘name’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Patched Versions: n/a
Unaffected Versions: n/a

CVE-2017-17919
Package: rails
Category: SQL Injection
Severity: Severe
Source: NIST NVD
Discovered 12 months ago
Published over 3 years ago

** DISPUTED ** SQL injection vulnerability in the ‘order’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id desc’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Patched Versions: n/a
Unaffected Versions: n/a

CVE-2017-17917
Package: rails
Category: SQL Injection
Severity: Severe
Source: NIST NVD
Discovered 12 months ago
Published over 3 years ago

** DISPUTED ** SQL injection vulnerability in the ‘where’ method in Ruby on Rails 5.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the ‘id’ parameter. NOTE: The vendor disputes this issue because the documentation states that this method is not intended for use with untrusted input.

CVSS Metrics
Access Vector: Network
Access Complexity: Medium
Authentication: None
Confidentiality Impact: Partial
Integrity Impact: Partial
Availability Impact: Partial

Patched Versions: n/a
Unaffected Versions: n/a

CVE-2020-11082
Package: kaminari
Category: Code Injection
Severity: Severe
Source: GitHub
Discovered 12 months ago
Published over 1 year ago

Impact

There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

For example, an attacker could craft pagination links that link to other domain or host: https://example.com/posts?page=4&original_script_name=https://another-host.example.com

In addition, an attacker could also craft pagination links that include JavaScript code that runs when a user clicks the link: https://example.com/posts?page=4&original_script_name=javascript:alert(42)%3b//

Releases

The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability.

Workarounds

Application developers who can’t update the gem can work around the issue by overriding the PARAM_KEY_EXCEPT_LIST constant:

module Kaminari::Helpers
  # Override the list of request parameters that Kaminari strips from generated
  # pagination links so that :original_script_name is excluded as well.
  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end

CVSS Metrics: n/a
Patched Versions: >= 1.2.1
Unaffected Versions: n/a
References: n/a

CVE-2018-16476
Package: rails
Category: Information Disclosure
Severity: Severe
Discovered 12 months ago
Published about 5 years ago

There is a vulnerability in Active Job. This vulnerability has been assigned the CVE identifier CVE-2018-16476.

Versions Affected: >= 4.2.0
Not affected: < 4.2.0
Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1

Impact

Carefully crafted user input can cause Active Job to deserialize it using GlobalId and allow an attacker to have access to information that they should not have.

Vulnerable code will look something like this:

MyJob.perform_later(user_input)

All users running an affected release should either upgrade or use one of the workarounds immediately.

CVSS Metrics: n/a
Patched Versions: ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1
Unaffected Versions: < 4.2.0
References: n/a

OSVDB-114435
Package: devise
Category: Cross-Site Request Forgery
Severity: Severe
Discovered 12 months ago
Published about 8 years ago

Devise contains a flaw that allows a remote, user-assisted attacker to conduct a CSRF token fixation attack. This issue is triggered as previous CSRF tokens are not properly invalidated when a new token is created. If an attacker has knowledge of said token, a specially crafted request can be made to it, allowing the attacker to conduct CSRF attacks.

CVSS Metrics: n/a
Patched Versions: ~> 2.2.5, >= 3.0.1
Unaffected Versions: n/a
References: n/a

CVE-2015-1840
Package: jquery-rails
Category: Cross-Site Request Forgery
Severity: Severe
Discovered 12 months ago
Published over 6 years ago

In a scenario where an attacker can control the href attribute of an anchor tag, or the action attribute of a form tag, that triggers a POST action, the attacker can set the href or action to “ https://attacker.com” (note the leading space). This value is passed to jQuery, which treats it as a same-origin request and sends the user’s CSRF token to the attacker’s domain.

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.

For example, change code like this:

link_to params

to code like this:

link_to filtered_params

def filtered_params
  # Filter just the parameters that you trust
end

See also: http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/

CVSS Metrics: n/a
Patched Versions: >= 4.0.4, ~> 3.1.3
Unaffected Versions: n/a
References: n/a

CVE-2017-1002201
Package: haml
Category: Code Injection
Severity: Moderate
Source: GitHub
Discovered 12 months ago
Published over 4 years ago

In haml versions prior to 5.0.0.beta.2, when user input is used to perform tasks on the server, characters like <, >, " and ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

CVSS Metrics: n/a
Patched Versions: >= 5.0.0.beta.2
Unaffected Versions: n/a
References: n/a

CVE-2016-6316
Package: rails
Category: Cross-Site Scripting
Severity: Moderate
Source: NIST NVD
Discovered 12 months ago
Published about 5 years ago

There is a possible XSS vulnerability in Action View. Text declared as “HTML safe” will not have quotes escaped when used as attribute values in tag helpers.

Impact

Text declared as “HTML safe” when passed as an attribute value to a tag helper will not have quotes escaped which can lead to an XSS attack. Impacted code looks something like this:

content_tag(:div, "hi", title: user_input.html_safe)

Some helpers like the sanitize helper will automatically mark strings as “HTML safe”, so impacted code could also look something like this:

content_tag(:div, "hi", title: sanitize(user_input))

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

You can work around this issue by either not marking arbitrary user input as safe, or by manually escaping quotes like this:

def escape_quotes(value)
  # Replace double quotes so the value cannot close the surrounding attribute
  value.gsub(/"/, '&quot;'.freeze)
end

content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))

CVSS Metrics
Access Vector: Network
Access Complexity: Network
Authentication: None
Confidentiality Impact: None
Integrity Impact: Partial
Availability Impact: None

Patched Versions: ~> 4.2.7.1, ~> 4.2.8, >= 5.0.0.1
Unaffected Versions: < 3.0.0

CVE-2016-7103
Package: jquery-ui-rails
Category: Cross-Site Scripting
Severity: Moderate
Source: GitHub
Discovered 12 months ago
Published about 5 years ago

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

CVSS Metrics: n/a
Patched Versions: >= 6.0.0
Unaffected Versions: n/a
References: n/a

CVE-2019-11358
Package: jquery-rails
Category: Other
Severity: Moderate
Discovered 12 months ago
Published over 2 years ago

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, …) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS Metrics: n/a
Patched Versions: >= 4.3.4
Unaffected Versions: n/a
References: n/a

CVE-2018-16477
Package: rails
Category: File Access
Severity: Moderate
Discovered 12 months ago
Published about 5 years ago

There is a vulnerability in Active Storage. This vulnerability has been assigned the CVE identifier CVE-2018-16477.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 5.2.1.1

Impact

Signed download URLs generated by ActiveStorage for Google Cloud Storage service and Disk service include content-disposition and content-type parameters that an attacker can modify. This can be used to upload specially crafted HTML files and have them served and executed inline. Combined with other techniques such as cookie bombing and specially crafted AppCache manifests, an attacker can gain access to private signed URLs within a specific storage path.

Vulnerable apps are those using either GCS or the Disk service in production. Other storage services such as S3 or Azure aren’t affected.

All users running an affected release should either upgrade or use one of the workarounds immediately. For those using GCS, it’s also recommended to run the following to update existing blobs:

ActiveStorage::Blob.find_each do |blob|
  # Rewrite the service-side metadata of every existing blob
  blob.send :update_service_metadata
end

CVSS Metrics: n/a
Patched Versions: >= 5.2.1.1
Unaffected Versions: < 5.2.0
References: n/a

CVE-2019-16109
Package: devise
Category: Input Validation
Severity: Moderate
Source: GitHub
Discovered 12 months ago
Published about 2 years ago

Devise before 4.7.1 confirms accounts upon receiving a request with a blank confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist.

CVSS Metrics: n/a
Patched Versions: >= 4.7.1
Unaffected Versions: n/a
References: n/a