Skip to content

Instantly share code, notes, and snippets.

@jgamblin
Created January 26, 2019 18:30
Show Gist options
  • Save jgamblin/9af302c7e29d8878adb4168f0c646cc6 to your computer and use it in GitHub Desktop.
Save jgamblin/9af302c7e29d8878adb4168f0c646cc6 to your computer and use it in GitHub Desktop.
Bundle Audit Of Netflix Github
Vulnerablities Found In Workflowable:
Name: actionpack
Version: 4.0.4
Advisory: CVE-2014-7818
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
Title: Arbitrary file existence disclosure in Action Pack
Solution: upgrade to ~> 3.2.20, ~> 4.0.11, ~> 4.1.7, >= 4.2.0.beta3
Name: actionpack
Version: 4.0.4
Advisory: CVE-2016-2098
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q
Title: Possible remote code execution vulnerability in Action Pack
Solution: upgrade to ~> 3.2.22.2, ~> 4.2.5, >= 4.2.5.2, ~> 4.1.14, >= 4.1.14.2
Name: actionpack
Version: 4.0.4
Advisory: CVE-2015-7576
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k
Title: Timing attack vulnerability in basic authentication in Action Controller.
Solution: upgrade to >= 5.0.0.beta1.1, ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1, ~> 3.2.22.1
Name: actionpack
Version: 4.0.4
Advisory: CVE-2016-6316
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
Title: Possible XSS Vulnerability in Action View
Solution: upgrade to ~> 3.2.22.3, ~> 4.2.7.1, >= 5.0.0.1
Name: actionpack
Version: 4.0.4
Advisory: CVE-2014-0130
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
Title: Directory Traversal Vulnerability With Certain Route Configurations
Solution: upgrade to ~> 3.2.18, ~> 4.0.5, >= 4.1.1
Name: actionpack
Version: 4.0.4
Advisory: CVE-2016-0752
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to >= 5.0.0.beta1.1, ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1, ~> 3.2.22.1
Name: actionpack
Version: 4.0.4
Advisory: CVE-2016-0751
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc
Title: Possible Object Leak and Denial of Service attack in Action Pack
Solution: upgrade to >= 5.0.0.beta1.1, ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1, ~> 3.2.22.1
Name: actionpack
Version: 4.0.4
Advisory: CVE-2015-7581
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
Title: Object leak vulnerability for wildcard controller routes in Action Pack
Solution: upgrade to ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1
Name: actionpack
Version: 4.0.4
Advisory: CVE-2016-2097
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4
Title: Possible Information Leak Vulnerability in Action View
Solution: upgrade to ~> 3.2.22.2, ~> 4.1.14, >= 4.1.14.2
Name: actionpack
Version: 4.0.4
Advisory: CVE-2014-7829
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
Title: Arbitrary file existence disclosure in Action Pack
Solution: upgrade to ~> 3.2.21, ~> 4.0.11.1, ~> 4.0.12, ~> 4.1.7.1, >= 4.1.8
Name: activerecord
Version: 4.0.4
Advisory: CVE-2015-7577
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
Title: Nested attributes rejection proc bypass in Active Record
Solution: upgrade to >= 5.0.0.beta1.1, ~> 4.2.5, >= 4.2.5.1, ~> 4.1.14, >= 4.1.14.1, ~> 3.2.22.1
Name: activerecord
Version: 4.0.4
Advisory: CVE-2014-3514
Criticality: High
URL: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
Title: Data Injection Vulnerability in Active Record
Solution: upgrade to ~> 4.0.9, >= 4.1.5
Name: activerecord
Version: 4.0.4
Advisory: CVE-2014-3483
Criticality: Unknown
URL: http://osvdb.org/show/osvdb/108665
Title: SQL Injection Vulnerability in Active Record
Solution: upgrade to ~> 4.0.7, >= 4.1.3
Name: activesupport
Version: 4.0.4
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22
Name: ffi
Version: 1.9.3
Advisory: CVE-2018-1000201
Criticality: High
URL: https://github.com/ffi/ffi/releases/tag/1.9.24
Title: ruby-ffi DDL loading issue on Windows OS
Solution: upgrade to >= 1.9.24
Name: i18n
Version: 0.6.9
Advisory: CVE-2014-10077
Criticality: Unknown
URL: https://github.com/svenfuchs/i18n/pull/289
Title: i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
Solution: upgrade to >= 0.8.0
Name: jquery-rails
Version: 3.1.1
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3
Name: mail
Version: 2.5.4
Advisory: CVE-2015-9097
Criticality: Unknown
URL: https://hackerone.com/reports/137631
Title: SMTP command injection
Solution: upgrade to >= 2.5.5
Name: rack
Version: 1.5.2
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
Name: rack
Version: 1.5.2
Advisory: CVE-2015-3225
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Title: Potential Denial of Service Vulnerability in Rack
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6
Name: sprockets
Version: 2.12.0
Advisory: CVE-2014-7819
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
Title: Arbitrary file existence disclosure in Sprockets
Solution: upgrade to ~> 2.0.5, ~> 2.1.4, ~> 2.2.3, ~> 2.3.3, ~> 2.4.6, ~> 2.5.1, ~> 2.7.1, ~> 2.8.3, ~> 2.9.4, ~> 2.10.2, ~> 2.11.3, ~> 2.12.3, >= 3.0.0.beta.3
Name: sprockets
Version: 2.12.0
Advisory: CVE-2018-3760
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
Title: Path Traversal in Sprockets
Solution: upgrade to >= 2.12.5, < 3.0.0, >= 3.7.2, < 4.0.0, >= 4.0.0.beta8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment