-
-
Notifications
You must be signed in to change notification settings - Fork 1
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI: Run build on larger runners #37
Conversation
🔍 Vulnerabilities of
|
digest | sha256:0257f750bb0f3daa7fdba9a1e63c4579835f5a60329169453bdc6761a415bd75 |
vulnerabilities | |
size | 178 MB |
packages | 326 |
📦 Base Image ruby:2-alpine
also known as |
|
digest | sha256:45ca5ff1e098ddc85430bad09d433dfab4be9417477a5778568a7877408f1cd0 |
vulnerabilities |
rexml
|
Affected range | <3.2.5 |
Fixed version | 3.2.5 |
CVSS Score | 7.5 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
EPSS Score | 0.10% |
EPSS Percentile | 43rd percentile |
Description
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Uncontrolled Resource Consumption
Affected range | <3.3.3 |
Fixed version | 3.3.3 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Impact
The REXML gem before 3.3.2 has a DoS vulnerability when it parses an XML that has many entity expansions with SAX2 or pull parser API.
If you need to parse untrusted XMLs with SAX2 or pull parser API, you may be impacted to this vulnerability.
Patches
The REXML gem 3.3.3 or later include the patch to fix the vulnerability.
Workarounds
Don't parse untrusted XMLs with SAX2 or pull parser API.
References
- https://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/ : This is a similar vulnerability
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41946/: An announce on www.ruby-lang.org
Uncontrolled Resource Consumption
Affected range | <3.3.3 |
Fixed version | 3.3.3 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Impact
The REXML gem before 3.3.2 has some DoS vulnerabilities when it parses an XML that has many specific characters such as whitespace character,
>]
and]>
.If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.
Patches
The REXML gem 3.3.3 or later include the patches to fix these vulnerabilities.
Workarounds
Don't parse untrusted XMLs.
References
- GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
- GHSA-4xqq-m2hx-25v8 : This is a similar vulnerability
- https://www.ruby-lang.org/en/news/2024/08/01/dos-rexml-cve-2024-41123/: An announce on www.ruby-lang.org
Uncontrolled Resource Consumption
Affected range | <3.2.7 |
Fixed version | 3.2.7 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 16th percentile |
Description
Impact
The REXML gem before 3.2.6 has a DoS vulnerability when it parses an XML that has many
<
s in an attribute value.If you need to parse untrusted XMLs, you may be impacted to this vulnerability.
Patches
The REXML gem 3.2.7 or later include the patch to fix this vulnerability.
Workarounds
Don't parse untrusted XMLs.
References
Uncontrolled Resource Consumption
Affected range | <3.3.2 |
Fixed version | 3.3.2 |
CVSS Score | 4.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
EPSS Score | 0.04% |
EPSS Percentile | 10th percentile |
Description
Impact
The REXML gem before 3.3.1 has some DoS vulnerabilities when it parses an XML that has many specific characters such as
<
,0
and%>
.If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.
Patches
The REXML gem 3.3.2 or later include the patches to fix these vulnerabilities.
Workarounds
Don't parse untrusted XMLs.
References
- GHSA-vg3r-rm7w-2xgh : This is a similar vulnerability
- https://www.ruby-lang.org/en/news/2024/07/16/dos-rexml-cve-2024-39908/
bundler 2.1.4
(gem)
pkg:gem/[email protected]
Affected range | >=1.16.0 |
Fixed version | 2.2.10 |
CVSS Score | 8.8 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
EPSS Score | 0.97% |
EPSS Percentile | 84th percentile |
Description
Bundler 1.16.0 through 2.2.9 and 2.2.11 through 2.2.17 sometimes chooses a dependency source based on the highest gem version number, which means that a rogue gem found at a public source may be chosen, even if the intended choice was a private gem that is a dependency of another private gem that is explicitly depended on by the application.
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Affected range | <2.2.33 |
Fixed version | 2.2.33 |
CVSS Score | 6.7 |
CVSS Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
EPSS Score | 0.12% |
EPSS Percentile | 46th percentile |
Description
In
bundler
versions before 2.2.33, when working with untrusted and apparently harmlessGemfile
's, it is not expected that they lead to execution of external code, unless that's explicit in the ruby code inside theGemfile
itself. However, if theGemfile
includesgem
entries that use thegit
option with invalid, but seemingly harmless, values with a leading dash, this can be false.To handle dependencies that come from a Git repository instead of a registry, Bundler uses various commands, such as
git clone
. These commands are being constructed using user input (e.g. the repository URL). When building the
commands, Bundler versions before 2.2.33 correctly avoid Command Injection vulnerabilities by passing an array of arguments instead of a command string. However, there is the possibility that a user input starts with a dash (-
) and is therefore treated as an optional argument instead of a positional one. This can lead to Code Execution because some of the commands have options that can be leveraged to run arbitrary executables.Since this value comes from the
Gemfile
file, it can contain any character, including a leading dash.Exploitation
To exploit this vulnerability, an attacker has to craft a directory containing a
Gemfile
file that declares a dependency that is located in a Git repository. This dependency has to have a Git URL in the form of-u./payload
. This URL
will be used to construct a Git clone command but will be interpreted as the upload-pack argument. Then this directory needs to be shared with the victim, who then needs to run a command that evaluates the Gemfile, such asbundle lock
, inside.Impact
This vulnerability can lead to Arbitrary Code Execution, which could potentially lead to the takeover of the system. However, as explained above, the exploitability is very low, because it requires a lot of user interaction. It still could put developers at risk when dealing with untrusted files in a way they think is safe, because the exploit still works when the victim tries to make sure nothing can happen, e.g. by manually reviewing the
Gemfile
(although they would need the weird URL with a leading dash to not raise any flags).This kind of attack vector has been used in the past to target security researchers by sending them projects to collaborate on.
Patches
Bundler 2.2.33 has patched this problem by inserting
--
as an argument before any positional arguments to those Git commands that were affected by this issue.Workarounds
Regardless of whether users can upgrade or not, they should review any untrustred
Gemfile
's before running anybundler
commands that may read them, since they can contain arbitrary ruby code.References
rdoc 6.2.1.1
(gem)
pkg:gem/[email protected]
OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Affected range | >=3.11 |
Fixed version | 6.3.1 |
CVSS Score | 7 |
CVSS Vector | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
EPSS Score | 0.06% |
EPSS Percentile | 29th percentile |
Description
In RDoc, as distributed with Ruby, it is possible to execute arbitrary code via
|
and tags in a filename.
uri 0.10.0.2
(gem)
pkg:gem/[email protected]
Inefficient Regular Expression Complexity
Affected range | <0.10.0.3 |
Fixed version | 0.10.3 |
CVSS Score | 5.3 |
CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
EPSS Score | 0.15% |
EPSS Percentile | 51st percentile |
Description
A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with
rfc2396_parser.rb
andrfc3986_parser.rb
.NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
The Ruby advisory recommends updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
- For Ruby 3.0: Update to uri 0.10.3
- For Ruby 3.1 and 3.2: Update to uri 0.12.2.
You can use gem update uri to update it. If you are using bundler, please add gem
uri
,>= 0.12.2
(or other version mentioned above) to your Gemfile.
curl 8.5.0-r0
(apk)
pkg:apk/alpine/[email protected]?os_name=alpine&os_version=3.16
Affected range | <8.6.0-r0 |
Fixed version | Not Fixed |
EPSS Score | 0.06% |
EPSS Percentile | 25th percentile |
Description
I would like to test this a bit. When we don't see a performance improvement, we don't need to move it do different runners. |
if you dont intend to merge this soonish, please make it a draft. thx :) |
superseded by : #43 |
No description provided.