Ooooooo_Q

**Name of the Vulnerable Software and Affected Versions** Kredis versions prior to 1.3.0.1 **Description** There is a deserialization of untrusted data vulnerability in the Kredis JSON deserialization code. This issue may result in the deserialization of unexpected objects in the system when carefully crafted JSON data is processed by Kredis. Any applications using Kredis with JSON are affected. **Recommendations** For versions prior to 1.3.0.1, update to version 1.3.0.1 or apply the provided patch for the 1.3.0 series, named 1-3-0-1-kredis.patch, to resolve the issue. As a temporary workaround, consider restricting the use of Kredis with JSON until the update or patch is applied.

**Name of the Vulnerable Software and Affected Versions** Rack versions 2.0.0 through 2.0.9.1 Rack versions 2.1.0 through 2.1.4.1 Rack versions 2.2.0 through 2.2.4.0 Rack versions 3.0.0 through 3.0.0.0 **Description** There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. **Recommendations** For Rack versions 2.0.0 through 2.0.9.1, update to version 2.0.9.2. For Rack versions 2.1.0 through 2.1.4.1, update to version 2.1.4.2. For Rack versions 2.2.0 through 2.2.4.0, update to version 2.2.4.1. For Rack versions 3.0.0 through 3.0.0.0, update to version 3.0.0.1. As a temporary workaround, consider restricting access to the `Content-Disposition` header parsing component until a patch is available. Apply the provided patches for the respective release series to aid in mitigating the issue.

**Name of the Vulnerable Software and Affected Versions** Rack versions 1.5.0 through 2.0.9.1 Rack versions 2.1.0 through 2.1.4.1 Rack versions 2.2.0 through 2.2.6.1 Rack versions 3.0.0 through 3.0.0.0 **Description** A denial of service vulnerability in the Range header parsing component of Rack can cause the component to take an unexpected amount of time when processing carefully crafted input, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests, such as streaming applications or applications that serve files, may be impacted. **Recommendations** For Rack versions 1.5.0 through 2.0.9.1, update to version 2.0.9.2. For Rack versions 2.1.0 through 2.1.4.1, update to version 2.1.4.2. For Rack versions 2.2.0 through 2.2.6.1, update to version 2.2.6.2. For Rack versions 3.0.0 through 3.0.0.0, update to version 3.0.0.1. As a temporary workaround, consider restricting access to the Range header parsing component until a patch is available. Apply the provided patches for the respective release series if an immediate upgrade is not possible.

**Name of the Vulnerable Software and Affected Versions** Action Dispatch versions prior to 6.0.6.1 Action Dispatch versions prior to 6.1.7.1 Action Dispatch versions prior to 7.0.4.1 **Description** A regular expression based DoS issue in Action Dispatch is related to insufficient input validation. Exploitation of this issue can allow a remote attacker to cause a denial of service. Specially crafted cookies, in combination with a specially crafted `X FORWARDED HOST` header, can cause the regular expression engine to enter a state of catastrophic backtracking, leading to high CPU and memory usage. **Recommendations** For versions prior to 6.0.6.1, upgrade to version 6.0.6.1 or later. For versions prior to 6.1.7.1, upgrade to version 6.1.7.1 or later, or apply the patch `6-1-Use-string-split-instead-of-regex-for-domain-parts.patch`. For versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or later, or apply the patch `7-0-Use-string-split-instead-of-regex-for-domain-parts.patch`. As a temporary workaround, consider using a load balancer or other device to filter out malicious `X FORWARDED HOST` headers before they reach the application.

**Name of the Vulnerable Software and Affected Versions** GlobalID versions 0.2.1 through 1.0.0 Rails versions 7.0.0 through 7.0.4 **Description** A ReDoS based DoS vulnerability in GlobalID could allow an attacker to cause the regular expression engine to take an unexpected amount of time with a carefully crafted input. In Rails, there is a possible open redirect when using the `redirect to` helper with untrusted user input, which could be bypassed by a carefully crafted URL. **Recommendations** For GlobalID versions 0.2.1 through 1.0.0, upgrade to version 1.0.1. For Rails versions 7.0.0 through 7.0.4, upgrade to version 7.0.4.1. As a temporary workaround for Rails, consider validating user input for the `redirect to` helper to prevent open redirects.

**Name of the Vulnerable Software and Affected Versions** Active Support versions prior to 6.1.7.1 Active Support versions prior to 7.0.4.1 **Description** The issue is related to insufficient input validation in the Inflector.underscore method, which can lead to a regular expression based DoS vulnerability. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking, resulting in high CPU and memory usage, and potentially leading to a denial of service. This affects methods such as String#underscore, ActiveSupport::Inflector.underscore, and String#titleize. **Recommendations** For Active Support versions prior to 6.1.7.1, upgrade to version 6.1.7.1 or apply the patch 6-1-Avoid-regex-backtracking-in-Inflector.underscore.patch. For Active Support versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or apply the patch 7-0-Avoid-regex-backtracking-in-Inflector.underscore.patch. As a temporary workaround for users on Ruby 3.2.0 or greater, consider configuring Regexp.timeout to reduce the impact of the issue.

**Name of the Vulnerable Software and Affected Versions** Rails versions prior to 7.0.4.1 **Description** The issue is related to an open redirect vulnerability in Rails, where an attacker could bypass the protection against open redirects by using a carefully crafted URL, resulting in an open redirect vulnerability. This occurs when the `redirect to` helper is used with untrusted user input. The vulnerability can be exploited by a remote attacker to redirect users to an arbitrary URL. **Recommendations** For versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or apply the provided patch for the 7.0 series, `7-0-Fix-sec-issue-with- url host allowed.patch`. As a temporary workaround, consider validating and sanitizing user input for the `redirect to` helper to minimize the risk of exploitation. Avoid using the `params[:some param]` in the `redirect to` helper until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** rails-html-sanitizer versions < 1.4.4 **Description** The issue is related to certain configurations of rails-html-sanitizer that use an inefficient regular expression. This inefficiency can lead to excessive backtracking when attempting to sanitize certain SVG attributes, resulting in a denial of service through CPU resource consumption. The vulnerability can be exploited by a remote attacker to cause a denial of service. **Recommendations** Upgrade to rails-html-sanitizer version 1.4.4 or later.

**Name of the Vulnerable Software and Affected Versions** Loofah versions prior to 2.19.1 **Description** Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri. It contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. **Recommendations** Upgrade to Loofah version 2.19.1 or later. As a temporary workaround, consider restricting the use of Loofah for sanitizing SVG attributes until a patch is applied.

**Name of the Vulnerable Software and Affected Versions** markdown-it-toc versions (affected versions not specified) **Description** The issue affects the generation of the table of contents (toc) in markdown-it-toc, where the title of the generated toc and the contents of the header are not properly escaped. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** markdown-it-decorate versions prior to a fixed version (no fixed version available) **Description** The issue affects the markdown-it-decorate package, allowing an attacker to add an event handler or use javascript:xxx for the link, potentially leading to cross-site scripting (XSS). This is a type of attack where an attacker can inject malicious scripts into a website, potentially stealing user data or taking control of the user's session. **Recommendations** For markdown-it-decorate versions prior to a fixed version, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 2.0.9.1 Rack versions prior to 2.1.4.1 Rack versions prior to 2.2.3.1 **Description** A possible denial of service vulnerability exists in the multipart parsing component of Rack. This issue is related to insufficient checking of user-input data when parsing composite POST requests. Exploitation of this vulnerability may allow a remote attacker to perform a denial of service (DoS) attack using a specially crafted POST request. The vulnerability can be triggered by carefully crafted multipart POST requests, causing Rack's multipart parser to take longer than expected. **Recommendations** For Rack versions prior to 2.0.9.1, upgrade to version 2.0.9.1 or later. For Rack versions prior to 2.1.4.1, upgrade to version 2.1.4.1 or later. For Rack versions prior to 2.2.3.1, upgrade to version 2.2.3.1 or later. As a temporary workaround, consider restricting the use of the `Rack::Multipart.parse multipart` function until a patch is available. Avoid using the `request.POST` and `request.params` methods to read POST data from a Rack request object until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: GitLab versions 13.0 through 14.3.1 Description: A stored Reflected Cross-Site Scripting issue in the Jira integration allows an attacker to execute arbitrary javascript code. Recommendations: For GitLab versions 13.0 through 14.3.1, update to a version later than 14.3.1 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** markdown-it-highlightjs versions prior to 3.3.1 **Description** This issue allows malicious JavaScript to be inserted as a value of `lang` in the markdown-it-highlightjs Inline code highlighting feature. The vulnerability can be exploited by manipulating the `lang` value, enabling the execution of malicious code. **Recommendations** For versions prior to 3.3.1, update to version 3.3.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the `lang` parameter in the markdown-it-highlightjs Inline code highlighting feature to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** actionpack page-caching gem versions prior to 1.2.1 **Description** The issue allows an attacker to write arbitrary files to a web server, potentially resulting in remote code execution if the attacker can write unescaped ERB to a view. **Recommendations** For actionpack page-caching gem versions prior to 1.2.1, update to version 1.2.1 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive areas of the web server to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: RubyGems versions 2.7.6 through 3.0.2 Description: A Directory Traversal issue was discovered in RubyGems. The issue allows a malicious gem to delete arbitrary files on the user's machine if the attacker can guess the paths, potentially leading to data loss or an unusable system. This is particularly concerning given how frequently the gem is run as sudo and the predictability of paths on modern systems. Recommendations: For versions 2.7.6 through 3.0.2, update to a version later than 3.0.2 to resolve the issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions prior to 5.2.2.1 Ruby on Rails versions prior to 6.0.0.beta3 **Description** A remote code execution issue exists in development mode Rails, allowing an attacker to guess the automatically generated development mode secret token. This token can be used in combination with other Rails internals to escalate to a remote code execution exploit. The vulnerability is related to errors in the pseudorandom number generator code. **Recommendations** For versions prior to 5.2.2.1, upgrade to version 5.2.2.1 or later. For versions prior to 6.0.0.beta3, upgrade to version 6.0.0.beta3 or later. As a temporary workaround, specify a secret key in development mode by adding `config.secret key base = SecureRandom.hex(64)` to "config/environments/development.rb".

**Name of the Vulnerable Software and Affected Versions** Ruby versions prior to 2.2.10 Ruby versions 2.3.x prior to 2.3.7 Ruby versions 2.4.x prior to 2.4.4 Ruby versions 2.5.x prior to 2.5.1 Ruby version 2.6.0-preview1 **Description** The issue arises from the Dir.open, Dir.new, Dir.entries, and Dir.empty? methods not checking for NULL characters, potentially leading to unintentional directory traversal. This could allow a remote attacker to gain unauthorized access to protected data or impact the integrity of protected information. **Recommendations** For Ruby versions prior to 2.2.10, update to version 2.2.10 or later. For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later. For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later. For Ruby version 2.6.0-preview1, update to a later version. As a temporary workaround, consider restricting access to the `Dir.open`, `Dir.new`, `Dir.entries`, and `Dir.empty?` methods until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Ruby versions prior to 2.2.10 Ruby versions 2.3.x prior to 2.3.7 Ruby versions 2.4.x prior to 2.4.4 Ruby versions 2.5.x prior to 2.5.1 Ruby version 2.6.0-preview1 **Description** The issue arises from insufficient input validation in the UNIXServer.open and UNIXSocket.open methods. This may allow an attacker to connect to an unintended socket, potentially bypassing security restrictions. **Recommendations** For Ruby versions prior to 2.2.10, update to version 2.2.10 or later. For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later. For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later. For Ruby version 2.6.0-preview1, update to a later version.

**Name of the Vulnerable Software and Affected Versions** Ruby versions prior to 2.2.10 Ruby versions 2.3.x prior to 2.3.7 Ruby versions 2.4.x prior to 2.4.4 Ruby versions 2.5.x prior to 2.5.1 Ruby version 2.6.0-preview1 **Description** The issue exists due to incorrect restriction of the directory path name with limited access in the Dir.mktmpdir method of the tmpdir library in Ruby. This could allow a remote attacker to write arbitrary files to the file system. The vulnerability might be exploited by using a .. (dot dot) in the prefix argument to create arbitrary directories or files. **Recommendations** For Ruby versions prior to 2.2.10, update to version 2.2.10 or later. For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later. For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later. For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later. For Ruby version 2.6.0-preview1, update to a later version.