Description
Vulnerable Library - jbuilder-2.11.5.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.5.0.gem
Vulnerabilities
| Vulnerability | Severity (CVSS 3 base score) | Dependency | Type | Fixed in (jbuilder version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2024-53989 | 6.1 | rails-html-sanitizer-1.5.0.gem | Transitive | N/A* | ❌ |
| CVE-2024-53988 | 6.1 | rails-html-sanitizer-1.5.0.gem | Transitive | N/A* | ❌ |
| CVE-2024-53987 | 6.1 | rails-html-sanitizer-1.5.0.gem | Transitive | N/A* | ❌ |
| CVE-2024-53986 | 6.1 | rails-html-sanitizer-1.5.0.gem | Transitive | N/A* | ❌ |
| CVE-2024-53985 | 6.1 | rails-html-sanitizer-1.5.0.gem | Transitive | N/A* | ❌ |
| CVE-2023-38037 | 4.3 | activesupport-7.0.4.3.gem | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency (here jbuilder) that pulls in a fix. Check the "Details" section below for the version of the transitive dependency in which the vulnerability is fixed; that gem can then be bumped directly in the lockfile.
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2024-53989
Vulnerable Library - rails-html-sanitizer-1.5.0.gem
HTML sanitization for Rails applications
Library home page: https://rubygems.org/gems/rails-html-sanitizer-1.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.5.0.gem
Dependency Hierarchy:
- jbuilder-2.11.5.gem (Root Library)
  - actionview-7.0.4.3.gem
    - ❌ rails-html-sanitizer-1.5.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. With certain configurations of Rails::HTML::Sanitizer 1.6.0 used with Rails >= 7.1.0, an attacker may be able to inject content (XSS) if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags to allow the "noscript" element. This vulnerability is fixed in 1.6.1. Note the scope mismatch with this report: the advisory text applies to 1.6.0 on Rails >= 7.1.0, while the scanned lockfile resolves rails-html-sanitizer 1.5.0 alongside actionview 7.0.4.3, so confirm which version is actually resolved (and whether HTML5 sanitization is in use at all) before treating the finding as exploitable. Upgrading to 1.6.1 closes the finding either way.
Publish Date: 2024-12-02
URL: CVE-2024-53989
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-rxv5-gxqc-xx8g
Release Date: 2024-12-02
Fix Resolution: rails-html-sanitizer - 1.6.1
CVE-2024-53988
Vulnerable Library - rails-html-sanitizer-1.5.0.gem
HTML sanitization for Rails applications
Library home page: https://rubygems.org/gems/rails-html-sanitizer-1.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.5.0.gem
Dependency Hierarchy:
- jbuilder-2.11.5.gem (Root Library)
  - actionview-7.0.4.3.gem
    - ❌ rails-html-sanitizer-1.5.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. With certain configurations of Rails::HTML::Sanitizer 1.6.0 used with Rails >= 7.1.0, an attacker may be able to inject content (XSS) if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags such that the "math", "mtext", "table", and "style" elements are all allowed together with either "mglyph" or "malignmark". This vulnerability is fixed in 1.6.1.
Publish Date: 2024-12-02
URL: CVE-2024-53988
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Fix Resolution: rails-html-sanitizer - 1.6.1 (per the advisory text above; the scanner lists no separate fix record for this entry)
CVE-2024-53987
Vulnerable Library - rails-html-sanitizer-1.5.0.gem
HTML sanitization for Rails applications
Library home page: https://rubygems.org/gems/rails-html-sanitizer-1.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.5.0.gem
Dependency Hierarchy:
- jbuilder-2.11.5.gem (Root Library)
  - actionview-7.0.4.3.gem
    - ❌ rails-html-sanitizer-1.5.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. With certain configurations of Rails::HTML::Sanitizer 1.6.0 used with Rails >= 7.1.0, an attacker may be able to inject content (XSS) if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags such that the "style" element is explicitly allowed while neither the "svg" nor the "math" element is allowed. This vulnerability is fixed in 1.6.1.
Publish Date: 2024-12-02
URL: CVE-2024-53987
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-2x5m-9ch4-qgrr
Release Date: 2024-12-02
Fix Resolution: rails-html-sanitizer - 1.6.1
CVE-2024-53986
Vulnerable Library - rails-html-sanitizer-1.5.0.gem
HTML sanitization for Rails applications
Library home page: https://rubygems.org/gems/rails-html-sanitizer-1.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.5.0.gem
Dependency Hierarchy:
- jbuilder-2.11.5.gem (Root Library)
  - actionview-7.0.4.3.gem
    - ❌ rails-html-sanitizer-1.5.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. With certain configurations of Rails::HTML::Sanitizer 1.6.0 used with Rails >= 7.1.0, an attacker may be able to inject content (XSS) if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags such that the "math" and "style" elements are both explicitly allowed. This vulnerability is fixed in 1.6.1.
Publish Date: 2024-12-02
URL: CVE-2024-53986
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-638j-pmjw-jq48
Release Date: 2024-12-02
Fix Resolution: rails-html-sanitizer - 1.6.1
CVE-2024-53985
Vulnerable Library - rails-html-sanitizer-1.5.0.gem
HTML sanitization for Rails applications
Library home page: https://rubygems.org/gems/rails-html-sanitizer-1.5.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/rails-html-sanitizer-1.5.0.gem
Dependency Hierarchy:
- jbuilder-2.11.5.gem (Root Library)
  - actionview-7.0.4.3.gem
    - ❌ rails-html-sanitizer-1.5.0.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. With certain configurations of Rails::HTML::Sanitizer 1.6.0 used with Rails >= 7.1.0 and Nokogiri < 1.15.7 or 1.16.x < 1.16.8, an attacker may be able to inject content (XSS) if HTML5 sanitization is enabled and the application developer has overridden the sanitizer's allowed tags to include both "math" and "style", or both "svg" and "style". This vulnerability is fixed in 1.6.1.
Publish Date: 2024-12-02
URL: CVE-2024-53985
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-w8gc-x259-rc7x
Release Date: 2024-12-02
Fix Resolution: rails-html-sanitizer - 1.6.1
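The five rails-html-sanitizer entries above each describe an allow-list shape that makes HTML5 sanitization unsafe on the affected version. As an added example (not code from the scanner report or from the rails-html-sanitizer project), the Ruby below encodes those five shapes as predicates and evaluates an application's effective allow-list against them. The module name, the `risky_patterns` and `added_risky_tags` helpers, and the sample tag lists are assumptions made for illustration.

```ruby
require "set"

# Added example, not part of the scanner report or the rails-html-sanitizer gem:
# check an overridden allow-list against the configuration patterns named in
# CVE-2024-53985 .. CVE-2024-53989. The patterns only matter when HTML5
# sanitization is enabled (the advisories scope themselves to 1.6.0 on
# Rails >= 7.1.0), so the caller states that explicitly.
module SanitizerConfigAudit
  # One predicate per CVE, evaluated over a Set of lower-cased tag names.
  RULES = {
    # "noscript" allowed at all
    "CVE-2024-53989" => ->(t) { t.include?("noscript") },
    # math + mtext + table + style all allowed, plus mglyph or malignmark
    "CVE-2024-53988" => ->(t) {
      %w[math mtext table style].all? { |x| t.include?(x) } &&
        (t.include?("mglyph") || t.include?("malignmark"))
    },
    # style allowed while neither svg nor math is
    "CVE-2024-53987" => ->(t) { t.include?("style") && !t.include?("svg") && !t.include?("math") },
    # math and style both allowed
    "CVE-2024-53986" => ->(t) { t.include?("math") && t.include?("style") },
    # math + style or svg + style (the advisory additionally scopes this one to older Nokogiri)
    "CVE-2024-53985" => ->(t) { t.include?("style") && (t.include?("math") || t.include?("svg"))  },
  }.freeze

  # Tags the five advisories mention; useful for spotting what an override added.
  RISKY_TAGS = %w[noscript style math mtext table mglyph malignmark svg].freeze

  # Returns the CVE ids whose configuration pattern the given allow-list matches.
  # allowed_tags: the full effective allow-list (defaults plus the application's
  # additions), as strings or symbols. html5: whether HTML5 sanitization is on.
  def self.risky_patterns(allowed_tags, html5: true)
    return [] unless html5
    tags = allowed_tags.map { |x| x.to_s.downcase }.to_set
    RULES.select { |_, rule| rule.call(tags) }.keys
  end

  # Which advisory-relevant tags did an override add on top of a baseline list?
  def self.added_risky_tags(baseline, override)
    (override.map(&:to_s) - baseline.map(&:to_s)) & RISKY_TAGS
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample override, e.g. the tags: option of the sanitize helper
  # in a view, or a global allowed_tags assignment in an initializer.
  baseline = %w[p a strong em ul ol li]
  override = baseline + %w[style math mtext]
  puts "added: #{SanitizerConfigAudit.added_risky_tags(baseline, override).join(', ')}"
  puts "risky: #{SanitizerConfigAudit.risky_patterns(override).join(', ')}"
end
```

Feed it the effective list, i.e. the default allow-list plus whatever the application adds through `sanitize(html, tags: ...)` or a global allowed_tags override, because several of the patterns fire only on combinations. A hit means the override itself should be revisited, not just the gem version, and the result should be read together with a lockfile check of whether the resolved rails-html-sanitizer version is one the advisories actually cover.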
CVE-2023-38037
Vulnerable Library - activesupport-7.0.4.3.gem
A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.
Library home page: https://rubygems.org/gems/activesupport-7.0.4.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/activesupport-7.0.4.3.gem
Dependency Hierarchy:
- jbuilder-2.11.5.gem (Root Library)
  - ❌ activesupport-7.0.4.3.gem (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Active Support Possibly Discloses Locally Encrypted Files (advisory title; the scanner carries no further description). The affected component is ActiveSupport::EncryptedFile, which backs `rails credentials:edit`: while an encrypted file is being edited, its decrypted contents are written to a temporary file, and on affected versions that file was created with the process's default file permissions rather than owner-only permissions, so other local users on a shared host could read the plaintext while the file existed. The fixed releases create the temporary file readable by its owner only.
Publish Date: 2025-01-09
URL: CVE-2023-38037
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-cr5q-6q9f-rq6q
Release Date: 2024-11-29
Fix Resolution: activesupport - 6.1.7.5, 7.0.7.1
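The summary table marks every finding as transitive with no fixing jbuilder version, while each Details entry names the fixed version of the transitive gem. As an added example (not part of the scanner report), the Ruby below reads the resolved versions out of a Gemfile.lock, compares them with the fixed versions listed in this report, and evaluates the scope statement the rails-html-sanitizer entries make (1.6.0 on Rails >= 7.1.0) against what the lockfile resolves. The lockfile text is constructed and abridged to mirror the hierarchy in this report (it is not the repository's real /Gemfile.lock), and the module and function names are assumptions.

```ruby
require "rubygems" # Gem::Version, stdlib

# Added example, not part of the scanner report: compare a Gemfile.lock's
# resolved versions with the "Fix Resolution" versions listed above.
module LockAudit
  # Fixed versions exactly as the report lists them.
  FIXES = {
    "rails-html-sanitizer" => %w[1.6.1],
    "activesupport"        => %w[6.1.7.5 7.0.7.1],
  }.freeze

  # Constructed, abridged lockfile mirroring the report's dependency hierarchy
  # (jbuilder -> actionview -> rails-html-sanitizer); not a real lockfile.
  SAMPLE_LOCK = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        actionview (7.0.4.3)
          activesupport (= 7.0.4.3)
          rails-html-sanitizer (~> 1.1, >= 1.2.0)
        activesupport (7.0.4.3)
        jbuilder (2.11.5)
          actionview (>= 5.0.0)
          activesupport (>= 5.0.0)
        rails-html-sanitizer (1.5.0)
  LOCK

  # Resolved gems are the 4-space-indented "name (version)" lines under
  # "specs:"; 6-space lines are requirements and are skipped. A platform
  # suffix such as "-x86_64-linux" is dropped before parsing the version.
  def self.parse(lock_text)
    lock_text.each_line.each_with_object({}) do |line, acc|
      next unless line =~ /\A {4}(\S+) \(([^)]+)\)\s*\z/
      acc[$1] = Gem::Version.new($2.split("-").first)
    end
  end

  # Patched if the lockfile version is at or above the fix for its own
  # major.minor series, or belongs to a newer series than any listed fix.
  # Otherwise report the smallest fixed version that is not a downgrade.
  def self.status(name, current)
    fixes  = FIXES.fetch(name).map { |v| Gem::Version.new(v) }
    series = fixes.select { |f| f.segments[0, 2] == current.segments[0, 2] }
    patched = series.any? { |f| current >= f } ||
              (series.empty? && current >= fixes.max)
    target = fixes.select { |f| f >= current }.min || fixes.max
    { gem: name, current: current.to_s, patched: patched, target: target.to_s }
  end

  # The five rails-html-sanitizer advisories scope themselves to 1.6.0 used
  # with Rails >= 7.1.0; actionview's version stands in for the Rails version.
  def self.sanitizer_advisory_in_scope?(versions)
    san = versions["rails-html-sanitizer"]
    av  = versions["actionview"]
    !!(san && av && san == Gem::Version.new("1.6.0") && av >= Gem::Version.new("7.1.0"))
  end

  def self.audit(lock_text = SAMPLE_LOCK)
    versions = parse(lock_text)
    findings = FIXES.keys.map { |g| versions[g] && status(g, versions[g]) }.compact
    { findings: findings, sanitizer_advisory_in_scope: sanitizer_advisory_in_scope?(versions) }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = LockAudit.audit
  result[:findings].each do |f|
    action = f[:patched] ? "patched" : "upgrade to #{f[:target]}"
    puts "#{f[:gem]} #{f[:current]}: #{action}"
  end
  puts "rails-html-sanitizer advisory scope matches lockfile: #{result[:sanitizer_advisory_in_scope]}"
end
```

Because the fixes live in transitive gems, the remediation is a conservative bump of those gems rather than of jbuilder, for example `bundle update --conservative rails-html-sanitizer`, then re-running the check on the new lockfile. activesupport is pinned to the same version as actionview and the other Rails 7.0.x gems, so it moves with a Rails patch-level update rather than on its own.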