Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

False positive with loofah CVE #210

Closed
mroach opened this issue Jun 28, 2021 · 3 comments
Closed

False positive with loofah CVE #210

mroach opened this issue Jun 28, 2021 · 3 comments

Comments

@mroach
Copy link

mroach commented Jun 28, 2021
edited

There appears to be a false positive with identifying a loofah version vulnerable to a CVE.

This message started appearing after upgrading from 2.9.1 to 2.10.0. The nature of the error and the correlation with the version bump leads me to think there's a string vs numeric version comparison issue.

Confidence: Medium
Category: Cross-Site Scripting
Check: SanitizeMethods
Message: loofah gem 2.10.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1
File: Gemfile.lock

Brakeman version 5.0.0
@mroach
Copy link
Author

mroach commented Jun 28, 2021

I posted this on the wrong repository. Hurrah! Sorry about that!

@mroach mroach closed this as completed Jun 28, 2021
@flavorjones
Copy link
Owner

No worries! I expect it's the same problem reported at #209? If so, thanks for your patience.

@mroach
Copy link
Author

mroach commented Jun 29, 2021 via email

@flavorjones flavorjones mentioned this issue Jul 14, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@flavorjones @mroach