Vulnerable Library - resque-scheduler-4.10.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
| CVE |
Severity |
CVSS |
Exploit Maturity |
EPSS |
Dependency |
Type |
Fixed in (resque-scheduler version) |
Remediation Possible** |
Reachability |
| CVE-2022-29970 |
High |
7.5 |
Not Defined |
0.2% |
sinatra-1.0.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2018-11627 |
Medium |
6.1 |
Not Defined |
0.1% |
sinatra-1.0.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2018-1000119 |
Medium |
5.9 |
Not Defined |
0.2% |
sinatra-1.0.gem |
Transitive |
N/A* |
❌ |
|
| CVE-2018-7212 |
Medium |
5.3 |
Not Defined |
0.1% |
sinatra-1.0.gem |
Transitive |
N/A* |
❌ |
|
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-29970
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
- resque-scheduler-4.10.2.gem (Root Library)
- resque-2.6.0.gem
- ❌ sinatra-1.0.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Publish Date: 2022-05-02
URL: CVE-2022-29970
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-qp49-3pvw-x4m5
Release Date: 2022-05-02
Fix Resolution: sinatra - 2.2.0
CVE-2018-11627
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
- resque-scheduler-4.10.2.gem (Root Library)
- resque-2.6.0.gem
- ❌ sinatra-1.0.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
Publish Date: 2018-05-31
URL: CVE-2018-11627
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11627
Release Date: 2018-05-31
Fix Resolution: 2.0.2
CVE-2018-1000119
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
- resque-scheduler-4.10.2.gem (Root Library)
- resque-2.6.0.gem
- ❌ sinatra-1.0.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
Mend Note: Converted from WS-2017-0277, on 2022-11-08.
Publish Date: 2018-03-07
URL: CVE-2018-1000119
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000119
Release Date: 2018-03-07
Fix Resolution: sinatra - 2.0.0,2.0.0.rc5;rack-protection - 1.5.4,2.0.0.rc5
CVE-2018-7212
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
- resque-scheduler-4.10.2.gem (Root Library)
- resque-2.6.0.gem
- ❌ sinatra-1.0.gem (Vulnerable Library)
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
Publish Date: 2018-02-18
URL: CVE-2018-7212
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7212
Release Date: 2018-02-18
Fix Resolution: 2.0.1
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.
Publish Date: 2022-05-02
URL: CVE-2022-29970
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-qp49-3pvw-x4m5
Release Date: 2022-05-02
Fix Resolution: sinatra - 2.2.0
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
Publish Date: 2018-05-31
URL: CVE-2018-11627
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11627
Release Date: 2018-05-31
Fix Resolution: 2.0.2
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
Mend Note: Converted from WS-2017-0277, on 2022-11-08.
Publish Date: 2018-03-07
URL: CVE-2018-1000119
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000119
Release Date: 2018-03-07
Fix Resolution: sinatra - 2.0.0,2.0.0.rc5;rack-protection - 1.5.4,2.0.0.rc5
Vulnerable Library - sinatra-1.0.gem
Classy web-development dressed in a DSL
Library home page: https://rubygems.org/gems/sinatra-1.0.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.
Publish Date: 2018-02-18
URL: CVE-2018-7212
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7212
Release Date: 2018-02-18
Fix Resolution: 2.0.1