Skip to content

resque-scheduler-4.10.2.gem: 4 vulnerabilities (highest severity is: 7.5) #6

Description

@mend-for-github-com
Vulnerable Library - resque-scheduler-4.10.2.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (resque-scheduler version) Remediation Possible** Reachability
CVE-2022-29970 High 7.5 Not Defined 0.2% sinatra-1.0.gem Transitive N/A*
CVE-2018-11627 Medium 6.1 Not Defined 0.1% sinatra-1.0.gem Transitive N/A*
CVE-2018-1000119 Medium 5.9 Not Defined 0.2% sinatra-1.0.gem Transitive N/A*
CVE-2018-7212 Medium 5.3 Not Defined 0.1% sinatra-1.0.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-29970

Vulnerable Library - sinatra-1.0.gem

Classy web-development dressed in a DSL

Library home page: https://rubygems.org/gems/sinatra-1.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem

Dependency Hierarchy:

  • resque-scheduler-4.10.2.gem (Root Library)
    • resque-2.6.0.gem
      • sinatra-1.0.gem (Vulnerable Library)

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Found in base branch: main

Vulnerability Details

Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static files.

Publish Date: 2022-05-02

URL: CVE-2022-29970

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qp49-3pvw-x4m5

Release Date: 2022-05-02

Fix Resolution: sinatra - 2.2.0

CVE-2018-11627

Vulnerable Library - sinatra-1.0.gem

Classy web-development dressed in a DSL

Library home page: https://rubygems.org/gems/sinatra-1.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem

Dependency Hierarchy:

  • resque-scheduler-4.10.2.gem (Root Library)
    • resque-2.6.0.gem
      • sinatra-1.0.gem (Vulnerable Library)

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Found in base branch: main

Vulnerability Details

Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.

Publish Date: 2018-05-31

URL: CVE-2018-11627

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11627

Release Date: 2018-05-31

Fix Resolution: 2.0.2

CVE-2018-1000119

Vulnerable Library - sinatra-1.0.gem

Classy web-development dressed in a DSL

Library home page: https://rubygems.org/gems/sinatra-1.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem

Dependency Hierarchy:

  • resque-scheduler-4.10.2.gem (Root Library)
    • resque-2.6.0.gem
      • sinatra-1.0.gem (Vulnerable Library)

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Found in base branch: main

Vulnerability Details

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
Mend Note: Converted from WS-2017-0277, on 2022-11-08.

Publish Date: 2018-03-07

URL: CVE-2018-1000119

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000119

Release Date: 2018-03-07

Fix Resolution: sinatra - 2.0.0,2.0.0.rc5;rack-protection - 1.5.4,2.0.0.rc5

CVE-2018-7212

Vulnerable Library - sinatra-1.0.gem

Classy web-development dressed in a DSL

Library home page: https://rubygems.org/gems/sinatra-1.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-1.0.gem

Dependency Hierarchy:

  • resque-scheduler-4.10.2.gem (Root Library)
    • resque-2.6.0.gem
      • sinatra-1.0.gem (Vulnerable Library)

Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8

Found in base branch: main

Vulnerability Details

An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash characters.

Publish Date: 2018-02-18

URL: CVE-2018-7212

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7212

Release Date: 2018-02-18

Fix Resolution: 2.0.1

Metadata

Metadata

Assignees

No one assigned

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions