rdoc-3.12.gem: 4 vulnerabilities (highest severity is: 7.5) #2
Description
Vulnerable Library - rdoc-3.12.gem
RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying online documentation.
See RDoc for a description of RDoc's markup and basic use.
Library home page: https://rubygems.org/gems/rdoc-3.12.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rdoc-3.12.gem
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (rdoc version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2020-10663 | 7.5 | json-1.7.6.gem | Transitive | N/A* | ❌ |
| CVE-2013-0269 | 7.3 | json-1.7.6.gem | Transitive | N/A* | ❌ |
| CVE-2021-31799 | 7.0 | rdoc-3.12.gem | Direct | rdoc - 6.3.1 | ❌ |
| CVE-2013-0256 | 3.7 | rdoc-3.12.gem | Direct | 4.0.0.preview2.1 | ❌ |
*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether a fixed version of the transitive dependency itself exists.
**In some cases a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2020-10663
Vulnerable Library - json-1.7.6.gem
This is a JSON implementation as a Ruby extension in C.
Library home page: https://rubygems.org/gems/json-1.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/json-1.7.6.gem
Dependency Hierarchy:
- rdoc-3.12.gem (Root Library)
- ❌ json-1.7.6.gem (Vulnerable Library)
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object within the interpreter, with adverse effects that are application-dependent.
Publish Date: 2020-04-28
URL: CVE-2020-10663
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
Release Date: 2020-04-28
Fix Resolution: 2.3.0
Step up your Open Source Security Game with Mend here
CVE-2013-0269
Vulnerable Library - json-1.7.6.gem
This is a JSON implementation as a Ruby extension in C.
Library home page: https://rubygems.org/gems/json-1.7.6.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/json-1.7.6.gem
Dependency Hierarchy:
- rdoc-3.12.gem (Root Library)
- ❌ json-1.7.6.gem (Vulnerable Library)
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
Publish Date: 2013-02-13
URL: CVE-2013-0269
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269
Release Date: 2013-02-13
Fix Resolution: json - 1.5.5,1.6.8,1.7.7
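Both json findings above (CVE-2013-0269 and CVE-2020-10663) are instances of the same "Unsafe Object Creation" pattern: when the parser is allowed to honour the `json_class` key, the document decides which class's `json_create` gets called. The example below is added here and is not code from the json gem, RDoc, or this repository; `Demo::Record`, `parse_with_additions`, `parse_untrusted` and `contains_json_class?` are hypothetical names, and `UNTRUSTED_DOC` is a constructed input. It shows the dangerous option beside the default, and a defense-in-depth check that flags object-creation markers anywhere in a parsed document.

```ruby
require "json"

# Added example, not the json gem's or RDoc's own code. Demo::Record stands
# in for any json_create-capable class an attacker could name in "json_class".
module Demo
  class Record
    attr_reader :name

    def initialize(name)
      @name = name
    end

    # The json gem calls this when create_additions is enabled and the
    # document's "json_class" names this class.
    def self.json_create(hash)
      new(hash["name"])
    end
  end
end

# Constructed attacker-controlled document: it picks the class to instantiate.
UNTRUSTED_DOC = '{"json_class":"Demo::Record","name":"from-the-wire"}'

# Dangerous: create_additions lets the document choose the class. JSON.load
# historically enabled this by default, which is the pattern behind
# CVE-2013-0269 and CVE-2020-10663.
def parse_with_additions(doc)
  JSON.parse(doc, create_additions: true)
end

# Safe: JSON.parse with default options returns only Hash, Array, String,
# Numeric, true, false and nil; "json_class" is just another string key.
def parse_untrusted(doc)
  JSON.parse(doc)
end

# Defense in depth: refuse documents carrying an object-creation marker at any
# depth, so a later JSON.load on the same data cannot be tricked either.
def contains_json_class?(value)
  case value
  when Hash
    value.key?("json_class") || value.values.any? { |v| contains_json_class?(v) }
  when Array
    value.any? { |v| contains_json_class?(v) }
  else
    false
  end
end

if __FILE__ == $PROGRAM_NAME
  obj = parse_with_additions(UNTRUSTED_DOC)
  puts "create_additions: true  -> #{obj.class}"
  plain = parse_untrusted(UNTRUSTED_DOC)
  puts "create_additions: false -> #{plain.class}"
  puts "marker present: #{contains_json_class?(plain)}"
end
```

The practical rule for untrusted input is to call `JSON.parse` with default options and never `JSON.load` (or any `create_additions: true` path); the marker check is only a backstop for data that may later reach a less careful consumer.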
CVE-2021-31799
Vulnerable Library - rdoc-3.12.gem
RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying online documentation.
See RDoc for a description of RDoc's markup and basic use.
Library home page: https://rubygems.org/gems/rdoc-3.12.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rdoc-3.12.gem
Dependency Hierarchy:
- ❌ rdoc-3.12.gem (Vulnerable Library)
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
In RDoc 3.11 through 6.x before 6.3.1, as distributed with Ruby through 3.0.1, it is possible to execute arbitrary code via a filename that starts with `|` and ends with `tags`. RDoc opened project files with Kernel#open, which treats a path beginning with `|` as a command to run rather than a file to read, so the command following the pipe character is executed when RDoc processes such a file (see the ruby-lang.org advisory linked under Suggested Fix).
Publish Date: 2021-07-30
URL: CVE-2021-31799
CVSS 3 Score Details (7.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.ruby-lang.org/en/news/2021/05/02/os-command-injection-in-rdoc/
Release Date: 2021-07-30
Fix Resolution: rdoc - 6.3.1
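The root cause is a Ruby API property rather than anything RDoc-specific: `Kernel#open` interprets a leading `|` as "spawn this command and give me its output", while `File.open` does not. The example below is added here and is not RDoc's own code; `read_unsafe`, `read_safe`, `pipe_path?` and `read_safe_tempfile_demo` are hypothetical names, and `"|echo rdoc-demo"` is a constructed attacker-chosen filename (RDoc's actual trigger additionally required the name to end in `tags`, which the example does not reproduce). It shows the vulnerable pattern beside the hardened one.

```ruby
# Added example, not RDoc's own code: the Kernel#open hazard behind
# CVE-2021-31799, where a path beginning with "|" is executed as a command.
require "tempfile"

# Vulnerable pattern: Kernel#open treats "|cmd" as a pipe to cmd and returns
# the command's stdout instead of a file's contents.
def read_unsafe(path)
  open(path) { |io| io.read }
end

# Hardened pattern: File.open only opens files; a leading "|" is just a
# character in a (non-existent) filename and raises Errno::ENOENT.
def read_safe(path)
  File.open(path, "r") { |io| io.read }
end

# Cheap pre-check for code that cannot yet move off Kernel#open-style APIs.
def pipe_path?(path)
  path.start_with?("|")
end

# Shows the safe reader working on a real file (constructed temp file).
def read_safe_tempfile_demo
  Tempfile.create("rdoc-demo") do |f|
    f.write("hello")
    f.flush
    read_safe(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  attacker_name = "|echo rdoc-demo" # constructed: a "filename" that is really a command
  puts "Kernel#open ran the command and returned: #{read_unsafe(attacker_name).inspect}"
  begin
    read_safe(attacker_name)
  rescue Errno::ENOENT => e
    puts "File.open refused: #{e.message}"
  end
  puts "pipe_path? -> #{pipe_path?(attacker_name)}"
  puts "safe read of a real file -> #{read_safe_tempfile_demo.inspect}"
end
```

When auditing a codebase for this class of bug, grep for bare `open(` calls that receive a path from a directory listing, a config file or user input, and replace them with `File.open` / `File.read`; if a pipe is genuinely intended, call `IO.popen` explicitly so the intent is visible and the argument is never a filename.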
CVE-2013-0256
Vulnerable Library - rdoc-3.12.gem
RDoc produces HTML and command-line documentation for Ruby projects. RDoc includes the +rdoc+ and +ri+ tools for generating and displaying online documentation.
See RDoc for a description of RDoc's markup and basic use.
Library home page: https://rubygems.org/gems/rdoc-3.12.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rdoc-3.12.gem
Dependency Hierarchy:
- ❌ rdoc-3.12.gem (Vulnerable Library)
Found in HEAD commit: b796a1fef53fffdf990be54f950a21eac4ad72d0
Found in base branch: master
Vulnerability Details
darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
Publish Date: 2013-03-01
URL: CVE-2013-0256
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-0256
Release Date: 2013-03-01
Fix Resolution: 4.0.0.preview2.1