Skip to content

github-pages-193.gem: 24 vulnerabilities (highest severity is: 9.8) #14

Open
Open
github-pages-193.gem: 24 vulnerabilities (highest severity is: 9.8)#14
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend
@mend-bolt-for-github

Description

@mend-bolt-for-github
mend-bolt-for-github
bot
opened on Mar 7, 2024
Vulnerable Library - github-pages-193.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Vulnerabilities

Vulnerability Severity CVSS Dependency Type Fixed in (github-pages version) Remediation Possible**
CVE-2024-22051 Critical 9.8 commonmarker-0.17.13.gem Transitive N/A*
CVE-2021-28834 Critical 9.8 kramdown-1.17.0.gem Transitive N/A*
CVE-2020-14001 Critical 9.8 kramdown-1.17.0.gem Transitive N/A*
WS-2022-0093 High 8.8 commonmarker-0.17.13.gem Transitive N/A*
WS-2022-0089 High 8.8 nokogiri-1.12.5.gem Transitive N/A*
CVE-2022-24724 High 8.8 commonmarker-0.17.13.gem Transitive N/A*
CVE-2021-30560 High 8.8 nokogiri-1.12.5.gem Transitive N/A*
CVE-2025-6490 High 8.4 nokogiri-1.12.5.gem Transitive N/A*
CVE-2022-29181 High 8.2 nokogiri-1.12.5.gem Transitive N/A*
WS-2023-0095 High 7.5 commonmarker-0.17.13.gem Transitive N/A*
WS-2022-0320 High 7.5 commonmarker-0.17.13.gem Transitive N/A*
CVE-2026-35611 High 7.5 addressable-2.8.0.gem Transitive N/A*
CVE-2026-33176 High 7.5 activesupport-4.2.10.gem Transitive N/A*
CVE-2024-34459 High 7.5 nokogiri-1.12.5.gem Transitive N/A*
CVE-2023-22796 High 7.5 activesupport-4.2.10.gem Transitive N/A*
CVE-2022-31163 High 7.5 tzinfo-1.2.5.gem Transitive N/A*
CVE-2022-24836 High 7.5 nokogiri-1.12.5.gem Transitive N/A*
CVE-2018-25032 High 7.5 nokogiri-1.12.5.gem Transitive N/A*
CVE-2026-25765 Medium 5.8 faraday-1.8.0.gem Transitive N/A*
CVE-2026-33169 Medium 5.3 activesupport-4.2.10.gem Transitive N/A*
CVE-2023-26485 Medium 5.3 commonmarker-0.17.13.gem Transitive N/A*
CVE-2023-24824 Medium 5.3 commonmarker-0.17.13.gem Transitive N/A*
CVE-2026-33170 Medium 4.3 activesupport-4.2.10.gem Transitive N/A*
CVE-2023-22483 Low 3.5 commonmarker-0.17.13.gem Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-22051

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

CommonMarker versions prior to 0.23.4 are at risk of an integer overflow vulnerability. This vulnerability can result in possibly unauthenticated remote attackers to cause heap memory corruption, potentially leading to an information leak or remote code execution, via parsing tables with marker rows that contain more than UINT16_MAX columns.

Publish Date: 2024-01-04

URL: CVE-2024-22051

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fmx4-26r3-wxpf

Release Date: 2024-01-04

Fix Resolution: commonmarker - 0.23.4

Step up your Open Source Security Game with Mend here

CVE-2021-28834

Vulnerable Library - kramdown-1.17.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/kramdown-1.17.0.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • kramdown-1.17.0.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-52p9-v744-mwjj

Release Date: 2021-03-19

Fix Resolution: kramdown - 2.3.1

Step up your Open Source Security Game with Mend here

CVE-2020-14001

Vulnerable Library - kramdown-1.17.0.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.17.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/kramdown-1.17.0.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • kramdown-1.17.0.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Publish Date: 2020-07-17

URL: CVE-2020-14001

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001

Release Date: 2020-07-17

Fix Resolution: kramdown - 2.3.0

Step up your Open Source Security Game with Mend here

WS-2022-0093

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

commonmarker versions prior to 0.23.4 are vulnerable to heap memory corruption when parsing tables whose marker rows contain more than UINT16_MAX columns.
The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution.

Publish Date: 2022-02-03

URL: WS-2022-0093

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fmx4-26r3-wxpf

Release Date: 2022-02-03

Fix Resolution: commonmarker - 0.23.4

Step up your Open Source Security Game with Mend here

WS-2022-0089

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2024-12-05

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2024-12-05

Fix Resolution: nokogiri - v1.13.2,logstash-binary - no_fix,nokogiri - 1.13.2,rb-nokogiri - no_fix,files.com/files-php-sdk - v1.0.7

Step up your Open Source Security Game with Mend here

CVE-2022-24724

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

cmark-gfm is GitHub's extended version of the C reference implementation of CommonMark. Prior to versions 0.29.0.gfm.3 and 0.28.3.gfm.21, an integer overflow in cmark-gfm's table row parsing "table.c:row_from_string" may lead to heap memory corruption when parsing tables who's marker rows contain more than UINT16_MAX columns. The impact of this heap corruption ranges from Information Leak to Arbitrary Code Execution depending on how and where "cmark-gfm" is used. If "cmark-gfm" is used for rendering remote user controlled markdown, this vulnerability may lead to Remote Code Execution (RCE) in applications employing affected versions of the "cmark-gfm" library. This vulnerability has been patched in the following cmark-gfm versions 0.29.0.gfm.3 and 0.28.3.gfm.21. A workaround is available. The vulnerability exists in the table markdown extensions of cmark-gfm. Disabling the table extension will prevent this vulnerability from being triggered.

Publish Date: 2022-03-03

URL: CVE-2022-24724

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/RSEC-2023-7

Release Date: 2022-03-03

Fix Resolution: commonmark - 1.8

Step up your Open Source Security Game with Mend here

CVE-2021-30560

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Use after free in Blink XSLT in Google Chrome prior to 91.0.4472.164 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Publish Date: 2021-08-03

URL: CVE-2021-30560

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2021-30560

Release Date: 2021-08-03

Fix Resolution: v1.1.35,libxslt - 1.1.35

Step up your Open Source Security Game with Mend here

CVE-2025-6490

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

A vulnerability was found in sparklemotion nokogiri c29c920907366cb74af13b4dc2230e9c9e23b833 and classified as problematic. This issue affects the function hashmap_set_with_hash of the file gumbo-parser/src/hashmap.c. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The identifier of the patch is ada4708e5a67114402cd3feb70a4e1d1d7cf773a. It is recommended to apply a patch to fix this issue. The project maintainer explains that the affected code was merged into the main branch but the commit never appeared in an official release.

Publish Date: 2025-06-22

URL: CVE-2025-6490

CVSS 3 Score Details (8.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2022-29181

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a "String" by calling "#to_s" or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

Step up your Open Source Security Game with Mend here

WS-2023-0095

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Commonmarker vulnerable to to several quadratic complexity bugs that may lead to denial of service

Publish Date: 2024-12-04

URL: WS-2023-0095

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-48wp-p9qv-4j64

Release Date: 2024-12-04

Fix Resolution: commonmarker - 0.23.9

Step up your Open Source Security Game with Mend here

WS-2022-0320

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Unbounded resource exhaustion in cmark-gfm autolink extension may lead to denial of service

Publish Date: 2024-12-02

URL: WS-2022-0320

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4qw4-jpp4-8gvp

Release Date: 2024-12-02

Fix Resolution: commonmarker - 0.23.6

Step up your Open Source Security Game with Mend here

CVE-2026-35611

Vulnerable Library - addressable-2.8.0.gem

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. It is flexible, offers heuristic parsing, and additionally provides extensive support for IRIs and URI templates.

Library home page: https://rubygems.org/gems/addressable-2.8.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/addressable-2.8.0.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-avatar-0.6.0.gem
      • jekyll-3.7.4.gem
        • addressable-2.8.0.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Addressable is an alternative implementation to the URI implementation that is part of Ruby's standard library. From 2.3.0 to before 2.9.0, within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking. Templates using the * (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate patterns with nested unbounded quantifiers that are O(2^n) when matched against a maliciously crafted URI. Templates using multiple variables with the + or # operators (e.g., {+v1,v2,v3}) generate patterns with O(n^k) complexity due to the comma separator being within the matched character class, causing ambiguous backtracking across k variables. When matched against a maliciously crafted URI, this can result in catastrophic backtracking and uncontrolled resource consumption, leading to denial of service. This vulnerability is fixed in 2.9.0.

Publish Date: 2026-04-07

URL: CVE-2026-35611

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h27x-rffw-24p4

Release Date: 2026-04-07

Fix Resolution: addressable - 2.9.0

Step up your Open Source Security Game with Mend here

CVE-2026-33176

Vulnerable Library - activesupport-4.2.10.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • activesupport-4.2.10.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept strings containing scientific notation (e.g. "1e10000"), which "BigDecimal" expands into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Publish Date: 2026-03-23

URL: CVE-2026-33176

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-23

Fix Resolution: https://github.com/rails/rails.git - v8.0.5,https://github.com/rails/rails.git - v8.1.3,https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1

Step up your Open Source Security Game with Mend here

CVE-2024-34459

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

An issue was discovered in xmllint (from libxml2) before 2.11.8 and 2.12.x before 2.12.7. Formatting error messages with xmllint --htmlout can result in a buffer over-read in xmlHTMLPrintFileContext in xmllint.c. This vulnerability does not affect RubyGem's Nokogiri directly, but its dependency libxml2, which is downloaded during Nokogiri's depndency resolution.

Publish Date: 2024-05-13

URL: CVE-2024-34459

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2023-22796

Vulnerable Library - activesupport-4.2.10.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • activesupport-4.2.10.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Publish Date: 2023-02-09

URL: CVE-2023-22796

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-j6gc-792m-qgm2

Release Date: 2023-02-09

Fix Resolution: activesupport - 6.1.7.1,7.0.4.1

Step up your Open Source Security Game with Mend here

CVE-2022-31163

Vulnerable Library - tzinfo-1.2.5.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/tzinfo-1.2.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-mentions-1.4.1.gem
      • html-pipeline-2.9.1.gem
        • activesupport-4.2.10.gem
          • tzinfo-1.2.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-21

URL: CVE-2022-31163

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-21

Fix Resolution: tzinfo - 0.3.61,tzinfo - 1.2.10

Step up your Open Source Security Game with Mend here

CVE-2022-24836

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4

Step up your Open Source Security Game with Mend here

CVE-2018-25032

Vulnerable Library - nokogiri-1.12.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.12.5.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/nokogiri-1.12.5.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • nokogiri-1.12.5.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches.

Publish Date: 2022-03-25

URL: CVE-2018-25032

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2018-25032

Release Date: 2022-03-25

Fix Resolution: zlib - 1.2.12

Step up your Open Source Security Game with Mend here

CVE-2026-25765

Vulnerable Library - faraday-1.8.0.gem

Library home page: https://rubygems.org/gems/faraday-1.8.0.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/faraday-1.8.0.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-theme-primer-0.5.3.gem
      • jekyll-github-metadata-2.9.4.gem
        • octokit-4.21.0.gem
          • faraday-1.8.0.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Faraday is an HTTP client library abstraction layer that provides a common interface over many adapters. Prior to 2.14.1, Faraday's build_exclusive_url method (in lib/faraday/connection.rb) uses Ruby's URI#merge to combine the connection's base URL with a user-supplied path. Per RFC 3986, protocol-relative URLs (e.g. //evil.com/path) are treated as network-path references that override the base URL's host/authority component. This means that if any application passes user-controlled input to Faraday's get(), post(), build_url(), or other request methods, an attacker can supply a protocol-relative URL like //attacker.com/endpoint to redirect the request to an arbitrary host, enabling Server-Side Request Forgery (SSRF). This vulnerability is fixed in 2.14.1.

Publish Date: 2026-02-09

URL: CVE-2026-25765

CVSS 3 Score Details (5.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-33mh-2634-fwr2

Release Date: 2026-02-09

Fix Resolution: https://github.com/lostisland/faraday.git - v2.14.1,faraday - 2.14.1

Step up your Open Source Security Game with Mend here

CVE-2026-33169

Vulnerable Library - activesupport-4.2.10.gem

A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing.

Library home page: https://rubygems.org/gems/activesupport-4.2.10.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/activesupport-4.2.10.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • activesupport-4.2.10.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

Active Support is a toolkit of support libraries and Ruby core extensions extracted from the Rails framework. "NumberToDelimitedConverter" uses a lookahead-based regular expression with "gsub!" to insert thousands delimiters. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the repeated lookahead group and "gsub!" can produce quadratic time complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

Publish Date: 2026-03-23

URL: CVE-2026-33169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2026-03-23

Fix Resolution: https://github.com/rails/rails.git - v8.0.4.1,https://github.com/rails/rails.git - v8.1.2.1,https://github.com/rails/rails.git - v7.2.3.1

Step up your Open Source Security Game with Mend here

CVE-2023-26485

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of _ characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources. ### Impact A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. ### Proof of concept $ ~/cmark-gfm$ python3 -c 'pad = "_" * 100000; print(pad + "." + pad, end="")' | time ./build/src/cmark-gfm --to plaintext Increasing the number 10000 in the above commands causes the running time to increase quadratically. ### Patches This vulnerability have been patched in 0.29.0.gfm.10. ### Note on cmark and cmark-gfm XXX: TBD cmark-gfm is a fork of cmark that adds the GitHub Flavored Markdown extensions. The two codebases have diverged over time, but share a common core. These bugs affect both cmark and cmark-gfm. ### Credit We would like to thank @gravypod for reporting this vulnerability. ### References https://en.wikipedia.org/wiki/Time_complexity ### For more information If you have any questions or comments about this advisory: * Open an issue in github/cmark-gfm
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: 2023-03-31

URL: CVE-2023-26485

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/RSEC-2023-8

Release Date: 2023-03-31

Fix Resolution: commonmark - 1.9.2

Step up your Open Source Security Game with Mend here

CVE-2023-24824

Vulnerable Library - commonmarker-0.17.13.gem

A fast, safe, extensible parser for CommonMark. This wraps the official libcmark library.

Library home page: https://rubygems.org/gems/commonmarker-0.17.13.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/commonmarker-0.17.13.gem

Dependency Hierarchy:

  • github-pages-193.gem (Root Library)
    • jekyll-commonmark-ghpages-0.1.5.gem
      • commonmarker-0.17.13.gem (Vulnerable Library)

Found in HEAD commit: 12bc1965fc756643d5e0473b5cc7cf0e1fe35bdf

Found in base branch: master

Vulnerability Details

cmark-gfm is GitHub's fork of cmark, a CommonMark parsing and rendering library and program in C. A polynomial time complexity issue in cmark-gfm may lead to unbounded resource exhaustion and subsequent denial of service. This CVE covers quadratic complexity issues when parsing text which leads with either large numbers of > or - characters. This issue has been addressed in version 0.29.0.gfm.10. Users are advised to upgrade. Users unable to upgrade should validate that their input comes from trusted sources.

Publish Date: 2023-03-31

URL: CVE-2023-24824

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/RSEC-2023-8

Release Date: 2023-03-31

Fix Resolution: commonmark - 1.9.2

Step up your Open Source Security Game with Mend here

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by Mend

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions