
Fixed @ CVE-2022-30123 #10

Open
wants to merge 1 commit into base: master

Conversation

mik-patient

Vulnerability Description

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Arbitrary Code Injection. There is a possible shell-escape sequence injection vulnerability in Rack's Lint and CommonLogger components. Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.

Notes:
Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this: use Rack::Lint or use Rack::CommonLogger.

CVE-2022-30123
GHSA-wq4h-7r42-5hrr

Technical Details

Testing Instructions

@WilliamNHarvey (Member)

👋 Hey there

This change to the Gemfile.lock won't affect the apps that use this gem. It's solely committed here for use in automated testing. Is there a change to the gemspec that's relevant to this CVE, like new minimum dependency versions?
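The failure mode described in the PR body is that attacker-controlled request fields (path, query string, headers) reach a log that someone reads in a terminal, and the terminal acts on any ESC/CSI or other control sequences they carry. The following is an added example, not Rack's code and not part of this PR: a small sanitizer plus a logging middleware (the names LogSanitizer and SafeLogger are hypothetical) that rewrites every control byte as a visible \xNN escape before the line is written. The sample request env at the bottom is constructed for the demonstration.

```ruby
require 'stringio'

# Hypothetical helper (not from Rack): neutralise bytes a terminal would
# interpret instead of display before they are written to a log.
module LogSanitizer
  # C0 controls (including ESC 0x1b, which starts ANSI/CSI sequences), DEL,
  # and the C1 range 0x80-0x9f, which some terminals treat as 8-bit CSI.
  CONTROL = /[\x00-\x1f\x7f\u0080-\u009f]/

  # Coerce to valid UTF-8 first so matching never raises on raw request bytes.
  def self.normalize(str)
    str.to_s.dup.force_encoding(Encoding::UTF_8).scrub('?')
  end

  # True when the string contains anything a terminal would act on.
  def self.suspicious?(str)
    CONTROL.match?(normalize(str))
  end

  # Replace each control byte with a literal \xNN so the log line stays on
  # one line and prints verbatim in a terminal.
  def self.sanitize(str)
    normalize(str).gsub(CONTROL) { |c| format('\x%02x', c.ord) }
  end
end

# Hypothetical Rack-style logging middleware: every request-derived field is
# sanitized before it is written, regardless of what the terminal is.
class SafeLogger
  def initialize(app, io = $stderr)
    @app = app
    @io = io
  end

  def call(env)
    status, headers, body = @app.call(env)
    @io.write(format_line(env, status))
    [status, headers, body]
  end

  # One log line built only from sanitized copies of attacker-controlled fields.
  def format_line(env, status)
    method, path, query, ua = %w[REQUEST_METHOD PATH_INFO QUERY_STRING HTTP_USER_AGENT]
                              .map { |k| LogSanitizer.sanitize(env[k]) }
    "#{method} #{path}?#{query} status=#{status} ua=\"#{ua}\"\n"
  end
end

# Constructed sample request: the path carries an ESC-prefixed CSI sequence
# (clear screen, cursor home) and the User-Agent a BEL character.
SAMPLE_ENV = {
  'REQUEST_METHOD'  => 'GET',
  'PATH_INFO'       => "/search\e[2J\e[H",
  'QUERY_STRING'    => 'q=1',
  'HTTP_USER_AGENT' => "curl/8.0\a",
}.freeze

# Run the sample request through a trivial app behind SafeLogger and return
# the log line that would have been written.
def demo_line
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  io = StringIO.new
  SafeLogger.new(app, io).call(SAMPLE_ENV)
  io.string
end

puts demo_line if $PROGRAM_NAME == __FILE__
```

The check in `LogSanitizer.suspicious?` is also usable on its own as a detection signal: a request whose path or headers contain ESC or C1 bytes has no legitimate reason to, so counting such requests per source is a cheap way to spot probing of this class of bug in existing logs.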
