- Hi! @dmz006. I tested with a local image; I can observe the same thing.
- Hi! @dmz006, it seems to be a bug in the range of affected versions for 2.7.1. The affected versions are >=2.6.0. Trivy is only reflecting the GitHub advisory result: https://github.com/aquasecurity/vuln-list/blob/0756b586549026400f91221eb748a0df4251a17b/ghsa/rubygems/sprockets/GHSA-r4x3-g983-9g48.json#L43 I opened a ticket with GitHub to review this issue: https://support.github.com/contact?tags=rr-general-technical
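The reply above reports that the advisory's affected range for the 2.6/2.7 entry is recorded as >=2.6.0 with no upper bound. The Ruby script below is an added example, not code from Trivy, from this discussion, or from the GHSA database: it transcribes the ranges from the advisory description quoted in the original question on this page into RubyGems requirement strings, models the unbounded entry the reply describes (a constructed simplification, not the real GHSA JSON schema), and shows which data set flags sprockets 3.7.2. The range strings, constant names and helper functions are all assumptions of this example.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement ship with RubyGems

# Affected ranges for CVE-2014-7819, transcribed by hand from the advisory
# description quoted in the original question. Each string is a comma-separated
# RubyGems requirement; a version is affected if it satisfies any one entry.
RANGES_FROM_DESCRIPTION = [
  "< 2.0.5",
  ">= 2.1.0, < 2.1.4",
  ">= 2.2.0, < 2.2.3",
  ">= 2.3.0, < 2.3.3",
  ">= 2.4.0, < 2.4.6",
  ">= 2.5.0, < 2.5.1",
  ">= 2.6.0, < 2.7.1",             # "2.6.x and 2.7.x before 2.7.1"
  ">= 2.8.0, < 2.8.3",
  ">= 2.9.0, < 2.9.4",
  ">= 2.10.0, < 2.10.2",
  ">= 2.11.0, < 2.11.3",
  ">= 2.12.0, < 2.12.3",
  ">= 3.0.0.beta, < 3.0.0.beta.3", # "3.x before 3.0.0.beta.3" (pre-release builds)
].freeze

# Constructed model of the advisory data as the reply describes it: the 2.6/2.7
# entry carries only a lower bound (">= 2.6.0") and no upper bound. This is a
# simplification for illustration, not a copy of the GHSA JSON layout.
RANGES_WITH_UNBOUNDED_ENTRY = RANGES_FROM_DESCRIPTION.map do |r|
  r == ">= 2.6.0, < 2.7.1" ? ">= 2.6.0" : r
end.freeze

# Build a Gem::Requirement from "op ver, op ver" text (RubyGems itself does not
# split on commas; Bundler does that for Gemfiles, so we do it here).
def requirement(range_text)
  Gem::Requirement.new(*range_text.split(",").map(&:strip))
end

# Return the entries of +ranges+ that contain +version_text+ (empty if none).
def matching_ranges(version_text, ranges)
  version = Gem::Version.new(version_text)
  ranges.select { |r| requirement(r).satisfied_by?(version) }
end

def affected?(version_text, ranges)
  !matching_ranges(version_text, ranges).empty?
end

# Versions flagged by the unbounded data set but not by the description's
# ranges are false positives caused purely by the missing upper bound.
def false_positives(versions)
  versions.select do |v|
    affected?(v, RANGES_WITH_UNBOUNDED_ENTRY) && !affected?(v, RANGES_FROM_DESCRIPTION)
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[2.7.0 2.7.1 2.12.3 3.0.0.beta.2 3.7.2].each do |v|
    puts format("%-14s description: %-5s unbounded entry: %s", v,
                affected?(v, RANGES_FROM_DESCRIPTION),
                affected?(v, RANGES_WITH_UNBOUNDED_ENTRY))
  end
  puts "false positives: #{false_positives(%w[2.7.0 2.7.1 3.7.2]).inspect}"
  puts "entry matching 3.7.2: #{matching_ranges('3.7.2', RANGES_WITH_UNBOUNDED_ENTRY).inspect}"
end
```

Run it with `ruby`: 3.7.2 is flagged only by the data set with the unbounded entry, and `matching_ranges` names the entry responsible. That is the check to make whenever a scanner reports a CVE against a version that is later than every fixed version it lists: compare the scanner's affected-range data against the advisory text before filing a package-level bug.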
- GitHub advisory: GHSA-33pp-3763-mrfp
- Hello
  Just curious if I'm seeing or reading this wrong, but a trivy scan of a rails app shows CVE-2014-7819 while the current version of sprockets is 3.7.2.
  From the description in the scan:
  Description: Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
  Vulnerability: CVE-2014-7819
  Severity: Medium
  Package: sprockets
  Current version: 3.7.2
  Fixed in version: 2.7.1, 2.12.3, 2.11.3, 2.10.2, 2.9.4, 2.8.3, 2.5.1, 2.4.6, 2.2.3, 2.1.4, 2.0.5
  Is this an issue that should be submitted, or am I reading it wrong and missing an update?