redcarpet-3.2.3.gem: 2 vulnerabilities (highest severity is: 7.3) #5
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github.aaakk.us.kg
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Stack-based buffer overflow in the header_anchor function in the HTML renderer in Redcarpet before 3.3.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.
Publish Date: 2015-07-14
URL: CVE-2015-5147
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.0%
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5147
Release Date: 2015-07-14
Fix Resolution: 3.3.2
In order to enable automatic remediation, please create workflow rules
Vulnerable Library - redcarpet-3.2.3.gem
A fast, safe and extensible Markdown to (X)HTML parser
Library home page: https://rubygems.org/gems/redcarpet-3.2.3.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/redcarpet-3.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: 0dc5f6399caa3378e1374e91179039e2f27bffb8
Found in base branch: main
Vulnerability Details
Redcarpet is a Ruby library for Markdown processing. In Redcarpet before version 3.5.1, there is an injection vulnerability which can enable a cross-site scripting attack. In affected versions no HTML escaping was being performed when processing quotes. This applies even when the
:escape_htmloption was being used. This is fixed in version 3.5.1 by the referenced commit.Publish Date: 2021-01-11
URL: CVE-2020-26298
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-q3wr-qw3g-3p4h
Release Date: 2021-01-11
Fix Resolution: redcarpet - 3.5.1
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
The text was updated successfully, but these errors were encountered: