Ruby/grape/1.0.1
A Ruby framework for rapid API development with great conventions.
https://rubygems.org/gems/grape
MIT
2 Security Vulnerabilities
grape subject to Cross-site Scripting
Published date: 2018-08-13T20:45:32Z
CVE: CVE-2018-3769
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2018-3769
- https://github.com/advisories/GHSA-f599-5m7p-hcpf
- https://github.com/ruby-grape/grape/issues/1762
- https://github.com/ruby-grape/grape/pull/1763
- https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/grape/CVE-2018-3769.yml
The grape rubygem suffers from a cross-site scripting (XSS) vulnerability via format
parameter.
Affected versions:
["1.0.3", "1.0.2", "1.0.1", "0.19.2", "0.19.1", "0.16.2", "0.15.0", "0.13.0", "0.12.0", "0.10.0", "0.8.0", "0.6.1", "0.6.0", "0.4.1", "0.4.0", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.1.4", "0.1.3", "0.1.0", "0.0.0.alpha.2", "0.0.0.alpha.1", "1.0.0", "0.19.0", "0.18.0", "0.17.0", "0.16.1", "0.14.0", "0.11.0", "0.10.1", "0.9.0", "0.7.0", "0.5.0", "0.3.2", "0.3.1", "0.3.0", "0.2.6", "0.2.5", "0.2.1.1", "0.2.0", "0.1.5", "0.1.1"]
Secure versions:
[1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.3.0, 2.4.0]
Recommendation:
Update to version 2.4.0.
ruby-grape Gem has XSS via "format" parameter
Published date: 2018-05-23
CVE: 2018-3769
CVSS V3: 6.1
When request on API contains the format
parameter in GET, the input
value of this parameter is rendered as the web-server responds with
text/html header.
Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Affected versions:
["1.0.3", "1.0.2", "1.0.1", "0.19.2", "0.19.1", "0.16.2", "0.15.0", "0.13.0", "0.12.0", "0.10.0", "0.8.0", "0.6.1", "0.6.0", "0.4.1", "0.4.0", "0.2.4", "0.2.3", "0.2.2", "0.2.1", "0.1.4", "0.1.3", "0.1.0", "0.0.0.alpha.2", "0.0.0.alpha.1", "1.0.0", "0.19.0", "0.18.0", "0.17.0", "0.16.1", "0.14.0", "0.11.0", "0.10.1", "0.9.0", "0.7.0", "0.5.0", "0.3.2", "0.3.1", "0.3.0", "0.2.6", "0.2.5", "0.2.1.1", "0.2.0", "0.1.5", "0.1.1"]
Secure versions:
[1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.6.0, 1.6.1, 1.6.2, 1.7.0, 1.7.1, 1.8.0, 2.0.0, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.3.0, 2.4.0]
Recommendation:
Update to version 2.4.0.
74 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 0.7.0 | MIT | 2 | 2014-04-02 - 17:04 | over 11 years |
| 0.6.1 | MIT | 2 | 2013-10-19 - 20:02 | over 11 years |
| 0.6.0 | MIT | 2 | 2013-09-16 - 13:41 | almost 12 years |
| 0.5.0 | MIT | 2 | 2013-06-14 - 17:50 | about 12 years |
| 0.4.1 | MIT | 2 | 2013-04-01 - 13:00 | over 12 years |
| 0.4.0 | MIT | 2 | 2013-03-17 - 17:35 | over 12 years |
| 0.3.2 | MIT | 2 | 2013-03-01 - 01:59 | over 12 years |
| 0.3.1 | MIT | 2 | 2013-02-25 - 20:44 | over 12 years |
| 0.3.0 | MIT | 2 | 2013-02-21 - 15:11 | over 12 years |
| 0.2.6 | MIT | 2 | 2013-01-11 - 14:28 | over 12 years |
| 0.2.5 | MIT | 2 | 2013-01-11 - 01:26 | over 12 years |
| 0.2.4 | MIT | 2 | 2013-01-06 - 21:53 | over 12 years |
| 0.2.3 | MIT | 2 | 2012-12-24 - 20:27 | over 12 years |
| 0.2.2 | UNKNOWN | 2 | 2012-10-12 - 15:06 | over 12 years |
| 0.2.1.1 | MIT | 2 | 2013-01-11 - 20:50 | over 12 years |
| 0.2.1 | UNKNOWN | 2 | 2012-07-13 - 17:14 | almost 13 years |
| 0.2.0 | UNKNOWN | 2 | 2012-03-28 - 23:45 | over 13 years |
| 0.1.5 | UNKNOWN | 2 | 2011-07-15 - 03:27 | almost 14 years |
| 0.1.4 | UNKNOWN | 2 | 2011-04-08 - 05:33 | over 14 years |
| 0.1.3 | UNKNOWN | 2 | 2011-01-10 - 18:11 | over 14 years |
| 0.1.1 | UNKNOWN | 2 | 2010-11-14 - 17:15 | over 14 years |
| 0.1.0 | UNKNOWN | 2 | 2010-11-13 - 20:20 | over 14 years |
| 0.0.0.alpha.1 | UNKNOWN | 2 | 2010-08-27 - 06:06 | almost 15 years |
| 0.0.0.alpha.2 | UNKNOWN | 2 | 2010-08-31 - 02:28 | almost 15 years |