grape 0.2.1

1 security vulnerability found in version 0.2.1

ruby-grape Gem has XSS via "format" parameter

medium severity CVE-2018-3769
Patched versions: >= 1.1.0

When an API request passes the "format" parameter in a GET request, the parameter's value is rendered into the response, which the web server serves with a text/html content type.

Example: http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E

1 memory leak found in version 0.2.1

Memory leak in formatter middleware

301
Patched versions: >= 0.10
Leaky versions: < 0.2.5

Calling .to_sym on the user-supplied format value leaks the symbol, since symbols are never garbage collected; malicious users can abuse this.
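Both advisories on this page come from the same root cause: the raw "format" parameter reaching the response body (XSS) and the symbol table (leak). The following Ruby snippet is an added illustration of the defensive pattern, not code from the grape project: it resolves the format against a fixed allowlist (so client input is never passed to `.to_sym`) and HTML-escapes the value before reflecting it in a text/html error body. The `FORMATS` table, the Rack-style `handle_request` helper and the `symbol_growth` measurement are assumptions made for this example.

```ruby
require 'cgi'

# Allowlist of formats this API serves, built once at load time. Converting the
# keys to symbols here, rather than converting request input, means the set of
# symbols in the process never grows because of what a client sends.
# (Constructed example values; not grape's own tables.)
FORMATS = {
  'json' => { sym: :json, content_type: 'application/json' },
  'xml'  => { sym: :xml,  content_type: 'application/xml' },
  'txt'  => { sym: :txt,  content_type: 'text/plain' }
}.freeze

# Map the raw "format" parameter to an allowlisted symbol, or nil if unsupported.
# The input is only ever used as a String hash key; #to_sym is never called on it.
def resolve_format(param)
  return nil if param.nil?
  entry = FORMATS[param.to_s.strip.downcase]
  entry && entry[:sym]
end

# Response for an unsupported format. The client-controlled value is HTML-escaped
# before it is reflected into a text/html body, which closes the XSS vector.
def unsupported_format_response(param)
  safe = CGI.escapeHTML(param.to_s)
  [406, { 'Content-Type' => 'text/html; charset=utf-8' },
   "<p>Unsupported format: #{safe}</p>"]
end

# Minimal Rack-style handler (hypothetical): returns [status, headers, body].
def handle_request(params)
  fmt = resolve_format(params['format'])
  return unsupported_format_response(params['format']) if fmt.nil?
  [200, { 'Content-Type' => FORMATS[fmt.to_s][:content_type] }, 'ok']
end

# Measures how many new symbols `n` distinct, client-chosen format values add to
# the symbol table. With the allowlist above the answer is 0; a handler that called
# params['format'].to_sym directly would add one entry per distinct value.
def symbol_growth(n)
  resolve_format('warmup-value')   # let any lazy setup happen before measuring
  Symbol.all_symbols
  before = Symbol.all_symbols.size
  n.times { |i| resolve_format("fmt-#{i}-#{rand(1_000_000)}") }
  Symbol.all_symbols.size - before
end

if $PROGRAM_NAME == __FILE__
  p handle_request('format' => 'json')
  p handle_request('format' => '<script>alert(document.cookie)</script>')
  p symbol_growth(10_000)
end
```

The allowlist is the important part: comparing strings against a fixed table means the only symbols that ever exist are the ones created at load time, regardless of how many distinct values a client sends, and escaping on the error path is what stops the reflected value from being interpreted as markup.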

Gem version without a license.


Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.

This gem version is available.


This gem version has not been yanked and is still available for usage.