kaminari 0.9.7

2 security vulnerabilities found in version 0.9.7

Insecure File Permissions vulnerability in kaminari

medium severity CVE-2024-32978
Patched versions: >= 0.16.2

kaminari versions prior to 0.16.2 are vulnerable to an Insecure File Permissions vulnerability, where certain files within the kaminari gem have insecure file permissions.

Versions Affected: < 0.16.2
Fixed Versions: >= 0.16.2

Impact

An attacker with local access could write arbitrary code to the affected files resulting in arbitrary code execution.

Releases

The fixed releases are available at the normal locations.

Workarounds

Manually set the permissions of the affected files to 644.

All Affected Versions:

lib/kaminari/models/page_scope_methods.rb

Version 0.15.0 and 0.15.1:

spec/models/mongo_mapper/mongo_mapper_spec.rb

Version 0.16.0:

spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb

Version 0.16.1:

spec/models/active_record/scopes_spec.rb
spec/models/mongo_mapper/mongo_mapper_spec.rb
spec/models/mongoid/mongoid_spec.rb
gemfiles/data_mapper_12.gemfile
gemfiles/active_record_32.gemfile
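The workaround above is to reset the listed files to mode 644. The following is an added example, not code from kaminari or from the advisory: it checks the files named in the advisory under a gem root for group- or world-writable mode bits (an assumption about what "insecure permissions" means here, consistent with the 644 target) and resets them. The gem root is located through RubyGems; the stand-alone demo constructs a temporary gem root with one affected file set to 0666 so it runs without kaminari installed.

```ruby
# Added example: audit the files named in the CVE-2024-32978 advisory under a
# gem root and reset any that are group/world-writable to 0644.
# Not kaminari's own code; the mode-bit check is an assumption.
require "fileutils"
require "tmpdir"

# Paths relative to the gem root, as listed in the advisory.
AFFECTED_FILES = %w[
  lib/kaminari/models/page_scope_methods.rb
  spec/models/mongo_mapper/mongo_mapper_spec.rb
  spec/models/mongoid/mongoid_spec.rb
  spec/models/active_record/scopes_spec.rb
  gemfiles/data_mapper_12.gemfile
  gemfiles/active_record_32.gemfile
].freeze

# Relative paths of listed files that exist under gem_root and carry the
# group-write or other-write bit (0o022).
def insecure_files(gem_root, files = AFFECTED_FILES)
  files.select do |rel|
    path = File.join(gem_root, rel)
    File.file?(path) && (File.stat(path).mode & 0o022) != 0
  end
end

# Applies the advisory's workaround (mode 644) and returns the paths changed.
def fix_permissions!(gem_root, files = AFFECTED_FILES)
  insecure_files(gem_root, files).each do |rel|
    File.chmod(0o644, File.join(gem_root, rel))
  end
end

# Install directory of a gem via RubyGems, or nil when it is not installed.
def installed_gem_root(name = "kaminari")
  Gem::Specification.find_by_name(name).gem_dir
rescue Gem::LoadError
  nil
end

# Constructed fixture for the demo: a fake gem root with one affected file
# deliberately set to 0666. Returns the root directory.
def demo_fixture(dir)
  rel = AFFECTED_FILES.first
  FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
  File.write(File.join(dir, rel), "# constructed placeholder\n")
  File.chmod(0o666, File.join(dir, rel))
  dir
end

if __FILE__ == $PROGRAM_NAME
  root = installed_gem_root
  if root
    puts "kaminari at #{root}: insecure #{insecure_files(root).inspect}"
  else
    Dir.mktmpdir do |dir|
      demo_fixture(dir)
      puts "before: #{insecure_files(dir).inspect}"
      puts "fixed:  #{fix_permissions!(dir).inspect}"
      puts "after:  #{insecure_files(dir).inspect}"
    end
  end
end
```

Run it once before and once after upgrading to 0.16.2 or later; an empty result from `insecure_files` means none of the listed files is writable beyond its owner.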

Cross-Site Scripting in Kaminari via original_script_name parameter

medium severity CVE-2020-11082
Patched versions: >= 1.2.1

Impact

There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.

For example, an attacker could craft pagination links that point to another domain or host: https://example.com/posts?page=4&original_script_name=https://another-host.example.com

In addition, an attacker could also craft pagination links that include JavaScript code that runs when a user clicks the link: https://example.com/posts?page=4&original_script_name=javascript:alert(42)%3b//

Releases

The 1.2.1 gem including the patch has already been released. All past released versions are affected by this vulnerability.

Workarounds

Application developers who can't update the gem can work around the issue by overriding the PARAM_KEY_EXCEPT_LIST constant so that the script_name and original_script_name parameters are dropped before pagination links are built:

```ruby
module Kaminari::Helpers
  PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
end
```
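To show what the except list buys you, here is an added example, not Kaminari's own code: a deliberately simplified link builder in which `original_script_name` is treated as a path prefix (an assumption standing in for the real helper, which hands the params to Rails' `url_for`), placed beside a version that filters the request params through the except list first. The sample params use the `javascript:` value from the advisory above.

```ruby
# Added example: simplified model of pagination-link construction, not
# Kaminari's implementation. Shows how excluding routing-related keys keeps
# an attacker-controlled original_script_name out of generated links.
require "uri"

# Same list as the advisory's workaround.
PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method,
                         :script_name, :original_script_name].freeze

# Models the pre-1.2.1 behaviour (assumption): original_script_name from the
# request params is honoured as a prefix for the generated link.
def vulnerable_link(path, params, page)
  prefix = params["original_script_name"].to_s
  rest = params.reject { |k, _| k == "original_script_name" }
  rest["page"] = page.to_s
  "#{prefix}#{path}?#{URI.encode_www_form(rest)}"
end

# Hardened builder: every key in the except list is dropped before the
# link is assembled, so only the path and the surviving query keys remain.
def pagination_link(path, params, page, except: PARAM_KEY_EXCEPT_LIST)
  kept = params.reject { |k, _| except.include?(k.to_sym) }
  kept["page"] = page.to_s
  "#{path}?#{URI.encode_www_form(kept)}"
end

# Constructed request params carrying the payload quoted in the advisory.
SAMPLE_PARAMS = {
  "page" => "4",
  "q" => "ruby",
  "original_script_name" => "javascript:alert(42);//"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{vulnerable_link('/posts', SAMPLE_PARAMS, 5)}"
  puts "hardened:   #{pagination_link('/posts', SAMPLE_PARAMS, 5)}"
end
```

The hardened output is a same-origin relative URL, which is the property the 1.2.1 fix restores; the point of the override is that the filtering happens before any URL helper sees the params, so it does not depend on how the helper treats the key.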

No officially reported memory leakage issues detected.

This gem version does not have any officially reported memory leak issues.

The author did not declare a license for this gem in the gemspec.

This gem version has an MIT license in the source code; however, it was not declared in the gemspec file.

This gem version is available.

This gem version has not been yanked and is still available for use.