-
-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Brakeman reporting false positive on CVE-2018-8048 #209
Comments
Same issue here |
This is an issue with the Loofah version detection in Brakeman: presidentbeef/brakeman#1603. There's a fix waiting to go in here presidentbeef/brakeman#1604 |
@pezholio Thanks for the pointer, I'll leave this open until that's resolved so folks understand what's going on. |
Wait, how the heck did I end up posting this to the loofah issues, thought all the time I was in the Brakeman GitHub repo 🙈. Monday mood, indeed. |
@jarkko Happens to the best of us! |
FWIW - the fix is now in for Brakeman (presidentbeef/brakeman#1607), and a new version has been pushed to RubyGems, so I think this can be closed |
Thanks for your patience, everybody! |
- The report actually says: "loofah gem 2.13.0 is vulnerable (CVE-2018-8048). Upgrade to 2.2.1." - On closer inspection, you'll see that 2.2.1 is a *downgrade* from 2.13.0 A known issue: flavorjones/loofah#209
We're getting this with our Rails app, with the brand new loofah 2.10:
However, the CVE is from 2018, and 2.10.0 is clearly > 2.2.1. Can it be that the "10" is somehow detected as smaller than "2" (perhaps sorting as a string instead of a number)?
The text was updated successfully, but these errors were encountered: