Cybersecurity risks never rest.
⚠️ Stay ahead with our Security Audit service. We’ll identify vulnerabilities and fortify your app's defenses—so you can focus on your core business: https://www.fastruby.io/security-audit?utm_source=twitter&utm_medium=organic&utm_campaign=securityaudit&utm_term=&utm_content=gif
#rubyonrails #rubysec #railssec #infosec
There is no greater threat to your Rails app than exploitable code.
ICYMI: Our Rails security webinar is out and free to watch! Check out our new blog to watch it, as well as Ernesto’s slides. Make sure to bookmark our resources linked throughout—you’ll need them!
#rubysec #security #infosec #cybersecurity #websecurity
Did you miss last week's Rails security webinar? Catch the replay over here: https://www.fastruby.io/blog/fortify-rails-security-webinar.html?utm_source=twitter&utm_campaign=infosec
#rubysec #railssec #infosec #rails
@wj @p8 ohh yeah, that part is clear, @postmodern. I meant the part about the #Rails 6.0.x branch having no patches for those CVEs, then the warning on GitHub + the different interpretations of what is patched at GitHub advisories & #rubysec - the latter is correct, IMO.
@wj @p8 OTOH #rubysec reports that both CVE-2023-22792 & CVE-2023-22795 affect all #rails versions, and there's no fix for the 6.0.x branch
https://rubysec.com/advisories/CVE-2023-22792/
https://rubysec.com/advisories/CVE-2023-22795/
Perhaps @postmodern can help here.
Nevertheless, I'd suggest an upgrade to rails 6.0.6.1 because of CVE-2023-22794
https://rubysec.com/advisories/CVE-2023-22794/
which is fixed by activerecord 6.0.6.1
CVE-2022-46648 (ruby-git / git gem) has been added to the ruby-advisory-db, based on the publicly available information, to encourage everyone to upgrade to git 1.13.0. Remember, eval() is evil!
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/git/CVE-2022-46648.yml
#ruby #security #rubysec
Working on adding CVE-2022-46648 (ruby-git / git gem) to ruby-advisory-db based on what I could piece together.
https://github.com/rubysec/ruby-advisory-db/pull/534
#ruby #security #rubysec
Spotted on the birbsite, this looks bad. Someone carelessly used eval() to unquote Strings in the ruby-git gem, instead of something like Shellwords.shellsplit. The ruby-git gem is used by many other gems. I don't think the vuln has a public CVE yet nor a GHSA ID (but I did manually add it to ruby-advisory-db). It was however patched in version 1.13.0, so `bundle up git` if the git gem is in your Gemfile.lock.
https://twitter.com/ooooooo_q/status/1611545398061191168
#ruby #security #rubysec
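The eval-versus-Shellwords point in the post above, as an added illustration that is not the ruby-git gem's own code (nor its fix): a throwaway unquote helper built on eval beside two alternatives that never execute their input. The function names, the `C_ESCAPES` table and the sample inputs are constructed for this example.

```ruby
require 'shellwords'

# Added illustration, not code from the ruby-git gem: three ways to turn a
# double-quoted string such as "foo bar" back into foo bar. Only the first
# hands the input to the Ruby interpreter. Function names and the sample
# inputs below are constructed for this example.

# Set only when a payload actually executes; lets us observe the difference.
$side_effect = nil

# DELIBERATELY UNSAFE: eval parses the *whole* input as Ruby, so anything
# that starts with a quote and is a valid expression gets run.
def unquote_with_eval(quoted)
  eval(quoted)
end

# Safe for shell-style quoting: shellsplit handles quotes, backslashes and
# whitespace like a tokenizer and never evaluates its input.
def unquote_with_shellwords(quoted)
  Shellwords.shellsplit(quoted).first
end

# Safe for C-style quoting as printed by many tools ("\303\251.txt", with
# octal and backslash escapes): decode the escapes by hand, byte by byte.
C_ESCAPES = {
  'n' => "\n", 't' => "\t", 'r' => "\r", '"' => '"', '\\' => '\\'
}.freeze

def unquote_c_style(quoted)
  # Inputs that are not wrapped in double quotes are returned unchanged.
  return quoted unless quoted.length >= 2 && quoted.start_with?('"') && quoted.end_with?('"')

  body = quoted[1..-2].b # work on raw bytes so octal escapes can be assembled
  decoded = body.gsub(/\\([0-7]{1,3}|.)/) do
    esc = Regexp.last_match(1)
    if esc.match?(/\A[0-7]+\z/)
      esc.to_i(8).chr(Encoding::BINARY)
    else
      C_ESCAPES.fetch(esc) { raise ArgumentError, "unknown escape \\#{esc}" }
    end
  end
  decoded.force_encoding(Encoding::UTF_8)
end

# Runs +payload+ through the unquoter given as a block and reports whether
# the Ruby code embedded in the payload executed.
def payload_executed?(payload)
  $side_effect = nil
  yield payload
  $side_effect == :code_ran
end

if __FILE__ == $PROGRAM_NAME
  # A "path" that is also a valid Ruby expression with a side effect.
  payload = '"repo.txt".tap { $side_effect = :code_ran }'
  puts "eval:       executed=#{payload_executed?(payload) { |p| unquote_with_eval(p) }}"
  puts "shellwords: executed=#{payload_executed?(payload) { |p| unquote_with_shellwords(p) }}"
  puts "c-style:    executed=#{payload_executed?(payload) { |p| unquote_c_style(p) }}"
  puts "octal path: #{unquote_c_style('"\\303\\251.txt"').inspect}"
end
```

All three helpers return `foo bar` for the benign input; only the eval variant runs the payload, because eval accepts any expression that merely starts with a quote. Shellwords is the right tool when the quoting is shell-style; when the quoting is C-style (octal escapes for non-ASCII bytes), a small hand-written decoder covers it without an interpreter in the loop.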