YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file. This vulnerability is fixed in 0.9.35.

References:
https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
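As an added illustration of the bug class the description points at (this is not YARD's frames.erb; the real code and its fix are in the linked commit): a frames page takes a navigation target from the URL fragment and sends the top window there. If that value is used unchecked, a link such as `frames.html#!javascript:alert(document.domain)` runs script in the documentation site's origin. The hardened variant below accepts only a plain relative path that resolves to the same origin as the docs. `DEFAULT_TARGET` and the `docs.example.test` base URL are assumptions made for the example.

```javascript
// Added example of the bug class in the description (not YARD's own frames.erb).
// A frame page takes a target from the URL fragment, e.g. frames.html#!Foo/Bar.html,
// and sends the top window there. Trusting the fragment as-is lets a link like
// frames.html#!javascript:alert(document.domain) run script in the docs' origin.

const DEFAULT_TARGET = "index.html"; // assumed landing page for the example
const DOCS_BASE = "https://docs.example.test/yard/frames.html"; // assumed docs location

// Extract the part after "#!" from a fragment, or null if absent or malformed.
function fragmentTarget(hash) {
  let decoded;
  try {
    decoded = decodeURIComponent(hash);
  } catch (e) {
    return null; // bad percent-encoding: treat as "no target"
  }
  const match = decoded.match(/^#!(.+)/);
  return match ? match[1] : null;
}

// Vulnerable: whatever the fragment says becomes the navigation target,
// so a "javascript:" or "data:" URL goes straight to window.top.location.
function vulnerableTarget(hash) {
  return fragmentTarget(hash) || DEFAULT_TARGET;
}

// Hardened: only a plain relative path that stays inside the documentation
// origin is accepted; anything else falls back to the default page.
function hardenedTarget(hash, base) {
  const candidate = fragmentTarget(hash);
  if (candidate === null) return DEFAULT_TARGET;
  const rejected =
    /^[a-z][a-z0-9+.-]*:/i.test(candidate) ||   // any scheme: javascript:, data:, http:
    /^[\\/]/.test(candidate) ||                 // absolute path or protocol-relative //host
    /(^|[\\/])\.\.([\\/]|$)/.test(candidate) || // parent-directory traversal
    /[\x00-\x20]/.test(candidate);              // control characters and whitespace
  if (rejected) return DEFAULT_TARGET;
  // Resolve against the docs root and require the result to stay on that origin
  // with an http(s) scheme; this also catches anything the regexes missed.
  let resolved;
  try {
    resolved = new URL(candidate, base);
  } catch (e) {
    return DEFAULT_TARGET;
  }
  const root = new URL(base);
  if (resolved.origin !== root.origin || !/^https?:$/.test(resolved.protocol)) {
    return DEFAULT_TARGET;
  }
  return resolved.href;
}

// In a real page the hardened value would be wired in as:
//   window.top.location = hardenedTarget(window.location.hash, window.location.href);
```

The scheme check is the essential one: a `javascript:` URL does not contain `://`, so a filter that only strips `scheme://` prefixes still lets it through, and assigning such a URL to `location` executes it.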
Created golang-github-aws-aws-sdk-go tracking bugs for this issue: Affects: epel-7 [bug 2267247]
Created puppet tracking bugs for this issue: Affects: epel-8 [bug 2267254]
Created rubygem-aruba tracking bugs for this issue: Affects: epel-8 [bug 2267255]
Created rubygem-asciidoctor tracking bugs for this issue: Affects: epel-7 [bug 2267248]; Affects: epel-8 [bug 2267256]
Created rubygem-docile tracking bugs for this issue: Affects: epel-8 [bug 2267257]
Created rubygem-dynect_rest tracking bugs for this issue: Affects: epel-7 [bug 2267249]
Created rubygem-fog-core tracking bugs for this issue: Affects: epel-7 [bug 2267250]
Created rubygem-fog-softlayer tracking bugs for this issue: Affects: epel-7 [bug 2267251]
Created rubygem-git tracking bugs for this issue: Affects: epel-8 [bug 2267258]
Created rubygem-public_suffix tracking bugs for this issue: Affects: epel-8 [bug 2267259]
Created rubygem-rouge tracking bugs for this issue: Affects: epel-7 [bug 2267252]
Created rubygem-semantic_puppet tracking bugs for this issue: Affects: epel-8 [bug 2267260]
Created rubygem-thread_safe tracking bugs for this issue: Affects: epel-7 [bug 2267253]
Created rubygem-vault tracking bugs for this issue: Affects: epel-7 [bug 2267246]
Created golang-github-aws-aws-sdk-go tracking bugs for this issue: Affects: epel-all [bug 2267263]
Created puppet tracking bugs for this issue: Affects: epel-all [bug 2267264]
Created rubygem-aruba tracking bugs for this issue: Affects: epel-all [bug 2267265]
Created rubygem-asciidoctor tracking bugs for this issue: Affects: epel-all [bug 2267266]
Created rubygem-docile tracking bugs for this issue: Affects: epel-all [bug 2267267]
Created rubygem-dynect_rest tracking bugs for this issue: Affects: epel-all [bug 2267268]
Created rubygem-fog-core tracking bugs for this issue: Affects: epel-all [bug 2267269]
Created rubygem-fog-softlayer tracking bugs for this issue: Affects: epel-all [bug 2267270]
Created rubygem-git tracking bugs for this issue: Affects: epel-all [bug 2267271]
Created rubygem-public_suffix tracking bugs for this issue: Affects: epel-all [bug 2267272]
Created rubygem-rouge tracking bugs for this issue: Affects: epel-all [bug 2267273]
Created rubygem-semantic_puppet tracking bugs for this issue: Affects: epel-all [bug 2267274]
Created rubygem-thread_safe tracking bugs for this issue: Affects: epel-all [bug 2267275]
Created rubygem-vault tracking bugs for this issue: Affects: epel-all [bug 2267276]
I wonder how this list was compiled? I would be surprised if most of the trackers are false positives.
Created alexandria tracking bugs for this issue: Affects: fedora-all [bug 2267277]
Created rubygem-asciidoctor tracking bugs for this issue: Affects: fedora-all [bug 2267278]
Created rubygem-byebug tracking bugs for this issue: Affects: fedora-all [bug 2267279]
Created rubygem-childprocess tracking bugs for this issue: Affects: fedora-all [bug 2267280]
Created rubygem-chunky_png tracking bugs for this issue: Affects: fedora-all [bug 2267281]
Created rubygem-cookiejar tracking bugs for this issue: Affects: fedora-all [bug 2267282]
Created rubygem-dnsruby tracking bugs for this issue: Affects: fedora-all [bug 2267283]
Created rubygem-elasticsearch-transport tracking bugs for this issue: Affects: fedora-all [bug 2267284]
Created rubygem-ffi tracking bugs for this issue: Affects: fedora-all [bug 2267285]
Created rubygem-file-tail tracking bugs for this issue: Affects: fedora-all [bug 2267286]
Created rubygem-fog-core tracking bugs for this issue: Affects: fedora-all [bug 2267287]
Created rubygem-fog-libvirt tracking bugs for this issue: Affects: fedora-all [bug 2267288]
Created rubygem-git tracking bugs for this issue: Affects: fedora-all [bug 2267289]
Created rubygem-haml tracking bugs for this issue: Affects: fedora-all [bug 2267290]
Created rubygem-hashdiff tracking bugs for this issue: Affects: fedora-all [bug 2267291]
Created rubygem-locale tracking bugs for this issue: Affects: fedora-all [bug 2267292]
Created rubygem-middleware tracking bugs for this issue: Affects: fedora-all [bug 2267293]
Created rubygem-msgpack tracking bugs for this issue: Affects: fedora-all [bug 2267295]
Created rubygem-prawn tracking bugs for this issue: Affects: fedora-all [bug 2267296]
Created rubygem-prawn-table tracking bugs for this issue: Affects: fedora-all [bug 2267297]
Created rubygem-protobuf tracking bugs for this issue: Affects: fedora-all [bug 2267298]
Created rubygem-public_suffix tracking bugs for this issue: Affects: fedora-all [bug 2267299]
Created rubygem-pundit tracking bugs for this issue: Affects: fedora-all [bug 2267300]
Created rubygem-red-colors tracking bugs for this issue: Affects: fedora-all [bug 2267301]
Created rubygem-rest-client tracking bugs for this issue: Affects: fedora-all [bug 2267302]
Created rubygem-rouge tracking bugs for this issue: Affects: fedora-all [bug 2267303]
Created rubygem-rspec-core tracking bugs for this issue: Affects: fedora-all [bug 2267304]
Created rubygem-rspec-expectations tracking bugs for this issue: Affects: fedora-all [bug 2267305]
Created rubygem-rspec-mocks tracking bugs for this issue: Affects: fedora-all [bug 2267306]
Created rubygem-ruby-vips tracking bugs for this issue: Affects: fedora-all [bug 2267307]
Created rubygem-selenium-webdriver tracking bugs for this issue: Affects: fedora-all [bug 2267308]
Created rubygem-semantic_puppet tracking bugs for this issue: Affects: fedora-all [bug 2267309]
Created rubygem-test-unit-notify tracking bugs for this issue: Affects: fedora-all [bug 2267310]
Created rubygem-test-unit-rr tracking bugs for this issue: Affects: fedora-all [bug 2267311]
Created rubygem-thread_safe tracking bugs for this issue: Affects: fedora-all [bug 2267312]
Created rubygem-tins tracking bugs for this issue: Affects: fedora-all [bug 2267313]
Ah, I see, yard is likely mentioned in a shipped Gemfile, at least in rubygem-public_suffix, but ... I really doubt the usefulness of reports which are based on Gemfile, package.json and similar. Can this be prevented? Or could the reason for such reports at least be reported somewhere? If there were some security issue, it would be lost among the sheer amount of these false positives.
Can you please scan the packages for the `frames.html` instead? That should be the file which is vulnerable.