Hakiri says there is a vulnerability in Rack:
[CVE-2020-8161] Directory traversal in Rack::Directory
Directory traversal in Rack::Directory
There was a possible directory traversal vulnerability in the Rack::Directory app
that is bundled with Rack.
This vulnerability has been assigned the CVE identifier CVE-2020-8161.
Versions Affected: rack < 2.2.0
Not affected: Applications that do not use Rack::Directory.
Fixed Versions: 2.1.3, >= 2.2.0
Testing-wise, if the site loads, we’re probably okay.
We don’t use Rack::Directory. I've marked the Hakiri finding as a false positive. We can fix this whenever, at which point we can unmark the finding as a false positive.
CVE-2020-8184: I think we should bump the version.
Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4
Site loads for me!
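Added example (editor's code, not from this thread or from the Rack project): a Ruby check that takes the fixed-version ranges exactly as the two advisories quoted above state them and reports which CVE ids still apply to a given Rack version, plus a small helper that pulls the resolved rack version out of a Gemfile.lock. The lockfile text is constructed for the example; the function names are assumptions, not part of any library. The 2.1.x and 2.2.x branches are handled separately because the ranges do not line up: 2.2.0 through 2.2.2 are fixed for CVE-2020-8161 but still affected by CVE-2020-8184.

```ruby
# Added example, not code from this thread: check a Rack version against the
# fixed ranges the two advisories quoted above give, and pull the resolved
# rack version out of a Gemfile.lock.
require "rubygems"

# One entry per CVE; a version counts as fixed if it satisfies ANY requirement
# in the list. Ranges follow the advisories: note that 2.2.0..2.2.2 is fixed
# for CVE-2020-8161 but still affected by CVE-2020-8184.
FIXED_RACK_VERSIONS = {
  "CVE-2020-8161" => ["~> 2.1.3", ">= 2.2.0"], # 2.1.3 (and later 2.1.x), or 2.2.0 and up
  "CVE-2020-8184" => ["~> 2.1.4", ">= 2.2.3"], # 2.1.4 (and later 2.1.x), or 2.2.3 and up
}.freeze

# Returns the CVE ids from FIXED_RACK_VERSIONS that still apply to
# +version_string+; an empty array means the version is fixed for both.
def unfixed_rack_cves(version_string)
  version = Gem::Version.new(version_string)
  FIXED_RACK_VERSIONS.reject do |_cve, requirements|
    requirements.any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end.keys
end

# Extracts the resolved rack version from Gemfile.lock text. Only the spec
# line "    rack (x.y.z)" is matched; dependency lines such as
# "      rack (>= 1.0, < 3)" are indented deeper and start with an operator,
# so they do not match. Returns nil when rack is not in the lockfile.
def rack_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}rack \((\d[^)]*)\)/)
  match && match[1]
end

# Constructed sample lockfile (hypothetical, not this project's) pinning rack 2.1.2.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.1.2)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack-test
LOCK

if $PROGRAM_NAME == __FILE__
  version = rack_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "rack #{version}: unfixed CVEs = #{unfixed_rack_cves(version).inspect}"
end
```

Run it against the real Gemfile.lock by replacing SAMPLE_LOCKFILE with `File.read("Gemfile.lock")`; for the constructed sample it reports both CVE ids for rack 2.1.2, and a bump to 2.1.4 or 2.2.3 clears both.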