Security audit report

Vulnerability scanning

PactFlow On-Premises uses the following tools to ensure the On-Premises image is kept as secure as possible.

  • Bundler Audit

  • NPM audit

  • Trivy

  • Quay Security Scanner

  • Amazon ECR Image scanning

Reporting vulnerabilities

To report a vulnerability, please contact security and ensure you include the relevant CVE, and the name and/or path to the vulnerable component.

Identifying the correct Ruby version

Many scanning tools have trouble identifying the correct version of Ruby installed on an image because Ruby stores its gems in a directory path that uses the minor version of Ruby (e.g., 2.7.0) rather than the patch version (eg. 2.7.6). This can be demonstrated by running the following command:

docker run --rm -it --entrypoint gem quay.io/pactflow/enterprise:latest environment

Example output (note the RUBY VERSION of 2.7.6 while the GEM PATHS use 2.7.0):

RubyGems Environment:
  - RUBYGEMS VERSION: 3.1.6
  - RUBY VERSION: 2.7.6 (2022-04-12 patchlevel 219) [x86_64-linux-musl]
  - INSTALLATION DIRECTORY: /usr/local/bundle
  - USER INSTALLATION DIRECTORY: /root/.gem/ruby/2.7.0
  - RUBY EXECUTABLE: /usr/local/bin/ruby
  - GIT EXECUTABLE:
  - EXECUTABLE DIRECTORY: /usr/local/bundle/bin
  - SPEC CACHE DIRECTORY: /root/.gem/specs
  - SYSTEM CONFIGURATION DIRECTORY: /usr/local/etc
  - RUBYGEMS PLATFORMS:
    - ruby
    - x86_64-linux-musl
  - GEM PATHS:
     - /usr/local/bundle
     - /root/.gem/ruby/2.7.0
     - /usr/local/lib/ruby/gems/2.7.0
  - GEM CONFIGURATION:
     - :update_sources => true
     - :verbose => true
     - :backtrace => false
     - :bulk_threshold => 1000
     - "install" => "--no-document"
     - "update" => "--no-document"
  - REMOTE SOURCES:
     - https://rubygems.org/
  - SHELL PATH:
     - /usr/local/bundle/bin
     - /usr/local/sbin
     - /usr/local/bin
     - /usr/sbin
     - /usr/bin
     - /sbin
     - /bin

The difficulty that tools have in identifying the correct version of Ruby can lead to false positives being reported. Please check the version of Ruby before submitting a vulnerability report.

Identifying the installed gem versions

To list the gems installed on the PactFlow On-Premises image, run:

docker run --rm -it --entrypoint gem quay.io/pactflow/enterprise:latest "list"

Known vulnerabilities

CVE-2015-9284

Component

omniauth gem

CVE

https://nvd.nist.gov/vuln/detail/CVE-2015-9284

Detectable in versions of PactFlow On-Premises

All.

Status

Non-exploitable.

Notes

This CVE is a CSRF vulnerability during sign in. This vulnerability is only exploitable if the initial request from the service provider to the identify provider is vulnerable to a CSRF attack because it uses a GET request without any CSRF protection. In PactFlow On-Premises, this is not possible as PactFlow On-Premises uses a POST request method with a CSRF token for the initial request to the IDP, as per the mitigation instructions here.

This can be observed by viewing the source of the login form.

<form action="https://example.com/auth/saml" method="post">
  <input type="hidden" name="authenticity_token" value="i_nnrcJziCKKNMb-FRQtxot2ZE6nsNpIhC_AtsK5Boc=">
  <button type="submit">SAML</button>
</form>

CVE-2021-41816

Component

The cgi library included in Ruby before 2.7.5 and 3.x before 3.0.3, and the cgi gem before 0.3.1.

CVE

https://nvd.nist.gov/vuln/detail/CVE-2021-41816

Status

False positive.

Notes

This vulnerability only affects platforms that use a 4-byte -ong data type, typically Windows. The PactFlow On-Premises base image uses 64-bit Ubuntu Linux, which uses an 8-byte long.

CVE-2020-36599

Description

lib/omniauth/failure_endpoint.rb in OmniAuth before 1.9.2 (and before 2.0) does not escape the message_key value.

Component

omniauth gem

Status

Non-exploitable.

Detectable in versions of PactFlow On-Premises

Up to and including 1.19.2.

Fixed versions

1.19.3 and later.

Notes

PactFlow On-Premises uses a custom failure endpoint, so the vulnerable code is never executed.

Mitigation guidance

If you must remove the libpam* packages for compliance reasons:

  • Be aware that this action may break the container’s ability to use aptapt-get, or dpkg.

  • You must force-remove the packages using dpkg with dependency resolution disabled:

    dpkg -r --force-depends libpam-modules libpam-runtime libpam0g libpam-modules-bin login passwd

  • This may prevent future upgrades or installation of packages within the running container.

  • PactFlow On-Premises continues to function correctly, but package management inside the container will be unsupported.

Caution

This operation is not recommended unless you understand and accept the trade-offs.

In this section:
© 2025
Publication date: