bundler-audit 0.1.0 → 0.2.0

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml

@@ -0,0 +1,20 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-1855
+osvdb: 91452
+url: http://www.osvdb.org/show/osvdb/91452
+title: XSS vulnerability in sanitize_css in Action Pack
+date: 2013-03-19
+
+description: | 
+  There is an XSS vulnerability in the `sanitize_css` method in Action
+  Pack. Carefully crafted text can bypass the sanitization provided in
+  the `sanitize_css` method in Action Pack
+
+cvss_v2: 4.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml

@@ -0,0 +1,23 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-1857
+osvdb: 91454
+url: http://osvdb.org/show/osvdb/91454
+title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+date: 2013-03-19
+
+description: | 
+  The sanitize helper in Ruby on Rails is designed to
+  filter HTML and remove all tags and attributes which could be
+  malicious. The code which ensured that URLs only contain supported
+  protocols contained several bugs which could allow an attacker to
+  embed a tag containing a URL which executes arbitrary javascript
+  code.
+
+cvss_v2: 4.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml

@@ -0,0 +1,25 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2012-2661
+osvdb: 82403
+url: http://www.osvdb.org/show/osvdb/82403
+title: Ruby on Rails where Method ActiveRecord Class SQL Injection
+date: 2012-05-31
+
+description: |
+  Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out
+  an SQL injection attack. The issue is due to the ActiveRecord class not
+  properly sanitizing user-supplied input to the 'where' method. This may
+  allow an attacker to inject or manipulate SQL queries in an application
+  built on RoR, allowing for the manipulation or disclosure of arbitrary data.
+
+cvss_v2: 5.0
+
+unaffected_versions:
+  - ~> 2.3.14
+
+patched_versions: 
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml

@@ -0,0 +1,24 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2012-2660
+osvdb: 82610
+url: http://www.osvdb.org/show/osvdb/82610
+title:
+  Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
+  Arbitrary IS NULL Clause Injection
+date: 2012-05-31
+
+description: |
+  Ruby on Rails contains a flaw related to the way ActiveRecord handles
+  parameters in conjunction with the way Rack parses query parameters.
+  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses in
+  to application SQL queries. This may also allow an attacker to have the
+  SQL query check for NULL in arbitrary places.
+
+cvss_v2: 7.5
+
+patched_versions: 
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/{bundler/audit/rails/2013-0155.yml → ruby-advisory-db/gems/activerecord/OSVDB-89025.yml}

@@ -1,7 +1,11 @@
----
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-0155
+osvdb: 89025
 url: http://osvdb.org/show/osvdb/89025
-title: |
-  Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 
+title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 
+date: 2013-01-08
 
 description: |
   Ruby on Rails contains a flaw in the Active Record. The issue is due to an
@@ -13,7 +17,8 @@ description: |
 
 cvss_v2: 10.0
 
-patched_versions:
+patched_versions: 
+  - ~> 2.3.16
   - ~> 3.0.19
   - ~> 3.1.10
   - ">= 3.2.11"

data/data/{bundler/audit/rails/2013-0276.yml → ruby-advisory-db/gems/activerecord/OSVDB-90072.yml}

@@ -1,6 +1,11 @@
----
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-0276
+osvdb: 90072
 url: http://direct.osvdb.org/show/osvdb/90072
-title: Ruby on Rails Active Record attr_protected Method Bypass 
+title: Ruby on Rails Active Record attr_protected Method Bypass
+date: 2013-02-11
 
 description: |
   Ruby on Rails contains a flaw in the attr_protected method of the
@@ -10,7 +15,7 @@ description: |
 
 cvss_v2: 5.0
 
-patched_versions:
+patched_versions: 
   - ~> 2.3.17
   - ~> 3.1.11
   - ">= 3.2.12"

data/data/{bundler/audit/rails/2013-0277.yml → ruby-advisory-db/gems/activerecord/OSVDB-90073.yml}

@@ -1,8 +1,13 @@
----
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-0277
+osvdb: 90073
 url: http://direct.osvdb.org/show/osvdb/90073
-title: |
+title:
   Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
   Code Execution 
+date: 2013-02-11
 
 description: |
   Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
@@ -13,6 +18,6 @@ description: |
 
 cvss_v2: 10.0
 
-patched_versions:
+patched_versions: 
   - ~> 2.3.17
   - ">= 3.1.0"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml

@@ -0,0 +1,26 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-1854
+osvdb: 91453
+url: http://osvdb.org/show/osvdb/91453
+title: Symbol DoS vulnerability in Active Record
+date: 2013-03-19
+
+description: | 
+  When a hash is provided as the find value for a query, the keys of
+  the hash may be converted to symbols. Carefully crafted requests can
+  coerce `params[:name]` to return a hash, and the keys to that hash
+  may be converted to symbols. Ruby symbols are not garbage collected,
+  so an attacker can initiate a denial of service attack by creating a
+  large number of symbols.
+
+cvss_v2: 7.8
+
+unaffected_versions:
+  - ~> 3.0.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml

@@ -0,0 +1,26 @@
+--- 
+gem: activesupport
+framework: rails
+cve: 2012-1098
+osvdb: 79726
+url: http://osvdb.org/79726
+title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
+date: 2012-03-01
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because athe application does not validate direct
+  manipulations of SafeBuffer objects via '[]' and other methods. This may
+  allow a user to create a specially crafted request that would execute
+  arbitrary script code in a user's browser within the trust relationship
+  between their browser and the server.
+
+cvss_v2: 4.3
+
+unaffected_versions:
+  - "< 3.0.0"
+
+patched_versions: 
+  - ~> 3.0.12
+  - ~> 3.1.4
+  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml

@@ -0,0 +1,23 @@
+--- 
+gem: activesupport
+framework: rails
+cve: 2012-3464
+osvdb: 84516
+url: http://www.osvdb.org/show/osvdb/84516
+title: Ruby on Rails HTML Escaping Code XSS
+date: 2012-08-09
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because the HTML escaping code functionality does
+  not properly escape a single quote character. This may allow a user to create
+  a specially crafted request that would execute arbitrary script code in a
+  user's browser within the trust relationship between their browser and the
+  server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/{bundler/audit/rails/2013-0333.yml → ruby-advisory-db/gems/activesupport/OSVDB-89594.yml}

@@ -1,8 +1,13 @@
----
+--- 
+gem: activesupport
+framework: rails
+cve: 2013-0333
+osvdb: 89594
 url: http://osvdb.org/show/osvdb/89594
-title: |
+title:
   Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
   Execution 
+date: 2013-01-28
 
 description: |
   Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
@@ -15,6 +20,6 @@ description: |
 
 cvss_v2: 9.3
 
-patched_versions:
+patched_versions: 
   - ~> 2.3.16
   - ">= 3.0.20"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml

@@ -0,0 +1,28 @@
+--- 
+gem: activesupport
+framework: rails
+platform: jruby
+cve: 2013-1856
+osvdb: 91451
+url: http://www.osvdb.org/show/osvdb/91451
+title: XML Parsing Vulnerability affecting JRuby users
+date: 2013-03-19
+
+description: | 
+ The ActiveSupport XML parsing functionality supports multiple
+ pluggable backends. One backend supported for JRuby users is
+ ActiveSupport::XmlMini_JDOM which makes use of the
+ javax.xml.parsers.DocumentBuilder class. In some JVM configurations
+ the default settings of that class can allow an attacker to construct
+ XML which, when parsed, will contain the contents of arbitrary URLs
+ including files from the application server. They may also allow for
+ various denial of service attacks. Action Pack
+
+cvss_v2: 7.8
+
+unaffected_versions:
+  - ~> 2.3.0
+
+patched_versions:   
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml

@@ -0,0 +1,10 @@
+--- 
+gem: command_wrap
+cve: 2013-1875
+osvdb: 91450
+url: http://osvdb.org/show/osvdb/91450
+title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-18
+description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
+cvss_v2: 7.5
+patched_versions: 

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml

@@ -0,0 +1,17 @@
+---
+gem: crack
+cve: 2013-1800
+osvdb: 90742
+url: http://osvdb.org/show/osvdb/90742
+title: crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+description: |
+  crack Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+date: 2013-01-09
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 0.3.2"
+

data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml

@@ -0,0 +1,11 @@
+--- 
+gem: cremefraiche
+cve: 2013-2090
+osvdb: 93395
+url: http://osvdb.org/show/osvdb/93395
+title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-05-14
+description: Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 
+patched_versions: 
+  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml

@@ -0,0 +1,12 @@
+---
+gem: curl
+cve: 2013-1878
+osvdb: 91230
+url: http://osvdb.org/show/osvdb/91230
+title: Curl Gem for Ruby URI Handling Arbitrary Command Injection 
+date: 2013-03-12
+
+description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
+
+cvss_v2: 9.3
+

data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml

@@ -0,0 +1,20 @@
+---
+gem: devise
+cve: 2013-0233
+osvdb: 89642
+url: http://osvdb.org/show/osvdb/89642
+title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
+date: 2013-01-28
+
+description: |
+  Devise contains a flaw that is triggered during when a type conversion error
+  occurs during the parsing of a malformed request. With a specially crafted
+  request, a remote attacker can bypass security restrictions.
+
+cvss_v2: 10.0
+
+patched_versions:
+  - ~> 1.5.4
+  - ~> 2.0.5
+  - ~> 2.1.3
+  - ">= 2.2.3"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml

@@ -0,0 +1,19 @@
+--- 
+gem: dragonfly
+cve: 2013-1756
+osvdb: 90647
+url: http://www.osvdb.com/show/osvdb/90647
+title: Dragonfly Gem Remote Code Execution
+date: 2013-02-19
+
+description: |
+  The Dragonfly gem contains a flaw that allows an attacker to run arbitrary code
+  on a host machine using carefully crafted requests.
+
+cvss_v2: 
+
+patched_versions: 
+  - ">= 0.9.13"
+
+unaffected_versions:
+  - "< 0.7.0"

data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml

@@ -0,0 +1,9 @@
+--- 
+gem: enum_column3
+osvdb: 94679
+url: http://osvdb.org/show/osvdb/94679
+title: enum_column3 Gem for Ruby Symbol Creation Remote DoS 
+date: 2013-06-26
+description: The enum_column3 Gem for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml

@@ -0,0 +1,18 @@
+---
+gem: extlib
+cve: 2013-1802
+osvdb: 90740
+url: http://osvdb.org/show/osvdb/90740
+title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+date: 2013-01-08
+
+description: |
+  extlib Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 0.9.16"
+

data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml

@@ -0,0 +1,12 @@
+---
+gem: fastreader
+cve: 2013-1876
+osvdb: 91232
+url: http://osvdb.org/show/osvdb/91232
+title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection 
+date: 2013-03-13
+
+description: fastreader Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+
+cvss_v2: 9.3
+

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml

@@ -0,0 +1,10 @@
+--- 
+gem: fileutils
+cve: 
+osvdb: 90715
+url: http://osvdb.org/show/osvdb/90715
+title: fileutils Gem for Ruby files_utils.rb /tmp File Symlink Arbitrary File Overwrite
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against temporary files created by files_utils.rb to cause the program to unexpectedly overwrite an arbitrary file.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml

@@ -0,0 +1,10 @@
+--- 
+gem: fileutils
+cve: 
+osvdb: 90716
+url: http://osvdb.org/show/osvdb/90716
+title: fileutils Gem for Ruby Temporary Directory Hijacking Weakness
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw that is due to the program not verifying the existence of a directory before attempting to create it. This may allow a local attacker to create the directory in advance, thus owning any files subsequently written to it.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml

@@ -0,0 +1,10 @@
+--- 
+gem: fileutils
+cve: 2013-2516
+osvdb: 90717
+url: http://osvdb.org/show/osvdb/90717
+title: fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command Execution
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is triggered when handling a specially crafted URL containing a command after a delimiter (;). This may allow a remote attacker to potentially execute arbitrary commands.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml

@@ -0,0 +1,9 @@
+--- 
+gem: flash_tool
+cve: 2013-2513
+osvdb: 90829
+url: http://osvdb.org/show/osvdb/90829
+title: flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution
+date: 2013-03-04
+description: flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
+cvss_v2: 

data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml

@@ -0,0 +1,18 @@
+--- 
+gem: ftpd
+cve: 2013-2512
+osvdb: 90784
+url: http://osvdb.org/show/osvdb/90784
+title: ftpd Gem for Ruby Shell Character Handling Remote Command Injection
+date: 2013-02-28
+
+description: | 
+  ftpd Gem for Ruby contains a flaw that is triggered when handling a
+  specially crafted option or filename that contains a shell
+  character. This may allow a remote attacker to inject arbitrary
+  commands.
+
+cvss_v2: 9.0
+
+patched_versions: 
+  - ">= 0.2.2"

data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml

@@ -0,0 +1,20 @@
+---
+gem: gtk2
+cve: 2007-6183
+osvdb: 40774
+url: http://osvdb.org/show/osvdb/40774
+title:
+  Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
+  Format String 
+date: 2007-11-27
+
+description: |
+  Format string vulnerability in the mdiag_initialize function in
+  gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
+  SVN versions before 20071127, allows context-dependent attackers to execute
+  arbitrary code via format string specifiers in the message parameter.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - "> 0.16.0"

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml

@@ -0,0 +1,19 @@
+---
+gem: httparty
+cve: 2013-1802
+osvdb: 90741
+url: http://osvdb.org/show/osvdb/90741
+title:
+  httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+date: 2013-01-14
+
+description: |
+  httparty Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 0.10.0"
+

data/data/{bundler/audit/json/2013-0269.yml → ruby-advisory-db/gems/json/OSVDB-90074.yml}

@@ -1,6 +1,10 @@
----
+--- 
+gem: json
+cve: 2013-0269
+osvdb: 90074
 url: http://direct.osvdb.org/show/osvdb/90074
 title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
+date: 2013-02-11
 
 description: |
   Ruby on Rails contains a flaw that may allow a remote denial of service.
@@ -13,7 +17,7 @@ description: |
 
 cvss_v2: 9.0
 
-patched_versions:
-  - ~> 1.5.4
-  - ~> 1.6.7
+patched_versions: 
+  - ~> 1.5.5
+  - ~> 1.6.8
   - ">= 1.7.7"

data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml

@@ -0,0 +1,10 @@
+--- 
+gem: karteek-docsplit
+cve: 2013-1933
+osvdb: 92117
+url: http://osvdb.org/show/osvdb/92117
+title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-08
+description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 9.3
+patched_versions: 

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml

@@ -0,0 +1,10 @@
+--- 
+gem: kelredd-pruview
+cve: 2013-1947
+osvdb: 92228
+url: http://osvdb.org/show/osvdb/92228
+title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-04
+description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+cvss_v2: 9.3
+patched_versions: 

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml

@@ -0,0 +1,10 @@
+--- 
+gem: ldoce
+cve: 2013-1911
+osvdb: 91870
+url: http://osvdb.org/show/osvdb/91870
+title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-01
+description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
+cvss_v2: 6.8
+patched_versions: 

data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml

@@ -0,0 +1,21 @@
+---
+gem: loofah
+osvdb: 90945
+url: http://www.osvdb.org/show/osvdb/90945
+title: Loofah HTML and XSS injection vulnerability
+date: 2012-09-08
+
+description: |
+  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because the
+  Loofah::HTML::Document\#text function passes properly sanitized
+  user-supplied input to the Loofah::XssFoliate and
+  Loofah::Helpers\#strip_tags functions which convert input back to
+  text. This may allow an attacker to create a specially crafted
+  request that would execute arbitrary script code in a user's browser
+  within the trust relationship between their browser and the server.
+
+cvss_v2: 5.0
+
+patched_versions:
+  - ">=  0.4.6"

data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml

@@ -0,0 +1,21 @@
+--- 
+gem: mail
+cve: 2011-0739
+osvdb: 70667
+url: http://www.osvdb.org/show/osvdb/70667
+title: >
+  Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
+  Address Arbitrary Shell Command Injection 
+date: 2011-01-25
+
+description: |
+  Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
+  input passed from an email from address in the 'deliver()' function in
+  'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
+  command line argument. This may allow a remote attacker to inject arbitrary
+  shell commands.
+
+cvss_v2: 6.8
+
+patched_versions: 
+  - ">= 2.2.15"