RubyGems - bundler-audit - Versions diffs - 0.1.2 → 0.2.0 - Mend

bundler-audit 0.1.2 → 0.2.0

Files changed (84) hide show

data/data/ruby-advisory-db/gems/activerecord/{2012-2661.yml → OSVDB-82403.yml} RENAMED

@@ -1,8 +1,11 @@
 ---
 gem: activerecord
+framework: rails
 cve: 2012-2661
+osvdb: 82403
 url: http://www.osvdb.org/show/osvdb/82403
 title: Ruby on Rails where Method ActiveRecord Class SQL Injection
+date: 2012-05-31
 description: |
   Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out
@@ -13,6 +16,9 @@ description: |
 cvss_v2: 5.0
+unaffected_versions:
+  - ~> 2.3.14
 patched_versions:
   - ~> 3.0.13
   - ~> 3.1.5

data/data/ruby-advisory-db/gems/activerecord/{2012-2660.yml → OSVDB-82610.yml} RENAMED

@@ -1,10 +1,13 @@
 ---
 gem: activerecord
+framework: rails
 cve: 2012-2660
+osvdb: 82610
 url: http://www.osvdb.org/show/osvdb/82610
 title:
   Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
   Arbitrary IS NULL Clause Injection
+date: 2012-05-31
 description: |
   Ruby on Rails contains a flaw related to the way ActiveRecord handles

data/data/ruby-advisory-db/gems/activerecord/{2013-0155.yml → OSVDB-89025.yml} RENAMED

@@ -1,8 +1,11 @@
 ---
 gem: activerecord
+framework: rails
 cve: 2013-0155
+osvdb: 89025
 url: http://osvdb.org/show/osvdb/89025
 title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
+date: 2013-01-08
 description: |
   Ruby on Rails contains a flaw in the Active Record. The issue is due to an

data/data/ruby-advisory-db/gems/activerecord/{2013-0276.yml → OSVDB-90072.yml} RENAMED

@@ -1,8 +1,11 @@
 ---
 gem: activerecord
+framework: rails
 cve: 2013-0276
+osvdb: 90072
 url: http://direct.osvdb.org/show/osvdb/90072
 title: Ruby on Rails Active Record attr_protected Method Bypass
+date: 2013-02-11
 description: |
   Ruby on Rails contains a flaw in the attr_protected method of the

data/data/ruby-advisory-db/gems/activerecord/{2013-0277.yml → OSVDB-90073.yml} RENAMED

@@ -1,10 +1,13 @@
 ---
 gem: activerecord
+framework: rails
 cve: 2013-0277
+osvdb: 90073
 url: http://direct.osvdb.org/show/osvdb/90073
 title:
   Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
   Code Execution
+date: 2013-02-11
 description: |
   Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.

data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml ADDED

@@ -0,0 +1,26 @@
+---
+gem: activerecord
+framework: rails
+cve: 2013-1854
+osvdb: 91453
+url: http://osvdb.org/show/osvdb/91453
+title: Symbol DoS vulnerability in Active Record
+date: 2013-03-19
+description: |
+  When a hash is provided as the find value for a query, the keys of
+  the hash may be converted to symbols. Carefully crafted requests can
+  coerce `params[:name]` to return a hash, and the keys to that hash
+  may be converted to symbols. Ruby symbols are not garbage collected,
+  so an attacker can initiate a denial of service attack by creating a
+  large number of symbols.
+cvss_v2: 7.8
+unaffected_versions:
+  - ~> 3.0.0
+patched_versions:
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activesupport/{2012-1098.yml → OSVDB-79726.yml} RENAMED

@@ -1,8 +1,11 @@
 ---
 gem: activesupport
+framework: rails
 cve: 2012-1098
+osvdb: 79726
 url: http://osvdb.org/79726
 title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
+date: 2012-03-01
 description: |
   Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
@@ -14,6 +17,9 @@ description: |
 cvss_v2: 4.3
+unaffected_versions:
+  - "< 3.0.0"
 patched_versions:
   - ~> 3.0.12
   - ~> 3.1.4

data/data/ruby-advisory-db/gems/activesupport/{2012-3464.yml → OSVDB-84516.yml} RENAMED

@@ -1,8 +1,11 @@
 ---
 gem: activesupport
+framework: rails
 cve: 2012-3464
+osvdb: 84516
 url: http://www.osvdb.org/show/osvdb/84516
 title: Ruby on Rails HTML Escaping Code XSS
+date: 2012-08-09
 description: |
   Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)

data/data/ruby-advisory-db/gems/activesupport/{2013-0333.yml → OSVDB-89594.yml} RENAMED

@@ -1,10 +1,13 @@
 ---
 gem: activesupport
+framework: rails
 cve: 2013-0333
+osvdb: 89594
 url: http://osvdb.org/show/osvdb/89594
 title:
   Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
   Execution
+date: 2013-01-28
 description: |
   Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple

data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml ADDED

@@ -0,0 +1,28 @@
+---
+gem: activesupport
+framework: rails
+platform: jruby
+cve: 2013-1856
+osvdb: 91451
+url: http://www.osvdb.org/show/osvdb/91451
+title: XML Parsing Vulnerability affecting JRuby users
+date: 2013-03-19
+description: |
+ The ActiveSupport XML parsing functionality supports multiple
+ pluggable backends. One backend supported for JRuby users is
+ ActiveSupport::XmlMini_JDOM which makes use of the
+ javax.xml.parsers.DocumentBuilder class. In some JVM configurations
+ the default settings of that class can allow an attacker to construct
+ XML which, when parsed, will contain the contents of arbitrary URLs
+ including files from the application server. They may also allow for
+ various denial of service attacks. Action Pack
+cvss_v2: 7.8
+unaffected_versions:
+  - ~> 2.3.0
+patched_versions:
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: command_wrap
+cve: 2013-1875
+osvdb: 91450
+url: http://osvdb.org/show/osvdb/91450
+title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-18
+description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
+cvss_v2: 7.5
+patched_versions:

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: crack
+cve: 2013-1800
+osvdb: 90742
+url: http://osvdb.org/show/osvdb/90742
+title: crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
+description: |
+  crack Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+date: 2013-01-09
+cvss_v2: 9.3
+patched_versions:
+  - ">= 0.3.2"

data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: cremefraiche
+cve: 2013-2090
+osvdb: 93395
+url: http://osvdb.org/show/osvdb/93395
+title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-05-14
+description: Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2:
+patched_versions:
+  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: curl
+cve: 2013-1878
+osvdb: 91230
+url: http://osvdb.org/show/osvdb/91230
+title: Curl Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-12
+description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
+cvss_v2: 9.3

data/data/ruby-advisory-db/gems/devise/{2013-0233.yml → OSVDB-89642.yml} RENAMED

@@ -1,8 +1,10 @@
 ---
 gem: devise
 cve: 2013-0233
+osvdb: 89642
 url: http://osvdb.org/show/osvdb/89642
 title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
+date: 2013-01-28
 description: |
   Devise contains a flaw that is triggered during when a type conversion error

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: dragonfly
+cve: 2013-1756
+osvdb: 90647
+url: http://www.osvdb.com/show/osvdb/90647
+title: Dragonfly Gem Remote Code Execution
+date: 2013-02-19
+description: |
+  The Dragonfly gem contains a flaw that allows an attacker to run arbitrary code
+  on a host machine using carefully crafted requests.
+cvss_v2:
+patched_versions:
+  - ">= 0.9.13"
+unaffected_versions:
+  - "< 0.7.0"

data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml ADDED

@@ -0,0 +1,9 @@
+---
+gem: enum_column3
+osvdb: 94679
+url: http://osvdb.org/show/osvdb/94679
+title: enum_column3 Gem for Ruby Symbol Creation Remote DoS
+date: 2013-06-26
+description: The enum_column3 Gem for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: extlib
+cve: 2013-1802
+osvdb: 90740
+url: http://osvdb.org/show/osvdb/90740
+title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
+date: 2013-01-08
+description: |
+  extlib Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+cvss_v2: 9.3
+patched_versions:
+  - ">= 0.9.16"

data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: fastreader
+cve: 2013-1876
+osvdb: 91232
+url: http://osvdb.org/show/osvdb/91232
+title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-13
+description: fastreader Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+cvss_v2: 9.3

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: fileutils
+cve:
+osvdb: 90715
+url: http://osvdb.org/show/osvdb/90715
+title: fileutils Gem for Ruby files_utils.rb /tmp File Symlink Arbitrary File Overwrite
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against temporary files created by files_utils.rb to cause the program to unexpectedly overwrite an arbitrary file.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: fileutils
+cve:
+osvdb: 90716
+url: http://osvdb.org/show/osvdb/90716
+title: fileutils Gem for Ruby Temporary Directory Hijacking Weakness
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw that is due to the program not verifying the existence of a directory before attempting to create it. This may allow a local attacker to create the directory in advance, thus owning any files subsequently written to it.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: fileutils
+cve: 2013-2516
+osvdb: 90717
+url: http://osvdb.org/show/osvdb/90717
+title: fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command Execution
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is triggered when handling a specially crafted URL containing a command after a delimiter (;). This may allow a remote attacker to potentially execute arbitrary commands.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml ADDED

@@ -0,0 +1,9 @@
+---
+gem: flash_tool
+cve: 2013-2513
+osvdb: 90829
+url: http://osvdb.org/show/osvdb/90829
+title: flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution
+date: 2013-03-04
+description: flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
+cvss_v2:

data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: ftpd
+cve: 2013-2512
+osvdb: 90784
+url: http://osvdb.org/show/osvdb/90784
+title: ftpd Gem for Ruby Shell Character Handling Remote Command Injection
+date: 2013-02-28
+description: |
+  ftpd Gem for Ruby contains a flaw that is triggered when handling a
+  specially crafted option or filename that contains a shell
+  character. This may allow a remote attacker to inject arbitrary
+  commands.
+cvss_v2: 9.0
+patched_versions:
+  - ">= 0.2.2"

data/data/ruby-advisory-db/gems/gtk2/{2007-6183.yml → OSVDB-40774.yml} RENAMED

@@ -1,10 +1,12 @@
 ---
 gem: gtk2
 cve: 2007-6183
+osvdb: 40774
 url: http://osvdb.org/show/osvdb/40774
 title:
   Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
   Format String
+date: 2007-11-27
 description: |
   Format string vulnerability in the mdiag_initialize function in

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: httparty
+cve: 2013-1802
+osvdb: 90741
+url: http://osvdb.org/show/osvdb/90741
+title:
+  httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
+date: 2013-01-14
+description: |
+  httparty Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+cvss_v2: 9.3
+patched_versions:
+  - ">= 0.10.0"

data/data/ruby-advisory-db/gems/json/{2013-0269.yml → OSVDB-90074.yml} RENAMED

@@ -1,8 +1,10 @@
 ---
 gem: json
 cve: 2013-0269
+osvdb: 90074
 url: http://direct.osvdb.org/show/osvdb/90074
 title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
+date: 2013-02-11
 description: |
   Ruby on Rails contains a flaw that may allow a remote denial of service.
@@ -16,6 +18,6 @@ description: |
 cvss_v2: 9.0
 patched_versions:
-  - ~> 1.5.4
-  - ~> 1.6.7
+  - ~> 1.5.5
+  - ~> 1.6.8
   - ">= 1.7.7"

data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: karteek-docsplit
+cve: 2013-1933
+osvdb: 92117
+url: http://osvdb.org/show/osvdb/92117
+title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-08
+description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 9.3
+patched_versions: