bundler-audit 0.3.0 → 0.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.gitignore +3 -0
- data/.travis.yml +1 -0
- data/ChangeLog.md +10 -0
- data/README.md +5 -1
- data/Rakefile +8 -0
- data/data/ruby-advisory-db.ts +1 -0
- data/data/ruby-advisory-db/CONTRIBUTORS.md +9 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml +20 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml +21 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml +27 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml +24 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml +22 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml +24 -0
- data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml +22 -0
- data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml +23 -0
- data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml +15 -0
- data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml +2 -2
- data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml +1 -1
- data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml +1 -1
- data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml +11 -0
- data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml +10 -0
- data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml +14 -0
- data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml +3 -8
- data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml +17 -0
- data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml +12 -0
- data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml +15 -0
- data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml +1 -1
- data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml +22 -0
- data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml +17 -0
- data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml +13 -0
- data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml +12 -0
- data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml +13 -0
- data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml +1 -1
- data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml +20 -0
- data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml +2 -1
- data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml +13 -0
- data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml +3 -2
- data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml +3 -2
- data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml +3 -2
- data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml +3 -2
- data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml +14 -0
- data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml +11 -0
- data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml +15 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +3 -3
- data/data/ruby-advisory-db/spec/gems_spec.rb +3 -4
- data/gemspec.yml +1 -0
- data/lib/bundler/audit.rb +1 -1
- data/lib/bundler/audit/advisory.rb +1 -1
- data/lib/bundler/audit/cli.rb +5 -4
- data/lib/bundler/audit/database.rb +6 -3
- data/lib/bundler/audit/version.rb +2 -2
- data/spec/advisory_spec.rb +27 -2
- data/spec/bundle/secure/Gemfile +1 -1
- data/spec/database_spec.rb +58 -1
- data/spec/fixtures/not_a_hash.yml +2 -0
- data/spec/integration_spec.rb +10 -69
- data/spec/spec_helper.rb +40 -0
- metadata +44 -3
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: eb1773e0d185dcc826b346744c13db1af6aaebab
|
|
4
|
+
data.tar.gz: 617a25945731a1f38563599b1fb715ff0f95a4d2
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 30ad678294da6ef14df9fac8b0d3bbcabaac517eb25c23a26efaeff8a9f01b34f458e3d10ef518ce720b9840362fce0506420064e56b15b1cfca724cae35dcc0
|
|
7
|
+
data.tar.gz: 7d4810f14c9bb158dba5a57fe5151dd9ff812c948c9919defbb291ee76a140def1e62ecaacd8daab3feb88e95a49fd0c1769c12269d301a6bd224f28b0f64bff
|
data/.gitignore
CHANGED
data/.travis.yml
CHANGED
data/ChangeLog.md
CHANGED
|
@@ -1,3 +1,13 @@
|
|
|
1
|
+
### 0.3.1 / 2014-04-20
|
|
2
|
+
|
|
3
|
+
* Added thor ~> 0.18 as a dependency.
|
|
4
|
+
* No longer rely on the vendored version of thor within bundler.
|
|
5
|
+
* Store the timestamp of when `data/ruby-advisory-db` was last updated in
|
|
6
|
+
`data/ruby-advisory-db.ts`.
|
|
7
|
+
* Use `data/ruby-advisory-db.ts` instead of the creation time of the
|
|
8
|
+
`dataruby-advisory-db` directory, which is always the install time
|
|
9
|
+
of the rubygem.
|
|
10
|
+
|
|
1
11
|
### 0.3.0 / 2013-10-31
|
|
2
12
|
|
|
3
13
|
* Added {Bundler::Audit::Database.update!} which uses `git` to download
|
data/README.md
CHANGED
|
@@ -110,6 +110,8 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
|
|
|
110
110
|
|
|
111
111
|
## Requirements
|
|
112
112
|
|
|
113
|
+
* [RubyGems] >= 1.8
|
|
114
|
+
* [thor] ~> 0.18
|
|
113
115
|
* [bundler] ~> 1.2
|
|
114
116
|
|
|
115
117
|
## Install
|
|
@@ -118,7 +120,7 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
|
|
|
118
120
|
|
|
119
121
|
## License
|
|
120
122
|
|
|
121
|
-
Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
|
|
123
|
+
Copyright (c) 2013-2014 Hal Brodigan (postmodern.mod3 at gmail.com)
|
|
122
124
|
|
|
123
125
|
bundler-audit is free software: you can redistribute it and/or modify
|
|
124
126
|
it under the terms of the GNU General Public License as published by
|
|
@@ -133,6 +135,8 @@ GNU General Public License for more details.
|
|
|
133
135
|
You should have received a copy of the GNU General Public License
|
|
134
136
|
along with bundler-audit. If not, see <http://www.gnu.org/licenses/>.
|
|
135
137
|
|
|
138
|
+
[RubyGems]: https://rubygems.org
|
|
139
|
+
[thor]: http://whatisthor.com/
|
|
136
140
|
[bundler]: https://github.com/carlhuda/bundler#readme
|
|
137
141
|
|
|
138
142
|
[OSVDB]: http://osvdb.org/
|
data/Rakefile
CHANGED
|
@@ -19,6 +19,7 @@ rescue Bundler::BundlerError => e
|
|
|
19
19
|
end
|
|
20
20
|
|
|
21
21
|
require 'rake'
|
|
22
|
+
require 'time'
|
|
22
23
|
|
|
23
24
|
require 'rubygems/tasks'
|
|
24
25
|
Gem::Tasks.new
|
|
@@ -26,11 +27,18 @@ Gem::Tasks.new
|
|
|
26
27
|
namespace :db do
|
|
27
28
|
desc 'Updates data/ruby-advisory-db'
|
|
28
29
|
task :update do
|
|
30
|
+
timestamp = nil
|
|
31
|
+
|
|
29
32
|
chdir 'data/ruby-advisory-db' do
|
|
30
33
|
sh 'git', 'pull', 'origin', 'master'
|
|
34
|
+
|
|
35
|
+
File.open('../ruby-advisory-db.ts','w') do |file|
|
|
36
|
+
file.write Time.parse(`git log --pretty="%cd" -1`).utc
|
|
37
|
+
end
|
|
31
38
|
end
|
|
32
39
|
|
|
33
40
|
sh 'git', 'commit', 'data/ruby-advisory-db',
|
|
41
|
+
'data/ruby-advisory-db.ts',
|
|
34
42
|
'-m', 'Updated ruby-advisory-db'
|
|
35
43
|
end
|
|
36
44
|
end
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
2014-02-11 00:45:58 UTC
|
|
@@ -12,3 +12,12 @@ Thanks,
|
|
|
12
12
|
* [Larry W. Cashdollar](http://vapid.dhs.org/)
|
|
13
13
|
* [Michael Grosser](https://github.com/grosser)
|
|
14
14
|
* [Sascha Korth](https://github.com/skorth)
|
|
15
|
+
* [David Radcliffe](https://github.com/dwradcliffe)
|
|
16
|
+
* [Jörg Schiller](https://github.com/joergschiller)
|
|
17
|
+
* [Derek Prior](https://github.com/derekprior)
|
|
18
|
+
* [Joel Chippindale](https://github.com/mocoso)
|
|
19
|
+
* [Josef Šimánek](https://github.com/simi)
|
|
20
|
+
* [Amiel Martin](https://github.com/amiel)
|
|
21
|
+
* [Jeremy Olliver](https://github.com/jeremyolliver)
|
|
22
|
+
* [Vasily Vasinov](https://github.com/vasinov)
|
|
23
|
+
* [Phill MV](https://twitter.com/phillmv)
|
|
@@ -0,0 +1,20 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2013-6415
|
|
5
|
+
osvdb: 100524
|
|
6
|
+
url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
|
|
7
|
+
title: XSS Vulnerability in number_to_currency
|
|
8
|
+
date: 2013-12-03
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
|
|
12
|
+
The number_to_currency helper allows users to nicely format a numeric value. One
|
|
13
|
+
of the parameters to the helper (unit) is not escaped correctly. Applications
|
|
14
|
+
which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
|
|
15
|
+
|
|
16
|
+
cvss_v2:
|
|
17
|
+
|
|
18
|
+
patched_versions:
|
|
19
|
+
- ~> 3.2.16
|
|
20
|
+
- ">= 4.0.2"
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2013-6414
|
|
5
|
+
osvdb: 100525
|
|
6
|
+
url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
|
|
7
|
+
title: Denial of Service Vulnerability in Action View
|
|
8
|
+
date: 2013-12-03
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
There is a denial of service vulnerability in the header handling component of
|
|
12
|
+
Action View.
|
|
13
|
+
|
|
14
|
+
cvss_v2:
|
|
15
|
+
|
|
16
|
+
unaffected_versions:
|
|
17
|
+
- ~> 2.3.0
|
|
18
|
+
|
|
19
|
+
patched_versions:
|
|
20
|
+
- ~> 3.2.16
|
|
21
|
+
- ">= 4.0.2"
|
|
@@ -0,0 +1,27 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2013-6416
|
|
5
|
+
osvdb: 100526
|
|
6
|
+
url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
|
|
7
|
+
title: XSS Vulnerability in simple_format helper
|
|
8
|
+
date: 2013-12-03
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
There is a vulnerability in the simple_format helper in Ruby on Rails.
|
|
12
|
+
The simple_format helper converts user supplied text into html text
|
|
13
|
+
which is intended to be safe for display. A change made to the
|
|
14
|
+
implementation of this helper means that any user provided HTML
|
|
15
|
+
attributes will not be escaped correctly. As a result of this error,
|
|
16
|
+
applications which pass user-controlled data to be included as html
|
|
17
|
+
attributes will be vulnerable to an XSS attack.
|
|
18
|
+
|
|
19
|
+
cvss_v2:
|
|
20
|
+
|
|
21
|
+
unaffected_versions:
|
|
22
|
+
- ~> 2.3.0
|
|
23
|
+
- ~> 3.1.0
|
|
24
|
+
- ~> 3.2.0
|
|
25
|
+
|
|
26
|
+
patched_versions:
|
|
27
|
+
- ">= 4.0.2"
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2013-6417
|
|
5
|
+
osvdb: 100527
|
|
6
|
+
url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
|
|
7
|
+
title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
|
|
8
|
+
date: 2013-12-03
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
The prior fix to CVE-2013-0155 was incomplete and the use of common
|
|
12
|
+
3rd party libraries can accidentally circumvent the protection. Due
|
|
13
|
+
to the way that Rack::Request and Rails::Request interact, it is
|
|
14
|
+
possible for a 3rd party or custom rack middleware to parse the
|
|
15
|
+
parameters insecurely and store them in the same key that Rails uses
|
|
16
|
+
for its own parameters. In the event that happens the application
|
|
17
|
+
will receive unsafe parameters and could be vulnerable to the earlier
|
|
18
|
+
vulnerability.
|
|
19
|
+
|
|
20
|
+
cvss_v2:
|
|
21
|
+
|
|
22
|
+
patched_versions:
|
|
23
|
+
- ~> 3.2.16
|
|
24
|
+
- ">= 4.0.2"
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2013-4491
|
|
5
|
+
osvdb: 100528
|
|
6
|
+
url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
|
|
7
|
+
title: Reflective XSS Vulnerability in Ruby on Rails
|
|
8
|
+
date: 2013-12-03
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
There is a vulnerability in the internationalization component of Ruby on
|
|
12
|
+
Rails. Under certain common configurations an attacker can provide specially
|
|
13
|
+
crafted input which will execute a reflective XSS attack.
|
|
14
|
+
|
|
15
|
+
The root cause of this issue is a vulnerability in the i18n gem which has
|
|
16
|
+
been assigned the identifier CVE-2013-4492.
|
|
17
|
+
|
|
18
|
+
cvss_v2:
|
|
19
|
+
|
|
20
|
+
patched_versions:
|
|
21
|
+
- ~> 3.2.16
|
|
22
|
+
- ">= 4.0.2"
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2014-0081
|
|
5
|
+
osvdb: 103439
|
|
6
|
+
url: http://osvdb.org/show/osvdb/103439
|
|
7
|
+
title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
|
|
8
|
+
date: 2014-02-18
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
Ruby on Rails contains a flaw that allows a cross-site scripting (XSS) attack.
|
|
12
|
+
This flaw exists because the actionpack/lib/action_view/helpers/number_helper.rb
|
|
13
|
+
script does not validate input to the 'number_to_currency', 'number_to_percentage',
|
|
14
|
+
and 'number_to_human' helpers before returning it to users. This may allow a
|
|
15
|
+
remote attacker to create a specially crafted request that would execute arbitrary
|
|
16
|
+
script code in a user's browser session within the trust relationship between
|
|
17
|
+
their browser and the server.
|
|
18
|
+
|
|
19
|
+
cvss_v2:
|
|
20
|
+
|
|
21
|
+
patched_versions:
|
|
22
|
+
- ~> 3.2.17
|
|
23
|
+
- ~> 4.0.3
|
|
24
|
+
- ">= 4.1.0.beta2"
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: actionpack
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2014-0082
|
|
5
|
+
osvdb: 103440
|
|
6
|
+
url: http://osvdb.org/show/osvdb/103440
|
|
7
|
+
title: Denial of Service Vulnerability in Action View when using render :text
|
|
8
|
+
date: 2014-02-18
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
Ruby on Rails contains a flaw in actionpack/lib/action_view/template/text.rb
|
|
12
|
+
in the text rendering component of Action View that is triggered when
|
|
13
|
+
handling MIME types that are converted to symbols. This may allow a
|
|
14
|
+
remote attacker to cause a denial of service.
|
|
15
|
+
|
|
16
|
+
cvss_v2:
|
|
17
|
+
|
|
18
|
+
unaffected_versions:
|
|
19
|
+
- ~> 4.0.0
|
|
20
|
+
|
|
21
|
+
patched_versions:
|
|
22
|
+
- ">= 3.2.17"
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: activerecord
|
|
3
|
+
framework: rails
|
|
4
|
+
cve: 2014-0080
|
|
5
|
+
osvdb: 103438
|
|
6
|
+
url: http://osvdb.org/show/osvdb/103438
|
|
7
|
+
title: Data Injection Vulnerability in Active Record
|
|
8
|
+
date: 2014-02-18
|
|
9
|
+
|
|
10
|
+
description: |
|
|
11
|
+
Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb
|
|
12
|
+
in Active Record. This issue may allow a remote attacker to inject data
|
|
13
|
+
into PostgreSQL array columns via a specially crafted string.
|
|
14
|
+
|
|
15
|
+
cvss_v2:
|
|
16
|
+
|
|
17
|
+
unaffected_versions:
|
|
18
|
+
- "< 3.2.0"
|
|
19
|
+
- ~> 3.2.0
|
|
20
|
+
|
|
21
|
+
patched_versions:
|
|
22
|
+
- ~> 4.0.3
|
|
23
|
+
- ">= 4.1.0.beta2"
|
|
@@ -0,0 +1,15 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: Arabic-Prawn
|
|
3
|
+
osvdb: 104365
|
|
4
|
+
url: http://osvdb.org/show/osvdb/104365
|
|
5
|
+
title: Arabic-Prawn Gem for Ruby contains a flaw
|
|
6
|
+
date: 2014-03-10
|
|
7
|
+
|
|
8
|
+
description: |
|
|
9
|
+
Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
|
|
10
|
+
file. The issue is due to the program failing to sanitize user input. This may
|
|
11
|
+
allow a remote attacker to inject arbitrary commands.
|
|
12
|
+
|
|
13
|
+
cvss_v2:
|
|
14
|
+
|
|
15
|
+
patched_versions:
|
|
@@ -8,8 +8,8 @@ date: 2013-10-22
|
|
|
8
8
|
description: Cocaine Gem for Ruby contains a flaw that is due to the method
|
|
9
9
|
of variable interpolation used by the program. With a specially crafted
|
|
10
10
|
object, a context-dependent attacker can execute arbitrary commands.
|
|
11
|
-
cvss_v2:
|
|
11
|
+
cvss_v2: 6.8
|
|
12
12
|
unaffected_versions:
|
|
13
|
-
-
|
|
13
|
+
- < 0.4.0
|
|
14
14
|
patched_versions:
|
|
15
15
|
- '>= 0.5.3'
|
|
@@ -8,5 +8,5 @@ date: 2013-03-12
|
|
|
8
8
|
|
|
9
9
|
description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL. This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
|
|
10
10
|
|
|
11
|
-
cvss_v2:
|
|
11
|
+
cvss_v2: 7.5
|
|
12
12
|
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: echor
|
|
3
|
+
osvdb: 102129
|
|
4
|
+
url: http://osvdb.org/show/osvdb/102129
|
|
5
|
+
title: Echor Gem for Ruby contains a flaw
|
|
6
|
+
date: 2014-01-14
|
|
7
|
+
description: Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request function that is triggered when
|
|
8
|
+
a semi-colon (;) is injected into a username or password. This may allow a context-dependent attacker to inject
|
|
9
|
+
arbitrary commands if the gem is used in a rails application.
|
|
10
|
+
cvss_v2:
|
|
11
|
+
patched_versions:
|
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: echor
|
|
3
|
+
osvdb: 102130
|
|
4
|
+
url: http://osvdb.org/show/osvdb/102130
|
|
5
|
+
title: Echor Gem for Ruby contains a flaw
|
|
6
|
+
date: 2014-01-14
|
|
7
|
+
description: Echor Gem for Ruby contains a flaw that is due to the program exposing credential information in the
|
|
8
|
+
system process listing. This may allow a local attacker to gain access to plaintext credential information.
|
|
9
|
+
cvss_v2:
|
|
10
|
+
patched_versions:
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: gitlab-grit
|
|
3
|
+
cve: 2013-4489
|
|
4
|
+
osvdb: 99370
|
|
5
|
+
url: http://www.osvdb.org/show/osvdb/99370
|
|
6
|
+
title: GitLab Grit Gem for Ruby contains a flaw
|
|
7
|
+
date: 2013-11-04
|
|
8
|
+
description: GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script.
|
|
9
|
+
The issue is triggered when input passed via the code search box is not properly sanitized,
|
|
10
|
+
which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to
|
|
11
|
+
execute arbitrary commands.
|
|
12
|
+
cvss_v2:
|
|
13
|
+
patched_versions:
|
|
14
|
+
- '>= 2.6.1'
|
|
@@ -1,19 +1,14 @@
|
|
|
1
1
|
---
|
|
2
2
|
gem: httparty
|
|
3
|
-
cve: 2013-
|
|
3
|
+
cve: 2013-1801
|
|
4
4
|
osvdb: 90741
|
|
5
5
|
url: http://osvdb.org/show/osvdb/90741
|
|
6
|
-
title:
|
|
7
|
-
httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
|
|
6
|
+
title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
|
|
8
7
|
date: 2013-01-14
|
|
9
|
-
|
|
10
8
|
description: |
|
|
11
9
|
httparty Gem for Ruby contains a flaw that is triggered when a type casting
|
|
12
10
|
error occurs during the parsing of parameters. This may allow a
|
|
13
11
|
context-dependent attacker to potentially execute arbitrary code.
|
|
14
|
-
|
|
15
|
-
cvss_v2: 9.3
|
|
16
|
-
|
|
12
|
+
cvss_v2: 7.5
|
|
17
13
|
patched_versions:
|
|
18
14
|
- ">= 0.10.0"
|
|
19
|
-
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: i18n
|
|
3
|
+
cve: 2013-4492
|
|
4
|
+
osvdb: 100528
|
|
5
|
+
url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
|
|
6
|
+
title: i18n missing translation error message XSS
|
|
7
|
+
date: 2013-12-03
|
|
8
|
+
|
|
9
|
+
description: |
|
|
10
|
+
The HTML exception message raised by I18n::MissingTranslation fails
|
|
11
|
+
to escape the keys.
|
|
12
|
+
|
|
13
|
+
cvss_v2: 4.3
|
|
14
|
+
|
|
15
|
+
patched_versions:
|
|
16
|
+
- ~> 0.5.1
|
|
17
|
+
- '>= 0.6.6'
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
---
|
|
2
|
+
gem: nokogiri
|
|
3
|
+
cve: 2013-6460
|
|
4
|
+
osvdb: 101179
|
|
5
|
+
url: http://www.osvdb.org/show/osvdb/101179
|
|
6
|
+
title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
|
|
7
|
+
date: 2013-12-14
|
|
8
|
+
description: Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of service. The issue is triggered when handling a specially crafted XML document, which can result in an infinite loop. This may allow a context-dependent attacker to crash the server.
|
|
9
|
+
cvss_v2:
|
|
10
|
+
patched_versions:
|
|
11
|
+
- ~> 1.5.11
|
|
12
|
+
- ">= 1.6.1"
|