bundler-audit 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 679e11f046f11e432067d55398791fdbf03536b3
-  data.tar.gz: ad6bb67d40dae3ee0346ffe18caa11ee19e142e6
+  metadata.gz: 9660b06fce10c2532f0c7aaa5fef6ca2d5c99067
+  data.tar.gz: 751d7e542727defa267b6d8abf2ad0b3f391ab70
 SHA512:
-  metadata.gz: 48e2f1e83c0122d4629e4ddd02d448f90578527b40a1a0fccf331903413fbb2f3df7952399723914c0e0450f6682187af4301404b98bacc61ad794b5633a3023
-  data.tar.gz: 2c868a8106f74e45ffe9bcf02d1578d7326c4bea0a12baddf79ab7bd9dc059b599b39e0a41d167a0bc6d0bbbf01a8dc7e5f28a53849fea88a7214da400f5b52a
+  metadata.gz: 2a3cb90acc0cecc82ee931fedd43ab4d0439fd2436bc29563a45a4a328862c9038f243f7bff68a9e394bb0c12fee6f83b1496347187783b3a6d972435169dbf3
+  data.tar.gz: 89a771db86e3baf43430b5448bee5664e1b73f017fed9c48756ea8a58f6f4515c761d4c46333a93e9bcde71e3c6777271ec799a933d5662a76df9504a29dd09d

data/.gitignore

@@ -1,5 +1,11 @@
+.ruby-version
+.ruby-gemset
 Gemfile.lock
 doc/
+.yardoc/
+coverage/
 pkg/
 spec/bundle/*/Gemfile.lock
+spec/bundle/*/.bundle/
 vendor/bundle/
+tmp/

data/.travis.yml

@@ -1,4 +1,7 @@
 rvm:
-  - 1.8.7
-  - 1.9.2
   - 1.9.3
+  - 2.0
+  - 2.1
+  - 2.2
+before_install:
+  - gem install rspec

data/ChangeLog.md

@@ -1,3 +1,28 @@
+### 0.4.0 / 2015-06-30
+
+* Require ruby >= 1.9.3 due to i18n gem deprecating < 1.9.3.
+* Added {Bundler::Audit::Advisory#osvdb}.
+* Resolve the IP addresses of gem sources and ignore intranet gem sources.
+  (PR #90)
+* Use ISO8601 date format when querying the git timestamp of ruby-advisory-db.
+  (PR #92)
+
+#### CLI
+
+* Print the CVE or OSVDB id.
+* No longer print "Unpatched versions found!" when an insecure gem source
+  is detected. (PR #84)
+
+### 0.3.1 / 2014-04-20
+
+* Added thor ~> 0.18 as a dependency.
+* No longer rely on the vendored version of thor within bundler.
+* Store the timestamp of when `data/ruby-advisory-db` was last updated in
+  `data/ruby-advisory-db.ts`.
+* Use `data/ruby-advisory-db.ts` instead of the creation time of the
+  `dataruby-advisory-db` directory, which is always the install time
+  of the rubygem.
+
 ### 0.3.0 / 2013-10-31
 
 * Added {Bundler::Audit::Database.update!} which uses `git` to download

data/Gemfile

@@ -7,6 +7,7 @@ group :development do
   gem 'kramdown',       '~> 0.14'
 
   gem 'rubygems-tasks', '~> 0.2'
-  gem 'rspec',          '~> 2.4'
+  gem 'rspec',          '~> 3.0'
   gem 'yard',           '~> 0.8'
+  gem 'simplecov',      '~> 0.7', :require => false
 end

data/README.md

@@ -108,8 +108,15 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
      create mode 100644 gems/wicked/OSVDB-98270.yml
     ruby-advisory-db: 64 advisories
 
+Ignore specific advisories:
+
+    $ bundle-audit check --ignore OSVDB-108664
+
 ## Requirements
 
+* [Ruby] >= 1.9.3
+* [RubyGems] >= 1.8
+* [thor] ~> 0.18
 * [bundler] ~> 1.2
 
 ## Install
@@ -118,7 +125,7 @@ Update the [ruby-advisory-db] that `bundle-audit` uses:
 
 ## License
 
-Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)
+Copyright (c) 2013-2015 Hal Brodigan (postmodern.mod3 at gmail.com)
 
 bundler-audit is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -133,6 +140,10 @@ GNU General Public License for more details.
 You should have received a copy of the GNU General Public License
 along with bundler-audit.  If not, see <http://www.gnu.org/licenses/>.
 
+[Ruby]: https://ruby-lang.org
+[RubyGems]: https://rubygems.org
+[thor]: http://whatisthor.com/
 [bundler]: https://github.com/carlhuda/bundler#readme
 
 [OSVDB]: http://osvdb.org/
+[ruby-advisory-db]: https://github.com/rubysec/ruby-advisory-db

data/Rakefile

@@ -3,22 +3,13 @@
 require 'rubygems'
 
 begin
-  require 'bundler'
+  require 'bundler/setup'
 rescue LoadError => e
-  warn e.message
-  warn "Run `gem install bundler` to install Bundler."
-  exit -1
-end
-
-begin
-  Bundler.setup(:development)
-rescue Bundler::BundlerError => e
-  warn e.message
-  warn "Run `bundle install` to install missing gems."
-  exit e.status_code
+  abort e.message
 end
 
 require 'rake'
+require 'time'
 
 require 'rubygems/tasks'
 Gem::Tasks.new
@@ -26,11 +17,18 @@ Gem::Tasks.new
 namespace :db do
   desc 'Updates data/ruby-advisory-db'
   task :update do
+    timestamp = nil
+
     chdir 'data/ruby-advisory-db' do
       sh 'git', 'pull', 'origin', 'master'
+
+      File.open('../ruby-advisory-db.ts','w') do |file|
+        file.write Time.parse(`git log --pretty="%cd" -1`).utc
+      end
     end
 
     sh 'git', 'commit', 'data/ruby-advisory-db',
+                        'data/ruby-advisory-db.ts',
                         '-m', 'Updated ruby-advisory-db'
   end
 end
@@ -44,7 +42,7 @@ namespace :spec do
 
     %w[secure unpatched_gems insecure_sources].each do |bundle|
       chdir(File.join(root,bundle)) do
-        sh 'BUNDLE_BIN_PATH="" BUNDLE_GEMFILE="" RUBYOPT="" bundle install --path ../../../vendor/bundle'
+        sh 'unset BUNDLE_BIN_PATH BUNDLE_GEMFILE RUBYOPT && bundle install --path ../../../vendor/bundle'
       end
     end
   end

data/data/ruby-advisory-db/CONTRIBUTORS.md

@@ -12,3 +12,12 @@ Thanks,
 * [Larry W. Cashdollar](http://vapid.dhs.org/)
 * [Michael Grosser](https://github.com/grosser)
 * [Sascha Korth](https://github.com/skorth)
+* [David Radcliffe](https://github.com/dwradcliffe)
+* [Jörg Schiller](https://github.com/joergschiller)
+* [Derek Prior](https://github.com/derekprior)
+* [Joel Chippindale](https://github.com/mocoso)
+* [Josef Šimánek](https://github.com/simi)
+* [Amiel Martin](https://github.com/amiel)
+* [Jeremy Olliver](https://github.com/jeremyolliver)
+* [Vasily Vasinov](https://github.com/vasinov)
+* [Phill MV](https://twitter.com/phillmv)

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml

@@ -0,0 +1,20 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6415
+osvdb: 100524
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
+title: XSS Vulnerability in number_to_currency
+date: 2013-12-03
+
+description: |
+  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
+  The number_to_currency helper allows users to nicely format a numeric value. One
+  of the parameters to the helper (unit) is not escaped correctly.  Applications
+  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml

@@ -0,0 +1,21 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6414
+osvdb: 100525
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
+title: Denial of Service Vulnerability in Action View
+date: 2013-12-03
+
+description: |
+  There is a denial of service vulnerability in the header handling component of 
+  Action View.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 2.3.0
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml

@@ -0,0 +1,27 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6416
+osvdb: 100526
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
+title: XSS Vulnerability in simple_format helper
+date: 2013-12-03
+
+description: |
+  There is a vulnerability in the simple_format helper in Ruby on Rails.
+  The simple_format helper converts user supplied text into html text 
+  which is intended to be safe for display. A change made to the 
+  implementation of this helper means that any user provided HTML 
+  attributes will not be escaped correctly. As a result of this error, 
+  applications which pass user-controlled data to be included as html 
+  attributes will be vulnerable to an XSS attack.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 2.3.0
+  - ~> 3.1.0
+  - ~> 3.2.0
+
+patched_versions:
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-6417
+osvdb: 100527
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
+title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
+date: 2013-12-03
+
+description: |
+  The prior fix to CVE-2013-0155 was incomplete and the use of common
+  3rd party libraries can accidentally circumvent the protection. Due
+  to the way that Rack::Request and Rails::Request interact, it is
+  possible for a 3rd party or custom rack middleware to parse the
+  parameters insecurely and store them in the same key that Rails uses
+  for its own parameters.  In the event that happens the application
+  will receive unsafe parameters and could be vulnerable to the earlier
+  vulnerability. 
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml

@@ -0,0 +1,22 @@
+---
+gem: actionpack
+framework: rails
+cve: 2013-4491
+osvdb: 100528
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+title: Reflective XSS Vulnerability in Ruby on Rails
+date: 2013-12-03
+
+description: |
+  There is a vulnerability in the internationalization component of Ruby on
+  Rails. Under certain common configurations an attacker can provide specially
+  crafted input which will execute a reflective XSS attack.
+  
+  The root cause of this issue is a vulnerability in the i18n gem which has
+  been assigned the identifier CVE-2013-4492.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.16
+  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml

@@ -0,0 +1,24 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0081
+osvdb: 103439
+url: http://osvdb.org/show/osvdb/103439
+title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw that allows a cross-site scripting (XSS) attack.
+  This flaw exists because the actionpack/lib/action_view/helpers/number_helper.rb
+  script does not validate input to the 'number_to_currency', 'number_to_percentage',
+  and 'number_to_human' helpers before returning it to users. This may allow a
+  remote attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+
+cvss_v2: 
+
+patched_versions:
+  - ~> 3.2.17
+  - ~> 4.0.3
+  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml

@@ -0,0 +1,22 @@
+---
+gem: actionpack
+framework: rails
+cve: 2014-0082
+osvdb: 103440
+url: http://osvdb.org/show/osvdb/103440
+title: Denial of Service Vulnerability in Action View when using render :text
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw in actionpack/lib/action_view/template/text.rb
+  in the text rendering component of Action View that is triggered when
+  handling MIME types that are converted to symbols. This may allow a
+  remote attacker to cause a denial of service.
+
+cvss_v2: 
+
+unaffected_versions:
+  - ~> 4.0.0
+
+patched_versions:
+  - ">= 3.2.17"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml

@@ -0,0 +1,23 @@
+---
+gem: activerecord
+framework: rails
+cve: 2014-0080
+osvdb: 103438
+url: http://osvdb.org/show/osvdb/103438
+title: Data Injection Vulnerability in Active Record
+date: 2014-02-18
+
+description: |
+  Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb
+  in Active Record. This issue may allow a remote attacker to inject data
+  into PostgreSQL array columns via a specially crafted string.
+
+cvss_v2: 
+
+unaffected_versions:
+  - "< 3.2.0"
+  - ~> 3.2.0
+
+patched_versions:
+  - ~> 4.0.3
+  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml

@@ -0,0 +1,15 @@
+---
+gem: Arabic-Prawn
+osvdb: 104365
+url: http://osvdb.org/show/osvdb/104365
+title: Arabic-Prawn Gem for Ruby contains a flaw
+date: 2014-03-10
+
+description: |
+  Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
+  file. The issue is due to the program failing to sanitize user input. This may
+  allow a remote attacker to inject arbitrary commands.
+
+cvss_v2:
+
+patched_versions:

data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml

@@ -8,8 +8,8 @@ date: 2013-10-22
 description: Cocaine Gem for Ruby contains a flaw that is due to the method
   of variable interpolation used by the program. With a specially crafted
   object, a context-dependent attacker can execute arbitrary commands.
-cvss_v2:
+cvss_v2: 6.8
 unaffected_versions:
-  - ~> 0.3.0
+  - < 0.4.0
 patched_versions: 
   - '>= 0.5.3'

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml

@@ -10,7 +10,7 @@ description: |
   context-dependent attacker to potentially execute arbitrary code.
 date: 2013-01-09
 
-cvss_v2: 9.3
+cvss_v2: 7.5
 
 patched_versions:
   - ">= 0.3.2"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml

@@ -8,5 +8,5 @@ date: 2013-03-12
 
 description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
 
-cvss_v2: 9.3
+cvss_v2: 7.5
 

data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml

@@ -0,0 +1,11 @@
+---
+gem: echor
+osvdb: 102129
+url: http://osvdb.org/show/osvdb/102129
+title: Echor Gem for Ruby contains a flaw
+date: 2014-01-14
+description: Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request function that is triggered when
+  a semi-colon (;) is injected into a username or password. This may allow a context-dependent attacker to inject
+  arbitrary commands if the gem is used in a rails application.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml

@@ -0,0 +1,10 @@
+---
+gem: echor
+osvdb: 102130
+url: http://osvdb.org/show/osvdb/102130
+title: Echor Gem for Ruby contains a flaw
+date: 2014-01-14
+description: Echor Gem for Ruby contains a flaw that is due to the program exposing credential information in the
+  system process listing. This may allow a local attacker to gain access to plaintext credential information.
+cvss_v2:
+patched_versions:

data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml

@@ -0,0 +1,14 @@
+---
+gem: gitlab-grit
+cve: 2013-4489
+osvdb: 99370
+url: http://www.osvdb.org/show/osvdb/99370
+title: GitLab Grit Gem for Ruby contains a flaw
+date: 2013-11-04
+description: GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script.
+  The issue is triggered when input passed via the code search box is not properly sanitized,
+  which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to
+  execute arbitrary commands.
+cvss_v2:
+patched_versions: 
+  - '>= 2.6.1'

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml

@@ -1,19 +1,14 @@
 ---
 gem: httparty
-cve: 2013-1802
+cve: 2013-1801
 osvdb: 90741
 url: http://osvdb.org/show/osvdb/90741
-title:
-  httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
 date: 2013-01-14
-
 description: |
   httparty Gem for Ruby contains a flaw that is triggered when a type casting
   error occurs during the parsing of parameters. This may allow a
   context-dependent attacker to potentially execute arbitrary code.
-
-cvss_v2: 9.3
-
+cvss_v2: 7.5
 patched_versions:
   - ">= 0.10.0"
-

data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml

@@ -0,0 +1,17 @@
+---
+gem: i18n
+cve: 2013-4492
+osvdb: 100528
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
+title: i18n missing translation error message XSS
+date: 2013-12-03
+
+description: |
+  The HTML exception message raised by I18n::MissingTranslation fails
+  to escape the keys.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ~> 0.5.1
+  - '>= 0.6.6'

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml

@@ -0,0 +1,12 @@
+---
+gem: nokogiri
+cve: 2013-6460
+osvdb: 101179
+url: http://www.osvdb.org/show/osvdb/101179
+title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
+date: 2013-12-14
+description: Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of service. The issue is triggered when handling a specially crafted XML document, which can result in an infinite loop. This may allow a context-dependent attacker to crash the server.
+cvss_v2:
+patched_versions: 
+  - ~> 1.5.11
+  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml

@@ -0,0 +1,15 @@
+---
+gem: nokogiri
+cve: 2013-6461
+osvdb: 101458
+url: http://www.osvdb.org/show/osvdb/101458
+title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS 
+date: 2013-12-14
+description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
+  The issue is due to an incorrectly configured XML parser accepting XML external entities from
+  an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
+  loop and crash the program.
+cvss_v2:
+patched_versions: 
+  - ~> 1.5.11
+  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml

@@ -11,7 +11,7 @@ description: |
   to execute arbitrary code. This vulnerability has to do with type casting
   during parsing, and is related to CVE-2013-0156.
 
-cvss_v2: 10.0
+cvss_v2: 7.5
 
 patched_versions:
   - ~> 1.0.3

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml

@@ -0,0 +1,22 @@
+---
+gem: omniauth-facebook
+cve: 2013-4562
+osvdb: 99693
+url: http://www.osvdb.org/show/osvdb/99693
+title: omniauth-facebook Gem for Ruby Unspecified CSRF 
+date: 2013-11-12
+
+description: |
+  omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
+  require multiple steps, explicit confirmation, or a unique token when
+  performing certain sensitive actions. By tricking a user into following
+  a specially crafted link, a context-dependent attacker can perform a
+  Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
+  perform an unspecified action.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.5.0"
+unaffected_versions:
+  - "<= 1.4.0"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml

@@ -0,0 +1,17 @@
+---
+gem: omniauth-facebook
+cve: 2013-4593
+osvdb: 99888
+url: http://www.osvdb.org/show/osvdb/99888
+title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass 
+date: 2013-11-14
+
+description: |
+  omniauth-facebook Gem for Ruby contains a flaw that is due to the application
+  supporting passing the access token via the URL. This may allow a remote
+  attacker to bypass authentication and authenticate as another user.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.5.1"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml

@@ -0,0 +1,13 @@
+---
+gem: paperclip
+osvdb: 103151
+url: http://osvdb.org/show/osvdb/103151
+title: Paperclip Gem for Ruby contains a flaw
+date: 2014-01-31
+description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
+  validate the file extension, instead only validating the Content-Type header during file uploads.
+  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
+  spoofing the content-type.
+cvss_v2:
+patched_versions:
+  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml

@@ -0,0 +1,12 @@
+---
+gem: paratrooper-newrelic
+cve: 2014-1234
+osvdb: 101839
+url: http://www.osvdb.org/show/osvdb/101839
+title: Paratrooper-newrelic Gem for Ruby contains a flaw
+date: 2014-01-08
+description: Paratrooper-newrelic Gem for Ruby contains a flaw in /lib/paratrooper-newrelic.rb.
+  The issue is triggered when the script exposes the API key, allowing a local attacker to
+  gain access to it by monitoring the process tree.
+cvss_v2: 2.1
+patched_versions: 

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml

@@ -0,0 +1,13 @@
+---
+gem: paratrooper-pingdom
+cve: 2014-1233
+osvdb: 101847
+url: http://www.osvdb.org/show/osvdb/101847
+title: Paratrooper-pingdom Gem for Ruby contains a flaw
+date: 2013-12-26
+description: paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb.
+  The issue is triggered when the script exposes API login credentials, allowing a local
+  attacker to gain access to the API key, username, and password for the API login by
+  monitoring the process tree.
+cvss_v2: 2.1
+patched_versions: 

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml

@@ -14,7 +14,7 @@ description: |
   code. This attack is more practical against 'cloud' users as intra-cloud
   latencies are sufficiently low to make the attack viable.
 
-cvss_v2: 7.6
+cvss_v2: 5.1
 patched_versions: 
 - ~> 1.1.6
 - ~> 1.2.8

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml

@@ -0,0 +1,20 @@
+---
+gem: rbovirt
+cve: 2014-0036
+osvdb: 104080
+url: http://osvdb.org/show/osvdb/104080
+title: rbovirt Gem for Ruby contains a flaw
+date: 2014-03-05
+
+description: |
+  rbovirt Gem for Ruby contains a flaw related to certificate validation.
+  The issue is due to the program failing to validate SSL certificates. This may
+  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
+  poisoning) to spoof the SSL server via an arbitrary certificate that appears
+  valid. Such an attack would allow for the interception of sensitive traffic,
+  and potentially allow for the injection of content into the SSL stream.
+
+cvss_v2:
+
+patched_versions:
+  - '>= 0.0.24'