RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125676.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: sidekiq
+osvdb: 125676
+url: https://github.com/mperham/sidekiq/issues/2330
+title: |
+  Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element
+  Reflected XSS
+date: 2015-06-04
+description: XSS via queue name in Sidekiq::Web
+patched_versions:
+  - ">= 3.4.0"
+related:
+  osvdb:
+    - 125677

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125678.yml ADDED

@@ -0,0 +1,9 @@
+---
+gem: sidekiq
+osvdb: 125678
+url: https://github.com/mperham/sidekiq/pull/2309
+title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
+date: 2015-04-21
+description: XSS via job arguments display class in Sidekiq::Web
+patched_versions:
+  - ">= 3.4.0"

data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml CHANGED

@@ -5,9 +5,10 @@ osvdb: 96278
 url: http://www.osvdb.org/show/osvdb/96278
 title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
 date: 2013-08-14
-description: Sounder Gem for Ruby contains a flaw that is triggered during the handling
-  of file names. This may allow a context-dependent attacker to execute arbitrary
-  commands.
+description: |
+  Sounder Gem for Ruby contains a flaw that is triggered during the handling
+  of file names. This may allow a context-dependent attacker to execute
+  arbitrary commands.
 cvss_v2: 7.5
 patched_versions:
-- '>= 1.0.2'
+  - ">= 1.0.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-119205.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: spree
+osvdb: 119205
+url: https://spreecommerce.com/blog/security-updates-2015-3-3
+title: Spree API Information Disclosure CSRF
+date: 2015-03-05
+description: |
+  Spree contains a flaw in the API as HTTP requests do not require multiple
+  steps, explicit confirmation, or a unique token when performing certain
+  sensitive actions. By tricking a user into following a specially crafted
+  link, a context-dependent attacker can perform a Cross-Site Request Forgery
+  (CSRF / XSRF) attack causing the victim to disclose potentially sensitive
+  information to attackers.
+patched_versions:
+  - ~> 2.2.10
+  - ~> 2.3.8
+  - ~> 2.4.5
+  - ">= 3.0.0.rc4"

data/data/ruby-advisory-db/gems/spree/OSVDB-125699.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: spree
+osvdb: 125699
+url: https://spreecommerce.com/blog/security-updates-2015-7-28
+title: |
+  Spree RABL templates rendering allows Arbitrary Code Execution and File
+  Disclosure
+date: 2015-07-28
+description: |
+  Spree contains a flaw where the rendering of arbitrary RABL templates allows
+  for execution arbitrary files on the host system, as well as disclosing the
+  existence of files on the system. This is a different issue than
+  OSVDB-125701.
+patched_versions:
+  - ~> 2.2.13
+  - ~> 2.3.12
+  - ~> 2.4.9
+  - ">= 3.0.3"

data/data/ruby-advisory-db/gems/spree/OSVDB-125701.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: spree
+osvdb: 125701
+url: https://spreecommerce.com/blog/security-updates-2015-7-20
+title: |
+  Spree RABL templates rendering allows Arbitrary Code Execution and File
+  Disclosure
+date: 2015-07-20
+description: |
+  Spree contains a flaw where the rendering of arbitrary RABL templates allows
+  for execution arbitrary files on the host system, as well as disclosing the
+  existence of files on the system.
+patched_versions:
+  - ~> 2.2.12
+  - ~> 2.3.11
+  - ~> 2.4.8
+  - ">= 3.0.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125712.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: spree
+osvdb: 125712
+url: https://spreecommerce.com/blog/security-issue-all-versions
+title: |
+  Product Scopes could allow for unauthenticated remote command execution
+date: 2012-07-02
+description: |
+  Product Scopes could allow for unauthenticated remote command execution.
+  This was corrected by removing conditions_any scope and use ARel query
+  building instead.
+patched_versions:
+  - ~> 0.11.4
+  - ~> 0.70.6
+  - ~> 1.0.5
+  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125713.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: spree
+osvdb: 125713
+url: https://spreecommerce.com/blog/security-issue-all-versions
+title: |
+  Potential XSS vulnerability related to the analytics dashboard
+date: 2012-07-02
+description: |
+  Spree has a flaw in its analytics dashboard where keywords are not escaped,
+  leading to potential XSS.
+patched_versions:
+  - ~> 0.11.4
+  - ~> 0.70.6
+  - ~> 1.0.5
+  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-69098.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: spree
+cve: 2010-3978
+osvdb: 69098
+url: https://spreecommerce.com/blog/json-hijacking-vulnerability
+title: |
+  Spree Multiple Script JSON Request Validation Weakness Remote Information
+  Disclosure
+date: 2010-11-02
+description: |
+  Spree contains a flaw that may lead to an unauthorized information
+  disclosure. The issue is triggered when the application exchanges data using
+  the JSON service without validating requests, which will disclose sensitive
+  user and order information to a context-dependent attacker when a logged-in
+  user visits a crafted website.
+cvss_v2: 5.0
+patched_versions:
+  - ~> 0.11.2
+  - ">= 0.30.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-73751.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: spree
+osvdb: 73751
+url: https://spreecommerce.com/blog/security-fixes
+title: Spree Content Controller Unspecified Arbitrary File Disclosure
+date: 2011-04-19
+description: |
+  Spree Gem for Ruby would allow a user to request a specially crafted URL and
+  expose arbitrary files on the server
+patched_versions:
+  - ">= 0.50.1"

data/data/ruby-advisory-db/gems/spree/OSVDB-76011.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: spree
+osvdb: 76011
+url: https://spreecommerce.com/blog/remote-command-product-group
+title: |
+  Spree Search ProductScope Class search[send][] Parameter Arbitrary Command
+  Execution
+date: 2011-10-05
+description: |
+  The ProductScope class fails to properly sanitize user-supplied input via the
+  'search[send][]' parameter resulting in arbitrary command execution. With a
+  specially crafted request, a remote attacker can potentially cause arbitrary
+  command execution.
+patched_versions:
+  - ">= 0.60.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-81505.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: spree
+cve: 2008-7310
+osvdb: 81505
+url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment
+title: |
+  Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation
+date: 2008-09-22
+description: |
+  Spree contains a hash restriction weakness that occurs when parsing a
+  modified URL. This may allow an attacker to manipulate order state values.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-81506.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: spree
+cve: 2008-7311
+osvdb: 81506
+url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store
+title: |
+  Spree Hardcoded config.action_controller_session Hash Value Cryptographic
+  Protection Weakness
+date: 2008-08-12
+description: |
+  Spree contains a hardcoded flaw related to the
+  config.action_controller_session hash value. This may allow an attacker to
+  more easily bypass cryptographic protection.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-90865.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: spree
+cve: 2013-2506
+osvdb: 90865
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
+  Escalation
+date: 2013-02-21
+description: |
+  Spree contains a flaw that leads to unauthorized privileges being gained. The
+  issue is triggered as certain input related to mass role assignment in
+  app/models/spree/user.rb is not properly verified before being used to update
+  a user. This may allow a remote attacker to assign arbitrary roles and gain
+  elevated administrative privileges.
+cvss_v2: 4.0
+patched_versions:
+  - ~> 1.1.6
+  - ~> 1.2.0
+  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml CHANGED

@@ -2,10 +2,16 @@
 gem: spree
 cve: 2013-1656
 osvdb: 91216
-url: http://osvdb.org/show/osvdb/91216
-title: Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary Ruby Object Instantiation Command Execution
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary
+  Ruby Object Instantiation Command Execution
 date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_action' parameter to promotion_actions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+description: |
+  Spree contains a flaw that is triggered when handling input passed via the
+  'promotion_action' parameter to promotion_actions_controller.rb. This may
+  allow a remote authenticated attacker to instantiate arbitrary Ruby objects
+  and potentially execute arbitrary commands.
 cvss_v2: 4.3
 patched_versions:
   - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml CHANGED

@@ -2,10 +2,16 @@
 gem: spree
 cve: 2013-1656
 osvdb: 91217
-url: http://osvdb.org/show/osvdb/91217
-title: Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby Object Instantiation Command Execution
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby
+  Object Instantiation Command Execution
 date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'payment_method' parameter to payment_methods_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+description: |
+  Spree contains a flaw that is triggered when handling input passed via the
+  'payment_method' parameter to payment_methods_controller.rb. This may allow
+  a remote authenticated attacker to instantiate arbitrary Ruby objects and
+  potentially execute arbitrary commands.
 cvss_v2: 4.3
 patched_versions:
   - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml CHANGED

@@ -2,10 +2,16 @@
 gem: spree
 cve: 2013-1656
 osvdb: 91218
-url: http://osvdb.org/show/osvdb/91218
-title: Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby Object Instantiation Command Execution
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby
+  Object Instantiation Command Execution
 date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'calculator_type' parameter to promotions_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+description: |
+  Spree contains a flaw that is triggered when handling input passed via the
+  'calculator_type' parameter to promotions_controller.rb. This may allow a
+  remote authenticated attacker to instantiate arbitrary Ruby objects and
+  potentially execute arbitrary commands.
 cvss_v2: 4.3
 patched_versions:
   - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml CHANGED

@@ -2,10 +2,16 @@
 gem: spree
 cve: 2013-1656
 osvdb: 91219
-url: http://osvdb.org/show/osvdb/91219
-title: Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby Object Instantiation Command Execution
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby
+  Object Instantiation Command Execution
 date: 2013-02-21
-description: Spree contains a flaw that is triggered when handling input passed via the 'promotion_rule' parameter to promotion_rules_controller.rb. This may allow a remote authenticated attacker to instantiate arbitrary Ruby objects and potentially execute arbitrary commands.
+description: |
+  Spree contains a flaw that is triggered when handling input passed via the
+  'promotion_rule' parameter to promotion_rules_controller.rb. This may allow
+  a remote authenticated attacker to instantiate arbitrary Ruby objects and
+  potentially execute arbitrary commands.
 cvss_v2: 4.3
 patched_versions:
   - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree_auth/OSVDB-90865.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: spree_auth
+cve: 2013-2506
+osvdb: 90865
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
+  Escalation
+date: 2013-02-21
+description: |
+  Spree contains a flaw that leads to unauthorized privileges being gained. The
+  issue is triggered as certain input related to mass role assignment in
+  app/models/spree/user.rb is not properly verified before being used to update
+  a user. This may allow a remote attacker to assign arbitrary roles and gain
+  elevated administrative privileges.
+cvss_v2: 4.0

data/data/ruby-advisory-db/gems/spree_auth_devise/OSVDB-90865.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: spree_auth_devise
+cve: 2013-2506
+osvdb: 90865
+url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
+title: |
+  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
+  Escalation
+date: 2013-02-21
+description: |
+  Spree contains a flaw that leads to unauthorized privileges being gained. The
+  issue is triggered as certain input related to mass role assignment in
+  app/models/spree/user.rb is not properly verified before being used to update
+  a user. This may allow a remote attacker to assign arbitrary roles and gain
+  elevated administrative privileges.
+cvss_v2: 4.0
+patched_versions:
+  - ~> 1.1.6
+  - ~> 1.2.0
+  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/sprockets/CVE-2014-7819.yml ADDED

@@ -0,0 +1,27 @@
+---
+gem: sprockets
+cve: 2014-7819
+osvdb: 113965
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
+title: Arbitrary file existence disclosure in Sprockets
+date: 2014-10-30
+description: |
+  Specially crafted requests can be used to determine whether a file exists on
+  the filesystem that is outside an application's root directory.  The files
+  will not be served, but attackers can determine whether or not the file
+  exists.
+cvss_v2: 5.0
+patched_versions:
+  - ~> 2.0.5
+  - ~> 2.1.4
+  - ~> 2.2.3
+  - ~> 2.3.3
+  - ~> 2.4.6
+  - ~> 2.5.1
+  - ~> 2.7.1
+  - ~> 2.8.3
+  - ~> 2.9.4
+  - ~> 2.10.2
+  - ~> 2.11.3
+  - ~> 2.12.3
+  - ">= 3.0.0.beta.3"

data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml CHANGED

@@ -3,12 +3,14 @@ gem: sprout
 cve: 2013-6421
 osvdb: 100598
 url: http://www.osvdb.org/show/osvdb/100598
-title: Sprout Gem for Ruby contains a flaw
+title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution
 date: 2013-12-02
-description: sprout Gem for Ruby contains a flaw in the unpack_zip() function in archive_unpacker.rb.
-  The issue is due to the program failing to properly sanitize input passed via the 'zip_file', 'dir',
-  'zip_name', and 'output' parameters. This may allow a context-dependent attacker to execute arbitrary code.
+description: |
+  sprout Gem for Ruby contains a flaw in the unpack_zip() function in
+  archive_unpacker.rb. The issue is due to the program failing to properly
+  sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output'
+  parameters. This may allow a context-dependent attacker to execute arbitrary
+  code.
 cvss_v2: 7.5
-patched_versions:
 unaffected_versions:
   - '< 0.7.246'

data/data/ruby-advisory-db/gems/sup/CVE-2013-4478.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: sup
+cve: 2013-4478
+osvdb: 99074
+url: http://www.phenoelit.org/stuff/whatsup.txt
+title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
+date: 2013-10-29
+description: Sup MUA contains a flaw that is triggered when handling email
+  attachment content. This may allow a context-dependent attacker to execute
+  arbitrary commands.
+cvss_v2: 6.8
+patched_versions:
+  - "~> 0.13.2.1"
+  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4479.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: sup
+cve: 2013-4479
+osvdb: 99074
+url: http://www.phenoelit.org/stuff/whatsup.txt
+title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
+date: 2013-10-29
+description: Sup MUA contains a flaw that is triggered when handling email
+  attachment content. This may allow a context-dependent attacker to execute
+  arbitrary commands.
+cvss_v2: 6.8
+patched_versions:
+  - "~> 0.13.2.1"
+  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml CHANGED

@@ -7,4 +7,3 @@ title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injecti
 date: 2013-03-26
 description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
 cvss_v2: 7.5
-patched_versions: