RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml ADDED

@@ -0,0 +1,22 @@
+---
+gem: twitter-bootstrap-rails
+framework: rails
+cve: 2014-4920
+osvdb: 109206
+url: http://blog.nvisium.com/2014/03/reflected-xss-vulnerability-in-twitter.html
+title: Reflective XSS Vulnerability in twitter-bootstrap-rails
+date: 2014-03-25
+description: |
+  The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a
+  reflected cross-site scripting (XSS) attack. This flaw exists because the
+  bootstrap_flash helper method does not validate input when handling flash
+  messages before returning it to users. This may allow a context-dependent
+  attacker to create a specially crafted request that would execute arbitrary
+  script code in a user's browser session within the trust relationship between
+  their browser and the server.
+cvss_v2:
+patched_versions:
+  - ">= 3.2.0"

data/data/ruby-advisory-db/gems/uglifier/OSVDB-126747.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: uglifier
+osvdb: 126747
+url: https://github.com/mishoo/UglifyJS2/issues/751
+title: uglifier incorrectly handles non-boolean comparisons during minification
+date: 2015-07-21
+description: |
+  The upstream library for the Ruby uglifier gem, UglifyJS, is
+  affected by a vulnerability that allows a specially crafted
+  Javascript file to have altered functionality after minification.
+  This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated
+  to allow potentially malicious code to be hidden within secure code,
+  and activated by the minification process.
+  For more information, consult: https://zyan.scripts.mit.edu/blog/backdooring-js/
+patched_versions:
+  - ">= 2.7.2"

data/data/ruby-advisory-db/gems/web-console/CVE-2015-3224.yml ADDED

@@ -0,0 +1,22 @@
+---
+gem: web-console
+cve: 2015-3224
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
+title: |
+  IP whitelist bypass in Web Console
+date: 2015-06-16
+description: |
+  Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).
+  Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.
+  All affected users should either upgrade or use one of the work arounds immediately.
+  To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
+patched_versions:
+  - ">= 2.1.3"

data/data/ruby-advisory-db/gems/web-console/OSVDB-112346.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: web-console
+osvdb: 112346
+url: http://www.osvdb.org/show/osvdb/112346
+title: Web Console Gem for Ruby contains an unspecified flaw
+date: 2014-09-29
+description: The Web Console Gem for Ruby on Rails contains an unspecified flaw that
+  may allow an attacker to have an unspecified impact. No further details have been
+  provided by the vendor.
+cvss_v2:
+patched_versions:
+  - ">= 2.0.0.beta4"

data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml CHANGED

@@ -1,11 +1,12 @@
 ---
 gem: webbynode
+cve: 2013-7086
 osvdb: 100920
 url: http://osvdb.org/show/osvdb/100920
-title: Webbynode Gem for Ruby contains a flaw
+title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution
 date: 2013-12-12
-description: Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
+description: |
+  Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
   when handling a specially crafted growlnotify message. This may allow a
   context-dependent attacker to execute arbitrary commands.
 cvss_v2: 7.5
-patched_versions:

data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml CHANGED

@@ -9,6 +9,6 @@ description: Wicked Gem for Ruby contains a flaw that is due to the program
   failing to properly sanitize input passed via the 'the_step' parameter
   upon submission to the render_redirect.rb script.
   This may allow a remote attacker to gain access to arbitrary files.
-cvss_v2:
-patched_versions:
+cvss_v2: 5.0
+patched_versions:
   - '>= 1.0.1'

data/data/ruby-advisory-db/gems/xaviershay-dm-rails/OSVDB-118579.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: xaviershay-dm-rails
+cve: 2015-2179
+osvdb: 118579
+url: http://osvdb.org/show/osvdb/118579
+title: |
+  xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
+date: 2015-02-17
+description: |
+  xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
+  in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
+  due to the function exposing sensitive information via the process table.
+  This may allow a local attack to gain access to MySQL credential information.

data/data/ruby-advisory-db/lib/cf_scrape.py ADDED

@@ -0,0 +1,5 @@
+import cfscrape
+import sys
+scraper = cfscrape.create_scraper() # returns a requests.Session object
+print scraper.get(sys.argv[1]).content

data/data/ruby-advisory-db/lib/{scrape.rb → osvdb_scrape.rb} RENAMED

@@ -1,22 +1,27 @@
-require 'rubygems'
-require 'bundler/setup'
 require 'pry'
-require 'mechanize'
+require 'nokogiri'
 require 'yaml'
 require 'date'
 class OSVDB
   attr_accessor :osvdb, :cve, :title, :description, :date, :cvss_v2, :gem, :url, :patched_versions, :page
-  def initialize(url)
-    self.url = url
+  def initialize(osvdb)
+    self.osvdb = osvdb
+    self.url = "http://osvdb.org/show/osvdb/#{self.osvdb}"
+    scrape!
     parse!
   end
-  def parse!
-    mech = Mechanize.new
-    self.page = mech.get(url)
+  def scrape!
+    html = `bash --login -c "python cf_scrape.py #{self.url}"`
+    doc = Nokogiri::XML(html) do |config|
+      config.nonet.noent
+    end
+    self.page = doc
+  end
+  def parse!
     page.search(".show_vuln_table").search("td ul li").each do |li|
       case li.children[0].text.strip
       when "CVE ID:"
@@ -29,7 +34,6 @@ class OSVDB
     self.description = page.search(".show_vuln_table").search("tr td tr .white_content p")[0].text
     self.date = page.search(".show_vuln_table").search("tr td tr .white_content tr td")[0].text
     self.title = page.search("title").text.gsub(/\d+: /, "")
-    self.osvdb = page.search("title").text.match(/\d+/)[0]
     if cvss_p = page.search(".show_vuln_table").search("tr td tr .white_content div p")[0]
       self.set_cvss(cvss_p.children[0].text)
     end
@@ -68,7 +72,8 @@ class OSVDB
       'date' => date,
       'description' => description,
       'cvss_v2' => cvss_v2,
-      'patched_versions' => patched_versions }.to_yaml
+      'patched_versions' => patched_versions
+    }.to_yaml(options = { line_width: 80 })
   end
   def filename

data/data/ruby-advisory-db/libraries/rubygems/CVE-2013-4287.yml ADDED

@@ -0,0 +1,19 @@
+---
+library: rubygems
+cve: 2013-4287
+osvdb: 97163
+url: http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
+title: RubyGems Multiple API Call Version Validation CPU Consumption DoS
+date: 2013-09-09
+description: |
+  RubyGems contains a flaw that may allow a denial of service. The issue is
+  triggered when handling the gem build, Gem::Package, or Gem::PackageTask API
+  calls, which attempt to validate the version of the program. This may allow a
+  context-dependent attacker to cause a consumption of CPU resources and crash
+  the program.
+cvss_v2: 4.3
+patched_versions:
+  - ~> 1.8.23.1
+  - ~> 1.8.26
+  - ~> 2.0.8
+  - ">= 2.1.0"

data/data/ruby-advisory-db/libraries/rubygems/CVE-2013-4363.yml ADDED

@@ -0,0 +1,20 @@
+---
+library: rubygems
+cve: 2013-4363
+osvdb: 97163
+url: http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
+title: RubyGems Multiple API Call Version Validation CPU Consumption DoS
+date: 2013-09-24
+description: |
+  RubyGems contains a flaw that may allow a denial of service. The issue is
+  triggered when handling the gem build, Gem::Package, or Gem::PackageTask API
+  calls, which attempt to validate the version of the program. This may allow a
+  context-dependent attacker to cause a consumption of CPU resources and crash
+  the program. This vulnerability is due to an incomplete fix for
+  CVE-2013-4287, which allowed a denial of service via improper validation.
+cvss_v2: 4.3
+patched_versions:
+  - ~> 1.8.23.2
+  - ~> 1.8.27
+  - ~> 2.0.10
+  - ">= 2.1.5"

data/data/ruby-advisory-db/libraries/rubygems/CVE-2015-3900.yml ADDED

@@ -0,0 +1,19 @@
+---
+library: rubygems
+cve: 2015-3900
+osvdb: 122162
+url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
+title: |
+  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
+  Hostname Validation Request Hijacking
+date: 2015-05-14
+description: |
+  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
+  that is triggered when handling hostnames in SRV records. With a specially
+  crafted response, a context-dependent attacker may conduct DNS hijacking
+  attacks.
+cvss_v2: 5.0
+patched_versions:
+  - ~> 2.0.16
+  - ~> 2.2.4
+  - ">= 2.4.7"

data/data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml ADDED

@@ -0,0 +1,19 @@
+---
+library: rubygems
+cve: 2015-4020
+url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
+title: |
+  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
+  Hostname Validation Request Hijacking
+date: 2015-06-08
+description: |
+  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
+  that is triggered when handling hostnames in SRV records. With a specially
+  crafted response, a context-dependent attacker may conduct DNS hijacking
+  attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,
+  which allowed redirection to an arbitrary gem server in any security domain.
+cvss_v2: 5.0
+patched_versions:
+  - ~> 2.0.17
+  - ~> 2.2.5
+  - ">= 2.4.8"

data/data/ruby-advisory-db/libraries/rubygems/OSVDB-33561.yml ADDED

@@ -0,0 +1,17 @@
+---
+library: rubygems
+cve: 2007-0469
+osvdb: 33561
+url: http://www.osvdb.org/show/osvdb/33561
+title: |
+  RubyGems installer.rb extract_files Function Crafted GEM Package Arbitrary
+  File Overwrite
+date: 2007-01-22
+description: |
+  The extract_files function in installer.rb in RubyGems before 0.9.1 does not
+  check whether files exist before overwriting them, which allows user-assisted
+  remote attackers to overwrite arbitrary files, cause a denial of service, or
+  execute arbitrary code via crafted GEM packages.
+cvss_v2: 9.3
+patched_versions:
+  - ">= 0.9.1"

data/data/ruby-advisory-db/libraries/rubygems/OSVDB-81444.yml ADDED

@@ -0,0 +1,14 @@
+---
+library: rubygems
+cve: 2012-2126
+osvdb: 81444
+url: http://www.osvdb.org/show/osvdb/81444
+title: RubyGems SSL Certificate Validation MitM Spoofing Weakness
+date: 2012-04-20
+description: |
+  RubyGems contains a flaw related to the validation of SSL certificates when
+  accessing certain services and APIs. This may allow a man-in-the-middle
+  attacker to spoof a valid server.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 1.8.23"

data/data/ruby-advisory-db/libraries/rubygems/OSVDB-85809.yml ADDED

@@ -0,0 +1,16 @@
+---
+library: rubygems
+cve: 2012-2125
+osvdb: 85809
+url: http://www.osvdb.org/show/osvdb/85809
+title: |
+  RubyGems HTTPS to HTTP Redirection MitM Downloaded Installation File
+  Manipulation
+date: 2012-09-25
+description: |
+  RubyGems contains a flaw that is triggered by the gem fetcher allowing for
+  redirection of HTTPS to HTTP. This may allow a remote attacker to conduct a
+  man-in-the-middle attack to alter downloaded gem installation files.
+cvss_v2: 5.8
+patched_versions:
+  - ">= 1.8.23"

data/data/ruby-advisory-db/rubies/jruby/CVE-2010-1330.yml ADDED

@@ -0,0 +1,17 @@
+---
+engine: jruby
+cve: 2010-1330
+osvdb: 77297
+url: http://jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability
+title: |
+  JRuby XSS in the regular expression engine when processing invalid UTF-8 byte
+  sequences
+date: 2010-04-26
+description: |
+  The regular expression engine in JRuby before 1.4.1, when $KCODE is set to
+  'u', does not properly handle characters immediately after a UTF-8
+  character, which allows remote attackers to conduct cross-site scripting
+  (XSS) attacks via a crafted string.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 1.4.1"

data/data/ruby-advisory-db/rubies/jruby/CVE-2011-4838.yml ADDED

@@ -0,0 +1,15 @@
+---
+engine: jruby
+cve: 2011-4838
+osvdb: 78116
+url: http://jruby.org/2011/12/27/jruby-1-6-5-1
+title: JRuby Hash Collision Form Parameter Parsing Remote DoS
+date: 2011-12-27
+description: |
+  JRuby contains a flaw that may allow a remote denial of service. The issue is
+  triggered when an attacker sends multiple crafted parameters which trigger
+  hash collisions, and will result in loss of availability for the program via
+  CPU consumption.
+cvss_v2: 7.8
+patched_versions:
+  - ">= 1.6.5.1"

data/data/ruby-advisory-db/rubies/jruby/CVE-2012-5370.yml ADDED

@@ -0,0 +1,17 @@
+---
+engine: jruby
+cve: 2012-5370
+osvdb: 87864
+url: http://jruby.org/2012/12/03/jruby-1-7-1
+title: JRuby MurmurHash Implementation Hash Collision Remote DoS
+date: 2012-11-23
+description: |
+  JRuby contains a flaw related to the MurmurHash implementation that may allow
+  a remote denial of service. The issue is triggered when hash values are
+  computed without having the ability to cause hash collisions restricted. When
+  sending specially crafted input to an application maintaining a hash table, a
+  context-dependent attacker can cause a consumption of CPU resources. This
+  will result in a loss of availability for the program.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.7.1"

data/data/ruby-advisory-db/rubies/jruby/OSVDB-94644.yml ADDED

@@ -0,0 +1,12 @@
+---
+engine: jruby
+osvdb: 94644
+url: http://www.osvdb.org/show/osvdb/94644
+title: JRuby Null Byte Request Arbitrary File Access
+date: 2010-05-26
+description: |
+  JRuby contains a flaw that is due to the program failing to properly check
+  for null byte requests in certain file operations. This may allow a remote
+  attacker to gain access to arbitrary files. No further details are available.
+patched_versions:
+  - ">= 1.6.2"

data/data/ruby-advisory-db/rubies/rbx/OSVDB-78119.yml ADDED

@@ -0,0 +1,13 @@
+---
+engine: rbx
+osvdb: 78119
+url: http://www.osvdb.org/show/osvdb/78119
+title: Rubinius Hash Collision Form Parameter Parsing Remote DoS
+date: 2011-12-28
+description: |
+  Rubinius contains a flaw that may allow a remote denial of service. The issue
+  is triggered when an attacker sends multiple crafted parameters which trigger
+  hash collisions, and will result in loss of availability for the program via
+  CPU consumption.
+patched_versions:
+  - ">= 1.3.1"

data/data/ruby-advisory-db/rubies/rbx/OSVDB-87861.yml ADDED

@@ -0,0 +1,17 @@
+---
+engine: rbx
+cve: 2012-5372
+osvdb: 87861
+url: http://www.osvdb.org/show/osvdb/87861
+title: Rubinius MurmurHash3 Implementation Hash Collision Remote DoS
+date: 2012-11-23
+description: |
+  Rubinius contains a flaw related to the MurmurHash3 implementation that may
+  allow a remote denial of service. The issue is triggered when hash values
+  are computed without having the ability to cause hash collisions restricted.
+  When sending specially crafted input to an application maintaining a hash
+  table, a context-dependent attacker can cause a consumption of CPU resources.
+  This will result in a loss of availability for the program.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.3.1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml ADDED

@@ -0,0 +1,16 @@
+---
+engine: ruby
+cve: 2007-5162
+url: https://www.ruby-lang.org/en/news/2007/10/04/net-https-vulnerability/
+title: Ruby Net::HTTPS library does not validate server certificate CN
+date: 2007-09-27
+description: |
+  The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS
+  libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN)
+  field in a server certificate matches the domain name in an HTTPS request,
+  which makes it easier for remote attackers to intercept SSL transmissions via
+  a man-in-the-middle attack or spoofed web site.
+cvss_v2: 4.3
+patched_versions:
+  - ~> 1.8.5.114
+  - ">= 1.8.6.111"

data/data/ruby-advisory-db/rubies/ruby/CVE-2007-5770.yml ADDED

@@ -0,0 +1,17 @@
+---
+engine: ruby
+cve: 2007-5770
+url: http://www.cvedetails.com/cve/CVE-2007-5770/
+title: Ruby Net::HTTPS library does not validate server certificate CN
+date: 2007-10-08
+description: |
+  The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5)
+  Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the
+  commonName (CN) field in a server certificate matches the domain name in a
+  request sent over SSL, which makes it easier for remote attackers to
+  intercept SSL transmissions via a man-in-the-middle attack or spoofed web
+  site, different components than CVE-2007-5162.
+cvss_v2: 4.3
+patched_versions:
+  - ~> 1.8.6.230
+  - ">= 1.8.7"