bundler-audit 0.4.0 → 0.5.0

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml

@@ -0,0 +1,55 @@
+---
+gem: actionpack
+framework: rails
+cve: 2015-7581
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE"
+
+title: Object leak vulnerability for wildcard controller routes in Action Pack
+
+description: |
+  There is an object leak vulnerability for wildcard controllers in Action Pack. 
+  This vulnerability has been assigned the CVE identifier CVE-2015-7581. 
+
+  Versions Affected:  >= 4.0.0 and < 5.0.0.beta1 
+  Not affected:       < 4.0.0, 5.0.0.beta1 and newer 
+  Fixed Versions:     4.2.5.1, 4.1.14.1 
+
+  Impact 
+  ------ 
+  Users that have a route that contains the string ":controller" are susceptible 
+  to objects being leaked globally which can lead to unbounded memory growth. 
+  To identify if your application is vulnerable, look for routes that contain 
+  ":controller". 
+
+  Internally, Action Pack keeps a map of "url controller name" to "controller 
+  class name".  This map is cached globally, and is populated even if the 
+  controller class doesn't actually exist. 
+
+  All users running an affected release should either upgrade or use one of the 
+  workarounds immediately. 
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations. 
+
+  Workarounds 
+  ----------- 
+  There are no feasible workarounds for this issue. 
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 
+
+  * 4-1-wildcard_route.patch - Patch for 4.1 series 
+  * 4-2-wildcard_route.patch - Patch for 4.2 series 
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
+
+unaffected_versions:
+  - "< 4.0.0"
+  - ">= 5.0.0.beta1"
+
+patched_versions:
+  - "~> 4.2.5.1" 
+  - "~> 4.1.14.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml

@@ -0,0 +1,71 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-0751
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc"
+
+title: Possible Object Leak and Denial of Service attack in Action Pack
+
+description: |
+  There is a possible object leak which can lead to a denial of service 
+  vulnerability in Action Pack. This vulnerability has been 
+  assigned the CVE identifier CVE-2016-0751. 
+
+  Versions Affected:  All. 
+  Not affected:       None. 
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
+
+  Impact 
+  ------ 
+  A carefully crafted accept header can cause a global cache of mime types to 
+  grow indefinitely which can lead to a possible denial of service attack in 
+  Action Pack. 
+
+  All users running an affected release should either upgrade or use one of the 
+  workarounds immediately. 
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations. 
+
+  Workarounds 
+  ----------- 
+  This attack can be mitigated by a proxy that only allows known mime types in 
+  the Accept header. 
+
+  Placing the following code in an initializer will also mitigate the issue: 
+
+  ```ruby 
+  require 'action_dispatch/http/mime_type' 
+
+  Mime.const_set :LOOKUP, Hash.new { |h,k| 
+    Mime::Type.new(k) unless k.blank? 
+  } 
+  ``` 
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided patches for 
+  the two supported release series. They are in git-am format and consist of a 
+  single changeset. 
+
+  * 5-0-mime_types_leak.patch - Patch for 5.0 series 
+  * 4-2-mime_types_leak.patch - Patch for 4.2 series 
+  * 4-1-mime_types_leak.patch - Patch for 4.1 series 
+  * 3-2-mime_types_leak.patch - Patch for 3.2 series 
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
+  of earlier unsupported releases are advised to upgrade as soon as possible as we 
+  cannot guarantee the continued availability of security fixes for unsupported 
+  releases. 
+
+  Credits 
+  ------- 
+  Aaron Patterson <3<3
+
+patched_versions:
+  - "~> 5.0.0.beta1.1"
+  - "~> 4.2.5.1" 
+  - "~> 4.1.14.1"
+  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml

@@ -13,7 +13,7 @@ description: |
   of the parameters to the helper (unit) is not escaped correctly.  Applications
   which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.16

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml

@@ -8,10 +8,10 @@ title: Denial of Service Vulnerability in Action View
 date: 2013-12-03
 
 description: |
-  There is a denial of service vulnerability in the header handling component of 
+  There is a denial of service vulnerability in the header handling component of
   Action View.
 
-cvss_v2: 
+cvss_v2: 5.0
 
 unaffected_versions:
   - ~> 2.3.0

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml

@@ -9,14 +9,14 @@ date: 2013-12-03
 
 description: |
   There is a vulnerability in the simple_format helper in Ruby on Rails.
-  The simple_format helper converts user supplied text into html text 
-  which is intended to be safe for display. A change made to the 
-  implementation of this helper means that any user provided HTML 
-  attributes will not be escaped correctly. As a result of this error, 
-  applications which pass user-controlled data to be included as html 
+  The simple_format helper converts user supplied text into html text
+  which is intended to be safe for display. A change made to the
+  implementation of this helper means that any user provided HTML
+  attributes will not be escaped correctly. As a result of this error,
+  applications which pass user-controlled data to be included as html
   attributes will be vulnerable to an XSS attack.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 unaffected_versions:
   - ~> 2.3.0

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml

@@ -15,9 +15,9 @@ description: |
   parameters insecurely and store them in the same key that Rails uses
   for its own parameters.  In the event that happens the application
   will receive unsafe parameters and could be vulnerable to the earlier
-  vulnerability. 
+  vulnerability.
 
-cvss_v2: 
+cvss_v2: 6.4
 
 patched_versions:
   - ~> 3.2.16

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml

@@ -11,11 +11,11 @@ description: |
   There is a vulnerability in the internationalization component of Ruby on
   Rails. Under certain common configurations an attacker can provide specially
   crafted input which will execute a reflective XSS attack.
-  
+
   The root cause of this issue is a vulnerability in the i18n gem which has
   been assigned the identifier CVE-2013-4492.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.16

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103439.yml

@@ -16,7 +16,7 @@ description: |
   script code in a user's browser session within the trust relationship between
   their browser and the server.
 
-cvss_v2: 
+cvss_v2: 4.3
 
 patched_versions:
   - ~> 3.2.17

data/data/ruby-advisory-db/gems/actionpack/OSVDB-103440.yml

@@ -13,7 +13,7 @@ description: |
   handling MIME types that are converted to symbols. This may allow a
   remote attacker to cause a denial of service.
 
-cvss_v2: 
+cvss_v2: 5.0
 
 unaffected_versions:
   - ~> 4.0.0

data/data/ruby-advisory-db/gems/actionpack/OSVDB-74616.yml

@@ -0,0 +1,18 @@
+---
+gem: actionpack
+framework: rails
+cve: 2011-3186
+osvdb: 74616
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
+title: Response Splitting Vulnerability in Ruby on Rails
+date: 2011-08-16
+
+description: |
+  A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow
+  a remote attacker to inject arbitrary HTTP headers into a response due to
+  insufficient sanitization of the values provided for response content types.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - ">= 2.3.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-77199.yml

@@ -0,0 +1,23 @@
+---
+gem: actionpack
+framework: rails
+cve: 2011-4319
+osvdb: 77199
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
+title: XSS vulnerability in the translate helper method in Ruby on Rails
+date: 2011-11-17
+
+description: |
+  A cross-site scripting (XSS) flaw was found in the way the 'translate' helper
+  method of the Ruby on Rails performed HTML escaping of interpolated user
+  input, when interpolation in combination with HTML-safe translations were
+  used. A remote attacker could use this flaw to execute arbitrary HTML or web
+  script by providing a specially-crafted input to Ruby on Rails application,
+  using the ActionPack module and its 'translate' helper method without explicit
+  (application specific) sanitization of user provided input.
+
+cvss_v2: 4.3
+
+patched_versions:
+  - "~> 3.0.11"
+  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84243.yml

@@ -1,10 +1,10 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2012-3424
 osvdb: 84243
 url: http://www.osvdb.org/show/osvdb/84243
-title: 
+title:
   Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
   with_http_digest Helper Method Remote DoS
 date: 2012-07-26
@@ -16,12 +16,12 @@ description: |
   with_http_digest helper method is being used. This may allow a remote
   attacker to cause a loss of availability for the program.
 
-cvss_v2: 4.3
+cvss_v2: 5.0
 
 unaffected_versions:
   - ">= 2.3.5, <= 2.3.14"
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.16
   - ~> 3.1.7
   - ">= 3.2.7"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2013-1855
@@ -7,14 +7,14 @@ url: http://www.osvdb.org/show/osvdb/91452
 title: XSS vulnerability in sanitize_css in Action Pack
 date: 2013-03-19
 
-description: | 
+description: |
   There is an XSS vulnerability in the `sanitize_css` method in Action
   Pack. Carefully crafted text can bypass the sanitization provided in
   the `sanitize_css` method in Action Pack
 
-cvss_v2: 4.0
+cvss_v2: 4.3
 
-patched_versions: 
+patched_versions:
   - ~> 2.3.18
   - ~> 3.1.12
   - ">= 3.2.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml

@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2013-1857
@@ -7,7 +7,7 @@ url: http://osvdb.org/show/osvdb/91454
 title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
 date: 2013-03-19
 
-description: | 
+description: |
   The sanitize helper in Ruby on Rails is designed to
   filter HTML and remove all tags and attributes which could be
   malicious. The code which ensured that URLs only contain supported
@@ -15,9 +15,9 @@ description: |
   embed a tag containing a URL which executes arbitrary javascript
   code.
 
-cvss_v2: 4.0
+cvss_v2: 4.3
 
-patched_versions: 
+patched_versions:
   - ~> 2.3.18
   - ~> 3.1.12
   - ">= 3.2.13"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml

@@ -0,0 +1,92 @@
+---
+gem: actionview
+framework: rails
+cve: 2016-0752
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
+
+title: Possible Information Leak Vulnerability in Action View
+description: |
+  There is a possible directory traversal and information leak vulnerability in 
+  Action View. This vulnerability has been assigned the CVE identifier 
+  CVE-2016-0752. 
+
+  Versions Affected:  All. 
+  Not affected:       None. 
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 
+
+  Impact 
+  ------ 
+  Applications that pass unverified user input to the `render` method in a 
+  controller may be vulnerable to an information leak vulnerability. 
+
+  Impacted code will look something like this: 
+
+  ```ruby 
+  def index 
+    render params[:id] 
+  end 
+  ``` 
+
+  Carefully crafted requests can cause the above code to render files from 
+  unexpected places like outside the application's view directory, and can 
+  possibly escalate this to a remote code execution attack. 
+
+  All users running an affected release should either upgrade or use one of the 
+  workarounds immediately. 
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations. 
+
+  Workarounds 
+  ----------- 
+  A workaround to this issue is to not pass arbitrary user input to the `render` 
+  method.  Instead, verify that data before passing it to the `render` method. 
+
+  For example, change this: 
+
+  ```ruby 
+  def index 
+    render params[:id] 
+  end 
+  ``` 
+
+  To this: 
+
+  ```ruby 
+  def index 
+    render verify_template(params[:id]) 
+  end 
+
+  private 
+  def verify_template(name) 
+    # add verification logic particular to your application here 
+  end 
+  ``` 
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided patches for 
+  the two supported release series. They are in git-am format and consist of a 
+  single changeset. 
+
+  * 3-2-render_data_leak.patch - Patch for 3.2 series 
+  * 4-1-render_data_leak.patch - Patch for 4.1 series 
+  * 4-2-render_data_leak.patch - Patch for 4.2 series 
+  * 5-0-render_data_leak.patch - Patch for 5.0 series 
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
+  of earlier unsupported releases are advised to upgrade as soon as possible as we 
+  cannot guarantee the continued availability of security fixes for unsupported 
+  releases. 
+
+  Credits 
+  ------- 
+  Thanks John Poulin for reporting this!
+
+patched_versions:
+  - "~> 5.0.0.beta1.1"
+  - "~> 4.2.5.1" 
+  - "~> 4.1.14.1"
+  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml

@@ -0,0 +1,92 @@
+---
+gem: activemodel
+framework: rails
+cve: 2016-0753
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ"
+
+title: Possible Input Validation Circumvention in Active Model 
+
+description: |
+  There is a possible input validation circumvention vulnerability in Active 
+  Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. 
+
+  Versions Affected:  4.1.0 and newer 
+  Not affected:       4.0.13 and older 
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1 
+
+  Impact 
+  ------ 
+  Code that uses Active Model based models (including Active Record models) and 
+  does not validate user input before passing it to the model can be subject to 
+  an attack where specially crafted input will cause the model to skip 
+  validations. 
+
+  Vulnerable code will look something like this: 
+
+  ```ruby 
+  SomeModel.new(unverified_user_input) 
+  ``` 
+
+  Rails users using Strong Parameters are generally not impacted by this issue 
+  as they are encouraged to whitelist parameters and must specifically opt-out 
+  of input verification using the `permit!` method to allow mass assignment. 
+
+  For example, a vulnerable Rails application will have code that looks like 
+  this: 
+
+  ```ruby 
+  def create 
+    params.permit! # allow all parameters 
+    @user = User.new params[:users] 
+  end 
+  ``` 
+
+  Active Model and Active Record objects are not equipped to handle arbitrary 
+  user input.  It is up to the application to verify input before passing it to 
+  Active Model models.  Rails users already have Strong Parameters in place to 
+  handle white listing, but applications using Active Model and Active Record 
+  outside of a Rails environment may be impacted. 
+
+  All users running an affected release should either upgrade or use one of the 
+  workarounds immediately. 
+
+  Releases 
+  -------- 
+  The FIXED releases are available at the normal locations. 
+
+  Workarounds 
+  ----------- 
+  There are several workarounds depending on the application.  Inside a Rails 
+  application, stop using `permit!`.  Outside a Rails application, either use 
+  Hash#slice to select the parameters you need, or integrate Strong Parameters 
+  with your application. 
+
+  Patches 
+  ------- 
+  To aid users who aren't able to upgrade immediately we have provided patches for 
+  the two supported release series. They are in git-am format and consist of a 
+  single changeset. 
+
+  * 4-1-validation_skip.patch - Patch for 4.1 series 
+  * 4-2-validation_skip.patch - Patch for 4.2 series 
+  * 5-0-validation_skip.patch - Patch for 5.0 series 
+
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users 
+  of earlier unsupported releases are advised to upgrade as soon as possible as we 
+  cannot guarantee the continued availability of security fixes for unsupported 
+  releases. 
+
+  Credits 
+  ------- 
+  Thanks to: 
+
+  [John Backus](https://github.com/backus) from BlockScore for reporting this! 
+
+unaffected_versions:
+  - "<= 4.0.13"
+
+patched_versions:
+  - "~> 5.0.0.beta1.1"
+  - "~> 4.2.5.1" 
+  - "~> 4.1.14.1"