RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

data/data/ruby-advisory-db/gems/activerecord-jdbc-adapter/OSVDB-114854.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: activerecord-jdbc-adapter
+platform: jruby
+osvdb: 114854
+url: http://osvdb.org/show/osvdb/114854
+title: |
+  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
+  Function SQL Injection
+date: 2013-02-25
+description: |
+  ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
+  out an SQL injection attack. The issue is due to the sql.gsub() function in
+  lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before
+  using it in SQL queries. This may allow a remote attacker to inject or
+  manipulate SQL queries in the back-end database, allowing for the
+  manipulation or disclosure of arbitrary data.
+unaffected_versions:
+  - "< 1.2.6"
+patched_versions:
+  - ">= 1.2.8"

data/data/ruby-advisory-db/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: activerecord-oracle_enhanced-adapter
+osvdb: 95376
+url: http://osvdb.org/show/osvdb/95376
+title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection
+date: 2008-10-10
+description: |
+  Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an
+  attacker to carry out an SQL injection attack. The issue is due to the
+  program not properly sanitizing user-supplied input related to the :limit and
+  :offset functions. This may allow an attacker to inject or manipulate SQL
+  queries in the back-end database, allowing for the manipulation or disclosure
+  of arbitrary data.
+patched_versions:
+  - ">= 1.1.8"

data/data/ruby-advisory-db/gems/activerecord/CVE-2014-3514.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: activerecord
+framework: rails
+cve: 2014-3514
+url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
+title: Data Injection Vulnerability in Active Record
+date: 2014-08-18
+description: >-
+  The create_with functionality in Active Record was implemented
+  incorrectly and completely bypasses the strong parameters
+  protection. Applications which pass user-controlled values to
+  create_with could allow attackers to set arbitrary attributes on
+  models.
+cvss_v2: 8.7
+unaffected_versions:
+  - "< 4.0.0"
+patched_versions:
+  - ~> 4.0.9
+  - ">= 4.1.5"

data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml ADDED

@@ -0,0 +1,107 @@
+---
+gem: activerecord
+framework: rails
+cve: 2015-7577
+date: 2016-01-25
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
+title: Nested attributes rejection proc bypass in Active Record
+description: |
+  There is a vulnerability in how the nested attributes feature in Active Record
+  handles updates in combination with destroy flags when destroying records is
+  disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
+  Versions Affected:  3.1.0 and newer
+  Not affected:       3.0.x and older
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+  Impact
+  ------
+  When using the nested attributes feature in Active Record you can prevent the
+  destruction of associated records by passing the `allow_destroy: false` option
+  to the `accepts_nested_attributes_for` method. However due to a change in the
+  commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
+  being called because it assumes that the record will be destroyed anyway.
+  However this isn't true if `:allow_destroy` is false so this leads to changes
+  that would have been rejected being applied to the record. Attackers could use
+  this do things like set attributes to invalid values and to clear all of the
+  attributes amongst other things. The severity will be dependent on how the
+  application has used this feature.
+  All users running an affected release should either upgrade or use one of
+  the workarounds immediately.
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+  Workarounds
+  -----------
+  If you can't upgrade, please use the following monkey patch in an initializer
+  that is loaded before your application:
+  ```
+  $ cat config/initializers/nested_attributes_bypass_fix.rb
+  module ActiveRecord
+    module NestedAttributes
+      private
+      def reject_new_record?(association_name, attributes)
+        will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
+      end
+      def call_reject_if(association_name, attributes)
+        return false if will_be_destroyed?(association_name, attributes)
+        case callback = self.nested_attributes_options[association_name][:reject_if]
+        when Symbol
+          method(callback).arity == 0 ? send(callback) : send(callback, attributes)
+        when Proc
+          callback.call(attributes)
+        end
+      end
+      def will_be_destroyed?(association_name, attributes)
+        allow_destroy?(association_name) && has_destroy_flag?(attributes)
+      end
+      def allow_destroy?(association_name)
+        self.nested_attributes_options[association_name][:allow_destroy]
+      end
+    end
+  end
+  ```
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+  * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
+  * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
+  * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
+  * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
+  Credits
+  -------
+  Thank you to Justin Coyne for reporting the problem and working with us to fix it.
+  [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
+unaffected_versions:
+  - "~> 3.0.0"
+  - "< 3.0.0"
+patched_versions:
+  - "~> 5.0.0.beta1.1"
+  - "~> 4.2.5.1"
+  - "~> 4.1.14.1"
+  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-108664.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: activerecord
+framework: rails
+cve: 2014-3482
+osvdb: 108664
+url: http://osvdb.org/show/osvdb/108664
+title: SQL Injection Vulnerability in Active Record
+date: 2014-07-02
+description: |
+  Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack.
+  The issue is due to the PostgreSQL adapter for Active Record not properly
+  sanitizing user-supplied input when quoting bitstring. This may allow a remote
+  attacker to inject or manipulate SQL queries in the back-end database,
+  allowing for the manipulation or disclosure of arbitrary data.
+cvss_v2:
+unaffected_versions:
+  - ">= 4.0.0"
+patched_versions:
+  - ~> 3.2.19

data/data/ruby-advisory-db/gems/activerecord/OSVDB-108665.yml ADDED

@@ -0,0 +1,24 @@
+---
+gem: activerecord
+framework: rails
+cve: 2014-3483
+osvdb: 108665
+url: http://osvdb.org/show/osvdb/108665
+title: SQL Injection Vulnerability in Active Record
+date: 2014-07-02
+description: |
+  Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack.
+  The issue is due to the PostgreSQL adapter for Active Record not properly
+  sanitizing user-supplied input when quoting ranges. This may allow a remote
+  attacker to inject or manipulate SQL queries in the back-end database,
+  allowing for the manipulation or disclosure of arbitrary data.
+cvss_v2:
+unaffected_versions:
+  - "< 4.0.0"
+patched_versions:
+  - ~> 4.0.7
+  - ">= 4.1.3"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-88661.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: activerecord
+framework: rails
+cve: 2012-6496
+osvdb: 88661
+url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
+title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
+date: 2012-12-22
+description: |
+  Due to the way dynamic finders in Active Record extract options from method
+  parameters, a method parameter can mistakenly be used as a scope.  Carefully
+  crafted requests can use the scope to inject arbitrary SQL.
+cvss_v2: 6.4
+patched_versions:
+  - ~> 3.0.18
+  - ~> 3.1.9
+  - ">= 3.2.10"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml CHANGED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2013-0276
 osvdb: 90072
-url: http://direct.osvdb.org/show/osvdb/90072
+url: http://osvdb.org/show/osvdb/90072
 title: Ruby on Rails Active Record attr_protected Method Bypass
 date: 2013-02-11
@@ -16,6 +16,6 @@ description: |
 cvss_v2: 5.0
 patched_versions:
-  - ~> 2.3.17
-  - ~> 3.1.11
+  - "~> 2.3.17"
+  - "~> 3.1.11"
   - ">= 3.2.12"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml CHANGED

@@ -3,8 +3,8 @@ gem: activerecord
 framework: rails
 cve: 2013-0277
 osvdb: 90073
-url: http://direct.osvdb.org/show/osvdb/90073
-title:
+url: http://osvdb.org/show/osvdb/90073
+title: |
   Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
   Code Execution
 date: 2013-02-11
@@ -19,5 +19,5 @@ description: |
 cvss_v2: 10.0
 patched_versions:
-  - ~> 2.3.17
+  - "~> 2.3.17"
   - ">= 3.1.0"

data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: activeresource
+osvdb: 95749
+url: http://osvdb.org/show/osvdb/95749
+title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
+date: 2008-08-15
+description: |
+  activeresource contains a format string flaw in the request function of
+  lib/active_resource/connection.rb. The issue is triggered as format string
+  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
+  when passed via the 'result.code' and 'result.message' variables. This may
+  allow a remote attacker to cause a denial of service or potentially execute
+  arbitrary code.
+patched_versions:
+  - ">= 2.2.0"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml ADDED

@@ -0,0 +1,54 @@
+---
+gem: activesupport
+cve: 2015-3226
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
+title: |
+  XSS Vulnerability in ActiveSupport::JSON.encode
+date: 2015-06-16
+description: |
+  When a `Hash` containing user-controlled data is encode as JSON (either through
+  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
+  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
+  option (which is enabled by default). If this resulting JSON string is subsequently
+  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
+  For example, the following code snippet is vulnerable to this attack:
+      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
+  Similarly, the following is also vulnerable:
+      <script>
+        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
+      </script>
+  All applications that renders JSON-encoded strings that contains user-controlled
+  data in their views should either upgrade to one of the FIXED versions or use
+  the suggested workaround immediately.
+  Workarounds
+  -----------
+  To work around this problem add an initializer with the following code:
+    module ActiveSupport
+      module JSON
+        module Encoding
+          private
+          class EscapedString
+            def to_s
+              self
+            end
+          end
+        end
+      end
+    end
+unaffected_versions:
+  - "< 4.1.0"
+patched_versions:
+  - ">= 4.2.2"
+  - "~> 4.1.11"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml ADDED

@@ -0,0 +1,32 @@
+---
+gem: activesupport
+cve: 2015-3227
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
+title: |
+  Possible Denial of Service attack in Active Support
+date: 2015-06-16
+description: |
+  Specially crafted XML documents can cause applications to raise a
+  `SystemStackError` and potentially cause a denial of service attack.  This
+  only impacts applications using REXML or JDOM as their XML processor.  Other
+  XML processors that Rails supports are not impacted.
+  All users running an affected release should either upgrade or use one of the work arounds immediately.
+  Workarounds
+  -----------
+  Use an XML parser that is not impacted by this problem, such as Nokogiri or
+  LibXML.  You can change the processor like this:
+    ActiveSupport::XmlMini.backend = 'Nokogiri'
+  If you cannot change XML parsers, then adjust
+  `RUBY_THREAD_MACHINE_STACK_SIZE`.
+patched_versions:
+  - ">= 4.2.2"
+  - "~> 4.1.11"
+  - "~> 3.2.22"

data/data/ruby-advisory-db/gems/as/OSVDB-112683.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: as
+osvdb: 112683
+url: http://osvdb.org/show/osvdb/112683
+title: as Gem for Ruby Process List Local Plaintext Credentials Disclosure
+date: 2014-09-25
+description: |
+  as Gem for Ruby contains a flaw that is due to the program displaying
+  credential information in plaintext in the process list. This may
+  allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/authlogic/OSVDB-89064.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: authlogic
+cve: 2012-6497
+osvdb: 89064
+url: http://osvdb.org/show/osvdb/89064
+title: Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness
+date: 2012-12-21
+description: |
+  Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered
+  when the program makes an unsafe method call for find_by_id. With a specially
+  crafted parameter in an environment that knows the secret_token value in
+  secret_token.rb, a remote attacker to more easily conduct SQL injection
+  attacks.
+patched_versions:
+  - ">= 3.3.0"

data/data/ruby-advisory-db/gems/auto_awesomplete/OSVDB-132800.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: auto_awesomplete
+osvdb: 132800
+url: https://github.com/Tab10id/auto_awesomplete/issues/2
+title: |
+  auto_awesomplete Gem for Ruby allows arbitrary search execution
+date: 2016-01-08
+description: |
+  auto_awesomplete Gem for Ruby contains a flaw that is triggered when handling the
+  'params[:default_class_name]' option. This allows users to search any object
+  of all given ActiveRecord classes.

data/data/ruby-advisory-db/gems/auto_select2/OSVDB-132800.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: auto_select2
+osvdb: 132800
+url: https://github.com/Loriowar/auto_select2/issues/4
+title: |
+  auto_select2 Gem for Ruby allows arbitrary search execution
+date: 2016-01-08
+description: |
+  auto_select2 Gem for Ruby contains a flaw that is triggered when handling the
+  'params[:default_class_name]' option. This allows users to search any object
+  of all given ActiveRecord classes.
+patched_versions:
+  - ">= 0.5.0"

data/data/ruby-advisory-db/gems/awesome_spawn/CVE-2014-0156.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: awesome_spawn
+cve: 2014-0156
+url: https://github.com/ManageIQ/awesome_spawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff
+title: OS command injection flaw in awesome_spawn
+date: 2014-03-28
+description: >-
+  Awesome spawn contains OS command injection vulnerability, which allows
+  execution of additional commands passed to Awesome spawn as arguments, e.g.
+  AwesomeSpawn.run('ls',:params => {'-l' => ";touch haxored"}). If untrusted
+  input was included in command arguments, attacker could use this flaw to
+  execute arbitrary command.
+cvss_v2:  6.8
+patched_versions:
+  - "~> 1.2.0"
+  - ">= 1.3.0"