RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

data/data/ruby-advisory-db/gems/backup-agoddard/OSVDB-108578.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: backup-agoddard
+cve: 2014-4993
+osvdb: 108578
+url: http://osvdb.org/show/osvdb/108578
+title: backup-agoddard Gem for Ruby /lib/backup/cli/utility.rb Process Table Local Plaintext Password Disclosure
+date: 2014-06-30
+description: backup-agoddard Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108569.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: backup_checksum
+cve: 2014-4993
+osvdb: 108569
+url: http://osvdb.org/show/osvdb/108569
+title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Process List Local Plaintext Password Disclosure
+date: 2014-06-30
+description: |
+  backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
+  that is triggered as the program displays password information in plaintext
+  in the process list. This may allow a local attacker to gain access to
+  password information.

data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108570.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: backup_checksum
+osvdb: 108570
+url: http://osvdb.org/show/osvdb/108570
+title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling Remote Command Execution
+date: 2014-06-30
+description: |
+  backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
+  that is triggered when handling metacharacters. This may allow a remote
+  attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/bcrypt-ruby/OSVDB-62067.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: bcrypt-ruby
+platform: jruby
+osvdb: 62067
+url: http://www.mindrot.org/files/jBCrypt/internat.adv
+title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)
+date: 2010-02-01
+description: |
+  bcrypt-ruby Gem for Ruby suffered from a bug related to character
+  encoding that substantially reduced the entropy of hashed passwords
+  containing non US-ASCII characters. An incorrect encoding step
+  transparently replaced such characters by '?' prior to hashing. In the
+  worst case of a password consisting solely of non-US-ASCII characters,
+  this would cause its hash to be equivalent to all other such passwords
+  of the same length. This issue only affects the JRuby implementation.
+  This gem has been renamed. Please use "bcrypt" from now on.
+patched_versions:
+  - ">= 2.1.4"

data/data/ruby-advisory-db/gems/bcrypt/OSVDB-62067.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: bcrypt
+platform: jruby
+osvdb: 62067
+url: http://www.mindrot.org/files/jBCrypt/internat.adv
+title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)
+date: 2010-02-01
+description: |
+  bcrypt-ruby Gem for Ruby suffered from a bug related to character
+  encoding that substantially reduced the entropy of hashed passwords
+  containing non US-ASCII characters. An incorrect encoding step
+  transparently replaced such characters by '?' prior to hashing. In the
+  worst case of a password consisting solely of non-US-ASCII characters,
+  this would cause its hash to be equivalent to all other such passwords
+  of the same length. This issue only affects the JRuby implementation.
+patched_versions:
+  - ">= 2.1.4"

data/data/ruby-advisory-db/gems/bio-basespace-sdk/OSVDB-101031.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: bio-basespace-sdk
+cve: 2013-7111
+osvdb: 101031
+url: http://osvdb.org/show/osvdb/101031
+title: Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure
+date: 2013-12-14
+description: Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API client code passing the API_KEY to a curl command. This may allow a local attacker to gain access to API key information by monitoring the process table.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108899.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: brbackup
+osvdb: 108899
+url: http://osvdb.org/show/osvdb/108899
+title: brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
+date: 2014-07-09
+description: |
+  brbackup Gem for Ruby contains a flaw that may allow carrying out an SQL
+  injection attack. The issue is due to the /lib/brbackup.rb script not
+  properly sanitizing user-supplied input to the 'name' parameter. This may
+  allow a remote attacker to inject or manipulate SQL queries in the back-end
+  database, allowing for the manipulation or disclosure of arbitrary data.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108900.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: brbackup
+osvdb: 108900
+url: http://osvdb.org/show/osvdb/108900
+title: brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution
+date: 2014-07-09
+description: |
+  brbackup Gem for Ruby contains a flaw that is triggered as input passed
+  via the 'dbuser' variable is not properly sanitized. This may allow a
+  remote attacker to inject shell metacharacters and execute arbitrary
+  commands.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108901.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: brbackup
+cve: 2014-5004
+osvdb: 108901
+url: http://osvdb.org/show/osvdb/108901
+title: brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
+date: 2014-07-09
+description: |
+  brbackup Gem for Ruby contains a flaw that is due to the program exposing
+  password information in plaintext in the process list. This may allow a
+  local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/bson/CVE-2015-4412.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: bson
+cve: 2015-4412
+url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
+title: Data Injection Vulnerability in bson Rubygem
+date: 2015-06-04
+description: >-
+  A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
+vendor_patch:
+  - https://github.com/mongodb/mongo-ruby-driver/compare/6ae981167759d5819ba3d41e374e5b2af5b79077~1...9859a3ab9773a8a883eb8438b665a921cc991c71
+  - https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7
+patched_versions:
+  - "~> 1.12.3"
+  - ">= 3.0.4"

data/data/ruby-advisory-db/gems/builder/OSVDB-95668.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: builder
+osvdb: 95668
+url: http://osvdb.org/show/osvdb/95668
+title: Builder Gem for Ruby Tag Name Handling Private Method Exposure
+date: 2007-06-15
+description: |
+  Builder Gem for Ruby contains a flaw in the handling of tag names. The issue
+  is triggered when the program reads tag names from XML data and then calls a
+  method with that name. With a specially crafted file, a context-dependent
+  attacker can call private methods and manipulate data.
+patched_versions:
+  - ">= 2.1.2"

data/data/ruby-advisory-db/gems/bundler/OSVDB-110004.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: bundler
+cve: 2013-0334
+osvdb: 110004
+url: http://www.osvdb.org/show/osvdb/110004
+title: Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing
+date: 2014-08-13
+description: |
+  Bundler Gem for Ruby contains a flaw that is triggered when handling
+  a gemfile that contains multiple top-level source lines. This may allow a
+  context-dependent attacker to install specially crafted gems on a remote
+  system, leading to arbitrary code execution.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 1.7.0"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115090.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: bundler
+osvdb: 115090
+url: http://www.osvdb.org/show/osvdb/115090
+title: Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing
+date: 2013-02-12
+description: |
+  Bundler Gem for Ruby contains a flaw as SSL certificates are not properly
+  validated. By spoofing the SSL server via a certificate that appears valid,
+  an attacker with the ability to intercept network traffic (e.g. MiTM, DNS
+  cache poisoning) can disclose and optionally manipulate transmitted data.
+patched_versions:
+  - ">= 1.3.0.pre.8"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115091.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: bundler
+osvdb: 115091
+url: http://www.osvdb.org/show/osvdb/115091
+title: Bundler Gem for Ruby Redirection Remote HTTP Basic Authentication Credential Disclosure
+date: 2013-02-12
+description: |
+   Bundler Gem for Ruby contains a flaw that is triggered during the
+   redirection to other hosts. This may allow a remote attacker to gain access
+   to HTTP basic authentication credential information.
+patched_versions:
+  - ">= 1.3.0.pre.8"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115917.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: bundler
+osvdb: 115917
+url: http://www.osvdb.org/show/osvdb/115917
+title: Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential Disclosure
+date: 2011-09-20
+description: |
+  Bundler Gem for Ruby contains a flaw that is due to the program listing
+  credential information in plaintext in the install command process listing.
+  This may allow a local attacker to gain access to credential information.
+patched_versions:
+  - ">= 1.1.rc"

data/data/ruby-advisory-db/gems/cap-strap/OSVDB-108574.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: cap-strap
+cve: 2014-4992
+osvdb: 108574
+url: http://osvdb.org/show/osvdb/108574
+title: cap-strap Gem for Ruby Process Table Local Plaintext Credential Disclosure
+date: 2014-06-30
+description: cap-strap Gem for Ruby contains a flaw that is due to the application exposing credential information in plaintext in the process table listing. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/cap-strap/OSVDB-108575.yml ADDED

@@ -0,0 +1,7 @@
+---
+gem: cap-strap
+osvdb: 108575
+url: http://osvdb.org/show/osvdb/108575
+title: cap-strap Gem for Ruby Hardcoded Password Crypt Hash Salt Weakness
+date: 2014-06-30
+description: cap-strap Gem for Ruby contains a flaw that is due to the application using a hardcoded default 'sa' salt for password encryption. This may allow a local attacker to more easily decrypt passwords.

data/data/ruby-advisory-db/gems/ciborg/OSVDB-108586.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: ciborg
+cve: 2014-5003
+osvdb: 108586
+url: http://osvdb.org/show/osvdb/108586
+title: ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File Overwrite
+date: 2014-06-30
+description: ciborg Gem for Ruby contains a flaw as default.rb creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/perlbrew-installer file to cause the program to unexpectedly overwrite an arbitrary file.

data/data/ruby-advisory-db/gems/codders-dataset/OSVDB-108582.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: codders-dataset
+cve: 2014-4991
+osvdb: 108582
+url: http://osvdb.org/show/osvdb/108582
+title: codders-dataset Gem for Ruby /lib/dataset/database/postgresql.rb Process Table Local Plaintext Credential Disclosure
+date: 2014-06-30
+description: codders-dataset Gem for Ruby contains a flaw in /lib/dataset/database/postgresql.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/codders-dataset/OSVDB-108583.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: codders-dataset
+cve: 2014-4991
+osvdb: 108583
+url: http://osvdb.org/show/osvdb/108583
+title: codders-dataset Gem for Ruby /lib/dataset/database/mysql.rb Process Table Local Plaintext Credential Disclosure
+date: 2014-06-30
+description: codders-dataset Gem for Ruby contains a flaw in /lib/dataset/database/mysql.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: colorscore
+cve: 2015-7541
+osvdb: 132516
+url: http://seclists.org/oss-sec/2016/q1/17
+title: colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection
+date: 2016-01-04
+description: |
+  The contents of the `image_path`, `colors`, and `depth` variables generated
+  from possibly user-supplied input are passed directly to the shell via
+  `convert ...`.
+  If a user supplies a value that includes shell metacharacters such as ';', an
+  attacker may be able to execute shell commands on the remote system as the
+  user id of the Ruby process.
+  To resolve this issue, the aforementioned variables (especially `image_path`)
+  must be sanitized for shell metacharacters.
+  Currently, no fix for this issue exists.

data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml CHANGED

@@ -7,4 +7,3 @@ title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
 date: 2013-03-18
 description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
 cvss_v2: 7.5
-patched_versions:

data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml CHANGED

@@ -1,4 +1,4 @@
----
+---
 gem: cremefraiche
 cve: 2013-2090
 osvdb: 93395
@@ -6,6 +6,6 @@ url: http://osvdb.org/show/osvdb/93395
 title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution
 date: 2013-05-14
 description: Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2:
-patched_versions:
-  - ">= 0.6.1"
+cvss_v2: 9.3
+patched_versions:
+  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/curb/OSVDB-114600.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: curb
+osvdb: 114600
+url: http://osvdb.org/show/osvdb/114600
+title: curb Gem for Ruby Empty http_put Body Handling Remote DoS
+date: 2010-08-12
+description: |
+  curb Gem for Ruby contains a flaw that is triggered when handling an empty
+  http_put body. This may allow a remote attacker to crash an application
+  linked against the library.
+patched_versions:
+  - ">= 0.7.8"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml CHANGED

@@ -1,12 +1,13 @@
 ---
 gem: curl
-cve: 2013-1878
+cve: 2013-2617
 osvdb: 91230
 url: http://osvdb.org/show/osvdb/91230
-title: Curl Gem for Ruby URI Handling Arbitrary Command Injection
+title: Curl Gem for Ruby URI Handling Arbitrary Command Injection
 date: 2013-03-12
-description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
+description: Curl Gem for Ruby contains a flaw that is triggered during the
+  handling of specially crafted input passed via the URL.  This may allow
+  a context-dependent attacker to potentially execute arbitrary commands by
+  injecting them via a semi-colon (;).
 cvss_v2: 7.5
+patched_versions:

data/data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml ADDED

@@ -0,0 +1,22 @@
+---
+gem: devise-two-factor
+cve: 2015-7225
+url: http://www.openwall.com/lists/oss-security/2015/09/06/2
+title: |
+  devise-two-factor 1.1.0 and earlier vulnerable to replay attacks
+date: 2015-09-17
+description: |
+  A OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local
+  attackers to shoulder-surf a user's TOTP verification code and use it to
+  login after the user has authenticated.
+  By not "burning" a previously used TOTP, devise-two-factor allows a narrow
+  window of opportunity (aka the timestep period) where an attacker can re-use a
+  verification code.
+  Should an attacker possess a given user's authentication
+  credentials, this flaw effectively defeats two-factor authentication for the
+  duration of the timestep.
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/devise/CVE-2015-8314.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: devise
+cve: 2015-8314
+url: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
+title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
+date: 2016-01-18
+description: |
+  Devise version before 3.5.4 uses cookies to implement a "Remember me"
+  functionality. However, it generates the same cookie for all devices. If an
+  attacker manages to steal a remember me cookie and the user does not change
+  the password frequently, the cookie can be used to gain access to the
+  application indefinitely.
+patched_versions:
+  - ">= 3.5.4"

data/data/ruby-advisory-db/gems/devise/OSVDB-114435.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: devise
+osvdb: 114435
+url: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
+title: CSRF token fixation attacks in Devise
+date: 2013-08-02
+description: |
+  Devise contains a flaw that allows a remote, user-assisted attacker to
+  conduct a CSRF token fixation attack. This issue is triggered as previous
+  CSRF tokens are not properly invalidated when a new token is created.
+  If an attacker has knowledge of said token, a specially crafted request can
+  be made to it, allowing the attacker to conduct CSRF attacks.
+patched_versions:
+  - ~> 2.2.5
+  - ">= 3.0.1"

data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml CHANGED

@@ -11,7 +11,7 @@ description: |
   occurs during the parsing of a malformed request. With a specially crafted
   request, a remote attacker can bypass security restrictions.
-cvss_v2: 10.0
+cvss_v2: 6.8
 patched_versions:
   - ~> 1.5.4

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2014-8144.yml ADDED

@@ -0,0 +1,26 @@
+---
+gem: doorkeeper
+cve: 2014-8144
+osvdb: 116010
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw
+title: |
+  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
+  and earlier.
+date: 2014-12-18
+description: |
+  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
+  and earlier allows remote attackers to hijack the user's OAuth
+  autorization code. This vulnerability has been assigned the CVE
+  identifier CVE-2014-8144.
+  Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
+  on the Internet can then read a user's authorization code with
+  arbitrary scope from any Doorkeeper-compatible Rails app you are
+  logged in.
+cvss_v2: 6.8
+patched_versions:
+  - ~> 1.4.1
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/doorkeeper/OSVDB-118830.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: doorkeeper
+osvdb: 118830
+url: http://www.osvdb.org/show/osvdb/118830
+title: |
+  Doorkeeper Gem for Ruby stores sensitive information
+  in production logs
+date: 2015-02-10
+description: |
+  Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb.
+  The issue is due to the program storing sensitive information in
+  production logs. This may allow a local attacker to gain access to
+  sensitive information.
+cvss_v2:
+patched_versions:
+  - "~> 1.4.2"
+  - ">= 2.1.2"