RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108571.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: kcapifony
+cve: 2014-5001
+osvdb: 108571
+url: http://osvdb.org/show/osvdb/108571
+title: kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password Disclosure
+date: 2014-06-30
+description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108572.yml ADDED

@@ -0,0 +1,7 @@
+---
+gem: kcapifony
+osvdb: 108572
+url: http://osvdb.org/show/osvdb/108572
+title: kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter Handling Remote Command Execution
+date: 2014-06-30
+description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml CHANGED

@@ -7,4 +7,3 @@ title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Met
 date: 2013-04-04
 description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
 cvss_v2: 9.3
-patched_versions:

data/data/ruby-advisory-db/gems/kompanee-recipes/OSVDB-108593.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: kompanee-recipes
+osvdb: 108593
+url: http://osvdb.org/show/osvdb/108593
+title: kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb Multiple Variable Handling Remote Command Execution Weakness
+date: 2014-06-30
+description: |
+  kompanee-recipes Gem for Ruby contains a flaw in
+  /lib/kompanee-recipes/heroku.rb that is triggered when handling shell
+  metacharacters passed via the 'password', 'user', 'deploy_name', and
+  'application' variables. This may allow a remote attacker to execute
+  arbitrary commands.

data/data/ruby-advisory-db/gems/lawn-login/OSVDB-108576.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: lawn-login
+cve: 2014-5000
+osvdb: 108576
+url: http://osvdb.org/show/osvdb/108576
+title: lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password Disclosure
+date: 2014-06-30
+description: lawn-login Gem for Ruby contains a flaw in /lib/lawn.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/ldap_fluff/OSVDB-90579.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: ldap_fluff
+cve: 2012-5604
+osvdb: 90579
+url: http://osvdb.org/show/osvdb/90579
+title: Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass
+date: 2012-12-04
+description: Red Hat Subscription Asset Manager contains a flaw in the
+  rubygem-ldap_fluff component. The issue is triggered when using Microsoft
+  Active Directory server as the authentication back-end. This may result in
+  authentication no longer being enforced, allowing a remote attacker to
+  trivially bypass it.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 0.1.3"

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml CHANGED

@@ -7,4 +7,3 @@ title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Comman
 date: 2013-04-01
 description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
 cvss_v2: 6.8
-patched_versions:

data/data/ruby-advisory-db/gems/lean-ruport/OSVDB-108581.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: lean-ruport
+cve: 2014-4998
+osvdb: 108581
+url: http://osvdb.org/show/osvdb/108581
+title: lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext MySQL Password Disclosure
+date: 2014-06-30
+description: lean-ruport Gem for Ruby contains a flaw in /test/tc_database.rb that is due to the application exposing MySQL password information in plaintext in the process table. This may allow a local attacker to gain access to MySQL password information.

data/data/ruby-advisory-db/gems/lingq/OSVDB-108585.yml ADDED

@@ -0,0 +1,7 @@
+---
+gem: lingq
+osvdb: 108585
+url: http://osvdb.org/show/osvdb/108585
+title: lingq Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
+date: 2014-06-30
+description: lingq Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/lynx/OSVDB-108579.yml ADDED

@@ -0,0 +1,7 @@
+---
+gem: lynx
+osvdb: 108579
+url: http://osvdb.org/show/osvdb/108579
+title: lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command Execution
+date: 2014-06-30
+description: lynx Gem for Ruby contains a flaw in lib/lynx/pipe/run.rb that may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/lynx/OSVDB-108580.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: lynx
+cve: 2014-5002
+osvdb: 108580
+url: http://osvdb.org/show/osvdb/108580
+title: lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password Disclosure
+date: 2014-06-30
+description: lynx Gem for Ruby contains a flaw in command/basic.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: mail
+osvdb: 131677
+url: http://www.mbsd.jp/Whitepaper/smtpi.pdf
+title: Mail Gem for Ruby vulnerable to SMTP Injection via recipient email addresses
+date: 2015-12-09
+description: |
+  Because the Mail Gem for Ruby does not validate or impose a length limit on
+  email address fields, an attacker can modify messages sent with the gem via a
+  specially-crafted recipient email address.
+  Applications that validate email address format are not affected by this
+  vulnerability.
+  The recipient attack is described in Terada, Takeshi. "SMTP Injection via
+  Recipient Email Addresses." 2015. The attacks described in the paper (Terada,
+  p. 4) can be applied to the library without any modification.
+patched_versions:
+- ">= 2.6.0"

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-129854.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: mapbox-rails
+osvdb: 129854
+url: https://nodesecurity.io/advisories/49
+title: mapbox-rails Content Injection via TileJSON attribute
+date: 2015-10-24
+description: |
+  Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable
+  to a cross-site-scripting attack in certain uncommon usage scenarios.
+  If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON
+  content from a non-Mapbox URL, it is possible for a malicious user with
+  control over the TileJSON content to inject script content into the
+  "attribution" value of the TileJSON which will be executed in the context of
+  the page using Mapbox.js.
+  Such usage is uncommon. The following usage scenarios are not vulnerable:
+  * only trusted TileJSON content is loaded
+  * TileJSON content comes only from mapbox.com URLs
+  * a Mapbox map ID is supplied, rather than a TileJSON URL

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-132871.yml ADDED

@@ -0,0 +1,22 @@
+---
+gem: mapbox-rails
+osvdb: 132871
+url: https://nodesecurity.io/advisories/74
+title: mapbox-rails Content Injection via TileJSON Name
+date: 2016-01-12
+description: |
+  Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable
+  to a cross-site-scripting attack in certain uncommon usage scenarios.
+  If you use L.mapbox.map and L.mapbox.shareControl it is possible for a
+  malicious user with control over the TileJSON content to inject script
+  content into the name value of the TileJSON. After clicking on the share
+  control, the malicious code will execute in the context of the page using
+  Mapbox.js.
+  Such usage is uncommon. L.mapbox.shareControl is not automatically added to
+  Mapbox.js maps and must be explicitly added. The following usage scenarios
+  are not vulnerable:
+  * the map does not use a share control (L.mapbox.sharecontrol)
+  * only trusted TileJSON content is loaded

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml CHANGED

@@ -7,4 +7,3 @@ title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Inj
 date: 2013-04-13
 description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
 cvss_v2: 10.0
-patched_versions:

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml CHANGED

@@ -5,11 +5,11 @@ osvdb: 91231
 url: http://osvdb.org/show/osvdb/91231
 title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
 date: 2013-03-12
-description: MiniMagick Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input from an untrusted source passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+description: |
+  MiniMagick Gem for Ruby contains a flaw that is triggered during the handling
+  of specially crafted input from an untrusted source passed via a URL that
+  contains a ';' character. This may allow a context-dependent attacker to
+  potentially execute arbitrary commands.
 cvss_v2: 9.3
 patched_versions:
   - ">= 3.6.0"

data/data/ruby-advisory-db/gems/moped/CVE-2015-4410.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: moped
+cve: 2015-4410
+url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
+title: Data Injection Vulnerability in moped Rubygem
+date: 2015-06-04
+description: >-
+  A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
+vendor_patch:
+  - https://github.com/mongoid/moped/compare/e5fc928bcb5b7b89d171e31e31483be4185971b9...32cba17ad7d3da326778b4d8cd4b52e75bca9d40
+  - https://github.com/mongoid/moped/commit/276fbfd23c5ffb65e6bd18d564c8b6878c2498ac
+patched_versions:
+  - "~> 1.5.3"
+  - ">= 2.0.5"

data/data/ruby-advisory-db/gems/mustache-js-rails/OSVDB-131671.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: mustache-js-rails
+osvdb: 131671
+url: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
+title: mustache.js - quoteless attributes in templates can lead to XSS
+date: 2015-11-17
+description: |
+  The upstream 'mustache.js' node.js module was found to not properly escape
+  backtick (`) and equals (=) characters, leading to possible content injection
+  via attributes in templates.
+  Example:
+  * Template: <a href={{foo}}/>
+  * Input: { 'foo' : 'test.com onload=alert(1)'}
+  * Rendered result: <a href=test.com onload=alert(1)/>
+patched_versions:
+  - ">= 2.0.3"

data/data/ruby-advisory-db/gems/net-ldap/OSVDB-106108.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: net-ldap
+cve: 2014-0083
+osvdb: 106108
+url: http://osvdb.org/show/osvdb/106108
+title:  Net::LDAP for Ruby lib/net/ldap/password.rb SSHA Password Generation Weak Salt
+date: 2014-02-13
+description: Net::LDAP for Ruby contains a flaw in lib/net/ldap/password.rb. The
+  issue is due to the program generating SSHA passwords with a weak salt value
+  that is between 0 and 999. This may allow a local attacker to more easily gain
+  access to password information.
+cvss_v2: 1.9
+patched_versions:
+  - ">= 0.6.0"

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-1819.yml ADDED

@@ -0,0 +1,52 @@
+---
+gem: nokogiri
+cve: 2015-1819
+url: https://github.com/sparklemotion/nokogiri/issues/1374
+title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
+date: 2015-04-14
+description: |
+  Several vulnerabilities were discovered in the libxml2 and libxslt libraries
+  that the Nokogiri gem depends on.
+  CVE-2015-1819
+  A denial of service flaw was found in the way libxml2 parsed XML
+  documents. This flaw could cause an application that uses libxml2 to use an
+  excessive amount of memory.
+  CVE-2015-7941
+  libxml2 does not properly stop parsing invalid input, which allows
+  context-dependent attackers to cause a denial of service (out-of-bounds read
+  and libxml2 crash) via crafted specially XML data.
+  CVE-2015-7942
+  The xmlParseConditionalSections function in parser.c in libxml2
+  does not properly skip intermediary entities when it stops parsing invalid
+  input, which allows context-dependent attackers to cause a denial of service
+  (out-of-bounds read and crash) via crafted XML data.
+  CVE-2015-7995
+  The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
+  check whether the parent node is an element, which allows attackers to cause
+  a denial of service using a specially crafted XML document.
+  CVE-2015-8035
+  The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
+  properly detect compression errors, which allows context-dependent attackers
+  to cause a denial of service (process hang) via crafted XML data.
+  Another vulnerability was discoverd in libxml2 that could cause parsing
+  of unclosed comments to result in "conditional jump or move depends on
+  uninitialized value(s)" and unsafe memory access. This issue does not have a
+  CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.
+patched_versions:
+  - "~> 1.6.6.4"
+  - ">= 1.6.7.rc4"
+related:
+  cve:
+    - 2015-7941
+    - 2015-7942
+    - 2015-7995
+    - 2015-8035
+  url:
+    - https://github.com/sparklemotion/nokogiri/pull/1376
+    - https://github.com/sparklemotion/nokogiri/commit/8f3de6d88d0da11fb62a45daa61b85ce71b4af59

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-5312.yml ADDED

@@ -0,0 +1,92 @@
+---
+gem: nokogiri
+cve: 2015-5312
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
+title: Nokogiri gem contains several vulnerabilities in libxml2
+date: 2015-12-15
+description: |
+  Nokogiri version 1.6.7.1 has been released, pulling in several upstream
+  patches to the vendored libxml2 to address the following CVEs:
+  CVE-2015-5312
+  CVSS v2 Base Score: 7.1 (HIGH)
+  The xmlStringLenDecodeEntities function in parser.c in libxml2
+  before 2.9.3 does not properly prevent entity expansion, which
+  allows context-dependent attackers to cause a denial of
+  service (CPU consumption) via crafted XML data, a different
+  vulnerability than CVE-2014-3660.
+  CVE-2015-7497
+  CVSS v2 Base Score: 5.0 (MEDIUM)
+  Heap-based buffer overflow in the xmlDictComputeFastQKey
+  function in dict.c in libxml2 before 2.9.3 allows
+  context-dependent attackers to cause a denial of service via
+  unspecified vectors.
+  CVE-2015-7498
+  CVSS v2 Base Score: 5.0 (MEDIUM)
+  Heap-based buffer overflow in the xmlParseXmlDecl function in
+  parser.c in libxml2 before 2.9.3 allows context-dependent
+  attackers to cause a denial of service via unspecified vectors
+  related to extracting errors after an encoding conversion
+  failure.
+  CVE-2015-7499
+  CVSS v2 Base Score: 5.0 (MEDIUM)
+  Heap-based buffer overflow in the xmlGROW function in parser.c
+  in libxml2 before 2.9.3 allows context-dependent attackers to
+  obtain sensitive process memory information via unspecified
+  vectors.
+  CVE-2015-7500
+  CVSS v2 Base Score: 5.0 (MEDIUM)
+  The xmlParseMisc function in parser.c in libxml2 before 2.9.3
+  allows context-dependent attackers to cause a denial of
+  service (out-of-bounds heap read) via unspecified vectors
+  related to incorrect entities boundaries and start tags.
+  CVE-2015-8241
+  CVSS v2 Base Score: 6.4 (MEDIUM)
+  The xmlNextChar function in libxml2 2.9.2 does not properly
+  check the state, which allows context-dependent attackers to
+  cause a denial of service (heap-based buffer over-read and
+  application crash) or obtain sensitive information via crafted
+  XML data.
+  CVE-2015-8242
+  CVSS v2 Base Score: 5.8 (MEDIUM)
+  The xmlSAX2TextNode function in SAX2.c in the push interface in
+  the HTML parser in libxml2 before 2.9.3 allows
+  context-dependent attackers to cause a denial of
+  service (stack-based buffer over-read and application crash) or
+  obtain sensitive information via crafted XML data.
+  CVE-2015-8317
+  CVSS v2 Base Score: 5.0 (MEDIUM)
+  The xmlParseXMLDecl function in parser.c in libxml2 before
+  2.9.3 allows context-dependent attackers to obtain sensitive
+  information via an (1) unterminated encoding value or (2)
+  incomplete XML declaration in XML data, which triggers an
+  out-of-bounds heap read.
+cvss_v2: 7.1
+unaffected_versions:
+  - "< 1.6.0"
+patched_versions:
+  - ">= 1.6.7.1"
+related:
+  cve:
+    - 2015-7497
+    - 2015-7498
+    - 2015-7499
+    - 2015-7500
+    - 2015-8241
+    - 2015-8242
+    - 2015-8317
+  url:
+    - https://github.com/sparklemotion/nokogiri/pull/1378
+    - https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-7499.yml ADDED

@@ -0,0 +1,37 @@
+---
+gem: nokogiri
+cve: 2015-7499
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
+title: |
+  Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
+date: 2016-01-19
+description: |
+  Nokogiri version 1.6.7.2 has been released, pulling in several upstream
+  patches to the vendored libxml2 to address the following CVE:
+  CVE-2015-7499
+  CVSS v2 Base Score: 5.0 (MEDIUM)
+  Heap-based buffer overflow in the xmlGROW function in parser.c
+  in libxml2 before 2.9.3 allows context-dependent attackers to
+  obtain sensitive process memory information via unspecified
+  vectors.
+  libxml2 could be made to crash if it opened a specially crafted
+  file. It was discovered that libxml2 incorrectly handled certain
+  malformed documents. If a user or automated system were tricked
+  into opening a specially crafted document, an attacker could
+  possibly cause libxml2 to crash, resulting in a denial of service.
+cvss_v2: 5.0
+unaffected_versions:
+  - "< 1.6.0"
+patched_versions:
+  - ">= 1.6.7.2"
+related:
+  url:
+    - https://github.com/sparklemotion/nokogiri/commit/9eb540e7c905924a42757bf0a34c2c00707d536c

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml CHANGED

@@ -1,12 +1,18 @@
 ---
 gem: nokogiri
+platform: jruby
 cve: 2013-6460
 osvdb: 101179
-url: http://www.osvdb.org/show/osvdb/101179
-title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
+url: http://osvdb.org/show/osvdb/101179
+title: |
+  Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
 date: 2013-12-14
-description: Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of service. The issue is triggered when handling a specially crafted XML document, which can result in an infinite loop. This may allow a context-dependent attacker to crash the server.
-cvss_v2:
+description: |
+  Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of
+  service. The issue is triggered when handling a specially crafted XML
+  document, which can result in an infinite loop. This may allow a
+  context-dependent attacker to crash the server.
+cvss_v2: 4.3
 patched_versions:
-  - ~> 1.5.11
+  - "~> 1.5.11"
   - ">= 1.6.1"