RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.5.0 - Mend

bundler-audit 0.4.0 → 0.5.0

Files changed (313) hide show

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7579.yml ADDED

@@ -0,0 +1,75 @@
+---
+gem: rails-html-sanitizer
+cve: 2015-7579
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
+title: XSS vulnerability in rails-html-sanitizer
+description: |
+  There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
+  This vulnerability has been assigned the CVE identifier CVE-2015-7579.
+  Versions Affected:  1.0.2
+  Not affected:       1.0.0, 1.0.1
+  Fixed Versions:     1.0.3
+  Impact
+  ------
+  Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
+  passes an already escaped HTML entity to the input of Action View's `strip_tags`
+  these entities will be unescaped what may cause a XSS attack if used in combination
+  with `raw` or `html_safe`.
+  For example:
+      strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")
+  Would generate:
+      <script>alert('XSS')</script>
+  After the fix it will generate:
+      &lt;script&gt;alert('XSS')&lt;/script&gt;
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+  Workarounds
+  -----------
+  If you can't upgrade, please use the following monkey patch in an initializer
+  that is loaded before your application:
+  ```
+  $ cat config/initializers/strip_tags_fix.rb
+  class ActionView::Base
+    def strip_tags(html)
+      self.class.full_sanitizer.sanitize(html)
+    end
+  end
+  ```
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches
+  for the two supported release series. They are in git-am format and consist
+  of a single changeset.
+  * Do-not-unescape-already-escaped-HTML-entities.patch
+  Credits
+  -------
+  Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
+  reporting the problem and working with us to fix it.
+unaffected_versions:
+  - "~> 1.0.0"
+  - "~> 1.0.1"
+patched_versions:
+  - "~> 1.0.3"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7580.yml ADDED

@@ -0,0 +1,70 @@
+---
+gem: rails-html-sanitizer
+cve: 2015-7580
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"
+title: Possible XSS vulnerability in rails-html-sanitizer
+description: |
+  There is a possible XSS vulnerability in the white list sanitizer in the
+  rails-html-sanitizer gem. This vulnerability has been assigned the CVE
+  identifier CVE-2015-7580.
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     v1.0.3
+  Impact
+  ------
+  Carefully crafted strings can cause user input to bypass the sanitization in
+  the white list sanitizer which will can lead to an XSS attack.
+  Vulnerable code will look something like this:
+    <%= sanitize user_input, tags: %w(em) %>
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+  Workarounds
+  -----------
+  Putting the following monkey patch in an initializer can help to mitigate the
+  issue:
+  ```
+  class Rails::Html::PermitScrubber
+    alias :old_scrub :scrub
+    alias :old_skip_node? :skip_node?
+    def scrub(node)
+      if node.cdata?
+        text = node.document.create_text_node node.text
+        node.replace text
+        return CONTINUE
+      end
+      old_scrub node
+    end
+    def skip_node?(node); node.text?; end
+  end
+  ```
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+  * 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series
+  Credits
+  -------
+  Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.
+patched_versions:
+  - "~> 1.0.3"

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml CHANGED

@@ -14,7 +14,7 @@ description: |
   valid. Such an attack would allow for the interception of sensitive traffic,
   and potentially allow for the injection of content into the SSL stream.
-cvss_v2:
+cvss_v2: 6.8
 patched_versions:
   - '>= 0.0.24'

data/data/ruby-advisory-db/gems/redcarpet/CVE-2015-5147.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: redcarpet
+cve: 2015-5147
+osvdb: 123859
+url: http://seclists.org/oss-sec/2015/q2/818
+title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow
+date: 2015-06-22
+description: |
+  redcarpet Gem for Ruby contains a flaw that allows a stack overflow.
+  This flaw exists because the header_anchor() function in html.c uses
+  variable length arrays (VLA) without any range checking. This may
+  allow a remote attacker to execute arbitrary code.
+cvss_v2: 7.5
+unaffected_versions:
+  - "< 3.3.0"
+patched_versions:
+  - ">= 3.3.2"

data/data/ruby-advisory-db/gems/redcarpet/OSVDB-120415.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: redcarpet
+osvdb: 120415
+url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
+title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
+date: 2015-04-07
+description: |
+  redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
+  (XSS) attack. This flaw exists because the parse_inline() function in
+  markdown.c does not validate input before returning it to users. This may
+  allow a remote attacker to create a specially crafted request that would
+  execute arbitrary script code in a user's browser session within the trust
+  relationship between their browser and the server.
+cvss_v2:
+patched_versions:
+  - ">= 3.2.3"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml CHANGED

@@ -1,16 +1,15 @@
 ---
 gem: redis-namespace
 osvdb: 96425
-url: http://www.osvdb.org/show/osvdb/96425
+url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
 title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
 date: 2013-08-03
 description: |
   redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
   The issue is triggered when handling exec commands called via send(). This may allow a
   remote attacker to execute arbitrary commands.
-cvss_v2:
 patched_versions:
   - ">= 1.3.1"
-  - ">= 1.2.2"
-  - ">= 1.1.1"
-  - ">= 1.0.4"
+  - "~> 1.2.2"
+  - "~> 1.1.1"
+  - "~> 1.0.4"

data/data/ruby-advisory-db/gems/refile/OSVDB-120857.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: refile
+osvdb: 120857
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/VIfMO2LvzNs
+title: refile Gem for Ruby contains a remote code execution vulnerability
+date: 2015-04-15
+description: |
+  refile Gem for Ruby contains a flaw that is triggered when input is not
+  sanitized when handling the 'remote_image_url' field in a form, where
+  'image' is the name of the attachment. This may allow a remote attacker
+  to execute arbitrary shell commands.
+cvss_v2:
+unaffected_versions:
+  - "< 0.5.0"
+patched_versions:
+  - '>= 0.5.4'

data/data/ruby-advisory-db/gems/rest-client/CVE-2015-1820.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: rest-client
+cve: 2015-1820
+osvdb: 119878
+url: https://github.com/rest-client/rest-client/issues/369
+title: 'rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses'
+date: 2015-03-24
+description: |
+  rest-client in abstract_response.rb improperly handles Set-Cookie headers on
+  HTTP 30x redirection responses. Any cookies will be forwarded to the
+  redirection target regardless of domain, path, or expiration.
+  If you control a redirection source, you can cause rest-client to perform a
+  request to any third-party domain with cookies of your choosing, which may be
+  useful in performing a session fixation attack.
+  If you control a redirection target, you can steal any cookies set by the
+  third-party redirection request.
+cvss_v2:
+unaffected_versions:
+  - "<= 1.6.0"
+patched_versions:
+  - ">= 1.8.0"

data/data/ruby-advisory-db/gems/rest-client/OSVDB-117461.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: rest-client
+cve: 2015-3448
+osvdb: 117461
+url: http://www.osvdb.org/show/osvdb/117461
+title: Rest-Client Gem for Ruby logs password information in plaintext
+date: 2015-01-12
+description: Rest-Client Ruby Gem contains a flaw that is due to the application
+  logging password information in plaintext. This may allow a local attacker
+  to gain access to password information.
+cvss_v2:
+patched_versions:
+  - ">= 1.7.3"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml CHANGED

@@ -1,14 +1,15 @@
----
+---
 gem: rgpg
-osvdb: 95948
 cve: 2013-4203
+osvdb: 95948
 url: http://www.osvdb.org/show/osvdb/95948
-title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
+title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
 date: 2013-08-02
 description: |
-  rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
-  The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
-  This may allow a remote attacker to execute arbitrary commands.
+  rgpg Gem for Ruby contains a flaw in the GpgHelper module
+  (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
+  sanitize user-supplied input before being used in the system() function for
+  execution. This may allow a remote attacker to execute arbitrary commands.
 cvss_v2: 7.5
-patched_versions:
-  - ">= 0.2.3"
+patched_versions:
+  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-117903.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: ruby-saml
+osvdb: 117903
+url: http://www.osvdb.org/show/osvdb/117903
+title: Ruby-Saml Gem is vulnerable to arbitrary code execution
+date: 2015-02-03
+description: |
+  ruby-saml contains a flaw that is triggered as the URI value of a SAML response is
+  not properly sanitized through a prepared statement. This may allow a remote
+  attacker to execute arbitrary shell commands on the host machine.
+cvss_v2:
+patched_versions:
+  - ">= 0.8.2"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124383.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: ruby-saml
+osvdb: 124383
+url: https://github.com/onelogin/ruby-saml/pull/247
+title: Ruby-Saml Gem is vulnerable to entity expansion attacks
+date: 2015-06-30
+description: |
+  ruby-saml before 1.0.0 is vulnerable to entity expansion attacks.
+cvss_v2: 3.9
+patched_versions:
+  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124991.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: ruby-saml
+osvdb: 124991
+url: https://github.com/onelogin/ruby-saml/pull/225
+title: Ruby-Saml Gem is vulnerable to XPath Injection
+date: 2015-04-29
+description: |
+  ruby-saml before 1.0.0 is vulnerable to XPath injection on xml_security.rb. The
+  lack of prepared statements allows for possibly command injection, leading to
+  arbitrary code execution
+cvss_v2: 6.7
+patched_versions:
+  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/screen_capture/OSVDB-107783.yml ADDED

@@ -0,0 +1,7 @@
+---
+gem: screen_capture
+osvdb: 107783
+url: http://osvdb.org/show/osvdb/107783
+title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command Execution
+date: 2014-06-07
+description: Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that is triggered when handling input passed via the URL. This may allow a context-dependent attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/sentry-raven/OSVDB-115654.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: sentry-raven
+cve: 2014-9490
+osvdb: 115654
+url: http://osvdb.org/show/osvdb/115654
+title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
+date: 2014-12-08
+description: Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script
+  that is triggered when large numeric values are stored as an exponent or in
+  scientific notation. With a specially crafted request, an attacker can cause
+  the software to consume excessive resources resulting in a denial of service.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 0.12.2"

data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml CHANGED

@@ -1,13 +1,15 @@
 ---
 gem: sfpagent
-cve:
+cve: 2014-2888
 osvdb: 105971
 url: http://www.osvdb.org/show/osvdb/105971
-title: sfpagent Gem for Ruby Remote Command Injection
+title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
 date: 2014-04-16
-description: sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
-  input is not properly sanitized when handling module names with shell metacharacters.
-  This may allow a context-dependent attacker to execute arbitrary commands.
-cvss_v2:
+description: |
+  sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
+  input is not properly sanitized when handling module names with shell
+  metacharacters. This may allow a context-dependent attacker to execute
+  arbitrary commands.
+cvss_v2: 7.5
 patched_versions:
-  - ">= 0.4.15"
+  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/show_in_browser/OSVDB-93490.yml ADDED

@@ -0,0 +1,8 @@
+---
+gem: show_in_browser
+cve: 2013-2105
+osvdb: 93490
+url: http://osvdb.org/show/osvdb/93490
+title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
+date: 2013-05-17
+description: Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user's browser.

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126329.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: sidekiq-pro
+osvdb: 126329
+url: https://github.com/mperham/sidekiq/commit/a695ff347ae50f641dfc35189131b232ea0aa1db
+title: |
+  Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements
+  Reflected XSS
+date: 2015-05-11
+description: |
+  XSS via batch failure error_class and error_message in Sidekiq::Web
+patched_versions:
+  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126330.yml ADDED

@@ -0,0 +1,10 @@
+---
+gem: sidekiq-pro
+osvdb: 126330
+url: https://github.com/mperham/sidekiq/commit/99b12fb50fe244c5a317f03f1bed9b333ec56ebe
+title: |
+  Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS
+date: 2014-10-13
+description: XSS via batch description in Sidekiq::Web
+patched_versions:
+  - ">= 1.9.1"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126331.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: sidekiq-pro
+osvdb: 126331
+url: https://github.com/mperham/sidekiq/commit/651400ed8f237118346895c99dc28ca94f3169d3
+title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering
+date: 2015-07-17
+description: |
+  Sidekiq::Web job filtering lacks CSRF protection. This issue
+  is related to OSVDB-125675.
+patched_versions:
+  - ">= 2.0.6"
+related:
+  osvdb:
+    - 125675

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125675.yml ADDED

@@ -0,0 +1,9 @@
+---
+gem: sidekiq
+osvdb: 125675
+url: https://github.com/mperham/sidekiq/pull/2422
+title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
+date: 2015-07-06
+description: Sidekiq::Web lacks CSRF protection
+patched_versions:
+  - ">= 3.4.2"