RubyGems - bundler-audit - Versions diffs - 0.4.0 → 0.7.0.1 - Mend

bundler-audit 0.4.0 → 0.7.0.1

Files changed (584) hide show

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml ADDED

@@ -0,0 +1,89 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-2098
+date: 2016-02-29
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q"
+title: Possible remote code execution vulnerability in Action Pack
+description: |
+  There is a possible remote code execution vulnerability in Action Pack.
+  This vulnerability has been assigned the CVE identifier CVE-2016-2098.
+  Versions Affected:  3.2.x, 4.0.x, 4.1.x, 4.2.x
+  Not affected:       5.0+
+  Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2
+  Impact
+  ------
+  Applications that pass unverified user input to the `render` method in a
+  controller or a view may be vulnerable to a code injection.
+  Impacted code will look like this:
+  ```ruby
+  class TestController < ApplicationController
+    def show
+      render params[:id]
+    end
+  end
+  ```
+  An attacker could use the request parameters to coerce the above example
+  to execute arbitrary ruby code.
+  All users running an affected release should either upgrade or use one of
+  the workarounds immediately.
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+  Workarounds
+  -----------
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method. Instead, verify that data before passing it to the `render` method.
+  For example, change this:
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+  To this:
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided a
+  patch for it. It is in git-am format and consist of a single changeset.
+  * 3-2-secure_inline_with_params.patch - Patch for 3.2 series
+  * 4-1-secure_inline_with_params.patch - Patch for 4.1 series
+  * 4-2-secure_inline_with_params.patch - Patch for 4.2 series
+  Credits
+  -------
+  Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for
+  reporting this!
+unaffected_versions:
+  - ">= 5.0.0.beta1"
+patched_versions:
+  - "~> 3.2.22.2"
+  - "~> 4.2.5, >= 4.2.5.2"
+  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-6316.yml ADDED

@@ -0,0 +1,57 @@
+---
+gem: actionpack
+framework: rails
+cve: 2016-6316
+date: 2016-08-11
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
+title: Possible XSS Vulnerability in Action View
+description: |
+  There is a possible XSS vulnerability in Action View.  Text declared as "HTML
+  safe" will not have quotes escaped when used as attribute values in tag
+  helpers.
+  Impact
+  ------
+  Text declared as "HTML safe" when passed as an attribute value to a tag helper
+  will not have quotes escaped which can lead to an XSS attack.  Impacted code
+  looks something like this:
+  ```ruby
+  content_tag(:div, "hi", title: user_input.html_safe)
+  ```
+  Some helpers like the `sanitize` helper will automatically mark strings as
+  "HTML safe", so impacted code could also look something like this:
+  ```ruby
+  content_tag(:div, "hi", title: sanitize(user_input))
+  ```
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Workarounds
+  -----------
+  You can work around this issue by either *not* marking arbitrary user input as
+  safe, or by manually escaping quotes like this:
+  ```ruby
+  def escape_quotes(value)
+    value.gsub(/"/, '&quot;'.freeze)
+  end
+  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
+  ```
+unaffected_versions:
+  - "< 3.0.0"
+  # Newer versions are affected, but tracked in the actionview gem.
+  - ">= 4.1.0"
+patched_versions:
+  - ~> 3.2.22.3
+  - ~> 4.2.7.1
+  - ">= 5.0.0.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2020-8164.yml ADDED

@@ -0,0 +1,49 @@
+---
+gem: actionpack
+framework: rails
+cve: 2020-8164
+date: 2020-05-18
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
+title: Possible Strong Parameters Bypass in ActionPack
+description: |
+  There is a strong parameters bypass vector in ActionPack.
+  Versions Affected:  rails <= 6.0.3
+  Not affected:       rails < 4.0.0
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  In some cases user supplied information can be inadvertently leaked from
+  Strong Parameters.  Specifically the return value of `each`, or `each_value`,
+  or `each_pair` will return the underlying "untrusted" hash of data that was
+  read from the parameters.  Applications that use this return value may be
+  inadvertently use untrusted user input.
+  Impacted code will look something like this:
+  ```
+  def update
+    # Attacker has included the parameter: `{ is_admin: true }`
+    User.update(clean_up_params)
+  end
+  def clean_up_params
+     params.each { |k, v|  SomeModel.check(v) if k == :name }
+  end
+  ```
+  Note the mistaken use of `each` in the `clean_up_params` method in the above
+  example.
+  Workarounds
+  -----------
+  Do not use the return values of `each`, `each_value`, or `each_pair` in your
+  application.
+unaffected_versions:
+  - "< 4.0.0"
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2020-8166.yml ADDED

@@ -0,0 +1,31 @@
+---
+gem: actionpack
+framework: rails
+cve: 2020-8166
+date: 2020-05-18
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
+title: Ability to forge per-form CSRF tokens given a global CSRF token
+description: |
+  It is possible to possible to, given a global CSRF token such as the one
+  present in the authenticity_token meta tag, forge a per-form CSRF token for
+  any action for that session.
+  Versions Affected:  rails < 5.2.5, rails < 6.0.4
+  Not affected:       Applications without existing HTML injection vulnerabilities.
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  Given the ability to extract the global CSRF token, an attacker would be able to
+  construct a per-form CSRF token for that session.
+  Workarounds
+  -----------
+  This is a low-severity security issue. As such, no workaround is necessarily
+  until such time as the application can be upgraded.
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml CHANGED

@@ -13,7 +13,7 @@ description: |
   of the parameters to the helper (unit) is not escaped correctly.  Applications
   which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
-cvss_v2:
+cvss_v2: 4.3
 patched_versions:
   - ~> 3.2.16

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml CHANGED

@@ -8,10 +8,10 @@ title: Denial of Service Vulnerability in Action View
 date: 2013-12-03
 description: |
-  There is a denial of service vulnerability in the header handling component of
+  There is a denial of service vulnerability in the header handling component of
   Action View.
-cvss_v2:
+cvss_v2: 5.0
 unaffected_versions:
   - ~> 2.3.0

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml CHANGED

@@ -9,14 +9,14 @@ date: 2013-12-03
 description: |
   There is a vulnerability in the simple_format helper in Ruby on Rails.
-  The simple_format helper converts user supplied text into html text
-  which is intended to be safe for display. A change made to the
-  implementation of this helper means that any user provided HTML
-  attributes will not be escaped correctly. As a result of this error,
-  applications which pass user-controlled data to be included as html
+  The simple_format helper converts user supplied text into html text
+  which is intended to be safe for display. A change made to the
+  implementation of this helper means that any user provided HTML
+  attributes will not be escaped correctly. As a result of this error,
+  applications which pass user-controlled data to be included as html
   attributes will be vulnerable to an XSS attack.
-cvss_v2:
+cvss_v2: 4.3
 unaffected_versions:
   - ~> 2.3.0

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml CHANGED

@@ -15,9 +15,9 @@ description: |
   parameters insecurely and store them in the same key that Rails uses
   for its own parameters.  In the event that happens the application
   will receive unsafe parameters and could be vulnerable to the earlier
-  vulnerability.
+  vulnerability.
-cvss_v2:
+cvss_v2: 6.4
 patched_versions:
   - ~> 3.2.16

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml CHANGED

@@ -11,11 +11,11 @@ description: |
   There is a vulnerability in the internationalization component of Ruby on
   Rails. Under certain common configurations an attacker can provide specially
   crafted input which will execute a reflective XSS attack.
   The root cause of this issue is a vulnerability in the i18n gem which has
   been assigned the identifier CVE-2013-4492.
-cvss_v2:
+cvss_v2: 4.3
 patched_versions:
   - ~> 3.2.16

data/data/ruby-advisory-db/gems/actionpack/OSVDB-74616.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: actionpack
+framework: rails
+cve: 2011-3186
+osvdb: 74616
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
+title: Response Splitting Vulnerability in Ruby on Rails
+date: 2011-08-16
+description: |
+  A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow
+  a remote attacker to inject arbitrary HTTP headers into a response due to
+  insufficient sanitization of the values provided for response content types.
+cvss_v2: 4.3
+patched_versions:
+  - ">= 2.3.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-77199.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: actionpack
+framework: rails
+cve: 2011-4319
+osvdb: 77199
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
+title: XSS vulnerability in the translate helper method in Ruby on Rails
+date: 2011-11-17
+description: |
+  A cross-site scripting (XSS) flaw was found in the way the 'translate' helper
+  method of the Ruby on Rails performed HTML escaping of interpolated user
+  input, when interpolation in combination with HTML-safe translations were
+  used. A remote attacker could use this flaw to execute arbitrary HTML or web
+  script by providing a specially-crafted input to Ruby on Rails application,
+  using the ActionPack module and its 'translate' helper method without explicit
+  (application specific) sanitization of user provided input.
+cvss_v2: 4.3
+patched_versions:
+  - "~> 3.0.11"
+  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml ADDED

@@ -0,0 +1,95 @@
+---
+gem: actionview
+framework: rails
+cve: 2016-0752
+date: 2016-01-25
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
+title: Possible Information Leak Vulnerability in Action View
+description: |
+  There is a possible directory traversal and information leak vulnerability in
+  Action View. This vulnerability has been assigned the CVE identifier
+  CVE-2016-0752.
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
+  Impact
+  ------
+  Applications that pass unverified user input to the `render` method in a
+  controller may be vulnerable to an information leak vulnerability.
+  Impacted code will look something like this:
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+  Carefully crafted requests can cause the above code to render files from
+  unexpected places like outside the application's view directory, and can
+  possibly escalate this to a remote code execution attack.
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+  Workarounds
+  -----------
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method.  Instead, verify that data before passing it to the `render` method.
+  For example, change this:
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+  To this:
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for
+  the two supported release series. They are in git-am format and consist of a
+  single changeset.
+  * 3-2-render_data_leak.patch - Patch for 3.2 series
+  * 4-1-render_data_leak.patch - Patch for 4.1 series
+  * 4-2-render_data_leak.patch - Patch for 4.2 series
+  * 5-0-render_data_leak.patch - Patch for 5.0 series
+  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
+  of earlier unsupported releases are advised to upgrade as soon as possible as we
+  cannot guarantee the continued availability of security fixes for unsupported
+  releases.
+  Credits
+  -------
+  Thanks John Poulin for reporting this!
+cvss_v2: 5.0
+cvss_v3: 7.5
+# "~> 3.2.22.1" is found in gems/actionpack/CVE-2016-0752.yml
+patched_versions:
+  - ">= 5.0.0.beta1.1"
+  - "~> 4.2.5, >= 4.2.5.1"
+  - "~> 4.1.14, >= 4.1.14.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml ADDED

@@ -0,0 +1,89 @@
+---
+gem: actionview
+framework: rails
+cve: 2016-2097
+date: 2016-02-29
+url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
+title: Possible Information Leak Vulnerability in Action View
+description: |
+  There is a possible directory traversal and information leak vulnerability
+  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
+  patch was not covering all the scenarios. This vulnerability has been
+  assigned the CVE identifier CVE-2016-2097.
+  Versions Affected:  3.2.x, 4.0.x, 4.1.x
+  Not affected:       4.2+
+  Fixed Versions:     3.2.22.2, 4.1.14.2
+  Impact
+  ------
+  Applications that pass unverified user input to the `render` method in a
+  controller may be vulnerable to an information leak vulnerability.
+  Impacted code will look something like this:
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+  Carefully crafted requests can cause the above code to render files from
+  unexpected places like outside the application's view directory, and can
+  possibly escalate this to a remote code execution attack.
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+  Workarounds
+  -----------
+  A workaround to this issue is to not pass arbitrary user input to the `render`
+  method. Instead, verify that data before passing it to the `render` method.
+  For example, change this:
+  ```ruby
+  def index
+    render params[:id]
+  end
+  ```
+  To this:
+  ```ruby
+  def index
+    render verify_template(params[:id])
+  end
+  private
+  def verify_template(name)
+    # add verification logic particular to your application here
+  end
+  ```
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches
+  for it. It is in git-am format and consist of a single changeset.
+  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
+  * 4-1-render_data_leak_2.patch - Patch for 4.1 series
+  Credits
+  -------
+  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
+  and working with us in the patch!
+unaffected_versions:
+  - ">= 4.2.0"
+# "~> 3.2.22.2"  is found in gems/actionpack/CVE-2016-2097.yml
+patched_versions:
+  - "~> 4.1.14, >= 4.1.14.2"