bundler-audit 0.5.0 → 0.6.0
- checksums.yaml +4 -4
- data/.travis.yml +11 -6
- data/ChangeLog.md +7 -1
- data/Gemfile +1 -1
- data/README.md +13 -7
- data/bin/bundler-audit +3 -0
- data/data/ruby-advisory-db.ts +1 -1
- data/data/ruby-advisory-db/.gitignore +0 -1
- data/data/ruby-advisory-db/.travis.yml +0 -6
- data/data/ruby-advisory-db/CONTRIBUTING.md +34 -21
- data/data/ruby-advisory-db/CONTRIBUTORS.md +2 -0
- data/data/ruby-advisory-db/Gemfile +1 -1
- data/data/ruby-advisory-db/README.md +38 -21
- data/data/ruby-advisory-db/gems/RedCloth/{OSVDB-115941.yml → CVE-2012-6684.yml} +6 -1
- data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml +102 -102
- data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7581.yml +2 -2
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml +45 -45
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0752.yml +96 -0
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml +90 -0
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2098.yml +89 -0
- data/data/ruby-advisory-db/gems/actionpack/CVE-2016-6316.yml +57 -0
- data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml +80 -80
- data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml +89 -0
- data/data/ruby-advisory-db/gems/actionview/CVE-2016-6316.yml +56 -0
- data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml +78 -78
- data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml +91 -91
- data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml +73 -0
- data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml +14 -0
- data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml +10 -0
- data/data/ruby-advisory-db/gems/archive-tar-minitar/CVE-2016-10173.yml +16 -0
- data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml +2 -1
- data/data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml +43 -0
- data/data/ruby-advisory-db/gems/espeak-ruby/CVE-2016-10193.yml +15 -0
- data/data/ruby-advisory-db/gems/festivaltts4r/CVE-2016-10194.yml +12 -0
- data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8968.yml +21 -0
- data/data/ruby-advisory-db/gems/git-fastclone/CVE-2015-8969.yml +13 -0
- data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml +18 -11
- data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml +16 -0
- data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml +42 -0
- data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml +32 -0
- data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml +44 -0
- data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml +16 -0
- data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml +17 -0
- data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml +17 -0
- data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml +14 -0
- data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml +13 -0
- data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml +16 -0
- data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml +1 -1
- data/data/ruby-advisory-db/rubies/ruby/CVE-2015-1855.yml +17 -0
- data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml +19 -0
- data/data/ruby-advisory-db/spec/advisory_example.rb +19 -4
- data/gemspec.yml +1 -1
- data/lib/bundler/audit/cli.rb +10 -5
- data/lib/bundler/audit/database.rb +13 -3
- data/lib/bundler/audit/version.rb +1 -1
- data/spec/bundle/secure/Gemfile +1 -1
- data/spec/cli_spec.rb +80 -25
- data/spec/database_spec.rb +5 -5
- data/spec/integration_spec.rb +2 -2
- metadata +35 -5
@@ -5,103 +5,103 @@ cve: 2015-7577
|
|
5
5
|
date: 2016-01-25
|
6
6
|
url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
|
7
7
|
|
8
|
-
title: Nested attributes rejection proc bypass in Active Record
|
8
|
+
title: Nested attributes rejection proc bypass in Active Record
|
9
9
|
|
10
10
|
description: |
|
11
|
-
There is a vulnerability in how the nested attributes feature in Active Record
|
12
|
-
handles updates in combination with destroy flags when destroying records is
|
13
|
-
disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
|
14
|
-
|
15
|
-
Versions Affected: 3.1.0 and newer
|
16
|
-
Not affected: 3.0.x and older
|
17
|
-
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
|
18
|
-
|
19
|
-
Impact
|
20
|
-
------
|
21
|
-
When using the nested attributes feature in Active Record you can prevent the
|
22
|
-
destruction of associated records by passing the `allow_destroy: false` option
|
23
|
-
to the `accepts_nested_attributes_for` method. However due to a change in the
|
24
|
-
commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
|
25
|
-
being called because it assumes that the record will be destroyed anyway.
|
26
|
-
|
27
|
-
However this isn't true if `:allow_destroy` is false so this leads to changes
|
28
|
-
that would have been rejected being applied to the record. Attackers could use
|
29
|
-
this do things like set attributes to invalid values and to clear all of the
|
30
|
-
attributes amongst other things. The severity will be dependent on how the
|
31
|
-
application has used this feature.
|
32
|
-
|
33
|
-
All users running an affected release should either upgrade or use one of
|
34
|
-
the workarounds immediately.
|
35
|
-
|
36
|
-
Releases
|
37
|
-
--------
|
38
|
-
The FIXED releases are available at the normal locations.
|
39
|
-
|
40
|
-
Workarounds
|
41
|
-
-----------
|
42
|
-
If you can't upgrade, please use the following monkey patch in an initializer
|
43
|
-
that is loaded before your application:
|
44
|
-
|
45
|
-
```
|
46
|
-
$ cat config/initializers/nested_attributes_bypass_fix.rb
|
47
|
-
module ActiveRecord
|
48
|
-
module NestedAttributes
|
49
|
-
private
|
50
|
-
|
51
|
-
def reject_new_record?(association_name, attributes)
|
52
|
-
will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
|
53
|
-
end
|
54
|
-
|
55
|
-
def call_reject_if(association_name, attributes)
|
56
|
-
return false if will_be_destroyed?(association_name, attributes)
|
57
|
-
|
58
|
-
case callback = self.nested_attributes_options[association_name][:reject_if]
|
59
|
-
when Symbol
|
60
|
-
method(callback).arity == 0 ? send(callback) : send(callback, attributes)
|
61
|
-
when Proc
|
62
|
-
callback.call(attributes)
|
63
|
-
end
|
64
|
-
end
|
65
|
-
|
66
|
-
def will_be_destroyed?(association_name, attributes)
|
67
|
-
allow_destroy?(association_name) && has_destroy_flag?(attributes)
|
68
|
-
end
|
69
|
-
|
70
|
-
def allow_destroy?(association_name)
|
71
|
-
self.nested_attributes_options[association_name][:allow_destroy]
|
72
|
-
end
|
73
|
-
end
|
74
|
-
end
|
75
|
-
```
|
76
|
-
|
77
|
-
Patches
|
78
|
-
-------
|
79
|
-
To aid users who aren't able to upgrade immediately we have provided patches for
|
80
|
-
the two supported release series. They are in git-am format and consist of a
|
81
|
-
single changeset.
|
82
|
-
|
83
|
-
* 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
|
84
|
-
* 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
|
85
|
-
* 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
|
86
|
-
* 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
|
87
|
-
|
88
|
-
Please note that only the 4.1.x and 4.2.x series are supported at present. Users
|
89
|
-
of earlier unsupported releases are advised to upgrade as soon as possible as we
|
90
|
-
cannot guarantee the continued availability of security fixes for unsupported
|
91
|
-
releases.
|
92
|
-
|
93
|
-
Credits
|
94
|
-
-------
|
95
|
-
Thank you to Justin Coyne for reporting the problem and working with us to fix it.
|
96
|
-
|
97
|
-
[1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
|
11
|
+
There is a vulnerability in how the nested attributes feature in Active Record
|
12
|
+
handles updates in combination with destroy flags when destroying records is
|
13
|
+
disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
|
14
|
+
|
15
|
+
Versions Affected: 3.1.0 and newer
|
16
|
+
Not affected: 3.0.x and older
|
17
|
+
Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
|
18
|
+
|
19
|
+
Impact
|
20
|
+
------
|
21
|
+
When using the nested attributes feature in Active Record you can prevent the
|
22
|
+
destruction of associated records by passing the `allow_destroy: false` option
|
23
|
+
to the `accepts_nested_attributes_for` method. However due to a change in the
|
24
|
+
commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
|
25
|
+
being called because it assumes that the record will be destroyed anyway.
|
26
|
+
|
27
|
+
However this isn't true if `:allow_destroy` is false so this leads to changes
|
28
|
+
that would have been rejected being applied to the record. Attackers could use
|
29
|
+
this do things like set attributes to invalid values and to clear all of the
|
30
|
+
attributes amongst other things. The severity will be dependent on how the
|
31
|
+
application has used this feature.
|
32
|
+
|
33
|
+
All users running an affected release should either upgrade or use one of
|
34
|
+
the workarounds immediately.
|
35
|
+
|
36
|
+
Releases
|
37
|
+
--------
|
38
|
+
The FIXED releases are available at the normal locations.
|
39
|
+
|
40
|
+
Workarounds
|
41
|
+
-----------
|
42
|
+
If you can't upgrade, please use the following monkey patch in an initializer
|
43
|
+
that is loaded before your application:
|
44
|
+
|
45
|
+
```
|
46
|
+
$ cat config/initializers/nested_attributes_bypass_fix.rb
|
47
|
+
module ActiveRecord
|
48
|
+
module NestedAttributes
|
49
|
+
private
|
50
|
+
|
51
|
+
def reject_new_record?(association_name, attributes)
|
52
|
+
will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
|
53
|
+
end
|
54
|
+
|
55
|
+
def call_reject_if(association_name, attributes)
|
56
|
+
return false if will_be_destroyed?(association_name, attributes)
|
57
|
+
|
58
|
+
case callback = self.nested_attributes_options[association_name][:reject_if]
|
59
|
+
when Symbol
|
60
|
+
method(callback).arity == 0 ? send(callback) : send(callback, attributes)
|
61
|
+
when Proc
|
62
|
+
callback.call(attributes)
|
63
|
+
end
|
64
|
+
end
|
65
|
+
|
66
|
+
def will_be_destroyed?(association_name, attributes)
|
67
|
+
allow_destroy?(association_name) && has_destroy_flag?(attributes)
|
68
|
+
end
|
69
|
+
|
70
|
+
def allow_destroy?(association_name)
|
71
|
+
self.nested_attributes_options[association_name][:allow_destroy]
|
72
|
+
end
|
73
|
+
end
|
74
|
+
end
|
75
|
+
```
|
76
|
+
|
77
|
+
Patches
|
78
|
+
-------
|
79
|
+
To aid users who aren't able to upgrade immediately we have provided patches for
|
80
|
+
the two supported release series. They are in git-am format and consist of a
|
81
|
+
single changeset.
|
82
|
+
|
83
|
+
* 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
|
84
|
+
* 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
|
85
|
+
* 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
|
86
|
+
* 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
|
87
|
+
|
88
|
+
Please note that only the 4.1.x and 4.2.x series are supported at present. Users
|
89
|
+
of earlier unsupported releases are advised to upgrade as soon as possible as we
|
90
|
+
cannot guarantee the continued availability of security fixes for unsupported
|
91
|
+
releases.
|
92
|
+
|
93
|
+
Credits
|
94
|
+
-------
|
95
|
+
Thank you to Justin Coyne for reporting the problem and working with us to fix it.
|
96
|
+
|
97
|
+
[1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
|
98
98
|
|
99
99
|
unaffected_versions:
|
100
100
|
- "~> 3.0.0"
|
101
101
|
- "< 3.0.0"
|
102
102
|
|
103
103
|
patched_versions:
|
104
|
-
- "
|
105
|
-
- "~> 4.2.5.1"
|
106
|
-
- "~> 4.1.14.1"
|
104
|
+
- ">= 5.0.0.beta1.1"
|
105
|
+
- "~> 4.2.5, >= 4.2.5.1"
|
106
|
+
- "~> 4.1.14, >= 4.1.14.1"
|
107
107
|
- "~> 3.2.22.1"
|
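Review bot: the unchanged `- "~> 3.2.22.1"` entry at the end of `patched_versions` keeps the narrow pessimistic form that this hunk replaces for the 4.1 and 4.2 entries (`"~> 4.2.5, >= 4.2.5.1"`, `"~> 4.1.14, >= 4.1.14.1"`). `~> 3.2.22.1` only admits 3.2.22.x, so any later 3.2 patch release would be reported as unpatched; for consistency write it as `"~> 3.2.22, >= 3.2.22.1"`, or say in the commit why the 3.2 line is intentionally left as is. Two smaller points: the removed first `patched_versions` entry is truncated in this rendering (`- "`), so its old value cannot be compared against the new `">= 5.0.0.beta1.1"`, and the whole `description` block is removed and re-added with identical text, which reads as a whitespace-only change and deserves a mention in the commit message so reviewers do not hunt for a wording difference.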
@@ -0,0 +1,73 @@
|
|
1
|
+
---
|
2
|
+
gem: activerecord
|
3
|
+
framework: rails
|
4
|
+
cve: 2016-6317
|
5
|
+
date: 2016-08-11
|
6
|
+
url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
|
7
|
+
|
8
|
+
title: Unsafe Query Generation Risk in Active Record
|
9
|
+
|
10
|
+
description: |
|
11
|
+
There is a vulnerability when Active Record is used in conjunction with JSON
|
12
|
+
parameter parsing. This vulnerability is similar to CVE-2012-2660,
|
13
|
+
CVE-2012-2694 and CVE-2013-0155.
|
14
|
+
|
15
|
+
Impact
|
16
|
+
------
|
17
|
+
|
18
|
+
Due to the way Active Record interprets parameters in combination with the way
|
19
|
+
that JSON parameters are parsed, it is possible for an attacker to issue
|
20
|
+
unexpected database queries with "IS NULL" or empty where clauses. This issue
|
21
|
+
does *not* let an attacker insert arbitrary values into an SQL query, however
|
22
|
+
they can cause the query to check for NULL or eliminate a WHERE clause when
|
23
|
+
most users wouldn't expect it.
|
24
|
+
|
25
|
+
For example, a system has password reset with token functionality:
|
26
|
+
|
27
|
+
```ruby
|
28
|
+
unless params[:token].nil?
|
29
|
+
user = User.find_by_token(params[:token])
|
30
|
+
user.reset_password!
|
31
|
+
end
|
32
|
+
```
|
33
|
+
|
34
|
+
An attacker can craft a request such that `params[:token]` will return
|
35
|
+
`[nil]`. The `[nil]` value will bypass the test for nil, but will still add
|
36
|
+
an "IN ('xyz', NULL)" clause to the SQL query.
|
37
|
+
|
38
|
+
Similarly, an attacker can craft a request such that `params[:token]` will
|
39
|
+
return an empty hash. An empty hash will eliminate the WHERE clause of the
|
40
|
+
query, but can bypass the `nil?` check.
|
41
|
+
|
42
|
+
Note that this impacts not only dynamic finders (`find_by_*`) but also
|
43
|
+
relations (`User.where(:name => params[:name])`).
|
44
|
+
|
45
|
+
All users running an affected release should either upgrade or use one of the
|
46
|
+
work arounds immediately. All users running an affected release should upgrade
|
47
|
+
immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
|
48
|
+
CVE-2012-2694, and CVE-2013-0155. Even if you upgraded to address those
|
49
|
+
issues, you must take action again.
|
50
|
+
|
51
|
+
If this chance in behavior impacts your application, you can manually decode
|
52
|
+
the original values from the request like so:
|
53
|
+
|
54
|
+
`ActiveSupport::JSON.decode(request.body)`
|
55
|
+
|
56
|
+
Workarounds
|
57
|
+
-----------
|
58
|
+
This problem can be mitigated by casting the parameter to a string before
|
59
|
+
passing it to Active Record. For example:
|
60
|
+
|
61
|
+
```ruby
|
62
|
+
unless params[:token].nil? || params[:token].to_s.empty?
|
63
|
+
user = User.find_by_token(params[:token].to_s)
|
64
|
+
user.reset_password!
|
65
|
+
end
|
66
|
+
```
|
67
|
+
|
68
|
+
unaffected_versions:
|
69
|
+
- "< 4.2.0"
|
70
|
+
- ">= 5.0.0"
|
71
|
+
|
72
|
+
patched_versions:
|
73
|
+
- ">= 4.2.7.1"
|
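Review bot: the pasted advisory text carries a typo at line 51 of the new file, `If this chance in behavior` should read `If this change in behavior`, and `work arounds` at line 46 should be `workarounds`; lines 45 to 47 also tell affected users to upgrade twice in a row. Since the description is quoted from the rubyonrails-security announcement, either fix these in place or keep the quote verbatim, but be consistent with how the other Rails entries in this diff are handled. The version data is sound: `unaffected_versions` `"< 4.2.0"` and `">= 5.0.0"` bracket `patched_versions: ">= 4.2.7.1"` with no gap.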
@@ -0,0 +1,14 @@
|
|
1
|
+
---
|
2
|
+
gem: administrate
|
3
|
+
cve: 2016-3098
|
4
|
+
title: Cross-site request forgery (CSRF) vulnerability in administrate gem
|
5
|
+
date: 2016-04-01
|
6
|
+
url: http://seclists.org/oss-sec/2016/q2/0
|
7
|
+
|
8
|
+
description: >-
|
9
|
+
`Administrate::ApplicationController` actions didn't have CSRF
|
10
|
+
protection. Remote attackers can hijack user's sessions and use any
|
11
|
+
functionality that administrate exposes on their behalf.
|
12
|
+
|
13
|
+
patched_versions:
|
14
|
+
- ">= 0.1.5"
|
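Review bot: `user's sessions` at line 10 should be `users' sessions`. The entry also carries no `related` URL for the fixing commit and no `unaffected_versions`; `patched_versions: ">= 0.1.5"` is enough for a correct finding, so this is a documentation point only, but the doorkeeper entry in this same diff shows the `related:` / `url:` form that could be reused here.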
@@ -0,0 +1,10 @@
|
|
1
|
+
---
|
2
|
+
gem: aescrypt
|
3
|
+
cve: 2013-7463
|
4
|
+
date: 2013-10-01
|
5
|
+
url: https://github.com/Gurpartap/aescrypt/issues/4
|
6
|
+
title: Vulnerability in aescrypt because IV is not randomized
|
7
|
+
description: |
|
8
|
+
The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the
|
9
|
+
AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to
|
10
|
+
defeat cryptographic protection mechanisms via a chosen plaintext attack.
|
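Review bot: the new file has neither `patched_versions` nor `unaffected_versions`, so every release of aescrypt will be reported as vulnerable even though the description names only `1.0.0`. If no fixed release exists that is the right outcome, but please state it explicitly in the description (or add `unaffected_versions` if a later release randomizes the IV), so the omission is not mistaken for an incomplete entry; most of the other new entries in this diff carry `patched_versions`.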
@@ -0,0 +1,16 @@
|
|
1
|
+
---
|
2
|
+
gem: archive-tar-minitar
|
3
|
+
cve: 2016-10173
|
4
|
+
url: https://github.com/atoulme/minitar/issues/5
|
5
|
+
title: Archive-Tar-Minitar Directory Traversal Vulnerability
|
6
|
+
date: 2016-08-22
|
7
|
+
description: |
|
8
|
+
Minitar allows attackers to overwrite arbitrary files during archive
|
9
|
+
extraction via a .. (dot dot) in an extracted filename. Analogous
|
10
|
+
vulnerabilities for unzip and tar:
|
11
|
+
https://www.cvedetails.com/cve/CVE-2001-1268/ and
|
12
|
+
http://www.cvedetails.com/cve/CVE-2001-1267/
|
13
|
+
|
14
|
+
Credit: ecneladis
|
15
|
+
patched_versions:
|
16
|
+
- ">= 0.6.1"
|
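Review bot: `Credit: ecneladis` at line 14 sits inside the `description: |` literal block, so it becomes part of the advisory text rather than a field of its own; none of the other new entries carry a credit line, so either move it to a key the schema supports or drop it from the block. Minor: the two analogous-CVE links at lines 11 and 12 mix `https` and `http`. The file list shows a parallel `minitar/CVE-2016-10173.yml` entry (+16) for the same issue, so please keep the two descriptions and `patched_versions` in sync.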
@@ -0,0 +1,43 @@
|
|
1
|
+
---
|
2
|
+
gem: doorkeeper
|
3
|
+
cve: 2016-6582
|
4
|
+
date: 2016-08-18
|
5
|
+
url: "http://www.openwall.com/lists/oss-security/2016/08/19/2"
|
6
|
+
|
7
|
+
title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
|
8
|
+
|
9
|
+
description: |
|
10
|
+
Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
|
11
|
+
following ways:
|
12
|
+
|
13
|
+
1. Public clients making valid, unauthenticated calls to revoke a token
|
14
|
+
would not have their token revoked
|
15
|
+
2. Requests were not properly authenticating the *client credentials* but
|
16
|
+
were, instead, looking at the access token in a second location
|
17
|
+
3. Because of 2, the requests were also not authorizing confidential
|
18
|
+
clients' ability to revoke a given token. It should only revoke tokens
|
19
|
+
that belong to it.
|
20
|
+
|
21
|
+
The security implication is: OAuth 2.0 clients who "log out" a user expect
|
22
|
+
to have the corresponding access & refresh tokens revoked, preventing an
|
23
|
+
attacker who may have already hijacked the session from continuing to
|
24
|
+
impersonate the victim. Because of the bug described above, this is not the
|
25
|
+
case. As far as OWASP is concerned, this counts as broken authentication
|
26
|
+
design.
|
27
|
+
|
28
|
+
MITRE has assigned CVE-2016-6582 due to the security issues raised. An
|
29
|
+
attacker, thanks to 1, can replay a hijacked session after a victim logs
|
30
|
+
out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
|
31
|
+
compromised confidential client could "grief" other clients by revoking
|
32
|
+
their tokens (albeit this is an exceptionally narrow attack with little
|
33
|
+
value).
|
34
|
+
|
35
|
+
unaffected_versions:
|
36
|
+
- "< 1.2.0"
|
37
|
+
|
38
|
+
patched_versions:
|
39
|
+
- ">= 4.2.0"
|
40
|
+
|
41
|
+
related:
|
42
|
+
url:
|
43
|
+
- https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53
|
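Review bot: `url` at line 5 is double-quoted while every other entry in this diff writes the URL bare; both parse identically, so this is a style point only. The version data reads consistently: `unaffected_versions: "< 1.2.0"` together with `patched_versions: ">= 4.2.0"` flags 1.2.0 up to, but not including, 4.2.0, which is what the description implies.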
@@ -0,0 +1,15 @@
|
|
1
|
+
cve: 2016-10193
|
2
|
+
gem: espeak-ruby
|
3
|
+
url: https://github.com/dejan/espeak-ruby/issues/7
|
4
|
+
title: espeak-ruby Gem for Ruby Arbitrary Command Execution
|
5
|
+
date: 2016-04-13
|
6
|
+
|
7
|
+
description: |
|
8
|
+
espeak-ruby passes user modifiable strings directly to a shell
|
9
|
+
command. An attacker can execute malicious commands by modifying
|
10
|
+
the strings that are passed as arguments to the speak, save, bytes
|
11
|
+
and bytes_wav methods in the lib/espeak/speech.rb library.
|
12
|
+
|
13
|
+
patched_versions:
|
14
|
+
- '>= 1.0.3'
|
15
|
+
|
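Review bot: the file starts at `cve:` without the `---` document marker the other new entries use, ends with a trailing blank line (line 15), and single-quotes the patched version (`'>= 1.0.3'`) where the rest of the database uses double quotes. YAML parses all of these the same way, so this is style only, but please align it with the sibling entries.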
@@ -0,0 +1,12 @@
|
|
1
|
+
cve: 2016-10194
|
2
|
+
gem: festivaltts4r
|
3
|
+
url: https://github.com/spejman/festivaltts4r/issues/1
|
4
|
+
title: festivaltts4r Gem for Ruby Arbitrary Command Execution
|
5
|
+
date: 2016-04-23
|
6
|
+
|
7
|
+
description: |
|
8
|
+
festivaltts4r passes user modifiable strings directly to a shell
|
9
|
+
command. An attacker can execute malicious commands by modifying
|
10
|
+
the strings that are passed as arguments to the to_speech and
|
11
|
+
and to_mp3 methods in lib/festivaltts4r/festival4r.rb library.
|
12
|
+
|
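Review bot: the entry has no `patched_versions` (and no `unaffected_versions`), so every version of festivaltts4r is reported as vulnerable; if that is intended because no fixed release exists, say so in the description, since the espeak-ruby entry for the same class of bug in this diff does carry `patched_versions`. Also `to_speech and and to_mp3` at lines 10 and 11 has a doubled `and`, and like espeak-ruby this file lacks the leading `---` and ends with a trailing blank line.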
@@ -0,0 +1,21 @@
|
|
1
|
+
---
|
2
|
+
gem: git-fastclone
|
3
|
+
cve: 2015-8968
|
4
|
+
url: https://hackerone.com/reports/104465
|
5
|
+
title: git-fastclone permits arbitrary shell command execution from .gitmodules
|
6
|
+
date: 2015-12-11
|
7
|
+
description: |
|
8
|
+
Git allows executing arbitrary shell commands using git-remote-ext via a
|
9
|
+
remote URLs. Normally git never requests URLs that the user doesn't
|
10
|
+
specifically request, so this is not a serious security concern. However,
|
11
|
+
submodules did allow the remote repository to specify what URL to clone
|
12
|
+
from.
|
13
|
+
|
14
|
+
If an attacker can instruct a user to run a recursive clone from a
|
15
|
+
repository they control, they can get a client to run an arbitrary shell
|
16
|
+
command. Alternately, if an attacker can MITM an unencrypted git clone,
|
17
|
+
they could exploit this. The ext command will be run if the repository is
|
18
|
+
recursively cloned or if submodules are updated. This attack works when
|
19
|
+
cloning both local and remote repositories.
|
20
|
+
patched_versions:
|
21
|
+
- ">= 1.0.1"
|
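Review bot: the description never mentions git-fastclone; lines 8 to 19 describe git's own `git-remote-ext` and submodule behaviour, so a reader cannot tell from the entry what the gem did that exposed its users or what `>= 1.0.1` changed. Please add a sentence tying the issue to the gem, with the hackerone report as the source. Grammar at lines 8 and 9: `via a remote URLs` should be `via remote URLs`.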
@@ -0,0 +1,13 @@
|
|
1
|
+
---
|
2
|
+
gem: git-fastclone
|
3
|
+
cve: 2015-8969
|
4
|
+
url: https://hackerone.com/reports/105190
|
5
|
+
title: git-fastclone Shell Metacharacter Injection Arbitrary Command Execution
|
6
|
+
date: 2015-12-15
|
7
|
+
description: |
|
8
|
+
git-fastclone before 1.0.5 passes user modifiable strings directly to a shell
|
9
|
+
command. An attacker can execute malicious commands by modifying the strings
|
10
|
+
that are passed as arguments to "cd " and "git clone " commands in the
|
11
|
+
library.
|
12
|
+
patched_versions:
|
13
|
+
- ">= 1.0.5"
|
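Review bot: line 8 already states `before 1.0.5`, which duplicates `patched_versions: ">= 1.0.5"`; harmless now, but the two can drift apart if the range is ever widened, so prefer keeping the version fact in the structured field only. The quoted command names `"cd "` and `"git clone "` at line 10 carry trailing spaces inside the quotes, which looks like a copy artefact.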
@@ -1,19 +1,26 @@
|
|
1
1
|
---
|
2
2
|
gem: mail
|
3
|
+
cve: 2015-9097
|
3
4
|
osvdb: 131677
|
4
|
-
url:
|
5
|
-
title:
|
5
|
+
url: https://hackerone.com/reports/137631
|
6
|
+
title: SMTP command injection
|
6
7
|
date: 2015-12-09
|
7
8
|
description: |
|
8
|
-
Because
|
9
|
-
|
10
|
-
|
9
|
+
Because Mail does not disallow CRLF in email addresses, an attacker can
|
10
|
+
inject SMTP commands in specially crafted email addresses passed to
|
11
|
+
RCPT TO and MAIL FROM.
|
11
12
|
|
12
|
-
|
13
|
-
|
13
|
+
Not affected by this vulnerability:
|
14
|
+
* Ruby 2.4.0+ with a fix for CVE-2015-9096.
|
15
|
+
* Applications that do not use SMTP delivery.
|
16
|
+
* Applications that validate email addresses to not include CRLF.
|
14
17
|
|
15
|
-
The
|
16
|
-
Recipient Email Addresses." 2015. The attacks described in the paper
|
17
|
-
p. 4) can be applied to the library without any modification.
|
18
|
+
The injection attack is described in Terada, Takeshi. "SMTP Injection via
|
19
|
+
Recipient Email Addresses." 2015. The attacks described in the paper
|
20
|
+
(Terada, p. 4) can be applied to the library without any modification.
|
18
21
|
patched_versions:
|
19
|
-
- ">= 2.
|
22
|
+
- ">= 2.5.5"
|
23
|
+
related:
|
24
|
+
url:
|
25
|
+
- http://www.mbsd.jp/Whitepaper/smtpi.pdf
|
26
|
+
- https://github.com/mikel/mail/pull/1097
|
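Review bot: a CVE is now assigned (`cve: 2015-9097`) but the file keeps its `OSVDB-131677.yml` name; the RedCloth entry in this same release was renamed from `OSVDB-115941.yml` to `CVE-2012-6684.yml`, so for consistency this one should become `mail/CVE-2015-9097.yml` while keeping the `osvdb: 131677` field. Separately, the description says Ruby 2.4.0+ with a fix for CVE-2015-9096 is not affected, but `patched_versions: ">= 2.5.5"` cannot express a Ruby-version condition, so users on a fixed Ruby with an older mail gem will still get a finding; a sentence in the description acknowledging that case would save them a confused bug report.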