RubyGems - bundler-audit - Versions diffs - 0.5.0 → 0.8.0.rc1 - Mend

bundler-audit 0.5.0 → 0.8.0.rc1

Files changed (398) hide show

data/data/ruby-advisory-db/gems/devise/CVE-2015-8314.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: devise
-cve: 2015-8314
-url: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
-title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
-date: 2016-01-18
-description: |
-  Devise version before 3.5.4 uses cookies to implement a "Remember me"
-  functionality. However, it generates the same cookie for all devices. If an
-  attacker manages to steal a remember me cookie and the user does not change
-  the password frequently, the cookie can be used to gain access to the
-  application indefinitely.
-patched_versions:
-  - ">= 3.5.4"

data/data/ruby-advisory-db/gems/devise/OSVDB-114435.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: devise
-osvdb: 114435
-url: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
-title: CSRF token fixation attacks in Devise
-date: 2013-08-02
-description: |
-  Devise contains a flaw that allows a remote, user-assisted attacker to
-  conduct a CSRF token fixation attack. This issue is triggered as previous
-  CSRF tokens are not properly invalidated when a new token is created.
-  If an attacker has knowledge of said token, a specially crafted request can
-  be made to it, allowing the attacker to conduct CSRF attacks.
-patched_versions:
-  - ~> 2.2.5
-  - ">= 3.0.1"

data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: devise
-cve: 2013-0233
-osvdb: 89642
-url: http://osvdb.org/show/osvdb/89642
-title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
-date: 2013-01-28
-description: |
-  Devise contains a flaw that is triggered during when a type conversion error
-  occurs during the parsing of a malformed request. With a specially crafted
-  request, a remote attacker can bypass security restrictions.
-cvss_v2: 6.8
-patched_versions:
-  - ~> 1.5.4
-  - ~> 2.0.5
-  - ~> 2.1.3
-  - ">= 2.2.3"

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2014-8144.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: doorkeeper
-cve: 2014-8144
-osvdb: 116010
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw
-title: |
-  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
-  and earlier.
-date: 2014-12-18
-description: |
-  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
-  and earlier allows remote attackers to hijack the user's OAuth
-  autorization code. This vulnerability has been assigned the CVE
-  identifier CVE-2014-8144.
-  Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
-  on the Internet can then read a user's authorization code with
-  arbitrary scope from any Doorkeeper-compatible Rails app you are
-  logged in.
-cvss_v2: 6.8
-patched_versions:
-  - ~> 1.4.1
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/doorkeeper/OSVDB-118830.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: doorkeeper
-osvdb: 118830
-url: http://www.osvdb.org/show/osvdb/118830
-title: |
-  Doorkeeper Gem for Ruby stores sensitive information
-  in production logs
-date: 2015-02-10
-description: |
-  Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb.
-  The issue is due to the program storing sensitive information in
-  production logs. This may allow a local attacker to gain access to
-  sensitive information.
-cvss_v2:
-patched_versions:
-  - "~> 1.4.2"
-  - ">= 2.1.2"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-110439.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: dragonfly
-osvdb: 110439
-url: http://osvdb.org/show/osvdb/110439
-title: Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution
-date: 2014-08-25
-description: |
-  Dragonfly Gem for Ruby contains a flaw in Uploading & Processing that is due
-  to the gem failing to restrict arbitrary commands to imagemagicks convert.
-  This may allow a remote attacker to gain read/write access to the filesystem
-  and execute arbitrary commands.
-patched_versions:
-  - ">= 1.0.7"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: dragonfly
-cve: 2013-1756
-osvdb: 90647
-url: http://www.osvdb.org/show/osvdb/90647
-title: Dragonfly Gem for Ruby Crafted Request Parsing Remote Code Execution
-date: 2013-02-19
-description: |
-  Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing
-  of a specially crafted request. This may allow a remote attacker to execute
-  arbitrary code.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.9.13"
-unaffected_versions:
-  - "< 0.7.0"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-96798.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: dragonfly
-cve: 2013-5671
-osvdb: 96798
-url: http://osvdb.org/show/osvdb/96798
-title: fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution
-date: 2013-09-03
-description: |
-  fog-dragonfly Gem for Ruby contains a flaw that is due to the program
-  failing to properly sanitize input passed via the imagemagickutils.rb script.
-  This may allow a remote attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.8.4"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-97854.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: dragonfly
-osvdb: 97854
-url: http://osvdb.org/show/osvdb/97854
-title: Dragonfly Gem for Ruby on Windows Shell Escaping Weakness
-date: 2011-09-01
-description: |
-  Dragonfly Gem for Ruby contains a flaw that is due to the program failing to
-  properly escape a shell that contains injected characters. This may allow a
-  context-dependent attacker to potentially execute arbitrary commands.
-patched_versions:
-  - ">= 0.9.6"

data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: echor
-cve: 2014-1834
-osvdb: 102129
-url: http://osvdb.org/show/osvdb/102129
-title: echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command Execution
-date: 2014-01-14
-description: |
-  Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request
-  function that is triggered when a semi-colon (;) is injected into a username
-  or password. This may allow a context-dependent attacker to inject arbitrary
-  commands if the gem is used in a rails application.

data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: echor
-cve: 2014-1835
-osvdb: 102130
-url: http://osvdb.org/show/osvdb/102130
-title: echor Gem for Ruby Process Listing Local Plaintext Credential Disclosure
-date: 2014-01-14
-description: |
-  echor Gem for Ruby contains a flaw that is due to the program exposing
-  credential information in the system process listing. This may allow a local
-  attacker to gain access to plaintext credential information.

data/data/ruby-advisory-db/gems/ember-source/CVE-2013-4170.yml DELETED

@@ -1,25 +0,0 @@
----
-gem: ember-source
-cve: 2013-4170
-url: https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM
-title: |
-  Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data
-date: 2013-07-25
-description: |
-  In general, Ember.js escapes or strips any user-supplied content
-  before inserting it in strings that will be sent to innerHTML.
-  However, the `tagName` property of an `Ember.View` was inserted into
-  such a string without being sanitized. This means that if an
-  application assigns a view's `tagName` to user-supplied data, a
-  specially-crafted payload could execute arbitrary JavaScript in the
-  context of the current domain ("XSS").
-  This vulnerability only affects applications that assign or bind
-  user-provided content to `tagName`.
-patched_versions:
-  - ~> 1.0.0.rc1.1
-  - ~> 1.0.0.rc2.1
-  - ~> 1.0.0.rc3.1
-  - ~> 1.0.0.rc4.1
-  - ~> 1.0.0.rc5.1
-  - ">= 1.0.0.rc6.1"

data/data/ruby-advisory-db/gems/ember-source/CVE-2014-0013.yml DELETED

@@ -1,33 +0,0 @@
----
-gem: ember-source
-cve: 2014-0013
-url: https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4
-title: |
-  Ember.js Potential XSS Exploit With User-Supplied Data When Binding
-  Primitive Values
-date: 2014-01-14
-description: |
-  In general, Ember.js escapes or strips any user-supplied content before
-  inserting it in strings that will be sent to innerHTML.  However, we have
-  identified a vulnerability that could lead to unescaped content being inserted
-  into the innerHTML string without being sanitized.
-  When a primitive value is used as the Handlebars context, that value is not
-  properly escaped.  An example of this would be using the `{{each}}` helper to
-  iterate over an array of user-supplied strings and using `{{this}}` inside the
-  block to display each string.
-  In applications that contain templates whose context is a primitive value and
-  use the `{{this}}` keyword to display that value, a specially-crafted payload
-  could execute arbitrary JavaScript in the context of the current domain
-  ("XSS").
-  This vulnerability affects applications that contain templates whose context is
-  set to a user-supplied primitive value (such as a string or number) and also
-  contain the `{{this}}` special Handlebars variable to display the value.
-patched_versions:
-  - ~> 1.0.1
-  - ~> 1.1.3
-  - ~> 1.2.1
-  - ~> 1.3.1
-  - ">= 1.4.0.beta.2"

data/data/ruby-advisory-db/gems/ember-source/CVE-2014-0014.yml DELETED

@@ -1,30 +0,0 @@
----
-gem: ember-source
-cve: 2014-0014
-url: https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4
-title: |
-  Ember.js Potential XSS Exploit With User-Supplied Data When Using {{group}}
-  Helper
-date: 2014-01-14
-description: |
-  In general, Ember.js escapes or strips any user-supplied content before
-  inserting it in strings that will be sent to innerHTML.  However, we have
-  identified a vulnerability that could lead to unescaped content being inserted
-  into the innerHTML string without being sanitized.
-  When using the `{{group}}` helper, user supplied content in the template was not
-  being sanitized. Though the vulnerability exists in Ember.js proper, it is only
-  exposed via the use of an experimental plugin.
-  In applications that use the `{{group}}` helper, a specially-crafted payload
-  could execute arbitrary JavaScript in the context of the current domain
-  ("XSS").
-  This vulnerability only affects applications that use the `{{group}}` helper
-  to display user-provided content.
-patched_versions:
-  - ~> 1.0.1
-  - ~> 1.1.3
-  - ~> 1.2.1
-  - ~> 1.3.1
-  - ">= 1.4.0.beta.2"

data/data/ruby-advisory-db/gems/ember-source/CVE-2014-0046.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: ember-source
-cve: 2014-0046
-url: https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ
-title: Ember.js XSS Vulnerability With {{link-to}} Helper in Non-block Form
-date: 2014-02-07
-description: |
-  In general, Ember.js escapes or strips any user-supplied content before
-  inserting it in strings that will be sent to innerHTML.  However, a change made
-  to the implementation of the {{link-to}} helper means that any user-supplied
-  data bound to the {{link-to}} helper's title attribute will not be escaped
-  correctly.
-  In applications that use the {{link-to}} helper in non-block form and bind
-  the title attribute to user-supplied content, a specially-crafted payload
-  could execute arbitrary JavaScript in the context of the current domain
-  ("XSS").
-  All users running an affected release and binding user-supplied data to the
-  {{link-to}} helper's title attribute should either upgrade or use one of the
-  workarounds immediately.
-patched_versions:
-  - ~> 1.2.2
-  - ">= 1.3.2"
-unaffected_versions:
-  - "< 1.2.0"

data/data/ruby-advisory-db/gems/ember-source/CVE-2015-1866.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: ember-source
-cve: 2015-1866
-url: https://groups.google.com/forum/#!topic/ember-security/nbntfs2EbRU
-title: Ember.js XSS Vulnerability With {{view "select"}} Options
-date: 2015-04-14
-description: |
-  In general, Ember.js escapes or strips any user-supplied content before
-  inserting it in strings that will be sent to innerHTML.  However, a
-  change made to the implementation of the select view means that any
-  user-supplied data bound to an option's label will not be escaped
-  correctly.
-  In applications that use Ember's select view and pass user-supplied
-  content to the label, a specially-crafted payload could execute
-  arbitrary JavaScript in the context of the current domain ("XSS").
-  All users running an affected release and binding user-supplied data to
-  the select options should either upgrade or use one of the workarounds
-  immediately.
-patched_versions:
-  - ~> 1.10.1
-  - ~> 1.11.2
-  - ">= 1.12.0"
-unaffected_versions:
-  - "< 1.10.0"

data/data/ruby-advisory-db/gems/ember-source/CVE-2015-7565.yml DELETED

@@ -1,30 +0,0 @@
----
-gem: ember-source
-cve: 2015-7565
-url: https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY
-title: Ember.js XSS Vulnerability with User-Supplied JSON
-date: 2016-01-14
-description: |
-  By default, Ember will escape any values in Handlebars templates that
-  use double curlies (`{{value}}`). Developers can specifically opt out of
-  this escaping behavior by passing an instance of `SafeString` rather
-  than a raw string, which tells Ember that it should not escape the
-  string because the developer has taken responsibility for escapement.
-  It is possible for an attacker to create a specially-crafted payload
-  that causes a non-sanitized string to be treated as a `SafeString`, and
-  thus bypass Ember's normal escaping behavior. This could allow an
-  attacker to execute arbitrary JavaScript in the context of the current
-  domain ("XSS").
-  All users running an affected release should either upgrade or use of
-  the workarounds immediately.
-patched_versions:
-  - ~> 1.11.4
-  - ~> 1.12.2
-  - ~> 1.13.12
-  - ~> 2.0.3
-  - ~> 2.1.2
-  - ">= 2.2.1"
-unaffected_versions:
-  - "< 1.8.0"

data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: enum_column3
-osvdb: 94679
-url: http://osvdb.org/show/osvdb/94679
-title: enum_column3 Gem for Ruby Symbol Creation Remote DoS
-date: 2013-06-26
-description: The enum_column3 Gem for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: extlib
-cve: 2013-1802
-osvdb: 90740
-url: http://osvdb.org/show/osvdb/90740
-title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-date: 2013-01-08
-description: |
-  extlib Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 0.9.16"

data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: fastreader
-cve: 2013-2615
-osvdb: 91232
-url: http://osvdb.org/show/osvdb/91232
-title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-13
-description: |
-  fastreader Gem for Ruby contains a flaw that is triggered during the handling
-  of specially crafted input passed via a URL that contains a ';' character.
-  This may allow a context-dependent attacker to potentially execute arbitrary
-  commands.
-cvss_v2: 9.3

data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101445.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: fat_free_crm
-osvdb: 101445
-cve: 2013-7222
-url: http://osvdb.org/show/osvdb/101445
-title: Fat Free CRM Gem for Ruby lack of support for cycling the Rails
-  session secret
-date: 2013-12-24
-description: |
-  Fat Free CRM contains a flaw that is due to the application defining a static
-  security session token in config/initialiers/secret_token.rb. If a remote
-  attacker has explicit knowledge of this token, they can potentially execute
-  arbitrary code.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.13.0"
-  - "~> 0.12.1"

data/data/ruby-advisory-db/gems/fat_free_crm/OSVDB-101446.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: fat_free_crm
-osvdb: 101446
-cve: 2013-7223
-url: http://osvdb.org/show/osvdb/101446
-title: Fat Free CRM Gem for Ruby contains multiple cross-site request forgery
-  (CSRF) vulnerabilities
-date: 2013-12-24
-description: |
-  Fat Free CRM contains a flaw as the application is missing the protect_from_forgery
-  statement, therefore HTTP requests to app/controllers/application_controller.rb
-  do not require multiple steps, explicit confirmation, or a unique token when
-  performing certain sensitive actions. By tricking a user into following a specially
-  crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery
-  (CSRF / XSRF) attack causing the victim to perform unspecified actions.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 0.13.0"
-  - "~> 0.12.1"