RubyGems - bundler-audit - Versions diffs - 0.6.0 → 0.8.0.rc2 - Mend

bundler-audit 0.6.0 → 0.8.0.rc2

Files changed (427) hide show

data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml DELETED Viewed

@@ -1,73 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2016-6317
-date: 2016-08-11
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
-title: Unsafe Query Generation Risk in Active Record
-description: |
-  There is a vulnerability when Active Record is used in conjunction with JSON
-  parameter parsing. This vulnerability is similar to CVE-2012-2660,
-  CVE-2012-2694 and CVE-2013-0155.
-  Impact
-  ------
-  Due to the way Active Record interprets parameters in combination with the way
-  that JSON parameters are parsed, it is possible for an attacker to issue
-  unexpected database queries with "IS NULL" or empty where clauses.  This issue
-  does *not* let an attacker insert arbitrary values into an SQL query, however
-  they can cause the query to check for NULL or eliminate a WHERE clause when
-  most users wouldn't expect it.
-  For example, a system has password reset with token functionality:
-  ```ruby
-      unless params[:token].nil?
-        user = User.find_by_token(params[:token])
-        user.reset_password!
-      end
-  ```
-  An attacker can craft a request such that `params[:token]` will return
-  `[nil]`.  The `[nil]` value will bypass the test for nil, but will still add
-  an "IN ('xyz', NULL)" clause to the SQL query.
-  Similarly, an attacker can craft a request such that `params[:token]` will
-  return an empty hash.  An empty hash will eliminate the WHERE clause of the
-  query, but can bypass the `nil?` check.
-  Note that this impacts not only dynamic finders (`find_by_*`) but also
-  relations (`User.where(:name => params[:name])`).
-  All users running an affected release should either upgrade or use one of the
-  work arounds immediately. All users running an affected release should upgrade
-  immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
-  CVE-2012-2694, and CVE-2013-0155.  Even if you upgraded to address those
-  issues, you must take action again.
-  If this chance in behavior impacts your application, you can manually decode
-  the original values from the request like so:
-      `ActiveSupport::JSON.decode(request.body)`
-  Workarounds
-  -----------
-  This problem can be mitigated by casting the parameter to a string before
-  passing it to Active Record.  For example:
-    ```ruby
-      unless params[:token].nil? || params[:token].to_s.empty?
-        user = User.find_by_token(params[:token].to_s)
-        user.reset_password!
-      end
-    ```
-unaffected_versions:
-  - "< 4.2.0"
-  - ">= 5.0.0"
-patched_versions:
-  - ">= 4.2.7.1"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-0080
-osvdb: 103438
-url: http://osvdb.org/show/osvdb/103438
-title: Data Injection Vulnerability in Active Record
-date: 2014-02-18
-description: |
-  Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb
-  in Active Record. This issue may allow a remote attacker to inject data
-  into PostgreSQL array columns via a specially crafted string.
-cvss_v2:
-unaffected_versions:
-  - "< 3.2.0"
-  - ~> 3.2.0
-patched_versions:
-  - ~> 4.0.3
-  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-108664.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-3482
-osvdb: 108664
-url: http://osvdb.org/show/osvdb/108664
-title: SQL Injection Vulnerability in Active Record
-date: 2014-07-02
-description: |
-  Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack.
-  The issue is due to the PostgreSQL adapter for Active Record not properly
-  sanitizing user-supplied input when quoting bitstring. This may allow a remote
-  attacker to inject or manipulate SQL queries in the back-end database,
-  allowing for the manipulation or disclosure of arbitrary data.
-cvss_v2:
-unaffected_versions:
-  - ">= 4.0.0"
-patched_versions:
-  - ~> 3.2.19

data/data/ruby-advisory-db/gems/activerecord/OSVDB-108665.yml DELETED Viewed

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-3483
-osvdb: 108665
-url: http://osvdb.org/show/osvdb/108665
-title: SQL Injection Vulnerability in Active Record
-date: 2014-07-02
-description: |
-  Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack.
-  The issue is due to the PostgreSQL adapter for Active Record not properly
-  sanitizing user-supplied input when quoting ranges. This may allow a remote
-  attacker to inject or manipulate SQL queries in the back-end database,
-  allowing for the manipulation or disclosure of arbitrary data.
-cvss_v2:
-unaffected_versions:
-  - "< 4.0.0"
-patched_versions:
-  - ~> 4.0.7
-  - ">= 4.1.3"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml DELETED Viewed

@@ -1,25 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-2661
-osvdb: 82403
-url: http://www.osvdb.org/show/osvdb/82403
-title: Ruby on Rails where Method ActiveRecord Class SQL Injection
-date: 2012-05-31
-description: |
-  Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out
-  an SQL injection attack. The issue is due to the ActiveRecord class not
-  properly sanitizing user-supplied input to the 'where' method. This may
-  allow an attacker to inject or manipulate SQL queries in an application
-  built on RoR, allowing for the manipulation or disclosure of arbitrary data.
-cvss_v2: 5.0
-unaffected_versions:
-  - ~> 2.3.14
-patched_versions:
-  - ~> 3.0.13
-  - ~> 3.1.5
-  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml DELETED Viewed

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-2660
-osvdb: 82610
-url: http://www.osvdb.org/show/osvdb/82610
-title:
-  Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
-  Arbitrary IS NULL Clause Injection
-date: 2012-05-31
-description: |
-  Ruby on Rails contains a flaw related to the way ActiveRecord handles
-  parameters in conjunction with the way Rack parses query parameters.
-  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses in
-  to application SQL queries. This may also allow an attacker to have the
-  SQL query check for NULL in arbitrary places.
-cvss_v2: 7.5
-patched_versions:
-  - ~> 3.0.13
-  - ~> 3.1.5
-  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-88661.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-6496
-osvdb: 88661
-url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
-title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
-date: 2012-12-22
-description: |
-  Due to the way dynamic finders in Active Record extract options from method
-  parameters, a method parameter can mistakenly be used as a scope.  Carefully
-  crafted requests can use the scope to inject arbitrary SQL.
-cvss_v2: 6.4
-patched_versions:
-  - ~> 3.0.18
-  - ~> 3.1.9
-  - ">= 3.2.10"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml DELETED Viewed

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0155
-osvdb: 89025
-url: http://osvdb.org/show/osvdb/89025
-title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-date: 2013-01-08
-description: |
-  Ruby on Rails contains a flaw in the Active Record. The issue is due to an
-  error with the way the Active Record handles parameters combined with an
-  error during the parsing of the JSON parameters. This may allow a remote
-  attacker to bypass restrictions abd issue unexpected database queries with
-  "IS NULL" or empty where clauses, and forcing the query to unexpectedly check
-  for NULL or eliminate a WHERE clause.
-cvss_v2: 10.0
-patched_versions:
-  - ~> 2.3.16
-  - ~> 3.0.19
-  - ~> 3.1.10
-  - ">= 3.2.11"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0276
-osvdb: 90072
-url: http://osvdb.org/show/osvdb/90072
-title: Ruby on Rails Active Record attr_protected Method Bypass
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw in the attr_protected method of the
-  Active Record. The issue is triggered during the handling of a specially
-  crafted request, which may allow a remote attacker to bypass protection
-  mechanisms and alter values that would otherwise be protected.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 2.3.17"
-  - "~> 3.1.11"
-  - ">= 3.2.12"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0277
-osvdb: 90073
-url: http://osvdb.org/show/osvdb/90073
-title: |
-  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
-  Code Execution
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
-  The issue is triggered when the system is configured to allow users to
-  directly provide values to be serialized and deserialized using YAML.
-  With a specially crafted YAML attribute, a remote attacker can deserialize
-  arbitrary YAML and execute code associated with it.
-cvss_v2: 10.0
-patched_versions:
-  - "~> 2.3.17"
-  - ">= 3.1.0"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-1854
-osvdb: 91453
-url: http://osvdb.org/show/osvdb/91453
-title: Symbol DoS vulnerability in Active Record
-date: 2013-03-19
-description: |
-  When a hash is provided as the find value for a query, the keys of
-  the hash may be converted to symbols. Carefully crafted requests can
-  coerce `params[:name]` to return a hash, and the keys to that hash
-  may be converted to symbols. Ruby symbols are not garbage collected,
-  so an attacker can initiate a denial of service attack by creating a
-  large number of symbols.
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 3.0.0
-patched_versions:
-  - ~> 2.3.18
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activeresource
-osvdb: 95749
-url: http://osvdb.org/show/osvdb/95749
-title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
-date: 2008-08-15
-description: |
-  activeresource contains a format string flaw in the request function of
-  lib/active_resource/connection.rb. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
-  when passed via the 'result.code' and 'result.message' variables. This may
-  allow a remote attacker to cause a denial of service or potentially execute
-  arbitrary code.
-patched_versions:
-  - ">= 2.2.0"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml DELETED Viewed

@@ -1,54 +0,0 @@
----
-gem: activesupport
-cve: 2015-3226
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
-title: |
-  XSS Vulnerability in ActiveSupport::JSON.encode
-date: 2015-06-16
-description: |
-  When a `Hash` containing user-controlled data is encode as JSON (either through
-  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
-  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
-  option (which is enabled by default). If this resulting JSON string is subsequently
-  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
-  For example, the following code snippet is vulnerable to this attack:
-      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
-  Similarly, the following is also vulnerable:
-      <script>
-        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
-      </script>
-  All applications that renders JSON-encoded strings that contains user-controlled
-  data in their views should either upgrade to one of the FIXED versions or use
-  the suggested workaround immediately.
-  Workarounds
-  -----------
-  To work around this problem add an initializer with the following code:
-    module ActiveSupport
-      module JSON
-        module Encoding
-          private
-          class EscapedString
-            def to_s
-              self
-            end
-          end
-        end
-      end
-    end
-unaffected_versions:
-  - "< 4.1.0"
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml DELETED Viewed

@@ -1,32 +0,0 @@
----
-gem: activesupport
-cve: 2015-3227
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
-title: |
-  Possible Denial of Service attack in Active Support
-date: 2015-06-16
-description: |
-  Specially crafted XML documents can cause applications to raise a
-  `SystemStackError` and potentially cause a denial of service attack.  This
-  only impacts applications using REXML or JDOM as their XML processor.  Other
-  XML processors that Rails supports are not impacted.
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  Workarounds
-  -----------
-  Use an XML parser that is not impacted by this problem, such as Nokogiri or
-  LibXML.  You can change the processor like this:
-    ActiveSupport::XmlMini.backend = 'Nokogiri'
-  If you cannot change XML parsers, then adjust
-  `RUBY_THREAD_MACHINE_STACK_SIZE`.
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"
-  - "~> 3.2.22"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-1098
-osvdb: 79726
-url: http://osvdb.org/79726
-title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
-date: 2012-03-01
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because athe application does not validate direct
-  manipulations of SafeBuffer objects via '[]' and other methods. This may
-  allow a user to create a specially crafted request that would execute
-  arbitrary script code in a user's browser within the trust relationship
-  between their browser and the server.
-cvss_v2: 4.3
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.0.12
-  - ~> 3.1.4
-  - ">= 3.2.2"