RubyGems - bundler-audit - Versions diffs - 0.6.0 → 0.8.0.rc2 - Mend

bundler-audit 0.6.0 → 0.8.0.rc2

Files changed (427) hide show

data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: rubyzip
-cve: 2017-5946
-url: https://github.com/rubyzip/rubyzip/issues/315
-title: Directory traversal vulnerability in rubyzip
-date: 2017-02-27
-description: |
-  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory
-  traversal vulnerability. If a site allows uploading of .zip files, an attacker
-  can upload a malicious file that uses "../" pathname substrings to write arbitrary
-  files to the filesystem.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.2.1"

data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: safemode
-cve: 2016-3693
-title: Safemode Gem for Ruby is vulnerable to information disclosure
-date: 2016-04-20
-url: http://seclists.org/oss-sec/2016/q2/119
-description: |
-  Safemode is initialised with an optional 'delegate' object.
-  If the delegated object is a Rails controller, 'inspect' could
-  be called which then exposes all informations about the App,
-  including routes, secret tokens, caches and so on.
-patched_versions:
-  - ">= 1.2.4"

data/data/ruby-advisory-db/gems/screen_capture/OSVDB-107783.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: screen_capture
-osvdb: 107783
-url: http://osvdb.org/show/osvdb/107783
-title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command Execution
-date: 2014-06-07
-description: Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that is triggered when handling input passed via the URL. This may allow a context-dependent attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/sentry-raven/OSVDB-115654.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sentry-raven
-cve: 2014-9490
-osvdb: 115654
-url: http://osvdb.org/show/osvdb/115654
-title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
-date: 2014-12-08
-description: Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script
-  that is triggered when large numeric values are stored as an exponent or in
-  scientific notation. With a specially crafted request, an attacker can cause
-  the software to consume excessive resources resulting in a denial of service.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.12.2"

data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: sfpagent
-cve: 2014-2888
-osvdb: 105971
-url: http://www.osvdb.org/show/osvdb/105971
-title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
-date: 2014-04-16
-description: |
-  sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
-  input is not properly sanitized when handling module names with shell
-  metacharacters. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/show_in_browser/OSVDB-93490.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: show_in_browser
-cve: 2013-2105
-osvdb: 93490
-url: http://osvdb.org/show/osvdb/93490
-title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
-date: 2013-05-17
-description: Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user's browser.

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126329.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126329
-url: https://github.com/mperham/sidekiq/commit/a695ff347ae50f641dfc35189131b232ea0aa1db
-title: |
-  Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements
-  Reflected XSS
-date: 2015-05-11
-description: |
-  XSS via batch failure error_class and error_message in Sidekiq::Web
-patched_versions:
-  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126330.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126330
-url: https://github.com/mperham/sidekiq/commit/99b12fb50fe244c5a317f03f1bed9b333ec56ebe
-title: |
-  Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS
-date: 2014-10-13
-description: XSS via batch description in Sidekiq::Web
-patched_versions:
-  - ">= 1.9.1"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126331.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126331
-url: https://github.com/mperham/sidekiq/commit/651400ed8f237118346895c99dc28ca94f3169d3
-title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering
-date: 2015-07-17
-description: |
-  Sidekiq::Web job filtering lacks CSRF protection. This issue
-  is related to OSVDB-125675.
-patched_versions:
-  - ">= 2.0.6"
-related:
-  osvdb:
-    - 125675

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125675.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: sidekiq
-osvdb: 125675
-url: https://github.com/mperham/sidekiq/pull/2422
-title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
-date: 2015-07-06
-description: Sidekiq::Web lacks CSRF protection
-patched_versions:
-  - ">= 3.4.2"

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125676.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sidekiq
-osvdb: 125676
-url: https://github.com/mperham/sidekiq/issues/2330
-title: |
-  Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element
-  Reflected XSS
-date: 2015-06-04
-description: XSS via queue name in Sidekiq::Web
-patched_versions:
-  - ">= 3.4.0"
-related:
-  osvdb:
-    - 125677

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125678.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: sidekiq
-osvdb: 125678
-url: https://github.com/mperham/sidekiq/pull/2309
-title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
-date: 2015-04-21
-description: XSS via job arguments display class in Sidekiq::Web
-patched_versions:
-  - ">= 3.4.0"

data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sounder
-cve: 2013-5647
-osvdb: 96278
-url: http://www.osvdb.org/show/osvdb/96278
-title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
-date: 2013-08-14
-description: |
-  Sounder Gem for Ruby contains a flaw that is triggered during the handling
-  of file names. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.0.2"

data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spina
-cve: 2015-4619
-title: Cross-site request forgery (CSRF) vulnerability in Spina gem
-date: 2015-06-16
-url: http://www.openwall.com/lists/oss-security/2015/06/16/11
-description: >-
-  `Spina::ApplicationController` actions didn't have CSRF
-  protection. This causes a CSRF vulnerability across the
-  entire engine which includes administrative functionality
-  such as creating users, changing passwords,
-  and media management.
-patched_versions:
-  - ">= 0.6.29"

data/data/ruby-advisory-db/gems/spree/OSVDB-119205.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: spree
-osvdb: 119205
-url: https://spreecommerce.com/blog/security-updates-2015-3-3
-title: Spree API Information Disclosure CSRF
-date: 2015-03-05
-description: |
-  Spree contains a flaw in the API as HTTP requests do not require multiple
-  steps, explicit confirmation, or a unique token when performing certain
-  sensitive actions. By tricking a user into following a specially crafted
-  link, a context-dependent attacker can perform a Cross-Site Request Forgery
-  (CSRF / XSRF) attack causing the victim to disclose potentially sensitive
-  information to attackers.
-patched_versions:
-  - ~> 2.2.10
-  - ~> 2.3.8
-  - ~> 2.4.5
-  - ">= 3.0.0.rc4"

data/data/ruby-advisory-db/gems/spree/OSVDB-125699.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: spree
-osvdb: 125699
-url: https://spreecommerce.com/blog/security-updates-2015-7-28
-title: |
-  Spree RABL templates rendering allows Arbitrary Code Execution and File
-  Disclosure
-date: 2015-07-28
-description: |
-  Spree contains a flaw where the rendering of arbitrary RABL templates allows
-  for execution arbitrary files on the host system, as well as disclosing the
-  existence of files on the system. This is a different issue than
-  OSVDB-125701.
-patched_versions:
-  - ~> 2.2.13
-  - ~> 2.3.12
-  - ~> 2.4.9
-  - ">= 3.0.3"

data/data/ruby-advisory-db/gems/spree/OSVDB-125701.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-osvdb: 125701
-url: https://spreecommerce.com/blog/security-updates-2015-7-20
-title: |
-  Spree RABL templates rendering allows Arbitrary Code Execution and File
-  Disclosure
-date: 2015-07-20
-description: |
-  Spree contains a flaw where the rendering of arbitrary RABL templates allows
-  for execution arbitrary files on the host system, as well as disclosing the
-  existence of files on the system.
-patched_versions:
-  - ~> 2.2.12
-  - ~> 2.3.11
-  - ~> 2.4.8
-  - ">= 3.0.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125712.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spree
-osvdb: 125712
-url: https://spreecommerce.com/blog/security-issue-all-versions
-title: |
-  Product Scopes could allow for unauthenticated remote command execution
-date: 2012-07-02
-description: |
-  Product Scopes could allow for unauthenticated remote command execution.
-  This was corrected by removing conditions_any scope and use ARel query
-  building instead.
-patched_versions:
-  - ~> 0.11.4
-  - ~> 0.70.6
-  - ~> 1.0.5
-  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125713.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: spree
-osvdb: 125713
-url: https://spreecommerce.com/blog/security-issue-all-versions
-title: |
-  Potential XSS vulnerability related to the analytics dashboard
-date: 2012-07-02
-description: |
-  Spree has a flaw in its analytics dashboard where keywords are not escaped,
-  leading to potential XSS.
-patched_versions:
-  - ~> 0.11.4
-  - ~> 0.70.6
-  - ~> 1.0.5
-  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-69098.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: spree
-cve: 2010-3978
-osvdb: 69098
-url: https://spreecommerce.com/blog/json-hijacking-vulnerability
-title: |
-  Spree Multiple Script JSON Request Validation Weakness Remote Information
-  Disclosure
-date: 2010-11-02
-description: |
-  Spree contains a flaw that may lead to an unauthorized information
-  disclosure. The issue is triggered when the application exchanges data using
-  the JSON service without validating requests, which will disclose sensitive
-  user and order information to a context-dependent attacker when a logged-in
-  user visits a crafted website.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 0.11.2
-  - ">= 0.30.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-73751.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: spree
-osvdb: 73751
-url: https://spreecommerce.com/blog/security-fixes
-title: Spree Content Controller Unspecified Arbitrary File Disclosure
-date: 2011-04-19
-description: |
-  Spree Gem for Ruby would allow a user to request a specially crafted URL and
-  expose arbitrary files on the server
-patched_versions:
-  - ">= 0.50.1"

data/data/ruby-advisory-db/gems/spree/OSVDB-76011.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: spree
-osvdb: 76011
-url: https://spreecommerce.com/blog/remote-command-product-group
-title: |
-  Spree Search ProductScope Class search[send][] Parameter Arbitrary Command
-  Execution
-date: 2011-10-05
-description: |
-  The ProductScope class fails to properly sanitize user-supplied input via the
-  'search[send][]' parameter resulting in arbitrary command execution. With a
-  specially crafted request, a remote attacker can potentially cause arbitrary
-  command execution.
-patched_versions:
-  - ">= 0.60.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-81505.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: spree
-cve: 2008-7310
-osvdb: 81505
-url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment
-title: |
-  Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation
-date: 2008-09-22
-description: |
-  Spree contains a hash restriction weakness that occurs when parsing a
-  modified URL. This may allow an attacker to manipulate order state values.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-81506.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spree
-cve: 2008-7311
-osvdb: 81506
-url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store
-title: |
-  Spree Hardcoded config.action_controller_session Hash Value Cryptographic
-  Protection Weakness
-date: 2008-08-12
-description: |
-  Spree contains a hardcoded flaw related to the
-  config.action_controller_session hash value. This may allow an attacker to
-  more easily bypass cryptographic protection.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-90865.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: spree
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.0
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91216
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary
-  Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'promotion_action' parameter to promotion_actions_controller.rb. This may
-  allow a remote authenticated attacker to instantiate arbitrary Ruby objects
-  and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91217
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'payment_method' parameter to payment_methods_controller.rb. This may allow
-  a remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91218
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'calculator_type' parameter to promotions_controller.rb. This may allow a
-  remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"