RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/passenger/{OSVDB-94074.yml → CVE-2013-4136.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: passenger
 cve: 2013-4136
 osvdb: 94074
-url: http://osvdb.org/show/osvdb/94074
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-4136
 title: Phusion Passenger Gem for Ruby Utils.cpp Temporary Directory Creation Symlink Local Privilege Escalation
 date: 2013-06-10
 description: Phusion Passenger Gem for Ruby contains a flaw as the program creates

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1831.yml CHANGED

@@ -2,7 +2,7 @@
 gem: passenger
 cve: 2014-1831
 osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-1831
 title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
 date: 2014-01-28
 description: Phusion Passenger contains a flaw as the program creates the server instance

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1832.yml CHANGED

@@ -2,7 +2,7 @@
 gem: passenger
 cve: 2014-1832
 osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-1832
 title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
 date: 2014-01-29
 description: Phusion Passenger contains a flaw as the program creates the server instance

data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml CHANGED

@@ -3,14 +3,15 @@ gem: passenger
 cve: 2016-10345
 url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
 title:  Predictable tmp File Path Vulnerability in Phusion Passenger
-date: 2017-04-18
+date: 2016-11-09
 description: >-
   In Phusion Passenger before 5.1.0, a known /tmp filename was used during
   passenger-install-nginx-module execution, which could allow local attackers
   to gain the privileges of the passenger user.
-cvss_v3: 5.5
+cvss_v2: 4.6
+cvss_v3: 7.8
 patched_versions:
   - ">= 5.1.0"

data/data/ruby-advisory-db/gems/pdfkit/{OSVDB-90867.yml → CVE-2013-1607.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: pdfkit
 cve: 2013-1607
 osvdb: 90867
-url: http://osvdb.org/show/osvdb/90867
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1607
 title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
 date: 2013-02-21
 description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.

data/data/ruby-advisory-db/gems/point-cli/{OSVDB-108577.yml → CVE-2014-4997.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: point-cli
 cve: 2014-4997
 osvdb: 108577
-url: http://osvdb.org/show/osvdb/108577
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-4997
 title: point-cli Gem for Ruby /lib/commands/setup.rb Process Table Local Plaintext Credential Disclosure
 date: 2014-06-30
 description: point-cli Gem for Ruby contains a flaw in /lib/commands/setup.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/private_address_check/CVE-2017-0904.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: private_address_check
+cve: 2017-0904
+url: https://github.com/jtdowney/private_address_check/issues/1
+title: private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery
+date: 2017-11-07
+description: |
+  The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's
+  Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security
+  measures, such as when used to blacklist private network addresses to prevent server-side
+  request forgery.
+cvss_v2: 6.8
+cvss_v3: 8.1
+patched_versions:
+  - ">= 0.4.0"

data/data/ruby-advisory-db/gems/private_address_check/CVE-2017-0909.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: private_address_check
+cve: 2017-0909
+url: https://github.com/jtdowney/private_address_check/pull/3
+title: private_address_check Ruby Gem Blacklist Bypass privilege escalation
+date: 2017-11-09
+description: |
+  The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete
+  blacklist of common private/local network addresses used to prevent server-side request forgery.
+cvss_v2: 7.5
+cvss_v3: 9.8
+patched_versions:
+  - ">= 0.4.1"

data/data/ruby-advisory-db/gems/private_address_check/CVE-2018-3759.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: private_address_check
+cve: 2018-3759
+url: https://github.com/jtdowney/private_address_check/commit/4068228187db87fea7577f7020099399772bb147
+title: private_address_check Ruby Gem Time-of-check Time-of-use race condition
+date: 2018-05-03
+description: |
+  private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU)
+  race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0
+  can trigger this case where the initial resolution is a public address by the subsequent
+  resolution is a private address.
+patched_versions:
+  - ">= 0.5.0"

data/data/ruby-advisory-db/gems/puma/CVE-2019-16770.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: puma
+cve: 2019-16770
+ghsa: 7xx3-m584-x994
+url: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994
+date: 2019-12-05
+title: Keepalive thread overload/DoS in puma
+description: |
+  A poorly-behaved client could use keepalive requests to monopolize
+  Puma's reactor and create a denial of service attack.
+  If more keepalive connections to Puma are opened than there are
+  threads available, additional connections will wait permanently if
+  the attacker sends requests frequently enough.
+cvss_v3: 8.8
+cvss_v2: 6.8
+patched_versions:
+  - "~> 3.12.2"
+  - ">= 4.3.1"

data/data/ruby-advisory-db/gems/puma/CVE-2020-11076.yml ADDED

@@ -0,0 +1,22 @@
+---
+gem: puma
+cve: 2020-11076
+ghsa: x7jg-6pwg-fx5h
+url: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
+date: 2020-05-22
+title: HTTP Smuggling via Transfer-Encoding Header in Puma
+description: |-
+  ### Impact
+  By using an invalid transfer-encoding header, an attacker could
+  [smuggle an HTTP response.](https://portswigger.net/web-security/request-smuggling)
+  ### Patches
+  The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
+cvss_v3: 7.5
+patched_versions:
+  - "~> 3.12.5"
+  - ">= 4.3.4"

data/data/ruby-advisory-db/gems/puma/CVE-2020-11077.yml ADDED

@@ -0,0 +1,31 @@
+---
+gem: puma
+cve: 2020-11077
+ghsa: w64w-qqph-5gxm
+url: https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm
+date: 2020-05-22
+title: HTTP Smuggling via Transfer-Encoding Header in Puma
+description: |-
+  ### Impact
+  This is a similar but different vulnerability to the one patched in 3.12.5 and 4.3.4.
+  A client could smuggle a request through a proxy, causing the proxy to send a response
+  back to another unknown client.
+  If the proxy uses persistent connections and the client adds another request in via HTTP
+  pipelining, the proxy may mistake it as the first request's body. Puma, however,
+  would see it as two requests, and when processing the second request, send back
+  a response that the proxy does not expect. If the proxy has reused the persistent
+  connection to Puma to send another request for a different client, the second response
+  from the first client will be sent to the second client.
+  ### Patches
+  The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
+cvss_v3: 6.8
+patched_versions:
+- "~> 3.12.6"
+- ">= 4.3.5"

data/data/ruby-advisory-db/gems/puma/CVE-2020-5247.yml ADDED

@@ -0,0 +1,25 @@
+---
+gem: puma
+cve: 2020-5247
+ghsa: 84j7-475p-hp8v
+url: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
+date: 2020-02-27
+title: HTTP Response Splitting vulnerability in puma
+description: |-
+  If an application using Puma allows untrusted input in a response header,
+  an attacker can use newline characters (i.e. CR, LF) to end the header and
+  inject malicious content, such as additional headers or an entirely new
+  response body. This vulnerability is known as HTTP Response Splitting.
+  While not an attack in itself, response splitting is a vector for several
+  other attacks, such as cross-site scripting (XSS).
+cvss_v3: 6.5
+patched_versions:
+  - "~> 3.12.4"
+  - ">= 4.3.3"
+related:
+  cve:
+    - 2019-16254

data/data/ruby-advisory-db/gems/puma/CVE-2020-5249.yml ADDED

@@ -0,0 +1,36 @@
+---
+gem: puma
+cve: 2020-5249
+ghsa: 33vf-4xgg-9r58
+url: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
+date: 2020-03-03
+title: HTTP Response Splitting (Early Hints) in Puma
+description: |-
+  ### Impact
+  If an application using Puma allows untrusted input in an early-hints header,
+  an attacker can use a carriage return character to end the header and inject
+  malicious content, such as additional headers or an entirely new response body.
+  This vulnerability is known as [HTTP Response
+  Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
+  While not an attack in itself, response splitting is a vector for several other
+  attacks, such as cross-site scripting (XSS).
+  This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),
+  which fixed this vulnerability but only for regular responses.
+  ### Patches
+  This has been fixed in 4.3.3 and 3.12.4.
+  ### Workarounds
+  Users can not allow untrusted/user input in the Early Hints response header.
+cvss_v3: 6.5
+patched_versions:
+  - "~> 3.12.4"
+  - ">= 4.3.3"
+related:
+  cve:
+    - 2020-5247

data/data/ruby-advisory-db/gems/rack-cache/{OSVDB-83077.yml → CVE-2012-2671.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack-cache
 cve: 2012-2671
 osvdb: 83077
-url: http://osvdb.org/83077
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2671
 title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
 date: 2012-06-06

data/data/ruby-advisory-db/gems/rack-cors/CVE-2017-11173.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: rack-cors
+cve: 2017-11173
+date: 2015-07-13
+url: https://github.com/cyu/rack-cors/issues/86
+title: rack-cors Gem Missing Anchor permits unauthorized CORS requests
+description: |
+  Missing anchor in generated regex for rack-cors before 0.4.1
+  allows a malicious third-party site to perform CORS requests.
+  If the configuration were intended to allow only the trusted
+  example.com domain name and not the malicious example.net domain name,
+  then example.com.example.net (as well as example.com-example.net) would
+  be inadvertently allowed.
+cvss_v2: 6.8
+patched_versions:
+  - ">= 0.4.1"
+related:
+  url:
+    - https://github.com/cyu/rack-cors/issues/86
+    - http://seclists.org/fulldisclosure/2017/Jul/22

data/data/ruby-advisory-db/gems/rack-cors/CVE-2019-18978.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: rack-cors
+cve: 2019-18978
+ghsa: pf8f-w267-mq2h
+url: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d
+date: 2019-11-15
+title: rack-cors directory traversal via path
+description: |
+  An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem
+  before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources
+  because resource matching does not ensure that pathnames are in a canonical format.
+patched_versions:
+- ">= 1.0.4"

data/data/ruby-advisory-db/gems/rack-protection/CVE-2018-1000119.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: rack-protection
+cve: 2018-1000119
+url: https://github.com/sinatra/rack-protection/pull/98
+date: 2018-03-07
+title: rack-protection gem timing attack vulnerability when validating CSRF token
+description: |
+  Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains
+  a timing attack vulnerability in the CSRF token checking that can result in signatures
+  can be exposed. This attack appear to be exploitable via network connectivity to
+  the ruby application.
+cvss_v3: 5.9
+cvss_v2: 4.3
+patched_versions:
+  - ~> 1.5.5
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/rack-protection/CVE-2018-7212.yml ADDED

@@ -0,0 +1,12 @@
+---
+gem: rack-protection
+cve: 2018-7212
+url: https://github.com/sinatra/sinatra/pull/1379
+title: Path traversal is possible via backslash characters on Windows.
+date: 2018-02-18
+description: |
+  An issue was discovered in rack-protection 2.x before 2.0.1 on Windows. Path traversal
+  is possible via backslash characters.
+patched_versions:
+  - ">= 2.0.1"
+  - "~> 1.5.4"

data/data/ruby-advisory-db/gems/rack-ssl/{OSVDB-104734.yml → CVE-2014-2538.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack-ssl
 cve: 2014-2538
 osvdb: 104734
-url: http://osvdb.org/show/osvdb/104734
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-2538
 title: rack-ssl Gem for Ruby Error Message Reflected XSS
 date: 2013-07-09
 description: rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.

data/data/ruby-advisory-db/gems/rack/{OSVDB-78121.yml → CVE-2011-5036.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack
 cve: 2011-5036
 osvdb: 78121
-url: http://osvdb.org/show/osvdb/78121
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-5036
 title: |
   Rack Hash Collision Form Parameter Parsing Remote DoS
 date: 2011-12-28

data/data/ruby-advisory-db/gems/rack/{OSVDB-89317.yml → CVE-2012-6109.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack
 cve: 2012-6109
 osvdb: 89317
-url: http://osvdb.org/show/osvdb/89317
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-6109
 title: |
   Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS
 date: 2012-05-04

data/data/ruby-advisory-db/gems/rack/{OSVDB-89320.yml → CVE-2013-0183.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack
 cve: 2013-0183
 osvdb: 89320
-url: http://osvdb.org/show/osvdb/89320
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0183
 title: |
   Rack Long String Parsing Memory Consumption Remote DoS
 date: 2013-01-07

data/data/ruby-advisory-db/gems/rack/{OSVDB-89327.yml → CVE-2013-0184.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack
 cve: 2013-0184
 osvdb: 89327
-url: http://osvdb.org/show/osvdb/89327
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0184
 title: |
   Rack Rack::Auth::AbstractRequest Class Unspecified Remote DoS
 date: 2013-01-13

data/data/ruby-advisory-db/gems/rack/{OSVDB-89938.yml → CVE-2013-0262.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack
 cve: 2013-0262
 osvdb: 89938
-url: http://osvdb.org/show/osvdb/89938
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0262
 title: |
   Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure
 date: 2013-02-07

data/data/ruby-advisory-db/gems/rack/{OSVDB-89939.yml → CVE-2013-0263.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rack
 cve: 2013-0263
 osvdb: 89939
-url: http://osvdb.org/show/osvdb/89939
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0263
 title: |
   Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
 date: 2013-02-07

data/data/ruby-advisory-db/gems/rack/CVE-2018-16470.yml ADDED

@@ -0,0 +1,56 @@
+---
+gem: rack
+cve: 2018-16470
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
+title: Possible DoS vulnerability in Rack
+date: 2018-11-05
+description: |
+  There is a possible DoS vulnerability in the multipart parser in Rack. This
+  vulnerability has been assigned the CVE identifier CVE-2018-16470.
+  Versions Affected:  2.0.4, 2.0.5
+  Not affected:       <= 2.0.3
+  Fixed Versions:     2.0.6
+  Impact
+  ------
+  There is a possible DoS vulnerability in the multipart parser in Rack.
+  Carefully crafted requests can cause the multipart parser to enter a
+  pathological state, causing the parser to use CPU resources disproportionate to
+  the request size.
+  Impacted code can look something like this:
+  ```
+  Rack::Request.new(env).params
+  ```
+  But any code that uses the multi-part parser may be vulnerable.
+  Rack users that have manually adjusted the buffer size in the multipart parser
+  may be vulnerable as well.
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Releases
+  --------
+  The 2.0.6 release is available at the normal locations.
+  Workarounds
+  -----------
+  To work around this issue, the following code can be used:
+  ```
+  require "rack/multipart/parser"
+  Rack::Multipart::Parser.send :remove_const, :BUFSIZE
+  Rack::Multipart::Parser.const_set :BUFSIZE, 16384
+  ```
+unaffected_versions:
+  - "<= 2.0.3"
+patched_versions:
+  - ">= 2.0.6"