RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/rexical/CVE-2019-5477.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: rexical
+cve: 2019-5477
+date: 2019-08-11
+url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
+title: Rexical Command Injection Vulnerability
+description: |
+  A command injection vulnerability appears in code generated by the Rexical
+  gem versions v1.0.6 and earlier. It allows commands to be executed in a
+  subprocess by Ruby's `Kernel.open` method.
+patched_versions:
+  - ">= 1.0.7"
+cvss_v2: 7.5
+cvss_v3: 9.8
+related:
+  url:
+    - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ

data/data/ruby-advisory-db/gems/rgpg/{OSVDB-95948.yml → CVE-2013-4203.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: rgpg
 cve: 2013-4203
 osvdb: 95948
-url: http://www.osvdb.org/show/osvdb/95948
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-4203
 title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
 date: 2013-08-02
 description: |

data/data/ruby-advisory-db/gems/rubocop/CVE-2017-8418.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: rubocop
+cve: 2017-8418
+url: https://github.com/bbatsov/rubocop/issues/4336
+date: 2017-05-01
+title: |
+  RuboCop: insecure use of /tmp
+description: |
+  RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local
+  users to exploit this to tamper with cache files belonging to other users.
+cvss_v2: 2.1
+patched_versions:
+  - ">= 0.49.0"
+related:
+  url:
+    - http://www.openwall.com/lists/oss-security/2017/05/01/14

data/data/ruby-advisory-db/gems/ruby-openid/CVE-2019-11027.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: ruby-openid
+cve: 2019-11027
+ghsa: fqfj-cmh6-hj49
+url: https://github.com/openid/ruby-openid/issues/122
+date: 2019-06-13
+title: ruby-openid SSRF via claimed_id request
+description: |
+  Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable
+  flaw. This library is used by Rails web applications to integrate with OpenID Providers.
+  Severity can range from medium to critical, depending on how a web application developer
+  chose to employ the ruby-openid library. Developers who based their OpenID integration
+  heavily on the "example app" provided by the project are at highest risk.
+cvss_v3: 9.8
+patched_versions:
+- ">= 2.9.0"

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml CHANGED

@@ -12,6 +12,9 @@ description: |
   ruby-saml users must update to 1.3.0, which implements 3 extra validations to
   mitigate this kind of attack.
-cvss_v3: 6.1
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
   - ">= 1.3.0"

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2017-11428.yml ADDED

@@ -0,0 +1,27 @@
+---
+gem: ruby-saml
+cve: 2017-11428
+url: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f
+title: Authentication bypass via incorrect XML canonicalization and DOM traversal
+date: 2018-02-27
+description: |
+  ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect
+  XML canonicalization and DOM traversal. Specifically, there are inconsistencies in
+  handling of comments within XML nodes, resulting in incorrect parsing of the inner text
+  of XML nodes such that any inner text after the comment is lost prior to
+  cryptographically signing the SAML message. Text after the comment therefore has no
+  impact on the signature on the SAML message.
+  A remote attacker can modify SAML content for a SAML service provider without
+  invalidating the cryptographic signature, which may allow attackers to bypass
+  primary authentication for the affected SAML service provider.
+cvss_v2: 6.3
+patched_versions:
+  - ">= 1.7.0"
+related:
+  url:
+    - https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+    - https://www.kb.cert.org/vuls/id/475445

data/data/ruby-advisory-db/gems/ruby_parser-legacy/CVE-2019-18409.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: ruby_parser-legacy
+cve: 2019-18409
+date: 2019-10-24
+url: https://github.com/zenspider/ruby_parser-legacy/issues/1
+title: ruby_parser-legacy world writable files allow local privilege escalation
+description: |
+  The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local
+  privilege escalation because of world-writable files. For example,
+  if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used,
+  a local user can insert malicious code into the
+  ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.
+cvss_v2: 4.6
+cvss_v3: 7.8

data/data/ruby-advisory-db/gems/ruby_parser/{OSVDB-90561.yml → CVE-2013-0162.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: ruby_parser
 cve: 2013-0162
 osvdb: 90561
-url: http://osvdb.org/show/osvdb/90561
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0162
 title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
 date: 2013-02-21
 description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.

data/data/ruby-advisory-db/{libraries/rubygems/OSVDB-33561.yml → gems/rubygems-update/CVE-2007-0469.yml} RENAMED

@@ -1,8 +1,9 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2007-0469
 osvdb: 33561
-url: http://www.osvdb.org/show/osvdb/33561
+url: https://nvd.nist.gov/vuln/detail/CVE-2007-0469
 title: |
   RubyGems installer.rb extract_files Function Crafted GEM Package Arbitrary
   File Overwrite

data/data/ruby-advisory-db/{libraries/rubygems/OSVDB-85809.yml → gems/rubygems-update/CVE-2012-2125.yml} RENAMED

@@ -1,8 +1,9 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2012-2125
 osvdb: 85809
-url: http://www.osvdb.org/show/osvdb/85809
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2125
 title: |
   RubyGems HTTPS to HTTP Redirection MitM Downloaded Installation File
   Manipulation

data/data/ruby-advisory-db/{libraries/rubygems/OSVDB-81444.yml → gems/rubygems-update/CVE-2012-2126.yml} RENAMED

@@ -1,8 +1,9 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2012-2126
 osvdb: 81444
-url: http://www.osvdb.org/show/osvdb/81444
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2126
 title: RubyGems SSL Certificate Validation MitM Spoofing Weakness
 date: 2012-04-20
 description: |

data/data/ruby-advisory-db/{libraries/rubygems → gems/rubygems-update}/CVE-2013-4287.yml RENAMED

@@ -1,4 +1,5 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2013-4287
 osvdb: 97163

data/data/ruby-advisory-db/{libraries/rubygems → gems/rubygems-update}/CVE-2013-4363.yml RENAMED

@@ -1,4 +1,5 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2013-4363
 osvdb: 97163

data/data/ruby-advisory-db/{libraries/rubygems → gems/rubygems-update}/CVE-2015-3900.yml RENAMED

@@ -1,4 +1,5 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2015-3900
 osvdb: 122162

data/data/ruby-advisory-db/{libraries/rubygems → gems/rubygems-update}/CVE-2015-4020.yml RENAMED

@@ -1,4 +1,5 @@
 ---
+gem: rubygems-update
 library: rubygems
 cve: 2015-4020
 url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0899.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2017-0899
+url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+title: RubyGems ANSI escape sequence vulnerability
+date: 2017-08-29
+description: |
+  RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem
+  specifications that include terminal escape characters. Printing the gem
+  specification would execute terminal escape sequences.
+cvss_v2: 7.5
+patched_versions:
+  - ">= 2.4.5.3"
+  - ">= 2.5.2.1"
+  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0900.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2017-0900
+url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+title: RubyGems DoS vulnerability in the query command
+date: 2017-08-29
+description: |
+  RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem
+  specifications to cause a denial of service attack against RubyGems clients
+  who have issued a `query` command.
+cvss_v2: 5.0
+patched_versions:
+  - ">= 2.4.5.3"
+  - ">= 2.5.2.1"
+  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0901.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2017-0901
+url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+title: RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
+date: 2017-08-29
+description: |
+  RubyGems version 2.6.12 and earlier fails to validate specification names,
+  allowing a maliciously crafted gem to potentially overwrite any file on the
+  filesystem.
+cvss_v2: 6.4
+patched_versions:
+  - ">= 2.4.5.3"
+  - ">= 2.5.2.1"
+  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0902.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2017-0902
+url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+title: RubyGems DNS request hijacking vulnerability
+date: 2017-08-29
+description: |
+  RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
+  vulnerability that allows a MITM attacker to force the RubyGems client to
+  down load and install gems from a server that the attacker controls.
+cvss_v2: 6.8
+patched_versions:
+  - ">= 2.4.5.3"
+  - ">= 2.5.2.1"
+  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0903.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2017-0903
+url: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
+title: Unsafe Object Deserialization Vulnerability in RubyGems
+date: 2017-10-09
+description: |
+  There is a possible unsafe object deserialization vulnerability in RubyGems.
+  It is possible for YAML deserialization of gem specifications to bypass class
+  white lists. Specially crafted serialized objects can possibly be used to
+  escalate to remote code execution.
+cvss_v2: 7.5
+unaffected_versions:
+  - "< 2.0.0"
+patched_versions:
+  - ">= 2.6.14"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8320.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2019-8320
+url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+title: Delete directory using symlink when decompressing tar
+date: 2019-03-05
+description: |
+  A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
+  through 3.0.2. Before making new directories or touching files (which now
+  include path-checking code for symlinks), it would delete the target
+  destination. If that destination was hidden behind a symlink, a malicious gem
+  could delete arbitrary files on the user’s machine, presuming the attacker
+  could guess at paths. Given how frequently gem is run as sudo, and how
+  predictable paths are on modern systems (/tmp, /usr, etc.), this could
+  likely lead to data loss or an unusable system.
+unaffected_versions:
+  - "< 2.7.6"
+patched_versions:
+  - ">= 3.0.3"
+  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8321.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2019-8321
+url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+title: Escape sequence injection vulnerability in verbose
+date: 2019-03-05
+description: |
+  An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
+  Gem::UserInteraction#verbose calls say without escaping, escape sequence
+  injection is possible.
+unaffected_versions:
+  - "< 2.6"
+patched_versions:
+  - ">= 3.0.3"
+  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8322.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2019-8322
+url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+title: Escape sequence injection vulnerability in gem owner
+date: 2019-03-05
+description: |
+  An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem
+  owner command outputs the contents of the API response directly to stdout.
+  Therefore, if the response is crafted, escape sequence injection may occur.
+unaffected_versions:
+  - "< 2.6"
+patched_versions:
+  - ">= 3.0.3"
+  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8323.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2019-8323
+url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+title: Escape sequence injection vulnerability in api response handling
+date: 2019-03-05
+description: |
+  An issue was discovered in RubyGems 2.6 and later through 3.0.2.
+  Gem::GemcutterUtilities#with_response may output the API response to stdout
+  as it is. Therefore, if the API side modifies the response, escape sequence
+  injection may occur.
+unaffected_versions:
+  - "< 2.6"
+patched_versions:
+  - ">= 3.0.3"
+  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8324.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2019-8324
+url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+title: Installing a malicious gem may lead to arbitrary code execution
+date: 2019-03-05
+description: |
+  An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted
+  gem with a multi-line name is not handled correctly. Therefore, an attacker
+  could inject arbitrary code to the stub line of gemspec, which is eval-ed by
+  code in ensure_loadable_spec during the preinstall check.
+unaffected_versions:
+  - "< 2.6"
+patched_versions:
+  - ">= 3.0.3"
+  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8325.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: rubygems-update
+library: rubygems
+cve: 2019-8325
+url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+title: Escape sequence injection vulnerability in errors
+date: 2019-03-05
+description: |
+  An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
+  Gem::CommandManager#run calls alert_error without escaping, escape sequence
+  injection is possible. (There are many ways to cause an error.)
+unaffected_versions:
+  - "< 2.6"
+patched_versions:
+  - ">= 3.0.3"
+  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml CHANGED

@@ -5,10 +5,13 @@ url: https://github.com/rubyzip/rubyzip/issues/315
 title: Directory traversal vulnerability in rubyzip
 date: 2017-02-27
 description: |
-  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory
-  traversal vulnerability. If a site allows uploading of .zip files, an attacker
-  can upload a malicious file that uses "../" pathname substrings to write arbitrary
-  files to the filesystem.
-cvss_v3: 6.1
+  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
+  directory traversal vulnerability. If a site allows uploading of .zip files,
+  an attacker can upload a malicious file that uses "../" pathname substrings to
+  write arbitrary files to the filesystem.
+cvss_v2: 7.5
+cvss_v3: 9.8
 patched_versions:
   - ">= 1.2.1"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2018-1000544.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: rubyzip
+date: 2018-06-14
+url: https://github.com/rubyzip/rubyzip/issues/369
+cve: 2018-1000544
+title: Directory Traversal in rubyzip
+description: |
+  rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
+  in Zip::File component that can result in write arbitrary files to the filesystem.
+  If a site allows uploading of .zip files, an attacker can upload a malicious file
+  which contains symlinks or files with absolute pathnames "../" to write arbitrary
+  files to the filesystem.
+patched_versions:
+  - ">= 1.2.2"
+related:
+  cve:
+    - 2017-5946
+  url:
+    - https://security-tracker.debian.org/tracker/CVE-2018-1000544