bundler-audit 0.6.1 → 0.7.0.1

data/data/ruby-advisory-db/rubies/ruby/{OSVDB-74829.yml → CVE-2011-3389.yml}

@@ -1,6 +1,6 @@
 ---
 engine: ruby
-cve: 2004-2770
+cve: 2011-3389
 osvdb: 74829
 url: http://www.osvdb.org/show/osvdb/74829
 title: SSL Chained Initialization Vector CBC Mode MiTM Weakness (BEAST)

data/data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml

@@ -17,3 +17,4 @@ description: |
   (Terada, p. 4) can be applied to without any modification.
 patched_versions:
   - ">= 2.4.0"
+  - "~> 2.3.5"

data/data/ruby-advisory-db/rubies/ruby/CVE-2017-0898.yml

@@ -0,0 +1,19 @@
+---
+engine: ruby
+cve: 2017-0898
+url: https://www.ruby-lang.org/en/news/2017/09/14/sprintf-buffer-underrun-cve-2017-0898/
+title: Buffer underrun vulnerability in Kernel.sprintf
+date: 2017-09-14
+description: |
+  There is a buffer underrun vulnerability in the sprintf method of Kernel module.
+
+  If a malicious format string which contains a precious specifier (*) is
+  passed and a huge minus value is also passed to the specifier, buffer
+  underrun may be caused. In such situation, the result may contains heap, or
+  the Ruby interpreter may crash.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.8"
+  - "~> 2.3.5"
+  - ">= 2.4.2"

data/data/ruby-advisory-db/rubies/ruby/CVE-2017-10784.yml

@@ -0,0 +1,25 @@
+---
+engine: ruby
+cve: 2017-10784
+url: https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
+title: Escape sequence injection vulnerability in the Basic authentication of WEBrick
+date: 2017-09-14
+description: |
+  There is an escape sequence injection vulnerability in the Basic
+  authentication of WEBrick bundled by Ruby.
+
+
+  When using the Basic authentication of WEBrick, clients can pass an
+  arbitrary string as the user name. WEBrick outputs the passed user name
+  intact to its log, then an attacker can inject malicious escape sequences to
+  the log and dangerous control characters may be executed on a victim’s
+  terminal emulator.
+
+  This vulnerability is similar to a vulnerability already fixed, but it had
+  not been fixed in the Basic authentication.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.8"
+  - "~> 2.3.5"
+  - ">= 2.4.2"

data/data/ruby-advisory-db/rubies/ruby/CVE-2017-14033.yml

@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2017-14033
+url: https://www.ruby-lang.org/en/news/2017/09/14/openssl-asn1-buffer-underrun-cve-2017-14033/
+title: Buffer underrun vulnerability in OpenSSL ASN1 decode
+date: 2017-09-14
+description: |
+  There is a buffer underrun vulnerability in OpenSSL bundled by Ruby.
+
+  If a malicious string is passed to the decode method of OpenSSL::ASN1,
+  buffer underrun may be caused and the Ruby interpreter may crash.
+  All users running an affected release should either upgrade or use one of
+  the workarounds immediately.
+
+  The OpenSSL library is also distributed as a gem. If you can’t upgrade Ruby
+  itself, install OpenSSL gem newer than version 2.0.0. But this workaround is
+  only available with Ruby 2.4 series. When using Ruby 2.2 series or 2.3
+  series, the gem does not override the bundled version of OpenSSL.
+patched_versions:
+  - "~> 2.2.8"
+  - "~> 2.3.5"
+  - ">= 2.4.2"

data/data/ruby-advisory-db/rubies/ruby/CVE-2017-14064.yml

@@ -0,0 +1,20 @@
+---
+engine: ruby
+cve: 2017-14064
+url: https://www.ruby-lang.org/en/news/2017/09/14/json-heap-exposure-cve-2017-14064/
+title: Heap exposure vulnerability in generating JSON
+date: 2017-09-14
+description: |
+  There is a heap exposure vulnerability in JSON bundled by Ruby.
+
+  The generate method of JSON module optionally accepts an instance of
+  JSON::Ext::Generator::State class. If a malicious instance is passed, the
+  result may include contents of heap.  All users running an affected release
+  should either upgrade or use one of the workarounds immediately.
+
+  The JSON library is also distributed as a gem. If you can’t upgrade Ruby
+  itself, install JSON gem newer than version 2.0.4.
+patched_versions:
+  - "~> 2.2.8"
+  - "~> 2.3.5"
+  - ">= 2.4.2"

data/data/ruby-advisory-db/rubies/ruby/CVE-2017-17405.yml

@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2017-17405
+url: https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
+title: Command injection vulnerability in Net::FTP
+date: 2017-12-14
+description: |
+  There is a command injection vulnerability in Net::FTP bundled with Ruby.
+
+  `Net::FTP#get`, `getbinaryfile`, `gettextfile`, `put`, `putbinaryfile`, and
+  `puttextfile` use `Kernel#open` to open a local file. If the `localfile`
+  argument starts with the pipe character `"|"`, the command following the
+  pipe character is executed. The default value of `localfile` is
+  `File.basename(remotefile)`, so malicious FTP servers could cause arbitrary
+  command execution.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.9"
+  - "~> 2.3.6"
+  - "~> 2.4.3"
+  - "> 2.5.0.preview.1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2017-17742.yml

@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2017-17742
+url: https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
+title: HTTP response splitting in WEBrick
+date: 2018-03-28
+description: |
+  There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby.
+
+  If a script accepts an external input and outputs it without modification as
+  a part of HTTP responses, an attacker can use newline characters to deceive
+  the clients that the HTTP response header is stopped at there, and can inject
+  fake HTTP responses after the newline characters to show malicious contents
+  to the clients.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.10"
+  - "~> 2.3.7"
+  - "~> 2.4.4"
+  - "~> 2.5.1"
+  - "> 2.6.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-16395.yml

@@ -0,0 +1,36 @@
+---
+engine: ruby
+cve: 2018-16395
+url: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/
+title: Incorrect equality check in OpenSSL::X509::Name
+date: 2018-10-17
+description: |
+  The equality check of `OpenSSL::X509::Name` is not correctly in openssl
+  extension library bundled with Ruby.
+
+  An instance of `OpenSSL::X509::Name` contains entities such as `CN`, `C`
+  and so on. Some two instances of `OpenSSL::X509::Name` are equal only when
+  all entities are exactly equal. However, there is a bug that the equality
+  check is not correct if the value of an entity of the argument (right-hand
+  side) starts with the value of the receiver (left-hand side). So, if a
+  malicious X.509 certificate is passed to compare with an existing
+  certificate, there is a possibility to be judged incorrectly that they are
+  equal.
+
+  It is strongly recommended for Ruby users to upgrade your Ruby installation
+  or take one of the following workarounds as soon as possible.
+
+  `openssl` gem 2.1.2 or later includes the fix for the vulnerability, so
+  upgrade `openssl` gem to the latest version if you are using Ruby 2.4 or
+  later series.
+
+  `gem install openssl -v ">= 2.1.2"`
+
+  However, in Ruby 2.3 series, you cannot override bundled version of openssl
+  with `openssl` gem. Please upgrade your Ruby installation to the latest
+  version.
+patched_versions:
+  - "~> 2.3.8"
+  - "~> 2.4.5"
+  - "~> 2.5.2"
+  - ">= 2.6.0-preview3"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-16396.yml

@@ -0,0 +1,26 @@
+---
+engine: ruby
+cve: 2018-16396
+url: https://www.ruby-lang.org/en/news/2018/10/17/not-propagated-taint-flag-in-some-formats-of-pack-cve-2018-16396/
+title: Tainted flags not always propogated in Array#pack and String#unpack
+date: 2018-10-17
+description: |
+  In `Array#pack` and `String#unpack` with some formats, the tainted flags of
+  the original data are not propagated to the returned string/array.
+
+  `Array#pack` method converts the receiver’s contents into a string with
+  specified format. If the receiver contains some tainted objects, the
+  returned string also should be tainted. `String#unpack` method which
+  converts the receiver into an array also should propagate its tainted flag
+  to the objects contained in the returned array. But, with `B`, `b`, `H` and
+  `h` directives, the tainted flags are not propagated. So, if a script
+  processes unreliable inputs by `Array#pack` and/or `String#unpack` with these
+  directives and checks the reliability with tainted flags, the check might be
+  wrong.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.3.8"
+  - "~> 2.4.5"
+  - "~> 2.5.2"
+  - ">= 2.6.0-preview3"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-6914.yml

@@ -0,0 +1,27 @@
+---
+engine: ruby
+cve: 2018-6914
+url: https://www.ruby-lang.org/en/news/2018/03/28/unintentional-file-and-directory-creation-with-directory-traversal-cve-2018-6914/
+title: Unintentional file and directory creation with directory traversal in tempfile and tmpdir
+date: 2018-03-28
+description: |
+  There is an unintentional directory creation vulnerability in tmpdir library
+  bundled with Ruby. And there is also an unintentional file creation
+  vulnerability in tempfile library bundled with Ruby, because it uses tmpdir
+  internally
+
+  `Dir.mktmpdir` method introduced by tmpdir library accepts the prefix and the
+  suffix of the directory which is created as the first parameter. The prefix can
+  contain relative directory specifiers `../`, so this method can be used to
+  target any directory. So, if a script accepts an external input as the prefix,
+  and the targeted directory has inappropriate permissions or the ruby process
+  has inappropriate privileges, the attacker can create a directory or a file at
+  any directory.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.10"
+  - "~> 2.3.7"
+  - "~> 2.4.4"
+  - "~> 2.5.1"
+  - "> 2.6.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-8777.yml

@@ -0,0 +1,21 @@
+---
+engine: ruby
+cve: 2018-8777
+url: https://www.ruby-lang.org/en/news/2018/03/28/large-request-dos-in-webrick-cve-2018-8777/
+title: DoS by large request in WEBrick
+date: 2018-03-28
+description: |
+  There is a out-of-memory DoS vulnerability with a large request in WEBrick
+  bundled with Ruby
+
+  If an attacker sends a large request which contains huge HTTP headers,
+  WEBrick try to process it on memory, so the request causes the out-of-memory
+  DoS attack.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.10"
+  - "~> 2.3.7"
+  - "~> 2.4.4"
+  - "~> 2.5.1"
+  - "> 2.6.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-8778.yml

@@ -0,0 +1,20 @@
+---
+engine: ruby
+cve: 2018-8778
+url: https://www.ruby-lang.org/en/news/2018/03/28/buffer-under-read-unpack-cve-2018-8778/
+title: Buffer under-read in String#unpack
+date: 2018-03-28
+description: |
+  `String#unpack` receives format specifiers as its parameter, and can be
+  specified the position of parsing the data by the specifier `@`. If a big
+  number is passed with `@`, the number is treated as the negative value, and
+  out-of-buffer read is occurred. So, if a script accepts an external input as
+  the argument of `String#unpack`, the attacker can read data on heaps.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.10"
+  - "~> 2.3.7"
+  - "~> 2.4.4"
+  - "~> 2.5.1"
+  - "> 2.6.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-8779.yml

@@ -0,0 +1,28 @@
+---
+engine: ruby
+cve: 2018-8779
+url: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-unixsocket-cve-2018-8779/
+title: Unintentional socket creation by poisoned NUL byte in UNIXServer and UNIXSocket
+date: 2018-03-28
+description: |
+  There is a unintentional socket creation vulnerability in `UNIXServer.open`
+  method of socket library bundled with Ruby. And there is also a unintentional
+  socket access vulnerability in `UNIXSocket.open` method.
+
+  `UNIXServer.open` accepts the path of the socket to be created at the first
+  parameter. If the path contains NUL (`\0`) bytes, this method recognize that
+  the path is completed before the NUL bytes. So, if a script accepts an external
+  input as the argument of this method, the attacker can make the socket file in
+  the unintentional path. And, `UNIXSocket.open` also accepts the path of the
+  socket to be created at the first parameter without checking NUL bytes like
+  `UNIXServer.open`. So, if a script accepts an external input as the argument of
+  this method, the attacker can accepts the socket file in the unintentional
+  path.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.10"
+  - "~> 2.3.7"
+  - "~> 2.4.4"
+  - "~> 2.5.1"
+  - "> 2.6.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2018-8780.yml

@@ -0,0 +1,22 @@
+---
+engine: ruby
+cve: 2018-8780
+url: https://www.ruby-lang.org/en/news/2018/03/28/poisoned-nul-byte-dir-cve-2018-8780/
+title: Unintentional directory traversal by poisoned NUL byte in Dir
+date: 2018-03-28
+description: |
+  There is an unintentional directory traversal in some methods in `Dir`
+
+  `Dir.open`, `Dir.new`, `Dir.entries` and `Dir.empty?` accept the path of the
+  target directory as their parameter. If the parameter contains NUL (`\0`)
+  bytes, these methods recognize that the path is completed before the NUL bytes.
+  So, if a script accepts an external input as the argument of these methods, the
+  attacker can make the unintentional directory traversal.
+
+  All users running an affected release should upgrade immediately.
+patched_versions:
+  - "~> 2.2.10"
+  - "~> 2.3.7"
+  - "~> 2.4.4"
+  - "~> 2.5.1"
+  - "> 2.6.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2019-15845.yml

@@ -0,0 +1,18 @@
+---
+engine: ruby
+cve: 2019-15845
+url: https://www.ruby-lang.org/en/news/2019/10/01/nul-injection-file-fnmatch-cve-2019-15845/
+title: A NUL injection vulnerability of File.fnmatch and File.fnmatch?
+date: 2019-10-01
+description: |
+  Built-in methods File.fnmatch and its alias File.fnmatch? accept the path
+  pattern as their first parameter. When the pattern contains NUL character
+  (\0), the methods recognize that the path pattern ends immediately before the
+  NUL byte. Therefore, a script that uses an external input as the pattern
+  argument, an attacker can make it wrongly match a pathname that is the second
+  parameter.
+patched_versions:
+  - "~> 2.4.8"
+  - "~> 2.5.7"
+  - "~> 2.6.5"
+  - "> 2.7.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2019-16201.yml

@@ -0,0 +1,15 @@
+---
+engine: ruby
+cve: 2019-16201
+url: https://www.ruby-lang.org/en/news/2019/10/01/webrick-regexp-digestauth-dos-cve-2019-16201/
+title: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication
+date: 2019-10-01
+description: |
+  Regular expression denial of service vulnerability of WEBrick’s Digest
+  authentication module was found. An attacker can exploit this vulnerability
+  to cause an effective denial of service against a WEBrick service.
+patched_versions:
+  - "~> 2.4.8"
+  - "~> 2.5.7"
+  - "~> 2.6.5"
+  - "> 2.7.0-preview1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2019-16254.yml

@@ -0,0 +1,19 @@
+---
+engine: ruby
+cve: 2019-16254
+url: https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
+title: HTTP response splitting in WEBrick (Additional fix)
+date: 2019-10-01
+description: |
+  If a program using WEBrick inserts untrusted input into the response header,
+  an attacker can exploit it to insert a newline character to split a header,
+  and inject malicious content to deceive clients.
+
+  This is the same issue as CVE-2017-17742. The previous fix was incomplete,
+  which addressed the CRLF vector, but did not address an isolated CR or an
+  isolated LF.
+patched_versions:
+  - "~> 2.4.8"
+  - "~> 2.5.7"
+  - "~> 2.6.5"
+  - "> 2.7.0-preview1"