RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-79727.yml → CVE-2012-1099.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2012-1099
 osvdb: 79727
-url: http://www.osvdb.org/show/osvdb/79727
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-1099
 title:
   Ruby on Rails actionpack/lib/action_view/helpers/form_options_helper.rb
   Manually Generated Select Tag Options XSS

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-84243.yml → CVE-2012-3424.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2012-3424
 osvdb: 84243
-url: http://www.osvdb.org/show/osvdb/84243
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-3424
 title:
   Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb
   with_http_digest Helper Method Remote DoS

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-84515.yml → CVE-2012-3463.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2012-3463
 osvdb: 84515
-url: http://osvdb.org/84515
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-3463
 title: Ruby on Rails select_tag Helper Method prompt Value XSS
 date: 2012-08-09

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-84513.yml → CVE-2012-3465.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2012-3465
 osvdb: 84513
-url: http://www.osvdb.org/show/osvdb/84513
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-3465
 title: Ruby on Rails strip_tags Helper Method XSS
 date: 2012-08-09

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-89026.yml → CVE-2013-0156.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-0156
 osvdb: 89026
-url: http://osvdb.org/show/osvdb/89026
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0156
 title:
   Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
   Remote Code Execution

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-91452.yml → CVE-2013-1855.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-1855
 osvdb: 91452
-url: http://www.osvdb.org/show/osvdb/91452
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1855
 title: XSS vulnerability in sanitize_css in Action Pack
 date: 2013-03-19

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-91454.yml → CVE-2013-1857.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-1857
 osvdb: 91454
-url: http://osvdb.org/show/osvdb/91454
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1857
 title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
 date: 2013-03-19

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-103439.yml → CVE-2014-0081.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2014-0081
 osvdb: 103439
-url: http://osvdb.org/show/osvdb/103439
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-0081
 title: XSS Vulnerability in number_to_currency, number_to_percentage and number_to_human
 date: 2014-02-18

data/data/ruby-advisory-db/gems/actionpack/{OSVDB-103440.yml → CVE-2014-0082.yml} RENAMED

@@ -3,7 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2014-0082
 osvdb: 103440
-url: http://osvdb.org/show/osvdb/103440
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-0082
 title: Denial of Service Vulnerability in Action View when using render :text
 date: 2014-02-18
@@ -16,7 +16,7 @@ description: |
 cvss_v2: 5.0
 unaffected_versions:
-  - ~> 4.0.0
+  - ">= 4.0.0"
 patched_versions:
   - ">= 3.2.17"

data/data/ruby-advisory-db/gems/actionpack/CVE-2015-7576.yml CHANGED

@@ -109,6 +109,9 @@ description: |
     Thank you to Daniel Waterworth for reporting the problem and working with us to
     fix it.
+cvss_v2: 4.3
+cvss_v3: 3.7
 patched_versions:
   - ">= 5.0.0.beta1.1"
   - "~> 4.2.5, >= 4.2.5.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-0751.yml CHANGED

@@ -64,6 +64,9 @@ description: |
   -------
   Aaron Patterson <3<3
+cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
   - ">= 5.0.0.beta1.1"
   - "~> 4.2.5, >= 4.2.5.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2016-2097.yml CHANGED

@@ -87,4 +87,5 @@ unaffected_versions:
 patched_versions:
   - "~> 3.2.22.2"
-  - "~> 4.1.14, >= 4.1.14.2"
+  - "~> 4.1.14"
+  - ">= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionpack/CVE-2020-8164.yml ADDED

@@ -0,0 +1,49 @@
+---
+gem: actionpack
+framework: rails
+cve: 2020-8164
+date: 2020-05-18
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY
+title: Possible Strong Parameters Bypass in ActionPack
+description: |
+  There is a strong parameters bypass vector in ActionPack.
+  Versions Affected:  rails <= 6.0.3
+  Not affected:       rails < 4.0.0
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  In some cases user supplied information can be inadvertently leaked from
+  Strong Parameters.  Specifically the return value of `each`, or `each_value`,
+  or `each_pair` will return the underlying "untrusted" hash of data that was
+  read from the parameters.  Applications that use this return value may be
+  inadvertently use untrusted user input.
+  Impacted code will look something like this:
+  ```
+  def update
+    # Attacker has included the parameter: `{ is_admin: true }`
+    User.update(clean_up_params)
+  end
+  def clean_up_params
+     params.each { |k, v|  SomeModel.check(v) if k == :name }
+  end
+  ```
+  Note the mistaken use of `each` in the `clean_up_params` method in the above
+  example.
+  Workarounds
+  -----------
+  Do not use the return values of `each`, `each_value`, or `each_pair` in your
+  application.
+unaffected_versions:
+  - "< 4.0.0"
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/actionpack/CVE-2020-8166.yml ADDED

@@ -0,0 +1,31 @@
+---
+gem: actionpack
+framework: rails
+cve: 2020-8166
+date: 2020-05-18
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
+title: Ability to forge per-form CSRF tokens given a global CSRF token
+description: |
+  It is possible to possible to, given a global CSRF token such as the one
+  present in the authenticity_token meta tag, forge a per-form CSRF token for
+  any action for that session.
+  Versions Affected:  rails < 5.2.5, rails < 6.0.4
+  Not affected:       Applications without existing HTML injection vulnerabilities.
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  Given the ability to extract the global CSRF token, an attacker would be able to
+  construct a per-form CSRF token for that session.
+  Workarounds
+  -----------
+  This is a low-severity security issue. As such, no workaround is necessarily
+  until such time as the application can be upgraded.
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml CHANGED

@@ -85,6 +85,9 @@ description: |
   -------
   Thanks John Poulin for reporting this!
+cvss_v2: 5.0
+cvss_v3: 7.5
 # "~> 3.2.22.1" is found in gems/actionpack/CVE-2016-0752.yml
 patched_versions:
   - ">= 5.0.0.beta1.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2019-5418.yml ADDED

@@ -0,0 +1,98 @@
+---
+gem: actionview
+framework: rails
+cve: 2019-5418
+date: 2019-03-13
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
+title: File Content Disclosure in Action View
+description: |
+  There is a possible file content disclosure vulnerability in Action View. This
+  vulnerability has been assigned the CVE identifier CVE-2019-5418.
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
+  Impact
+  ------
+  There is a possible file content disclosure vulnerability in Action View.
+  Specially crafted accept headers in combination with calls to `render file:`
+  can cause arbitrary files on the target server to be rendered, disclosing the
+  file contents.
+  The impact is limited to calls to `render` which render file contents without
+  a specified accept format.  Impacted code in a controller looks something like
+  this:
+  ```
+  class UserController < ApplicationController
+    def index
+      render file: "#{Rails.root}/some/file"
+    end
+  end
+  ```
+  Rendering templates as opposed to files is not impacted by this vulnerability.
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Releases
+  --------
+  The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
+  available at the normal locations.
+  Workarounds
+  -----------
+  This vulnerability can be mitigated by specifying a format for file rendering,
+  like this:
+  ```
+  class UserController < ApplicationController
+    def index
+      render file: "#{Rails.root}/some/file", formats: [:html]
+    end
+  end
+  ```
+  In summary, impacted calls to `render` look like this:
+  ```
+  render file: "#{Rails.root}/some/file"
+  ```
+  The vulnerability can be mitigated by changing to this:
+  ```
+  render file: "#{Rails.root}/some/file", formats: [:html]
+  ```
+  Other calls to `render` are not impacted.
+  Alternatively, the following monkey patch can be applied in an initializer:
+  ```
+  $ cat config/initializers/formats_filter.rb
+  # frozen_string_literal: true
+  ActionDispatch::Request.prepend(Module.new do
+    def formats
+      super().select do |format|
+        format.symbol || format.ref == "*/*"
+      end
+    end
+  end)
+  ```
+  Credits
+  -------
+  Thanks to John Hawthorn <john@hawthorn.email> of GitHub
+patched_versions:
+  - "~> 4.2.11, >= 4.2.11.1"
+  - "~> 5.0.7, >= 5.0.7.2"
+  - "~> 5.1.6, >= 5.1.6.2"
+  - "~> 5.2.2, >= 5.2.2.1"
+  - ">= 6.0.0.beta3"

data/data/ruby-advisory-db/gems/actionview/CVE-2019-5419.yml ADDED

@@ -0,0 +1,95 @@
+---
+gem: actionview
+framework: rails
+cve: 2019-5419
+date: 2019-03-13
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
+title: Denial of Service Vulnerability in Action View
+description: |
+  There is a potential denial of service vulnerability in actionview.
+  This vulnerability has been assigned the CVE identifier CVE-2019-5419.
+  Impact
+  ------
+  Specially crafted accept headers can cause the Action View template location
+  code to consume 100% CPU, causing the server unable to process requests.  This
+  impacts all Rails applications that render views.
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+  Workarounds
+  -----------
+  This vulnerability can be mitigated by wrapping `render` calls with
+  `respond_to` blocks.  For example, the following example is vulnerable:
+  ```
+  class UserController < ApplicationController
+    def index
+      render "index"
+    end
+  end
+  ```
+  But the following code is not vulnerable:
+  ```
+  class UserController < ApplicationController
+    def index
+      respond_to |format|
+        format.html { render "index" }
+      end
+    end
+  end
+  ```
+  Implicit rendering is impacted, so this code is vulnerable:
+  ```
+  class UserController < ApplicationController
+    def index
+    end
+  end
+  ```
+  But can be changed this this:
+  ```
+  class UserController < ApplicationController
+    def index
+      respond_to |format|
+        format.html { render "index" }
+      end
+    end
+  end
+  ```
+  Alternatively to specifying the format, the following monkey patch can be
+  applied in an initializer:
+  ```
+  $ cat config/initializers/formats_filter.rb
+  # frozen_string_literal: true
+  ActionDispatch::Request.prepend(Module.new do
+    def formats
+      super().select do |format|
+        format.symbol || format.ref == "*/*"
+      end
+    end
+  end)
+  ```
+  Credits
+  -------
+  Thanks to John Hawthorn <john@hawthorn.email> of GitHub
+patched_versions:
+  - ">= 6.0.0.beta3"
+  - "~> 5.2.2, >= 5.2.2.1"
+  - "~> 5.1.6, >= 5.1.6.2"
+  - "~> 5.0.7, >= 5.0.7.2"
+  - "~> 4.2.11, >= 4.2.11.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2020-5267.yml ADDED

@@ -0,0 +1,69 @@
+---
+gem: actionview
+framework: rails
+cve: 2020-5267
+date: 2020-03-19
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
+title: Possible XSS vulnerability in ActionView
+description: |
+  There is a possible XSS vulnerability in ActionView's JavaScript literal
+  escape helpers.  Views that use the `j` or `escape_javascript` methods
+  may be susceptible to XSS attacks.
+  Versions Affected:  All.
+  Not affected:       None.
+  Fixed Versions:     6.0.2.2, 5.2.4.2
+  Impact
+  ------
+  There is a possible XSS vulnerability in the `j` and `escape_javascript`
+  methods in ActionView.  These methods are used for escaping JavaScript string
+  literals.  Impacted code will look something like this:
+  ```erb
+  <script>let a = `<%= j unknown_input %>`</script>
+  ```
+  or
+  ```erb
+  <script>let a = `<%= escape_javascript unknown_input %>`</script>
+  ```
+  Releases
+  --------
+  The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
+  Workarounds
+  -----------
+  For those that can't upgrade, the following monkey patch may be used:
+  ```ruby
+  ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
+    {
+      "`" => "\\`",
+      "$" => "\\$"
+    }
+  )
+  module ActionView::Helpers::JavaScriptHelper
+    alias :old_ej :escape_javascript
+    alias :old_j :j
+    def escape_javascript(javascript)
+      javascript = javascript.to_s
+      if javascript.empty?
+        result = ""
+      else
+        result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
+      end
+      javascript.html_safe? ? result.html_safe : result
+    end
+    alias :j :escape_javascript
+  end
+  ```
+patched_versions:
+  - "~> 5.2.4, >= 5.2.4.2"
+  - ">= 6.0.2.2"