RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/actionview/CVE-2020-8163.yml ADDED

@@ -0,0 +1,29 @@
+---
+gem: actionview
+framework: rails
+cve: 2020-8163
+date: 2020-05-15
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/hWuKcHyoKh0
+title: Potential remote code execution of user-provided local names in ActionView
+description: |
+  There was a vulnerability in versions of Rails prior to 5.0.1 that would
+  allow an attacker who controlled the `locals` argument of a `render` call.
+  Versions Affected:  rails < 5.0.1
+  Not affected:       Applications that do not allow users to control the names of locals.
+  Fixed Versions:     4.2.11.2
+  Impact
+  ------
+  In the scenario where an attacker might be able to control the name of a
+  local passed into `render`, they can acheive remote code execution.
+  Workarounds
+  -----------
+  Until such time as the patch can be applied, application developers should
+  ensure that all user-provided local names are alphanumeric.
+patched_versions:
+  - ">= 4.2.11.2"

data/data/ruby-advisory-db/gems/actionview/CVE-2020-8167.yml ADDED

@@ -0,0 +1,45 @@
+---
+gem: actionview
+framework: rails
+cve: 2020-8167
+date: 2020-05-18
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0
+title: CSRF Vulnerability in rails-ujs
+description: |
+  There is an vulnerability in rails-ujs that allows attackers to send
+  CSRF tokens to wrong domains.
+  Versions Affected:  rails <= 6.0.3
+  Not affected:       Applications which don't use rails-ujs.
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  This is a regression of CVE-2015-1840.
+  In the scenario where an attacker might be able to control the href attribute of an anchor tag or
+  the action attribute of a form tag that will trigger a POST action, the attacker can set the
+  href or action to a cross-origin URL, and the CSRF token will be sent.
+  Workarounds
+  -----------
+  To work around this problem, change code that allows users to control the href attribute of an anchor
+  tag or the action attribute of a form tag to filter the user parameters.
+  For example, code like this:
+      link_to params
+  to code like this:
+      link_to filtered_params
+      def filtered_params
+        # Filter just the parameters that you trust
+      end
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/active-support/CVE-2018-3779.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: active-support
+cve: 2018-3779
+url: https://hackerone.com/reports/392311
+title: Malicious ruby gem - active-support
+date: 2018-08-09
+description: |
+  The gem duplicates official `activesupport` (no hyphen) code, but adds a
+  compiled extension. The extension attempts to resolve a base64 encoded
+  domain, downloads a payload, and executes.
+  Replace this gem with the official `activesupport` gem.
+related:
+  url:
+    - https://github.com/rubygems/rubygems.org/pull/1762

data/data/ruby-advisory-db/gems/activejob/CVE-2018-16476.yml ADDED

@@ -0,0 +1,36 @@
+---
+gem: activejob
+cve: 2018-16476
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
+title: Broken Access Control vulnerability in Active Job
+date: 2018-11-27
+description: |
+  There is a vulnerability in Active Job. This vulnerability has been
+  assigned the CVE identifier CVE-2018-16476.
+  Versions Affected: >= 4.2.0
+  Not affected: < 4.2.0
+  Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1
+  Impact
+  ------
+  Carefully crafted user input can cause Active Job to deserialize it using GlobalId
+  and allow an attacker to have access to information that they should not have.
+  Vulnerable code will look something like this:
+      MyJob.perform_later(user_input)
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+unaffected_versions:
+  - "< 4.2.0"
+patched_versions:
+  - "~> 4.2.11"
+  - "~> 5.0.7.1"
+  - "~> 5.1.6.1"
+  - "~> 5.1.7"
+  - ">= 5.2.1.1"

data/data/ruby-advisory-db/gems/activemodel/CVE-2016-0753.yml CHANGED

@@ -83,6 +83,9 @@ description: |
   [John Backus](https://github.com/backus) from BlockScore for reporting this!
+cvss_v2: 5.0
+cvss_v3: 5.3
 unaffected_versions:
   - "<= 4.0.13"

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-82610.yml → CVE-2012-2660.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2012-2660
 osvdb: 82610
-url: http://www.osvdb.org/show/osvdb/82610
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2660
 title:
   Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
   Arbitrary IS NULL Clause Injection

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-82403.yml → CVE-2012-2661.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2012-2661
 osvdb: 82403
-url: http://www.osvdb.org/show/osvdb/82403
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2661
 title: Ruby on Rails where Method ActiveRecord Class SQL Injection
 date: 2012-05-31

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-89025.yml → CVE-2013-0155.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2013-0155
 osvdb: 89025
-url: http://osvdb.org/show/osvdb/89025
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0155
 title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
 date: 2013-01-08

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-90072.yml → CVE-2013-0276.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2013-0276
 osvdb: 90072
-url: http://osvdb.org/show/osvdb/90072
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0276
 title: Ruby on Rails Active Record attr_protected Method Bypass
 date: 2013-02-11

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-90073.yml → CVE-2013-0277.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2013-0277
 osvdb: 90073
-url: http://osvdb.org/show/osvdb/90073
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0277
 title: |
   Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
   Code Execution

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-91453.yml → CVE-2013-1854.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2013-1854
 osvdb: 91453
-url: http://osvdb.org/show/osvdb/91453
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1854
 title: Symbol DoS vulnerability in Active Record
 date: 2013-03-19

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-103438.yml → CVE-2014-0080.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2014-0080
 osvdb: 103438
-url: http://osvdb.org/show/osvdb/103438
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-0080
 title: Data Injection Vulnerability in Active Record
 date: 2014-02-18

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-108664.yml → CVE-2014-3482.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2014-3482
 osvdb: 108664
-url: http://osvdb.org/show/osvdb/108664
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
 title: SQL Injection Vulnerability in Active Record
 date: 2014-07-02

data/data/ruby-advisory-db/gems/activerecord/{OSVDB-108665.yml → CVE-2014-3483.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activerecord
 framework: rails
 cve: 2014-3483
 osvdb: 108665
-url: http://osvdb.org/show/osvdb/108665
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-3483
 title: SQL Injection Vulnerability in Active Record
 date: 2014-07-02

data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml CHANGED

@@ -96,6 +96,9 @@ description: |
   [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
+cvss_v2: 5.0
+cvss_v3: 5.3
 unaffected_versions:
   - "~> 3.0.0"
   - "< 3.0.0"

data/data/ruby-advisory-db/gems/activeresource/CVE-2020-8151.yml ADDED

@@ -0,0 +1,48 @@
+---
+gem: activeresource
+cve: 2020-8151
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
+title: activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding
+date: 2020-05-05
+description: |
+  activeresource contains a lack of encoding flaw in the element_path function of
+  lib/active_resource/base.rb.
+  There is an issue with the way Active Resource encodes data before querying the back end server.  This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.
+  Impacted code will look something like this:
+  ```
+  require 'activeresource'
+  class Test < ActiveResource::Base
+    self.site = 'http://127.0.0.1:3000'
+  end
+  Test.exists?(untrusted_user_input)
+  ```
+  Where untrusted user input is passed to an Active Resource model.  Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.
+  Workarounds
+  -------------
+  For those that can't upgrade, the following monkey patch can be applied:
+  ```
+  module ActiveResource
+   class Base
+     class << self
+       def element_path(id, prefix_options = {}, query_options = nil)
+         check_prefix_options(prefix_options)
+         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
+         "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
+       end
+     end
+   end
+  end
+  ```
+patched_versions:
+  - ">= 5.1.1"

data/data/ruby-advisory-db/gems/activestorage/CVE-2018-16477.yml ADDED

@@ -0,0 +1,43 @@
+---
+gem: activestorage
+framework: rails
+cve: 2018-16477
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
+title: Bypass vulnerability in Active Storage
+date: 2018-11-27
+description: |
+  There is a vulnerability in Active Storage. This vulnerability has been
+  assigned the CVE identifier CVE-2018-16477.
+  Versions Affected:  >= 5.2.0
+  Not affected:       < 5.2.0
+  Fixed Versions:     5.2.1.1
+  Impact
+  ------
+  Signed download URLs generated by `ActiveStorage` for Google Cloud Storage
+  service and Disk service include `content-disposition` and `content-type`
+  parameters that an attacker can modify. This can be used to upload specially
+  crafted HTML files and have them served and executed inline. Combined with
+  other techniques such as cookie bombing and specially crafted AppCache manifests,
+  an attacker can gain access to private signed URLs within a specific storage path.
+  Vulnerable apps are those using either GCS or the Disk service in production.
+  Other storage services such as S3 or Azure aren't affected.
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately. For those using GCS, it's also recommended to run the
+  following to update existing blobs:
+  ```
+  ActiveStorage::Blob.find_each do |blob|
+    blob.send :update_service_metadata
+  end
+  ```
+unaffected_versions:
+  - "< 5.2.0"
+patched_versions:
+  - ">= 5.2.1.1"

data/data/ruby-advisory-db/gems/activestorage/CVE-2020-8162.yml ADDED

@@ -0,0 +1,31 @@
+---
+gem: activestorage
+framework: rails
+cve: 2020-8162
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
+title: Circumvention of file size limits in ActiveStorage
+date: 2020-05-18
+description: |
+  There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
+  direct file upload to be modified by an end user.
+  Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
+  Not affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
+  new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
+  Workarounds
+  -----------
+  This is a low-severity security issue. As such, no workaround is necessarily
+  until such time as the application can be upgraded.
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/activesupport/{OSVDB-79726.yml → CVE-2012-1098.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activesupport
 framework: rails
 cve: 2012-1098
 osvdb: 79726
-url: http://osvdb.org/79726
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-1098
 title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
 date: 2012-03-01

data/data/ruby-advisory-db/gems/activesupport/{OSVDB-84516.yml → CVE-2012-3464.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activesupport
 framework: rails
 cve: 2012-3464
 osvdb: 84516
-url: http://www.osvdb.org/show/osvdb/84516
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-3464
 title: Ruby on Rails HTML Escaping Code XSS
 date: 2012-08-09

data/data/ruby-advisory-db/gems/activesupport/{OSVDB-89594.yml → CVE-2013-0333.yml} RENAMED

@@ -3,7 +3,7 @@ gem: activesupport
 framework: rails
 cve: 2013-0333
 osvdb: 89594
-url: http://osvdb.org/show/osvdb/89594
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333
 title:
   Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
   Execution

data/data/ruby-advisory-db/gems/activesupport/{OSVDB-91451.yml → CVE-2013-1856.yml} RENAMED

@@ -4,7 +4,7 @@ framework: rails
 platform: jruby
 cve: 2013-1856
 osvdb: 91451
-url: http://www.osvdb.org/show/osvdb/91451
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
 title: XML Parsing Vulnerability affecting JRuby users
 date: 2013-03-19

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml CHANGED

@@ -1,5 +1,6 @@
 ---
 gem: activesupport
+framework: rails
 cve: 2015-3226
 url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
 title: |

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml CHANGED

@@ -1,5 +1,6 @@
 ---
 gem: activesupport
+framework: rails
 cve: 2015-3227
 url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
 title: |

data/data/ruby-advisory-db/gems/activesupport/CVE-2020-8165.yml ADDED

@@ -0,0 +1,41 @@
+---
+gem: activesupport
+framework: rails
+cve: 2020-8165
+date: 2020-05-18
+url: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
+title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
+description: |
+  There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
+  untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
+  from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
+  ```
+  data = cache.fetch("demo", raw: true) { untrusted_string }
+  ```
+  Versions Affected:  rails < 5.2.5, rails < 6.0.4
+  Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
+  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
+  Impact
+  ------
+  Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
+  this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
+  In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
+  they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
+  reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
+  detect if data was serialized using the raw option upon deserialization.
+  Workarounds
+  -----------
+  It is recommended that application developers apply the suggested patch or upgrade to the latest release as
+  soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
+  the `raw` argument should be double-checked to ensure that they conform to the expected format.
+patched_versions:
+  - "~> 5.2.4.3"
+  - ">= 6.0.3.1"