RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/gtk2/{OSVDB-40774.yml → CVE-2007-6183.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: gtk2
 cve: 2007-6183
 osvdb: 40774
-url: http://osvdb.org/show/osvdb/40774
+url: https://nvd.nist.gov/vuln/detail/CVE-2007-6183
 title:
   Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
   Format String

data/data/ruby-advisory-db/gems/gyazo/{OSVDB-108563.yml → CVE-2014-4994.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: gyazo
 cve: 2014-4994
 osvdb: 108563
-url: http://osvdb.org/show/osvdb/108563
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-4994
 title: gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
 date: 2014-06-30
 description: gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/haml/CVE-2017-1002201.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: haml
+cve: 2017-1002201
+url: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
+title: haml failure to escape single quotes
+date: 2017-05-08
+description: |
+  In haml versions prior to version 5.0.0.beta.2, when using user input to
+  perform tasks on the server, characters like < > " ' must be escaped properly.
+  In this case, the ' character was missed. An attacker can manipulate the input
+  to introduce additional attributes, potentially executing code.
+cvss_v2: 4.3
+cvss_v3: 6.1
+patched_versions:
+  - ">= 5.0.0.beta.2"
+related:
+  url:
+    - https://snyk.io/vuln/SNYK-RUBY-HAML-20362

data/data/ruby-advisory-db/gems/httparty/{OSVDB-90741.yml → CVE-2013-1801.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: httparty
 cve: 2013-1801
 osvdb: 90741
-url: http://osvdb.org/show/osvdb/90741
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1801
 title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
 date: 2013-01-14
 description: |

data/data/ruby-advisory-db/gems/i18n/CVE-2014-10077.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: i18n
+cve: 2014-10077
+url: https://github.com/svenfuchs/i18n/pull/289
+title: i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling DoS
+date: 2014-09-27
+description: |
+  i18n Gem for Ruby contains a flaw in the Hash#slice() function in
+  lib/i18n/core_ext/hash.rb that is triggered when calling a hash when
+  :some_key is in keep_keys but not in the hash. This may allow an attacker
+  to cause the program to crash.
+patched_versions:
+  - ">= 0.8.0"
+related:
+  osvdb:
+    - 121500

data/data/ruby-advisory-db/gems/iodine/GHSA-85rf-xh54-whp3.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: iodine
+ghsa: 85rf-xh54-whp3
+url: https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3
+date: 2019-10-07
+title: iodine path traversal via malicious URL drafting attack
+description: |
+  Malicious URL drafting attack against iodines static file server
+  may allow path traversal
+  Impact:
+  A path traversal vulnerability was detected in iodine's static file service.
+  This vulnerability effects any application running iodine's static file server
+  on an effected iodine version.
+  Malicious URL drafting may cause the static file server to attempt a response
+  containing data from files that shouldn't be normally accessible from the
+  public folder.
+patched_versions:
+- ">= 0.7.34"

data/data/ruby-advisory-db/gems/jekyll/CVE-2018-17567.yml ADDED

@@ -0,0 +1,14 @@
+---
+gem: jekyll
+cve: 2018-17567
+date: 2018-09-28
+url: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/
+title: Jekyll _config.yml privilege escalation
+description: Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows
+  attackers to access arbitrary files by specifying a symlink in the "include" key
+  in the "_config.yml" file.
+cvss_v3: 7.5
+patched_versions:
+- "~> 3.6.3"
+- "~> 3.7.4"
+- ">= 3.8.4"

data/data/ruby-advisory-db/gems/jquery-rails/CVE-2019-11358.yml ADDED

@@ -0,0 +1,24 @@
+---
+gem: jquery-rails
+framework: rails
+cve: 2019-11358
+date: 2019-04-19
+url: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/
+title: Prototype pollution attack through jQuery $.extend
+description: |
+  jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of
+  bject.prototype pollution. If an unsanitized source object contained an
+  enumerable __proto__ property, it could extend the native Object.prototype.
+cvss_v2: 4.3
+cvss_v3: 6.1
+patched_versions:
+  - ">= 4.3.4"
+related:
+  url:
+    - https://hackerone.com/reports/454365
+    - https://github.com/jquery/jquery/pull/4333
+    - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b
+    - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434

data/data/ruby-advisory-db/gems/jquery-ui-rails/CVE-2016-7103.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: jquery-ui-rails
+framework: rails
+cve: 2016-7103
+date: 2016-08-27
+url: https://github.com/jquery/api.jqueryui.com/issues/281
+title: XSS Vulnerability on closeText option of Dialog jQuery UI
+description: |
+  Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might
+  allow remote attackers to inject arbitrary web script or HTML via the
+  closeText parameter of the dialog function.
+cvss_v2: 4.3
+cvss_v3: 6.1
+patched_versions:
+  - ">= 6.0.0"
+related:
+  url:
+    - https://github.com/jquery/jquery-ui/pull/1635
+    - https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/History.md#600

data/data/ruby-advisory-db/gems/json-jwt/CVE-2018-1000539.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: json-jwt
+cve: 2018-1000539
+date: 2018-04-30
+url: https://github.com/nov/json-jwt/pull/62
+title: Auth tag forgery vulnerability with AES-GCM encrypted JWT
+description: |
+  Ruby's OpenSSL bindings do not check the length of the supplied
+  authentication tag when decrypting an authenticated encryption mode
+  such as AES-GCM, leaving this up to the authors of a gem/app to
+  implement for properly validating the message.
+  json-jwt was not checking for the authentication tag length, meaning
+  that with a one byte tag the JWT would be considered not tampered
+  with. This means that with an average of 128 (max 256) attempts an
+  attacker can forge a valid signature.
+unaffected_versions:
+  - "< 0.5.1"
+patched_versions:
+  - ">= 1.9.4"

data/data/ruby-advisory-db/gems/json-jwt/CVE-2019-18848.yml ADDED

@@ -0,0 +1,15 @@
+---
+gem: json-jwt
+cve: 2019-18848
+ghsa: cff7-6h4q-q5pj
+url: https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a
+date: 2019-11-14
+title: |
+  json-jwt improper input validation due to lack of element count when
+  splitting string
+description: |
+  The json-jwt gem before 1.11.0 for Ruby lacks an element count during
+  the splitting of a JWE string.
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.11.0"

data/data/ruby-advisory-db/gems/json/CVE-2013-0269.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: json
+cve: 2013-0269
+osvdb: 101137
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0269
+title: json Gem for Ruby multiple Remote DoS vulnerabilities
+date: 2013-02-12
+description: |
+  The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby
+  allows remote attackers to cause a denial of service (resource consumption) or
+  bypass the mass assignment protection mechanism via a crafted JSON document
+  that triggers the creation of arbitrary Ruby symbols or certain internal
+  objects, as demonstrated by conducting a SQL injection attack against
+  Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
+cvss_v2: 9.0
+patched_versions:
+  - ~> 1.5.5
+  - ~> 1.6.8
+  - ">= 1.7.7"

data/data/ruby-advisory-db/gems/json/CVE-2020-10663.yml ADDED

@@ -0,0 +1,35 @@
+---
+gem: json
+cve: 2020-10663
+url: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/
+title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix)
+date: 2020-03-19
+description: |
+  There is an unsafe object creation vulnerability in the json gem bundled with
+  Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663.
+  We strongly recommend upgrading the json gem.
+  Details
+  -------
+  When parsing certain JSON documents, the json gem (including the one bundled
+  with Ruby) can be coerced into creating arbitrary objects in the target system.
+  This is the same issue as CVE-2013-0269. The previous fix was incomplete, which
+  addressed JSON.parse(user_input), but didn’t address some other styles of JSON
+  parsing including JSON(user_input) and JSON.parse(user_input, nil).
+  See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a
+  Denial of Service by creating many garbage-uncollectable Symbol objects, but
+  this kind of attack is no longer valid because Symbol objects are now
+  garbage-collectable. However, creating arbitrary objects may cause severe
+  security consequences depending upon the application code.
+patched_versions:
+  - ">= 2.3.0"
+related:
+  cve:
+    - 2013-0269
+  url:
+    - https://groups.google.com/forum/#!topic/ruby-security-ann/ermX1eQqqKA

data/data/ruby-advisory-db/gems/kafo/{OSVDB-106826.yml → CVE-2014-0135.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: kafo
 cve: 2014-0135
 osvdb: 106826
-url: http://osvdb.org/show/osvdb/106826
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-0135
 title: Kafo default_values.yaml Insecure Permissions Local Information Disclosure
 date: 2014-03-13
 description: Kafo contains a flaw that is due to the program using insecure

data/data/ruby-advisory-db/gems/kajam/{OSVDB-108529.yml → CVE-2014-4999.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: kajam
 cve: 2014-4999
 osvdb: 108529
-url: http://osvdb.org/show/osvdb/108529
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-4999
 title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List Local Plaintext Password Disclosure
 date: 2014-06-30
 description: |

data/data/ruby-advisory-db/gems/kaminari/CVE-2020-11082.yml ADDED

@@ -0,0 +1,34 @@
+---
+gem: kaminari
+cve: 2020-11082
+ghsa: r5jw-62xg-j433
+url: https://github.com/kaminari/kaminari/security/advisories/GHSA-r5jw-62xg-j433
+date: 2020-05-28
+title: Cross-Site Scripting in Kaminari via `original_script_name` parameter
+description: |-
+  ### Impact
+  There was a vulnerability in versions of Kaminari that would allow an attacker to inject arbitrary code into pages with pagination links.
+  For example, an attacker could craft pagination links that link to other domain or host:
+  https://example.com/posts?page=4&original_script_name=https://another-host.example.com
+  In addition, an attacker could also craft pagination links that include JavaScript code that runs when a user clicks the link:
+  https://example.com/posts?page=4&original_script_name=javascript:alert(42)%3b//
+  ### Releases
+  The 1.2.1 gem including the patch has already been released.
+  All past released versions are affected by this vulnerability.
+  ### Workarounds
+  Application developers who can't update the gem can workaround by overriding the `PARAM_KEY_EXCEPT_LIST` constant.
+  ```ruby
+  module Kaminari::Helpers
+    PARAM_KEY_EXCEPT_LIST = [:authenticity_token, :commit, :utf8, :_method, :script_name, :original_script_name].freeze
+  end
+  ```
+cvss_v3: 6.4
+patched_versions:
+  - ">= 1.2.1"

data/data/ruby-advisory-db/gems/karteek-docsplit/{OSVDB-92117.yml → CVE-2013-1933.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: karteek-docsplit
 cve: 2013-1933
 osvdb: 92117
-url: http://osvdb.org/show/osvdb/92117
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1933
 title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
 date: 2013-04-08
 description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands

data/data/ruby-advisory-db/gems/kcapifony/{OSVDB-108571.yml → CVE-2014-5001.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: kcapifony
 cve: 2014-5001
 osvdb: 108571
-url: http://osvdb.org/show/osvdb/108571
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-5001
 title: kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password Disclosure
 date: 2014-06-30
 description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/kelredd-pruview/{OSVDB-92228.yml → CVE-2013-1947.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: kelredd-pruview
 cve: 2013-1947
 osvdb: 92228
-url: http://osvdb.org/show/osvdb/92228
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1947
 title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
 date: 2013-04-04
 description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.

data/data/ruby-advisory-db/gems/lawn-login/{OSVDB-108576.yml → CVE-2014-5000.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: lawn-login
 cve: 2014-5000
 osvdb: 108576
-url: http://osvdb.org/show/osvdb/108576
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-5000
 title: lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password Disclosure
 date: 2014-06-30
 description: lawn-login Gem for Ruby contains a flaw in /lib/lawn.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/ldap_fluff/{OSVDB-90579.yml → CVE-2012-5604.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: ldap_fluff
 cve: 2012-5604
 osvdb: 90579
-url: http://osvdb.org/show/osvdb/90579
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-5604
 title: Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass
 date: 2012-12-04
 description: Red Hat Subscription Asset Manager contains a flaw in the

data/data/ruby-advisory-db/gems/ldoce/{OSVDB-91870.yml → CVE-2013-1911.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: ldoce
 cve: 2013-1911
 osvdb: 91870
-url: http://osvdb.org/show/osvdb/91870
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1911
 title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
 date: 2013-04-01
 description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/lean-ruport/{OSVDB-108581.yml → CVE-2014-4998.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: lean-ruport
 cve: 2014-4998
 osvdb: 108581
-url: http://osvdb.org/show/osvdb/108581
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-4998
 title: lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext MySQL Password Disclosure
 date: 2014-06-30
 description: lean-ruport Gem for Ruby contains a flaw in /test/tc_database.rb that is due to the application exposing MySQL password information in plaintext in the process table. This may allow a local attacker to gain access to MySQL password information.

data/data/ruby-advisory-db/gems/lita_coin/CVE-2019-15224.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: lita_coin
+cve: 2019-15224
+ghsa: 333g-rpr4-7hxq
+url: https://github.com/rubygems.org/issues/2097
+date: 2019-08-20
+title: Code execution backdoor in lita_coin
+description: |
+  The lita_coin gem 0.0.3 for Ruby, as distributed on RubyGems.org, included a code-execution
+  backdoor inserted by a third party.
+  No unaffected version is known to exist, as the gem appears to have been entirely removed.
+unaffected_versions:
+  - "< 0.0.3"
+  - "> 0.0.3"
+related:
+  url:
+    - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

data/data/ruby-advisory-db/gems/loofah/CVE-2018-16468.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: loofah
+cve: 2018-16468
+url: https://github.com/flavorjones/loofah/issues/154
+title: Loofah XSS Vulnerability
+date: 2018-10-30
+description: |
+  In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in
+  sanitized output when a crafted SVG element is republished.
+cvss_v3: 6.4
+patched_versions:
+  - ">=  2.2.3"
+related:
+  url:
+    - https://hackerone.com/reports/429267

data/data/ruby-advisory-db/gems/loofah/CVE-2018-8048.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: loofah
+cve: 2018-8048
+url: https://github.com/flavorjones/loofah/issues/144
+title: Loofah XSS Vulnerability
+date: 2018-03-16
+description: |
+  Loofah allows non-whitelisted attributes to be present in sanitized
+  output when input with specially-crafted HTML fragments.
+patched_versions:
+  - ">=  2.2.1"

data/data/ruby-advisory-db/gems/loofah/CVE-2019-15587.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: loofah
+cve: 2019-15587
+url: https://github.com/flavorjones/loofah/issues/171
+title: Loofah XSS Vulnerability
+date: 2019-10-22
+description: |
+  In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in
+  sanitized output when a crafted SVG element is republished.
+cvss_v3: 6.4
+patched_versions:
+  - ">= 2.3.1"

data/data/ruby-advisory-db/gems/lynx/{OSVDB-108580.yml → CVE-2014-5002.yml} RENAMED

@@ -2,7 +2,10 @@
 gem: lynx
 cve: 2014-5002
 osvdb: 108580
-url: http://osvdb.org/show/osvdb/108580
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-5002
 title: lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password Disclosure
 date: 2014-06-30
 description: lynx Gem for Ruby contains a flaw in command/basic.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.
+patched_versions:
+  - '>= 1.0.0'