RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/mail/{OSVDB-70667.yml → CVE-2011-0739.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: mail
 cve: 2011-0739
 osvdb: 70667
-url: http://www.osvdb.org/show/osvdb/70667
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-0739
 title: >
   Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
   Address Arbitrary Shell Command Injection

data/data/ruby-advisory-db/gems/mail/{OSVDB-81631.yml → CVE-2012-2139.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: mail
 cve: 2012-2139
 osvdb: 81631
-url: http://www.osvdb.org/show/osvdb/81631
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2139
 title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
 date: 2012-03-14

data/data/ruby-advisory-db/gems/mail/{OSVDB-81632.yml → CVE-2012-2140.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: mail
 cve: 2012-2140
 osvdb: 81632
-url: http://www.osvdb.org/show/osvdb/81632
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-2140
 title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
 date: 2012-03-14

data/data/ruby-advisory-db/gems/mail/{OSVDB-131677.yml → CVE-2015-9097.yml} RENAMED

File without changes

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-129854.yml CHANGED

@@ -19,3 +19,7 @@ description: |
   * only trusted TileJSON content is loaded
   * TileJSON content comes only from mapbox.com URLs
   * a Mapbox map ID is supplied, rather than a TileJSON URL
+patched_versions:
+  - '~> 1.6.5'
+  - '>= 2.1.7'

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-132871.yml CHANGED

@@ -20,3 +20,7 @@ description: |
   * the map does not use a share control (L.mapbox.sharecontrol)
   * only trusted TileJSON content is loaded
+patched_versions:
+  - '~> 1.6.6'
+  - '>= 2.2.4'

data/data/ruby-advisory-db/gems/marginalia/CVE-2019-1010191.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: marginalia
+cve: 2019-1010191
+url: https://github.com/basecamp/marginalia/pull/73
+date: 2019-07-26
+title: SQL injection vulnerability via Marginalia::Comment
+description: |
+  The 'marginalia' gem is affected by a SQL Injection vulnerability. All SQL
+  queries are affected when a user controller argument is added as a component.
+  This affects users that add a component that is user controller, for instance
+  a parameter or a header.
+  The issue is resolved in version 1.6.
+patched_versions:
+  - ">= 1.6"
+cvss_v3: 9.8

data/data/ruby-advisory-db/gems/matestack-ui-core/CVE-2020-5241.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: matestack-ui-core
+cve: 2020-5241
+date: 2020-02-10
+url: https://github.com/matestack/matestack-ui-core/security/advisories/GHSA-3jqw-vv45-mjhh
+title: |
+  matestack-ui-core is vulnerable to XSS/Script injection
+description: |
+  matestack-ui-core does not excape strings by default and does not cover this in the docs.
+  matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability.
+  v0.7.4 fixes that by escaping strings by default.
+cvss_v2: 10.0
+cvss_v3: 9.8
+patched_versions:
+  - ">= 0.7.4"

data/data/ruby-advisory-db/gems/md2pdf/{OSVDB-92290.yml → CVE-2013-1948.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: md2pdf
 cve: 2013-1948
 osvdb: 92290
-url: http://osvdb.org/show/osvdb/92290
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-1948
 title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
 date: 2013-04-13
 description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands

data/data/ruby-advisory-db/gems/mini_magick/{OSVDB-91231.yml → CVE-2013-2616.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: mini_magick
 cve: 2013-2616
 osvdb: 91231
-url: http://osvdb.org/show/osvdb/91231
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-2616
 title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
 date: 2013-03-12
 description: |

data/data/ruby-advisory-db/gems/mini_magick/CVE-2019-13574.yml ADDED

@@ -0,0 +1,14 @@
+gem: mini_magick
+cve: 2019-13574
+url: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
+title: Remote command execution via filename
+date: 2019-07-12
+description: |
+  A remote shell execution vulnerability when using MiniMagick::Image.open with URL coming from unsanitized user input.
+  e.g. `MiniMagick::Image.open("| touch.txt")`
+cvss_v3: 7.5
+patched_versions:
+  - ">= 4.9.4"
+related:
+  url:
+    - https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851

data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml CHANGED

@@ -13,4 +13,8 @@ description: |
   Credit: ecneladis
 patched_versions:
-  - ">= 0.6.1"
+  - ">= 0.6.0"
+related:
+  url:
+    - https://github.com/halostatue/minitar/issues/16
+    - https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4

data/data/ruby-advisory-db/gems/multi_xml/{OSVDB-89148.yml → CVE-2013-0175.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: multi_xml
 cve: 2013-0175
 osvdb: 89148
-url: http://osvdb.org/show/osvdb/89148
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0175
 title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
 date: 2013-01-11

data/data/ruby-advisory-db/gems/mysql-binuuid-rails/CVE-2018-18476.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: mysql-binuuid-rails
+cve: 2018-18476
+url: https://gist.github.com/viraptor/881276ea61e8d56bac6e28454c79f1e6
+title: mysql-binuuid-rails allows SQL Injection by removing default string escaping
+date: 2018-10-19
+description: |
+  mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes
+  default string escaping for affected database columns. ActiveRecord does not
+  explicitly escape the Binary data type (Type::Binary::Data) for mysql.
+  mysql-binuuid-rails uses a data type that is derived from the base Binary
+  type, except, it doesn’t convert the value to hex. Instead, it assumes the
+  string value provided is a valid hex string and doesn’t do any checks on it.
+patched_versions:
+  - ">= 1.1.1"
+related:
+  url:
+    - https://github.com/nedap/mysql-binuuid-rails/pull/18

data/data/ruby-advisory-db/gems/net-ldap/{OSVDB-106108.yml → CVE-2014-0083.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: net-ldap
 cve: 2014-0083
 osvdb: 106108
-url: http://osvdb.org/show/osvdb/106108
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-0083
 title:  Net::LDAP for Ruby lib/net/ldap/password.rb SSHA Password Generation Weak Salt
 date: 2014-02-13
 description: Net::LDAP for Ruby contains a flaw in lib/net/ldap/password.rb. The

data/data/ruby-advisory-db/gems/net-ldap/CVE-2017-17718.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: net-ldap
+cve: 2017-17718
+date: 2017-12-17
+url: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
+title: No validation of hostname certificate in net-ldap
+description: |
+  The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL
+  Certificate Validation. The LDAP server's certificate was not verified
+  to match the host it was supposed to be connecting to.
+patched_versions:
+  - ">= 0.16.0"
+related:
+  url:
+    - https://github.com/ruby-ldap/ruby-net-ldap/pull/279
+    - https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd

data/data/ruby-advisory-db/gems/netaddr/CVE-2019-17383.yml ADDED

@@ -0,0 +1,13 @@
+---
+gem: netaddr
+cve: 2019-17383
+ghsa: 49pj-69vf-c689
+url: https://github.com/dspinhirne/netaddr-rb/pull/20
+date: 2019-10-14
+title: netaddr world-writeable file permissions
+description: |
+  The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions,
+  such that a gem install may result in 0777 permissions in the target filesystem.
+cvss_v3: 9.8
+patched_versions:
+- ">= 2.0.4"

data/data/ruby-advisory-db/gems/newrelic_rpm/{OSVDB-90189.yml → CVE-2013-0284.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: newrelic_rpm
 cve: 2013-0284
 osvdb: 90189
-url: http://osvdb.org/show/osvdb/90189
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0284
 title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
 date: 2012-12-06

data/data/ruby-advisory-db/gems/nokogiri/{OSVDB-90946.yml → CVE-2012-6685.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: nokogiri
 cve: 2012-6685
 osvdb: 90946
-url: http://www.osvdb.org/show/osvdb/90946
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-6685
 title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure
 date: 2012-06-08
 description: libxml2 contains a flaw that may lead to unauthorized disclosure of

data/data/ruby-advisory-db/gems/nokogiri/{OSVDB-101179.yml → CVE-2013-6460.yml} RENAMED

@@ -3,7 +3,7 @@ gem: nokogiri
 platform: jruby
 cve: 2013-6460
 osvdb: 101179
-url: http://osvdb.org/show/osvdb/101179
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-6460
 title: |
   Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
 date: 2013-12-14

data/data/ruby-advisory-db/gems/nokogiri/{OSVDB-101458.yml → CVE-2013-6461.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: nokogiri
 cve: 2013-6461
 osvdb: 101458
-url: http://www.osvdb.org/show/osvdb/101458
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-6461
 title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS
 date: 2013-12-14
 description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.

data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml CHANGED

@@ -21,6 +21,7 @@ description: |
   service or possibly have unspecified other impact via vectors related to
   the XPointer range-to function.
+cvss_v2: 10.0
 cvss_v3: 9.8
 patched_versions:

data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-15412.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: nokogiri
+cve: 2017-15412
+url: https://github.com/sparklemotion/nokogiri/issues/1714
+title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
+date: 2018-01-29
+description: |
+  The version of libxml2 packaged with Nokogiri contains a
+  vulnerability. Nokogiri has mitigated these issue by upgrading to
+  libxml 2.9.6.
+  It was discovered that libxml2 incorrecty handled certain files. An attacker
+  could use this issue with specially constructed XML data to cause libxml2 to
+  consume resources, leading to a denial of service.
+patched_versions:
+  - ">= 1.8.2"
+related:
+  cve:
+    - 2017-18258
+  url:
+    - https://usn.ubuntu.com/usn/usn-3513-1/
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15412.html

data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-16932.yml ADDED

@@ -0,0 +1,21 @@
+---
+gem: nokogiri
+cve: 2017-16932
+url: https://github.com/sparklemotion/nokogiri/issues/1714
+title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
+date: 2018-01-29
+description: |
+  The version of libxml2 packaged with Nokogiri contains a
+  vulnerability. Nokogiri has mitigated these issue by upgrading to
+  libxml 2.9.5.
+  Wei Lei discovered that libxml2 incorrecty handled certain parameter
+  entities. An attacker could use this issue with specially constructed XML
+  data to cause libxml2 to consume resources, leading to a denial of service.
+patched_versions:
+  - ">= 1.8.1"
+related:
+  url:
+    - https://usn.ubuntu.com/usn/usn-3504-1/
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html

data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-9050.yml ADDED

@@ -0,0 +1,60 @@
+---
+gem: nokogiri
+cve: 2017-9050
+url: https://github.com/sparklemotion/nokogiri/issues/1673
+title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities
+date: 2017-09-19
+description: |
+  The version of libxml2 packaged with Nokogiri contains several
+  vulnerabilities. Nokogiri has mitigated these issues by upgrading to
+  libxml 2.9.5.
+  It was discovered that a type confusion error existed in libxml2. An
+  attacker could use this to specially construct XML data that
+  could cause a denial of service or possibly execute arbitrary
+  code. (CVE-2017-0663)
+  It was discovered that libxml2 did not properly validate parsed entity
+  references. An attacker could use this to specially construct XML
+  data that could expose sensitive information. (CVE-2017-7375)
+  It was discovered that a buffer overflow existed in libxml2 when
+  handling HTTP redirects. An attacker could use this to specially
+  construct XML data that could cause a denial of service or possibly
+  execute arbitrary code. (CVE-2017-7376)
+  Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in
+  libxml2 when handling elements. An attacker could use this to specially
+  construct XML data that could cause a denial of service or possibly
+  execute arbitrary code. (CVE-2017-9047)
+  Marcel Böhme and Van-Thuan Pham discovered a buffer overread
+  in libxml2 when handling elements. An attacker could use this
+  to specially construct XML data that could cause a denial of
+  service. (CVE-2017-9048)
+  Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads
+  in libxml2 when handling parameter-entity references. An attacker
+  could use these to specially construct XML data that could cause a
+  denial of service. (CVE-2017-9049, CVE-2017-9050)
+patched_versions:
+  - ">= 1.8.1"
+related:
+  cve:
+    - 2017-0663
+    - 2017-7375
+    - 2017-7376
+    - 2017-9047
+    - 2017-9048
+    - 2017-9049
+    - 2017-9050
+  url:
+    - https://usn.ubuntu.com/usn/usn-3424-1/
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html
+    - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html

data/data/ruby-advisory-db/gems/nokogiri/CVE-2018-14404.yml ADDED

@@ -0,0 +1,69 @@
+---
+gem: nokogiri
+cve: 2018-14404
+date: 2018-10-04
+url: https://github.com/sparklemotion/nokogiri/issues/1785
+title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
+description: |
+  Nokogiri 1.8.5 has been released.
+  This is a security and bugfix release. It addresses two CVEs in upstream
+  libxml2 rated as "medium" by Red Hat, for which details are below.
+  If you're using your distro's system libraries, rather than Nokogiri's
+  vendored libraries, there's no security need to upgrade at this time,
+  though you may want to check with your distro whether they've patched this
+  (Canonical has patched Ubuntu packages). Note that these patches are not
+  yet (as of 2018-10-04) in an upstream release of libxml2.
+  Full details about the security update are available in Github Issue #1785.
+  [#1785]: https://github.com/sparklemotion/nokogiri/issues/1785
+  -----
+  [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404
+  and CVE-2018-14567. Full details are available in #1785. Note that these
+  patches are not yet (as of 2018-10-04) in an upstream release of libxml2.
+  -----
+  CVE-2018-14404
+  Permalink:
+  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html
+  Description:
+  A NULL pointer dereference vulnerability exists in the
+  xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when
+  parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR
+  case. Applications processing untrusted XSL format inputs with the use of
+  the libxml2 library may be vulnerable to a denial of service attack due
+  to a crash of the application
+  Canonical rates this vulnerability as "Priority: Medium"
+  -----
+  CVE-2018-14567
+  Permalink:
+  https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html
+  Description:
+  infinite loop in LZMA decompression
+  Canonical rates this vulnerability as "Priority: Medium"
+patched_versions:
+  - ">= 1.8.5"
+related:
+  cve:
+    - 2018-14567
+  url:
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ
+    - https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594
+    - https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74

data/data/ruby-advisory-db/gems/nokogiri/CVE-2018-8048.yml ADDED

@@ -0,0 +1,36 @@
+---
+gem: nokogiri
+cve: 2018-8048
+date: 2018-03-29
+url: https://github.com/sparklemotion/nokogiri/pull/1746
+title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
+description: |
+  [MRI] Behavior in libxml2 has been reverted which caused
+  CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and
+  CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is
+  here:
+  https://github.com/GNOME/libxml2/commit/960f0e2
+  and more information is available about this commit and its impact
+  here:
+  https://github.com/flavorjones/loofah/issues/144
+  This release simply reverts the libxml2 commit in question to protect
+  users of Nokogiri's vendored libraries from similar vulnerabilities.
+  If you're offended by what happened here, I'd kindly ask that you
+  comment on the upstream bug report here:
+  https://bugzilla.gnome.org/show_bug.cgi?id=769760
+patched_versions:
+  - ">= 1.8.3"
+related:
+  cve:
+    - 2018-3740
+    - 2018-3741
+  url:
+    - https://github.com/GNOME/libxml2/commit/960f0e2
+    - https://bugzilla.gnome.org/show_bug.cgi?id=769760