RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0.1 - Mend

bundler-audit 0.6.1 → 0.7.0.1

Files changed (402) hide show

data/data/ruby-advisory-db/gems/nokogiri/CVE-2019-11068.yml ADDED

@@ -0,0 +1,49 @@
+---
+gem: nokogiri
+cve: 2019-11068
+date: 2019-04-22
+url: https://github.com/sparklemotion/nokogiri/issues/1892
+title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
+description: |
+  Nokogiri v1.10.3 has been released.
+  This is a security release. It addresses a CVE in upstream libxslt rated as
+  "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More
+  details are available below.
+  If you're using your distro's system libraries, rather than Nokogiri's
+  vendored libraries, there's no security need to upgrade at this time, though
+  you may want to check with your distro whether they've patched this
+  (Canonical has patched Ubuntu packages). Note that this patch is not yet (as
+  of 2019-04-22) in an upstream release of libxslt.
+  Full details about the security update are available in Github Issue
+  [#1892] https://github.com/sparklemotion/nokogiri/issues/1892.
+  ---
+  CVE-2019-11068
+  Permalinks are:
+  - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068
+  - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068
+  Description:
+  > libxslt through 1.1.33 allows bypass of a protection mechanism
+  > because callers of xsltCheckRead and xsltCheckWrite permit access
+  > even upon receiving a -1 error code. xsltCheckRead can return -1 for
+  > a crafted URL that is not actually invalid and is subsequently
+  > loaded.
+  Canonical rates this as "Priority: Medium".
+  Debian rates this as "NVD Severity: High (attack range: remote)".
+patched_versions:
+  - ">= 1.10.3"
+related:
+  url:
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/_y80o1zZlOs/k4SDX6hoAAAJ
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6

data/data/ruby-advisory-db/gems/nokogiri/CVE-2019-13117.yml ADDED

@@ -0,0 +1,80 @@
+---
+gem: nokogiri
+cve: 2019-13117
+date: 2019-10-31
+url: https://github.com/sparklemotion/nokogiri/issues/1943
+title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities
+description: |
+  Nokogiri v1.10.5 has been released.
+  This is a security release. It addresses three CVEs in upstream libxml2,
+  for which details are below.
+  If you're using your distro's system libraries, rather than Nokogiri's
+  vendored libraries, there's no security need to upgrade at this time,
+  though you may want to check with your distro whether they've patched this
+  (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses
+  these vulnerabilities.
+  Full details about the security update are available in Github Issue
+  [#1943] https://github.com/sparklemotion/nokogiri/issues/1943.
+  ---
+  CVE-2019-13117
+  https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html
+  Priority: Low
+  Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings
+  could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This
+  could allow an attacker to discern whether a byte on the stack contains the
+  characters A, a, I, i, or 0, or any other character.
+  Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
+  ---
+  CVE-2019-13118
+  https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html
+  Priority: Low
+  Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an
+  xsl:number instruction was too narrow and an invalid character/length
+  combination could be passed to xsltNumberFormatDecimal, leading to a read
+  of uninitialized stack data
+  Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+  ---
+  CVE-2019-18197
+  https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html
+  Priority: Medium
+  Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't
+  reset under certain circumstances. If the relevant memory area happened to
+  be freed and reused in a certain way, a bounds check could fail and memory
+  outside a buffer could be written to, or uninitialized data could be
+  disclosed.
+  Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+patched_versions:
+  - ">= 1.10.5"
+related:
+  url:
+    - https://groups.google.com/d/msg/ruby-security-ann/-Wq4aouIA3Q/yc76ZHemBgAJ
+    - https://usn.ubuntu.com/4164-1/
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+  cve:
+    - 2019-13118
+    - 2019-18197

data/data/ruby-advisory-db/gems/nokogiri/CVE-2019-5477.yml ADDED

@@ -0,0 +1,31 @@
+---
+gem: nokogiri
+cve: 2019-5477
+date: 2019-08-11
+url: https://github.com/sparklemotion/nokogiri/issues/1915
+title: Nokogiri Command Injection Vulnerability via Nokogiri::CSS::Tokenizer#load_file
+description: |
+  A command injection vulnerability in Nokogiri v1.10.3 and earlier allows
+  commands to be executed in a subprocess by Ruby's `Kernel.open` method.
+  Processes are vulnerable only if the undocumented method
+  `Nokogiri::CSS::Tokenizer#load_file` is being passed untrusted user input.
+  This vulnerability appears in code generated by the Rexical gem versions
+  v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner
+  code for parsing CSS queries. The underlying vulnerability was addressed in
+  Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in
+  Nokogiri v1.10.4.
+  Upgrade to Nokogiri v1.10.4, or avoid calling the undocumented method
+  `Nokogiri::CSS::Tokenizer#load_file` with untrusted user input.
+patched_versions:
+  - ">= 1.10.4"
+cvss_v2: 7.5
+cvss_v3: 9.8
+related:
+  url:
+    - https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
+    - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ

data/data/ruby-advisory-db/gems/nokogiri/CVE-2020-7595.yml ADDED

@@ -0,0 +1,20 @@
+---
+gem: nokogiri
+cve: 2020-7595
+url: https://github.com/sparklemotion/nokogiri/issues/1992
+date: 2020-02-12
+title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation
+description: |-
+  Nokogiri has backported the patch for CVE-2020-7595 into its vendored version
+  of libxml2, and released this as v1.10.8
+  CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and
+  so Nokogiri versions <= v1.10.7 are vulnerable.
+patched_versions:
+  - ">= 1.10.8"
+cvss_v2: 5.0
+cvss_v3: 7.5

data/data/ruby-advisory-db/gems/nori/{OSVDB-90196.yml → CVE-2013-0285.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: nori
 cve: 2013-0285
 osvdb: 90196
-url: http://osvdb.org/show/osvdb/90196
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-0285
 title: Ruby Gem nori Parameter Parsing Remote Code Execution
 date: 2013-01-10

data/data/ruby-advisory-db/gems/omniauth-facebook/{OSVDB-99693.yml → CVE-2013-4562.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: omniauth-facebook
 cve: 2013-4562
 osvdb: 99693
-url: http://www.osvdb.org/show/osvdb/99693
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-4562
 title: omniauth-facebook Gem for Ruby Unspecified CSRF
 date: 2013-11-12

data/data/ruby-advisory-db/gems/omniauth-facebook/{OSVDB-99888.yml → CVE-2013-4593.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: omniauth-facebook
 cve: 2013-4593
 osvdb: 99888
-url: http://www.osvdb.org/show/osvdb/99888
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-4593
 title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
 date: 2013-11-14

data/data/ruby-advisory-db/gems/omniauth-oauth2/{OSVDB-90264.yml → CVE-2012-6134.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: omniauth-oauth2
 cve: 2012-6134
 osvdb: 90264
-url: http://www.osvdb.org/show/osvdb/90264
+url: https://nvd.nist.gov/vuln/detail/CVE-2012-6134
 title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
 date: 2012-09-08

data/data/ruby-advisory-db/gems/omniauth-saml/CVE-2017-11430.yml ADDED

@@ -0,0 +1,17 @@
+---
+gem: omniauth-saml
+cve: 2017-11430
+url: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+date: 2018-02-27
+title: omniauth-saml authentication bypass via incorrect XML canonicalization and DOM traversal
+description: |
+  OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the
+  results of XML DOM traversal and canonicalization APIs in such a way that an attacker
+  may be able to manipulate the SAML data without invalidating the cryptographic signature,
+  allowing the attack to potentially bypass authentication to SAML service providers.
+cvss_v3: 9.8
+cvss_v2: 7.5
+patched_versions:
+  - ">= 1.10.0"

data/data/ruby-advisory-db/gems/omniauth/CVE-2015-9284.yml ADDED

@@ -0,0 +1,25 @@
+---
+gem: omniauth
+cve: 2015-9284
+url: https://github.com/omniauth/omniauth/pull/809
+title: CSRF vulnerability in OmniAuth's request phase
+date: 2015-05-25
+description: |
+  The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
+  Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
+  accounts to be connected without user intent, user interaction, or feedback to
+  the user. This permits a secondary account to be able to sign into the web
+  application as the primary account.
+  In order to mitigate this vulnerability, Rails users should consider using the
+  `omniauth-rails_csrf_protection` gem.
+  More info is available here: https://github.com/omniauth/omniauth/pull/809#issuecomment-502079405
+cvss_v2: 6.8
+cvss_v3: 8.8
+related:
+  url:
+    - https://github.com/cookpad/omniauth-rails_csrf_protection

data/data/ruby-advisory-db/gems/omniauth/CVE-2017-18076.yml ADDED

@@ -0,0 +1,18 @@
+---
+gem: omniauth
+cve: 2017-18076
+url: https://github.com/omniauth/omniauth/pull/867
+title: omniauth leaks authenticity token in callback params
+date: 2017-01-11
+description: |
+  In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value is improperly protected because POST (in addition to GET) parameters are stored in the session and become available in the environment of the callback phase.
+cvss_v2: 6.8
+patched_versions:
+  - ">= 1.3.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-18076

data/data/ruby-advisory-db/gems/omniauth_amazon/CVE-2019-15224.yml ADDED

@@ -0,0 +1,19 @@
+---
+gem: omniauth_amazon
+cve: 2019-15224
+ghsa: 333g-rpr4-7hxq
+url: https://github.com/rubygems.org/issues/2097
+date: 2019-08-20
+title: Code execution backdoor in omniauth_amazon
+description: |-
+  The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a
+  code-execution backdoor inserted by a third party.
+  Users of an affected version should consider downgrading to the last non-affected version of
+  1.0.1.
+unaffected_versions:
+  - "< 1.0.1"
+  - "> 1.0.1"
+related:
+  url:
+    - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

data/data/ruby-advisory-db/gems/openssl/CVE-2016-7798.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: openssl
+cve: 2016-7798
+url: https://github.com/ruby/openssl/issues/49
+date: 2017-10-24
+title: Incorrect handling of initialization vector in the GCM mode in OpenSSL
+description: |
+  The openssl gem for Ruby uses the same initialization vector (IV) in
+  GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for
+  context-dependent attackers to bypass the encryption protection mechanism.
+cvss_v3: 7.5
+cvss_v2: 5.0
+patched_versions:
+  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/ox/CVE-2017-15928.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: ox
+cve: 2017-15928
+url: https://github.com/ohler55/ox/issues/194
+date: 2017-10-27
+title: ox ruby gem segmentation fault via parse_obj
+description: |
+  In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
+  fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated
+  "Ox should handle the error more gracefully" but has not confirmed a security implication.
+cvss_v3: 7.5
+cvss_v2: 5.0
+patched_versions:
+  - ">= 2.8.1"

data/data/ruby-advisory-db/gems/ox/CVE-2017-16229.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: ox
+cve: 2017-16229
+url: https://github.com/ohler55/ox/issues/195
+date: 2017-10-29
+title: ox ruby gem stack overflow in sax_parse
+description: |
+  In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based
+  buffer over-read in the read_from_str function in sax_buf.c when a crafted input
+  is supplied to sax_parse.
+cvss_v3: 5.5
+cvss_v2: 4.3
+patched_versions:
+  - ">= 2.8.2"

data/data/ruby-advisory-db/gems/padrino-contrib/CVE-2019-16145.yml ADDED

@@ -0,0 +1,11 @@
+---
+gem: padrino-contrib
+cve: 2019-16145
+ghsa: rwpr-83g3-96g7
+url: https://github.com/padrino/padrino-contrib/pull/35
+date: 2019-09-23
+title: padrino-contrib XSS via caption parameter of breadcrumbs helper
+description: |
+  The breadcrumbs contributed module through 0.2.0 for Padrino Framework
+  allows XSS via a caption.
+cvss_v3: 6.1

data/data/ruby-advisory-db/gems/paperclip/CVE-2017-0889.yml ADDED

@@ -0,0 +1,23 @@
+---
+gem: paperclip
+cve: 2017-0889
+url: https://github.com/thoughtbot/paperclip/pull/2435
+date: 2018-01-23
+title: |
+  Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
+  in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
+description: |
+  Paperclip gem provides multiple ways a file can be uploaded to a web server.
+  The vulnerability affects two of Paperclip’s IO adapters that accept URLs as
+  attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
+  used, Paperclip acts as a proxy and downloads the file from the website URI
+  that is passed in. The library does not perform any validation to protect
+  against Server Side Request Forgery (SSRF) exploits by default. This may allow
+  a remote attacker to access information about internal network resources.
+cvss_v2: 7.5
+patched_versions:
+  - ">= 5.2.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
+    - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4

data/data/ruby-advisory-db/gems/paranoid2/CVE-2019-13589.yml ADDED

@@ -0,0 +1,16 @@
+---
+gem: paranoid2
+cve: 2019-13589
+ghsa: 4g4c-8gqh-m4vm
+url: https://github.com/rubygems/rubygems.org/issues/2051
+date: 2019-07-16
+title: Code backdoor in paranoid2
+description: |
+  The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included
+  a code-execution backdoor inserted by a third party.
+  The current version, without this backdoor, is 1.1.5.
+cvss_v3: 9.8
+unaffected_versions:
+  - "> 1.1.6"
+  - "< 1.1.6"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/{OSVDB-101839.yml → CVE-2014-1234.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: paratrooper-newrelic
 cve: 2014-1234
 osvdb: 101839
-url: http://www.osvdb.org/show/osvdb/101839
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-1234
 title: Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure
 date: 2014-01-08
 description: |

data/data/ruby-advisory-db/gems/paratrooper-pingdom/{OSVDB-101847.yml → CVE-2014-1233.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: paratrooper-pingdom
 cve: 2014-1233
 osvdb: 101847
-url: http://www.osvdb.org/show/osvdb/101847
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-1233
 title: paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials Local Disclosure
 date: 2013-12-26
 description: |

data/data/ruby-advisory-db/gems/passenger/{OSVDB-93752.yml → CVE-2013-2119.yml} RENAMED

@@ -2,7 +2,7 @@
 gem: passenger
 cve: 2013-2119
 osvdb: 93752
-url: http://osvdb.org/show/osvdb/93752
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-2119
 title: Phusion Passenger Gem for Ruby Predictable Temporary Filename Generation Symlink Local Privilege Escalation
 date: 2013-05-29
 description: Phusion Passenger Gem for Ruby contains a flaw as the program creates