RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: gitlab-grit
-cve: 2013-4489
-osvdb: 99370
-url: http://www.osvdb.org/show/osvdb/99370
-title: GitLab Grit Gem for Ruby contains a flaw
-date: 2013-11-04
-description: GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script.
-  The issue is triggered when input passed via the code search box is not properly sanitized,
-  which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to
-  execute arbitrary commands.
-cvss_v2:
-patched_versions:
-  - '>= 2.6.1'

data/data/ruby-advisory-db/gems/gnms/OSVDB-108594.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: gnms
-osvdb: 108594
-url: http://osvdb.org/show/osvdb/108594
-title: gnms Gem for Ruby /lib/cmd_parse.rb ip Variable Shell Metacharacter Handling Remote Command Injection
-date: 2014-06-30
-description: gnms Gem for Ruby contains a flaw in /lib/cmd_parse.rb that is triggered when handling shell metacharacters passed via the 'ip' variable. This may allow a remote attacker to inject arbitrary commands.

data/data/ruby-advisory-db/gems/gollum-grit_adapter/CVE-2014-9489.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: gollum-grit_adapter
-cve: 2014-9489
-url: https://github.com/gollum/gollum/issues/913
-title: |
-  gollum-grit_adapter Search Functionality Allows Arbitrary Command
-  Execution
-date: 2014-12-04
-description: |
-  The gollum-grit_adapter gem contains a flaw that can allow arbitrary
-  command execution.
-  Grit implements its search functionality by shelling out to `git grep`. In
-  turn, `git grep` takes a `-O` or `--open-files-in-pages` option that will
-  pipe the results of `grep` to an arbitrary process. By failing to properly
-  sanitize user input search parameters, an attacker can thus perform command
-  execution.
-  Note that the grep result must find the string 'master' (or
-  whatever is the default branch that gollum uses) in any of the wiki's
-  documents for this to succeed.
-patched_versions:
-  - ">= 0.1.1"

data/data/ruby-advisory-db/gems/gollum/CVE-2015-7314.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: gollum
-cve: 2015-7314
-osvdb: 127779
-url: https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1
-title: gollum Upload File Functionality Permits Arbitrary File Access
-date: 2015-09-20
-description: |
-  The gollum gem contains a flaw in its upload file functionality that can
-  allow arbitrary file access. This occurs due to a lack of type checking
-  when handling temporary files during the upload process.
-patched_versions:
-  - ">= 4.0.1"

data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: gtk2
-cve: 2007-6183
-osvdb: 40774
-url: http://osvdb.org/show/osvdb/40774
-title:
-  Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
-  Format String
-date: 2007-11-27
-description: |
-  Format string vulnerability in the mdiag_initialize function in
-  gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
-  SVN versions before 20071127, allows context-dependent attackers to execute
-  arbitrary code via format string specifiers in the message parameter.
-cvss_v2: 6.8
-patched_versions:
-  - "> 0.16.0"

data/data/ruby-advisory-db/gems/gyazo/OSVDB-108563.yml DELETED

@@ -1,10 +0,0 @@
----
-gem: gyazo
-cve: 2014-4994
-osvdb: 108563
-url: http://osvdb.org/show/osvdb/108563
-title: gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: gyazo Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/handlebars-source/OSVDB-131671.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: handlebars-source
-osvdb: 131671
-url: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
-title: handlebars.js - quoteless attributes in templates can lead to XSS
-date: 2015-08-24
-description: |
-  The upstream 'handlebars' node.js module was found to not properly escape
-  equals (=) signs, leading to possible content injection via attributes
-  in templates.
-  Example:
-  * Template: <a href={{foo}}/>
-  * Input: { 'foo' : 'test.com onload=alert(1)'}
-  * Rendered result: <a href=test.com onload=alert(1)/>
-patched_versions:
-  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/http/CVE-2015-1828.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: http
-cve: 2015-1828
-osvdb: 119927
-url: https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU
-title: HTTPS MitM vulnerability in http.rb
-date: 2015-03-24
-description: |
-  http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.
-  Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.7.3"
-  - "~> 0.6.4"

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: httparty
-cve: 2013-1801
-osvdb: 90741
-url: http://osvdb.org/show/osvdb/90741
-title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-date: 2013-01-14
-description: |
-  httparty Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.10.0"

data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: i18n
-cve: 2013-4492
-osvdb: 100528
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
-title: i18n missing translation error message XSS
-date: 2013-12-03
-description: |
-  The HTML exception message raised by I18n::MissingTranslation fails
-  to escape the keys.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 0.5.1
-  - '>= 0.6.6'

data/data/ruby-advisory-db/gems/jquery-rails/CVE-2015-1840.yml DELETED

@@ -1,36 +0,0 @@
----
-gem: jquery-rails
-cve: 2015-1840
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
-title: CSRF Vulnerability in jquery-rails
-date: 2015-06-16
-description: |
-  In the scenario where an attacker might be able to control the href attribute
-  of an anchor tag or the action attribute of a form tag that will trigger a
-  POST action, the attacker can set the href or action to
-  " https://attacker.com" (note the leading space) that will be passed to
-  JQuery, who will see this as a same origin request, and send the user's CSRF
-  token to the attacker domain.
-  To work around this problem, change code that allows users to control the
-  href attribute of an anchor tag or the action attribute of a form tag to
-  filter the user parameters.
-  For example, code like this:
-    link_to params
-  to code like this:
-    link_to filtered_params
-    def filtered_params
-      \# Filter just the parameters that you trust
-    end
-  See also:
-  - http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/
-cvss_v2: 5.0
-patched_versions:
-  - ">= 4.0.4"
-  - "~> 3.1.3"

data/data/ruby-advisory-db/gems/jquery-ujs/CVE-2015-1840.yml DELETED

@@ -1,35 +0,0 @@
----
-gem: jquery-ujs
-cve: 2015-1840
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
-title: CSRF Vulnerability in jquery-ujs
-date: 2015-06-16
-description: |
-  In the scenario where an attacker might be able to control the href attribute
-  of an anchor tag or the action attribute of a form tag that will trigger a
-  POST action, the attacker can set the href or action to
-  " https://attacker.com" (note the leading space) that will be passed to
-  JQuery, who will see this as a same origin request, and send the user's CSRF
-  token to the attacker domain.
-  To work around this problem, change code that allows users to control the
-  href attribute of an anchor tag or the action attribute of a form tag to
-  filter the user parameters.
-  For example, code like this:
-    link_to params
-  to code like this:
-    link_to filtered_params
-    def filtered_params
-      \# Filter just the parameters that you trust
-    end
-  See also:
-  - http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.0.4"

data/data/ruby-advisory-db/gems/jruby-openssl/CVE-2009-4123.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: jruby-openssl
-platform: jruby
-cve: 2009-4123
-url: http://jruby.org/2009/12/07/vulnerability-in-jruby-openssl
-title: jruby-openssl Gem for JRuby fails to do proper certificate validation
-date: 2009-12-07
-description: |
-  A security problem involving peer certificate verification was found where
-  failed verification silently did nothing, making affected applications
-  vulnerable to attackers. Attackers could lead a client application to believe
-  that a secure connection to a rogue SSL server is legitimate. Attackers could
-  also penetrate client-validated SSL server applications with a dummy
-  certificate.
-patched_versions:
-  - ">= 0.6"

data/data/ruby-advisory-db/gems/jruby-sandbox/OSVDB-106279.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: jruby-sandbox
-platform: jruby
-osvdb: 106279
-url: http://www.phenoelit.org/stuff/jruby-sandbox.txt
-title: jruby-sandbox Java Class Importation Sandbox Bypass
-date: 2014-04-24
-description: |
-  jruby-sandbox contains a flaw that is triggered when importing Java Classes.
-  This may allow a remote attacker to bypass the sandbox for code execution.
-patched_versions:
-  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/json/OSVDB-101137.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: json
-cve: 2013-0269
-osvdb: 101137
-url: http://osvdb.org/show/osvdb/101137
-title: json Gem for Ruby JSON::GenericObject Function Arbitrary Addition Creation
-date: 2013-02-04
-description: |
-  json Gem for Ruby contains a flaw in the JSON::GenericObject function. The
-  issue is due to the program failing to restrict users from creating additions
-  regardless of the state of create_additions. This may allow a remote attacker
-  to create arbitrary additions.
-cvss_v2: 9.0
-patched_versions:
-  - ">= 1.7.7"
-unaffected_versions:
-  - "< 1.7.0"

data/data/ruby-advisory-db/gems/json/OSVDB-101157.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: json
-osvdb: 101157
-url: http://osvdb.org/show/osvdb/101157
-title: json Gem for Ruby Data Handling Stack Buffer Overflow
-date: 2007-05-21
-description: |
-  json Gem for Ruby contains an overflow condition that is triggered as
-  user-supplied input is not properly validated when handling specially crafted
-  data. This may allow a remote attacker to cause a stack-based buffer
-  overflow, resulting in a denial of service or potentially allowing the
-  execution of arbitrary code.
-patched_versions:
-  - ">= 1.1.0"

data/data/ruby-advisory-db/gems/json/OSVDB-90074.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: json
-cve: 2013-0269
-osvdb: 90074
-url: http://osvdb.org/show/osvdb/90074
-title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw that may allow a remote denial of service.
-  The issue is due to the JSON gem being tricked in to generating Ruby symbols
-  during the parsing of certain JSON documents. Since Ruby symbols are not
-  garbage collected, a remote attacker can crash a users system. This also may
-  allow the attacker to create arbitrary objects that may be used to bypass
-  certain security mechanisms and potentially allow SQL injection attacks to
-  be conducted.
-cvss_v2: 9.0
-patched_versions:
-  - ~> 1.5.5
-  - ~> 1.6.8
-  - ">= 1.7.7"

data/data/ruby-advisory-db/gems/kafo/OSVDB-106826.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: kafo
-cve: 2014-0135
-osvdb: 106826
-url: http://osvdb.org/show/osvdb/106826
-title: Kafo default_values.yaml Insecure Permissions Local Information Disclosure
-date: 2014-03-13
-description: Kafo contains a flaw that is due to the program using insecure
-  world-readable permissions for the default_values.yaml file. This may allow a
-  local attacker to gain access to password and other unspecified sensitive
-  information located within the file.
-cvss_v2: 1.9
-patched_versions:
-  - "~> 0.3.17"
-  - ">= 0.5.2"

data/data/ruby-advisory-db/gems/kajam/OSVDB-108529.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: kajam
-cve: 2014-4999
-osvdb: 108529
-url: http://osvdb.org/show/osvdb/108529
-title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List Local Plaintext Password Disclosure
-date: 2014-06-30
-description: |
-  kajam Gem for Ruby contains a flaw in
-  /dataset/lib/dataset/database/postgresql.rb that is triggered as the program
-  exposes the MySQL or PostgreSQL password in the process list. This may allow
-  a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/kajam/OSVDB-108530.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: kajam
-osvdb: 108530
-url: http://osvdb.org/show/osvdb/108530
-title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: |
-  kajam Gem for Ruby contains a flaw in
-  /dataset/lib/dataset/database/postgresql.rb that is triggered when handling
-  metacharacters. This may allow a remote attacker to execute arbitrary
-  commands.

data/data/ruby-advisory-db/gems/karo/OSVDB-108573.yml DELETED

@@ -1,10 +0,0 @@
----
-gem: karo
-osvdb: 108573
-url: http://osvdb.org/show/osvdb/108573
-title: karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: |
-  karo Gem for Ruby contains a flaw in db.rb that is triggered when handling
-  metacharacters. This may allow a remote attacker to execute arbitrary
-  commands.

data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: karteek-docsplit
-cve: 2013-1933
-osvdb: 92117
-url: http://osvdb.org/show/osvdb/92117
-title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-08
-description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 9.3

data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108571.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: kcapifony
-cve: 2014-5001
-osvdb: 108571
-url: http://osvdb.org/show/osvdb/108571
-title: kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password Disclosure
-date: 2014-06-30
-description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108572.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: kcapifony
-osvdb: 108572
-url: http://osvdb.org/show/osvdb/108572
-title: kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: kelredd-pruview
-cve: 2013-1947
-osvdb: 92228
-url: http://osvdb.org/show/osvdb/92228
-title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-04
-description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
-cvss_v2: 9.3

data/data/ruby-advisory-db/gems/kompanee-recipes/OSVDB-108593.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: kompanee-recipes
-osvdb: 108593
-url: http://osvdb.org/show/osvdb/108593
-title: kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb Multiple Variable Handling Remote Command Execution Weakness
-date: 2014-06-30
-description: |
-  kompanee-recipes Gem for Ruby contains a flaw in
-  /lib/kompanee-recipes/heroku.rb that is triggered when handling shell
-  metacharacters passed via the 'password', 'user', 'deploy_name', and
-  'application' variables. This may allow a remote attacker to execute
-  arbitrary commands.

data/data/ruby-advisory-db/gems/lawn-login/OSVDB-108576.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: lawn-login
-cve: 2014-5000
-osvdb: 108576
-url: http://osvdb.org/show/osvdb/108576
-title: lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password Disclosure
-date: 2014-06-30
-description: lawn-login Gem for Ruby contains a flaw in /lib/lawn.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.