RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/ldap_fluff/OSVDB-90579.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: ldap_fluff
-cve: 2012-5604
-osvdb: 90579
-url: http://osvdb.org/show/osvdb/90579
-title: Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass
-date: 2012-12-04
-description: Red Hat Subscription Asset Manager contains a flaw in the
-  rubygem-ldap_fluff component. The issue is triggered when using Microsoft
-  Active Directory server as the authentication back-end. This may result in
-  authentication no longer being enforced, allowing a remote attacker to
-  trivially bypass it.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.1.3"

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: ldoce
-cve: 2013-1911
-osvdb: 91870
-url: http://osvdb.org/show/osvdb/91870
-title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-01
-description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
-cvss_v2: 6.8

data/data/ruby-advisory-db/gems/lean-ruport/OSVDB-108581.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: lean-ruport
-cve: 2014-4998
-osvdb: 108581
-url: http://osvdb.org/show/osvdb/108581
-title: lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext MySQL Password Disclosure
-date: 2014-06-30
-description: lean-ruport Gem for Ruby contains a flaw in /test/tc_database.rb that is due to the application exposing MySQL password information in plaintext in the process table. This may allow a local attacker to gain access to MySQL password information.

data/data/ruby-advisory-db/gems/lingq/OSVDB-108585.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: lingq
-osvdb: 108585
-url: http://osvdb.org/show/osvdb/108585
-title: lingq Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: lingq Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: loofah
-osvdb: 90945
-url: http://www.osvdb.org/show/osvdb/90945
-title: Loofah HTML and XSS injection vulnerability
-date: 2012-09-08
-description: |
-  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
-  scripting (XSS) attack. This flaw exists because the
-  Loofah::HTML::Document\#text function passes properly sanitized
-  user-supplied input to the Loofah::XssFoliate and
-  Loofah::Helpers\#strip_tags functions which convert input back to
-  text. This may allow an attacker to create a specially crafted
-  request that would execute arbitrary script code in a user's browser
-  within the trust relationship between their browser and the server.
-cvss_v2: 5.0
-patched_versions:
-  - ">=  0.4.6"

data/data/ruby-advisory-db/gems/lynx/OSVDB-108579.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: lynx
-osvdb: 108579
-url: http://osvdb.org/show/osvdb/108579
-title: lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command Execution
-date: 2014-06-30
-description: lynx Gem for Ruby contains a flaw in lib/lynx/pipe/run.rb that may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/lynx/OSVDB-108580.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: lynx
-cve: 2014-5002
-osvdb: 108580
-url: http://osvdb.org/show/osvdb/108580
-title: lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password Disclosure
-date: 2014-06-30
-description: lynx Gem for Ruby contains a flaw in command/basic.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: mail
-cve: 2015-9097
-osvdb: 131677
-url: https://hackerone.com/reports/137631
-title: SMTP command injection
-date: 2015-12-09
-description: |
-  Because Mail does not disallow CRLF in email addresses, an attacker can
-  inject SMTP commands in specially crafted email addresses passed to
-  RCPT TO and MAIL FROM.
-  Not affected by this vulnerability:
-    * Ruby 2.4.0+ with a fix for CVE-2015-9096.
-    * Applications that do not use SMTP delivery.
-    * Applications that validate email addresses to not include CRLF.
-  The injection attack is described in Terada, Takeshi. "SMTP Injection via
-  Recipient Email Addresses." 2015. The attacks described in the paper
-  (Terada, p. 4) can be applied to the library without any modification.
-patched_versions:
-- ">= 2.5.5"
-related:
-  url:
-    - http://www.mbsd.jp/Whitepaper/smtpi.pdf
-    - https://github.com/mikel/mail/pull/1097

data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: mail
-cve: 2011-0739
-osvdb: 70667
-url: http://www.osvdb.org/show/osvdb/70667
-title: >
-  Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
-  Address Arbitrary Shell Command Injection
-date: 2011-01-25
-description: |
-  Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
-  input passed from an email from address in the 'deliver()' function in
-  'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
-  command line argument. This may allow a remote attacker to inject arbitrary
-  shell commands.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 2.2.15"

data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: mail
-cve: 2012-2139
-osvdb: 81631
-url: http://www.osvdb.org/show/osvdb/81631
-title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
-date: 2012-03-14
-description: |
-  Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
-cvss_v2: 5.0
-patched_versions:
-- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: mail
-cve: 2012-2140
-osvdb: 81632
-url: http://www.osvdb.org/show/osvdb/81632
-title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
-date: 2012-03-14
-description: |
-  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim
-  delivery methods, which may allow an attacker to execute arbitrary shell
-  commands..
-cvss_v2: 7.5
-patched_versions:
-- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-129854.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: mapbox-rails
-osvdb: 129854
-url: https://nodesecurity.io/advisories/49
-title: mapbox-rails Content Injection via TileJSON attribute
-date: 2015-10-24
-description: |
-  Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable
-  to a cross-site-scripting attack in certain uncommon usage scenarios.
-  If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON
-  content from a non-Mapbox URL, it is possible for a malicious user with
-  control over the TileJSON content to inject script content into the
-  "attribution" value of the TileJSON which will be executed in the context of
-  the page using Mapbox.js.
-  Such usage is uncommon. The following usage scenarios are not vulnerable:
-  * only trusted TileJSON content is loaded
-  * TileJSON content comes only from mapbox.com URLs
-  * a Mapbox map ID is supplied, rather than a TileJSON URL

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-132871.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: mapbox-rails
-osvdb: 132871
-url: https://nodesecurity.io/advisories/74
-title: mapbox-rails Content Injection via TileJSON Name
-date: 2016-01-12
-description: |
-  Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable
-  to a cross-site-scripting attack in certain uncommon usage scenarios.
-  If you use L.mapbox.map and L.mapbox.shareControl it is possible for a
-  malicious user with control over the TileJSON content to inject script
-  content into the name value of the TileJSON. After clicking on the share
-  control, the malicious code will execute in the context of the page using
-  Mapbox.js.
-  Such usage is uncommon. L.mapbox.shareControl is not automatically added to
-  Mapbox.js maps and must be explicitly added. The following usage scenarios
-  are not vulnerable:
-  * the map does not use a share control (L.mapbox.sharecontrol)
-  * only trusted TileJSON content is loaded

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: md2pdf
-cve: 2013-1948
-osvdb: 92290
-url: http://osvdb.org/show/osvdb/92290
-title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-13
-description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 10.0

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: mini_magick
-cve: 2013-2616
-osvdb: 91231
-url: http://osvdb.org/show/osvdb/91231
-title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-12
-description: |
-  MiniMagick Gem for Ruby contains a flaw that is triggered during the handling
-  of specially crafted input from an untrusted source passed via a URL that
-  contains a ';' character. This may allow a context-dependent attacker to
-  potentially execute arbitrary commands.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 3.6.0"

data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: minitar
-cve: 2016-10173
-url: https://github.com/halostatue/minitar/issues/16
-title: Minitar Directory Traversal Vulnerability
-date: 2016-08-22
-description: |
-  Minitar allows attackers to overwrite arbitrary files during archive
-  extraction via a .. (dot dot) in an extracted filename. Analogous
-  vulnerabilities for unzip and tar:
-  https://www.cvedetails.com/cve/CVE-2001-1268/ and
-  http://www.cvedetails.com/cve/CVE-2001-1267/
-  Credit: ecneladis
-patched_versions:
-  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/moped/CVE-2015-4410.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: moped
-cve: 2015-4410
-url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
-title: Data Injection Vulnerability in moped Rubygem
-date: 2015-06-04
-description: >-
-  A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
-vendor_patch:
-  - https://github.com/mongoid/moped/compare/e5fc928bcb5b7b89d171e31e31483be4185971b9...32cba17ad7d3da326778b4d8cd4b52e75bca9d40
-  - https://github.com/mongoid/moped/commit/276fbfd23c5ffb65e6bd18d564c8b6878c2498ac
-patched_versions:
-  - "~> 1.5.3"
-  - ">= 2.0.5"

data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: multi_xml
-cve: 2013-0175
-osvdb: 89148
-url: http://osvdb.org/show/osvdb/89148
-title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
-date: 2013-01-11
-description: |
-  The multi_xml Gem for Ruby contains a flaw that is triggered when an error
-  occurs during the parsing of the 'XML' parameter. With a crafted request
-  containing arbitrary symbol and yaml types, a remote attacker can execute
-  arbitrary commands.
-patched_versions:
-  - ">= 0.5.2"

data/data/ruby-advisory-db/gems/mustache-js-rails/OSVDB-131671.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: mustache-js-rails
-osvdb: 131671
-url: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
-title: mustache.js - quoteless attributes in templates can lead to XSS
-date: 2015-11-17
-description: |
-  The upstream 'mustache.js' node.js module was found to not properly escape
-  backtick (`) and equals (=) characters, leading to possible content injection
-  via attributes in templates.
-  Example:
-  * Template: <a href={{foo}}/>
-  * Input: { 'foo' : 'test.com onload=alert(1)'}
-  * Rendered result: <a href=test.com onload=alert(1)/>
-patched_versions:
-  - ">= 2.0.3"

data/data/ruby-advisory-db/gems/net-ldap/OSVDB-106108.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: net-ldap
-cve: 2014-0083
-osvdb: 106108
-url: http://osvdb.org/show/osvdb/106108
-title:  Net::LDAP for Ruby lib/net/ldap/password.rb SSHA Password Generation Weak Salt
-date: 2014-02-13
-description: Net::LDAP for Ruby contains a flaw in lib/net/ldap/password.rb. The
-  issue is due to the program generating SSHA passwords with a weak salt value
-  that is between 0 and 999. This may allow a local attacker to more easily gain
-  access to password information.
-cvss_v2: 1.9
-patched_versions:
-  - ">= 0.6.0"

data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: newrelic_rpm
-cve: 2013-0284
-osvdb: 90189
-url: http://osvdb.org/show/osvdb/90189
-title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
-date: 2012-12-06
-description: |
-  A bug in the Ruby agent causes database connection information and raw SQL
-  statements to be transmitted to New Relic servers. The database connection
-  information includes the database IP address, username, and password
-cvss_v2: 5.0
-patched_versions:
-  - ">= 3.5.3.25"

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-1819.yml DELETED

@@ -1,52 +0,0 @@
----
-gem: nokogiri
-cve: 2015-1819
-url: https://github.com/sparklemotion/nokogiri/issues/1374
-title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
-date: 2015-04-14
-description: |
-  Several vulnerabilities were discovered in the libxml2 and libxslt libraries
-  that the Nokogiri gem depends on.
-  CVE-2015-1819
-  A denial of service flaw was found in the way libxml2 parsed XML
-  documents. This flaw could cause an application that uses libxml2 to use an
-  excessive amount of memory.
-  CVE-2015-7941
-  libxml2 does not properly stop parsing invalid input, which allows
-  context-dependent attackers to cause a denial of service (out-of-bounds read
-  and libxml2 crash) via crafted specially XML data.
-  CVE-2015-7942
-  The xmlParseConditionalSections function in parser.c in libxml2
-  does not properly skip intermediary entities when it stops parsing invalid
-  input, which allows context-dependent attackers to cause a denial of service
-  (out-of-bounds read and crash) via crafted XML data.
-  CVE-2015-7995
-  The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
-  check whether the parent node is an element, which allows attackers to cause
-  a denial of service using a specially crafted XML document.
-  CVE-2015-8035
-  The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
-  properly detect compression errors, which allows context-dependent attackers
-  to cause a denial of service (process hang) via crafted XML data.
-  Another vulnerability was discoverd in libxml2 that could cause parsing
-  of unclosed comments to result in "conditional jump or move depends on
-  uninitialized value(s)" and unsafe memory access. This issue does not have a
-  CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.
-patched_versions:
-  - "~> 1.6.6.4"
-  - ">= 1.6.7.rc4"
-related:
-  cve:
-    - 2015-7941
-    - 2015-7942
-    - 2015-7995
-    - 2015-8035
-  url:
-    - https://github.com/sparklemotion/nokogiri/pull/1376
-    - https://github.com/sparklemotion/nokogiri/commit/8f3de6d88d0da11fb62a45daa61b85ce71b4af59

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-5312.yml DELETED

@@ -1,92 +0,0 @@
----
-gem: nokogiri
-cve: 2015-5312
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
-title: Nokogiri gem contains several vulnerabilities in libxml2
-date: 2015-12-15
-description: |
-  Nokogiri version 1.6.7.1 has been released, pulling in several upstream
-  patches to the vendored libxml2 to address the following CVEs:
-  CVE-2015-5312
-  CVSS v2 Base Score: 7.1 (HIGH)
-  The xmlStringLenDecodeEntities function in parser.c in libxml2
-  before 2.9.3 does not properly prevent entity expansion, which
-  allows context-dependent attackers to cause a denial of
-  service (CPU consumption) via crafted XML data, a different
-  vulnerability than CVE-2014-3660.
-  CVE-2015-7497
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlDictComputeFastQKey
-  function in dict.c in libxml2 before 2.9.3 allows
-  context-dependent attackers to cause a denial of service via
-  unspecified vectors.
-  CVE-2015-7498
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlParseXmlDecl function in
-  parser.c in libxml2 before 2.9.3 allows context-dependent
-  attackers to cause a denial of service via unspecified vectors
-  related to extracting errors after an encoding conversion
-  failure.
-  CVE-2015-7499
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlGROW function in parser.c
-  in libxml2 before 2.9.3 allows context-dependent attackers to
-  obtain sensitive process memory information via unspecified
-  vectors.
-  CVE-2015-7500
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  The xmlParseMisc function in parser.c in libxml2 before 2.9.3
-  allows context-dependent attackers to cause a denial of
-  service (out-of-bounds heap read) via unspecified vectors
-  related to incorrect entities boundaries and start tags.
-  CVE-2015-8241
-  CVSS v2 Base Score: 6.4 (MEDIUM)
-  The xmlNextChar function in libxml2 2.9.2 does not properly
-  check the state, which allows context-dependent attackers to
-  cause a denial of service (heap-based buffer over-read and
-  application crash) or obtain sensitive information via crafted
-  XML data.
-  CVE-2015-8242
-  CVSS v2 Base Score: 5.8 (MEDIUM)
-  The xmlSAX2TextNode function in SAX2.c in the push interface in
-  the HTML parser in libxml2 before 2.9.3 allows
-  context-dependent attackers to cause a denial of
-  service (stack-based buffer over-read and application crash) or
-  obtain sensitive information via crafted XML data.
-  CVE-2015-8317
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  The xmlParseXMLDecl function in parser.c in libxml2 before
-  2.9.3 allows context-dependent attackers to obtain sensitive
-  information via an (1) unterminated encoding value or (2)
-  incomplete XML declaration in XML data, which triggers an
-  out-of-bounds heap read.
-cvss_v2: 7.1
-unaffected_versions:
-  - "< 1.6.0"
-patched_versions:
-  - ">= 1.6.7.1"
-related:
-  cve:
-    - 2015-7497
-    - 2015-7498
-    - 2015-7499
-    - 2015-7500
-    - 2015-8241
-    - 2015-8242
-    - 2015-8317
-  url:
-    - https://github.com/sparklemotion/nokogiri/pull/1378
-    - https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5