RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-7499.yml DELETED

@@ -1,37 +0,0 @@
----
-gem: nokogiri
-cve: 2015-7499
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
-title: |
-  Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
-date: 2016-01-19
-description: |
-  Nokogiri version 1.6.7.2 has been released, pulling in several upstream
-  patches to the vendored libxml2 to address the following CVE:
-  CVE-2015-7499
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlGROW function in parser.c
-  in libxml2 before 2.9.3 allows context-dependent attackers to
-  obtain sensitive process memory information via unspecified
-  vectors.
-  libxml2 could be made to crash if it opened a specially crafted
-  file. It was discovered that libxml2 incorrectly handled certain
-  malformed documents. If a user or automated system were tricked
-  into opening a specially crafted document, an attacker could
-  possibly cause libxml2 to crash, resulting in a denial of service.
-cvss_v2: 5.0
-unaffected_versions:
-  - "< 1.6.0"
-patched_versions:
-  - ">= 1.6.7.2"
-related:
-  url:
-    - https://github.com/sparklemotion/nokogiri/commit/9eb540e7c905924a42757bf0a34c2c00707d536c

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml DELETED

@@ -1,42 +0,0 @@
----
-gem: nokogiri
-cve: 2015-8806
-url: https://github.com/sparklemotion/nokogiri/issues/1473
-title: Denial of service or RCE from libxml2 and libxslt
-date: 2016-06-07
-description: |
-  Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
-  which are libraries Nokogiri depends on. It was discovered that libxml2 and
-  libxslt incorrectly handled certain malformed documents, which can allow
-  malicious users to cause issues ranging from denial of service to remote code
-  execution attacks.
-  For more information, the Ubuntu Security Notice is a good start:
-  http://www.ubuntu.com/usn/usn-2994-1/
-patched_versions:
-  - ">= 1.6.8"
-unaffected_versions:
-  - "< 1.6.0"
-related:
-  cve:
-    - 2016-1762
-    - 2016-1833
-    - 2016-1834
-    - 2016-1835
-    - 2016-1836
-    - 2016-1837
-    - 2016-1838
-    - 2016-1839
-    - 2016-1840
-    - 2016-2073
-    - 2016-3627
-    - 2016-3705
-    - 2016-4447
-    - 2016-4449
-    - 2016-4483
-  url:
-    - https://github.com/sparklemotion/nokogiri/issues/1473
-    - https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028
-    - https://mail.gnome.org/archives/xml/2016-May/msg00023.html
-    - http://www.ubuntu.com/usn/usn-2994-1/

data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml DELETED

@@ -1,32 +0,0 @@
----
-gem: nokogiri
-cve: 2016-4658
-url: https://github.com/sparklemotion/nokogiri/issues/1615
-title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
-date: 2017-03-11
-description: |
-  Nokogiri version 1.7.1 has been released, pulling in several upstream
-  patches to the vendored libxml2 to address the following CVEs:
-  CVE-2016-4658
-  CVSS v3 Base Score: 9.8 (Critical)
-  libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
-  watchOS before 3 allows remote attackers to execute arbitrary code or cause
-  a denial of service (memory corruption) via a crafted XML document.
-  CVE-2016-5131
-  CVSS v3 Base Score: 8.8 (HIGH)
-  Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
-  Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
-  service or possibly have unspecified other impact via vectors related to
-  the XPointer range-to function.
-cvss_v3: 9.8
-patched_versions:
-  - ">= 1.7.1"
-related:
-  cve:
-    - 2016-5131
-  url:
-    - https://github.com/sparklemotion/nokogiri/issues/1615

data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml DELETED

@@ -1,44 +0,0 @@
----
-gem: nokogiri
-cve: 2017-5029
-url: https://github.com/sparklemotion/nokogiri/issues/1634
-title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
-date: 2017-05-09
-description: |
-    nokogiri version 1.7.2 has been released.
-    This is a security update based on 1.7.1, addressing two upstream
-    libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical
-    and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.
-    These patches only apply when using Nokogiri's vendored libxslt
-    package. If you're using your distro's system libraries, there's no
-    need to upgrade from 1.7.0.1 or 1.7.1 at this time.
-    Full details are available at the github issue linked to in the
-    changelog below.
-    -----
-    # 1.7.2 / 2017-05-09
-    ## Security Notes
-    [MRI] Upstream libxslt patches are applied to the vendored libxslt
-    1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
-    For more information:
-    * https://github.com/sparklemotion/nokogiri/issues/1634
-    * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
-    * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
-patched_versions:
-  - ">= 1.7.2"
-related:
-  cve:
-    - 2016-4738
-    - 2017-5029
-  url:
-    - http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
-    - http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: nokogiri
-platform: jruby
-cve: 2013-6460
-osvdb: 101179
-url: http://osvdb.org/show/osvdb/101179
-title: |
-  Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
-date: 2013-12-14
-description: |
-  Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of
-  service. The issue is triggered when handling a specially crafted XML
-  document, which can result in an infinite loop. This may allow a
-  context-dependent attacker to crash the server.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.5.11"
-  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-cve: 2013-6461
-osvdb: 101458
-url: http://www.osvdb.org/show/osvdb/101458
-title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS
-date: 2013-12-14
-description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
-  The issue is due to an incorrectly configured XML parser accepting XML external entities from
-  an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
-  loop and crash the program.
-cvss_v2:
-patched_versions:
-  - ~> 1.5.11
-  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-118481.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-platform: jruby
-osvdb: 118481
-url: https://github.com/sparklemotion/nokogiri/pull/1087
-title: |
-  Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption
-  Remote DoS
-date: 2014-04-30
-description: |
-  Nokogiri Gem for JRuby contains a flaw that is triggered when handling a root
-  element in an XML document. This may allow a remote attacker to cause a
-  consumption of memory resources.
-patched_versions:
-  - ">= 1.6.3"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-90946.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-cve: 2012-6685
-osvdb: 90946
-url: http://www.osvdb.org/show/osvdb/90946
-title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure
-date: 2012-06-08
-description: libxml2 contains a flaw that may lead to unauthorized disclosure of
- potentially sensitive information. The issue is triggered when handling the
- expansion of XML external entities (XXE), which can be used to trigger URL's
- on an internal network and allow a remote attacker to gain access to their
- responses.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.5.4"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: nori
-cve: 2013-0285
-osvdb: 90196
-url: http://osvdb.org/show/osvdb/90196
-title: Ruby Gem nori Parameter Parsing Remote Code Execution
-date: 2013-01-10
-description: |
-  The Ruby Gem nori has a parameter parsing error that may allow an attacker
-  to execute arbitrary code. This vulnerability has to do with type casting
-  during parsing, and is related to CVE-2013-0156.
-cvss_v2: 7.5
-patched_versions:
-  - ~> 1.0.3
-  - ~> 1.1.4
-  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: omniauth-facebook
-cve: 2013-4562
-osvdb: 99693
-url: http://www.osvdb.org/show/osvdb/99693
-title: omniauth-facebook Gem for Ruby Unspecified CSRF
-date: 2013-11-12
-description: |
-  omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
-  require multiple steps, explicit confirmation, or a unique token when
-  performing certain sensitive actions. By tricking a user into following
-  a specially crafted link, a context-dependent attacker can perform a
-  Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
-  perform an unspecified action.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.5.0"
-unaffected_versions:
-  - "<= 1.4.0"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: omniauth-facebook
-cve: 2013-4593
-osvdb: 99888
-url: http://www.osvdb.org/show/osvdb/99888
-title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
-date: 2013-11-14
-description: |
-  omniauth-facebook Gem for Ruby contains a flaw that is due to the application
-  supporting passing the access token via the URL. This may allow a remote
-  attacker to bypass authentication and authenticate as another user.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.5.1"

data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: omniauth-oauth2
-cve: 2012-6134
-osvdb: 90264
-url: http://www.osvdb.org/show/osvdb/90264
-title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
-date: 2012-09-08
-description: |
-  The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
-  inject values into a user's session through a CSRF attack.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.1.1"

data/data/ruby-advisory-db/gems/open-uri-cached/OSVDB-121701.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: open-uri-cached
-cve: 2015-3649
-osvdb: 121701
-url: http://seclists.org/oss-sec/2015/q2/373
-title: open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege Escalation
-date: 2015-05-05
-description: |
-  open-uri-cached Gem for Ruby contains a flaw that is due to the
-  program creating temporary files in a predictable, unsafe manner when using
-  YAML. This may allow a local attacker to gain elevated privileges.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/paperclip/CVE-2015-2963.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: paperclip
-cve: 2015-2963
-url: https://robots.thoughtbot.com/paperclip-security-release
-title: |
-  Paperclip Gem for Ruby vulnerable to content type spoofing
-date: 2015-06-05
-description: |
-  There is an issue where if an HTML file is uploaded with a .html
-  extension, but the content type is listed as being `image/jpeg`, this
-  will bypass a validation checking for images. But it will also pass the
-  spoof check, because a file named .html and containing actual HTML
-  passes the spoof check.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 4.2.2"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: paperclip
-osvdb: 103151
-url: http://osvdb.org/show/osvdb/103151
-title: Paperclip Gem for Ruby contains a flaw
-date: 2014-01-31
-description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
-  validate the file extension, instead only validating the Content-Type header during file uploads.
-  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
-  spoofing the content-type.
-cvss_v2:
-patched_versions:
-  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: paratrooper-newrelic
-cve: 2014-1234
-osvdb: 101839
-url: http://www.osvdb.org/show/osvdb/101839
-title: Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure
-date: 2014-01-08
-description: |
-  Paratrooper-newrelic Gem for Ruby contains a flaw in
-  /lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes
-  the API key, allowing a local attacker to gain access to it by monitoring the
-  process tree.
-cvss_v2: 2.1

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: paratrooper-pingdom
-cve: 2014-1233
-osvdb: 101847
-url: http://www.osvdb.org/show/osvdb/101847
-title: paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials Local Disclosure
-date: 2013-12-26
-description: |
-  paratrooper-pingdom Gem for Ruby contains a flaw in
-  /lib/paratrooper-pingdom.rb. The issue is triggered when the script exposes
-  API login credentials, allowing a local attacker to gain access to the API
-  key, username, and password for the API login by monitoring the process tree.
-cvss_v2: 2.1

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1831.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: passenger
-cve: 2014-1831
-osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
-title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
-date: 2014-01-28
-description: Phusion Passenger contains a flaw as the program creates the server instance
-  directory insecurely. It is possible for a local attacker to use a symlink attack against
-  the directory to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.37"

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1832.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: passenger
-cve: 2014-1832
-osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
-title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
-date: 2014-01-29
-description: Phusion Passenger contains a flaw as the program creates the server instance
-  directory insecurely. It is possible for a local attacker to use a symlink attack against
-  the directory to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.38"

data/data/ruby-advisory-db/gems/passenger/CVE-2015-7519.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: passenger
-cve: 2015-7519
-url: https://blog.phusion.nl/2015/12/07/cve-2015-7519/
-title: Phusion Passenger Server allows to overwrite headers in some cases
-date: 2015-11-23
-description: It is possible in some cases, for clients to overwrite headers
-  set by the server, resulting in a medium level security issue.
-  Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python
-  applications, while Passenger 4 uses an SCGI-inspired format to pass
-  headers to all applications. This implies a conversion to
-  UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters
-  like '-' and '_' is lost.
-patched_versions:
-  - "~> 4.0.60"
-  - ">= 5.0.22"

data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: passenger
-cve: 2016-10345
-url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
-title:  Predictable tmp File Path Vulnerability in Phusion Passenger
-date: 2017-04-18
-description: >-
-  In Phusion Passenger before 5.1.0, a known /tmp filename was used during
-  passenger-install-nginx-module execution, which could allow local attackers
-  to gain the privileges of the passenger user.
-cvss_v3: 5.5
-patched_versions:
-  - ">= 5.1.0"