RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: rbovirt
-cve: 2014-0036
-osvdb: 104080
-url: http://osvdb.org/show/osvdb/104080
-title: rbovirt Gem for Ruby contains a flaw
-date: 2014-03-05
-description: |
-  rbovirt Gem for Ruby contains a flaw related to certificate validation.
-  The issue is due to the program failing to validate SSL certificates. This may
-  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
-  poisoning) to spoof the SSL server via an arbitrary certificate that appears
-  valid. Such an attack would allow for the interception of sensitive traffic,
-  and potentially allow for the injection of content into the SSL stream.
-cvss_v2: 6.8
-patched_versions:
-  - '>= 0.0.24'

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml DELETED

@@ -1,27 +0,0 @@
----
-gem: rdoc
-cve: 2013-0256
-osvdb: 90004
-url: http://www.osvdb.org/show/osvdb/90004
-title: RDoc 2.3.0 through 3.12 XSS Exploit
-date: 2013-02-06
-description: |
-  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
-  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
-  may lead to cookie disclosure to third parties.
-  The exploit exists in darkfish.js which is copied from the RDoc install
-  location to the generated documentation.
-  RDoc is a static documentation generation tool. Patching the library itself
-  is insufficient to correct this exploit.
-  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.9.5
-  - ~> 3.12.1
-  - ">= 4.0"

data/data/ruby-advisory-db/gems/redcarpet/CVE-2015-5147.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: redcarpet
-cve: 2015-5147
-osvdb: 123859
-url: http://seclists.org/oss-sec/2015/q2/818
-title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow
-date: 2015-06-22
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a stack overflow.
-  This flaw exists because the header_anchor() function in html.c uses
-  variable length arrays (VLA) without any range checking. This may
-  allow a remote attacker to execute arbitrary code.
-cvss_v2: 7.5
-unaffected_versions:
-  - "< 3.3.0"
-patched_versions:
-  - ">= 3.3.2"

data/data/ruby-advisory-db/gems/redcarpet/OSVDB-120415.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: redcarpet
-osvdb: 120415
-url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
-title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
-date: 2015-04-07
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
-  (XSS) attack. This flaw exists because the parse_inline() function in
-  markdown.c does not validate input before returning it to users. This may
-  allow a remote attacker to create a specially crafted request that would
-  execute arbitrary script code in a user's browser session within the trust
-  relationship between their browser and the server.
-cvss_v2:
-patched_versions:
-  - ">= 3.2.3"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: redis-namespace
-osvdb: 96425
-url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
-title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
-date: 2013-08-03
-description: |
-  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
-  The issue is triggered when handling exec commands called via send(). This may allow a
-  remote attacker to execute arbitrary commands.
-patched_versions:
-  - ">= 1.3.1"
-  - "~> 1.2.2"
-  - "~> 1.1.1"
-  - "~> 1.0.4"

data/data/ruby-advisory-db/gems/refile/OSVDB-120857.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: refile
-osvdb: 120857
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/VIfMO2LvzNs
-title: refile Gem for Ruby contains a remote code execution vulnerability
-date: 2015-04-15
-description: |
-  refile Gem for Ruby contains a flaw that is triggered when input is not
-  sanitized when handling the 'remote_image_url' field in a form, where
-  'image' is the name of the attachment. This may allow a remote attacker
-  to execute arbitrary shell commands.
-cvss_v2:
-unaffected_versions:
-  - "< 0.5.0"
-patched_versions:
-  - '>= 0.5.4'

data/data/ruby-advisory-db/gems/rest-client/CVE-2015-1820.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: rest-client
-cve: 2015-1820
-osvdb: 119878
-url: https://github.com/rest-client/rest-client/issues/369
-title: 'rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses'
-date: 2015-03-24
-description: |
-  rest-client in abstract_response.rb improperly handles Set-Cookie headers on
-  HTTP 30x redirection responses. Any cookies will be forwarded to the
-  redirection target regardless of domain, path, or expiration.
-  If you control a redirection source, you can cause rest-client to perform a
-  request to any third-party domain with cookies of your choosing, which may be
-  useful in performing a session fixation attack.
-  If you control a redirection target, you can steal any cookies set by the
-  third-party redirection request.
-cvss_v2:
-unaffected_versions:
-  - "<= 1.6.0"
-patched_versions:
-  - ">= 1.8.0"

data/data/ruby-advisory-db/gems/rest-client/OSVDB-117461.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: rest-client
-cve: 2015-3448
-osvdb: 117461
-url: http://www.osvdb.org/show/osvdb/117461
-title: Rest-Client Gem for Ruby logs password information in plaintext
-date: 2015-01-12
-description: Rest-Client Ruby Gem contains a flaw that is due to the application
-  logging password information in plaintext. This may allow a local attacker
-  to gain access to password information.
-cvss_v2:
-patched_versions:
-  - ">= 1.7.3"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: rgpg
-cve: 2013-4203
-osvdb: 95948
-url: http://www.osvdb.org/show/osvdb/95948
-title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
-date: 2013-08-02
-description: |
-  rgpg Gem for Ruby contains a flaw in the GpgHelper module
-  (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
-  sanitize user-supplied input before being used in the system() function for
-  execution. This may allow a remote attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: ruby-saml
-cve: 2016-5697
-url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995
-title: XML signature wrapping attack
-date: 2016-06-24
-description: |
-  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
-  in the specific scenario where there was a signature that referenced at the same time
-  2 elements (but past the scheme validator process since 1 of the element was inside
-  the encrypted assertion).
-  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
-  mitigate this kind of attack.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-117903.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: ruby-saml
-osvdb: 117903
-url: http://www.osvdb.org/show/osvdb/117903
-title: Ruby-Saml Gem is vulnerable to arbitrary code execution
-date: 2015-02-03
-description: |
-  ruby-saml contains a flaw that is triggered as the URI value of a SAML response is
-  not properly sanitized through a prepared statement. This may allow a remote
-  attacker to execute arbitrary shell commands on the host machine.
-cvss_v2:
-patched_versions:
-  - ">= 0.8.2"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124383.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: ruby-saml
-osvdb: 124383
-url: https://github.com/onelogin/ruby-saml/pull/247
-title: Ruby-Saml Gem is vulnerable to entity expansion attacks
-date: 2015-06-30
-description: |
-  ruby-saml before 1.0.0 is vulnerable to entity expansion attacks.
-cvss_v2: 3.9
-patched_versions:
-  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124991.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: ruby-saml
-osvdb: 124991
-url: https://github.com/onelogin/ruby-saml/pull/225
-title: Ruby-Saml Gem is vulnerable to XPath Injection
-date: 2015-04-29
-description: |
-  ruby-saml before 1.0.0 is vulnerable to XPath injection on xml_security.rb. The
-  lack of prepared statements allows for possibly command injection, leading to
-  arbitrary code execution
-cvss_v2: 6.7
-patched_versions:
-  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: ruby_parser
-cve: 2013-0162
-osvdb: 90561
-url: http://osvdb.org/show/osvdb/90561
-title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
-date: 2013-02-21
-description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: rubyzip
-cve: 2017-5946
-url: https://github.com/rubyzip/rubyzip/issues/315
-title: Directory traversal vulnerability in rubyzip
-date: 2017-02-27
-description: |
-  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory
-  traversal vulnerability. If a site allows uploading of .zip files, an attacker
-  can upload a malicious file that uses "../" pathname substrings to write arbitrary
-  files to the filesystem.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.2.1"

data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: safemode
-cve: 2016-3693
-title: Safemode Gem for Ruby is vulnerable to information disclosure
-date: 2016-04-20
-url: http://seclists.org/oss-sec/2016/q2/119
-description: |
-  Safemode is initialised with an optional 'delegate' object.
-  If the delegated object is a Rails controller, 'inspect' could
-  be called which then exposes all informations about the App,
-  including routes, secret tokens, caches and so on.
-patched_versions:
-  - ">= 1.2.4"

data/data/ruby-advisory-db/gems/screen_capture/OSVDB-107783.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: screen_capture
-osvdb: 107783
-url: http://osvdb.org/show/osvdb/107783
-title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command Execution
-date: 2014-06-07
-description: Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that is triggered when handling input passed via the URL. This may allow a context-dependent attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/sentry-raven/OSVDB-115654.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: sentry-raven
-cve: 2014-9490
-osvdb: 115654
-url: http://osvdb.org/show/osvdb/115654
-title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
-date: 2014-12-08
-description: Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script
-  that is triggered when large numeric values are stored as an exponent or in
-  scientific notation. With a specially crafted request, an attacker can cause
-  the software to consume excessive resources resulting in a denial of service.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.12.2"

data/data/ruby-advisory-db/gems/sfpagent/OSVDB-105971.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: sfpagent
-cve: 2014-2888
-osvdb: 105971
-url: http://www.osvdb.org/show/osvdb/105971
-title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
-date: 2014-04-16
-description: |
-  sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
-  input is not properly sanitized when handling module names with shell
-  metacharacters. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/show_in_browser/OSVDB-93490.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: show_in_browser
-cve: 2013-2105
-osvdb: 93490
-url: http://osvdb.org/show/osvdb/93490
-title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
-date: 2013-05-17
-description: Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user's browser.

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126329.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126329
-url: https://github.com/mperham/sidekiq/commit/a695ff347ae50f641dfc35189131b232ea0aa1db
-title: |
-  Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements
-  Reflected XSS
-date: 2015-05-11
-description: |
-  XSS via batch failure error_class and error_message in Sidekiq::Web
-patched_versions:
-  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126330.yml DELETED

@@ -1,10 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126330
-url: https://github.com/mperham/sidekiq/commit/99b12fb50fe244c5a317f03f1bed9b333ec56ebe
-title: |
-  Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS
-date: 2014-10-13
-description: XSS via batch description in Sidekiq::Web
-patched_versions:
-  - ">= 1.9.1"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126331.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126331
-url: https://github.com/mperham/sidekiq/commit/651400ed8f237118346895c99dc28ca94f3169d3
-title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering
-date: 2015-07-17
-description: |
-  Sidekiq::Web job filtering lacks CSRF protection. This issue
-  is related to OSVDB-125675.
-patched_versions:
-  - ">= 2.0.6"
-related:
-  osvdb:
-    - 125675

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125675.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: sidekiq
-osvdb: 125675
-url: https://github.com/mperham/sidekiq/pull/2422
-title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
-date: 2015-07-06
-description: Sidekiq::Web lacks CSRF protection
-patched_versions:
-  - ">= 3.4.2"

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125676.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: sidekiq
-osvdb: 125676
-url: https://github.com/mperham/sidekiq/issues/2330
-title: |
-  Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element
-  Reflected XSS
-date: 2015-06-04
-description: XSS via queue name in Sidekiq::Web
-patched_versions:
-  - ">= 3.4.0"
-related:
-  osvdb:
-    - 125677

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125678.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: sidekiq
-osvdb: 125678
-url: https://github.com/mperham/sidekiq/pull/2309
-title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
-date: 2015-04-21
-description: XSS via job arguments display class in Sidekiq::Web
-patched_versions:
-  - ">= 3.4.0"

data/data/ruby-advisory-db/gems/sounder/OSVDB-96278.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: sounder
-cve: 2013-5647
-osvdb: 96278
-url: http://www.osvdb.org/show/osvdb/96278
-title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
-date: 2013-08-14
-description: |
-  Sounder Gem for Ruby contains a flaw that is triggered during the handling
-  of file names. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.0.2"

data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: spina
-cve: 2015-4619
-title: Cross-site request forgery (CSRF) vulnerability in Spina gem
-date: 2015-06-16
-url: http://www.openwall.com/lists/oss-security/2015/06/16/11
-description: >-
-  `Spina::ApplicationController` actions didn't have CSRF
-  protection. This causes a CSRF vulnerability across the
-  entire engine which includes administrative functionality
-  such as creating users, changing passwords,
-  and media management.
-patched_versions:
-  - ">= 0.6.29"