RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/spree/OSVDB-119205.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: spree
-osvdb: 119205
-url: https://spreecommerce.com/blog/security-updates-2015-3-3
-title: Spree API Information Disclosure CSRF
-date: 2015-03-05
-description: |
-  Spree contains a flaw in the API as HTTP requests do not require multiple
-  steps, explicit confirmation, or a unique token when performing certain
-  sensitive actions. By tricking a user into following a specially crafted
-  link, a context-dependent attacker can perform a Cross-Site Request Forgery
-  (CSRF / XSRF) attack causing the victim to disclose potentially sensitive
-  information to attackers.
-patched_versions:
-  - ~> 2.2.10
-  - ~> 2.3.8
-  - ~> 2.4.5
-  - ">= 3.0.0.rc4"

data/data/ruby-advisory-db/gems/spree/OSVDB-125699.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: spree
-osvdb: 125699
-url: https://spreecommerce.com/blog/security-updates-2015-7-28
-title: |
-  Spree RABL templates rendering allows Arbitrary Code Execution and File
-  Disclosure
-date: 2015-07-28
-description: |
-  Spree contains a flaw where the rendering of arbitrary RABL templates allows
-  for execution arbitrary files on the host system, as well as disclosing the
-  existence of files on the system. This is a different issue than
-  OSVDB-125701.
-patched_versions:
-  - ~> 2.2.13
-  - ~> 2.3.12
-  - ~> 2.4.9
-  - ">= 3.0.3"

data/data/ruby-advisory-db/gems/spree/OSVDB-125701.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: spree
-osvdb: 125701
-url: https://spreecommerce.com/blog/security-updates-2015-7-20
-title: |
-  Spree RABL templates rendering allows Arbitrary Code Execution and File
-  Disclosure
-date: 2015-07-20
-description: |
-  Spree contains a flaw where the rendering of arbitrary RABL templates allows
-  for execution arbitrary files on the host system, as well as disclosing the
-  existence of files on the system.
-patched_versions:
-  - ~> 2.2.12
-  - ~> 2.3.11
-  - ~> 2.4.8
-  - ">= 3.0.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125712.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: spree
-osvdb: 125712
-url: https://spreecommerce.com/blog/security-issue-all-versions
-title: |
-  Product Scopes could allow for unauthenticated remote command execution
-date: 2012-07-02
-description: |
-  Product Scopes could allow for unauthenticated remote command execution.
-  This was corrected by removing conditions_any scope and use ARel query
-  building instead.
-patched_versions:
-  - ~> 0.11.4
-  - ~> 0.70.6
-  - ~> 1.0.5
-  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125713.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: spree
-osvdb: 125713
-url: https://spreecommerce.com/blog/security-issue-all-versions
-title: |
-  Potential XSS vulnerability related to the analytics dashboard
-date: 2012-07-02
-description: |
-  Spree has a flaw in its analytics dashboard where keywords are not escaped,
-  leading to potential XSS.
-patched_versions:
-  - ~> 0.11.4
-  - ~> 0.70.6
-  - ~> 1.0.5
-  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-69098.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: spree
-cve: 2010-3978
-osvdb: 69098
-url: https://spreecommerce.com/blog/json-hijacking-vulnerability
-title: |
-  Spree Multiple Script JSON Request Validation Weakness Remote Information
-  Disclosure
-date: 2010-11-02
-description: |
-  Spree contains a flaw that may lead to an unauthorized information
-  disclosure. The issue is triggered when the application exchanges data using
-  the JSON service without validating requests, which will disclose sensitive
-  user and order information to a context-dependent attacker when a logged-in
-  user visits a crafted website.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 0.11.2
-  - ">= 0.30.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-73751.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: spree
-osvdb: 73751
-url: https://spreecommerce.com/blog/security-fixes
-title: Spree Content Controller Unspecified Arbitrary File Disclosure
-date: 2011-04-19
-description: |
-  Spree Gem for Ruby would allow a user to request a specially crafted URL and
-  expose arbitrary files on the server
-patched_versions:
-  - ">= 0.50.1"

data/data/ruby-advisory-db/gems/spree/OSVDB-76011.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: spree
-osvdb: 76011
-url: https://spreecommerce.com/blog/remote-command-product-group
-title: |
-  Spree Search ProductScope Class search[send][] Parameter Arbitrary Command
-  Execution
-date: 2011-10-05
-description: |
-  The ProductScope class fails to properly sanitize user-supplied input via the
-  'search[send][]' parameter resulting in arbitrary command execution. With a
-  specially crafted request, a remote attacker can potentially cause arbitrary
-  command execution.
-patched_versions:
-  - ">= 0.60.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-81505.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: spree
-cve: 2008-7310
-osvdb: 81505
-url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment
-title: |
-  Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation
-date: 2008-09-22
-description: |
-  Spree contains a hash restriction weakness that occurs when parsing a
-  modified URL. This may allow an attacker to manipulate order state values.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-81506.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: spree
-cve: 2008-7311
-osvdb: 81506
-url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store
-title: |
-  Spree Hardcoded config.action_controller_session Hash Value Cryptographic
-  Protection Weakness
-date: 2008-08-12
-description: |
-  Spree contains a hardcoded flaw related to the
-  config.action_controller_session hash value. This may allow an attacker to
-  more easily bypass cryptographic protection.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-90865.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: spree
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.0
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91216
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary
-  Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'promotion_action' parameter to promotion_actions_controller.rb. This may
-  allow a remote authenticated attacker to instantiate arbitrary Ruby objects
-  and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91217
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'payment_method' parameter to payment_methods_controller.rb. This may allow
-  a remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91218
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'calculator_type' parameter to promotions_controller.rb. This may allow a
-  remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91219
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'promotion_rule' parameter to promotion_rules_controller.rb. This may allow
-  a remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree_auth/OSVDB-90865.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: spree_auth
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0

data/data/ruby-advisory-db/gems/spree_auth_devise/OSVDB-90865.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: spree_auth_devise
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.0
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/sprockets/CVE-2014-7819.yml DELETED

@@ -1,27 +0,0 @@
----
-gem: sprockets
-cve: 2014-7819
-osvdb: 113965
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
-title: Arbitrary file existence disclosure in Sprockets
-date: 2014-10-30
-description: |
-  Specially crafted requests can be used to determine whether a file exists on
-  the filesystem that is outside an application's root directory.  The files
-  will not be served, but attackers can determine whether or not the file
-  exists.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.5
-  - ~> 2.1.4
-  - ~> 2.2.3
-  - ~> 2.3.3
-  - ~> 2.4.6
-  - ~> 2.5.1
-  - ~> 2.7.1
-  - ~> 2.8.3
-  - ~> 2.9.4
-  - ~> 2.10.2
-  - ~> 2.11.3
-  - ~> 2.12.3
-  - ">= 3.0.0.beta.3"

data/data/ruby-advisory-db/gems/sprout/OSVDB-100598.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: sprout
-cve: 2013-6421
-osvdb: 100598
-url: http://www.osvdb.org/show/osvdb/100598
-title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution
-date: 2013-12-02
-description: |
-  sprout Gem for Ruby contains a flaw in the unpack_zip() function in
-  archive_unpacker.rb. The issue is due to the program failing to properly
-  sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output'
-  parameters. This may allow a context-dependent attacker to execute arbitrary
-  code.
-cvss_v2: 7.5
-unaffected_versions:
-  - '< 0.7.246'

data/data/ruby-advisory-db/gems/sup/CVE-2013-4478.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: sup
-cve: 2013-4478
-osvdb: 99074
-url: http://www.phenoelit.org/stuff/whatsup.txt
-title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
-date: 2013-10-29
-description: Sup MUA contains a flaw that is triggered when handling email
-  attachment content. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 6.8
-patched_versions:
-  - "~> 0.13.2.1"
-  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4479.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: sup
-cve: 2013-4479
-osvdb: 99074
-url: http://www.phenoelit.org/stuff/whatsup.txt
-title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
-date: 2013-10-29
-description: Sup MUA contains a flaw that is triggered when handling email
-  attachment content. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 6.8
-patched_versions:
-  - "~> 0.13.2.1"
-  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/thumbshooter/OSVDB-91839.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: thumbshooter
-cve: 2013-1898
-osvdb: 91839
-url: http://osvdb.org/show/osvdb/91839
-title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-03-26
-description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: twitter-bootstrap-rails
-framework: rails
-cve: 2014-4920
-osvdb: 109206
-url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/
-title: Reflective XSS Vulnerability in twitter-bootstrap-rails
-date: 2014-03-25
-description: |
-  The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a
-  reflected cross-site scripting (XSS) attack. This flaw exists because the
-  bootstrap_flash helper method does not validate input when handling flash
-  messages before returning it to users. This may allow a context-dependent
-  attacker to create a specially crafted request that would execute arbitrary
-  script code in a user's browser session within the trust relationship between
-  their browser and the server.
-cvss_v2:
-patched_versions:
-  - ">= 3.2.0"

data/data/ruby-advisory-db/gems/uglifier/OSVDB-126747.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: uglifier
-osvdb: 126747
-url: https://github.com/mishoo/UglifyJS2/issues/751
-title: uglifier incorrectly handles non-boolean comparisons during minification
-date: 2015-07-21
-description: |
-  The upstream library for the Ruby uglifier gem, UglifyJS, is
-  affected by a vulnerability that allows a specially crafted
-  Javascript file to have altered functionality after minification.
-  This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated
-  to allow potentially malicious code to be hidden within secure code,
-  and activated by the minification process.
-  For more information, consult: https://zyan.scripts.mit.edu/blog/backdooring-js/
-patched_versions:
-  - ">= 2.7.2"

data/data/ruby-advisory-db/gems/web-console/CVE-2015-3224.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: web-console
-cve: 2015-3224
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
-title: |
-  IP whitelist bypass in Web Console
-date: 2015-06-16
-description: |
-  Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).
-  Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.
-  All affected users should either upgrade or use one of the work arounds immediately.
-  To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
-patched_versions:
-  - ">= 2.1.3"