RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/web-console/OSVDB-112346.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: web-console
-osvdb: 112346
-url: http://www.osvdb.org/show/osvdb/112346
-title: Web Console Gem for Ruby contains an unspecified flaw
-date: 2014-09-29
-description: The Web Console Gem for Ruby on Rails contains an unspecified flaw that
-  may allow an attacker to have an unspecified impact. No further details have been
-  provided by the vendor.
-cvss_v2:
-patched_versions:
-  - ">= 2.0.0.beta4"

data/data/ruby-advisory-db/gems/webbynode/OSVDB-100920.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: webbynode
-cve: 2013-7086
-osvdb: 100920
-url: http://osvdb.org/show/osvdb/100920
-title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution
-date: 2013-12-12
-description: |
-  Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
-  when handling a specially crafted growlnotify message. This may allow a
-  context-dependent attacker to execute arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/wicked/OSVDB-98270.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: wicked
-cve: 2013-4413
-osvdb: 98270
-url: http://www.osvdb.org/show/osvdb/98270
-title: Wicked Gem for Ruby contains a flaw
-date: 2013-10-08
-description: Wicked Gem for Ruby contains a flaw that is due to the program
-  failing to properly sanitize input passed via the 'the_step' parameter
-  upon submission to the render_redirect.rb script.
-  This may allow a remote attacker to gain access to arbitrary files.
-cvss_v2: 5.0
-patched_versions:
-  - '>= 1.0.1'

data/data/ruby-advisory-db/gems/will_paginate/OSVDB-101138.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: will_paginate
-osvdb: 101138
-cve: 2013-6459
-url: http://osvdb.org/show/osvdb/101138
-title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
-date: 2013-09-19
-description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
-  This flaw exists because the application does not validate certain unspecified input related to
-  generated pagination links before returning it to the user. This may allow an attacker to create
-  a specially crafted request that would execute arbitrary script code in a users browser within the
-  trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 3.0.5"

data/data/ruby-advisory-db/gems/xaviershay-dm-rails/OSVDB-118579.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: xaviershay-dm-rails
-cve: 2015-2179
-osvdb: 118579
-url: http://osvdb.org/show/osvdb/118579
-title: |
-  xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
-date: 2015-02-17
-description: |
-  xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
-  in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
-  due to the function exposing sensitive information via the process table.
-  This may allow a local attack to gain access to MySQL credential information.

data/data/ruby-advisory-db/lib/cf_scrape.py DELETED

@@ -1,5 +0,0 @@
-import cfscrape
-import sys
-scraper = cfscrape.create_scraper() # returns a requests.Session object
-print scraper.get(sys.argv[1]).content

data/data/ruby-advisory-db/lib/osvdb_scrape.rb DELETED

@@ -1,92 +0,0 @@
-require 'pry'
-require 'nokogiri'
-require 'yaml'
-require 'date'
-class OSVDB
-  attr_accessor :osvdb, :cve, :title, :description, :date, :cvss_v2, :gem, :url, :patched_versions, :page
-  def initialize(osvdb)
-    self.osvdb = osvdb
-    self.url = "http://osvdb.org/show/osvdb/#{self.osvdb}"
-    scrape!
-    parse!
-  end
-  def scrape!
-    html = `bash --login -c "python cf_scrape.py #{self.url}"`
-    doc = Nokogiri::XML(html) do |config|
-      config.nonet.noent
-    end
-    self.page = doc
-  end
-  def parse!
-    page.search(".show_vuln_table").search("td ul li").each do |li|
-      case li.children[0].text.strip
-      when "CVE ID:"
-        self.cve = li.children[1].text
-      when "Vendor URL:"
-        self.set_gem(li.children[1].text)
-      end
-    end
-    self.description = page.search(".show_vuln_table").search("tr td tr .white_content p")[0].text
-    self.date = page.search(".show_vuln_table").search("tr td tr .white_content tr td")[0].text
-    self.title = page.search("title").text.gsub(/\d+: /, "")
-    if cvss_p = page.search(".show_vuln_table").search("tr td tr .white_content div p")[0]
-      self.set_cvss(cvss_p.children[0].text)
-    end
-  end
-  def set_gem(vendortext)
-    ["https://rubygems.org/gems/", "http://rubygems.org/gems/"].each do |str|
-      if vendortext.match(str)
-        self.gem = vendortext.gsub(str,"")
-      end
-    end
-  end
-  def set_cvss(text)
-    self.cvss_v2 = text.strip.gsub("CVSSv2 Base Score = ", "")
-  end
-  def date
-    Date.parse(@date)
-  end
-  def cvss_v2
-    @cvss_v2.nil? ? nil : @cvss_v2.to_f
-  end
-  def gem
-    @gem.nil? ? "unknown" : @gem
-  end
-  def to_yaml
-    { 'gem' => gem,
-      'cve' => cve,
-      'osvdb' => osvdb.to_i,
-      'url' => url,
-      'title' => title,
-      'date' => date,
-      'description' => description,
-      'cvss_v2' => cvss_v2,
-      'patched_versions' => patched_versions
-    }.to_yaml(options = { line_width: 80 })
-  end
-  def filename
-    "OSVDB-#{osvdb}.yml"
-  end
-  def to_advisory!
-    gems_path = File.join(File.dirname(__FILE__), "..", "gems")
-    adv_path = File.absolute_path(File.join(gems_path, self.gem))
-    FileUtils.mkdir(adv_path) unless File.exists?(adv_path)
-    File.open(File.join(adv_path, filename), "w") do |io|
-      io.puts self.to_yaml
-    end
-  end
-end

data/data/ruby-advisory-db/libraries/rubygems/CVE-2013-4287.yml DELETED

@@ -1,19 +0,0 @@
----
-library: rubygems
-cve: 2013-4287
-osvdb: 97163
-url: http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
-title: RubyGems Multiple API Call Version Validation CPU Consumption DoS
-date: 2013-09-09
-description: |
-  RubyGems contains a flaw that may allow a denial of service. The issue is
-  triggered when handling the gem build, Gem::Package, or Gem::PackageTask API
-  calls, which attempt to validate the version of the program. This may allow a
-  context-dependent attacker to cause a consumption of CPU resources and crash
-  the program.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 1.8.23.1
-  - ~> 1.8.26
-  - ~> 2.0.8
-  - ">= 2.1.0"

data/data/ruby-advisory-db/libraries/rubygems/CVE-2013-4363.yml DELETED

@@ -1,20 +0,0 @@
----
-library: rubygems
-cve: 2013-4363
-osvdb: 97163
-url: http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
-title: RubyGems Multiple API Call Version Validation CPU Consumption DoS
-date: 2013-09-24
-description: |
-  RubyGems contains a flaw that may allow a denial of service. The issue is
-  triggered when handling the gem build, Gem::Package, or Gem::PackageTask API
-  calls, which attempt to validate the version of the program. This may allow a
-  context-dependent attacker to cause a consumption of CPU resources and crash
-  the program. This vulnerability is due to an incomplete fix for
-  CVE-2013-4287, which allowed a denial of service via improper validation.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 1.8.23.2
-  - ~> 1.8.27
-  - ~> 2.0.10
-  - ">= 2.1.5"

data/data/ruby-advisory-db/libraries/rubygems/CVE-2015-3900.yml DELETED

@@ -1,19 +0,0 @@
----
-library: rubygems
-cve: 2015-3900
-osvdb: 122162
-url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
-title: |
-  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
-  Hostname Validation Request Hijacking
-date: 2015-05-14
-description: |
-  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
-  that is triggered when handling hostnames in SRV records. With a specially
-  crafted response, a context-dependent attacker may conduct DNS hijacking
-  attacks.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.16
-  - ~> 2.2.4
-  - ">= 2.4.7"

data/data/ruby-advisory-db/libraries/rubygems/CVE-2015-4020.yml DELETED

@@ -1,19 +0,0 @@
----
-library: rubygems
-cve: 2015-4020
-url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
-title: |
-  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
-  Hostname Validation Request Hijacking
-date: 2015-06-08
-description: |
-  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
-  that is triggered when handling hostnames in SRV records. With a specially
-  crafted response, a context-dependent attacker may conduct DNS hijacking
-  attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,
-  which allowed redirection to an arbitrary gem server in any security domain.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.17
-  - ~> 2.2.5
-  - ">= 2.4.8"

data/data/ruby-advisory-db/libraries/rubygems/OSVDB-33561.yml DELETED

@@ -1,17 +0,0 @@
----
-library: rubygems
-cve: 2007-0469
-osvdb: 33561
-url: http://www.osvdb.org/show/osvdb/33561
-title: |
-  RubyGems installer.rb extract_files Function Crafted GEM Package Arbitrary
-  File Overwrite
-date: 2007-01-22
-description: |
-  The extract_files function in installer.rb in RubyGems before 0.9.1 does not
-  check whether files exist before overwriting them, which allows user-assisted
-  remote attackers to overwrite arbitrary files, cause a denial of service, or
-  execute arbitrary code via crafted GEM packages.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 0.9.1"

data/data/ruby-advisory-db/libraries/rubygems/OSVDB-81444.yml DELETED

@@ -1,14 +0,0 @@
----
-library: rubygems
-cve: 2012-2126
-osvdb: 81444
-url: http://www.osvdb.org/show/osvdb/81444
-title: RubyGems SSL Certificate Validation MitM Spoofing Weakness
-date: 2012-04-20
-description: |
-  RubyGems contains a flaw related to the validation of SSL certificates when
-  accessing certain services and APIs. This may allow a man-in-the-middle
-  attacker to spoof a valid server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 1.8.23"

data/data/ruby-advisory-db/libraries/rubygems/OSVDB-85809.yml DELETED

@@ -1,16 +0,0 @@
----
-library: rubygems
-cve: 2012-2125
-osvdb: 85809
-url: http://www.osvdb.org/show/osvdb/85809
-title: |
-  RubyGems HTTPS to HTTP Redirection MitM Downloaded Installation File
-  Manipulation
-date: 2012-09-25
-description: |
-  RubyGems contains a flaw that is triggered by the gem fetcher allowing for
-  redirection of HTTPS to HTTP. This may allow a remote attacker to conduct a
-  man-in-the-middle attack to alter downloaded gem installation files.
-cvss_v2: 5.8
-patched_versions:
-  - ">= 1.8.23"

data/data/ruby-advisory-db/rubies/jruby/CVE-2010-1330.yml DELETED

@@ -1,17 +0,0 @@
----
-engine: jruby
-cve: 2010-1330
-osvdb: 77297
-url: http://jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability
-title: |
-  JRuby XSS in the regular expression engine when processing invalid UTF-8 byte
-  sequences
-date: 2010-04-26
-description: |
-  The regular expression engine in JRuby before 1.4.1, when $KCODE is set to
-  'u', does not properly handle characters immediately after a UTF-8
-  character, which allows remote attackers to conduct cross-site scripting
-  (XSS) attacks via a crafted string.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 1.4.1"

data/data/ruby-advisory-db/rubies/jruby/CVE-2011-4838.yml DELETED

@@ -1,15 +0,0 @@
----
-engine: jruby
-cve: 2011-4838
-osvdb: 78116
-url: http://jruby.org/2011/12/27/jruby-1-6-5-1
-title: JRuby Hash Collision Form Parameter Parsing Remote DoS
-date: 2011-12-27
-description: |
-  JRuby contains a flaw that may allow a remote denial of service. The issue is
-  triggered when an attacker sends multiple crafted parameters which trigger
-  hash collisions, and will result in loss of availability for the program via
-  CPU consumption.
-cvss_v2: 7.8
-patched_versions:
-  - ">= 1.6.5.1"

data/data/ruby-advisory-db/rubies/jruby/CVE-2012-5370.yml DELETED

@@ -1,17 +0,0 @@
----
-engine: jruby
-cve: 2012-5370
-osvdb: 87864
-url: http://jruby.org/2012/12/03/jruby-1-7-1
-title: JRuby MurmurHash Implementation Hash Collision Remote DoS
-date: 2012-11-23
-description: |
-  JRuby contains a flaw related to the MurmurHash implementation that may allow
-  a remote denial of service. The issue is triggered when hash values are
-  computed without having the ability to cause hash collisions restricted. When
-  sending specially crafted input to an application maintaining a hash table, a
-  context-dependent attacker can cause a consumption of CPU resources. This
-  will result in a loss of availability for the program.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.7.1"

data/data/ruby-advisory-db/rubies/jruby/OSVDB-94644.yml DELETED

@@ -1,12 +0,0 @@
----
-engine: jruby
-osvdb: 94644
-url: http://www.osvdb.org/show/osvdb/94644
-title: JRuby Null Byte Request Arbitrary File Access
-date: 2010-05-26
-description: |
-  JRuby contains a flaw that is due to the program failing to properly check
-  for null byte requests in certain file operations. This may allow a remote
-  attacker to gain access to arbitrary files. No further details are available.
-patched_versions:
-  - ">= 1.6.2"

data/data/ruby-advisory-db/rubies/rbx/OSVDB-78119.yml DELETED

@@ -1,13 +0,0 @@
----
-engine: rbx
-osvdb: 78119
-url: http://www.osvdb.org/show/osvdb/78119
-title: Rubinius Hash Collision Form Parameter Parsing Remote DoS
-date: 2011-12-28
-description: |
-  Rubinius contains a flaw that may allow a remote denial of service. The issue
-  is triggered when an attacker sends multiple crafted parameters which trigger
-  hash collisions, and will result in loss of availability for the program via
-  CPU consumption.
-patched_versions:
-  - ">= 1.3.1"

data/data/ruby-advisory-db/rubies/rbx/OSVDB-87861.yml DELETED

@@ -1,17 +0,0 @@
----
-engine: rbx
-cve: 2012-5372
-osvdb: 87861
-url: http://www.osvdb.org/show/osvdb/87861
-title: Rubinius MurmurHash3 Implementation Hash Collision Remote DoS
-date: 2012-11-23
-description: |
-  Rubinius contains a flaw related to the MurmurHash3 implementation that may
-  allow a remote denial of service. The issue is triggered when hash values
-  are computed without having the ability to cause hash collisions restricted.
-  When sending specially crafted input to an application maintaining a hash
-  table, a context-dependent attacker can cause a consumption of CPU resources.
-  This will result in a loss of availability for the program.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.3.1"

data/data/ruby-advisory-db/rubies/ruby/CVE-2007-5162.yml DELETED

@@ -1,16 +0,0 @@
----
-engine: ruby
-cve: 2007-5162
-url: https://www.ruby-lang.org/en/news/2007/10/04/net-https-vulnerability/
-title: Ruby Net::HTTPS library does not validate server certificate CN
-date: 2007-09-27
-description: |
-  The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS
-  libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN)
-  field in a server certificate matches the domain name in an HTTPS request,
-  which makes it easier for remote attackers to intercept SSL transmissions via
-  a man-in-the-middle attack or spoofed web site.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 1.8.5.114
-  - ">= 1.8.6.111"

data/data/ruby-advisory-db/rubies/ruby/CVE-2007-5770.yml DELETED

@@ -1,17 +0,0 @@
----
-engine: ruby
-cve: 2007-5770
-url: http://www.cvedetails.com/cve/CVE-2007-5770/
-title: Ruby Net::HTTPS library does not validate server certificate CN
-date: 2007-10-08
-description: |
-  The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5)
-  Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the
-  commonName (CN) field in a server certificate matches the domain name in a
-  request sent over SSL, which makes it easier for remote attackers to
-  intercept SSL transmissions via a man-in-the-middle attack or spoofed web
-  site, different components than CVE-2007-5162.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 1.8.6.230
-  - ">= 1.8.7"