RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/activerecord/OSVDB-103438.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-0080
-osvdb: 103438
-url: http://osvdb.org/show/osvdb/103438
-title: Data Injection Vulnerability in Active Record
-date: 2014-02-18
-description: |
-  Ruby on Rails contains a flaw in connection_adapters/postgresql/cast.rb
-  in Active Record. This issue may allow a remote attacker to inject data
-  into PostgreSQL array columns via a specially crafted string.
-cvss_v2:
-unaffected_versions:
-  - "< 3.2.0"
-  - ~> 3.2.0
-patched_versions:
-  - ~> 4.0.3
-  - ">= 4.1.0.beta2"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-108664.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-3482
-osvdb: 108664
-url: http://osvdb.org/show/osvdb/108664
-title: SQL Injection Vulnerability in Active Record
-date: 2014-07-02
-description: |
-  Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack.
-  The issue is due to the PostgreSQL adapter for Active Record not properly
-  sanitizing user-supplied input when quoting bitstring. This may allow a remote
-  attacker to inject or manipulate SQL queries in the back-end database,
-  allowing for the manipulation or disclosure of arbitrary data.
-cvss_v2:
-unaffected_versions:
-  - ">= 4.0.0"
-patched_versions:
-  - ~> 3.2.19

data/data/ruby-advisory-db/gems/activerecord/OSVDB-108665.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2014-3483
-osvdb: 108665
-url: http://osvdb.org/show/osvdb/108665
-title: SQL Injection Vulnerability in Active Record
-date: 2014-07-02
-description: |
-  Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack.
-  The issue is due to the PostgreSQL adapter for Active Record not properly
-  sanitizing user-supplied input when quoting ranges. This may allow a remote
-  attacker to inject or manipulate SQL queries in the back-end database,
-  allowing for the manipulation or disclosure of arbitrary data.
-cvss_v2:
-unaffected_versions:
-  - "< 4.0.0"
-patched_versions:
-  - ~> 4.0.7
-  - ">= 4.1.3"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml DELETED

@@ -1,25 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-2661
-osvdb: 82403
-url: http://www.osvdb.org/show/osvdb/82403
-title: Ruby on Rails where Method ActiveRecord Class SQL Injection
-date: 2012-05-31
-description: |
-  Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out
-  an SQL injection attack. The issue is due to the ActiveRecord class not
-  properly sanitizing user-supplied input to the 'where' method. This may
-  allow an attacker to inject or manipulate SQL queries in an application
-  built on RoR, allowing for the manipulation or disclosure of arbitrary data.
-cvss_v2: 5.0
-unaffected_versions:
-  - ~> 2.3.14
-patched_versions:
-  - ~> 3.0.13
-  - ~> 3.1.5
-  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-2660
-osvdb: 82610
-url: http://www.osvdb.org/show/osvdb/82610
-title:
-  Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
-  Arbitrary IS NULL Clause Injection
-date: 2012-05-31
-description: |
-  Ruby on Rails contains a flaw related to the way ActiveRecord handles
-  parameters in conjunction with the way Rack parses query parameters.
-  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses in
-  to application SQL queries. This may also allow an attacker to have the
-  SQL query check for NULL in arbitrary places.
-cvss_v2: 7.5
-patched_versions:
-  - ~> 3.0.13
-  - ~> 3.1.5
-  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-88661.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-6496
-osvdb: 88661
-url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
-title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
-date: 2012-12-22
-description: |
-  Due to the way dynamic finders in Active Record extract options from method
-  parameters, a method parameter can mistakenly be used as a scope.  Carefully
-  crafted requests can use the scope to inject arbitrary SQL.
-cvss_v2: 6.4
-patched_versions:
-  - ~> 3.0.18
-  - ~> 3.1.9
-  - ">= 3.2.10"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0155
-osvdb: 89025
-url: http://osvdb.org/show/osvdb/89025
-title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-date: 2013-01-08
-description: |
-  Ruby on Rails contains a flaw in the Active Record. The issue is due to an
-  error with the way the Active Record handles parameters combined with an
-  error during the parsing of the JSON parameters. This may allow a remote
-  attacker to bypass restrictions abd issue unexpected database queries with
-  "IS NULL" or empty where clauses, and forcing the query to unexpectedly check
-  for NULL or eliminate a WHERE clause.
-cvss_v2: 10.0
-patched_versions:
-  - ~> 2.3.16
-  - ~> 3.0.19
-  - ~> 3.1.10
-  - ">= 3.2.11"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0276
-osvdb: 90072
-url: http://osvdb.org/show/osvdb/90072
-title: Ruby on Rails Active Record attr_protected Method Bypass
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw in the attr_protected method of the
-  Active Record. The issue is triggered during the handling of a specially
-  crafted request, which may allow a remote attacker to bypass protection
-  mechanisms and alter values that would otherwise be protected.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 2.3.17"
-  - "~> 3.1.11"
-  - ">= 3.2.12"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0277
-osvdb: 90073
-url: http://osvdb.org/show/osvdb/90073
-title: |
-  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
-  Code Execution
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
-  The issue is triggered when the system is configured to allow users to
-  directly provide values to be serialized and deserialized using YAML.
-  With a specially crafted YAML attribute, a remote attacker can deserialize
-  arbitrary YAML and execute code associated with it.
-cvss_v2: 10.0
-patched_versions:
-  - "~> 2.3.17"
-  - ">= 3.1.0"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-1854
-osvdb: 91453
-url: http://osvdb.org/show/osvdb/91453
-title: Symbol DoS vulnerability in Active Record
-date: 2013-03-19
-description: |
-  When a hash is provided as the find value for a query, the keys of
-  the hash may be converted to symbols. Carefully crafted requests can
-  coerce `params[:name]` to return a hash, and the keys to that hash
-  may be converted to symbols. Ruby symbols are not garbage collected,
-  so an attacker can initiate a denial of service attack by creating a
-  large number of symbols.
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 3.0.0
-patched_versions:
-  - ~> 2.3.18
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: activeresource
-osvdb: 95749
-url: http://osvdb.org/show/osvdb/95749
-title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
-date: 2008-08-15
-description: |
-  activeresource contains a format string flaw in the request function of
-  lib/active_resource/connection.rb. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
-  when passed via the 'result.code' and 'result.message' variables. This may
-  allow a remote attacker to cause a denial of service or potentially execute
-  arbitrary code.
-patched_versions:
-  - ">= 2.2.0"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml DELETED

@@ -1,54 +0,0 @@
----
-gem: activesupport
-cve: 2015-3226
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
-title: |
-  XSS Vulnerability in ActiveSupport::JSON.encode
-date: 2015-06-16
-description: |
-  When a `Hash` containing user-controlled data is encode as JSON (either through
-  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
-  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
-  option (which is enabled by default). If this resulting JSON string is subsequently
-  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
-  For example, the following code snippet is vulnerable to this attack:
-      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
-  Similarly, the following is also vulnerable:
-      <script>
-        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
-      </script>
-  All applications that renders JSON-encoded strings that contains user-controlled
-  data in their views should either upgrade to one of the FIXED versions or use
-  the suggested workaround immediately.
-  Workarounds
-  -----------
-  To work around this problem add an initializer with the following code:
-    module ActiveSupport
-      module JSON
-        module Encoding
-          private
-          class EscapedString
-            def to_s
-              self
-            end
-          end
-        end
-      end
-    end
-unaffected_versions:
-  - "< 4.1.0"
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml DELETED

@@ -1,32 +0,0 @@
----
-gem: activesupport
-cve: 2015-3227
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
-title: |
-  Possible Denial of Service attack in Active Support
-date: 2015-06-16
-description: |
-  Specially crafted XML documents can cause applications to raise a
-  `SystemStackError` and potentially cause a denial of service attack.  This
-  only impacts applications using REXML or JDOM as their XML processor.  Other
-  XML processors that Rails supports are not impacted.
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  Workarounds
-  -----------
-  Use an XML parser that is not impacted by this problem, such as Nokogiri or
-  LibXML.  You can change the processor like this:
-    ActiveSupport::XmlMini.backend = 'Nokogiri'
-  If you cannot change XML parsers, then adjust
-  `RUBY_THREAD_MACHINE_STACK_SIZE`.
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"
-  - "~> 3.2.22"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-1098
-osvdb: 79726
-url: http://osvdb.org/79726
-title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
-date: 2012-03-01
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because athe application does not validate direct
-  manipulations of SafeBuffer objects via '[]' and other methods. This may
-  allow a user to create a specially crafted request that would execute
-  arbitrary script code in a user's browser within the trust relationship
-  between their browser and the server.
-cvss_v2: 4.3
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.0.12
-  - ~> 3.1.4
-  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-3464
-osvdb: 84516
-url: http://www.osvdb.org/show/osvdb/84516
-title: Ruby on Rails HTML Escaping Code XSS
-date: 2012-08-09
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because the HTML escaping code functionality does
-  not properly escape a single quote character. This may allow a user to create
-  a specially crafted request that would execute arbitrary script code in a
-  user's browser within the trust relationship between their browser and the
-  server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.0.17
-  - ~> 3.1.8
-  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml DELETED

@@ -1,25 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2013-0333
-osvdb: 89594
-url: http://osvdb.org/show/osvdb/89594
-title:
-  Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
-  Execution
-date: 2013-01-28
-description: |
-  Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
-  parsing backends, one of which involves transforming JSON into YAML via the
-  YAML parser. With a specially crafted payload, an attacker can subvert the
-  backend into decoding a subset of YAML. This may allow a remote attacker to
-  bypass restrictions, allowing them to bypass authentication systems, inject
-  arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on
-  a Rails application.
-cvss_v2: 9.3
-patched_versions:
-  - ~> 2.3.16
-  - ">= 3.0.20"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml DELETED

@@ -1,28 +0,0 @@
----
-gem: activesupport
-framework: rails
-platform: jruby
-cve: 2013-1856
-osvdb: 91451
-url: http://www.osvdb.org/show/osvdb/91451
-title: XML Parsing Vulnerability affecting JRuby users
-date: 2013-03-19
-description: |
- The ActiveSupport XML parsing functionality supports multiple
- pluggable backends. One backend supported for JRuby users is
- ActiveSupport::XmlMini_JDOM which makes use of the
- javax.xml.parsers.DocumentBuilder class. In some JVM configurations
- the default settings of that class can allow an attacker to construct
- XML which, when parsed, will contain the contents of arbitrary URLs
- including files from the application server. They may also allow for
- various denial of service attacks. Action Pack
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.1.12
-  - ">= 3.2.13"