RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.7.0 - Mend

bundler-audit 0.6.1 → 0.7.0

Files changed (391) hide show

data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: administrate
-cve: 2016-3098
-title: Cross-site request forgery (CSRF) vulnerability in administrate gem
-date: 2016-04-01
-url: http://seclists.org/oss-sec/2016/q2/0
-description: >-
-  `Administrate::ApplicationController` actions didn't have CSRF
-  protection. Remote attackers can hijack user's sessions and use any
-  functionality that administrate exposes on their behalf.
-patched_versions:
-  - ">= 0.1.5"

data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml DELETED

@@ -1,10 +0,0 @@
----
-gem: aescrypt
-cve: 2013-7463
-date: 2013-10-01
-url: https://github.com/Gurpartap/aescrypt/issues/4
-title: Vulnerability in aescrypt because IV is not randomized
-description: |
-  The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the
-  AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to
-  defeat cryptographic protection mechanisms via a chosen plaintext attack.

data/data/ruby-advisory-db/gems/archive-tar-minitar/CVE-2016-10173.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: archive-tar-minitar
-cve: 2016-10173
-url: https://github.com/atoulme/minitar/issues/5
-title: Archive-Tar-Minitar Directory Traversal Vulnerability
-date: 2016-08-22
-description: |
-  Minitar allows attackers to overwrite arbitrary files during archive
-  extraction via a .. (dot dot) in an extracted filename. Analogous
-  vulnerabilities for unzip and tar:
-  https://www.cvedetails.com/cve/CVE-2001-1268/ and
-  http://www.cvedetails.com/cve/CVE-2001-1267/
-  Credit: ecneladis
-patched_versions:
-  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/as/OSVDB-112683.yml DELETED

@@ -1,10 +0,0 @@
----
-gem: as
-osvdb: 112683
-url: http://osvdb.org/show/osvdb/112683
-title: as Gem for Ruby Process List Local Plaintext Credentials Disclosure
-date: 2014-09-25
-description: |
-  as Gem for Ruby contains a flaw that is due to the program displaying
-  credential information in plaintext in the process list. This may
-  allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/authlogic/OSVDB-89064.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: authlogic
-cve: 2012-6497
-osvdb: 89064
-url: http://osvdb.org/show/osvdb/89064
-title: Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness
-date: 2012-12-21
-description: |
-  Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered
-  when the program makes an unsafe method call for find_by_id. With a specially
-  crafted parameter in an environment that knows the secret_token value in
-  secret_token.rb, a remote attacker to more easily conduct SQL injection
-  attacks.
-patched_versions:
-  - ">= 3.3.0"

data/data/ruby-advisory-db/gems/auto_awesomplete/OSVDB-132800.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: auto_awesomplete
-osvdb: 132800
-url: https://github.com/Tab10id/auto_awesomplete/issues/2
-title: |
-  auto_awesomplete Gem for Ruby allows arbitrary search execution
-date: 2016-01-08
-description: |
-  auto_awesomplete Gem for Ruby contains a flaw that is triggered when handling the
-  'params[:default_class_name]' option. This allows users to search any object
-  of all given ActiveRecord classes.

data/data/ruby-advisory-db/gems/auto_select2/OSVDB-132800.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: auto_select2
-osvdb: 132800
-url: https://github.com/Loriowar/auto_select2/issues/4
-title: |
-  auto_select2 Gem for Ruby allows arbitrary search execution
-date: 2016-01-08
-description: |
-  auto_select2 Gem for Ruby contains a flaw that is triggered when handling the
-  'params[:default_class_name]' option. This allows users to search any object
-  of all given ActiveRecord classes.
-patched_versions:
-  - ">= 0.5.0"

data/data/ruby-advisory-db/gems/awesome_spawn/CVE-2014-0156.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: awesome_spawn
-cve: 2014-0156
-url: https://github.com/ManageIQ/awesome_spawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff
-title: OS command injection flaw in awesome_spawn
-date: 2014-03-28
-description: >-
-  Awesome spawn contains OS command injection vulnerability, which allows
-  execution of additional commands passed to Awesome spawn as arguments, e.g.
-  AwesomeSpawn.run('ls',:params => {'-l' => ";touch haxored"}). If untrusted
-  input was included in command arguments, attacker could use this flaw to
-  execute arbitrary command.
-cvss_v2:  6.8
-patched_versions:
-  - "~> 1.2.0"
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/backup-agoddard/OSVDB-108578.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: backup-agoddard
-cve: 2014-4993
-osvdb: 108578
-url: http://osvdb.org/show/osvdb/108578
-title: backup-agoddard Gem for Ruby /lib/backup/cli/utility.rb Process Table Local Plaintext Password Disclosure
-date: 2014-06-30
-description: backup-agoddard Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108569.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: backup_checksum
-cve: 2014-4993
-osvdb: 108569
-url: http://osvdb.org/show/osvdb/108569
-title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Process List Local Plaintext Password Disclosure
-date: 2014-06-30
-description: |
-  backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
-  that is triggered as the program displays password information in plaintext
-  in the process list. This may allow a local attacker to gain access to
-  password information.

data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108570.yml DELETED

@@ -1,10 +0,0 @@
----
-gem: backup_checksum
-osvdb: 108570
-url: http://osvdb.org/show/osvdb/108570
-title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: |
-  backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
-  that is triggered when handling metacharacters. This may allow a remote
-  attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/bcrypt-ruby/OSVDB-62067.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: bcrypt-ruby
-platform: jruby
-osvdb: 62067
-url: http://www.mindrot.org/files/jBCrypt/internat.adv
-title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)
-date: 2010-02-01
-description: |
-  bcrypt-ruby Gem for Ruby suffered from a bug related to character
-  encoding that substantially reduced the entropy of hashed passwords
-  containing non US-ASCII characters. An incorrect encoding step
-  transparently replaced such characters by '?' prior to hashing. In the
-  worst case of a password consisting solely of non-US-ASCII characters,
-  this would cause its hash to be equivalent to all other such passwords
-  of the same length. This issue only affects the JRuby implementation.
-  This gem has been renamed. Please use "bcrypt" from now on.
-patched_versions:
-  - ">= 2.1.4"

data/data/ruby-advisory-db/gems/bcrypt/OSVDB-62067.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: bcrypt
-platform: jruby
-osvdb: 62067
-url: http://www.mindrot.org/files/jBCrypt/internat.adv
-title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)
-date: 2010-02-01
-description: |
-  bcrypt-ruby Gem for Ruby suffered from a bug related to character
-  encoding that substantially reduced the entropy of hashed passwords
-  containing non US-ASCII characters. An incorrect encoding step
-  transparently replaced such characters by '?' prior to hashing. In the
-  worst case of a password consisting solely of non-US-ASCII characters,
-  this would cause its hash to be equivalent to all other such passwords
-  of the same length. This issue only affects the JRuby implementation.
-patched_versions:
-  - ">= 2.1.4"

data/data/ruby-advisory-db/gems/bio-basespace-sdk/OSVDB-101031.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: bio-basespace-sdk
-cve: 2013-7111
-osvdb: 101031
-url: http://osvdb.org/show/osvdb/101031
-title: Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure
-date: 2013-12-14
-description: Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API client code passing the API_KEY to a curl command. This may allow a local attacker to gain access to API key information by monitoring the process table.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108899.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: brbackup
-osvdb: 108899
-url: http://osvdb.org/show/osvdb/108899
-title: brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
-date: 2014-07-09
-description: |
-  brbackup Gem for Ruby contains a flaw that may allow carrying out an SQL
-  injection attack. The issue is due to the /lib/brbackup.rb script not
-  properly sanitizing user-supplied input to the 'name' parameter. This may
-  allow a remote attacker to inject or manipulate SQL queries in the back-end
-  database, allowing for the manipulation or disclosure of arbitrary data.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108900.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: brbackup
-osvdb: 108900
-url: http://osvdb.org/show/osvdb/108900
-title: brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution
-date: 2014-07-09
-description: |
-  brbackup Gem for Ruby contains a flaw that is triggered as input passed
-  via the 'dbuser' variable is not properly sanitized. This may allow a
-  remote attacker to inject shell metacharacters and execute arbitrary
-  commands.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108901.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: brbackup
-cve: 2014-5004
-osvdb: 108901
-url: http://osvdb.org/show/osvdb/108901
-title: brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
-date: 2014-07-09
-description: |
-  brbackup Gem for Ruby contains a flaw that is due to the program exposing
-  password information in plaintext in the process list. This may allow a
-  local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/bson/CVE-2015-4412.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: bson
-cve: 2015-4412
-url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
-title: Data Injection Vulnerability in bson Rubygem
-date: 2015-06-04
-description: >-
-  A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
-vendor_patch:
-  - https://github.com/mongodb/mongo-ruby-driver/compare/6ae981167759d5819ba3d41e374e5b2af5b79077~1...9859a3ab9773a8a883eb8438b665a921cc991c71
-  - https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7
-patched_versions:
-  - "~> 1.12.3"
-  - ">= 3.0.4"

data/data/ruby-advisory-db/gems/builder/OSVDB-95668.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: builder
-osvdb: 95668
-url: http://osvdb.org/show/osvdb/95668
-title: Builder Gem for Ruby Tag Name Handling Private Method Exposure
-date: 2007-06-15
-description: |
-  Builder Gem for Ruby contains a flaw in the handling of tag names. The issue
-  is triggered when the program reads tag names from XML data and then calls a
-  method with that name. With a specially crafted file, a context-dependent
-  attacker can call private methods and manipulate data.
-patched_versions:
-  - ">= 2.1.2"

data/data/ruby-advisory-db/gems/bundler/OSVDB-110004.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: bundler
-cve: 2013-0334
-osvdb: 110004
-url: http://www.osvdb.org/show/osvdb/110004
-title: Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing
-date: 2014-08-13
-description: |
-  Bundler Gem for Ruby contains a flaw that is triggered when handling
-  a gemfile that contains multiple top-level source lines. This may allow a
-  context-dependent attacker to install specially crafted gems on a remote
-  system, leading to arbitrary code execution.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.7.0"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115090.yml DELETED

@@ -1,13 +0,0 @@
----
-gem: bundler
-osvdb: 115090
-url: http://www.osvdb.org/show/osvdb/115090
-title: Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing
-date: 2013-02-12
-description: |
-  Bundler Gem for Ruby contains a flaw as SSL certificates are not properly
-  validated. By spoofing the SSL server via a certificate that appears valid,
-  an attacker with the ability to intercept network traffic (e.g. MiTM, DNS
-  cache poisoning) can disclose and optionally manipulate transmitted data.
-patched_versions:
-  - ">= 1.3.0.pre.8"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115091.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: bundler
-osvdb: 115091
-url: http://www.osvdb.org/show/osvdb/115091
-title: Bundler Gem for Ruby Redirection Remote HTTP Basic Authentication Credential Disclosure
-date: 2013-02-12
-description: |
-   Bundler Gem for Ruby contains a flaw that is triggered during the
-   redirection to other hosts. This may allow a remote attacker to gain access
-   to HTTP basic authentication credential information.
-patched_versions:
-  - ">= 1.3.0.pre.8"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115917.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: bundler
-osvdb: 115917
-url: http://www.osvdb.org/show/osvdb/115917
-title: Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential Disclosure
-date: 2011-09-20
-description: |
-  Bundler Gem for Ruby contains a flaw that is due to the program listing
-  credential information in plaintext in the install command process listing.
-  This may allow a local attacker to gain access to credential information.
-patched_versions:
-  - ">= 1.1.rc"

data/data/ruby-advisory-db/gems/cap-strap/OSVDB-108574.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: cap-strap
-cve: 2014-4992
-osvdb: 108574
-url: http://osvdb.org/show/osvdb/108574
-title: cap-strap Gem for Ruby Process Table Local Plaintext Credential Disclosure
-date: 2014-06-30
-description: cap-strap Gem for Ruby contains a flaw that is due to the application exposing credential information in plaintext in the process table listing. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/cap-strap/OSVDB-108575.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: cap-strap
-osvdb: 108575
-url: http://osvdb.org/show/osvdb/108575
-title: cap-strap Gem for Ruby Hardcoded Password Crypt Hash Salt Weakness
-date: 2014-06-30
-description: cap-strap Gem for Ruby contains a flaw that is due to the application using a hardcoded default 'sa' salt for password encryption. This may allow a local attacker to more easily decrypt passwords.

data/data/ruby-advisory-db/gems/ciborg/OSVDB-108586.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: ciborg
-cve: 2014-5003
-osvdb: 108586
-url: http://osvdb.org/show/osvdb/108586
-title: ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File Overwrite
-date: 2014-06-30
-description: ciborg Gem for Ruby contains a flaw as default.rb creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/perlbrew-installer file to cause the program to unexpectedly overwrite an arbitrary file.

data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: cocaine
-cve: 2013-4457
-osvdb: 98835
-url: http://www.osvdb.org/show/osvdb/98835
-title: Cocaine Gem for Ruby contains a flaw
-date: 2013-10-22
-description: Cocaine Gem for Ruby contains a flaw that is due to the method
-  of variable interpolation used by the program. With a specially crafted
-  object, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 6.8
-unaffected_versions:
-  - < 0.4.0
-patched_versions:
-  - '>= 0.5.3'

data/data/ruby-advisory-db/gems/codders-dataset/OSVDB-108582.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: codders-dataset
-cve: 2014-4991
-osvdb: 108582
-url: http://osvdb.org/show/osvdb/108582
-title: codders-dataset Gem for Ruby /lib/dataset/database/postgresql.rb Process Table Local Plaintext Credential Disclosure
-date: 2014-06-30
-description: codders-dataset Gem for Ruby contains a flaw in /lib/dataset/database/postgresql.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/codders-dataset/OSVDB-108583.yml DELETED

@@ -1,8 +0,0 @@
----
-gem: codders-dataset
-cve: 2014-4991
-osvdb: 108583
-url: http://osvdb.org/show/osvdb/108583
-title: codders-dataset Gem for Ruby /lib/dataset/database/mysql.rb Process Table Local Plaintext Credential Disclosure
-date: 2014-06-30
-description: codders-dataset Gem for Ruby contains a flaw in /lib/dataset/database/mysql.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: colorscore
-cve: 2015-7541
-osvdb: 132516
-url: http://seclists.org/oss-sec/2016/q1/17
-title: colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection
-date: 2016-01-04
-description: |
-  The contents of the `image_path`, `colors`, and `depth` variables generated
-  from possibly user-supplied input are passed directly to the shell via
-  `convert ...`.
-  If a user supplies a value that includes shell metacharacters such as ';', an
-  attacker may be able to execute shell commands on the remote system as the
-  user id of the Ruby process.
-  To resolve this issue, the aforementioned variables (especially `image_path`)
-  must be sanitized for shell metacharacters.
-patched_versions:
-  - '>= 0.0.5'

data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml DELETED

@@ -1,9 +0,0 @@
----
-gem: command_wrap
-cve: 2013-1875
-osvdb: 91450
-url: http://osvdb.org/show/osvdb/91450
-title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-18
-description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: crack
-cve: 2013-1800
-osvdb: 90742
-url: http://osvdb.org/show/osvdb/90742
-title: crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-description: |
-  crack Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-date: 2013-01-09
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.3.2"