RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.8.0 - Mend

bundler-audit 0.6.1 → 0.8.0

Files changed (426) hide show

data/data/ruby-advisory-db/gems/kajam/OSVDB-108530.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: kajam
-osvdb: 108530
-url: http://osvdb.org/show/osvdb/108530
-title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: |
-  kajam Gem for Ruby contains a flaw in
-  /dataset/lib/dataset/database/postgresql.rb that is triggered when handling
-  metacharacters. This may allow a remote attacker to execute arbitrary
-  commands.

data/data/ruby-advisory-db/gems/karo/OSVDB-108573.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: karo
-osvdb: 108573
-url: http://osvdb.org/show/osvdb/108573
-title: karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: |
-  karo Gem for Ruby contains a flaw in db.rb that is triggered when handling
-  metacharacters. This may allow a remote attacker to execute arbitrary
-  commands.

data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: karteek-docsplit
-cve: 2013-1933
-osvdb: 92117
-url: http://osvdb.org/show/osvdb/92117
-title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-08
-description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 9.3

data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108571.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: kcapifony
-cve: 2014-5001
-osvdb: 108571
-url: http://osvdb.org/show/osvdb/108571
-title: kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password Disclosure
-date: 2014-06-30
-description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered as the program displays password information in plaintext in the process list. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/kcapifony/OSVDB-108572.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: kcapifony
-osvdb: 108572
-url: http://osvdb.org/show/osvdb/108572
-title: kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: kelredd-pruview
-cve: 2013-1947
-osvdb: 92228
-url: http://osvdb.org/show/osvdb/92228
-title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-04
-description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
-cvss_v2: 9.3

data/data/ruby-advisory-db/gems/kompanee-recipes/OSVDB-108593.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: kompanee-recipes
-osvdb: 108593
-url: http://osvdb.org/show/osvdb/108593
-title: kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb Multiple Variable Handling Remote Command Execution Weakness
-date: 2014-06-30
-description: |
-  kompanee-recipes Gem for Ruby contains a flaw in
-  /lib/kompanee-recipes/heroku.rb that is triggered when handling shell
-  metacharacters passed via the 'password', 'user', 'deploy_name', and
-  'application' variables. This may allow a remote attacker to execute
-  arbitrary commands.

data/data/ruby-advisory-db/gems/lawn-login/OSVDB-108576.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: lawn-login
-cve: 2014-5000
-osvdb: 108576
-url: http://osvdb.org/show/osvdb/108576
-title: lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password Disclosure
-date: 2014-06-30
-description: lawn-login Gem for Ruby contains a flaw in /lib/lawn.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/ldap_fluff/OSVDB-90579.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: ldap_fluff
-cve: 2012-5604
-osvdb: 90579
-url: http://osvdb.org/show/osvdb/90579
-title: Red Hat Subscription Asset Manager rubygem-ldap_fluff Active Directory Authentication Bypass
-date: 2012-12-04
-description: Red Hat Subscription Asset Manager contains a flaw in the
-  rubygem-ldap_fluff component. The issue is triggered when using Microsoft
-  Active Directory server as the authentication back-end. This may result in
-  authentication no longer being enforced, allowing a remote attacker to
-  trivially bypass it.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.1.3"

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: ldoce
-cve: 2013-1911
-osvdb: 91870
-url: http://osvdb.org/show/osvdb/91870
-title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-01
-description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
-cvss_v2: 6.8

data/data/ruby-advisory-db/gems/lean-ruport/OSVDB-108581.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: lean-ruport
-cve: 2014-4998
-osvdb: 108581
-url: http://osvdb.org/show/osvdb/108581
-title: lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext MySQL Password Disclosure
-date: 2014-06-30
-description: lean-ruport Gem for Ruby contains a flaw in /test/tc_database.rb that is due to the application exposing MySQL password information in plaintext in the process table. This may allow a local attacker to gain access to MySQL password information.

data/data/ruby-advisory-db/gems/lingq/OSVDB-108585.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: lingq
-osvdb: 108585
-url: http://osvdb.org/show/osvdb/108585
-title: lingq Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: lingq Gem for Ruby contains a flaw in client.rb that is triggered when handling metacharacters. This may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: loofah
-osvdb: 90945
-url: http://www.osvdb.org/show/osvdb/90945
-title: Loofah HTML and XSS injection vulnerability
-date: 2012-09-08
-description: |
-  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
-  scripting (XSS) attack. This flaw exists because the
-  Loofah::HTML::Document\#text function passes properly sanitized
-  user-supplied input to the Loofah::XssFoliate and
-  Loofah::Helpers\#strip_tags functions which convert input back to
-  text. This may allow an attacker to create a specially crafted
-  request that would execute arbitrary script code in a user's browser
-  within the trust relationship between their browser and the server.
-cvss_v2: 5.0
-patched_versions:
-  - ">=  0.4.6"

data/data/ruby-advisory-db/gems/lynx/OSVDB-108579.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: lynx
-osvdb: 108579
-url: http://osvdb.org/show/osvdb/108579
-title: lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command Execution
-date: 2014-06-30
-description: lynx Gem for Ruby contains a flaw in lib/lynx/pipe/run.rb that may allow a remote attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/lynx/OSVDB-108580.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: lynx
-cve: 2014-5002
-osvdb: 108580
-url: http://osvdb.org/show/osvdb/108580
-title: lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password Disclosure
-date: 2014-06-30
-description: lynx Gem for Ruby contains a flaw in command/basic.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/mail/OSVDB-131677.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: mail
-cve: 2015-9097
-osvdb: 131677
-url: https://hackerone.com/reports/137631
-title: SMTP command injection
-date: 2015-12-09
-description: |
-  Because Mail does not disallow CRLF in email addresses, an attacker can
-  inject SMTP commands in specially crafted email addresses passed to
-  RCPT TO and MAIL FROM.
-  Not affected by this vulnerability:
-    * Ruby 2.4.0+ with a fix for CVE-2015-9096.
-    * Applications that do not use SMTP delivery.
-    * Applications that validate email addresses to not include CRLF.
-  The injection attack is described in Terada, Takeshi. "SMTP Injection via
-  Recipient Email Addresses." 2015. The attacks described in the paper
-  (Terada, p. 4) can be applied to the library without any modification.
-patched_versions:
-- ">= 2.5.5"
-related:
-  url:
-    - http://www.mbsd.jp/Whitepaper/smtpi.pdf
-    - https://github.com/mikel/mail/pull/1097

data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: mail
-cve: 2011-0739
-osvdb: 70667
-url: http://www.osvdb.org/show/osvdb/70667
-title: >
-  Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
-  Address Arbitrary Shell Command Injection
-date: 2011-01-25
-description: |
-  Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
-  input passed from an email from address in the 'deliver()' function in
-  'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
-  command line argument. This may allow a remote attacker to inject arbitrary
-  shell commands.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 2.2.15"

data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: mail
-cve: 2012-2139
-osvdb: 81631
-url: http://www.osvdb.org/show/osvdb/81631
-title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
-date: 2012-03-14
-description: |
-  Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
-cvss_v2: 5.0
-patched_versions:
-- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: mail
-cve: 2012-2140
-osvdb: 81632
-url: http://www.osvdb.org/show/osvdb/81632
-title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
-date: 2012-03-14
-description: |
-  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim
-  delivery methods, which may allow an attacker to execute arbitrary shell
-  commands..
-cvss_v2: 7.5
-patched_versions:
-- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-129854.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: mapbox-rails
-osvdb: 129854
-url: https://nodesecurity.io/advisories/49
-title: mapbox-rails Content Injection via TileJSON attribute
-date: 2015-10-24
-description: |
-  Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable
-  to a cross-site-scripting attack in certain uncommon usage scenarios.
-  If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON
-  content from a non-Mapbox URL, it is possible for a malicious user with
-  control over the TileJSON content to inject script content into the
-  "attribution" value of the TileJSON which will be executed in the context of
-  the page using Mapbox.js.
-  Such usage is uncommon. The following usage scenarios are not vulnerable:
-  * only trusted TileJSON content is loaded
-  * TileJSON content comes only from mapbox.com URLs
-  * a Mapbox map ID is supplied, rather than a TileJSON URL

data/data/ruby-advisory-db/gems/mapbox-rails/OSVDB-132871.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: mapbox-rails
-osvdb: 132871
-url: https://nodesecurity.io/advisories/74
-title: mapbox-rails Content Injection via TileJSON Name
-date: 2016-01-12
-description: |
-  Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable
-  to a cross-site-scripting attack in certain uncommon usage scenarios.
-  If you use L.mapbox.map and L.mapbox.shareControl it is possible for a
-  malicious user with control over the TileJSON content to inject script
-  content into the name value of the TileJSON. After clicking on the share
-  control, the malicious code will execute in the context of the page using
-  Mapbox.js.
-  Such usage is uncommon. L.mapbox.shareControl is not automatically added to
-  Mapbox.js maps and must be explicitly added. The following usage scenarios
-  are not vulnerable:
-  * the map does not use a share control (L.mapbox.sharecontrol)
-  * only trusted TileJSON content is loaded

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: md2pdf
-cve: 2013-1948
-osvdb: 92290
-url: http://osvdb.org/show/osvdb/92290
-title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-13
-description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 10.0

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: mini_magick
-cve: 2013-2616
-osvdb: 91231
-url: http://osvdb.org/show/osvdb/91231
-title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-12
-description: |
-  MiniMagick Gem for Ruby contains a flaw that is triggered during the handling
-  of specially crafted input from an untrusted source passed via a URL that
-  contains a ';' character. This may allow a context-dependent attacker to
-  potentially execute arbitrary commands.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 3.6.0"

data/data/ruby-advisory-db/gems/minitar/CVE-2016-10173.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: minitar
-cve: 2016-10173
-url: https://github.com/halostatue/minitar/issues/16
-title: Minitar Directory Traversal Vulnerability
-date: 2016-08-22
-description: |
-  Minitar allows attackers to overwrite arbitrary files during archive
-  extraction via a .. (dot dot) in an extracted filename. Analogous
-  vulnerabilities for unzip and tar:
-  https://www.cvedetails.com/cve/CVE-2001-1268/ and
-  http://www.cvedetails.com/cve/CVE-2001-1267/
-  Credit: ecneladis
-patched_versions:
-  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/moped/CVE-2015-4410.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: moped
-cve: 2015-4410
-url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
-title: Data Injection Vulnerability in moped Rubygem
-date: 2015-06-04
-description: >-
-  A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
-vendor_patch:
-  - https://github.com/mongoid/moped/compare/e5fc928bcb5b7b89d171e31e31483be4185971b9...32cba17ad7d3da326778b4d8cd4b52e75bca9d40
-  - https://github.com/mongoid/moped/commit/276fbfd23c5ffb65e6bd18d564c8b6878c2498ac
-patched_versions:
-  - "~> 1.5.3"
-  - ">= 2.0.5"

data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: multi_xml
-cve: 2013-0175
-osvdb: 89148
-url: http://osvdb.org/show/osvdb/89148
-title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
-date: 2013-01-11
-description: |
-  The multi_xml Gem for Ruby contains a flaw that is triggered when an error
-  occurs during the parsing of the 'XML' parameter. With a crafted request
-  containing arbitrary symbol and yaml types, a remote attacker can execute
-  arbitrary commands.
-patched_versions:
-  - ">= 0.5.2"

data/data/ruby-advisory-db/gems/mustache-js-rails/OSVDB-131671.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: mustache-js-rails
-osvdb: 131671
-url: https://blog.srcclr.com/handlebars_vulnerability_research_findings/
-title: mustache.js - quoteless attributes in templates can lead to XSS
-date: 2015-11-17
-description: |
-  The upstream 'mustache.js' node.js module was found to not properly escape
-  backtick (`) and equals (=) characters, leading to possible content injection
-  via attributes in templates.
-  Example:
-  * Template: <a href={{foo}}/>
-  * Input: { 'foo' : 'test.com onload=alert(1)'}
-  * Rendered result: <a href=test.com onload=alert(1)/>
-patched_versions:
-  - ">= 2.0.3"

data/data/ruby-advisory-db/gems/net-ldap/OSVDB-106108.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: net-ldap
-cve: 2014-0083
-osvdb: 106108
-url: http://osvdb.org/show/osvdb/106108
-title:  Net::LDAP for Ruby lib/net/ldap/password.rb SSHA Password Generation Weak Salt
-date: 2014-02-13
-description: Net::LDAP for Ruby contains a flaw in lib/net/ldap/password.rb. The
-  issue is due to the program generating SSHA passwords with a weak salt value
-  that is between 0 and 999. This may allow a local attacker to more easily gain
-  access to password information.
-cvss_v2: 1.9
-patched_versions:
-  - ">= 0.6.0"

data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: newrelic_rpm
-cve: 2013-0284
-osvdb: 90189
-url: http://osvdb.org/show/osvdb/90189
-title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
-date: 2012-12-06
-description: |
-  A bug in the Ruby agent causes database connection information and raw SQL
-  statements to be transmitted to New Relic servers. The database connection
-  information includes the database IP address, username, and password
-cvss_v2: 5.0
-patched_versions:
-  - ">= 3.5.3.25"