RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.8.0 - Mend

bundler-audit 0.6.1 → 0.8.0

Files changed (426) hide show

data/data/ruby-advisory-db/gems/open-uri-cached/OSVDB-121701.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: open-uri-cached
-cve: 2015-3649
-osvdb: 121701
-url: http://seclists.org/oss-sec/2015/q2/373
-title: open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege Escalation
-date: 2015-05-05
-description: |
-  open-uri-cached Gem for Ruby contains a flaw that is due to the
-  program creating temporary files in a predictable, unsafe manner when using
-  YAML. This may allow a local attacker to gain elevated privileges.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/paperclip/CVE-2015-2963.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: paperclip
-cve: 2015-2963
-url: https://robots.thoughtbot.com/paperclip-security-release
-title: |
-  Paperclip Gem for Ruby vulnerable to content type spoofing
-date: 2015-06-05
-description: |
-  There is an issue where if an HTML file is uploaded with a .html
-  extension, but the content type is listed as being `image/jpeg`, this
-  will bypass a validation checking for images. But it will also pass the
-  spoof check, because a file named .html and containing actual HTML
-  passes the spoof check.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 4.2.2"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paperclip
-osvdb: 103151
-url: http://osvdb.org/show/osvdb/103151
-title: Paperclip Gem for Ruby contains a flaw
-date: 2014-01-31
-description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
-  validate the file extension, instead only validating the Content-Type header during file uploads.
-  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
-  spoofing the content-type.
-cvss_v2:
-patched_versions:
-  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paratrooper-newrelic
-cve: 2014-1234
-osvdb: 101839
-url: http://www.osvdb.org/show/osvdb/101839
-title: Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure
-date: 2014-01-08
-description: |
-  Paratrooper-newrelic Gem for Ruby contains a flaw in
-  /lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes
-  the API key, allowing a local attacker to gain access to it by monitoring the
-  process tree.
-cvss_v2: 2.1

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paratrooper-pingdom
-cve: 2014-1233
-osvdb: 101847
-url: http://www.osvdb.org/show/osvdb/101847
-title: paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials Local Disclosure
-date: 2013-12-26
-description: |
-  paratrooper-pingdom Gem for Ruby contains a flaw in
-  /lib/paratrooper-pingdom.rb. The issue is triggered when the script exposes
-  API login credentials, allowing a local attacker to gain access to the API
-  key, username, and password for the API login by monitoring the process tree.
-cvss_v2: 2.1

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1831.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: passenger
-cve: 2014-1831
-osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
-title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
-date: 2014-01-28
-description: Phusion Passenger contains a flaw as the program creates the server instance
-  directory insecurely. It is possible for a local attacker to use a symlink attack against
-  the directory to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.37"

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1832.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: passenger
-cve: 2014-1832
-osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
-title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
-date: 2014-01-29
-description: Phusion Passenger contains a flaw as the program creates the server instance
-  directory insecurely. It is possible for a local attacker to use a symlink attack against
-  the directory to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.38"

data/data/ruby-advisory-db/gems/passenger/CVE-2015-7519.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: passenger
-cve: 2015-7519
-url: https://blog.phusion.nl/2015/12/07/cve-2015-7519/
-title: Phusion Passenger Server allows to overwrite headers in some cases
-date: 2015-11-23
-description: It is possible in some cases, for clients to overwrite headers
-  set by the server, resulting in a medium level security issue.
-  Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python
-  applications, while Passenger 4 uses an SCGI-inspired format to pass
-  headers to all applications. This implies a conversion to
-  UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters
-  like '-' and '_' is lost.
-patched_versions:
-  - "~> 4.0.60"
-  - ">= 5.0.22"

data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: passenger
-cve: 2016-10345
-url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
-title:  Predictable tmp File Path Vulnerability in Phusion Passenger
-date: 2017-04-18
-description: >-
-  In Phusion Passenger before 5.1.0, a known /tmp filename was used during
-  passenger-install-nginx-module execution, which could allow local attackers
-  to gain the privileges of the passenger user.
-cvss_v3: 5.5
-patched_versions:
-  - ">= 5.1.0"

data/data/ruby-advisory-db/gems/passenger/OSVDB-90738.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: passenger
-cve: 2012-6135
-osvdb: 90738
-url: http://old.blog.phusion.nl/2013/03/05/phusion-passenger-4-0-beta-1-and-2-arbitrary-file-deletion-vulnerability/
-title: Phusion Passenger Gem for Ruby Arbitrary File Deletion
-date: 2012-02-01
-description: Phusion Passenger Gem for Ruby contains a flaw that is triggered
-  during application startup. This issue may allow a local attacker to delete
-  arbitrary files via an application process. If the program has completed the
-  start up process this vulnerability is no longer exploitable.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.0"
-unaffected_versions:
-  - "< 4.0.0"

data/data/ruby-advisory-db/gems/passenger/OSVDB-93752.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: passenger
-cve: 2013-2119
-osvdb: 93752
-url: http://osvdb.org/show/osvdb/93752
-title: Phusion Passenger Gem for Ruby Predictable Temporary Filename Generation Symlink Local Privilege Escalation
-date: 2013-05-29
-description: Phusion Passenger Gem for Ruby contains a flaw as the program creates
-  temporary files insecurely. It is possible for a local attacker to use a symlink
-  attack against the Nginx config file to cause the program to unexpectedly overwrite
-  the file, allowing a local attacker to execute code with elevated privileges.
-cvss_v2: 4.6
-patched_versions:
-  - "~> 3.0.21"
-  - ">= 4.0.5"

data/data/ruby-advisory-db/gems/passenger/OSVDB-94074.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: passenger
-cve: 2013-4136
-osvdb: 94074
-url: http://osvdb.org/show/osvdb/94074
-title: Phusion Passenger Gem for Ruby Utils.cpp Temporary Directory Creation Symlink Local Privilege Escalation
-date: 2013-06-10
-description: Phusion Passenger Gem for Ruby contains a flaw as the program creates
-  temporary directories insecurely. It is possible for a local attacker to use a
-  symlink attack against the Utils.cpp file to allow the attacker to gain elevated
-  privileges.
-cvss_v2: 4.6
-patched_versions:
-  - ">= 4.0.8"

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: pdfkit
-cve: 2013-1607
-osvdb: 90867
-url: http://osvdb.org/show/osvdb/90867
-title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
-date: 2013-02-21
-description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
-cvss_v2:
-patched_versions:
-  - ">= 0.5.3"

data/data/ruby-advisory-db/gems/point-cli/OSVDB-108577.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: point-cli
-cve: 2014-4997
-osvdb: 108577
-url: http://osvdb.org/show/osvdb/108577
-title: point-cli Gem for Ruby /lib/commands/setup.rb Process Table Local Plaintext Credential Disclosure
-date: 2014-06-30
-description: point-cli Gem for Ruby contains a flaw in /lib/commands/setup.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/quick_magick/OSVDB-106954.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: quick_magick
-osvdb: 106954
-url: http://osvdb.org/show/osvdb/106954
-title: quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String Handling Remote Command Injection
-date: 2011-01-12
-description: quick_magick Gem for Ruby contains a flaw in the QuickMagick::Image.read function. The issue is triggered when handling a specially crafted string. This may allow a remote attacker to inject arbitrary commands.

data/data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: rack-attack
-osvdb: 132234
-url: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1
-title: |
-  rack-attack Gem for Ruby missing normalization before request path
-  processing
-date: 2015-12-18
-description: |
-  When using rack-attack with a rails app, developers expect the request
-  path to be normalized. In particular, trailing slashes are stripped so
-  a request path "/login/" becomes "/login" by the time you're in
-  ActionController.
-  Since Rack::Attack runs before ActionDispatch, the request path is not
-  yet normalized. This can cause throttles and blacklists to not work as
-  expected.
-  E.g., a throttle:
-  `throttle('logins', ...) {|req| req.path == "/login" }`
-  would not match a request to '/login/', though Rails would route
-  '/login/' to the same '/login' action.
-patched_versions:
-  - ">= 4.3.1"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack-cache
-cve: 2012-2671
-osvdb: 83077
-url: http://osvdb.org/83077
-title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
-date: 2012-06-06
-description: |
-  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
-  sensitive HTTP headers. This will result in a weakness that may make it
-  easier for an attacker to gain access to a user's session via a specially
-  crafted header.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.2"

data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: rack-mini-profiler
-cve: 2016-4442
-url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c
-title: rack-mini-profiler may disclose information to unauthorized users
-date: 2016-05-18
-description: >-
-  Carefully crafted requests can expose information about
-  strings and objects allocated during the request for unauthorised
-  users.
-patched_versions:
-  - ">= 0.10.1"
-related:
-  url:
-    - http://seclists.org/oss-sec/2016/q2/516

data/data/ruby-advisory-db/gems/rack-ssl/OSVDB-104734.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: rack-ssl
-cve: 2014-2538
-osvdb: 104734
-url: http://osvdb.org/show/osvdb/104734
-title: rack-ssl Gem for Ruby Error Message Reflected XSS
-date: 2013-07-09
-description: rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 1.3.4"

data/data/ruby-advisory-db/gems/rack/CVE-2015-3225.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack
-cve: 2015-3225
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
-title: |
-  Potential Denial of Service Vulnerability in Rack
-date: 2015-06-16
-description: |
-  Carefully crafted requests can cause a `SystemStackError` and potentially
-  cause a denial of service attack.
-  All users running an affected release should upgrade.
-patched_versions:
-  - ">= 1.6.2"
-  - "~> 1.5.4"
-  - "~> 1.4.6"

data/data/ruby-advisory-db/gems/rack/OSVDB-78121.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rack
-cve: 2011-5036
-osvdb: 78121
-url: http://osvdb.org/show/osvdb/78121
-title: |
-  Rack Hash Collision Form Parameter Parsing Remote DoS
-date: 2011-12-28
-description: |
-  Rack contains a flaw that may allow a remote denial of service. The issue is
-  triggered when an attacker sends multiple crafted parameters which trigger
-  hash collisions, and will result in loss of availability for the program via
-  CPU consumption.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 1.1.3"
-  - "~> 1.2.5"
-  - "~> 1.3.6"
-  - ">= 1.4.0"

data/data/ruby-advisory-db/gems/rack/OSVDB-89317.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rack
-cve: 2012-6109
-osvdb: 89317
-url: http://osvdb.org/show/osvdb/89317
-title: |
-  Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS
-date: 2012-05-04
-description: |
-  Rack contains a flaw in the Regular Expressions Engine that may allow a remote
-  denial of service. The issue is triggered when parsing context-disposition
-  headers. With a specially crafted header, a remote attacker can cause an
-  infinite loop, which will result in a loss of availability for the webserver.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.1.4"
-  - "~> 1.2.6"
-  - "~> 1.3.7"
-  - ">= 1.4.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89320.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: rack
-cve: 2013-0183
-osvdb: 89320
-url: http://osvdb.org/show/osvdb/89320
-title: |
-  Rack Long String Parsing Memory Consumption Remote DoS
-date: 2013-01-07
-description: |
-  Rack contains a flaw that may allow a remote denial of service. The issue is
-  triggered when parsing an overly long string. With a specially crafted string,
-  a remote attacker can cause a consumption of memory. This will result in a
-  loss of availability for the webserver.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 1.3.8"
-  - ">= 1.4.3"

data/data/ruby-advisory-db/gems/rack/OSVDB-89327.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rack
-cve: 2013-0184
-osvdb: 89327
-url: http://osvdb.org/show/osvdb/89327
-title: |
-  Rack Rack::Auth::AbstractRequest Class Unspecified Remote DoS
-date: 2013-01-13
-description: |
-  Rack contains a flaw in the Rack::Auth::AbstractRequest class that may allow
-  a remote denial of service. The issue is triggered when an unspecified error
-  occurs, which will result in a loss of availability for the webserver.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.1.5"
-  - "~> 1.2.7"
-  - "~> 1.3.9"
-  - ">= 1.4.4"

data/data/ruby-advisory-db/gems/rack/OSVDB-89938.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack
-cve: 2013-0262
-osvdb: 89938
-url: http://osvdb.org/show/osvdb/89938
-title: |
-  Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure
-date: 2013-02-07
-description: |
-  Rack contains a flaw as the Rack::File function creates temporary files
-  insecurely. It is possible for a local attacker to use a symlink attack to
-  traverse to an arbitrary file and disclose its contents
-cvss_v2: 4.3
-patched_versions:
-- "~> 1.4.5"
-- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: rack
-cve: 2013-0263
-osvdb: 89939
-url: http://osvdb.org/show/osvdb/89939
-title: |
-  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
-date: 2013-02-07
-description: |
-  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
-  function. Users of the Marshal session cookie encoding (the default), are
-  subject to a timing attack that may lead an attacker to execute arbitrary
-  code. This attack is more practical against 'cloud' users as intra-cloud
-  latencies are sufficiently low to make the attack viable.
-cvss_v2: 5.1
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.8
-  - ~> 1.3.10
-  - ~> 1.4.5
-  - ">= 1.5.2"