RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.9.0.1 - Mend

bundler-audit 0.6.1 → 0.9.0.1

Files changed (436) hide show

data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml DELETED Viewed

@@ -1,24 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0155
-osvdb: 89025
-url: http://osvdb.org/show/osvdb/89025
-title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass
-date: 2013-01-08
-description: |
-  Ruby on Rails contains a flaw in the Active Record. The issue is due to an
-  error with the way the Active Record handles parameters combined with an
-  error during the parsing of the JSON parameters. This may allow a remote
-  attacker to bypass restrictions abd issue unexpected database queries with
-  "IS NULL" or empty where clauses, and forcing the query to unexpectedly check
-  for NULL or eliminate a WHERE clause.
-cvss_v2: 10.0
-patched_versions:
-  - ~> 2.3.16
-  - ~> 3.0.19
-  - ~> 3.1.10
-  - ">= 3.2.11"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0276
-osvdb: 90072
-url: http://osvdb.org/show/osvdb/90072
-title: Ruby on Rails Active Record attr_protected Method Bypass
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw in the attr_protected method of the
-  Active Record. The issue is triggered during the handling of a specially
-  crafted request, which may allow a remote attacker to bypass protection
-  mechanisms and alter values that would otherwise be protected.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 2.3.17"
-  - "~> 3.1.11"
-  - ">= 3.2.12"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-0277
-osvdb: 90073
-url: http://osvdb.org/show/osvdb/90073
-title: |
-  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
-  Code Execution
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
-  The issue is triggered when the system is configured to allow users to
-  directly provide values to be serialized and deserialized using YAML.
-  With a specially crafted YAML attribute, a remote attacker can deserialize
-  arbitrary YAML and execute code associated with it.
-cvss_v2: 10.0
-patched_versions:
-  - "~> 2.3.17"
-  - ">= 3.1.0"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2013-1854
-osvdb: 91453
-url: http://osvdb.org/show/osvdb/91453
-title: Symbol DoS vulnerability in Active Record
-date: 2013-03-19
-description: |
-  When a hash is provided as the find value for a query, the keys of
-  the hash may be converted to symbols. Carefully crafted requests can
-  coerce `params[:name]` to return a hash, and the keys to that hash
-  may be converted to symbols. Ruby symbols are not garbage collected,
-  so an attacker can initiate a denial of service attack by creating a
-  large number of symbols.
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 3.0.0
-patched_versions:
-  - ~> 2.3.18
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activerecord-jdbc-adapter/OSVDB-114854.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: activerecord-jdbc-adapter
-platform: jruby
-osvdb: 114854
-url: http://osvdb.org/show/osvdb/114854
-title: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
-  Function SQL Injection
-date: 2013-02-25
-description: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
-  out an SQL injection attack. The issue is due to the sql.gsub() function in
-  lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before
-  using it in SQL queries. This may allow a remote attacker to inject or
-  manipulate SQL queries in the back-end database, allowing for the
-  manipulation or disclosure of arbitrary data.
-unaffected_versions:
-  - "< 1.2.6"
-patched_versions:
-  - ">= 1.2.8"

data/data/ruby-advisory-db/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activerecord-oracle_enhanced-adapter
-osvdb: 95376
-url: http://osvdb.org/show/osvdb/95376
-title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection
-date: 2008-10-10
-description: |
-  Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an
-  attacker to carry out an SQL injection attack. The issue is due to the
-  program not properly sanitizing user-supplied input related to the :limit and
-  :offset functions. This may allow an attacker to inject or manipulate SQL
-  queries in the back-end database, allowing for the manipulation or disclosure
-  of arbitrary data.
-patched_versions:
-  - ">= 1.1.8"

data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activeresource
-osvdb: 95749
-url: http://osvdb.org/show/osvdb/95749
-title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
-date: 2008-08-15
-description: |
-  activeresource contains a format string flaw in the request function of
-  lib/active_resource/connection.rb. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
-  when passed via the 'result.code' and 'result.message' variables. This may
-  allow a remote attacker to cause a denial of service or potentially execute
-  arbitrary code.
-patched_versions:
-  - ">= 2.2.0"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml DELETED Viewed

@@ -1,54 +0,0 @@
----
-gem: activesupport
-cve: 2015-3226
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
-title: |
-  XSS Vulnerability in ActiveSupport::JSON.encode
-date: 2015-06-16
-description: |
-  When a `Hash` containing user-controlled data is encode as JSON (either through
-  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
-  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
-  option (which is enabled by default). If this resulting JSON string is subsequently
-  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
-  For example, the following code snippet is vulnerable to this attack:
-      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
-  Similarly, the following is also vulnerable:
-      <script>
-        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
-      </script>
-  All applications that renders JSON-encoded strings that contains user-controlled
-  data in their views should either upgrade to one of the FIXED versions or use
-  the suggested workaround immediately.
-  Workarounds
-  -----------
-  To work around this problem add an initializer with the following code:
-    module ActiveSupport
-      module JSON
-        module Encoding
-          private
-          class EscapedString
-            def to_s
-              self
-            end
-          end
-        end
-      end
-    end
-unaffected_versions:
-  - "< 4.1.0"
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml DELETED Viewed

@@ -1,32 +0,0 @@
----
-gem: activesupport
-cve: 2015-3227
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
-title: |
-  Possible Denial of Service attack in Active Support
-date: 2015-06-16
-description: |
-  Specially crafted XML documents can cause applications to raise a
-  `SystemStackError` and potentially cause a denial of service attack.  This
-  only impacts applications using REXML or JDOM as their XML processor.  Other
-  XML processors that Rails supports are not impacted.
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  Workarounds
-  -----------
-  Use an XML parser that is not impacted by this problem, such as Nokogiri or
-  LibXML.  You can change the processor like this:
-    ActiveSupport::XmlMini.backend = 'Nokogiri'
-  If you cannot change XML parsers, then adjust
-  `RUBY_THREAD_MACHINE_STACK_SIZE`.
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"
-  - "~> 3.2.22"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-1098
-osvdb: 79726
-url: http://osvdb.org/79726
-title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
-date: 2012-03-01
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because athe application does not validate direct
-  manipulations of SafeBuffer objects via '[]' and other methods. This may
-  allow a user to create a specially crafted request that would execute
-  arbitrary script code in a user's browser within the trust relationship
-  between their browser and the server.
-cvss_v2: 4.3
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.0.12
-  - ~> 3.1.4
-  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-3464
-osvdb: 84516
-url: http://www.osvdb.org/show/osvdb/84516
-title: Ruby on Rails HTML Escaping Code XSS
-date: 2012-08-09
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because the HTML escaping code functionality does
-  not properly escape a single quote character. This may allow a user to create
-  a specially crafted request that would execute arbitrary script code in a
-  user's browser within the trust relationship between their browser and the
-  server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.0.17
-  - ~> 3.1.8
-  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml DELETED Viewed

@@ -1,25 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2013-0333
-osvdb: 89594
-url: http://osvdb.org/show/osvdb/89594
-title:
-  Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
-  Execution
-date: 2013-01-28
-description: |
-  Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
-  parsing backends, one of which involves transforming JSON into YAML via the
-  YAML parser. With a specially crafted payload, an attacker can subvert the
-  backend into decoding a subset of YAML. This may allow a remote attacker to
-  bypass restrictions, allowing them to bypass authentication systems, inject
-  arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on
-  a Rails application.
-cvss_v2: 9.3
-patched_versions:
-  - ~> 2.3.16
-  - ">= 3.0.20"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml DELETED Viewed

@@ -1,28 +0,0 @@
----
-gem: activesupport
-framework: rails
-platform: jruby
-cve: 2013-1856
-osvdb: 91451
-url: http://www.osvdb.org/show/osvdb/91451
-title: XML Parsing Vulnerability affecting JRuby users
-date: 2013-03-19
-description: |
- The ActiveSupport XML parsing functionality supports multiple
- pluggable backends. One backend supported for JRuby users is
- ActiveSupport::XmlMini_JDOM which makes use of the
- javax.xml.parsers.DocumentBuilder class. In some JVM configurations
- the default settings of that class can allow an attacker to construct
- XML which, when parsed, will contain the contents of arbitrary URLs
- including files from the application server. They may also allow for
- various denial of service attacks. Action Pack
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: administrate
-cve: 2016-3098
-title: Cross-site request forgery (CSRF) vulnerability in administrate gem
-date: 2016-04-01
-url: http://seclists.org/oss-sec/2016/q2/0
-description: >-
-  `Administrate::ApplicationController` actions didn't have CSRF
-  protection. Remote attackers can hijack user's sessions and use any
-  functionality that administrate exposes on their behalf.
-patched_versions:
-  - ">= 0.1.5"

data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: aescrypt
-cve: 2013-7463
-date: 2013-10-01
-url: https://github.com/Gurpartap/aescrypt/issues/4
-title: Vulnerability in aescrypt because IV is not randomized
-description: |
-  The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the
-  AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to
-  defeat cryptographic protection mechanisms via a chosen plaintext attack.

data/data/ruby-advisory-db/gems/archive-tar-minitar/CVE-2016-10173.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: archive-tar-minitar
-cve: 2016-10173
-url: https://github.com/atoulme/minitar/issues/5
-title: Archive-Tar-Minitar Directory Traversal Vulnerability
-date: 2016-08-22
-description: |
-  Minitar allows attackers to overwrite arbitrary files during archive
-  extraction via a .. (dot dot) in an extracted filename. Analogous
-  vulnerabilities for unzip and tar:
-  https://www.cvedetails.com/cve/CVE-2001-1268/ and
-  http://www.cvedetails.com/cve/CVE-2001-1267/
-  Credit: ecneladis
-patched_versions:
-  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/as/OSVDB-112683.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: as
-osvdb: 112683
-url: http://osvdb.org/show/osvdb/112683
-title: as Gem for Ruby Process List Local Plaintext Credentials Disclosure
-date: 2014-09-25
-description: |
-  as Gem for Ruby contains a flaw that is due to the program displaying
-  credential information in plaintext in the process list. This may
-  allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/authlogic/OSVDB-89064.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: authlogic
-cve: 2012-6497
-osvdb: 89064
-url: http://osvdb.org/show/osvdb/89064
-title: Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness
-date: 2012-12-21
-description: |
-  Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered
-  when the program makes an unsafe method call for find_by_id. With a specially
-  crafted parameter in an environment that knows the secret_token value in
-  secret_token.rb, a remote attacker to more easily conduct SQL injection
-  attacks.
-patched_versions:
-  - ">= 3.3.0"

data/data/ruby-advisory-db/gems/auto_awesomplete/OSVDB-132800.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: auto_awesomplete
-osvdb: 132800
-url: https://github.com/Tab10id/auto_awesomplete/issues/2
-title: |
-  auto_awesomplete Gem for Ruby allows arbitrary search execution
-date: 2016-01-08
-description: |
-  auto_awesomplete Gem for Ruby contains a flaw that is triggered when handling the
-  'params[:default_class_name]' option. This allows users to search any object
-  of all given ActiveRecord classes.

data/data/ruby-advisory-db/gems/auto_select2/OSVDB-132800.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: auto_select2
-osvdb: 132800
-url: https://github.com/Loriowar/auto_select2/issues/4
-title: |
-  auto_select2 Gem for Ruby allows arbitrary search execution
-date: 2016-01-08
-description: |
-  auto_select2 Gem for Ruby contains a flaw that is triggered when handling the
-  'params[:default_class_name]' option. This allows users to search any object
-  of all given ActiveRecord classes.
-patched_versions:
-  - ">= 0.5.0"

data/data/ruby-advisory-db/gems/awesome_spawn/CVE-2014-0156.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: awesome_spawn
-cve: 2014-0156
-url: https://github.com/ManageIQ/awesome_spawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff
-title: OS command injection flaw in awesome_spawn
-date: 2014-03-28
-description: >-
-  Awesome spawn contains OS command injection vulnerability, which allows
-  execution of additional commands passed to Awesome spawn as arguments, e.g.
-  AwesomeSpawn.run('ls',:params => {'-l' => ";touch haxored"}). If untrusted
-  input was included in command arguments, attacker could use this flaw to
-  execute arbitrary command.
-cvss_v2:  6.8
-patched_versions:
-  - "~> 1.2.0"
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/backup-agoddard/OSVDB-108578.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: backup-agoddard
-cve: 2014-4993
-osvdb: 108578
-url: http://osvdb.org/show/osvdb/108578
-title: backup-agoddard Gem for Ruby /lib/backup/cli/utility.rb Process Table Local Plaintext Password Disclosure
-date: 2014-06-30
-description: backup-agoddard Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb that is due to the application exposing password information in plaintext in the process table. This may allow a local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108569.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: backup_checksum
-cve: 2014-4993
-osvdb: 108569
-url: http://osvdb.org/show/osvdb/108569
-title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Process List Local Plaintext Password Disclosure
-date: 2014-06-30
-description: |
-  backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
-  that is triggered as the program displays password information in plaintext
-  in the process list. This may allow a local attacker to gain access to
-  password information.

data/data/ruby-advisory-db/gems/backup_checksum/OSVDB-108570.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: backup_checksum
-osvdb: 108570
-url: http://osvdb.org/show/osvdb/108570
-title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling Remote Command Execution
-date: 2014-06-30
-description: |
-  backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
-  that is triggered when handling metacharacters. This may allow a remote
-  attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/bcrypt/OSVDB-62067.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: bcrypt
-platform: jruby
-osvdb: 62067
-url: http://www.mindrot.org/files/jBCrypt/internat.adv
-title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)
-date: 2010-02-01
-description: |
-  bcrypt-ruby Gem for Ruby suffered from a bug related to character
-  encoding that substantially reduced the entropy of hashed passwords
-  containing non US-ASCII characters. An incorrect encoding step
-  transparently replaced such characters by '?' prior to hashing. In the
-  worst case of a password consisting solely of non-US-ASCII characters,
-  this would cause its hash to be equivalent to all other such passwords
-  of the same length. This issue only affects the JRuby implementation.
-patched_versions:
-  - ">= 2.1.4"

data/data/ruby-advisory-db/gems/bcrypt-ruby/OSVDB-62067.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: bcrypt-ruby
-platform: jruby
-osvdb: 62067
-url: http://www.mindrot.org/files/jBCrypt/internat.adv
-title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby only)
-date: 2010-02-01
-description: |
-  bcrypt-ruby Gem for Ruby suffered from a bug related to character
-  encoding that substantially reduced the entropy of hashed passwords
-  containing non US-ASCII characters. An incorrect encoding step
-  transparently replaced such characters by '?' prior to hashing. In the
-  worst case of a password consisting solely of non-US-ASCII characters,
-  this would cause its hash to be equivalent to all other such passwords
-  of the same length. This issue only affects the JRuby implementation.
-  This gem has been renamed. Please use "bcrypt" from now on.
-patched_versions:
-  - ">= 2.1.4"

data/data/ruby-advisory-db/gems/bio-basespace-sdk/OSVDB-101031.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: bio-basespace-sdk
-cve: 2013-7111
-osvdb: 101031
-url: http://osvdb.org/show/osvdb/101031
-title: Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure
-date: 2013-12-14
-description: Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API client code passing the API_KEY to a curl command. This may allow a local attacker to gain access to API key information by monitoring the process table.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108899.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: brbackup
-osvdb: 108899
-url: http://osvdb.org/show/osvdb/108899
-title: brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
-date: 2014-07-09
-description: |
-  brbackup Gem for Ruby contains a flaw that may allow carrying out an SQL
-  injection attack. The issue is due to the /lib/brbackup.rb script not
-  properly sanitizing user-supplied input to the 'name' parameter. This may
-  allow a remote attacker to inject or manipulate SQL queries in the back-end
-  database, allowing for the manipulation or disclosure of arbitrary data.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108900.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: brbackup
-osvdb: 108900
-url: http://osvdb.org/show/osvdb/108900
-title: brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote Command Execution
-date: 2014-07-09
-description: |
-  brbackup Gem for Ruby contains a flaw that is triggered as input passed
-  via the 'dbuser' variable is not properly sanitized. This may allow a
-  remote attacker to inject shell metacharacters and execute arbitrary
-  commands.

data/data/ruby-advisory-db/gems/brbackup/OSVDB-108901.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: brbackup
-cve: 2014-5004
-osvdb: 108901
-url: http://osvdb.org/show/osvdb/108901
-title: brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
-date: 2014-07-09
-description: |
-  brbackup Gem for Ruby contains a flaw that is due to the program exposing
-  password information in plaintext in the process list. This may allow a
-  local attacker to gain access to password information.

data/data/ruby-advisory-db/gems/bson/CVE-2015-4412.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: bson
-cve: 2015-4412
-url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
-title: Data Injection Vulnerability in bson Rubygem
-date: 2015-06-04
-description: >-
-  A flaw in the ObjectId validation regular expression can enable attackers to inject arbitrary information into a given BSON object.
-vendor_patch:
-  - https://github.com/mongodb/mongo-ruby-driver/compare/6ae981167759d5819ba3d41e374e5b2af5b79077~1...9859a3ab9773a8a883eb8438b665a921cc991c71
-  - https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7
-patched_versions:
-  - "~> 1.12.3"
-  - ">= 3.0.4"

data/data/ruby-advisory-db/gems/builder/OSVDB-95668.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: builder
-osvdb: 95668
-url: http://osvdb.org/show/osvdb/95668
-title: Builder Gem for Ruby Tag Name Handling Private Method Exposure
-date: 2007-06-15
-description: |
-  Builder Gem for Ruby contains a flaw in the handling of tag names. The issue
-  is triggered when the program reads tag names from XML data and then calls a
-  method with that name. With a specially crafted file, a context-dependent
-  attacker can call private methods and manipulate data.
-patched_versions:
-  - ">= 2.1.2"

data/data/ruby-advisory-db/gems/bundler/OSVDB-110004.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: bundler
-cve: 2013-0334
-osvdb: 110004
-url: http://www.osvdb.org/show/osvdb/110004
-title: Bundler Gem for Ruby Multiple Top-level Source Lines Gemfile Handling Gem Installation Spoofing
-date: 2014-08-13
-description: |
-  Bundler Gem for Ruby contains a flaw that is triggered when handling
-  a gemfile that contains multiple top-level source lines. This may allow a
-  context-dependent attacker to install specially crafted gems on a remote
-  system, leading to arbitrary code execution.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.7.0"

data/data/ruby-advisory-db/gems/bundler/OSVDB-115090.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: bundler
-osvdb: 115090
-url: http://www.osvdb.org/show/osvdb/115090
-title: Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing
-date: 2013-02-12
-description: |
-  Bundler Gem for Ruby contains a flaw as SSL certificates are not properly
-  validated. By spoofing the SSL server via a certificate that appears valid,
-  an attacker with the ability to intercept network traffic (e.g. MiTM, DNS
-  cache poisoning) can disclose and optionally manipulate transmitted data.
-patched_versions:
-  - ">= 1.3.0.pre.8"