RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.9.0.1 - Mend

bundler-audit 0.6.1 → 0.9.0.1

Files changed (436) hide show

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-5312.yml DELETED Viewed

@@ -1,92 +0,0 @@
----
-gem: nokogiri
-cve: 2015-5312
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
-title: Nokogiri gem contains several vulnerabilities in libxml2
-date: 2015-12-15
-description: |
-  Nokogiri version 1.6.7.1 has been released, pulling in several upstream
-  patches to the vendored libxml2 to address the following CVEs:
-  CVE-2015-5312
-  CVSS v2 Base Score: 7.1 (HIGH)
-  The xmlStringLenDecodeEntities function in parser.c in libxml2
-  before 2.9.3 does not properly prevent entity expansion, which
-  allows context-dependent attackers to cause a denial of
-  service (CPU consumption) via crafted XML data, a different
-  vulnerability than CVE-2014-3660.
-  CVE-2015-7497
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlDictComputeFastQKey
-  function in dict.c in libxml2 before 2.9.3 allows
-  context-dependent attackers to cause a denial of service via
-  unspecified vectors.
-  CVE-2015-7498
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlParseXmlDecl function in
-  parser.c in libxml2 before 2.9.3 allows context-dependent
-  attackers to cause a denial of service via unspecified vectors
-  related to extracting errors after an encoding conversion
-  failure.
-  CVE-2015-7499
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlGROW function in parser.c
-  in libxml2 before 2.9.3 allows context-dependent attackers to
-  obtain sensitive process memory information via unspecified
-  vectors.
-  CVE-2015-7500
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  The xmlParseMisc function in parser.c in libxml2 before 2.9.3
-  allows context-dependent attackers to cause a denial of
-  service (out-of-bounds heap read) via unspecified vectors
-  related to incorrect entities boundaries and start tags.
-  CVE-2015-8241
-  CVSS v2 Base Score: 6.4 (MEDIUM)
-  The xmlNextChar function in libxml2 2.9.2 does not properly
-  check the state, which allows context-dependent attackers to
-  cause a denial of service (heap-based buffer over-read and
-  application crash) or obtain sensitive information via crafted
-  XML data.
-  CVE-2015-8242
-  CVSS v2 Base Score: 5.8 (MEDIUM)
-  The xmlSAX2TextNode function in SAX2.c in the push interface in
-  the HTML parser in libxml2 before 2.9.3 allows
-  context-dependent attackers to cause a denial of
-  service (stack-based buffer over-read and application crash) or
-  obtain sensitive information via crafted XML data.
-  CVE-2015-8317
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  The xmlParseXMLDecl function in parser.c in libxml2 before
-  2.9.3 allows context-dependent attackers to obtain sensitive
-  information via an (1) unterminated encoding value or (2)
-  incomplete XML declaration in XML data, which triggers an
-  out-of-bounds heap read.
-cvss_v2: 7.1
-unaffected_versions:
-  - "< 1.6.0"
-patched_versions:
-  - ">= 1.6.7.1"
-related:
-  cve:
-    - 2015-7497
-    - 2015-7498
-    - 2015-7499
-    - 2015-7500
-    - 2015-8241
-    - 2015-8242
-    - 2015-8317
-  url:
-    - https://github.com/sparklemotion/nokogiri/pull/1378
-    - https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-7499.yml DELETED Viewed

@@ -1,37 +0,0 @@
----
-gem: nokogiri
-cve: 2015-7499
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
-title: |
-  Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
-date: 2016-01-19
-description: |
-  Nokogiri version 1.6.7.2 has been released, pulling in several upstream
-  patches to the vendored libxml2 to address the following CVE:
-  CVE-2015-7499
-  CVSS v2 Base Score: 5.0 (MEDIUM)
-  Heap-based buffer overflow in the xmlGROW function in parser.c
-  in libxml2 before 2.9.3 allows context-dependent attackers to
-  obtain sensitive process memory information via unspecified
-  vectors.
-  libxml2 could be made to crash if it opened a specially crafted
-  file. It was discovered that libxml2 incorrectly handled certain
-  malformed documents. If a user or automated system were tricked
-  into opening a specially crafted document, an attacker could
-  possibly cause libxml2 to crash, resulting in a denial of service.
-cvss_v2: 5.0
-unaffected_versions:
-  - "< 1.6.0"
-patched_versions:
-  - ">= 1.6.7.2"
-related:
-  url:
-    - https://github.com/sparklemotion/nokogiri/commit/9eb540e7c905924a42757bf0a34c2c00707d536c

data/data/ruby-advisory-db/gems/nokogiri/CVE-2015-8806.yml DELETED Viewed

@@ -1,42 +0,0 @@
----
-gem: nokogiri
-cve: 2015-8806
-url: https://github.com/sparklemotion/nokogiri/issues/1473
-title: Denial of service or RCE from libxml2 and libxslt
-date: 2016-06-07
-description: |
-  Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt,
-  which are libraries Nokogiri depends on. It was discovered that libxml2 and
-  libxslt incorrectly handled certain malformed documents, which can allow
-  malicious users to cause issues ranging from denial of service to remote code
-  execution attacks.
-  For more information, the Ubuntu Security Notice is a good start:
-  http://www.ubuntu.com/usn/usn-2994-1/
-patched_versions:
-  - ">= 1.6.8"
-unaffected_versions:
-  - "< 1.6.0"
-related:
-  cve:
-    - 2016-1762
-    - 2016-1833
-    - 2016-1834
-    - 2016-1835
-    - 2016-1836
-    - 2016-1837
-    - 2016-1838
-    - 2016-1839
-    - 2016-1840
-    - 2016-2073
-    - 2016-3627
-    - 2016-3705
-    - 2016-4447
-    - 2016-4449
-    - 2016-4483
-  url:
-    - https://github.com/sparklemotion/nokogiri/issues/1473
-    - https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028
-    - https://mail.gnome.org/archives/xml/2016-May/msg00023.html
-    - http://www.ubuntu.com/usn/usn-2994-1/

data/data/ruby-advisory-db/gems/nokogiri/CVE-2016-4658.yml DELETED Viewed

@@ -1,32 +0,0 @@
----
-gem: nokogiri
-cve: 2016-4658
-url: https://github.com/sparklemotion/nokogiri/issues/1615
-title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
-date: 2017-03-11
-description: |
-  Nokogiri version 1.7.1 has been released, pulling in several upstream
-  patches to the vendored libxml2 to address the following CVEs:
-  CVE-2016-4658
-  CVSS v3 Base Score: 9.8 (Critical)
-  libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
-  watchOS before 3 allows remote attackers to execute arbitrary code or cause
-  a denial of service (memory corruption) via a crafted XML document.
-  CVE-2016-5131
-  CVSS v3 Base Score: 8.8 (HIGH)
-  Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
-  Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
-  service or possibly have unspecified other impact via vectors related to
-  the XPointer range-to function.
-cvss_v3: 9.8
-patched_versions:
-  - ">= 1.7.1"
-related:
-  cve:
-    - 2016-5131
-  url:
-    - https://github.com/sparklemotion/nokogiri/issues/1615

data/data/ruby-advisory-db/gems/nokogiri/CVE-2017-5029.yml DELETED Viewed

@@ -1,44 +0,0 @@
----
-gem: nokogiri
-cve: 2017-5029
-url: https://github.com/sparklemotion/nokogiri/issues/1634
-title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29
-date: 2017-05-09
-description: |
-    nokogiri version 1.7.2 has been released.
-    This is a security update based on 1.7.1, addressing two upstream
-    libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical
-    and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat.
-    These patches only apply when using Nokogiri's vendored libxslt
-    package. If you're using your distro's system libraries, there's no
-    need to upgrade from 1.7.0.1 or 1.7.1 at this time.
-    Full details are available at the github issue linked to in the
-    changelog below.
-    -----
-    # 1.7.2 / 2017-05-09
-    ## Security Notes
-    [MRI] Upstream libxslt patches are applied to the vendored libxslt
-    1.1.29 which address CVE-2017-5029 and CVE-2016-4738.
-    For more information:
-    * https://github.com/sparklemotion/nokogiri/issues/1634
-    * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
-    * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html
-patched_versions:
-  - ">= 1.7.2"
-related:
-  cve:
-    - 2016-4738
-    - 2017-5029
-  url:
-    - http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html
-    - http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: nokogiri
-platform: jruby
-cve: 2013-6460
-osvdb: 101179
-url: http://osvdb.org/show/osvdb/101179
-title: |
-  Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
-date: 2013-12-14
-description: |
-  Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of
-  service. The issue is triggered when handling a specially crafted XML
-  document, which can result in an infinite loop. This may allow a
-  context-dependent attacker to crash the server.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.5.11"
-  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-cve: 2013-6461
-osvdb: 101458
-url: http://www.osvdb.org/show/osvdb/101458
-title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS
-date: 2013-12-14
-description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
-  The issue is due to an incorrectly configured XML parser accepting XML external entities from
-  an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
-  loop and crash the program.
-cvss_v2:
-patched_versions:
-  - ~> 1.5.11
-  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-118481.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-platform: jruby
-osvdb: 118481
-url: https://github.com/sparklemotion/nokogiri/pull/1087
-title: |
-  Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption
-  Remote DoS
-date: 2014-04-30
-description: |
-  Nokogiri Gem for JRuby contains a flaw that is triggered when handling a root
-  element in an XML document. This may allow a remote attacker to cause a
-  consumption of memory resources.
-patched_versions:
-  - ">= 1.6.3"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-90946.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-cve: 2012-6685
-osvdb: 90946
-url: http://www.osvdb.org/show/osvdb/90946
-title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Internal Network Response Remote Disclosure
-date: 2012-06-08
-description: libxml2 contains a flaw that may lead to unauthorized disclosure of
- potentially sensitive information. The issue is triggered when handling the
- expansion of XML external entities (XXE), which can be used to trigger URL's
- on an internal network and allow a remote attacker to gain access to their
- responses.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 1.5.4"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: nori
-cve: 2013-0285
-osvdb: 90196
-url: http://osvdb.org/show/osvdb/90196
-title: Ruby Gem nori Parameter Parsing Remote Code Execution
-date: 2013-01-10
-description: |
-  The Ruby Gem nori has a parameter parsing error that may allow an attacker
-  to execute arbitrary code. This vulnerability has to do with type casting
-  during parsing, and is related to CVE-2013-0156.
-cvss_v2: 7.5
-patched_versions:
-  - ~> 1.0.3
-  - ~> 1.1.4
-  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: omniauth-facebook
-cve: 2013-4562
-osvdb: 99693
-url: http://www.osvdb.org/show/osvdb/99693
-title: omniauth-facebook Gem for Ruby Unspecified CSRF
-date: 2013-11-12
-description: |
-  omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
-  require multiple steps, explicit confirmation, or a unique token when
-  performing certain sensitive actions. By tricking a user into following
-  a specially crafted link, a context-dependent attacker can perform a
-  Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
-  perform an unspecified action.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.5.0"
-unaffected_versions:
-  - "<= 1.4.0"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: omniauth-facebook
-cve: 2013-4593
-osvdb: 99888
-url: http://www.osvdb.org/show/osvdb/99888
-title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
-date: 2013-11-14
-description: |
-  omniauth-facebook Gem for Ruby contains a flaw that is due to the application
-  supporting passing the access token via the URL. This may allow a remote
-  attacker to bypass authentication and authenticate as another user.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.5.1"

data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: omniauth-oauth2
-cve: 2012-6134
-osvdb: 90264
-url: http://www.osvdb.org/show/osvdb/90264
-title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
-date: 2012-09-08
-description: |
-  The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
-  inject values into a user's session through a CSRF attack.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.1.1"

data/data/ruby-advisory-db/gems/open-uri-cached/OSVDB-121701.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: open-uri-cached
-cve: 2015-3649
-osvdb: 121701
-url: http://seclists.org/oss-sec/2015/q2/373
-title: open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege Escalation
-date: 2015-05-05
-description: |
-  open-uri-cached Gem for Ruby contains a flaw that is due to the
-  program creating temporary files in a predictable, unsafe manner when using
-  YAML. This may allow a local attacker to gain elevated privileges.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/paperclip/CVE-2015-2963.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: paperclip
-cve: 2015-2963
-url: https://robots.thoughtbot.com/paperclip-security-release
-title: |
-  Paperclip Gem for Ruby vulnerable to content type spoofing
-date: 2015-06-05
-description: |
-  There is an issue where if an HTML file is uploaded with a .html
-  extension, but the content type is listed as being `image/jpeg`, this
-  will bypass a validation checking for images. But it will also pass the
-  spoof check, because a file named .html and containing actual HTML
-  passes the spoof check.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 4.2.2"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paperclip
-osvdb: 103151
-url: http://osvdb.org/show/osvdb/103151
-title: Paperclip Gem for Ruby contains a flaw
-date: 2014-01-31
-description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
-  validate the file extension, instead only validating the Content-Type header during file uploads.
-  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
-  spoofing the content-type.
-cvss_v2:
-patched_versions:
-  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paratrooper-newrelic
-cve: 2014-1234
-osvdb: 101839
-url: http://www.osvdb.org/show/osvdb/101839
-title: Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure
-date: 2014-01-08
-description: |
-  Paratrooper-newrelic Gem for Ruby contains a flaw in
-  /lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes
-  the API key, allowing a local attacker to gain access to it by monitoring the
-  process tree.
-cvss_v2: 2.1

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paratrooper-pingdom
-cve: 2014-1233
-osvdb: 101847
-url: http://www.osvdb.org/show/osvdb/101847
-title: paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials Local Disclosure
-date: 2013-12-26
-description: |
-  paratrooper-pingdom Gem for Ruby contains a flaw in
-  /lib/paratrooper-pingdom.rb. The issue is triggered when the script exposes
-  API login credentials, allowing a local attacker to gain access to the API
-  key, username, and password for the API login by monitoring the process tree.
-cvss_v2: 2.1

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1831.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: passenger
-cve: 2014-1831
-osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
-title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
-date: 2014-01-28
-description: Phusion Passenger contains a flaw as the program creates the server instance
-  directory insecurely. It is possible for a local attacker to use a symlink attack against
-  the directory to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.37"

data/data/ruby-advisory-db/gems/passenger/CVE-2014-1832.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: passenger
-cve: 2014-1832
-osvdb: 102613
-url: http://osvdb.org/show/osvdb/102613
-title: Phusion Passenger Server Instance Directory Creation Local Symlink File Overwrite
-date: 2014-01-29
-description: Phusion Passenger contains a flaw as the program creates the server instance
-  directory insecurely. It is possible for a local attacker to use a symlink attack against
-  the directory to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.38"

data/data/ruby-advisory-db/gems/passenger/CVE-2015-7519.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: passenger
-cve: 2015-7519
-url: https://blog.phusion.nl/2015/12/07/cve-2015-7519/
-title: Phusion Passenger Server allows to overwrite headers in some cases
-date: 2015-11-23
-description: It is possible in some cases, for clients to overwrite headers
-  set by the server, resulting in a medium level security issue.
-  Passenger 5 uses an SCGI-inspired format to pass headers to Ruby/Python
-  applications, while Passenger 4 uses an SCGI-inspired format to pass
-  headers to all applications. This implies a conversion to
-  UPPER_CASE_WITH_UNDERSCORES whereby the difference between characters
-  like '-' and '_' is lost.
-patched_versions:
-  - "~> 4.0.60"
-  - ">= 5.0.22"

data/data/ruby-advisory-db/gems/passenger/CVE-2016-10345.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: passenger
-cve: 2016-10345
-url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
-title:  Predictable tmp File Path Vulnerability in Phusion Passenger
-date: 2017-04-18
-description: >-
-  In Phusion Passenger before 5.1.0, a known /tmp filename was used during
-  passenger-install-nginx-module execution, which could allow local attackers
-  to gain the privileges of the passenger user.
-cvss_v3: 5.5
-patched_versions:
-  - ">= 5.1.0"

data/data/ruby-advisory-db/gems/passenger/OSVDB-90738.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: passenger
-cve: 2012-6135
-osvdb: 90738
-url: http://old.blog.phusion.nl/2013/03/05/phusion-passenger-4-0-beta-1-and-2-arbitrary-file-deletion-vulnerability/
-title: Phusion Passenger Gem for Ruby Arbitrary File Deletion
-date: 2012-02-01
-description: Phusion Passenger Gem for Ruby contains a flaw that is triggered
-  during application startup. This issue may allow a local attacker to delete
-  arbitrary files via an application process. If the program has completed the
-  start up process this vulnerability is no longer exploitable.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 4.0.0"
-unaffected_versions:
-  - "< 4.0.0"

data/data/ruby-advisory-db/gems/passenger/OSVDB-93752.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: passenger
-cve: 2013-2119
-osvdb: 93752
-url: http://osvdb.org/show/osvdb/93752
-title: Phusion Passenger Gem for Ruby Predictable Temporary Filename Generation Symlink Local Privilege Escalation
-date: 2013-05-29
-description: Phusion Passenger Gem for Ruby contains a flaw as the program creates
-  temporary files insecurely. It is possible for a local attacker to use a symlink
-  attack against the Nginx config file to cause the program to unexpectedly overwrite
-  the file, allowing a local attacker to execute code with elevated privileges.
-cvss_v2: 4.6
-patched_versions:
-  - "~> 3.0.21"
-  - ">= 4.0.5"

data/data/ruby-advisory-db/gems/passenger/OSVDB-94074.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: passenger
-cve: 2013-4136
-osvdb: 94074
-url: http://osvdb.org/show/osvdb/94074
-title: Phusion Passenger Gem for Ruby Utils.cpp Temporary Directory Creation Symlink Local Privilege Escalation
-date: 2013-06-10
-description: Phusion Passenger Gem for Ruby contains a flaw as the program creates
-  temporary directories insecurely. It is possible for a local attacker to use a
-  symlink attack against the Utils.cpp file to allow the attacker to gain elevated
-  privileges.
-cvss_v2: 4.6
-patched_versions:
-  - ">= 4.0.8"

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: pdfkit
-cve: 2013-1607
-osvdb: 90867
-url: http://osvdb.org/show/osvdb/90867
-title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
-date: 2013-02-21
-description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
-cvss_v2:
-patched_versions:
-  - ">= 0.5.3"

data/data/ruby-advisory-db/gems/point-cli/OSVDB-108577.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: point-cli
-cve: 2014-4997
-osvdb: 108577
-url: http://osvdb.org/show/osvdb/108577
-title: point-cli Gem for Ruby /lib/commands/setup.rb Process Table Local Plaintext Credential Disclosure
-date: 2014-06-30
-description: point-cli Gem for Ruby contains a flaw in /lib/commands/setup.rb that is due to the application exposing credential information in plaintext in the process table. This may allow a local attacker to gain access to credential information.

data/data/ruby-advisory-db/gems/quick_magick/OSVDB-106954.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: quick_magick
-osvdb: 106954
-url: http://osvdb.org/show/osvdb/106954
-title: quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String Handling Remote Command Injection
-date: 2011-01-12
-description: quick_magick Gem for Ruby contains a flaw in the QuickMagick::Image.read function. The issue is triggered when handling a specially crafted string. This may allow a remote attacker to inject arbitrary commands.

data/data/ruby-advisory-db/gems/rack/CVE-2015-3225.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack
-cve: 2015-3225
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
-title: |
-  Potential Denial of Service Vulnerability in Rack
-date: 2015-06-16
-description: |
-  Carefully crafted requests can cause a `SystemStackError` and potentially
-  cause a denial of service attack.
-  All users running an affected release should upgrade.
-patched_versions:
-  - ">= 1.6.2"
-  - "~> 1.5.4"
-  - "~> 1.4.6"

data/data/ruby-advisory-db/gems/rack/OSVDB-78121.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rack
-cve: 2011-5036
-osvdb: 78121
-url: http://osvdb.org/show/osvdb/78121
-title: |
-  Rack Hash Collision Form Parameter Parsing Remote DoS
-date: 2011-12-28
-description: |
-  Rack contains a flaw that may allow a remote denial of service. The issue is
-  triggered when an attacker sends multiple crafted parameters which trigger
-  hash collisions, and will result in loss of availability for the program via
-  CPU consumption.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 1.1.3"
-  - "~> 1.2.5"
-  - "~> 1.3.6"
-  - ">= 1.4.0"