RubyGems - bundler-audit - Versions diffs - 0.6.1 → 0.9.0.1 - Mend

bundler-audit 0.6.1 → 0.9.0.1

Files changed (436) hide show

data/data/ruby-advisory-db/gems/rack/OSVDB-89317.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rack
-cve: 2012-6109
-osvdb: 89317
-url: http://osvdb.org/show/osvdb/89317
-title: |
-  Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS
-date: 2012-05-04
-description: |
-  Rack contains a flaw in the Regular Expressions Engine that may allow a remote
-  denial of service. The issue is triggered when parsing context-disposition
-  headers. With a specially crafted header, a remote attacker can cause an
-  infinite loop, which will result in a loss of availability for the webserver.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.1.4"
-  - "~> 1.2.6"
-  - "~> 1.3.7"
-  - ">= 1.4.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89320.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: rack
-cve: 2013-0183
-osvdb: 89320
-url: http://osvdb.org/show/osvdb/89320
-title: |
-  Rack Long String Parsing Memory Consumption Remote DoS
-date: 2013-01-07
-description: |
-  Rack contains a flaw that may allow a remote denial of service. The issue is
-  triggered when parsing an overly long string. With a specially crafted string,
-  a remote attacker can cause a consumption of memory. This will result in a
-  loss of availability for the webserver.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 1.3.8"
-  - ">= 1.4.3"

data/data/ruby-advisory-db/gems/rack/OSVDB-89327.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rack
-cve: 2013-0184
-osvdb: 89327
-url: http://osvdb.org/show/osvdb/89327
-title: |
-  Rack Rack::Auth::AbstractRequest Class Unspecified Remote DoS
-date: 2013-01-13
-description: |
-  Rack contains a flaw in the Rack::Auth::AbstractRequest class that may allow
-  a remote denial of service. The issue is triggered when an unspecified error
-  occurs, which will result in a loss of availability for the webserver.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.1.5"
-  - "~> 1.2.7"
-  - "~> 1.3.9"
-  - ">= 1.4.4"

data/data/ruby-advisory-db/gems/rack/OSVDB-89938.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack
-cve: 2013-0262
-osvdb: 89938
-url: http://osvdb.org/show/osvdb/89938
-title: |
-  Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure
-date: 2013-02-07
-description: |
-  Rack contains a flaw as the Rack::File function creates temporary files
-  insecurely. It is possible for a local attacker to use a symlink attack to
-  traverse to an arbitrary file and disclose its contents
-cvss_v2: 4.3
-patched_versions:
-- "~> 1.4.5"
-- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: rack
-cve: 2013-0263
-osvdb: 89939
-url: http://osvdb.org/show/osvdb/89939
-title: |
-  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
-date: 2013-02-07
-description: |
-  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
-  function. Users of the Marshal session cookie encoding (the default), are
-  subject to a timing attack that may lead an attacker to execute arbitrary
-  code. This attack is more practical against 'cloud' users as intra-cloud
-  latencies are sufficiently low to make the attack viable.
-cvss_v2: 5.1
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.8
-  - ~> 1.3.10
-  - ~> 1.4.5
-  - ">= 1.5.2"

data/data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: rack-attack
-osvdb: 132234
-url: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1
-title: |
-  rack-attack Gem for Ruby missing normalization before request path
-  processing
-date: 2015-12-18
-description: |
-  When using rack-attack with a rails app, developers expect the request
-  path to be normalized. In particular, trailing slashes are stripped so
-  a request path "/login/" becomes "/login" by the time you're in
-  ActionController.
-  Since Rack::Attack runs before ActionDispatch, the request path is not
-  yet normalized. This can cause throttles and blacklists to not work as
-  expected.
-  E.g., a throttle:
-  `throttle('logins', ...) {|req| req.path == "/login" }`
-  would not match a request to '/login/', though Rails would route
-  '/login/' to the same '/login' action.
-patched_versions:
-  - ">= 4.3.1"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack-cache
-cve: 2012-2671
-osvdb: 83077
-url: http://osvdb.org/83077
-title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
-date: 2012-06-06
-description: |
-  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
-  sensitive HTTP headers. This will result in a weakness that may make it
-  easier for an attacker to gain access to a user's session via a specially
-  crafted header.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.2"

data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: rack-mini-profiler
-cve: 2016-4442
-url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c
-title: rack-mini-profiler may disclose information to unauthorized users
-date: 2016-05-18
-description: >-
-  Carefully crafted requests can expose information about
-  strings and objects allocated during the request for unauthorised
-  users.
-patched_versions:
-  - ">= 0.10.1"
-related:
-  url:
-    - http://seclists.org/oss-sec/2016/q2/516

data/data/ruby-advisory-db/gems/rack-ssl/OSVDB-104734.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: rack-ssl
-cve: 2014-2538
-osvdb: 104734
-url: http://osvdb.org/show/osvdb/104734
-title: rack-ssl Gem for Ruby Error Message Reflected XSS
-date: 2013-07-09
-description: rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 1.3.4"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7578.yml DELETED Viewed

@@ -1,47 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2015-7578
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"
-title: Possible XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a possible XSS vulnerability in rails-html-sanitizer. This
-  vulnerability has been assigned the CVE identifier CVE-2015-7578.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     1.0.3
-  Impact
-  ------
-  There is a possible XSS vulnerability in rails-html-sanitizer.  Certain
-  attributes are not removed from tags when they are sanitized, and these
-  attributes can lead to an XSS attack on target applications.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  There are no feasible workarounds for this issue.
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 1-0-sanitize_data_attributes.patch - Patch for 1.0 series
-  Credits
-  -------
-  Thanks to Ben Murphy and Marien for reporting this.
-patched_versions:
-  - "~> 1.0.3"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7579.yml DELETED Viewed

@@ -1,75 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2015-7579
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
-title: XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
-  This vulnerability has been assigned the CVE identifier CVE-2015-7579.
-  Versions Affected:  1.0.2
-  Not affected:       1.0.0, 1.0.1
-  Fixed Versions:     1.0.3
-  Impact
-  ------
-  Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
-  passes an already escaped HTML entity to the input of Action View's `strip_tags`
-  these entities will be unescaped what may cause a XSS attack if used in combination
-  with `raw` or `html_safe`.
-  For example:
-      strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")
-  Would generate:
-      <script>alert('XSS')</script>
-  After the fix it will generate:
-      &lt;script&gt;alert('XSS')&lt;/script&gt;
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  If you can't upgrade, please use the following monkey patch in an initializer
-  that is loaded before your application:
-  ```
-  $ cat config/initializers/strip_tags_fix.rb
-  class ActionView::Base
-    def strip_tags(html)
-      self.class.full_sanitizer.sanitize(html)
-    end
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches
-  for the two supported release series. They are in git-am format and consist
-  of a single changeset.
-  * Do-not-unescape-already-escaped-HTML-entities.patch
-  Credits
-  -------
-  Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
-  reporting the problem and working with us to fix it.
-unaffected_versions:
-  - "~> 1.0.0"
-  - "~> 1.0.1"
-patched_versions:
-  - "~> 1.0.3"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7580.yml DELETED Viewed

@@ -1,70 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2015-7580
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"
-title: Possible XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a possible XSS vulnerability in the white list sanitizer in the
-  rails-html-sanitizer gem. This vulnerability has been assigned the CVE
-  identifier CVE-2015-7580.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     v1.0.3
-  Impact
-  ------
-  Carefully crafted strings can cause user input to bypass the sanitization in
-  the white list sanitizer which will can lead to an XSS attack.
-  Vulnerable code will look something like this:
-    <%= sanitize user_input, tags: %w(em) %>
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  Putting the following monkey patch in an initializer can help to mitigate the
-  issue:
-  ```
-  class Rails::Html::PermitScrubber
-    alias :old_scrub :scrub
-    alias :old_skip_node? :skip_node?
-    def scrub(node)
-      if node.cdata?
-        text = node.document.create_text_node node.text
-        node.replace text
-        return CONTINUE
-      end
-      old_scrub node
-    end
-    def skip_node?(node); node.text?; end
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series
-  Credits
-  -------
-  Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.
-patched_versions:
-  - "~> 1.0.3"

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rbovirt
-cve: 2014-0036
-osvdb: 104080
-url: http://osvdb.org/show/osvdb/104080
-title: rbovirt Gem for Ruby contains a flaw
-date: 2014-03-05
-description: |
-  rbovirt Gem for Ruby contains a flaw related to certificate validation.
-  The issue is due to the program failing to validate SSL certificates. This may
-  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
-  poisoning) to spoof the SSL server via an arbitrary certificate that appears
-  valid. Such an attack would allow for the interception of sensitive traffic,
-  and potentially allow for the injection of content into the SSL stream.
-cvss_v2: 6.8
-patched_versions:
-  - '>= 0.0.24'

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: rdoc
-cve: 2013-0256
-osvdb: 90004
-url: http://www.osvdb.org/show/osvdb/90004
-title: RDoc 2.3.0 through 3.12 XSS Exploit
-date: 2013-02-06
-description: |
-  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
-  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
-  may lead to cookie disclosure to third parties.
-  The exploit exists in darkfish.js which is copied from the RDoc install
-  location to the generated documentation.
-  RDoc is a static documentation generation tool. Patching the library itself
-  is insufficient to correct this exploit.
-  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.9.5
-  - ~> 3.12.1
-  - ">= 4.0"

data/data/ruby-advisory-db/gems/redcarpet/CVE-2015-5147.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: redcarpet
-cve: 2015-5147
-osvdb: 123859
-url: http://seclists.org/oss-sec/2015/q2/818
-title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow
-date: 2015-06-22
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a stack overflow.
-  This flaw exists because the header_anchor() function in html.c uses
-  variable length arrays (VLA) without any range checking. This may
-  allow a remote attacker to execute arbitrary code.
-cvss_v2: 7.5
-unaffected_versions:
-  - "< 3.3.0"
-patched_versions:
-  - ">= 3.3.2"

data/data/ruby-advisory-db/gems/redcarpet/OSVDB-120415.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: redcarpet
-osvdb: 120415
-url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
-title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
-date: 2015-04-07
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
-  (XSS) attack. This flaw exists because the parse_inline() function in
-  markdown.c does not validate input before returning it to users. This may
-  allow a remote attacker to create a specially crafted request that would
-  execute arbitrary script code in a user's browser session within the trust
-  relationship between their browser and the server.
-cvss_v2:
-patched_versions:
-  - ">= 3.2.3"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: redis-namespace
-osvdb: 96425
-url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
-title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
-date: 2013-08-03
-description: |
-  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
-  The issue is triggered when handling exec commands called via send(). This may allow a
-  remote attacker to execute arbitrary commands.
-patched_versions:
-  - ">= 1.3.1"
-  - "~> 1.2.2"
-  - "~> 1.1.1"
-  - "~> 1.0.4"

data/data/ruby-advisory-db/gems/refile/OSVDB-120857.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: refile
-osvdb: 120857
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/VIfMO2LvzNs
-title: refile Gem for Ruby contains a remote code execution vulnerability
-date: 2015-04-15
-description: |
-  refile Gem for Ruby contains a flaw that is triggered when input is not
-  sanitized when handling the 'remote_image_url' field in a form, where
-  'image' is the name of the attachment. This may allow a remote attacker
-  to execute arbitrary shell commands.
-cvss_v2:
-unaffected_versions:
-  - "< 0.5.0"
-patched_versions:
-  - '>= 0.5.4'

data/data/ruby-advisory-db/gems/rest-client/CVE-2015-1820.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: rest-client
-cve: 2015-1820
-osvdb: 119878
-url: https://github.com/rest-client/rest-client/issues/369
-title: 'rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses'
-date: 2015-03-24
-description: |
-  rest-client in abstract_response.rb improperly handles Set-Cookie headers on
-  HTTP 30x redirection responses. Any cookies will be forwarded to the
-  redirection target regardless of domain, path, or expiration.
-  If you control a redirection source, you can cause rest-client to perform a
-  request to any third-party domain with cookies of your choosing, which may be
-  useful in performing a session fixation attack.
-  If you control a redirection target, you can steal any cookies set by the
-  third-party redirection request.
-cvss_v2:
-unaffected_versions:
-  - "<= 1.6.0"
-patched_versions:
-  - ">= 1.8.0"

data/data/ruby-advisory-db/gems/rest-client/OSVDB-117461.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: rest-client
-cve: 2015-3448
-osvdb: 117461
-url: http://www.osvdb.org/show/osvdb/117461
-title: Rest-Client Gem for Ruby logs password information in plaintext
-date: 2015-01-12
-description: Rest-Client Ruby Gem contains a flaw that is due to the application
-  logging password information in plaintext. This may allow a local attacker
-  to gain access to password information.
-cvss_v2:
-patched_versions:
-  - ">= 1.7.3"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: rgpg
-cve: 2013-4203
-osvdb: 95948
-url: http://www.osvdb.org/show/osvdb/95948
-title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
-date: 2013-08-02
-description: |
-  rgpg Gem for Ruby contains a flaw in the GpgHelper module
-  (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
-  sanitize user-supplied input before being used in the system() function for
-  execution. This may allow a remote attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: ruby-saml
-cve: 2016-5697
-url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995
-title: XML signature wrapping attack
-date: 2016-06-24
-description: |
-  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
-  in the specific scenario where there was a signature that referenced at the same time
-  2 elements (but past the scheme validator process since 1 of the element was inside
-  the encrypted assertion).
-  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
-  mitigate this kind of attack.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-117903.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: ruby-saml
-osvdb: 117903
-url: http://www.osvdb.org/show/osvdb/117903
-title: Ruby-Saml Gem is vulnerable to arbitrary code execution
-date: 2015-02-03
-description: |
-  ruby-saml contains a flaw that is triggered as the URI value of a SAML response is
-  not properly sanitized through a prepared statement. This may allow a remote
-  attacker to execute arbitrary shell commands on the host machine.
-cvss_v2:
-patched_versions:
-  - ">= 0.8.2"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124383.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: ruby-saml
-osvdb: 124383
-url: https://github.com/onelogin/ruby-saml/pull/247
-title: Ruby-Saml Gem is vulnerable to entity expansion attacks
-date: 2015-06-30
-description: |
-  ruby-saml before 1.0.0 is vulnerable to entity expansion attacks.
-cvss_v2: 3.9
-patched_versions:
-  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124991.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: ruby-saml
-osvdb: 124991
-url: https://github.com/onelogin/ruby-saml/pull/225
-title: Ruby-Saml Gem is vulnerable to XPath Injection
-date: 2015-04-29
-description: |
-  ruby-saml before 1.0.0 is vulnerable to XPath injection on xml_security.rb. The
-  lack of prepared statements allows for possibly command injection, leading to
-  arbitrary code execution
-cvss_v2: 6.7
-patched_versions:
-  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby_parser/OSVDB-90561.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: ruby_parser
-cve: 2013-0162
-osvdb: 90561
-url: http://osvdb.org/show/osvdb/90561
-title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
-date: 2013-02-21
-description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: rubyzip
-cve: 2017-5946
-url: https://github.com/rubyzip/rubyzip/issues/315
-title: Directory traversal vulnerability in rubyzip
-date: 2017-02-27
-description: |
-  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a directory
-  traversal vulnerability. If a site allows uploading of .zip files, an attacker
-  can upload a malicious file that uses "../" pathname substrings to write arbitrary
-  files to the filesystem.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.2.1"

data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: safemode
-cve: 2016-3693
-title: Safemode Gem for Ruby is vulnerable to information disclosure
-date: 2016-04-20
-url: http://seclists.org/oss-sec/2016/q2/119
-description: |
-  Safemode is initialised with an optional 'delegate' object.
-  If the delegated object is a Rails controller, 'inspect' could
-  be called which then exposes all informations about the App,
-  including routes, secret tokens, caches and so on.
-patched_versions:
-  - ">= 1.2.4"

data/data/ruby-advisory-db/gems/screen_capture/OSVDB-107783.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: screen_capture
-osvdb: 107783
-url: http://osvdb.org/show/osvdb/107783
-title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command Execution
-date: 2014-06-07
-description: Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that is triggered when handling input passed via the URL. This may allow a context-dependent attacker to execute arbitrary commands.