RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.8.0.rc1 - Mend

bundler-audit 0.7.0.1 → 0.8.0.rc1

Files changed (597) hide show

data/data/ruby-advisory-db/gems/actionpack/CVE-2020-8166.yml DELETED

@@ -1,31 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2020-8166
-date: 2020-05-18
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw
-title: Ability to forge per-form CSRF tokens given a global CSRF token
-description: |
-  It is possible to possible to, given a global CSRF token such as the one
-  present in the authenticity_token meta tag, forge a per-form CSRF token for
-  any action for that session.
-  Versions Affected:  rails < 5.2.5, rails < 6.0.4
-  Not affected:       Applications without existing HTML injection vulnerabilities.
-  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
-  Impact
-  ------
-  Given the ability to extract the global CSRF token, an attacker would be able to
-  construct a per-form CSRF token for that session.
-  Workarounds
-  -----------
-  This is a low-severity security issue. As such, no workaround is necessarily
-  until such time as the application can be upgraded.
-patched_versions:
-  - "~> 5.2.4.3"
-  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100524.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6415
-osvdb: 100524
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
-title: XSS Vulnerability in number_to_currency
-date: 2013-12-03
-description: |
-  There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile.
-  The number_to_currency helper allows users to nicely format a numeric value. One
-  of the parameters to the helper (unit) is not escaped correctly.  Applications
-  which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100525.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6414
-osvdb: 100525
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
-title: Denial of Service Vulnerability in Action View
-date: 2013-12-03
-description: |
-  There is a denial of service vulnerability in the header handling component of
-  Action View.
-cvss_v2: 5.0
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100526.yml DELETED

@@ -1,27 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6416
-osvdb: 100526
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
-title: XSS Vulnerability in simple_format helper
-date: 2013-12-03
-description: |
-  There is a vulnerability in the simple_format helper in Ruby on Rails.
-  The simple_format helper converts user supplied text into html text
-  which is intended to be safe for display. A change made to the
-  implementation of this helper means that any user provided HTML
-  attributes will not be escaped correctly. As a result of this error,
-  applications which pass user-controlled data to be included as html
-  attributes will be vulnerable to an XSS attack.
-cvss_v2: 4.3
-unaffected_versions:
-  - ~> 2.3.0
-  - ~> 3.1.0
-  - ~> 3.2.0
-patched_versions:
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100527.yml DELETED

@@ -1,24 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-6417
-osvdb: 100527
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
-title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
-date: 2013-12-03
-description: |
-  The prior fix to CVE-2013-0155 was incomplete and the use of common
-  3rd party libraries can accidentally circumvent the protection. Due
-  to the way that Rack::Request and Rails::Request interact, it is
-  possible for a 3rd party or custom rack middleware to parse the
-  parameters insecurely and store them in the same key that Rails uses
-  for its own parameters.  In the event that happens the application
-  will receive unsafe parameters and could be vulnerable to the earlier
-  vulnerability.
-cvss_v2: 6.4
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-100528.yml DELETED

@@ -1,22 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2013-4491
-osvdb: 100528
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
-title: Reflective XSS Vulnerability in Ruby on Rails
-date: 2013-12-03
-description: |
-  There is a vulnerability in the internationalization component of Ruby on
-  Rails. Under certain common configurations an attacker can provide specially
-  crafted input which will execute a reflective XSS attack.
-  The root cause of this issue is a vulnerability in the i18n gem which has
-  been assigned the identifier CVE-2013-4492.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.2.16
-  - ">= 4.0.2"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-74616.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2011-3186
-osvdb: 74616
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
-title: Response Splitting Vulnerability in Ruby on Rails
-date: 2011-08-16
-description: |
-  A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow
-  a remote attacker to inject arbitrary HTTP headers into a response due to
-  insufficient sanitization of the values provided for response content types.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.3.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-77199.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: actionpack
-framework: rails
-cve: 2011-4319
-osvdb: 77199
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/K2HXD7c8fMU
-title: XSS vulnerability in the translate helper method in Ruby on Rails
-date: 2011-11-17
-description: |
-  A cross-site scripting (XSS) flaw was found in the way the 'translate' helper
-  method of the Ruby on Rails performed HTML escaping of interpolated user
-  input, when interpolation in combination with HTML-safe translations were
-  used. A remote attacker could use this flaw to execute arbitrary HTML or web
-  script by providing a specially-crafted input to Ruby on Rails application,
-  using the ActionPack module and its 'translate' helper method without explicit
-  (application specific) sanitization of user provided input.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 3.0.11"
-  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-0752.yml DELETED

@@ -1,95 +0,0 @@
----
-gem: actionview
-framework: rails
-cve: 2016-0752
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00"
-title: Possible Information Leak Vulnerability in Action View
-description: |
-  There is a possible directory traversal and information leak vulnerability in
-  Action View. This vulnerability has been assigned the CVE identifier
-  CVE-2016-0752.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-  Impact
-  ------
-  Applications that pass unverified user input to the `render` method in a
-  controller may be vulnerable to an information leak vulnerability.
-  Impacted code will look something like this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  Carefully crafted requests can cause the above code to render files from
-  unexpected places like outside the application's view directory, and can
-  possibly escalate this to a remote code execution attack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  A workaround to this issue is to not pass arbitrary user input to the `render`
-  method.  Instead, verify that data before passing it to the `render` method.
-  For example, change this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  To this:
-  ```ruby
-  def index
-    render verify_template(params[:id])
-  end
-  private
-  def verify_template(name)
-    # add verification logic particular to your application here
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 3-2-render_data_leak.patch - Patch for 3.2 series
-  * 4-1-render_data_leak.patch - Patch for 4.1 series
-  * 4-2-render_data_leak.patch - Patch for 4.2 series
-  * 5-0-render_data_leak.patch - Patch for 5.0 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Thanks John Poulin for reporting this!
-cvss_v2: 5.0
-cvss_v3: 7.5
-# "~> 3.2.22.1" is found in gems/actionpack/CVE-2016-0752.yml
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-2097.yml DELETED

@@ -1,89 +0,0 @@
----
-gem: actionview
-framework: rails
-cve: 2016-2097
-date: 2016-02-29
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4"
-title: Possible Information Leak Vulnerability in Action View
-description: |
-  There is a possible directory traversal and information leak vulnerability
-  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
-  patch was not covering all the scenarios. This vulnerability has been
-  assigned the CVE identifier CVE-2016-2097.
-  Versions Affected:  3.2.x, 4.0.x, 4.1.x
-  Not affected:       4.2+
-  Fixed Versions:     3.2.22.2, 4.1.14.2
-  Impact
-  ------
-  Applications that pass unverified user input to the `render` method in a
-  controller may be vulnerable to an information leak vulnerability.
-  Impacted code will look something like this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  Carefully crafted requests can cause the above code to render files from
-  unexpected places like outside the application's view directory, and can
-  possibly escalate this to a remote code execution attack.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  A workaround to this issue is to not pass arbitrary user input to the `render`
-  method. Instead, verify that data before passing it to the `render` method.
-  For example, change this:
-  ```ruby
-  def index
-    render params[:id]
-  end
-  ```
-  To this:
-  ```ruby
-  def index
-    render verify_template(params[:id])
-  end
-  private
-  def verify_template(name)
-    # add verification logic particular to your application here
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches
-  for it. It is in git-am format and consist of a single changeset.
-  * 3-2-render_data_leak_2.patch - Patch for 3.2 series
-  * 4-1-render_data_leak_2.patch - Patch for 4.1 series
-  Credits
-  -------
-  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
-  and working with us in the patch!
-unaffected_versions:
-  - ">= 4.2.0"
-# "~> 3.2.22.2"  is found in gems/actionpack/CVE-2016-2097.yml
-patched_versions:
-  - "~> 4.1.14, >= 4.1.14.2"

data/data/ruby-advisory-db/gems/actionview/CVE-2016-6316.yml DELETED

@@ -1,56 +0,0 @@
----
-gem: actionview
-framework: rails
-cve: 2016-6316
-date: 2016-08-11
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk
-title: Possible XSS Vulnerability in Action View
-description: |
-  There is a possible XSS vulnerability in Action View.  Text declared as "HTML
-  safe" will not have quotes escaped when used as attribute values in tag
-  helpers.
-  Impact
-  ------
-  Text declared as "HTML safe" when passed as an attribute value to a tag helper
-  will not have quotes escaped which can lead to an XSS attack.  Impacted code
-  looks something like this:
-  ```ruby
-  content_tag(:div, "hi", title: user_input.html_safe)
-  ```
-  Some helpers like the `sanitize` helper will automatically mark strings as
-  "HTML safe", so impacted code could also look something like this:
-  ```ruby
-  content_tag(:div, "hi", title: sanitize(user_input))
-  ```
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Workarounds
-  -----------
-  You can work around this issue by either *not* marking arbitrary user input as
-  safe, or by manually escaping quotes like this:
-  ```ruby
-  def escape_quotes(value)
-    value.gsub(/"/, '&quot;'.freeze)
-  end
-  content_tag(:div, "hi", title: escape_quotes(sanitize(user_input)))
-  ```
-unaffected_versions:
-  - "< 3.0.0"
-# "~> 3.2.22.3" is found in gems/actionpack/CVE-2016-6316.yml
-patched_versions:
-  - "~> 4.2.7.1"
-  - "~> 4.2.8"
-  - ">= 5.0.0.1"

data/data/ruby-advisory-db/gems/actionview/CVE-2019-5418.yml DELETED

@@ -1,98 +0,0 @@
----
-gem: actionview
-framework: rails
-cve: 2019-5418
-date: 2019-03-13
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
-title: File Content Disclosure in Action View
-description: |
-  There is a possible file content disclosure vulnerability in Action View. This
-  vulnerability has been assigned the CVE identifier CVE-2019-5418.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
-  Impact
-  ------
-  There is a possible file content disclosure vulnerability in Action View.
-  Specially crafted accept headers in combination with calls to `render file:`
-  can cause arbitrary files on the target server to be rendered, disclosing the
-  file contents.
-  The impact is limited to calls to `render` which render file contents without
-  a specified accept format.  Impacted code in a controller looks something like
-  this:
-  ```
-  class UserController < ApplicationController
-    def index
-      render file: "#{Rails.root}/some/file"
-    end
-  end
-  ```
-  Rendering templates as opposed to files is not impacted by this vulnerability.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
-  available at the normal locations.
-  Workarounds
-  -----------
-  This vulnerability can be mitigated by specifying a format for file rendering,
-  like this:
-  ```
-  class UserController < ApplicationController
-    def index
-      render file: "#{Rails.root}/some/file", formats: [:html]
-    end
-  end
-  ```
-  In summary, impacted calls to `render` look like this:
-  ```
-  render file: "#{Rails.root}/some/file"
-  ```
-  The vulnerability can be mitigated by changing to this:
-  ```
-  render file: "#{Rails.root}/some/file", formats: [:html]
-  ```
-  Other calls to `render` are not impacted.
-  Alternatively, the following monkey patch can be applied in an initializer:
-  ```
-  $ cat config/initializers/formats_filter.rb
-  # frozen_string_literal: true
-  ActionDispatch::Request.prepend(Module.new do
-    def formats
-      super().select do |format|
-        format.symbol || format.ref == "*/*"
-      end
-    end
-  end)
-  ```
-  Credits
-  -------
-  Thanks to John Hawthorn <john@hawthorn.email> of GitHub
-patched_versions:
-  - "~> 4.2.11, >= 4.2.11.1"
-  - "~> 5.0.7, >= 5.0.7.2"
-  - "~> 5.1.6, >= 5.1.6.2"
-  - "~> 5.2.2, >= 5.2.2.1"
-  - ">= 6.0.0.beta3"