RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.0.1 - Mend

bundler-audit 0.7.0.1 → 0.9.0.1

Files changed (612) hide show

data/data/ruby-advisory-db/gems/activerecord/CVE-2015-7577.yml DELETED Viewed

@@ -1,110 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2015-7577
-date: 2016-01-25
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g
-title: Nested attributes rejection proc bypass in Active Record
-description: |
-  There is a vulnerability in how the nested attributes feature in Active Record
-  handles updates in combination with destroy flags when destroying records is
-  disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577.
-  Versions Affected:  3.1.0 and newer
-  Not affected:       3.0.x and older
-  Fixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1
-  Impact
-  ------
-  When using the nested attributes feature in Active Record you can prevent the
-  destruction of associated records by passing the `allow_destroy: false` option
-  to the `accepts_nested_attributes_for` method. However due to a change in the
-  commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from
-  being called because it assumes that the record will be destroyed anyway.
-  However this isn't true if `:allow_destroy` is false so this leads to changes
-  that would have been rejected being applied to the record. Attackers could use
-  this do things like set attributes to invalid values and to clear all of the
-  attributes amongst other things. The severity will be dependent on how the
-  application has used this feature.
-  All users running an affected release should either upgrade or use one of
-  the workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  If you can't upgrade, please use the following monkey patch in an initializer
-  that is loaded before your application:
-  ```
-  $ cat config/initializers/nested_attributes_bypass_fix.rb
-  module ActiveRecord
-    module NestedAttributes
-      private
-      def reject_new_record?(association_name, attributes)
-        will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes)
-      end
-      def call_reject_if(association_name, attributes)
-        return false if will_be_destroyed?(association_name, attributes)
-        case callback = self.nested_attributes_options[association_name][:reject_if]
-        when Symbol
-          method(callback).arity == 0 ? send(callback) : send(callback, attributes)
-        when Proc
-          callback.call(attributes)
-        end
-      end
-      def will_be_destroyed?(association_name, attributes)
-        allow_destroy?(association_name) && has_destroy_flag?(attributes)
-      end
-      def allow_destroy?(association_name)
-        self.nested_attributes_options[association_name][:allow_destroy]
-      end
-    end
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series
-  * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series
-  * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series
-  * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series
-  Please note that only the 4.1.x and 4.2.x series are supported at present. Users
-  of earlier unsupported releases are advised to upgrade as soon as possible as we
-  cannot guarantee the continued availability of security fixes for unsupported
-  releases.
-  Credits
-  -------
-  Thank you to Justin Coyne for reporting the problem and working with us to fix it.
-  [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325
-cvss_v2: 5.0
-cvss_v3: 5.3
-unaffected_versions:
-  - "~> 3.0.0"
-  - "< 3.0.0"
-patched_versions:
-  - ">= 5.0.0.beta1.1"
-  - "~> 4.2.5, >= 4.2.5.1"
-  - "~> 4.1.14, >= 4.1.14.1"
-  - "~> 3.2.22.1"

data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml DELETED Viewed

@@ -1,73 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2016-6317
-date: 2016-08-11
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
-title: Unsafe Query Generation Risk in Active Record
-description: |
-  There is a vulnerability when Active Record is used in conjunction with JSON
-  parameter parsing. This vulnerability is similar to CVE-2012-2660,
-  CVE-2012-2694 and CVE-2013-0155.
-  Impact
-  ------
-  Due to the way Active Record interprets parameters in combination with the way
-  that JSON parameters are parsed, it is possible for an attacker to issue
-  unexpected database queries with "IS NULL" or empty where clauses.  This issue
-  does *not* let an attacker insert arbitrary values into an SQL query, however
-  they can cause the query to check for NULL or eliminate a WHERE clause when
-  most users wouldn't expect it.
-  For example, a system has password reset with token functionality:
-  ```ruby
-      unless params[:token].nil?
-        user = User.find_by_token(params[:token])
-        user.reset_password!
-      end
-  ```
-  An attacker can craft a request such that `params[:token]` will return
-  `[nil]`.  The `[nil]` value will bypass the test for nil, but will still add
-  an "IN ('xyz', NULL)" clause to the SQL query.
-  Similarly, an attacker can craft a request such that `params[:token]` will
-  return an empty hash.  An empty hash will eliminate the WHERE clause of the
-  query, but can bypass the `nil?` check.
-  Note that this impacts not only dynamic finders (`find_by_*`) but also
-  relations (`User.where(:name => params[:name])`).
-  All users running an affected release should either upgrade or use one of the
-  work arounds immediately. All users running an affected release should upgrade
-  immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
-  CVE-2012-2694, and CVE-2013-0155.  Even if you upgraded to address those
-  issues, you must take action again.
-  If this chance in behavior impacts your application, you can manually decode
-  the original values from the request like so:
-      `ActiveSupport::JSON.decode(request.body)`
-  Workarounds
-  -----------
-  This problem can be mitigated by casting the parameter to a string before
-  passing it to Active Record.  For example:
-    ```ruby
-      unless params[:token].nil? || params[:token].to_s.empty?
-        user = User.find_by_token(params[:token].to_s)
-        user.reset_password!
-      end
-    ```
-unaffected_versions:
-  - "< 4.2.0"
-  - ">= 5.0.0"
-patched_versions:
-  - ">= 4.2.7.1"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-88661.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-6496
-osvdb: 88661
-url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
-title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
-date: 2012-12-22
-description: |
-  Due to the way dynamic finders in Active Record extract options from method
-  parameters, a method parameter can mistakenly be used as a scope.  Carefully
-  crafted requests can use the scope to inject arbitrary SQL.
-cvss_v2: 6.4
-patched_versions:
-  - ~> 3.0.18
-  - ~> 3.1.9
-  - ">= 3.2.10"

data/data/ruby-advisory-db/gems/activerecord-jdbc-adapter/OSVDB-114854.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: activerecord-jdbc-adapter
-platform: jruby
-osvdb: 114854
-url: http://osvdb.org/show/osvdb/114854
-title: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
-  Function SQL Injection
-date: 2013-02-25
-description: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
-  out an SQL injection attack. The issue is due to the sql.gsub() function in
-  lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before
-  using it in SQL queries. This may allow a remote attacker to inject or
-  manipulate SQL queries in the back-end database, allowing for the
-  manipulation or disclosure of arbitrary data.
-unaffected_versions:
-  - "< 1.2.6"
-patched_versions:
-  - ">= 1.2.8"

data/data/ruby-advisory-db/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activerecord-oracle_enhanced-adapter
-osvdb: 95376
-url: http://osvdb.org/show/osvdb/95376
-title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection
-date: 2008-10-10
-description: |
-  Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an
-  attacker to carry out an SQL injection attack. The issue is due to the
-  program not properly sanitizing user-supplied input related to the :limit and
-  :offset functions. This may allow an attacker to inject or manipulate SQL
-  queries in the back-end database, allowing for the manipulation or disclosure
-  of arbitrary data.
-patched_versions:
-  - ">= 1.1.8"

data/data/ruby-advisory-db/gems/activeresource/CVE-2020-8151.yml DELETED Viewed

@@ -1,48 +0,0 @@
----
-gem: activeresource
-cve: 2020-8151
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
-title: activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding
-date: 2020-05-05
-description: |
-  activeresource contains a lack of encoding flaw in the element_path function of
-  lib/active_resource/base.rb.
-  There is an issue with the way Active Resource encodes data before querying the back end server.  This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.
-  Impacted code will look something like this:
-  ```
-  require 'activeresource'
-  class Test < ActiveResource::Base
-    self.site = 'http://127.0.0.1:3000'
-  end
-  Test.exists?(untrusted_user_input)
-  ```
-  Where untrusted user input is passed to an Active Resource model.  Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.
-  Workarounds
-  -------------
-  For those that can't upgrade, the following monkey patch can be applied:
-  ```
-  module ActiveResource
-   class Base
-     class << self
-       def element_path(id, prefix_options = {}, query_options = nil)
-         check_prefix_options(prefix_options)
-         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
-         "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
-       end
-     end
-   end
-  end
-  ```
-patched_versions:
-  - ">= 5.1.1"

data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activeresource
-osvdb: 95749
-url: http://osvdb.org/show/osvdb/95749
-title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
-date: 2008-08-15
-description: |
-  activeresource contains a format string flaw in the request function of
-  lib/active_resource/connection.rb. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
-  when passed via the 'result.code' and 'result.message' variables. This may
-  allow a remote attacker to cause a denial of service or potentially execute
-  arbitrary code.
-patched_versions:
-  - ">= 2.2.0"

data/data/ruby-advisory-db/gems/activestorage/CVE-2018-16477.yml DELETED Viewed

@@ -1,43 +0,0 @@
----
-gem: activestorage
-framework: rails
-cve: 2018-16477
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
-title: Bypass vulnerability in Active Storage
-date: 2018-11-27
-description: |
-  There is a vulnerability in Active Storage. This vulnerability has been
-  assigned the CVE identifier CVE-2018-16477.
-  Versions Affected:  >= 5.2.0
-  Not affected:       < 5.2.0
-  Fixed Versions:     5.2.1.1
-  Impact
-  ------
-  Signed download URLs generated by `ActiveStorage` for Google Cloud Storage
-  service and Disk service include `content-disposition` and `content-type`
-  parameters that an attacker can modify. This can be used to upload specially
-  crafted HTML files and have them served and executed inline. Combined with
-  other techniques such as cookie bombing and specially crafted AppCache manifests,
-  an attacker can gain access to private signed URLs within a specific storage path.
-  Vulnerable apps are those using either GCS or the Disk service in production.
-  Other storage services such as S3 or Azure aren't affected.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately. For those using GCS, it's also recommended to run the
-  following to update existing blobs:
-  ```
-  ActiveStorage::Blob.find_each do |blob|
-    blob.send :update_service_metadata
-  end
-  ```
-unaffected_versions:
-  - "< 5.2.0"
-patched_versions:
-  - ">= 5.2.1.1"

data/data/ruby-advisory-db/gems/activestorage/CVE-2020-8162.yml DELETED Viewed

@@ -1,31 +0,0 @@
----
-gem: activestorage
-framework: rails
-cve: 2020-8162
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
-title: Circumvention of file size limits in ActiveStorage
-date: 2020-05-18
-description: |
-  There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
-  direct file upload to be modified by an end user.
-  Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
-  Not affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
-  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
-  Impact
-  ------
-  Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
-  new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
-  Workarounds
-  -----------
-  This is a low-severity security issue. As such, no workaround is necessarily
-  until such time as the application can be upgraded.
-patched_versions:
-  - "~> 5.2.4.3"
-  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/activesupport/CVE-2012-1098.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-1098
-osvdb: 79726
-url: https://nvd.nist.gov/vuln/detail/CVE-2012-1098
-title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
-date: 2012-03-01
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because athe application does not validate direct
-  manipulations of SafeBuffer objects via '[]' and other methods. This may
-  allow a user to create a specially crafted request that would execute
-  arbitrary script code in a user's browser within the trust relationship
-  between their browser and the server.
-cvss_v2: 4.3
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.0.12
-  - ~> 3.1.4
-  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/activesupport/CVE-2012-3464.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-3464
-osvdb: 84516
-url: https://nvd.nist.gov/vuln/detail/CVE-2012-3464
-title: Ruby on Rails HTML Escaping Code XSS
-date: 2012-08-09
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because the HTML escaping code functionality does
-  not properly escape a single quote character. This may allow a user to create
-  a specially crafted request that would execute arbitrary script code in a
-  user's browser within the trust relationship between their browser and the
-  server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.0.17
-  - ~> 3.1.8
-  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/activesupport/CVE-2013-0333.yml DELETED Viewed

@@ -1,25 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2013-0333
-osvdb: 89594
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333
-title:
-  Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
-  Execution
-date: 2013-01-28
-description: |
-  Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
-  parsing backends, one of which involves transforming JSON into YAML via the
-  YAML parser. With a specially crafted payload, an attacker can subvert the
-  backend into decoding a subset of YAML. This may allow a remote attacker to
-  bypass restrictions, allowing them to bypass authentication systems, inject
-  arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on
-  a Rails application.
-cvss_v2: 9.3
-patched_versions:
-  - ~> 2.3.16
-  - ">= 3.0.20"

data/data/ruby-advisory-db/gems/activesupport/CVE-2013-1856.yml DELETED Viewed

@@ -1,28 +0,0 @@
----
-gem: activesupport
-framework: rails
-platform: jruby
-cve: 2013-1856
-osvdb: 91451
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
-title: XML Parsing Vulnerability affecting JRuby users
-date: 2013-03-19
-description: |
- The ActiveSupport XML parsing functionality supports multiple
- pluggable backends. One backend supported for JRuby users is
- ActiveSupport::XmlMini_JDOM which makes use of the
- javax.xml.parsers.DocumentBuilder class. In some JVM configurations
- the default settings of that class can allow an attacker to construct
- XML which, when parsed, will contain the contents of arbitrary URLs
- including files from the application server. They may also allow for
- various denial of service attacks. Action Pack
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml DELETED Viewed

@@ -1,55 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2015-3226
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
-title: |
-  XSS Vulnerability in ActiveSupport::JSON.encode
-date: 2015-06-16
-description: |
-  When a `Hash` containing user-controlled data is encode as JSON (either through
-  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
-  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
-  option (which is enabled by default). If this resulting JSON string is subsequently
-  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
-  For example, the following code snippet is vulnerable to this attack:
-      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
-  Similarly, the following is also vulnerable:
-      <script>
-        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
-      </script>
-  All applications that renders JSON-encoded strings that contains user-controlled
-  data in their views should either upgrade to one of the FIXED versions or use
-  the suggested workaround immediately.
-  Workarounds
-  -----------
-  To work around this problem add an initializer with the following code:
-    module ActiveSupport
-      module JSON
-        module Encoding
-          private
-          class EscapedString
-            def to_s
-              self
-            end
-          end
-        end
-      end
-    end
-unaffected_versions:
-  - "< 4.1.0"
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml DELETED Viewed

@@ -1,33 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2015-3227
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
-title: |
-  Possible Denial of Service attack in Active Support
-date: 2015-06-16
-description: |
-  Specially crafted XML documents can cause applications to raise a
-  `SystemStackError` and potentially cause a denial of service attack.  This
-  only impacts applications using REXML or JDOM as their XML processor.  Other
-  XML processors that Rails supports are not impacted.
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  Workarounds
-  -----------
-  Use an XML parser that is not impacted by this problem, such as Nokogiri or
-  LibXML.  You can change the processor like this:
-    ActiveSupport::XmlMini.backend = 'Nokogiri'
-  If you cannot change XML parsers, then adjust
-  `RUBY_THREAD_MACHINE_STACK_SIZE`.
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"
-  - "~> 3.2.22"

data/data/ruby-advisory-db/gems/activesupport/CVE-2020-8165.yml DELETED Viewed

@@ -1,41 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2020-8165
-date: 2020-05-18
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c
-title: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore
-description: |
-  There is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when
-  untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result
-  from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:
-  ```
-  data = cache.fetch("demo", raw: true) { untrusted_string }
-  ```
-  Versions Affected:  rails < 5.2.5, rails < 6.0.4
-  Not affected:       Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
-  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
-  Impact
-  ------
-  Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,
-  this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.
-  In addition to upgrading to the latest versions of Rails, developers should ensure that whenever
-  they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both
-  reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,
-  detect if data was serialized using the raw option upon deserialization.
-  Workarounds
-  -----------
-  It is recommended that application developers apply the suggested patch or upgrade to the latest release as
-  soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using
-  the `raw` argument should be double-checked to ensure that they conform to the expected format.
-patched_versions:
-  - "~> 5.2.4.3"
-  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/administrate/CVE-2016-3098.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: administrate
-cve: 2016-3098
-title: Cross-site request forgery (CSRF) vulnerability in administrate gem
-date: 2016-04-01
-url: http://seclists.org/oss-sec/2016/q2/0
-description: >-
-  `Administrate::ApplicationController` actions didn't have CSRF
-  protection. Remote attackers can hijack user's sessions and use any
-  functionality that administrate exposes on their behalf.
-patched_versions:
-  - ">= 0.1.5"

data/data/ruby-advisory-db/gems/administrate/CVE-2020-5257.yml DELETED Viewed

@@ -1,24 +0,0 @@
----
-gem: administrate
-cve: 2020-5257
-ghsa: 2p5p-m353-833w
-title: Sort order SQL injection via `direction` parameter in administrate
-date: 2020-03-14
-url: https://github.com/advisories/GHSA-2p5p-m353-833w
-description: |
-  In Administrate (rubygem) before version 0.13.0, when sorting by attributes
-  on a dashboard, the direction parameter was not validated before being
-  interpolated into the SQL query.
-  This could present a SQL injection if the attacker were able to modify the
-  direction parameter and bypass ActiveRecord SQL protections.
-  Whilst this does have a high-impact, to exploit this you need access to the
-  Administrate dashboards, which should generally be behind authentication.
-patched_versions:
-  - ">= 0.13.0"
-related:
-  url:
-    - https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3

data/data/ruby-advisory-db/gems/aescrypt/CVE-2013-7463.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: aescrypt
-cve: 2013-7463
-date: 2013-10-01
-url: https://github.com/Gurpartap/aescrypt/issues/4
-title: Vulnerability in aescrypt because IV is not randomized
-description: |
-  The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the
-  AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to
-  defeat cryptographic protection mechanisms via a chosen plaintext attack.