RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.0.1 - Mend

bundler-audit 0.7.0.1 → 0.9.0.1

Files changed (612) hide show

data/data/ruby-advisory-db/gems/chartkick/CVE-2019-12732.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: chartkick
-cve: 2019-12732
-url: https://github.com/ankane/chartkick/issues/488
-title: XSS Vulnerability in Chartkick Ruby Gem
-date: 2019-06-04
-description: |
-  Chartkick is vulnerable to a cross-site scripting (XSS) attack if
-  both the following conditions are met:
-  Condition 1:
-    It's used with `ActiveSupport.escape_html_entities_in_json = false`
-    (this is not the default for Rails)
-    OR used with a non-Rails framework like Sinatra.
-  Condition 2:
-    Untrusted data or options are passed to a chart.
-    <%= line_chart params[:data], min: params[:min] %>
-patched_versions:
-  - ">= 3.2.0"

data/data/ruby-advisory-db/gems/chartkick/CVE-2019-18841.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: chartkick
-cve: 2019-18841
-url: https://github.com/ankane/chartkick.js/issues/117
-title: Prototype Pollution in Chartkick.js 3.1.x
-date: 2019-11-09
-description: |
-  A specially crafted response in data loaded via URL
-  can cause prototype pollution in JavaScript.
-unaffected_versions:
-  - "< 3.1.0"
-patched_versions:
-  - ">= 3.3.0"

data/data/ruby-advisory-db/gems/chloride/CVE-2018-6517.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: chloride
-cve: 2018-6517
-url: https://puppet.com/security/cve/CVE-2018-6517
-date: 2019-03-08
-title: Improper handling of ssh known_hosts file with Chloride
-description: |
-  Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints
-  for previously unknown hosts getting added to the user's known_hosts file without
-  confirmation. In version 0.3.0 this is updated so that the user's known_hosts file
-  is not updated by chloride.
-cvss_v3: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/ciborg/CVE-2014-5003.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: ciborg
-cve: 2014-5003
-osvdb: 108586
-url: https://nvd.nist.gov/vuln/detail/CVE-2014-5003
-title: ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File Overwrite
-date: 2014-06-30
-description: ciborg Gem for Ruby contains a flaw as default.rb creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against the /tmp/perlbrew-installer file to cause the program to unexpectedly overwrite an arbitrary file.

data/data/ruby-advisory-db/gems/cocaine/CVE-2013-4457.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: cocaine
-cve: 2013-4457
-osvdb: 98835
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-4457
-title: Cocaine Gem for Ruby contains a flaw
-date: 2013-10-22
-description: Cocaine Gem for Ruby contains a flaw that is due to the method
-  of variable interpolation used by the program. With a specially crafted
-  object, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 6.8
-unaffected_versions:
-  - < 0.4.0
-patched_versions:
-  - '>= 0.5.3'

data/data/ruby-advisory-db/gems/codders-dataset/CVE-2014-4991.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: codders-dataset
-cve: 2014-4991
-osvdb: 108582
-url: https://nvd.nist.gov/vuln/detail/CVE-2014-4991
-title: codders-dataset Gem for Ruby lib/dataset/database/mysql.rb and lib/dataset/database/postgresql.rb Process Table Local Plaintext Credential Disclosure
-date: 2014-06-30
-description: (1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command line, which allows local users to obtain sensitive information by listing the process.

data/data/ruby-advisory-db/gems/coin_base/CVE-2019-15224.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: coin_base
-cve: 2019-15224
-ghsa: 333g-rpr4-7hxq
-url: https://github.com/rubygems.org/issues/2097
-date: 2019-08-20
-title: Code execution backdoor in coin_base
-description: |
-  The coin_base gem 4.2.1 through 4.2.2 for Ruby, as distributed on RubyGems.org, included a
-  code-execution backdoor inserted by a third party.
-  No unaffected version is known to exist, as the gem appears to have been entirely removed.
-unaffected_versions:
-  - "< 4.2.1"
-  - "> 4.2.2"
-related:
-  url:
-    - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

data/data/ruby-advisory-db/gems/colorscore/CVE-2015-7541.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: colorscore
-cve: 2015-7541
-osvdb: 132516
-url: http://seclists.org/oss-sec/2016/q1/17
-title: colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection
-date: 2016-01-04
-description: |
-  The contents of the `image_path`, `colors`, and `depth` variables generated
-  from possibly user-supplied input are passed directly to the shell via
-  `convert ...`.
-  If a user supplies a value that includes shell metacharacters such as ';', an
-  attacker may be able to execute shell commands on the remote system as the
-  user id of the Ruby process.
-  To resolve this issue, the aforementioned variables (especially `image_path`)
-  must be sanitized for shell metacharacters.
-patched_versions:
-  - '>= 0.0.5'

data/data/ruby-advisory-db/gems/coming-soon/CVE-2019-15224.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: coming-soon
-cve: 2019-15224
-ghsa: 333g-rpr4-7hxq
-url: https://github.com/rubygems.org/issues/2097
-date: 2019-08-20
-title: Code execution backdoor in coming-soon
-description: |
-  The coming-soon gem 0.2.8 for Ruby, as distributed on RubyGems.org, included a code-execution
-  backdoor inserted by a third party.
-  No unaffected version is known to exist, as the gem appears to have been entirely removed.
-unaffected_versions:
-  - "< 0.2.8"
-  - "> 0.2.8"
-related:
-  url:
-    - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

data/data/ruby-advisory-db/gems/command_wrap/CVE-2013-1875.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: command_wrap
-cve: 2013-1875
-osvdb: 91450
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-1875
-title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-18
-description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/consul/CVE-2019-16377.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: consul
-cve: 2019-16377
-url: https://github.com/makandra/consul/issues/49
-title: |
-  Consul gem insufficient authentication check: Multiple powers in one controller are not always checked correctly
-date: 2019-09-23
-description: |
-  With the consul ruby gem before 1.0.3, if a controller checks multiple powers
-  using `:if` or `:except` conditions, these conditions are erroneously applied
-  to all power checks in that controller. This can lead to skipped power checks
-  and hence unauthenticated access to certain controller actions.
-patched_versions:
-  - ">= 1.0.3"

data/data/ruby-advisory-db/gems/crack/CVE-2013-1800.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: crack
-cve: 2013-1800
-osvdb: 90742
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-1800
-title: crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-description: |
-  crack Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-date: 2013-01-09
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.3.2"

data/data/ruby-advisory-db/gems/cremefraiche/CVE-2013-2090.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: cremefraiche
-cve: 2013-2090
-osvdb: 93395
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-2090
-title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-05-14
-description: Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 9.3
-patched_versions:
-  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/cron_parser/CVE-2019-15224.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: cron_parser
-cve: 2019-15224
-ghsa: 333g-rpr4-7hxq
-url: https://github.com/rubygems.org/issues/2097
-date: 2019-08-20
-title: Code execution backdoor in cron_parser
-description: |
-  The cron_parser gem 0.1.4, 1.0.12, and 1.0.13 as distributed on RubyGems.org, included a
-  code-execution backdoor inserted by a third party.
-  No unaffected version is known to exist, as the gem appears to have been entirely removed.
-unaffected_versions:
-  - "< 1.0.12"
-  - "> 1.0.13"
-  - "< 0.1.4"
-  - "> 0.1.4"
-related:
-  url:
-    - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

data/data/ruby-advisory-db/gems/curb/OSVDB-114600.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: curb
-osvdb: 114600
-url: http://osvdb.org/show/osvdb/114600
-title: curb Gem for Ruby Empty http_put Body Handling Remote DoS
-date: 2010-08-12
-description: |
-  curb Gem for Ruby contains a flaw that is triggered when handling an empty
-  http_put body. This may allow a remote attacker to crash an application
-  linked against the library.
-patched_versions:
-  - ">= 0.7.8"

data/data/ruby-advisory-db/gems/curl/CVE-2013-2617.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: curl
-cve: 2013-2617
-osvdb: 91230
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-2617
-title: Curl Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-12
-description: Curl Gem for Ruby contains a flaw that is triggered during the
-  handling of specially crafted input passed via the URL.  This may allow
-  a context-dependent attacker to potentially execute arbitrary commands by
-  injecting them via a semi-colon (;).
-cvss_v2: 7.5
-patched_versions:

data/data/ruby-advisory-db/gems/datagrid/CVE-2019-14281.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: datagrid
-cve: 2019-14281
-ghsa: rqp5-pg7w-832p
-url: https://github.com/rubygems/rubygems.org/issues/2072
-date: 2019-07-31
-title: Code execution backdoor in datagrid
-description: |
-  The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included
-  a code-execution backdoor inserted by a third party.
-unaffected_versions:
-  - "< 1.0.6"
-  - "> 1.0.6"
-cvss_v3: 9.8

data/data/ruby-advisory-db/gems/delayed_job_web/CVE-2017-12097.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: delayed_job_web
-cve: 2017-12097
-url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0449
-date: 2018-01-10
-title: delayed_job_web ruby gem XSS vulnerability via `queues` parameter
-description: |
-  An exploitable cross site scripting (XSS) vulnerability exists in the
-  filter functionality of the delayed_job_web ruby gem. A specially crafted
-  URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary
-  javascript on the victim's browser. An attacker can phish an authenticated user
-  to trigger this vulnerability.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.4.2"

data/data/ruby-advisory-db/gems/devise/CVE-2013-0233.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: devise
-cve: 2013-0233
-osvdb: 89642
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-0233
-title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
-date: 2013-01-28
-description: |
-  Devise contains a flaw that is triggered during when a type conversion error
-  occurs during the parsing of a malformed request. With a specially crafted
-  request, a remote attacker can bypass security restrictions.
-cvss_v2: 6.8
-patched_versions:
-  - ~> 1.5.4
-  - ~> 2.0.5
-  - ~> 2.1.3
-  - ">= 2.2.3"

data/data/ruby-advisory-db/gems/devise/CVE-2015-8314.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: devise
-cve: 2015-8314
-url: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/
-title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie
-date: 2016-01-18
-description: |
-  Devise version before 3.5.4 uses cookies to implement a "Remember me"
-  functionality. However, it generates the same cookie for all devices. If an
-  attacker manages to steal a remember me cookie and the user does not change
-  the password frequently, the cookie can be used to gain access to the
-  application indefinitely.
-patched_versions:
-  - ">= 3.5.4"

data/data/ruby-advisory-db/gems/devise/CVE-2019-16109.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: devise
-cve: 2019-16109
-url: https://github.com/plataformatec/devise/issues/5071
-title: Devise Gem for Ruby confirmation token validation with a blank string
-date: 2019-09-08
-description: |
-  Devise before 4.7.1 confirms accounts upon receiving a request with a blank
-  confirmation_token, if a database record has a blank value in the confirmation_token column.
-  However, there is no scenario within Devise itself in which such database records would exist.
-patched_versions:
-  - ">= 4.7.1"

data/data/ruby-advisory-db/gems/devise/CVE-2019-5421.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: devise
-cve: 2019-5421
-url: https://github.com/plataformatec/devise/issues/4981
-title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable module
-date: 2019-02-07
-description: |
-  Devise ruby gem before 4.6.0 when the `lockable` module is used is vulnerable to a
-  time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts`
-  within the `Devise::Models::Lockable` class not being concurrency safe.
-patched_versions:
-  - ">= 4.6.0"
-cvss_v2: 7.5
-cvss_v3: 9.8

data/data/ruby-advisory-db/gems/devise/OSVDB-114435.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: devise
-osvdb: 114435
-url: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
-title: CSRF token fixation attacks in Devise
-date: 2013-08-02
-description: |
-  Devise contains a flaw that allows a remote, user-assisted attacker to
-  conduct a CSRF token fixation attack. This issue is triggered as previous
-  CSRF tokens are not properly invalidated when a new token is created.
-  If an attacker has knowledge of said token, a specially crafted request can
-  be made to it, allowing the attacker to conduct CSRF attacks.
-patched_versions:
-  - ~> 2.2.5
-  - ">= 3.0.1"

data/data/ruby-advisory-db/gems/devise-two-factor/CVE-2015-7225.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: devise-two-factor
-cve: 2015-7225
-url: http://www.openwall.com/lists/oss-security/2015/09/06/2
-title: |
-  devise-two-factor 1.1.0 and earlier vulnerable to replay attacks
-date: 2015-09-17
-description: |
-  A OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local
-  attackers to shoulder-surf a user's TOTP verification code and use it to
-  login after the user has authenticated.
-  By not "burning" a previously used TOTP, devise-two-factor allows a narrow
-  window of opportunity (aka the timestep period) where an attacker can re-use a
-  verification code.
-  Should an attacker possess a given user's authentication
-  credentials, this flaw effectively defeats two-factor authentication for the
-  duration of the timestep.
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/doge-coin/CVE-2019-15224.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: doge-coin
-cve: 2019-15224
-ghsa: 333g-rpr4-7hxq
-url: https://github.com/rubygems.org/issues/2097
-date: 2019-08-20
-title: Code execution backdoor in doge-coin
-description: |
-  The doge-coin gem 1.0.2 for Ruby, as distributed on RubyGems.org, included a code-execution
-  backdoor inserted by a third party.
-  Users of an affected version should consider downgrading to the last non-affected version of
-  1.0.1.
-unaffected_versions:
-  - "< 1.0.2"
-  - "> 1.0.2"
-related:
-  url:
-    - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2014-8144.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: doorkeeper
-cve: 2014-8144
-osvdb: 116010
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw
-title: |
-  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
-  and earlier.
-date: 2014-12-18
-description: |
-  Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
-  and earlier allows remote attackers to hijack the user's OAuth
-  autorization code. This vulnerability has been assigned the CVE
-  identifier CVE-2014-8144.
-  Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
-  on the Internet can then read a user's authorization code with
-  arbitrary scope from any Doorkeeper-compatible Rails app you are
-  logged in.
-cvss_v2: 6.8
-patched_versions:
-  - ~> 1.4.1
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2016-6582.yml DELETED Viewed

@@ -1,43 +0,0 @@
----
-gem: doorkeeper
-cve: 2016-6582
-date: 2016-08-18
-url: "http://www.openwall.com/lists/oss-security/2016/08/19/2"
-title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
-description: |
-  Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
-  following ways:
-  1. Public clients making valid, unauthenticated calls to revoke a token
-     would not have their token revoked
-  2. Requests were not properly authenticating the *client credentials* but
-     were, instead, looking at the access token in a second location
-  3. Because of 2, the requests were also not authorizing confidential
-     clients' ability to revoke a given token. It should only revoke tokens
-     that belong to it.
-  The security implication is: OAuth 2.0 clients who "log out" a user expect
-  to have the corresponding access & refresh tokens revoked, preventing an
-  attacker who may have already hijacked the session from continuing to
-  impersonate the victim. Because of the bug described above, this is not the
-  case. As far as OWASP is concerned, this counts as broken authentication
-  design.
-  MITRE has assigned CVE-2016-6582 due to the security issues raised. An
-  attacker, thanks to 1, can replay a hijacked session after a victim logs
-  out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
-  compromised confidential client could "grief" other clients by revoking
-  their tokens (albeit this is an exceptionally narrow attack with little
-  value).
-unaffected_versions:
-  - "< 1.2.0"
-patched_versions:
-  - ">= 4.2.0"
-related:
-  url:
-    - https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2018-1000088.yml DELETED Viewed

@@ -1,39 +0,0 @@
----
-gem: doorkeeper
-cve: 2018-1000088
-date: 2018-02-21
-url: "https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/"
-title: Doorkeeper gem has stored XSS on authorization consent view
-description: |
-  Stored XSS on the OAuth Client's name will cause users being prompted for
-  consent via the "implicit" grant type to execute the XSS payload.
-  The XSS attack could gain access to the user's active session, resulting in
-  account compromise.
-  Any user is susceptible if they click the authorization link for the
-  malicious OAuth client. Because of how the links work, a user cannot tell if
-  a link is malicious or not without first visiting the page with the XSS
-  payload.
-  If 3rd parties are allowed to create OAuth clients in the app using
-  Doorkeeper, upgrade to the patched versions immediately.
-  Additionally there is stored XSS in the native_redirect_uri form element.
-  DWF has assigned CVE-2018-1000088.
-cvss_v3: 7.6
-unaffected_versions:
-  - "< 2.1.0"
-patched_versions:
-  - ">= 4.2.6"
-related:
-  url:
-    - https://github.com/doorkeeper-gem/doorkeeper/issues/969
-    - https://github.com/doorkeeper-gem/doorkeeper/issues/970

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2018-1000211.yml DELETED Viewed

@@ -1,39 +0,0 @@
----
-gem: doorkeeper
-cve: 2018-1000211
-date: 2018-07-11
-url: "https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/"
-title: Doorkeeper gem does not revoke token for public clients
-description: |
-  Any OAuth application that uses public/non-confidential authentication when
-  interacting with Doorkeeper is unable to revoke its tokens when calling the
-  revocation endpoint.
-  A bug in the token revocation API would cause it to attempt to authenticate
-  the public OAuth client as if it was a confidential app. Because of this, the
-  token is never revoked.
-  The impact of this is the access or refresh token is not revoked, leaking
-  access to protected resources for the remainder of that token's lifetime.
-  If Doorkeeper is used to facilitate public OAuth apps and leverage token
-  revocation functionality, upgrade to the patched versions immediately.
-  Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes.
-  DWF has assigned CVE-2018-1000211.
-unaffected_versions:
-  - "< 4.2.0"
-patched_versions:
-  - ">= 4.4.0"
-  - ">= 5.0.0.rc2"
-related:
-  url:
-    - https://github.com/doorkeeper-gem/doorkeeper/issues/891
-    - https://github.com/doorkeeper-gem/doorkeeper/pull/1119
-    - https://github.com/doorkeeper-gem/doorkeeper/pull/1120

data/data/ruby-advisory-db/gems/doorkeeper/CVE-2020-10187.yml DELETED Viewed

@@ -1,34 +0,0 @@
----
-gem: doorkeeper
-ghsa: j7vx-8mqj-cqp9
-cve: 2020-10187
-date: 2020-05-02
-url: https://github.com/doorkeeper-gem/doorkeeper/security/advisories/GHSA-j7vx-8mqj-cqp9
-title: Doorkeeper application secret information disclosure vulnerability
-description: |
-  Information disclosure vulnerability. Allows an attacker to see all
-  Doorkeeper::Application model attribute values (including secrets) after
-  authorizing an application to their user.
-  An application is vulnerable if the authorized applications controller is
-  enabled (GET /oauth/authorized_applications.json).
-  Recommended additional hardening for >= 5.1 is to enable application secrets
-  hashing. This would render the exposed secret useless.
-unaffected_versions:
-  - "< 5.0.0"
-patched_versions:
-  - "~> 5.0.3"
-  - "~> 5.1.1"
-  - "~> 5.2.5"
-  - ">= 5.3.2"
-cvss_v2: 5.5
-cvss_v3: 5.4
-related:
-  url:
-    - https://github.com/doorkeeper-gem/doorkeeper/commit/25d038022c2fcad45af5b73f9d003cf38ff491f6

data/data/ruby-advisory-db/gems/doorkeeper/OSVDB-118830.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: doorkeeper
-osvdb: 118830
-url: http://www.osvdb.org/show/osvdb/118830
-title: |
-  Doorkeeper Gem for Ruby stores sensitive information
-  in production logs
-date: 2015-02-10
-description: |
-  Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb.
-  The issue is due to the program storing sensitive information in
-  production logs. This may allow a local attacker to gain access to
-  sensitive information.
-cvss_v2:
-patched_versions:
-  - "~> 1.4.2"
-  - ">= 2.1.2"

data/data/ruby-advisory-db/gems/doorkeeper-openid_connect/CVE-2019-9837.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: doorkeeper-openid_connect
-cve: 2019-9837
-date: 2019-03-25
-url: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md#v154-2019-02-15
-title: Doorkeeper::OpenidConnect Open Redirect
-description: Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper)
-  1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in
-  an OAuth authorization request (that results in an error response) with the 'openid'
-  scope and a prompt=none value. This allows phishing attacks against the authorization
-  flow.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 1.5.4"
-unaffected_versions:
-  - "< 1.4.0"