RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.0.1 - Mend

bundler-audit 0.7.0.1 → 0.9.0.1

Files changed (612) hide show

data/data/ruby-advisory-db/gems/rdoc/CVE-2013-0256.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: rdoc
-cve: 2013-0256
-osvdb: 90004
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-0256
-title: RDoc 2.3.0 through 3.12 XSS Exploit
-date: 2013-02-06
-description: |
-  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
-  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
-  may lead to cookie disclosure to third parties.
-  The exploit exists in darkfish.js which is copied from the RDoc install
-  location to the generated documentation.
-  RDoc is a static documentation generation tool. Patching the library itself
-  is insufficient to correct this exploit.
-  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.9.5
-  - ~> 3.12.1
-  - ">= 4.0"

data/data/ruby-advisory-db/gems/recurly/CVE-2017-0905.yml DELETED Viewed

@@ -1,35 +0,0 @@
----
-gem: recurly
-cve: 2017-0905
-url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0905
-date: 2017-11-09
-title: SSRF vulnerability in Recurly gem's Resource#find.
-description: |
-  If you are using the #find method on any of the classes that are derived from
-  the Resource class and you are passing user input into that method, a
-  malicious user can force the http client to reach out to a server under their
-  control. This can lead to leakage of your private API key.
-  Because of the severity of impact, we are recommending that all users upgrade
-  to a patched version. We have provided a non-breaking patch for every 2.X
-  version of the client.
-patched_versions:
-  - ~> 2.0.13
-  - ~> 2.1.11
-  - ~> 2.2.5
-  - ~> 2.3.10
-  - ~> 2.4.11
-  - ~> 2.5.3
-  - ~> 2.6.3
-  - ~> 2.7.8
-  - ~> 2.8.2
-  - ~> 2.9.2
-  - ~> 2.10.4
-  - ~> 2.11.3
-  - ">= 2.12.0"
-related:
-  url:
-    - https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be

data/data/ruby-advisory-db/gems/redcarpet/CVE-2015-5147.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: redcarpet
-cve: 2015-5147
-osvdb: 123859
-url: http://seclists.org/oss-sec/2015/q2/818
-title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow
-date: 2015-06-22
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a stack overflow.
-  This flaw exists because the header_anchor() function in html.c uses
-  variable length arrays (VLA) without any range checking. This may
-  allow a remote attacker to execute arbitrary code.
-cvss_v2: 7.5
-unaffected_versions:
-  - "< 3.3.0"
-patched_versions:
-  - ">= 3.3.2"

data/data/ruby-advisory-db/gems/redcarpet/OSVDB-120415.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: redcarpet
-osvdb: 120415
-url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
-title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
-date: 2015-04-07
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
-  (XSS) attack. This flaw exists because the parse_inline() function in
-  markdown.c does not validate input before returning it to users. This may
-  allow a remote attacker to create a specially crafted request that would
-  execute arbitrary script code in a user's browser session within the trust
-  relationship between their browser and the server.
-cvss_v2:
-patched_versions:
-  - ">= 3.2.3"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: redis-namespace
-osvdb: 96425
-url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
-title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
-date: 2013-08-03
-description: |
-  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
-  The issue is triggered when handling exec commands called via send(). This may allow a
-  remote attacker to execute arbitrary commands.
-patched_versions:
-  - ">= 1.3.1"
-  - "~> 1.2.2"
-  - "~> 1.1.1"
-  - "~> 1.0.4"

data/data/ruby-advisory-db/gems/redis-store/CVE-2017-1000248.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: redis-store
-cve: 2017-1000248
-url: https://github.com/redis-store/redis-store/commit/ce13252c26fcc40ed4935c9abfeb0ee0761e5704
-date: 2017-11-16
-title: Unsafe objects can be loaded from Redis
-description: |
-  Redis-store <=v1.3.0 allows unsafe objects to be loaded from Redis via the
-  use of the Marshal serializer.
-patched_versions:
-  - ">= 1.4.0"
-related:
-  url:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000248

data/data/ruby-advisory-db/gems/refile/OSVDB-120857.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: refile
-osvdb: 120857
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/VIfMO2LvzNs
-title: refile Gem for Ruby contains a remote code execution vulnerability
-date: 2015-04-15
-description: |
-  refile Gem for Ruby contains a flaw that is triggered when input is not
-  sanitized when handling the 'remote_image_url' field in a form, where
-  'image' is the name of the attachment. This may allow a remote attacker
-  to execute arbitrary shell commands.
-cvss_v2:
-unaffected_versions:
-  - "< 0.5.0"
-patched_versions:
-  - '>= 0.5.4'

data/data/ruby-advisory-db/gems/rest-client/CVE-2015-1820.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: rest-client
-cve: 2015-1820
-osvdb: 119878
-url: https://github.com/rest-client/rest-client/issues/369
-title: 'rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses'
-date: 2015-03-24
-description: |
-  rest-client in abstract_response.rb improperly handles Set-Cookie headers on
-  HTTP 30x redirection responses. Any cookies will be forwarded to the
-  redirection target regardless of domain, path, or expiration.
-  If you control a redirection source, you can cause rest-client to perform a
-  request to any third-party domain with cookies of your choosing, which may be
-  useful in performing a session fixation attack.
-  If you control a redirection target, you can steal any cookies set by the
-  third-party redirection request.
-cvss_v2:
-unaffected_versions:
-  - "<= 1.6.0"
-patched_versions:
-  - ">= 1.8.0"

data/data/ruby-advisory-db/gems/rest-client/CVE-2015-3448.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: rest-client
-cve: 2015-3448
-url: https://github.com/rest-client/rest-client/issues/349
-date: 2015-04-29
-title: rest-client ruby gem logs sensitive information
-description: |
-  REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and
-  passwords, which allows local users to obtain sensitive information by reading the
-  log.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 1.7.3"

data/data/ruby-advisory-db/gems/rest-client/CVE-2019-15224.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: rest-client
-cve: 2019-15224
-url: https://github.com/rest-client/rest-client/issues/713
-date: 2019-08-19
-title: Code execution backdoor in rest-client
-description: |
-  The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org,
-  included a code-execution backdoor inserted by a third party.
-unaffected_versions:
-  - "<= 1.6.9"
-  - ">= 1.6.14"

data/data/ruby-advisory-db/gems/restforce/CVE-2018-3777.yml DELETED Viewed

@@ -1,36 +0,0 @@
----
-gem: restforce
-cve: 2018-3777
-date: 2018-07-27
-url: https://github.com/restforce/restforce/pull/392
-title: Insufficient URI encoding in restforce
-description: |
-  A flaw in how restforce constructs URL's may allow an attacker to inject
-  additional parameters into Salesforce API requests.
-  Impact
-  ------
-  This flaw is only exploitable in applications that pass user input directly
-  to restforce's select, find, describe, update, upsert, and destroy methods.
-  Vulnerable code might look like:
-  ```ruby
-  client.select('SomeSalesForceObject', params[:some-id],
-     ...)
-  ```
-  In such an application, attackers could pass `0016000000MRatd/describe`
-  as a request parameter, causing the server to make a request to a different
-  endpoint than the server is designed to handle. Since the Salesforce REST
-  API supports overriding HTTP methods via a request parameter, an attacker
-  could also cause the client's `select()` method to modify data, by passing
-  `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`.
-  Workarounds
-  ------
-  If possible, applications should track salesforce IDs internally, rather than
-  passing user-supplied IDs to salesforce. Such practice mitigates this
-  vulnerability, and in general is desirable for ensuring strong access control.
-patched_versions:
-- ">= 3.0.0"

data/data/ruby-advisory-db/gems/rexical/CVE-2019-5477.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rexical
-cve: 2019-5477
-date: 2019-08-11
-url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926
-title: Rexical Command Injection Vulnerability
-description: |
-  A command injection vulnerability appears in code generated by the Rexical
-  gem versions v1.0.6 and earlier. It allows commands to be executed in a
-  subprocess by Ruby's `Kernel.open` method.
-patched_versions:
-  - ">= 1.0.7"
-cvss_v2: 7.5
-cvss_v3: 9.8
-related:
-  url:
-    - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06
-    - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ

data/data/ruby-advisory-db/gems/rgpg/CVE-2013-4203.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: rgpg
-cve: 2013-4203
-osvdb: 95948
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-4203
-title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
-date: 2013-08-02
-description: |
-  rgpg Gem for Ruby contains a flaw in the GpgHelper module
-  (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
-  sanitize user-supplied input before being used in the system() function for
-  execution. This may allow a remote attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.2.3"

data/data/ruby-advisory-db/gems/rubocop/CVE-2017-8418.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rubocop
-cve: 2017-8418
-url: https://github.com/bbatsov/rubocop/issues/4336
-date: 2017-05-01
-title: |
-  RuboCop: insecure use of /tmp
-description: |
-  RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local
-  users to exploit this to tamper with cache files belonging to other users.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 0.49.0"
-related:
-  url:
-    - http://www.openwall.com/lists/oss-security/2017/05/01/14

data/data/ruby-advisory-db/gems/ruby-openid/CVE-2019-11027.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: ruby-openid
-cve: 2019-11027
-ghsa: fqfj-cmh6-hj49
-url: https://github.com/openid/ruby-openid/issues/122
-date: 2019-06-13
-title: ruby-openid SSRF via claimed_id request
-description: |
-  Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable
-  flaw. This library is used by Rails web applications to integrate with OpenID Providers.
-  Severity can range from medium to critical, depending on how a web application developer
-  chose to employ the ruby-openid library. Developers who based their OpenID integration
-  heavily on the "example app" provided by the project are at highest risk.
-cvss_v3: 9.8
-patched_versions:
-- ">= 2.9.0"

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2016-5697.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: ruby-saml
-cve: 2016-5697
-url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995
-title: XML signature wrapping attack
-date: 2016-06-24
-description: |
-  ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack
-  in the specific scenario where there was a signature that referenced at the same time
-  2 elements (but past the scheme validator process since 1 of the element was inside
-  the encrypted assertion).
-  ruby-saml users must update to 1.3.0, which implements 3 extra validations to
-  mitigate this kind of attack.
-cvss_v2: 5.0
-cvss_v3: 7.5
-patched_versions:
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/ruby-saml/CVE-2017-11428.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: ruby-saml
-cve: 2017-11428
-url: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f
-title: Authentication bypass via incorrect XML canonicalization and DOM traversal
-date: 2018-02-27
-description: |
-  ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect
-  XML canonicalization and DOM traversal. Specifically, there are inconsistencies in
-  handling of comments within XML nodes, resulting in incorrect parsing of the inner text
-  of XML nodes such that any inner text after the comment is lost prior to
-  cryptographically signing the SAML message. Text after the comment therefore has no
-  impact on the signature on the SAML message.
-  A remote attacker can modify SAML content for a SAML service provider without
-  invalidating the cryptographic signature, which may allow attackers to bypass
-  primary authentication for the affected SAML service provider.
-cvss_v2: 6.3
-patched_versions:
-  - ">= 1.7.0"
-related:
-  url:
-    - https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
-    - https://www.kb.cert.org/vuls/id/475445

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-117903.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: ruby-saml
-osvdb: 117903
-url: http://www.osvdb.org/show/osvdb/117903
-title: Ruby-Saml Gem is vulnerable to arbitrary code execution
-date: 2015-02-03
-description: |
-  ruby-saml contains a flaw that is triggered as the URI value of a SAML response is
-  not properly sanitized through a prepared statement. This may allow a remote
-  attacker to execute arbitrary shell commands on the host machine.
-cvss_v2:
-patched_versions:
-  - ">= 0.8.2"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124383.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: ruby-saml
-osvdb: 124383
-url: https://github.com/onelogin/ruby-saml/pull/247
-title: Ruby-Saml Gem is vulnerable to entity expansion attacks
-date: 2015-06-30
-description: |
-  ruby-saml before 1.0.0 is vulnerable to entity expansion attacks.
-cvss_v2: 3.9
-patched_versions:
-  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby-saml/OSVDB-124991.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: ruby-saml
-osvdb: 124991
-url: https://github.com/onelogin/ruby-saml/pull/225
-title: Ruby-Saml Gem is vulnerable to XPath Injection
-date: 2015-04-29
-description: |
-  ruby-saml before 1.0.0 is vulnerable to XPath injection on xml_security.rb. The
-  lack of prepared statements allows for possibly command injection, leading to
-  arbitrary code execution
-cvss_v2: 6.7
-patched_versions:
-  - ">= 1.0.0"

data/data/ruby-advisory-db/gems/ruby_parser/CVE-2013-0162.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: ruby_parser
-cve: 2013-0162
-osvdb: 90561
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-0162
-title: RubyGems ruby_parser (RP) Temporary File Symlink Arbitrary File Overwrite
-date: 2013-02-21
-description: RubyGems ruby_parser (RP) contains a flaw as rubygem-ruby_parser creates temporary files insecurely. It is possible for a local attacker to use a symlink attack to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2: 2.1
-patched_versions:
-  - ">= 3.1.2"

data/data/ruby-advisory-db/gems/ruby_parser-legacy/CVE-2019-18409.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: ruby_parser-legacy
-cve: 2019-18409
-date: 2019-10-24
-url: https://github.com/zenspider/ruby_parser-legacy/issues/1
-title: ruby_parser-legacy world writable files allow local privilege escalation
-description: |
-  The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local
-  privilege escalation because of world-writable files. For example,
-  if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used,
-  a local user can insert malicious code into the
-  ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file.
-cvss_v2: 4.6
-cvss_v3: 7.8

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2007-0469.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2007-0469
-osvdb: 33561
-url: https://nvd.nist.gov/vuln/detail/CVE-2007-0469
-title: |
-  RubyGems installer.rb extract_files Function Crafted GEM Package Arbitrary
-  File Overwrite
-date: 2007-01-22
-description: |
-  The extract_files function in installer.rb in RubyGems before 0.9.1 does not
-  check whether files exist before overwriting them, which allows user-assisted
-  remote attackers to overwrite arbitrary files, cause a denial of service, or
-  execute arbitrary code via crafted GEM packages.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 0.9.1"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2012-2125.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2012-2125
-osvdb: 85809
-url: https://nvd.nist.gov/vuln/detail/CVE-2012-2125
-title: |
-  RubyGems HTTPS to HTTP Redirection MitM Downloaded Installation File
-  Manipulation
-date: 2012-09-25
-description: |
-  RubyGems contains a flaw that is triggered by the gem fetcher allowing for
-  redirection of HTTPS to HTTP. This may allow a remote attacker to conduct a
-  man-in-the-middle attack to alter downloaded gem installation files.
-cvss_v2: 5.8
-patched_versions:
-  - ">= 1.8.23"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2012-2126.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2012-2126
-osvdb: 81444
-url: https://nvd.nist.gov/vuln/detail/CVE-2012-2126
-title: RubyGems SSL Certificate Validation MitM Spoofing Weakness
-date: 2012-04-20
-description: |
-  RubyGems contains a flaw related to the validation of SSL certificates when
-  accessing certain services and APIs. This may allow a man-in-the-middle
-  attacker to spoof a valid server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 1.8.23"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2013-4287.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2013-4287
-osvdb: 97163
-url: http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html
-title: RubyGems Multiple API Call Version Validation CPU Consumption DoS
-date: 2013-09-09
-description: |
-  RubyGems contains a flaw that may allow a denial of service. The issue is
-  triggered when handling the gem build, Gem::Package, or Gem::PackageTask API
-  calls, which attempt to validate the version of the program. This may allow a
-  context-dependent attacker to cause a consumption of CPU resources and crash
-  the program.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 1.8.23.1
-  - ~> 1.8.26
-  - ~> 2.0.8
-  - ">= 2.1.0"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2013-4363.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2013-4363
-osvdb: 97163
-url: http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html
-title: RubyGems Multiple API Call Version Validation CPU Consumption DoS
-date: 2013-09-24
-description: |
-  RubyGems contains a flaw that may allow a denial of service. The issue is
-  triggered when handling the gem build, Gem::Package, or Gem::PackageTask API
-  calls, which attempt to validate the version of the program. This may allow a
-  context-dependent attacker to cause a consumption of CPU resources and crash
-  the program. This vulnerability is due to an incomplete fix for
-  CVE-2013-4287, which allowed a denial of service via improper validation.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 1.8.23.2
-  - ~> 1.8.27
-  - ~> 2.0.10
-  - ">= 2.1.5"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2015-3900.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2015-3900
-osvdb: 122162
-url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
-title: |
-  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
-  Hostname Validation Request Hijacking
-date: 2015-05-14
-description: |
-  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
-  that is triggered when handling hostnames in SRV records. With a specially
-  crafted response, a context-dependent attacker may conduct DNS hijacking
-  attacks.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.16
-  - ~> 2.2.4
-  - ">= 2.4.7"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2015-4020.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2015-4020
-url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
-title: |
-  RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record
-  Hostname Validation Request Hijacking
-date: 2015-06-08
-description: |
-  RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
-  that is triggered when handling hostnames in SRV records. With a specially
-  crafted response, a context-dependent attacker may conduct DNS hijacking
-  attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,
-  which allowed redirection to an arbitrary gem server in any security domain.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.17
-  - ~> 2.2.5
-  - ">= 2.4.8"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0899.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2017-0899
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
-title: RubyGems ANSI escape sequence vulnerability
-date: 2017-08-29
-description: |
-  RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem
-  specifications that include terminal escape characters. Printing the gem
-  specification would execute terminal escape sequences.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 2.4.5.3"
-  - ">= 2.5.2.1"
-  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0900.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2017-0900
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
-title: RubyGems DoS vulnerability in the query command
-date: 2017-08-29
-description: |
-  RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem
-  specifications to cause a denial of service attack against RubyGems clients
-  who have issued a `query` command.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 2.4.5.3"
-  - ">= 2.5.2.1"
-  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0901.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2017-0901
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
-title: RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
-date: 2017-08-29
-description: |
-  RubyGems version 2.6.12 and earlier fails to validate specification names,
-  allowing a maliciously crafted gem to potentially overwrite any file on the
-  filesystem.
-cvss_v2: 6.4
-patched_versions:
-  - ">= 2.4.5.3"
-  - ">= 2.5.2.1"
-  - ">= 2.6.13"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0902.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2017-0902
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
-title: RubyGems DNS request hijacking vulnerability
-date: 2017-08-29
-description: |
-  RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking
-  vulnerability that allows a MITM attacker to force the RubyGems client to
-  down load and install gems from a server that the attacker controls.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 2.4.5.3"
-  - ">= 2.5.2.1"
-  - ">= 2.6.13"