RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.0.1 - Mend

bundler-audit 0.7.0.1 → 0.9.0.1

Files changed (612) hide show

data/data/ruby-advisory-db/gems/spree/OSVDB-119205.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: spree
-osvdb: 119205
-url: https://spreecommerce.com/blog/security-updates-2015-3-3
-title: Spree API Information Disclosure CSRF
-date: 2015-03-05
-description: |
-  Spree contains a flaw in the API as HTTP requests do not require multiple
-  steps, explicit confirmation, or a unique token when performing certain
-  sensitive actions. By tricking a user into following a specially crafted
-  link, a context-dependent attacker can perform a Cross-Site Request Forgery
-  (CSRF / XSRF) attack causing the victim to disclose potentially sensitive
-  information to attackers.
-patched_versions:
-  - ~> 2.2.10
-  - ~> 2.3.8
-  - ~> 2.4.5
-  - ">= 3.0.0.rc4"

data/data/ruby-advisory-db/gems/spree/OSVDB-125699.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: spree
-osvdb: 125699
-url: https://spreecommerce.com/blog/security-updates-2015-7-28
-title: |
-  Spree RABL templates rendering allows Arbitrary Code Execution and File
-  Disclosure
-date: 2015-07-28
-description: |
-  Spree contains a flaw where the rendering of arbitrary RABL templates allows
-  for execution arbitrary files on the host system, as well as disclosing the
-  existence of files on the system. This is a different issue than
-  OSVDB-125701.
-patched_versions:
-  - ~> 2.2.13
-  - ~> 2.3.12
-  - ~> 2.4.9
-  - ">= 3.0.3"

data/data/ruby-advisory-db/gems/spree/OSVDB-125701.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-osvdb: 125701
-url: https://spreecommerce.com/blog/security-updates-2015-7-20
-title: |
-  Spree RABL templates rendering allows Arbitrary Code Execution and File
-  Disclosure
-date: 2015-07-20
-description: |
-  Spree contains a flaw where the rendering of arbitrary RABL templates allows
-  for execution arbitrary files on the host system, as well as disclosing the
-  existence of files on the system.
-patched_versions:
-  - ~> 2.2.12
-  - ~> 2.3.11
-  - ~> 2.4.8
-  - ">= 3.0.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125712.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spree
-osvdb: 125712
-url: https://spreecommerce.com/blog/security-issue-all-versions
-title: |
-  Product Scopes could allow for unauthenticated remote command execution
-date: 2012-07-02
-description: |
-  Product Scopes could allow for unauthenticated remote command execution.
-  This was corrected by removing conditions_any scope and use ARel query
-  building instead.
-patched_versions:
-  - ~> 0.11.4
-  - ~> 0.70.6
-  - ~> 1.0.5
-  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-125713.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: spree
-osvdb: 125713
-url: https://spreecommerce.com/blog/security-issue-all-versions
-title: |
-  Potential XSS vulnerability related to the analytics dashboard
-date: 2012-07-02
-description: |
-  Spree has a flaw in its analytics dashboard where keywords are not escaped,
-  leading to potential XSS.
-patched_versions:
-  - ~> 0.11.4
-  - ~> 0.70.6
-  - ~> 1.0.5
-  - ">= 1.1.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-69098.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: spree
-cve: 2010-3978
-osvdb: 69098
-url: https://spreecommerce.com/blog/json-hijacking-vulnerability
-title: |
-  Spree Multiple Script JSON Request Validation Weakness Remote Information
-  Disclosure
-date: 2010-11-02
-description: |
-  Spree contains a flaw that may lead to an unauthorized information
-  disclosure. The issue is triggered when the application exchanges data using
-  the JSON service without validating requests, which will disclose sensitive
-  user and order information to a context-dependent attacker when a logged-in
-  user visits a crafted website.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 0.11.2
-  - ">= 0.30.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-73751.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: spree
-osvdb: 73751
-url: https://spreecommerce.com/blog/security-fixes
-title: Spree Content Controller Unspecified Arbitrary File Disclosure
-date: 2011-04-19
-description: |
-  Spree Gem for Ruby would allow a user to request a specially crafted URL and
-  expose arbitrary files on the server
-patched_versions:
-  - ">= 0.50.1"

data/data/ruby-advisory-db/gems/spree/OSVDB-76011.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: spree
-osvdb: 76011
-url: https://spreecommerce.com/blog/remote-command-product-group
-title: |
-  Spree Search ProductScope Class search[send][] Parameter Arbitrary Command
-  Execution
-date: 2011-10-05
-description: |
-  The ProductScope class fails to properly sanitize user-supplied input via the
-  'search[send][]' parameter resulting in arbitrary command execution. With a
-  specially crafted request, a remote attacker can potentially cause arbitrary
-  command execution.
-patched_versions:
-  - ">= 0.60.2"

data/data/ruby-advisory-db/gems/spree/OSVDB-81505.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: spree
-cve: 2008-7310
-osvdb: 81505
-url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment
-title: |
-  Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation
-date: 2008-09-22
-description: |
-  Spree contains a hash restriction weakness that occurs when parsing a
-  modified URL. This may allow an attacker to manipulate order state values.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-81506.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spree
-cve: 2008-7311
-osvdb: 81506
-url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store
-title: |
-  Spree Hardcoded config.action_controller_session Hash Value Cryptographic
-  Protection Weakness
-date: 2008-08-12
-description: |
-  Spree contains a hardcoded flaw related to the
-  config.action_controller_session hash value. This may allow an attacker to
-  more easily bypass cryptographic protection.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-90865.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: spree
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.0
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91216.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91216
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotion_actions_controller.rb promotion_action Parameter Arbitrary
-  Ruby Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'promotion_action' parameter to promotion_actions_controller.rb. This may
-  allow a remote authenticated attacker to instantiate arbitrary Ruby objects
-  and potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91217.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91217
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree payment_methods_controller.rb payment_method Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'payment_method' parameter to payment_methods_controller.rb. This may allow
-  a remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91218.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91218
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotions_controller.rb calculator_type Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'calculator_type' parameter to promotions_controller.rb. This may allow a
-  remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree/OSVDB-91219.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: spree
-cve: 2013-1656
-osvdb: 91219
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree promotion_rules_controller.rb promotion_rule Parameter Arbitrary Ruby
-  Object Instantiation Command Execution
-date: 2013-02-21
-description: |
-  Spree contains a flaw that is triggered when handling input passed via the
-  'promotion_rule' parameter to promotion_rules_controller.rb. This may allow
-  a remote authenticated attacker to instantiate arbitrary Ruby objects and
-  potentially execute arbitrary commands.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 2.0.0"

data/data/ruby-advisory-db/gems/spree_auth/OSVDB-90865.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spree_auth
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0

data/data/ruby-advisory-db/gems/spree_auth_devise/OSVDB-90865.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: spree_auth_devise
-cve: 2013-2506
-osvdb: 90865
-url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed
-title: |
-  Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege
-  Escalation
-date: 2013-02-21
-description: |
-  Spree contains a flaw that leads to unauthorized privileges being gained. The
-  issue is triggered as certain input related to mass role assignment in
-  app/models/spree/user.rb is not properly verified before being used to update
-  a user. This may allow a remote attacker to assign arbitrary roles and gain
-  elevated administrative privileges.
-cvss_v2: 4.0
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.0
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/sprockets/CVE-2014-7819.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: sprockets
-cve: 2014-7819
-osvdb: 113965
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
-title: Arbitrary file existence disclosure in Sprockets
-date: 2014-10-30
-description: |
-  Specially crafted requests can be used to determine whether a file exists on
-  the filesystem that is outside an application's root directory.  The files
-  will not be served, but attackers can determine whether or not the file
-  exists.
-cvss_v2: 5.0
-patched_versions:
-  - ~> 2.0.5
-  - ~> 2.1.4
-  - ~> 2.2.3
-  - ~> 2.3.3
-  - ~> 2.4.6
-  - ~> 2.5.1
-  - ~> 2.7.1
-  - ~> 2.8.3
-  - ~> 2.9.4
-  - ~> 2.10.2
-  - ~> 2.11.3
-  - ~> 2.12.3
-  - ">= 3.0.0.beta.3"

data/data/ruby-advisory-db/gems/sprockets/CVE-2018-3760.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: sprockets
-cve: 2018-3760
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
-title: Path Traversal in Sprockets
-date: 2018-06-19
-description: |
-  Specially crafted requests can be used to access files that exist on
-  the filesystem that is outside an application's root directory, when the
-  Sprockets server is used in production.
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  Workaround:
-  In Rails applications, work around this issue, set `config.assets.compile = false` and
-  `config.public_file_server.enabled = true` in an initializer and precompile the assets.
-   This work around will not be possible in all hosting environments and upgrading is advised.
-patched_versions:
-  - ">= 2.12.5, < 3.0.0"
-  - ">= 3.7.2, < 4.0.0"
-  - ">= 4.0.0.beta8"

data/data/ruby-advisory-db/gems/sprout/CVE-2013-6421.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: sprout
-cve: 2013-6421
-osvdb: 100598
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-6421
-title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter Arbitrary Code Execution
-date: 2013-12-02
-description: |
-  sprout Gem for Ruby contains a flaw in the unpack_zip() function in
-  archive_unpacker.rb. The issue is due to the program failing to properly
-  sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output'
-  parameters. This may allow a context-dependent attacker to execute arbitrary
-  code.
-cvss_v2: 7.5
-unaffected_versions:
-  - '< 0.7.246'

data/data/ruby-advisory-db/gems/strong_password/CVE-2019-13354.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: strong_password
-cve: 2019-13354
-url: https://withatwist.dev/strong-password-rubygem-hijacked.html
-title: strong_password Ruby gem malicious version causing Remote Code Execution vulnerability
-date: 2019-07-05
-description: |
-  The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The
-  malicious actor published v0.0.7 containing malicious code that enables an attacker
-  to execute remote code in production.
-  Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible.
-patched_versions:
-  - ">= 0.0.8"
-unaffected_versions:
-  - "!= 0.0.7"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4478.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sup
-cve: 2013-4478
-osvdb: 99074
-url: http://www.phenoelit.org/stuff/whatsup.txt
-title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
-date: 2013-10-29
-description: Sup MUA contains a flaw that is triggered when handling email
-  attachment content. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 6.8
-patched_versions:
-  - "~> 0.13.2.1"
-  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/sup/CVE-2013-4479.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sup
-cve: 2013-4479
-osvdb: 99074
-url: http://www.phenoelit.org/stuff/whatsup.txt
-title:  Sup MUA Email Attachment Content Type Handling Arbitrary Command Execution
-date: 2013-10-29
-description: Sup MUA contains a flaw that is triggered when handling email
-  attachment content. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 6.8
-patched_versions:
-  - "~> 0.13.2.1"
-  - ">= 0.14.1.1"

data/data/ruby-advisory-db/gems/thumbshooter/CVE-2013-1898.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: thumbshooter
-cve: 2013-1898
-osvdb: 91839
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-1898
-title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-03-26
-description: Thumbshooter Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted URL that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/twitter-bootstrap-rails/OSVDB-109206.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: twitter-bootstrap-rails
-framework: rails
-cve: 2014-4920
-osvdb: 109206
-url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter
-title: Reflective XSS Vulnerability in twitter-bootstrap-rails
-date: 2014-03-25
-description: |
-  The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a
-  reflected cross-site scripting (XSS) attack. This flaw exists because the
-  bootstrap_flash helper method does not validate input when handling flash
-  messages before returning it to users. This may allow a context-dependent
-  attacker to create a specially crafted request that would execute arbitrary
-  script code in a user's browser session within the trust relationship between
-  their browser and the server.
-cvss_v2:
-patched_versions:
-  - ">= 3.2.0"

data/data/ruby-advisory-db/gems/uglifier/OSVDB-126747.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: uglifier
-osvdb: 126747
-url: https://github.com/mishoo/UglifyJS2/issues/751
-title: uglifier incorrectly handles non-boolean comparisons during minification
-date: 2015-07-21
-description: |
-  The upstream library for the Ruby uglifier gem, UglifyJS, is
-  affected by a vulnerability that allows a specially crafted
-  Javascript file to have altered functionality after minification.
-  This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated
-  to allow potentially malicious code to be hidden within secure code,
-  and activated by the minification process.
-  For more information, consult: https://zyan.scripts.mit.edu/blog/backdooring-js/
-patched_versions:
-  - ">= 2.7.2"

data/data/ruby-advisory-db/gems/user_agent_parser/CVE-2020-5243.yml DELETED Viewed

@@ -1,28 +0,0 @@
----
-gem: user_agent_parser
-cve: 2020-5243
-ghsa: pcqq-5962-hvcw
-url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
-date: 2020-03-10
-title: Denial of Service in uap-core when processing crafted User-Agent strings
-description: |-
-  ### Impact
-  Some regexes are vulnerable to regular expression denial of service (REDoS) due to
-  overlapping capture groups. This allows remote attackers to overload a server by
-  setting the User-Agent header in an HTTP(S) request to maliciously crafted long
-  strings.
-  ### Patches
-  Please update `uap-ruby` to &gt;= v2.6.0
-  ### For more information
-  https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
-cvss_v3: 5.7
-patched_versions:
-  - ">= 2.6.0"
-related:
-  ghsa:
-    - cmcx-xhr8-3w9p

data/data/ruby-advisory-db/gems/web-console/CVE-2015-3224.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: web-console
-cve: 2015-3224
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
-title: |
-  IP whitelist bypass in Web Console
-date: 2015-06-16
-description: |
-  Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).
-  Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.
-  All affected users should either upgrade or use one of the work arounds immediately.
-  To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
-patched_versions:
-  - ">= 2.1.3"

data/data/ruby-advisory-db/gems/web-console/OSVDB-112346.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: web-console
-osvdb: 112346
-url: http://www.osvdb.org/show/osvdb/112346
-title: Web Console Gem for Ruby contains an unspecified flaw
-date: 2014-09-29
-description: The Web Console Gem for Ruby on Rails contains an unspecified flaw that
-  may allow an attacker to have an unspecified impact. No further details have been
-  provided by the vendor.
-cvss_v2:
-patched_versions:
-  - ">= 2.0.0.beta4"

data/data/ruby-advisory-db/gems/webbynode/CVE-2013-7086.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: webbynode
-cve: 2013-7086
-osvdb: 100920
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-7086
-title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command Execution
-date: 2013-12-12
-description: |
-  Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
-  when handling a specially crafted growlnotify message. This may allow a
-  context-dependent attacker to execute arbitrary commands.
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/websocket-extensions/CVE-2020-7663.yml DELETED Viewed

@@ -1,35 +0,0 @@
----
-gem: websocket-extensions
-cve: 2020-7663
-ghsa: g6wq-qcwm-j5g2
-url: https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2
-date: 2020-06-05
-title: Regular Expression Denial of Service in websocket-extensions (RubyGem)
-description: |-
-  ### Impact
-  The ReDoS flaw allows an attacker to exhaust the server's capacity to process
-  incoming requests by sending a WebSocket handshake request containing a header
-  of the following form:
-      Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
-  That is, a header containing an unclosed string parameter value whose content is
-  a repeating two-byte sequence of a backslash and some other character. The
-  parser takes exponential time to reject this header as invalid, and this will
-  block the processing of any other work on the same thread. Thus if you are
-  running a single-threaded server, such a request can render your service
-  completely unavailable.
-  ### Workarounds
-  There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.
-cvss_v3: 7.5
-patched_versions:
-  - ">= 0.1.5"
-related:
-  url:
-    - https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

data/data/ruby-advisory-db/gems/wicked/CVE-2013-4413.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: wicked
-cve: 2013-4413
-osvdb: 98270
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-4413
-title: Wicked Gem for Ruby contains a flaw
-date: 2013-10-08
-description: Wicked Gem for Ruby contains a flaw that is due to the program
-  failing to properly sanitize input passed via the 'the_step' parameter
-  upon submission to the render_redirect.rb script.
-  This may allow a remote attacker to gain access to arbitrary files.
-cvss_v2: 5.0
-patched_versions:
-  - '>= 1.0.1'

data/data/ruby-advisory-db/gems/will_paginate/CVE-2013-6459.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: will_paginate
-osvdb: 101138
-cve: 2013-6459
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-6459
-title: will_paginate Gem for Ruby Generated Pagination Link Unspecified XSS
-date: 2013-09-19
-description: will_paginate Gem for Ruby contains a flaw that allows a cross-site scripting (XSS) attack.
-  This flaw exists because the application does not validate certain unspecified input related to
-  generated pagination links before returning it to the user. This may allow an attacker to create
-  a specially crafted request that would execute arbitrary script code in a users browser within the
-  trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 3.0.5"

data/data/ruby-advisory-db/gems/xaviershay-dm-rails/CVE-2015-2179.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: xaviershay-dm-rails
-cve: 2015-2179
-osvdb: 118579
-url: https://nvd.nist.gov/vuln/detail/CVE-2015-2179
-title: |
-  xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process table
-date: 2015-02-17
-description: |
-  xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
-  in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
-  due to the function exposing sensitive information via the process table.
-  This may allow a local attack to gain access to MySQL credential information.