RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.0 - Mend

bundler-audit 0.7.0.1 → 0.9.0

Files changed (612) hide show

data/data/ruby-advisory-db/gems/activerecord/CVE-2016-6317.yml DELETED Viewed

@@ -1,73 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2016-6317
-date: 2016-08-11
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
-title: Unsafe Query Generation Risk in Active Record
-description: |
-  There is a vulnerability when Active Record is used in conjunction with JSON
-  parameter parsing. This vulnerability is similar to CVE-2012-2660,
-  CVE-2012-2694 and CVE-2013-0155.
-  Impact
-  ------
-  Due to the way Active Record interprets parameters in combination with the way
-  that JSON parameters are parsed, it is possible for an attacker to issue
-  unexpected database queries with "IS NULL" or empty where clauses.  This issue
-  does *not* let an attacker insert arbitrary values into an SQL query, however
-  they can cause the query to check for NULL or eliminate a WHERE clause when
-  most users wouldn't expect it.
-  For example, a system has password reset with token functionality:
-  ```ruby
-      unless params[:token].nil?
-        user = User.find_by_token(params[:token])
-        user.reset_password!
-      end
-  ```
-  An attacker can craft a request such that `params[:token]` will return
-  `[nil]`.  The `[nil]` value will bypass the test for nil, but will still add
-  an "IN ('xyz', NULL)" clause to the SQL query.
-  Similarly, an attacker can craft a request such that `params[:token]` will
-  return an empty hash.  An empty hash will eliminate the WHERE clause of the
-  query, but can bypass the `nil?` check.
-  Note that this impacts not only dynamic finders (`find_by_*`) but also
-  relations (`User.where(:name => params[:name])`).
-  All users running an affected release should either upgrade or use one of the
-  work arounds immediately. All users running an affected release should upgrade
-  immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
-  CVE-2012-2694, and CVE-2013-0155.  Even if you upgraded to address those
-  issues, you must take action again.
-  If this chance in behavior impacts your application, you can manually decode
-  the original values from the request like so:
-      `ActiveSupport::JSON.decode(request.body)`
-  Workarounds
-  -----------
-  This problem can be mitigated by casting the parameter to a string before
-  passing it to Active Record.  For example:
-    ```ruby
-      unless params[:token].nil? || params[:token].to_s.empty?
-        user = User.find_by_token(params[:token].to_s)
-        user.reset_password!
-      end
-    ```
-unaffected_versions:
-  - "< 4.2.0"
-  - ">= 5.0.0"
-patched_versions:
-  - ">= 4.2.7.1"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-88661.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: activerecord
-framework: rails
-cve: 2012-6496
-osvdb: 88661
-url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM
-title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass
-date: 2012-12-22
-description: |
-  Due to the way dynamic finders in Active Record extract options from method
-  parameters, a method parameter can mistakenly be used as a scope.  Carefully
-  crafted requests can use the scope to inject arbitrary SQL.
-cvss_v2: 6.4
-patched_versions:
-  - ~> 3.0.18
-  - ~> 3.1.9
-  - ">= 3.2.10"

data/data/ruby-advisory-db/gems/activerecord-jdbc-adapter/OSVDB-114854.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: activerecord-jdbc-adapter
-platform: jruby
-osvdb: 114854
-url: http://osvdb.org/show/osvdb/114854
-title: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
-  Function SQL Injection
-date: 2013-02-25
-description: |
-  ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
-  out an SQL injection attack. The issue is due to the sql.gsub() function in
-  lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before
-  using it in SQL queries. This may allow a remote attacker to inject or
-  manipulate SQL queries in the back-end database, allowing for the
-  manipulation or disclosure of arbitrary data.
-unaffected_versions:
-  - "< 1.2.6"
-patched_versions:
-  - ">= 1.2.8"

data/data/ruby-advisory-db/gems/activerecord-oracle_enhanced-adapter/OSVDB-95376.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activerecord-oracle_enhanced-adapter
-osvdb: 95376
-url: http://osvdb.org/show/osvdb/95376
-title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection
-date: 2008-10-10
-description: |
-  Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an
-  attacker to carry out an SQL injection attack. The issue is due to the
-  program not properly sanitizing user-supplied input related to the :limit and
-  :offset functions. This may allow an attacker to inject or manipulate SQL
-  queries in the back-end database, allowing for the manipulation or disclosure
-  of arbitrary data.
-patched_versions:
-  - ">= 1.1.8"

data/data/ruby-advisory-db/gems/activeresource/CVE-2020-8151.yml DELETED Viewed

@@ -1,48 +0,0 @@
----
-gem: activeresource
-cve: 2020-8151
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/pktoF4VmiM8
-title: activeresource Gem for Ruby lib/active_resource/base.rb element_path Lack of Encoding
-date: 2020-05-05
-description: |
-  activeresource contains a lack of encoding flaw in the element_path function of
-  lib/active_resource/base.rb.
-  There is an issue with the way Active Resource encodes data before querying the back end server.  This encoding mechanism can allow specially crafted requests to possibly access data that may not be expected.
-  Impacted code will look something like this:
-  ```
-  require 'activeresource'
-  class Test < ActiveResource::Base
-    self.site = 'http://127.0.0.1:3000'
-  end
-  Test.exists?(untrusted_user_input)
-  ```
-  Where untrusted user input is passed to an Active Resource model.  Specially crafted untrusted input can cause Active Resource to access data in an unexpected way and possibly leak information.
-  Workarounds
-  -------------
-  For those that can't upgrade, the following monkey patch can be applied:
-  ```
-  module ActiveResource
-   class Base
-     class << self
-       def element_path(id, prefix_options = {}, query_options = nil)
-         check_prefix_options(prefix_options)
-         prefix_options, query_options = split_options(prefix_options) if query_options.nil?
-         "#{prefix(prefix_options)}#{collection_name}/#{URI.encode_www_form_component(id.to_s)}#{format_extension}#{query_string(query_options)}"
-       end
-     end
-   end
-  end
-  ```
-patched_versions:
-  - ">= 5.1.1"

data/data/ruby-advisory-db/gems/activeresource/OSVDB-95749.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: activeresource
-osvdb: 95749
-url: http://osvdb.org/show/osvdb/95749
-title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function Multiple Variable Format String
-date: 2008-08-15
-description: |
-  activeresource contains a format string flaw in the request function of
-  lib/active_resource/connection.rb. The issue is triggered as format string
-  specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input
-  when passed via the 'result.code' and 'result.message' variables. This may
-  allow a remote attacker to cause a denial of service or potentially execute
-  arbitrary code.
-patched_versions:
-  - ">= 2.2.0"

data/data/ruby-advisory-db/gems/activestorage/CVE-2018-16477.yml DELETED Viewed

@@ -1,43 +0,0 @@
----
-gem: activestorage
-framework: rails
-cve: 2018-16477
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
-title: Bypass vulnerability in Active Storage
-date: 2018-11-27
-description: |
-  There is a vulnerability in Active Storage. This vulnerability has been
-  assigned the CVE identifier CVE-2018-16477.
-  Versions Affected:  >= 5.2.0
-  Not affected:       < 5.2.0
-  Fixed Versions:     5.2.1.1
-  Impact
-  ------
-  Signed download URLs generated by `ActiveStorage` for Google Cloud Storage
-  service and Disk service include `content-disposition` and `content-type`
-  parameters that an attacker can modify. This can be used to upload specially
-  crafted HTML files and have them served and executed inline. Combined with
-  other techniques such as cookie bombing and specially crafted AppCache manifests,
-  an attacker can gain access to private signed URLs within a specific storage path.
-  Vulnerable apps are those using either GCS or the Disk service in production.
-  Other storage services such as S3 or Azure aren't affected.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately. For those using GCS, it's also recommended to run the
-  following to update existing blobs:
-  ```
-  ActiveStorage::Blob.find_each do |blob|
-    blob.send :update_service_metadata
-  end
-  ```
-unaffected_versions:
-  - "< 5.2.0"
-patched_versions:
-  - ">= 5.2.1.1"

data/data/ruby-advisory-db/gems/activestorage/CVE-2020-8162.yml DELETED Viewed

@@ -1,31 +0,0 @@
----
-gem: activestorage
-framework: rails
-cve: 2020-8162
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ
-title: Circumvention of file size limits in ActiveStorage
-date: 2020-05-18
-description: |
-  There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a
-  direct file upload to be modified by an end user.
-  Versions Affected:  rails < 5.2.4.2, rails < 6.0.3.1
-  Not affected:       Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
-  Fixed Versions:     rails >= 5.2.4.3, rails >= 6.0.3.1
-  Impact
-  ------
-  Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a
-  new signature from the server. This could be used to bypass controls in place on the server to limit upload size.
-  Workarounds
-  -----------
-  This is a low-severity security issue. As such, no workaround is necessarily
-  until such time as the application can be upgraded.
-patched_versions:
-  - "~> 5.2.4.3"
-  - ">= 6.0.3.1"

data/data/ruby-advisory-db/gems/activesupport/CVE-2012-1098.yml DELETED Viewed

@@ -1,26 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-1098
-osvdb: 79726
-url: https://nvd.nist.gov/vuln/detail/CVE-2012-1098
-title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
-date: 2012-03-01
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because athe application does not validate direct
-  manipulations of SafeBuffer objects via '[]' and other methods. This may
-  allow a user to create a specially crafted request that would execute
-  arbitrary script code in a user's browser within the trust relationship
-  between their browser and the server.
-cvss_v2: 4.3
-unaffected_versions:
-  - "< 3.0.0"
-patched_versions:
-  - ~> 3.0.12
-  - ~> 3.1.4
-  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/activesupport/CVE-2012-3464.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2012-3464
-osvdb: 84516
-url: https://nvd.nist.gov/vuln/detail/CVE-2012-3464
-title: Ruby on Rails HTML Escaping Code XSS
-date: 2012-08-09
-description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
-  attack. This flaw exists because the HTML escaping code functionality does
-  not properly escape a single quote character. This may allow a user to create
-  a specially crafted request that would execute arbitrary script code in a
-  user's browser within the trust relationship between their browser and the
-  server.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.0.17
-  - ~> 3.1.8
-  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/activesupport/CVE-2013-0333.yml DELETED Viewed

@@ -1,25 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2013-0333
-osvdb: 89594
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333
-title:
-  Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
-  Execution
-date: 2013-01-28
-description: |
-  Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
-  parsing backends, one of which involves transforming JSON into YAML via the
-  YAML parser. With a specially crafted payload, an attacker can subvert the
-  backend into decoding a subset of YAML. This may allow a remote attacker to
-  bypass restrictions, allowing them to bypass authentication systems, inject
-  arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on
-  a Rails application.
-cvss_v2: 9.3
-patched_versions:
-  - ~> 2.3.16
-  - ">= 3.0.20"

data/data/ruby-advisory-db/gems/activesupport/CVE-2013-1856.yml DELETED Viewed

@@ -1,28 +0,0 @@
----
-gem: activesupport
-framework: rails
-platform: jruby
-cve: 2013-1856
-osvdb: 91451
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
-title: XML Parsing Vulnerability affecting JRuby users
-date: 2013-03-19
-description: |
- The ActiveSupport XML parsing functionality supports multiple
- pluggable backends. One backend supported for JRuby users is
- ActiveSupport::XmlMini_JDOM which makes use of the
- javax.xml.parsers.DocumentBuilder class. In some JVM configurations
- the default settings of that class can allow an attacker to construct
- XML which, when parsed, will contain the contents of arbitrary URLs
- including files from the application server. They may also allow for
- various denial of service attacks. Action Pack
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3226.yml DELETED Viewed

@@ -1,55 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2015-3226
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU
-title: |
-  XSS Vulnerability in ActiveSupport::JSON.encode
-date: 2015-06-16
-description: |
-  When a `Hash` containing user-controlled data is encode as JSON (either through
-  `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate
-  escaping that matches the guarantee implied by the `escape_html_entities_in_json`
-  option (which is enabled by default). If this resulting JSON string is subsequently
-  inserted directly into an HTML page, the page will be vulnerable to XSS attacks.
-  For example, the following code snippet is vulnerable to this attack:
-      <%= javascript_tag "var data = #{user_supplied_data.to_json};" %>
-  Similarly, the following is also vulnerable:
-      <script>
-        var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>;
-      </script>
-  All applications that renders JSON-encoded strings that contains user-controlled
-  data in their views should either upgrade to one of the FIXED versions or use
-  the suggested workaround immediately.
-  Workarounds
-  -----------
-  To work around this problem add an initializer with the following code:
-    module ActiveSupport
-      module JSON
-        module Encoding
-          private
-          class EscapedString
-            def to_s
-              self
-            end
-          end
-        end
-      end
-    end
-unaffected_versions:
-  - "< 4.1.0"
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"

data/data/ruby-advisory-db/gems/activesupport/CVE-2015-3227.yml DELETED Viewed

@@ -1,33 +0,0 @@
----
-gem: activesupport
-framework: rails
-cve: 2015-3227
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
-title: |
-  Possible Denial of Service attack in Active Support
-date: 2015-06-16
-description: |
-  Specially crafted XML documents can cause applications to raise a
-  `SystemStackError` and potentially cause a denial of service attack.  This
-  only impacts applications using REXML or JDOM as their XML processor.  Other
-  XML processors that Rails supports are not impacted.
-  All users running an affected release should either upgrade or use one of the work arounds immediately.
-  Workarounds
-  -----------
-  Use an XML parser that is not impacted by this problem, such as Nokogiri or
-  LibXML.  You can change the processor like this:
-    ActiveSupport::XmlMini.backend = 'Nokogiri'
-  If you cannot change XML parsers, then adjust
-  `RUBY_THREAD_MACHINE_STACK_SIZE`.
-patched_versions:
-  - ">= 4.2.2"
-  - "~> 4.1.11"
-  - "~> 3.2.22"