RubyGems - bundler-budit - Versions diffs - 0.6.2 → 0.6.3 - Mend

bundler-budit 0.6.2 → 0.6.3

Files changed (446) hide show

data/data/ruby-advisory-db/gems/private_address_check/CVE-2017-0904.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: private_address_check
-cve: 2017-0904
-url: https://github.com/jtdowney/private_address_check/issues/1
-title: private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery
-date: 2017-11-07
-description: |
-  The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's
-  Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security
-  measures, such as when used to blacklist private network addresses to prevent server-side
-  request forgery.
-cvss_v2: 6.8
-cvss_v3: 8.1
-patched_versions:
-  - ">= 0.4.0"

data/data/ruby-advisory-db/gems/private_address_check/CVE-2017-0909.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: private_address_check
-cve: 2017-0909
-url: https://github.com/jtdowney/private_address_check/pull/3
-title: private_address_check Ruby Gem Blacklist Bypass privilege escalation
-date: 2017-11-09
-description: |
-  The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete
-  blacklist of common private/local network addresses used to prevent server-side request forgery.
-cvss_v2: 7.5
-cvss_v3: 9.8
-patched_versions:
-  - ">= 0.4.1"

data/data/ruby-advisory-db/gems/private_address_check/CVE-2018-3759.yml DELETED

@@ -1,14 +0,0 @@
----
-gem: private_address_check
-cve: 2018-3759
-url: https://github.com/jtdowney/private_address_check/commit/4068228187db87fea7577f7020099399772bb147
-title: private_address_check Ruby Gem Time-of-check Time-of-use race condition
-date: 2018-05-03
-description: |
-  private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU)
-  race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0
-  can trigger this case where the initial resolution is a public address by the subsequent
-  resolution is a private address.
-patched_versions:
-  - ">= 0.5.0"

data/data/ruby-advisory-db/gems/quick_magick/OSVDB-106954.yml DELETED

@@ -1,7 +0,0 @@
----
-gem: quick_magick
-osvdb: 106954
-url: http://osvdb.org/show/osvdb/106954
-title: quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String Handling Remote Command Injection
-date: 2011-01-12
-description: quick_magick Gem for Ruby contains a flaw in the QuickMagick::Image.read function. The issue is triggered when handling a specially crafted string. This may allow a remote attacker to inject arbitrary commands.

data/data/ruby-advisory-db/gems/rack-attack/OSVDB-132234.yml DELETED

@@ -1,26 +0,0 @@
----
-gem: rack-attack
-osvdb: 132234
-url: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1
-title: |
-  rack-attack Gem for Ruby missing normalization before request path
-  processing
-date: 2015-12-18
-description: |
-  When using rack-attack with a rails app, developers expect the request
-  path to be normalized. In particular, trailing slashes are stripped so
-  a request path "/login/" becomes "/login" by the time you're in
-  ActionController.
-  Since Rack::Attack runs before ActionDispatch, the request path is not
-  yet normalized. This can cause throttles and blacklists to not work as
-  expected.
-  E.g., a throttle:
-  `throttle('logins', ...) {|req| req.path == "/login" }`
-  would not match a request to '/login/', though Rails would route
-  '/login/' to the same '/login' action.
-patched_versions:
-  - ">= 4.3.1"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: rack-cache
-cve: 2012-2671
-osvdb: 83077
-url: http://osvdb.org/83077
-title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
-date: 2012-06-06
-description: |
-  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
-  sensitive HTTP headers. This will result in a weakness that may make it
-  easier for an attacker to gain access to a user's session via a specially
-  crafted header.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.2"

data/data/ruby-advisory-db/gems/rack-cors/CVE-2017-11173.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: rack-cors
-cve: 2017-11173
-date: 2015-07-13
-url: https://github.com/cyu/rack-cors/issues/86
-title: rack-cors Gem Missing Anchor permits unauthorized CORS requests
-description: |
-  Missing anchor in generated regex for rack-cors before 0.4.1
-  allows a malicious third-party site to perform CORS requests.
-  If the configuration were intended to allow only the trusted
-  example.com domain name and not the malicious example.net domain name,
-  then example.com.example.net (as well as example.com-example.net) would
-  be inadvertently allowed.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 0.4.1"
-related:
-  url:
-    - https://github.com/cyu/rack-cors/issues/86
-    - http://seclists.org/fulldisclosure/2017/Jul/22

data/data/ruby-advisory-db/gems/rack-mini-profiler/CVE-2016-4442.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: rack-mini-profiler
-cve: 2016-4442
-url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c
-title: rack-mini-profiler may disclose information to unauthorized users
-date: 2016-05-18
-description: >-
-  Carefully crafted requests can expose information about
-  strings and objects allocated during the request for unauthorised
-  users.
-patched_versions:
-  - ">= 0.10.1"
-related:
-  url:
-    - http://seclists.org/oss-sec/2016/q2/516

data/data/ruby-advisory-db/gems/rack-protection/CVE-2018-7212.yml DELETED

@@ -1,12 +0,0 @@
----
-gem: rack-protection
-cve: 2018-7212
-url: https://github.com/sinatra/sinatra/pull/1379
-title: Path traversal is possible via backslash characters on Windows.
-date: 2018-02-18
-description: |
-  An issue was discovered in rack-protection 2.x before 2.0.1 on Windows. Path traversal
-  is possible via backslash characters.
-patched_versions:
-  - ">= 2.0.1"
-  - "~> 1.5.4"

data/data/ruby-advisory-db/gems/rack-ssl/OSVDB-104734.yml DELETED

@@ -1,11 +0,0 @@
----
-gem: rack-ssl
-cve: 2014-2538
-osvdb: 104734
-url: http://osvdb.org/show/osvdb/104734
-title: rack-ssl Gem for Ruby Error Message Reflected XSS
-date: 2013-07-09
-description: rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server.
-cvss_v2: 4.3
-patched_versions:
-  - ">= 1.3.4"

data/data/ruby-advisory-db/gems/rack/CVE-2015-3225.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: rack
-cve: 2015-3225
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
-title: |
-  Potential Denial of Service Vulnerability in Rack
-date: 2015-06-16
-description: |
-  Carefully crafted requests can cause a `SystemStackError` and potentially
-  cause a denial of service attack.
-  All users running an affected release should upgrade.
-patched_versions:
-  - ">= 1.6.2"
-  - "~> 1.5.4"
-  - "~> 1.4.6"

data/data/ruby-advisory-db/gems/rack/CVE-2018-16470.yml DELETED

@@ -1,56 +0,0 @@
----
-gem: rack
-cve: 2018-16470
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
-title: Possible DoS vulnerability in Rack
-date: 2018-11-05
-description: |
-  There is a possible DoS vulnerability in the multipart parser in Rack. This
-  vulnerability has been assigned the CVE identifier CVE-2018-16470.
-  Versions Affected:  2.0.4, 2.0.5
-  Not affected:       <= 2.0.3
-  Fixed Versions:     2.0.6
-  Impact
-  ------
-  There is a possible DoS vulnerability in the multipart parser in Rack.
-  Carefully crafted requests can cause the multipart parser to enter a
-  pathological state, causing the parser to use CPU resources disproportionate to
-  the request size.
-  Impacted code can look something like this:
-  ```
-  Rack::Request.new(env).params
-  ```
-  But any code that uses the multi-part parser may be vulnerable.
-  Rack users that have manually adjusted the buffer size in the multipart parser
-  may be vulnerable as well.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The 2.0.6 release is available at the normal locations.
-  Workarounds
-  -----------
-  To work around this issue, the following code can be used:
-  ```
-  require "rack/multipart/parser"
-  Rack::Multipart::Parser.send :remove_const, :BUFSIZE
-  Rack::Multipart::Parser.const_set :BUFSIZE, 16384
-  ```
-unaffected_versions:
-  - "<= 2.0.3"
-patched_versions:
-  - ">= 2.0.6"

data/data/ruby-advisory-db/gems/rack/CVE-2018-16471.yml DELETED

@@ -1,80 +0,0 @@
----
-gem: rack
-cve: 2018-16471
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
-title: Possible XSS vulnerability in Rack
-date: 2018-11-05
-description: |
-  There is a possible vulnerability in Rack. This vulnerability has been
-  assigned the CVE identifier CVE-2018-16471.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     2.0.6, 1.6.11
-  Impact
-  ------
-  There is a possible XSS vulnerability in Rack.  Carefully crafted requests can
-  impact the data returned by the `scheme` method on `Rack::Request`.
-  Applications that expect the scheme to be limited to "http" or "https" and do
-  not escape the return value could be vulnerable to an XSS attack.
-  Vulnerable code looks something like this:
-  ```
-  <%= request.scheme.html_safe %>
-  ```
-  Note that applications using the normal escaping mechanisms provided by Rails
-  may not impacted, but applications that bypass the escaping mechanisms, or do
-  not use them may be vulnerable.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The 2.0.6 and 1.6.11 releases are available at the normal locations.
-  Workarounds
-  -----------
-  The following monkey patch can be applied to work around this issue:
-  ```
-  require "rack"
-  require "rack/request"
-  class Rack::Request
-  SCHEME_WHITELIST = %w(https http).freeze
-  def scheme
-    if get_header(Rack::HTTPS) == 'on'
-      'https'
-    elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
-      'https'
-    elsif forwarded_scheme
-      forwarded_scheme
-    else
-      get_header(Rack::RACK_URL_SCHEME)
-    end
-  end
-  def forwarded_scheme
-    scheme_headers = [
-      get_header(HTTP_X_FORWARDED_SCHEME),
-      get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
-    ]
-    scheme_headers.each do |header|
-      return header if SCHEME_WHITELIST.include?(header)
-    end
-    nil
-  end
-  end
-  ```
-patched_versions:
-  - "~> 1.6.11"
-  - ">= 2.0.6"

data/data/ruby-advisory-db/gems/rack/OSVDB-78121.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: rack
-cve: 2011-5036
-osvdb: 78121
-url: http://osvdb.org/show/osvdb/78121
-title: |
-  Rack Hash Collision Form Parameter Parsing Remote DoS
-date: 2011-12-28
-description: |
-  Rack contains a flaw that may allow a remote denial of service. The issue is
-  triggered when an attacker sends multiple crafted parameters which trigger
-  hash collisions, and will result in loss of availability for the program via
-  CPU consumption.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 1.1.3"
-  - "~> 1.2.5"
-  - "~> 1.3.6"
-  - ">= 1.4.0"

data/data/ruby-advisory-db/gems/rack/OSVDB-89317.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: rack
-cve: 2012-6109
-osvdb: 89317
-url: http://osvdb.org/show/osvdb/89317
-title: |
-  Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS
-date: 2012-05-04
-description: |
-  Rack contains a flaw in the Regular Expressions Engine that may allow a remote
-  denial of service. The issue is triggered when parsing context-disposition
-  headers. With a specially crafted header, a remote attacker can cause an
-  infinite loop, which will result in a loss of availability for the webserver.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.1.4"
-  - "~> 1.2.6"
-  - "~> 1.3.7"
-  - ">= 1.4.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89320.yml DELETED

@@ -1,19 +0,0 @@
----
-gem: rack
-cve: 2013-0183
-osvdb: 89320
-url: http://osvdb.org/show/osvdb/89320
-title: |
-  Rack Long String Parsing Memory Consumption Remote DoS
-date: 2013-01-07
-description: |
-  Rack contains a flaw that may allow a remote denial of service. The issue is
-  triggered when parsing an overly long string. With a specially crafted string,
-  a remote attacker can cause a consumption of memory. This will result in a
-  loss of availability for the webserver.
-cvss_v2: 5.0
-patched_versions:
-  - "~> 1.3.8"
-  - ">= 1.4.3"

data/data/ruby-advisory-db/gems/rack/OSVDB-89327.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: rack
-cve: 2013-0184
-osvdb: 89327
-url: http://osvdb.org/show/osvdb/89327
-title: |
-  Rack Rack::Auth::AbstractRequest Class Unspecified Remote DoS
-date: 2013-01-13
-description: |
-  Rack contains a flaw in the Rack::Auth::AbstractRequest class that may allow
-  a remote denial of service. The issue is triggered when an unspecified error
-  occurs, which will result in a loss of availability for the webserver.
-cvss_v2: 4.3
-patched_versions:
-  - "~> 1.1.5"
-  - "~> 1.2.7"
-  - "~> 1.3.9"
-  - ">= 1.4.4"

data/data/ruby-advisory-db/gems/rack/OSVDB-89938.yml DELETED

@@ -1,18 +0,0 @@
----
-gem: rack
-cve: 2013-0262
-osvdb: 89938
-url: http://osvdb.org/show/osvdb/89938
-title: |
-  Rack Rack::File Function Symlink Traversal Arbitrary File Disclosure
-date: 2013-02-07
-description: |
-  Rack contains a flaw as the Rack::File function creates temporary files
-  insecurely. It is possible for a local attacker to use a symlink attack to
-  traverse to an arbitrary file and disclose its contents
-cvss_v2: 4.3
-patched_versions:
-- "~> 1.4.5"
-- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml DELETED

@@ -1,23 +0,0 @@
----
-gem: rack
-cve: 2013-0263
-osvdb: 89939
-url: http://osvdb.org/show/osvdb/89939
-title: |
-  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
-date: 2013-02-07
-description: |
-  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
-  function. Users of the Marshal session cookie encoding (the default), are
-  subject to a timing attack that may lead an attacker to execute arbitrary
-  code. This attack is more practical against 'cloud' users as intra-cloud
-  latencies are sufficiently low to make the attack viable.
-cvss_v2: 5.1
-patched_versions:
-  - ~> 1.1.6
-  - ~> 1.2.8
-  - ~> 1.3.10
-  - ~> 1.4.5
-  - ">= 1.5.2"