RubyGems - bundler-budit - Versions diffs - 0.6.2 → 0.6.3 - Mend

bundler-budit 0.6.2 → 0.6.3

Files changed (446) hide show

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7578.yml DELETED

@@ -1,47 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2015-7578
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"
-title: Possible XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a possible XSS vulnerability in rails-html-sanitizer. This
-  vulnerability has been assigned the CVE identifier CVE-2015-7578.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     1.0.3
-  Impact
-  ------
-  There is a possible XSS vulnerability in rails-html-sanitizer.  Certain
-  attributes are not removed from tags when they are sanitized, and these
-  attributes can lead to an XSS attack on target applications.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  There are no feasible workarounds for this issue.
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 1-0-sanitize_data_attributes.patch - Patch for 1.0 series
-  Credits
-  -------
-  Thanks to Ben Murphy and Marien for reporting this.
-patched_versions:
-  - ">= 1.0.3"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7579.yml DELETED

@@ -1,75 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2015-7579
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc"
-title: XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`.
-  This vulnerability has been assigned the CVE identifier CVE-2015-7579.
-  Versions Affected:  1.0.2
-  Not affected:       1.0.0, 1.0.1
-  Fixed Versions:     1.0.3
-  Impact
-  ------
-  Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker
-  passes an already escaped HTML entity to the input of Action View's `strip_tags`
-  these entities will be unescaped what may cause a XSS attack if used in combination
-  with `raw` or `html_safe`.
-  For example:
-      strip_tags("&lt;script&gt;alert('XSS')&lt;/script&gt;")
-  Would generate:
-      <script>alert('XSS')</script>
-  After the fix it will generate:
-      &lt;script&gt;alert('XSS')&lt;/script&gt;
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  If you can't upgrade, please use the following monkey patch in an initializer
-  that is loaded before your application:
-  ```
-  $ cat config/initializers/strip_tags_fix.rb
-  class ActionView::Base
-    def strip_tags(html)
-      self.class.full_sanitizer.sanitize(html)
-    end
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches
-  for the two supported release series. They are in git-am format and consist
-  of a single changeset.
-  * Do-not-unescape-already-escaped-HTML-entities.patch
-  Credits
-  -------
-  Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for
-  reporting the problem and working with us to fix it.
-unaffected_versions:
-  - "~> 1.0.0"
-  - "~> 1.0.1"
-patched_versions:
-  - ">= 1.0.3"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2015-7580.yml DELETED

@@ -1,70 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2015-7580
-date: 2016-01-25
-url: "https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI"
-title: Possible XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a possible XSS vulnerability in the white list sanitizer in the
-  rails-html-sanitizer gem. This vulnerability has been assigned the CVE
-  identifier CVE-2015-7580.
-  Versions Affected:  All.
-  Not affected:       None.
-  Fixed Versions:     v1.0.3
-  Impact
-  ------
-  Carefully crafted strings can cause user input to bypass the sanitization in
-  the white list sanitizer which will can lead to an XSS attack.
-  Vulnerable code will look something like this:
-    <%= sanitize user_input, tags: %w(em) %>
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The FIXED releases are available at the normal locations.
-  Workarounds
-  -----------
-  Putting the following monkey patch in an initializer can help to mitigate the
-  issue:
-  ```
-  class Rails::Html::PermitScrubber
-    alias :old_scrub :scrub
-    alias :old_skip_node? :skip_node?
-    def scrub(node)
-      if node.cdata?
-        text = node.document.create_text_node node.text
-        node.replace text
-        return CONTINUE
-      end
-      old_scrub node
-    end
-    def skip_node?(node); node.text?; end
-  end
-  ```
-  Patches
-  -------
-  To aid users who aren't able to upgrade immediately we have provided patches for
-  the two supported release series. They are in git-am format and consist of a
-  single changeset.
-  * 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series
-  Credits
-  -------
-  Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue.
-patched_versions:
-  - ">= 1.0.3"

data/data/ruby-advisory-db/gems/rails-html-sanitizer/CVE-2018-3741.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: rails-html-sanitizer
-cve: 2018-3741
-date: 2018-03-22
-url: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
-title: XSS vulnerability in rails-html-sanitizer
-description: |
-  There is a possible XSS vulnerability in rails-html-sanitizer.  The gem allows
-  non-whitelisted attributes to be present in sanitized output when input with
-  specially-crafted HTML fragments, and these attributes can lead to an XSS attack
-  on target applications.
-  This issue is similar to CVE-2018-8048 in Loofah.
-patched_versions:
-  - ">= 1.0.4"
-related:
-  cve:
-    - 2018-8048
-  url:
-    - https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae

data/data/ruby-advisory-db/gems/rails_admin/CVE-2016-10522.yml DELETED

@@ -1,21 +0,0 @@
----
-gem: rails_admin
-cve: 2016-10522
-date: 2016-12-21
-url: https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/
-title: CSRF vulnerability in rails_admin
-description: |
-  The rails_admin gem is vulnerable to cross-site request forgery (CSRF) attacks.
-  Due to a bug, non-GET methods were not validating CSRF tokens and, as a result,
-  an attacker could hypothetically gain access to the application administrative
-  endpoints exposed by the gem.
-cvss_v2: 5.5
-unaffected_versions:
-- "< 1.0.0"
-patched_versions:
-- ">= 1.1.1"
-related:
-  url:
-    - https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173
-    - https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a

data/data/ruby-advisory-db/gems/railties/CVE-2019-5420.yml DELETED

@@ -1,49 +0,0 @@
----
-gem: railties
-framework: rails
-cve: 2019-5420
-date: 2019-03-13
-url: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
-title: Possible Remote Code Execution Exploit in Rails Development Mode
-description: |
-  There is a possible a possible remote code executing exploit in Rails when in
-  development mode. This vulnerability has been assigned the CVE identifier
-  CVE-2019-5420.
-  Versions Affected:  6.0.0.X, 5.2.X.
-  Not affected:       < 5.2.0
-  Fixed Versions:     6.0.0.beta3, 5.2.2.1
-  Impact
-  ------
-  With some knowledge of a target application it is possible for an attacker to
-  guess the automatically generated development mode secret token.  This secret
-  token can be used in combination with other Rails internals to escalate to a
-  remote code execution exploit.
-  All users running an affected release should either upgrade or use one of the
-  workarounds immediately.
-  Releases
-  --------
-  The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
-  Workarounds
-  -----------
-  This issue can be mitigated by specifying a secret key in development mode.
-  In "config/environments/development.rb" add this:
-    config.secret_key_base = SecureRandom.hex(64)
-  Credits
-  -------
-  Thanks to ooooooo_q
-unaffected_versions:
-  - "< 5.2.0"
-patched_versions:
-  - "~> 5.2.2, >= 5.2.2.1"
-  - ">= 6.0.0.beta3"

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml DELETED

@@ -1,20 +0,0 @@
----
-gem: rbovirt
-cve: 2014-0036
-osvdb: 104080
-url: http://osvdb.org/show/osvdb/104080
-title: rbovirt Gem for Ruby contains a flaw
-date: 2014-03-05
-description: |
-  rbovirt Gem for Ruby contains a flaw related to certificate validation.
-  The issue is due to the program failing to validate SSL certificates. This may
-  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
-  poisoning) to spoof the SSL server via an arbitrary certificate that appears
-  valid. Such an attack would allow for the interception of sensitive traffic,
-  and potentially allow for the injection of content into the SSL stream.
-cvss_v2: 6.8
-patched_versions:
-  - '>= 0.0.24'

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml DELETED

@@ -1,27 +0,0 @@
----
-gem: rdoc
-cve: 2013-0256
-osvdb: 90004
-url: http://www.osvdb.org/show/osvdb/90004
-title: RDoc 2.3.0 through 3.12 XSS Exploit
-date: 2013-02-06
-description: |
-  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
-  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
-  may lead to cookie disclosure to third parties.
-  The exploit exists in darkfish.js which is copied from the RDoc install
-  location to the generated documentation.
-  RDoc is a static documentation generation tool. Patching the library itself
-  is insufficient to correct this exploit.
-  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.9.5
-  - ~> 3.12.1
-  - ">= 4.0"

data/data/ruby-advisory-db/gems/recurly/CVE-2017-0905.yml DELETED

@@ -1,35 +0,0 @@
----
-gem: recurly
-cve: 2017-0905
-url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0905
-date: 2017-11-09
-title: SSRF vulnerability in Recurly gem's Resource#find.
-description: |
-  If you are using the #find method on any of the classes that are derived from
-  the Resource class and you are passing user input into that method, a
-  malicious user can force the http client to reach out to a server under their
-  control. This can lead to leakage of your private API key.
-  Because of the severity of impact, we are recommending that all users upgrade
-  to a patched version. We have provided a non-breaking patch for every 2.X
-  version of the client.
-patched_versions:
-  - ~> 2.0.13
-  - ~> 2.1.11
-  - ~> 2.2.5
-  - ~> 2.3.10
-  - ~> 2.4.11
-  - ~> 2.5.3
-  - ~> 2.6.3
-  - ~> 2.7.8
-  - ~> 2.8.2
-  - ~> 2.9.2
-  - ~> 2.10.4
-  - ~> 2.11.3
-  - ">= 2.12.0"
-related:
-  url:
-    - https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be

data/data/ruby-advisory-db/gems/redcarpet/CVE-2015-5147.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: redcarpet
-cve: 2015-5147
-osvdb: 123859
-url: http://seclists.org/oss-sec/2015/q2/818
-title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow
-date: 2015-06-22
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a stack overflow.
-  This flaw exists because the header_anchor() function in html.c uses
-  variable length arrays (VLA) without any range checking. This may
-  allow a remote attacker to execute arbitrary code.
-cvss_v2: 7.5
-unaffected_versions:
-  - "< 3.3.0"
-patched_versions:
-  - ">= 3.3.2"

data/data/ruby-advisory-db/gems/redcarpet/OSVDB-120415.yml DELETED

@@ -1,16 +0,0 @@
----
-gem: redcarpet
-osvdb: 120415
-url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
-title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
-date: 2015-04-07
-description: |
-  redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
-  (XSS) attack. This flaw exists because the parse_inline() function in
-  markdown.c does not validate input before returning it to users. This may
-  allow a remote attacker to create a specially crafted request that would
-  execute arbitrary script code in a user's browser session within the trust
-  relationship between their browser and the server.
-cvss_v2:
-patched_versions:
-  - ">= 3.2.3"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml DELETED

@@ -1,15 +0,0 @@
----
-gem: redis-namespace
-osvdb: 96425
-url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
-title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
-date: 2013-08-03
-description: |
-  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
-  The issue is triggered when handling exec commands called via send(). This may allow a
-  remote attacker to execute arbitrary commands.
-patched_versions:
-  - ">= 1.3.1"
-  - "~> 1.2.2"
-  - "~> 1.1.1"
-  - "~> 1.0.4"

data/data/ruby-advisory-db/gems/redis-store/CVE-2017-1000248.yml DELETED

@@ -1,17 +0,0 @@
----
-gem: redis-store
-cve: 2017-1000248
-url: https://github.com/redis-store/redis-store/commit/ce13252c26fcc40ed4935c9abfeb0ee0761e5704
-date: 2017-11-16
-title: Unsafe objects can be loaded from Redis
-description: |
-  Redis-store <=v1.3.0 allows unsafe objects to be loaded from Redis via the
-  use of the Marshal serializer.
-patched_versions:
-  - ">= 1.4.0"
-related:
-  url:
-    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000248