codesake-dawn 1.0.0.rc2 → 1.0.0

Files changed (87) hide show
  1. checksums.yaml +4 -4
  2. data/.gitignore +0 -1
  3. data/Changelog.md +36 -5
  4. data/KnowledgeBase.md +153 -0
  5. data/README.md +36 -13
  6. data/Rakefile +21 -3
  7. data/Roadmap.md +22 -22
  8. data/codesake-dawn.gemspec +3 -3
  9. data/doc/dawn_1_0_announcement.md +40 -0
  10. data/lib/codesake/dawn/kb/basic_check.rb +42 -2
  11. data/lib/codesake/dawn/kb/cve_2012_1098.rb +31 -0
  12. data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
  13. data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
  14. data/lib/codesake/dawn/kb/cve_2012_6134.rb +1 -1
  15. data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
  16. data/lib/codesake/dawn/kb/cve_2013_0263.rb +3 -4
  17. data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
  18. data/lib/codesake/dawn/kb/cve_2013_4457.rb +1 -0
  19. data/lib/codesake/dawn/kb/dependency_check.rb +4 -0
  20. data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +2 -0
  21. data/lib/codesake/dawn/kb/pattern_match_check.rb +17 -1
  22. data/lib/codesake/dawn/knowledge_base.rb +10 -0
  23. data/lib/codesake/dawn/version.rb +8 -5
  24. data/spec/lib/dawn/codesake_knowledgebase_spec.rb +25 -0
  25. data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +1 -0
  26. data/spec/lib/kb/codesake_dependency_version_check_spec.rb +65 -0
  27. data/spec/lib/kb/cve_2011_2705_spec.rb +28 -1
  28. data/spec/lib/kb/cve_2011_2930_spec.rb +25 -1
  29. data/spec/lib/kb/cve_2011_3009_spec.rb +18 -1
  30. data/spec/lib/kb/cve_2011_3187_spec.rb +17 -1
  31. data/spec/lib/kb/cve_2011_4319_spec.rb +37 -1
  32. data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
  33. data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
  34. data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
  35. data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
  36. data/spec/lib/kb/cve_2013_0256_spec.rb +34 -1
  37. data/spec/lib/kb/cve_2013_0263_spec.rb +4 -1
  38. data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
  39. data/spec/lib/kb/cve_2013_2090_spec.rb +13 -1
  40. data/spec/lib/kb/cve_2013_2119_spec.rb +20 -1
  41. data/spec/lib/kb/cve_2013_5647_spec.rb +12 -1
  42. data/spec/lib/kb/cve_2013_6459_spec.rb +12 -5
  43. data/spec/lib/kb/cve_2013_7086_spec.rb +1 -1
  44. metadata +28 -95
  45. data/spec/lib/kb/cve_2004_0983_spec.rb +0 -8
  46. data/spec/lib/kb/cve_2005_1992_spec.rb +0 -8
  47. data/spec/lib/kb/cve_2005_2337_spec.rb +0 -8
  48. data/spec/lib/kb/cve_2006_1931_spec.rb +0 -8
  49. data/spec/lib/kb/cve_2006_2582_spec.rb +0 -8
  50. data/spec/lib/kb/cve_2006_3694_spec.rb +0 -8
  51. data/spec/lib/kb/cve_2006_4112_spec.rb +0 -8
  52. data/spec/lib/kb/cve_2006_5467_spec.rb +0 -8
  53. data/spec/lib/kb/cve_2006_6303_spec.rb +0 -8
  54. data/spec/lib/kb/cve_2006_6852_spec.rb +0 -8
  55. data/spec/lib/kb/cve_2006_6979_spec.rb +0 -8
  56. data/spec/lib/kb/cve_2007_0469_spec.rb +0 -8
  57. data/spec/lib/kb/cve_2007_5162_spec.rb +0 -8
  58. data/spec/lib/kb/cve_2007_5379_spec.rb +0 -8
  59. data/spec/lib/kb/cve_2007_5380_spec.rb +0 -8
  60. data/spec/lib/kb/cve_2007_5770_spec.rb +0 -8
  61. data/spec/lib/kb/cve_2007_6077_spec.rb +0 -8
  62. data/spec/lib/kb/cve_2007_6612_spec.rb +0 -8
  63. data/spec/lib/kb/cve_2008_1145_spec.rb +0 -8
  64. data/spec/lib/kb/cve_2008_1891_spec.rb +0 -8
  65. data/spec/lib/kb/cve_2008_2376_spec.rb +0 -8
  66. data/spec/lib/kb/cve_2008_2662_spec.rb +0 -8
  67. data/spec/lib/kb/cve_2008_2663_spec.rb +0 -8
  68. data/spec/lib/kb/cve_2008_2664_spec.rb +0 -8
  69. data/spec/lib/kb/cve_2008_2725_spec.rb +0 -8
  70. data/spec/lib/kb/cve_2008_3655_spec.rb +0 -8
  71. data/spec/lib/kb/cve_2008_3657_spec.rb +0 -8
  72. data/spec/lib/kb/cve_2008_3790_spec.rb +0 -8
  73. data/spec/lib/kb/cve_2008_3905_spec.rb +0 -8
  74. data/spec/lib/kb/cve_2008_4094_spec.rb +0 -8
  75. data/spec/lib/kb/cve_2008_4310_spec.rb +0 -8
  76. data/spec/lib/kb/cve_2008_5189_spec.rb +0 -8
  77. data/spec/lib/kb/cve_2008_7248_spec.rb +0 -8
  78. data/spec/lib/kb/cve_2009_4078_spec.rb +0 -8
  79. data/spec/lib/kb/cve_2009_4124_spec.rb +0 -8
  80. data/spec/lib/kb/cve_2009_4214_spec.rb +0 -8
  81. data/spec/lib/kb/cve_2010_2489_spec.rb +0 -8
  82. data/spec/lib/kb/cve_2010_3933_spec.rb +0 -8
  83. data/spec/lib/kb/cve_2011_0188_spec.rb +0 -8
  84. data/spec/lib/kb/cve_2011_0739_spec.rb +0 -8
  85. data/spec/lib/kb/cve_2011_1004_spec.rb +0 -8
  86. data/spec/lib/kb/cve_2011_1005_spec.rb +0 -8
  87. data/spec/lib/kb/cve_2011_2686_spec.rb +0 -8
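--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: ead6f235a382b5141ff5b4deb9c378820bac7c9f
-data.tar.gz: 1e4aa5deac922e50082aed79bae96206316da310
+metadata.gz: 11a7412929a49ef9ba3ba1abad00d6ae8fe80341
+data.tar.gz: 844716c3213283dfbe5786d5cbdc684f5719ed84
 SHA512:
-metadata.gz: b3e0e711990a83280b447c164592644cd2844ff32ca4feecc391a33a849b6baee36162e09996e01c82a4974eadc082e27560e3c5f85cbf64c58971610d27e68e
-data.tar.gz: f24b24415371c204bccf23dcb975b7a795dc228738256f40324c95455e966d0f8d4dd8f981e84b6bddebc12cc0c6330eb3e29124739d5679087f79ed3ed69028
+metadata.gz: 63a503f4dc8c18d3cdb6430e9000b91a86cbfb69cf0196ec26d48c4f48ab6343ecfdf80ac6d9d392bc1b9ab112d850c563bcb2b8d46ad13adf893d47620d4595
+data.tar.gz: a789b7c768a07192fa6d5357009b153b3b700588a44b359696e28111adcc45ae25aeadfc3b612d5c4831fd708830651167ddf5644d339bac6204e54b49470b24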
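--- a/data/.gitignore
+++ b/data/.gitignore
@@ -10,7 +10,6 @@ Gemfile.lock
 InstalledFiles
 _yardoc
 coverage
-doc/
 lib/bundler/man
 pkg
 rdoc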
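--- a/data/Changelog.md
+++ b/data/Changelog.md
@@ -1,13 +1,13 @@
 # Codesake Dawn - changelog
 
-Dawn is a static analysis security scanner for ruby written web applications.
+Codesake::Dawn is a static analysis security scanner for ruby written web applications.
 It supports [Sinatra](http://www.sinatrarb.com),
 [Padrino](http://www.padrinorb.com) and [Ruby on Rails](http://rubyonrails.org)
 frameworks.
 
-_latest update: Fri Jan 10 08:53:06 CET 2014_
+_latest update: Tue Jan 21 08:13:32 CET 2014_
 
-## Version 1.0.0 - codename: Lightning McQueen (2014-01-xx)
+## Version 1.0.0 - codename: Lightning McQueen (2014-01-21)
 
 * Fixing issue #19 (https://github.com/codesake/codesake-dawn/issues/19). There
 was a problem on ```is_a_vulnerable_version?``` routine that flags a security
@@ -21,8 +21,31 @@ _latest update: Fri Jan 10 08:53:06 CET 2014_
 * Added a rake task to better integrate codesake-dawn in a continous
 development workflow. Now when you install codesake-dawn you have a 'rake
 dawn' task executing the tool on the current directory.
-* In BasicCheck::is_vulnerable_version? Added support for the fourth version
+* In BasicCheck::is_vulnerable_version? added support for the fourth version
 number. We needed this to implement check for CVE-2013-7086
+* Fixing issue #20. is_vulnerable_version? has a problem when the patchlevel is
+the same but there are only three different version numbers (x.y.z format).
+The last change introduces this vuln. Thank you Florin for opening the issue.
+* Created a dedicated web site: [dawn.codesake.com](http://dawn.codesake.com)
+* Fixing issue #8. The omniauth-oauth2 version 1.1.1 has a CSRF vulnerability
+(CVE-2012-6134). The patch is already merged in the git repository but there
+are no further gem releases. The suggested mitigation is to tell your Gemfile
+to fetch the code directly from github rather then using rubygems.org
+* Fixing issue #18. Owasp RoR Cheatsheet check was missing of message and
+mitigation step.
+* Fixing issue #17 with some more directories to be in whitelist in pattern
+matching check. More exclusions will be added in further releases
+* Added spec files for almost all security checks after 2008. Almost all kind
+of checks (dependency, pattern matching, combo, ruby version) are covered by
+a test.
+* DependencyCheck assumes that if x.y.z version fixes an issue, every minor
+version in the same major are affected as well. This assumption is risky, so
+we introduced an attribute saying that the previous minor versions are
+affected or not. This attribute is automagically set to true in dependencies
+check when dealing with the rails gem. This assumption is not done for
+previous major versions. Let's say a gem version 1.2.3 has a problem,
+DependencyCheck doesn't say nothing about 0.9.3, but it thinks 1.1.9 is
+vulnerable.
 * Added a check for CVE-2004-0755
 * Added a check for CVE-2004-0983
 * Added a check for CVE-2005-1992
@@ -72,8 +95,13 @@ _latest update: Fri Jan 10 08:53:06 CET 2014_
 * Added a check for CVE-2011-3009
 * Added a check for CVE-2011-3187
 * Added a check for CVE-2011-4319
+* Added a check for CVE-2012-1098
+* Added a check for CVE-2012-2139
+* Added a check for CVE-2012-2671
+* Added a check for CVE-2013-0162
 * Added a check for CVE-2013-0256
 * Added a check for CVE-2013-0263
+* Added a check for CVE-2013-1756
 * Added a check for CVE-2013-2090
 * Added a check for CVE-2013-2119
 * Added a check for CVE-2013-5647
@@ -94,7 +122,6 @@ _latest update: Fri Jan 10 08:53:06 CET 2014_
 * Added a check for CVE-2013-6421 (sprout remote code execution)
 
 
-
 ## Version 0.80 - codename: elevator (2013-12-12)
 
 * adding test for CVE-2013-4164
@@ -109,6 +136,7 @@ _latest update: Fri Jan 10 08:53:06 CET 2014_
 * adding test for CVE-2013-6416
 * adding test for CVE-2013-6417
 
+
 ## Version 0.79.99 - codename:oddity (2013-11-14)
 
 This is the first codesake-dawn version making codesake.com web application
@@ -131,6 +159,7 @@ able to scan something. It deserves a special release.
 * Fix issue #1. You can read more about it in TODO.md
 * Added API to scan a single Gemfile.lock using -G flag
 
+
 ## Version 0.70 (2013-06-19)
 
 * adding test for CVE-2011-0447
@@ -157,6 +186,7 @@ able to scan something. It deserves a special release.
 * detect sinks for XSS in Sinatra applications
 * detect reflected XSS in Sinatra applications
 
+
 ## Version 0.60 (2013-05-28)
 
 * adding cucumber dependency
@@ -190,6 +220,7 @@ able to scan something. It deserves a special release.
 * adding a '--count-only' option
 * support JSON output
 
+
 ## Version 0.50 (2013-05-13) - First public release
 
 * adding test for CVE\_2013\_0269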
data/KnowledgeBase.md ADDED
@@ -0,0 +1,153 @@
1
+ # Codesake::Dawn Knowledge base
2
+
3
+ The knowledge base library for Codesake::Dawn version 1.0.0.rc2 contains 142 security checks.
4
+ ---
5
+ * Not revised code: Analyzing comments, it seems your code is waiting from some review from you. Please consider take action before putting it in production.
6
+ This check will analyze the source code looking for the following patterns: XXX, TO_CHECK, CHECKME, CHECK and FIXME
7
+ * Owasp Ror Cheatsheet: This Cheatsheet intends to provide quick basic Ruby on Rails security tips for developers. It complements, augments or emphasizes points brought up in the rails security guide from rails core. The Rails framework abstracts developers from quite a bit of tedious work and provides the means to accomplish complex tasks quickly and with ease. New developers, those unfamiliar with the inner-workings of Rails, likely need a basic set of guidelines to secure fundamental aspects of their application. The intended purpose of this doc is to be that guide.
8
+ * Simple Form XSS - 20131129: There is a XSS vulnerability on Simple Form's label, hint and error options. When Simple Form creates a label, hint or error message it marks the text as being HTML safe, even though it may contain HTML tags. In applications where the text of these helpers can be provided by the users, malicious values can be provided and Simple Form will mark it as safe.
9
+ * Nokogiri - Denial of service - 20131217: There is a vulnerability in Nokogiri when using JRuby where the parser can enter an infinite loop and exhaust the process memory. Nokogiri users on JRuby using the native Java extension. Attackers can send XML documents with carefully crafted documents which can cause the XML processor to enter an infinite loop, causing the server to run out of memory and crash.
10
+ * Nokogiri - Entity expasion denial of service - 20131217: There is an entity expansion vulnerability in Nokogiri when using JRuby. Nokogiri users on JRuby using the native Java extension. Attackers can send
11
+ XML documents with carefully crafted entity expansion strings which can cause the server to run out of memory and crash.
12
+ * [CVE-2004-0755](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0755): The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.
13
+ * [CVE-2004-0983](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0983): The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.
14
+ * [CVE-2005-1992](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1992): The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands.
15
+ * [CVE-2005-2337](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2337): Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).
16
+ * [CVE-2006-1931](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1931): The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data.
17
+ * [CVE-2006-2582](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2582): The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to execute arbitrary Ruby code via unknown attack vectors.
18
+ * [CVE-2006-3694](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694): Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass "safe level" checks via unspecified vectors involving (1) the alias function and (2) "directory operations".
19
+ * [CVE-2006-4112](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4112): Unspecified vulnerability in the "dependency resolution mechanism" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or "data loss," a different vulnerability than CVE-2006-4111.
20
+ * [CVE-2006-5467](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5467): The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a "-" instead of "--" and contains an inconsistent ID.
21
+ * [CVE-2006-6303](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6303): The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467.
22
+ * [CVE-2006-6852](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6852): Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.20061127 allows remote authenticated users to execute arbitrary Ruby code via unspecified vectors, possibly related to incorrect input validation by (1) conf.rhtml and (2) i.conf.rhtml. NOTE: some of these details are obtained from third party information.
23
+ * [CVE-2006-6979](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6979): The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters.
24
+ * [CVE-2007-0469](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0469): The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages.
25
+ * [CVE-2007-5162](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5162): The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site.
26
+ * [CVE-2007-5379](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5379): Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers and ActiveResource servers to determine the existence of arbitrary files and read arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim) .purple/accounts.xml file.
27
+ * [CVE-2007-5380](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5380): Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."
28
+ * [CVE-2007-5770](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5770): The (1) Net::ftptls, (2) Net::telnets, (3) Net::imap, (4) Net::pop, and (5) Net::smtp libraries in Ruby 1.8.5 and 1.8.6 do not verify that the commonName (CN) field in a server certificate matches the domain name in a request sent over SSL, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site, different components than CVE-2007-5162.
29
+ * [CVE-2007-6077](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6077): The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380. It has been reviewed in 2012 and it affects also 2.3.x, 3.0.x and 3.1.x.
30
+ * [CVE-2007-6612](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6612): Directory traversal vulnerability in DirHandler (lib/mongrel/handlers.rb) in Mongrel 1.0.4 and 1.1.x before 1.1.3 allows remote attackers to read arbitrary files via an HTTP request containing double-encoded sequences (".%252e").
31
+ * [CVE-2008-1145](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1145): Directory traversal vulnerability in WEBrick in Ruby 1.8 before 1.8.5-p115 and 1.8.6-p114, and 1.9 through 1.9.0-1, when running on systems that support backslash () path separators or case-insensitive file names, allows remote attackers to access arbitrary files via (1) "..%5c" (encoded backslash) sequences or (2) filenames that match patterns in the :NondisclosureName option.
32
+ * [CVE-2008-1891](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1891): Directory traversal vulnerability in WEBrick in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2, when using NTFS or FAT filesystems, allows remote attackers to read arbitrary CGI files via a trailing (1) + (plus), (2) %2b (encoded plus), (3) . (dot), (4) %2e (encoded dot), or (5) %20 (encoded space) character in the URI, possibly related to the WEBrick::HTTPServlet::FileHandler and WEBrick::HTTPServer.new functionality and the :DocumentRoot option.
33
+ * [CVE-2008-2376](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2376): Integer overflow in the rb_ary_fill function in array.c in Ruby before revision 17756 allows context-dependent attackers to cause a denial of service (crash) or possibly have unspecified other impact via a call to the Array#fill method with a start (aka beg) argument greater than ARY_MAX_SIZE. NOTE: this issue exists because of an incomplete fix for other closely related integer overflows.
34
+ * [CVE-2008-2662](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2662): Multiple integer overflows in the rb_str_buf_append function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors that trigger memory corruption, a different issue than CVE-2008-2663, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. This CVE description should be regarded as authoritative, although it is likely to change.
35
+ * [CVE-2008-2663](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2663): Multiple integer overflows in the rb_ary_store function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22 allow context-dependent attackers to execute arbitrary code or cause a denial of service via unknown vectors, a different issue than CVE-2008-2662, CVE-2008-2664, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
36
+ * [CVE-2008-2664](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2664): The rb_str_format function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, 1.8.7 before 1.8.7-p22, and 1.9.0 before 1.9.0-2 allows context-dependent attackers to trigger memory corruption via unspecified vectors related to alloca, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2725. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
37
+ * [CVE-2008-2725](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2725): Integer overflow in the (1) rb_ary_splice function in Ruby 1.8.4 and earlier, 1.8.5 before 1.8.5-p231, 1.8.6 before 1.8.6-p230, and 1.8.7 before 1.8.7-p22; and (2) the rb_ary_replace function in 1.6.x allows context-dependent attackers to trigger memory corruption via unspecified vectors, aka the "REALLOC_N" variant, a different issue than CVE-2008-2662, CVE-2008-2663, and CVE-2008-2664. NOTE: as of 20080624, there has been inconsistent usage of multiple CVE identifiers related to Ruby. The CVE description should be regarded as authoritative, although it is likely to change.
38
+ * [CVE-2008-3655](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3655): Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not properly restrict access to critical variables and methods at various safe levels, which allows context-dependent attackers to bypass intended access restrictions via (1) untrace_var, (2) $PROGRAM_NAME, and (3) syslog at safe level 4, and (4) insecure methods at safe levels 1 through 3.
39
+ * [CVE-2008-3657](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3657): The dl module in Ruby 1.8.5 and earlier, 1.8.6 through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 does not check "taintness" of inputs, which allows context-dependent attackers to bypass safe levels and execute dangerous functions by accessing a library using DL.dlopen.
40
+ * [CVE-2008-3790](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3790): The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an "XML entity explosion."
41
+ * [CVE-2008-3905](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3905): resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447.
42
+ * [CVE-2008-4094](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4094): Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
43
+ * [CVE-2008-4310](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4310): httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656.
44
+ * [CVE-2008-5189](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5189): CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.
45
+ * [CVE-2008-7248](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7248): Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain.
46
+ * [CVE-2009-4078](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4078): Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
47
+ * [CVE-2009-4124](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4124): Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information.
48
+ * [CVE-2009-4214](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4214): Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
49
+ * [CVE-2010-1330](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1330): The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string.
50
+ * [CVE-2010-2489](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2489): Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files
51
+ * [CVE-2010-3933](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3933): Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs.
52
+ * [CVE-2011-0188](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0188): The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an "integer truncation issue."
53
+ * [CVE-2011-0446](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0446): Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. Please note that victim must voluntarily interact with attack mechanism
54
+ * [CVE-2011-0447](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0447): Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage "combinations of browser plugins and HTTP redirects," a related issue to CVE-2011-0696.
55
+ * [CVE-2011-0739](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0739): The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.
56
+ * [CVE-2011-0995](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0995): The sqlite3-ruby gem in the rubygem-sqlite3 package before 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors.
57
+ * [CVE-2011-1004](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1004): The FileUtils.remove_entry_secure method in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, 1.8.8dev, 1.9.1 through 1.9.1-430, 1.9.2 through 1.9.2-136, and 1.9.3dev allows local users to delete arbitrary files via a symlink attack.
58
+ * [CVE-2011-1005](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1005): The safe-level feature in Ruby 1.8.6 through 1.8.6-420, 1.8.7 through 1.8.7-330, and 1.8.8dev allows context-dependent attackers to modify strings via the Exception#to_s method, as demonstrated by changing an intended pathname.
59
+ * [CVE-2011-2197](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2197): The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does not properly handle mutation of safe buffers, which makes it easier for remote attackers to conduct XSS attacks via crafted strings to an application that uses a problematic string method, as demonstrated by the sub method.
60
+ * [CVE-2011-2686](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2686): Ruby before 1.8.7-p352 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900. NOTE: this issue exists because of a regression during Ruby 1.8.6 development.
61
+ * [CVE-2011-2705](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2705): The SecureRandom.random_bytes function in lib/securerandom.rb in Ruby before 1.8.7-p352 and 1.9.x before 1.9.2-p290 relies on PID values for initialization, which makes it easier for context-dependent attackers to predict the result string by leveraging knowledge of random strings obtained in an earlier process with the same PID.
62
+ * [CVE-2011-2929](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2929): The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly handle glob characters, which allows remote attackers to render arbitrary views via a crafted URL, related to a "filter skipping vulnerability."
63
+ * [CVE-2011-2930](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2930): Multiple SQL injection vulnerabilities in the quote_table_name method in the ActiveRecord adapters in activerecord/lib/active_record/connection_adapters/ in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow remote attackers to execute arbitrary SQL commands via a crafted column name.
64
+ * [CVE-2011-2931](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2931): Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a tag with an invalid name.
65
+ * [CVE-2011-2932](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2932): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability."
66
+ * [CVE-2011-3009](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3009): Ruby before 1.8.6-p114 does not reset the random seed upon forking, which makes it easier for context-dependent attackers to predict the values of random numbers by leveraging knowledge of the number sequence obtained in a different child process, a related issue to CVE-2003-0900.
67
+ * [CVE-2011-3186](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3186): CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.
68
+ * [CVE-2011-3187](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3187): The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header in requests from IP addresses on a Class C network, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
69
+ * [CVE-2011-4319](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4319): Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote attackers to inject arbitrary web script or HTML via vectors related to a translations string whose name ends with an "html" substring.
70
+ * [CVE-2011-4815](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4815): Ruby (aka CRuby) before 1.8.7-p357 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
71
+ * [CVE-2012-1098](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1098): Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated through certain methods.
72
+ * [CVE-2012-1099](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1099): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML via vectors involving certain generation of OPTION elements within SELECT elements.
73
+ * [CVE-2012-1241](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1241): GRScript18.dll before 1.2.2.0 in ActiveScriptRuby (ASR) before 1.8.7 does not properly restrict interaction with an Internet Explorer ActiveX environment, which allows remote attackers to execute arbitrary Ruby code via a crafted HTML document.
74
+ * [CVE-2012-2139](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2139): Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
75
+ * [CVE-2012-2140](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2140): The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
76
+ * [CVE-2012-2660](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2694.
77
+ * [CVE-2012-2661](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2661): The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.
78
+ * [CVE-2012-2671](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2671): The Rack::Cache rubygem 0.3.0 through 1.1 caches Set-Cookie and other sensitive headers, which allows attackers to obtain sensitive cookie information, hijack web sessions, or have other unspecified impact by accessing the cache.
79
+ * [CVE-2012-2694](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2694): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly consider differences in parameter handling between the Active Record component and the Rack interface, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks via a crafted request, as demonstrated by certain "['xyz', nil]" values, a related issue to CVE-2012-2660.
80
+ * [CVE-2012-2695](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695): The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.
81
+ * [CVE-2012-3424](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3424): The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
82
+ * [CVE-2012-3463](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3463): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper.
83
+ * [CVE-2012-3464](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3464): Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character.
84
+ * [CVE-2012-3465](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3465): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup.
85
+ * [CVE-2012-4464](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4464): Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression.
86
+ * [CVE-2012-4466](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4466): Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005.
87
+ * [CVE-2012-4481](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4481): The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005.
88
+ * [CVE-2012-4522](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4522): The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path.
89
+ * [CVE-2012-5370](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5370): JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838.
90
+ * [CVE-2012-5371](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5371): Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815.
91
+ * [CVE-2012-5380](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5380): ** DISPUTED ** Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C: directory, might allow local users to gain privileges via a Trojan horse DLL in the C:Ruby193in directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the "IKE and AuthIP IPsec Keying Modules" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the Ruby installation.
92
+ * [CVE-2012-6134](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6134): Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state.
93
+ * [CVE-2012-6496](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6496): SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls.
94
+ * [CVE-2012-6497](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6497): The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product.
95
+ * [CVE-2013-0155](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0155): Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" values, a related issue to CVE-2012-2660 and CVE-2012-2694.
96
+ * [CVE-2013-0156](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0156): active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
97
+ * [CVE-2013-0162](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0162): The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.
98
+ * [CVE-2013-0175](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0175): multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
99
+ * [CVE-2013-0233](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0233): Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts.
100
+ * [CVE-2013-0256](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0256): darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.
101
+ * [CVE-2013-0263](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263): Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
102
+ * [CVE-2013-0269](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0269): The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe Object Creation Vulnerability."
103
+ * [CVE-2013-0276](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0276): ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request.
104
+ * [CVE-2013-0277](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0277): ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML.
105
+ * [CVE-2013-0284](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0284): Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data.
106
+ * [CVE-2013-0285](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0285): The nori gem 2.0.x before 2.0.2, 1.1.x before 1.1.4, and 1.0.x before 1.0.3 for Ruby does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
107
+ * [CVE-2013-0333](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0333): lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data for processing by a YAML parser, which allows remote attackers to execute arbitrary code, conduct SQL injection attacks, or bypass authentication via crafted data that triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
108
+ * [CVE-2013-1655](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1655): Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when
109
+ running Ruby 1.9.3 or later, allows remote attackers to execute
110
+ arbitrary code via vectors related to "serialized attributes."
111
+ * [CVE-2013-1656](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1656): Spree Commerce 1.0.x through 1.3.2 allow remote authenticated administrators to instantiate arbitrary Ruby objects and execute arbitrary commands via the (1) payment_method parameter to core/app/controllers/spree/admin/payment_methods_controller.rb; and the (2) promotion_action parameter to promotion_actions_controller.rb, (3) promotion_rule parameter to promotion_rules_controller.rb, and (4) calculator_type parameter to promotions_controller.rb in promo/app/controllers/spree/admin/, related to unsafe use of the constantize function.
112
+ * [CVE-2013-1756](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1756): Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing of a specially crafted request. This may allow a remote attacker to execute arbitrary code.
113
+ * [CVE-2013-1800](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1800): The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
114
+ * [CVE-2013-1801](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1801): The httparty gem 0.9.0 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for YAML type conversion, a similar vulnerability to CVE-2013-0156.
115
+ * [CVE-2013-1802](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1802): The extlib gem 0.9.15 and earlier for Ruby does not properly restrict casts of string values, which might allow remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156.
116
+ * [CVE-2013-1812](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1812): The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML Entity Expansion (XEE) attack.
117
+ * [CVE-2013-1821](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1821): lib/rexml/text.rb in the REXML parser in Ruby before 1.9.3-p392 and 2.0.0-p0 allows remote attackers to cause a denial of service (memory consumption and crash) via crafted text nodes in an XML document, aka an XML Entity Expansion (XEE) attack.
118
+ * [CVE-2013-1854](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1854): The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash keys to symbols, which allows remote attackers to cause a denial of service via crafted input to a where method.
119
+ * [CVE-2013-1855](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1855): The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via crafted Cascading Style Sheets (CSS) token sequences.
120
+ * [CVE-2013-1856](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1856): The ActiveSupport::XmlMini_JDOM backend in lib/active_support/xml_mini/jdom.rb in the Active Support component in Ruby on Rails 3.0.x and 3.1.x before 3.1.12 and 3.2.x before 3.2.13, when JRuby is used, does not properly restrict the capabilities of the XML parser, which allows remote attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving (1) an external DTD or (2) an external entity declaration in conjunction with an entity reference.
121
+ * [CVE-2013-1857](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1857): The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence.
122
+ * [CVE-2013-1875](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1875): command_wrap.rb in the command_wrap Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL or filename.
123
+ * [CVE-2013-1898](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1898): lib/thumbshooter.rb in the Thumbshooter 0.1.5 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
124
+ * [CVE-2013-1911](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1911): lib/ldoce/word.rb in the ldoce 0.0.2 gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in (1) an mp3 URL or (2) file name.
125
+ * [CVE-2013-1933](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1933): The extract_from_ocr function in lib/docsplit/text_extractor.rb in the Karteek Docsplit (karteek-docsplit) gem 0.5.4 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a PDF filename.
126
+ * [CVE-2013-1947](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1947): kelredd-pruview gem 0.3.8 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename argument to (1) document.rb, (2) video.rb, or (3) video_image.rb.
127
+ * [CVE-2013-1948](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1948): converter.rb in the md2pdf gem 0.0.1 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a filename.
128
+ * [CVE-2013-2065](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2065): Native functions exposed to Ruby with DL or Fiddle do not check the taint values set on the objects passed in. This can result in tainted objects being accepted as input when a SecurityError exception should be raised.
129
+ * [CVE-2013-2090](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2090): Ruby Gem Creme Fraiche version 0.6 suffers from a remote command injection vulnerability due to unsanitized input.
130
+ * [CVE-2013-2119](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2119): Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows local users to cause a denial of service (prevent application start) or gain privileges by pre-creating a temporary "config" file in a directory with a predictable name in /tmp/ before it is used by the gem.
131
+ * [CVE-2013-2615](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2615): lib/entry_controller.rb in the fastreader Gem 1.0.8 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
132
+ * [CVE-2013-2616](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2616): lib/mini_magick.rb in the MiniMagick Gem 1.3.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
133
+ * [CVE-2013-2617](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2617): lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.
134
+ * [CVE-2013-3221](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3221): The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x, and 3.2.x does not ensure that the declared data type of a database column is used during comparisons of input values to stored values in that column, which makes it easier for remote attackers to conduct data-type injection attacks against Ruby on Rails applications via a crafted value, as demonstrated by unintended interaction between the "typed XML" feature and a MySQL database.
135
+ * [CVE-2013-4164](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4164): Any time a string is converted to a floating point value, a specially crafted string can cause a heap overflow. This can lead to a denial of service attack via segmentation faults and possibly arbitrary code execution. Any program that converts input of unknown origin to floating point values (especially common when accepting JSON) are vulnerable.
136
+ * [CVE-2013-4389](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389): Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
137
+ * [CVE-2013-4457](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4457): The Cocaine gem 0.4.0 through 0.5.2 for Ruby allows context-dependent attackers to execute arbitrary commands via a crafted has object, related to recursive variable interpolation.
138
+ * [CVE-2013-4478](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4478): Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of an email attachment.
139
+ * [CVE-2013-4479](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4479): lib/sup/message_chunks.rb in Sup before 0.13.2.1 and 0.14.x before 0.14.1.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the content_type of an email attachment.
140
+ * [CVE-2013-4491](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
141
+ * [CVE-2013-4492](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4492): Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call.
142
+ * [CVE-2013-4562](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4562): Because of the way that omniauth-facebook supports setting a per-request state parameter by storing it in the session, it is possible to circumvent the automatic CSRF protection. Therefore the CSRF added in 1.4.1 should be considered broken. If you are currently providing a custom state, you will need to store and retrieve this yourself (for example, by using the session store) to use 1.5.0.
143
+ * [CVE-2013-5647](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5647): lib/sounder/sound.rb in the sounder gem 1.0.1 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a filename.
144
+ * [CVE-2013-6414](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414): actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.
145
+ * [CVE-2013-6415](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415): Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the unit parameter.
146
+ * [CVE-2013-6416](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6416): Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted HTML attribute.
147
+ * [CVE-2013-6417](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
148
+ * [CVE-2013-6421](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6421): The unpack_zip function in archive_unpacker.rb in the sprout gem 0.7.246 for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a (1) filename or (2) path.
149
+ * [CVE-2013-6459](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6459): Cross-site scripting (XSS) vulnerability in the will_paginate gem before 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors involving generated pagination links.
150
+ * [CVE-2013-7086](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7086): The message function in lib/webbynode/notify.rb in the Webbynode gem 1.0.5.3 and earlier for Ruby allows context-dependent attackers to execute arbitrary commands via shell metacharacters in a growlnotify message.
151
+
152
+
153
+ _Last updated: Thu 16 Jan 08:38:28 CET 2014_
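--- a/data/README.md
+++ b/data/README.md
@@ -20,17 +20,29 @@ MVC (Model View Controller) frameworks, like:
 
 ---
 
-Codesake::Dawn version 1.0 has 131 security checks loaded in its knowledge
+Codesake::Dawn version 1.0 has 142 security checks loaded in its knowledge
 base. Most of them are CVE bulletins, that applies to gems, framework or the
 ruby interpreter itself.
 
-You candump all security checks in the knowledge base by using the -k
+You can dump all security checks in the knowledge base by using the -k
 flag:
 
 ```
 $ dawn -k|--list-knowledge-base
 ```
 
+Useful in scripts, you can even supply a parameter to ```-k``` flag to check if
+a security control has been implemented or not.
+
+```
+$ dawn -k CVE-2013-6421
+07:59:30 [*] dawn v1.0.0 is starting up
+CVE-2013-6421 found in knowledgebase.
+
+$ dawn -k this_test_does_not_exist
+08:02:17 [*] dawn v1.0.0 is starting up
+this_test_does_not_exist not found in knowledgebase
+```
 
 When you run Codesake::Dawn on your code it parses your project Gemfile.lock
 looking for the gems used and it tries to detect the ruby interpreter version
@@ -52,10 +64,16 @@ application.
 
 ## Installation
 
-You can install dawn, directly using [Rubygems](https://rubygems.org) by typing:
+You can install latest Codesake::Dawn version, using [Rubygems](https://rubygems.org) by typing:
 
 gem install codesake-dawn
 
+In order to install a release candidate version, the gem install command line is the following:
+
+```
+$ gem install codesake-dawn --pre
+```
+
 If you want to add dawn to your project Gemfile, you must add the following:
 
 group :development do
@@ -79,10 +97,10 @@ that.
 
 ## Usage
 
-You can start your code review with dawn very easily. Simply tell the tool
+You can start your code review with Codesake::Dawn very easily. Simply tell the tool
 where the project root directory.
 
-Underlying MVC framework is autodetected by dawn using target Gemfile.lock
+Underlying MVC framework is autodetected by Codesake::Dawn using target Gemfile.lock
 file. If autodetect fails for some reason, the tool will complain about it and
 you have to specify if it's a rails, sinatra or padrino web application by
 hand.
@@ -98,7 +116,7 @@ In case of need, there is a quick command line option reference running ```dawn
 
 ```
 $ bundle exec dawn -h
-08:05:21 [*] dawn v1.0.0.rc1 is starting up
+08:05:21 [*] dawn v1.0.0 is starting up
 Usage: dawn [options] target_directory
 
 
@@ -123,7 +141,7 @@ $ dawn -C --output json a_sinatra_webapp_directory
 
 ### Codesake::Dawn security scan in action
 
-As output, dawn will put all security checks that are failed during the scan.
+As output, Codesake::Dawn will put all security checks that are failed during the scan.
 
 This the result of Codedake::Dawn running against a
 [Sinatra 1.4.2 web application](https://github.com/thesp0nge/railsberry2013) wrote for a talk I
@@ -136,7 +154,7 @@ Rails) and it applies them.
 
 ```
 $ bundle exec dawn ~/src/hacking/railsberry2013
-08:09:47 [*] dawn v1.0.0.rc1 is starting up
+08:09:47 [*] dawn v1.0.0 is starting up
 08:09:47 [$] dawn: scanning /Users/thesp0nge/src/hacking/railsberry2013
 08:09:47 [$] dawn: sinatra v1.4.2 detected
 08:09:47 [$] dawn: applying all security checks
@@ -161,7 +179,7 @@ scorecard quiz game about application security](http://scorecard.armoredcode.com
 Italian language only. Sorry.
 
 ```
-08:17:09 [*] dawn v1.0.0.rc1 is starting up
+08:17:09 [*] dawn v1.0.0 is starting up
 08:17:09 [$] dawn: scanning /Users/thesp0nge/src/CORE_PROJECTS/scorecard
 08:17:09 [$] dawn: padrino v0.11.2 detected
 08:17:09 [$] dawn: applying all security checks
@@ -177,7 +195,7 @@ designed to be buggy:
 
 ```
 $ dawn target
-08:28:18 [*] dawn v1.0.0.rc1 is starting up
+08:28:18 [*] dawn v1.0.0 is starting up
 08:28:18 [$] dawn: scanning /Users/thesp0nge/tmp/sinatra-vulnerable
 08:28:18 [$] dawn: sinatra v1.2.6 detected
 08:28:18 [$] dawn: applying all security checks
@@ -219,10 +237,11 @@ Twitter progile: [@dawnscanner](https://twitter.com/dawnscanner)
 
 Github repository: [https://github.com/codesake/codesake\-dawn](https://github.com/codesake/codesake-dawn)
 
+The list of knowledge base content: [http://dawn.codesake.com/knowledge-base](http://dawn.codesake.com/knowledge-base)
+
 ## Supporters
 
-To me as project leader it's very important to have feedbacks. I really want to
-ear your voice.
+To me as project leader it's very important to have feedbacks.
 
 If you're a proud codesake-dawn user, if you find it useful, if you integrated
 it in your release process and if you want to openly support the project you
@@ -232,7 +251,11 @@ You can support the project by forking the repo, adding a success story, a
 statement saying how do you feel the tool or your company logo as well and then
 submitting a pull request.
 
-Thank you for your support.
+More easily you can drop an email to [me](mailto:thesp0nge@gmail.com) sending a
+statement about your success story and I'll put on the
+[website](http://dawn.codesake.com/success-stories).
+
+Thank you.
 
 ## Thanks to
 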
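--- a/data/Rakefile
+++ b/data/Rakefile
@@ -19,7 +19,7 @@ RSpec::Core::RakeTask.new do |t|
 end
 
 
-task :default => [ :spec, :features ]
+task :default => [ :spec, :features, :kb ]
 task :test => :spec
 
 desc "Create a new CVE test"
@@ -67,7 +67,7 @@ task :cve, :name do |t,args|
 file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
-file.puts "\tit \"needs some test...\""
+file.puts "\tit \"is reported when...\""
 file.puts "end"
 end
 puts "#{spec_filename} created"
@@ -130,7 +130,7 @@ task :check, :name do |t,args|
 file.puts "\t\t@check = Codesake::Dawn::Kb::#{class_name}.new"
 file.puts "\t\t# @check.debug = true"
 file.puts "\tend"
-file.puts "\tit \"needs some test...\""
+file.puts "\tit \"is reported when...\""
 file.puts "end"
 end
 puts "#{spec_filename} created"
@@ -147,3 +147,21 @@ task :check, :name do |t,args|
 
 
 end
+
+desc 'Creates a KnowledgeBase.md file'
+task :kb do
+checks = Codesake::Dawn::KnowledgeBase.new.all
+open("KnowledgeBase.md", "w") do |file|
+file.puts "# Codesake::Dawn Knowledge base"
+file.puts "\nThe knowledge base library for Codesake::Dawn version #{Codesake::Dawn::VERSION} contains #{checks.count} security checks."
+file.puts "---"
+checks.each do |c|
+file.puts "* [#{c.name}](#{c.cve_link}): #{c.message}" if c.name.start_with?('CVE')
+file.puts "* #{c.name}: #{c.message}" unless c.name.start_with?('CVE')
+end
+
+file.puts "\n\n_Last updated: #{Time.now.strftime("%a %d %b %T %Z %Y")}_"
+end
+puts "KnowledgeBase.md file successfully generated"
+
+end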
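Review bot: The new `:kb` task writes the report through `Kernel#open`, which interprets an argument beginning with `|` as a command to spawn; the path is a literal here so nothing is exposed, but `File.open("KnowledgeBase.md", "w") do |file|` states the intent and stays safe if the path is later taken from a task argument. The pair `file.puts "* [...]" if c.name.start_with?('CVE')` / `file.puts "* ..." unless c.name.start_with?('CVE')` evaluates the same predicate twice and reads better as one `if`/`else`. Adding `:kb` to `task :default` in the first hunk means every plain `rake` run rewrites KnowledgeBase.md with a fresh `_Last updated:` stamp, so the committed file churns even when no check changed; dropping `:kb` from `:default` or omitting the timestamp avoids that. The task also assumes `Codesake::Dawn::KnowledgeBase` and `Codesake::Dawn::VERSION` are already required earlier in the Rakefile, which is outside this hunk.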