dawnscanner 1.2.99
- checksums.yaml +7 -0
- checksums.yaml.gz.sig +4 -0
- data.tar.gz.sig +0 -0
- data/.gitignore +19 -0
- data/.ruby-gemset +1 -0
- data/.ruby-version +1 -0
- data/.travis.yml +8 -0
- data/Changelog.md +412 -0
- data/Gemfile +4 -0
- data/KnowledgeBase.md +213 -0
- data/LICENSE.txt +22 -0
- data/README.md +354 -0
- data/Rakefile +250 -0
- data/Roadmap.md +59 -0
- data/bin/dawn +210 -0
- data/certs/paolo_at_codesake_dot_com.pem +21 -0
- data/checksum/.placeholder +0 -0
- data/checksum/codesake-dawn-1.1.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.0.rc1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.1.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.2.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.1.3.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.0.gem.sha512 +1 -0
- data/checksum/codesake-dawn-1.2.99.gem.sha512 +1 -0
- data/dawnscanner.gemspec +43 -0
- data/doc/codesake-dawn.yaml.sample +26 -0
- data/doc/dawn_1_0_announcement.md +139 -0
- data/doc/dawn_1_1_announcement.md +67 -0
- data/doc/dawn_1_2_announcement.md +69 -0
- data/features/dawn_complains_about_an_incorrect_command_line.feature.disabled +21 -0
- data/features/dawn_scan_a_secure_sinatra_app.feature.disabled +31 -0
- data/features/dawn_scan_a_vulnerable_sinatra_app.feature.disabled +36 -0
- data/features/step_definition/dawn_steps.rb +19 -0
- data/features/support/env.rb +1 -0
- data/lib/codesake-dawn.rb +12 -0
- data/lib/codesake/dawn/core.rb +175 -0
- data/lib/codesake/dawn/engine.rb +380 -0
- data/lib/codesake/dawn/gemfile_lock.rb +12 -0
- data/lib/codesake/dawn/kb/basic_check.rb +228 -0
- data/lib/codesake/dawn/kb/combo_check.rb +64 -0
- data/lib/codesake/dawn/kb/cve_2004_0755.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2004_0983.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_1992.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2005_2337.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_1931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2006_2582.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_3694.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2006_4112.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_5467.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6303.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2006_6852.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2006_6979.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_0469.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2007_5379.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5380.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2007_5770.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2007_6077.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2007_6612.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2008_1145.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_1891.rb +40 -0
- data/lib/codesake/dawn/kb/cve_2008_2376.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_2662.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2663.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2008_2664.rb +35 -0
- data/lib/codesake/dawn/kb/cve_2008_2725.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2008_3655.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3657.rb +39 -0
- data/lib/codesake/dawn/kb/cve_2008_3790.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2008_3905.rb +38 -0
- data/lib/codesake/dawn/kb/cve_2008_4094.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_4310.rb +103 -0
- data/lib/codesake/dawn/kb/cve_2008_5189.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2008_7248.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2009_4078.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2009_4124.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2009_4214.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2010_1330.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2010_2489.rb +62 -0
- data/lib/codesake/dawn/kb/cve_2010_3933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_0188.rb +69 -0
- data/lib/codesake/dawn/kb/cve_2011_0446.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0447.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0739.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_0995.rb +63 -0
- data/lib/codesake/dawn/kb/cve_2011_1004.rb +36 -0
- data/lib/codesake/dawn/kb/cve_2011_1005.rb +33 -0
- data/lib/codesake/dawn/kb/cve_2011_2197.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2686.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_2705.rb +34 -0
- data/lib/codesake/dawn/kb/cve_2011_2929.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_2930.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_2931.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2011_2932.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2011_3009.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_3186.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_3187.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4319.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2011_4815.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2011_5036.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_1098.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_1099.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_1241.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2139.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_2140.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2660.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2661.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_2671.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_2694.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2012_2695.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3424.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2012_3463.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_3465.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4464.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4466.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_4481.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2012_4522.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5370.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5371.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_5380.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6109.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2012_6134.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2012_6496.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2012_6497.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0155.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_0156.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0162.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0175.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0183.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0184.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0233.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0256.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2013_0262.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0263.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_0269.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0276.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_0277.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_0284.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0285.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_0333.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1607.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1655.rb +67 -0
- data/lib/codesake/dawn/kb/cve_2013_1656.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1756.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1800.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1801.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1802.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1812.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1821.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1854.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1855.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_1856.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_1857.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1875.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1898.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1911.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_1933.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1947.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_1948.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2065.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_2090.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_2105.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2119.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2512.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2513.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_2516.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_2615.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2616.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_2617.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_3221.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4164.rb +32 -0
- data/lib/codesake/dawn/kb/cve_2013_4203.rb +27 -0
- data/lib/codesake/dawn/kb/cve_2013_4389.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4413.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4457.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4478.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4479.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_4489.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4491.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_4492.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_4562.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_4593.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2013_5647.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_5671.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2013_6414.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6415.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6416.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6417.rb +31 -0
- data/lib/codesake/dawn/kb/cve_2013_6421.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6459.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2013_6460.rb +55 -0
- data/lib/codesake/dawn/kb/cve_2013_6461.rb +59 -0
- data/lib/codesake/dawn/kb/cve_2013_7086.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0036.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0080.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_0081.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_0082.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_0130.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_1233.rb +29 -0
- data/lib/codesake/dawn/kb/cve_2014_1234.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_2322.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_2525.rb +61 -0
- data/lib/codesake/dawn/kb/cve_2014_2538.rb +28 -0
- data/lib/codesake/dawn/kb/cve_2014_3482.rb +30 -0
- data/lib/codesake/dawn/kb/cve_2014_3483.rb +29 -0
- data/lib/codesake/dawn/kb/dependency_check.rb +86 -0
- data/lib/codesake/dawn/kb/deprecation_check.rb +40 -0
- data/lib/codesake/dawn/kb/not_revised_code.rb +24 -0
- data/lib/codesake/dawn/kb/operating_system_check.rb +98 -0
- data/lib/codesake/dawn/kb/osvdb_105971.rb +31 -0
- data/lib/codesake/dawn/kb/osvdb_108530.rb +29 -0
- data/lib/codesake/dawn/kb/osvdb_108563.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108569.rb +30 -0
- data/lib/codesake/dawn/kb/osvdb_108570.rb +29 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet.rb +41 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +22 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +59 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +30 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/csrf.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +35 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +38 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +31 -0
- data/lib/codesake/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +33 -0
- data/lib/codesake/dawn/kb/pattern_match_check.rb +129 -0
- data/lib/codesake/dawn/kb/ruby_version_check.rb +91 -0
- data/lib/codesake/dawn/kb/simpleform_xss_20131129.rb +30 -0
- data/lib/codesake/dawn/kb/version_check.rb +418 -0
- data/lib/codesake/dawn/knowledge_base.rb +513 -0
- data/lib/codesake/dawn/padrino.rb +82 -0
- data/lib/codesake/dawn/rails.rb +17 -0
- data/lib/codesake/dawn/railtie.rb +9 -0
- data/lib/codesake/dawn/reporter.rb +280 -0
- data/lib/codesake/dawn/sinatra.rb +129 -0
- data/lib/codesake/dawn/tasks.rb +27 -0
- data/lib/codesake/dawn/utils.rb +21 -0
- data/lib/codesake/dawn/version.rb +28 -0
- data/lib/tasks/codesake-dawn_tasks.rake +1 -0
- data/spec/lib/dawn/codesake_core_spec.rb +9 -0
- data/spec/lib/dawn/codesake_knowledgebase_spec.rb +940 -0
- data/spec/lib/dawn/codesake_padrino_engine_disabled.rb +45 -0
- data/spec/lib/dawn/codesake_rails_engine_disabled.rb +12 -0
- data/spec/lib/dawn/codesake_sinatra_engine_disabled.rb +128 -0
- data/spec/lib/kb/codesake_cve_2013_0175_spec.rb +35 -0
- data/spec/lib/kb/codesake_cve_2013_4457_spec.rb +41 -0
- data/spec/lib/kb/codesake_dependency_version_check_spec.rb +76 -0
- data/spec/lib/kb/codesake_deprecation_check_spec.rb +56 -0
- data/spec/lib/kb/codesake_ruby_version_check_spec.rb +40 -0
- data/spec/lib/kb/codesake_version_check_spec.rb +165 -0
- data/spec/lib/kb/cve_2011_2705_spec.rb +35 -0
- data/spec/lib/kb/cve_2011_2930_spec.rb +31 -0
- data/spec/lib/kb/cve_2011_3009_spec.rb +25 -0
- data/spec/lib/kb/cve_2011_3187_spec.rb +24 -0
- data/spec/lib/kb/cve_2011_4319_spec.rb +44 -0
- data/spec/lib/kb/cve_2011_5036_spec.rb +95 -0
- data/spec/lib/kb/cve_2012_1098_spec.rb +36 -0
- data/spec/lib/kb/cve_2012_2139_spec.rb +20 -0
- data/spec/lib/kb/cve_2012_2671_spec.rb +23 -0
- data/spec/lib/kb/cve_2012_6109_spec.rb +112 -0
- data/spec/lib/kb/cve_2013_0162_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_0183_spec.rb +54 -0
- data/spec/lib/kb/cve_2013_0184_spec.rb +115 -0
- data/spec/lib/kb/cve_2013_0256_spec.rb +34 -0
- data/spec/lib/kb/cve_2013_0262_spec.rb +44 -0
- data/spec/lib/kb/cve_2013_0263_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_1607_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_1655_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_1756_spec.rb +23 -0
- data/spec/lib/kb/cve_2013_2090_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2105_spec.rb +11 -0
- data/spec/lib/kb/cve_2013_2119_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_2512_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2513_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_2516_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4203_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_4413_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_4489_spec.rb +63 -0
- data/spec/lib/kb/cve_2013_4593_spec.rb +16 -0
- data/spec/lib/kb/cve_2013_5647_spec.rb +19 -0
- data/spec/lib/kb/cve_2013_5671_spec.rb +27 -0
- data/spec/lib/kb/cve_2013_6416_spec.rb +31 -0
- data/spec/lib/kb/cve_2013_6459_spec.rb +15 -0
- data/spec/lib/kb/cve_2013_7086_spec.rb +22 -0
- data/spec/lib/kb/cve_2014_0036_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_0080_spec.rb +28 -0
- data/spec/lib/kb/cve_2014_0081_spec.rb +68 -0
- data/spec/lib/kb/cve_2014_0082_spec.rb +52 -0
- data/spec/lib/kb/cve_2014_0130_spec.rb +19 -0
- data/spec/lib/kb/cve_2014_1233_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_1234_spec.rb +16 -0
- data/spec/lib/kb/cve_2014_2322_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_2538_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3482_spec.rb +15 -0
- data/spec/lib/kb/cve_2014_3483_spec.rb +23 -0
- data/spec/lib/kb/osvdb_105971_spec.rb +15 -0
- data/spec/lib/kb/osvdb_108530_spec.rb +22 -0
- data/spec/lib/kb/osvdb_108563_spec.rb +18 -0
- data/spec/lib/kb/osvdb_108569_spec.rb +17 -0
- data/spec/lib/kb/osvdb_108570_spec.rb +17 -0
- data/spec/lib/kb/owasp_ror_cheatsheet_disabled.rb +56 -0
- data/spec/spec_helper.rb +11 -0
- data/support/bootstrap.js +2027 -0
- data/support/bootstrap.min.css +9 -0
- data/support/codesake.css +63 -0
- metadata +659 -0
- metadata.gz.sig +0 -0
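--- a/data/lib/codesake/dawn/kb/cve_2008_5189.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_5189.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_5189
+include DependencyCheck
+
+def initialize
+message = "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function."
+super({
+:name=>"CVE-2008-5189",
+:cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2008, 11, 21),
+:cwe=>"352",
+:owasp=>"A8",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.0.5 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.0.5', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
+
+end
+end
+end
+end
+end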
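Review bot: The `safe_dependencies` list in `initialize` mixes the real fix release `'2.0.5'` with placeholder entries such as `'1.9.999'` and `'0.999.999'`, and nothing in the file says what those entries mean. How they are compared is decided in DependencyCheck, which is outside this section, so a comment above the assignment stating the intent, for example `# x.y.999 entries are branch placeholders, not real releases`, would keep a later editor from "correcting" them. The same undocumented convention appears in cve_2009_4078.rb, cve_2009_4214.rb, cve_2011_0447.rb (which uses `.9999`) and cve_2011_0739.rb (`'1.99.99'`). Separately, `:cwe=>"352"` is the CSRF class while the message describes CRLF injection and response splitting, so the id is worth confirming against the upstream record.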
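--- a/data/lib/codesake/dawn/kb/cve_2008_7248.rb
+++ b/data/lib/codesake/dawn/kb/cve_2008_7248.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2008_7248
+include DependencyCheck
+
+def initialize
+message = "Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain."
+super({
+:name=>"CVE-2008-7248",
+:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2009, 12, 16),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.1.3 or 2.2.2 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.1.3', '2.2.2']}]
+
+end
+end
+end
+end
+end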
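--- a/data/lib/codesake/dawn/kb/cve_2009_4078.rb
+++ b/data/lib/codesake/dawn/kb/cve_2009_4078.rb
@@ -0,0 +1,31 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2009_4078
+include DependencyCheck
+
+def initialize
+message = "Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
+super({
+:name=>"CVE-2009-4078",
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2009, 11, 25),
+:cwe=>"79",
+:owasp=>"A3",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade redmine version at least to 0.8.6 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://www.redmine.org/wiki/redmine/Changelog#v086-2009-11-04"]
+})
+
+self.safe_dependencies = [
+{:name=>"redmine", :version=>['0.8.5', '0.7.999', '0.6.999', '0.5.999', '0.4.999', '0.3.999', '0.2.999', '0.1.999']}
+]
+
+end
+end
+end
+end
+end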
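Review bot: `safe_dependencies` lists `'0.8.5'` as the first redmine entry, but the message says 0.8.5 and earlier are affected and the mitigation text names 0.8.6 as the fix. If DependencyCheck (not visible here) treats the listed versions as safe, a Redmine 0.8.5 install passes this check; the first entry should be `'0.8.6'`, with the remaining placeholder entries unchanged. The mitigation string also ends with "latest stable rails version", which looks copied from a Rails check and should name redmine.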
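--- a/data/lib/codesake/dawn/kb/cve_2009_4124.rb
+++ b/data/lib/codesake/dawn/kb/cve_2009_4124.rb
@@ -0,0 +1,32 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2009_4124
+include RubyVersionCheck
+
+def initialize
+message = "Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information."
+super({
+:name=>"CVE-2009-4124",
+:cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
+:release_date => Date.new(2009, 12, 11),
+:cwe=>"119",
+:owasp=>"A9",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+:message=>message,
+:mitigation=>"Upgrade your ruby interpreter",
+:aux_links=>["http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/"]
+})
+
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p376"},
+]
+
+
+end
+end
+end
+end
+end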
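Review bot: The `:mitigation` text says only "Upgrade your ruby interpreter" and gives no target, although the message and `safe_rubies` both identify 1.9.1-p376 as the fixed build. Someone reading a scan report gets more from `:mitigation=>"Upgrade your ruby interpreter to 1.9.1-p376 or later",`. `safe_rubies` carries a single 1.9.1 entry, so how other interpreter branches are judged depends on RubyVersionCheck, which is outside this section.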
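--- a/data/lib/codesake/dawn/kb/cve_2009_4214.rb
+++ b/data/lib/codesake/dawn/kb/cve_2009_4214.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2009_4214
+include DependencyCheck
+
+def initialize
+message = "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
+super({
+:name=>"CVE-2009-4214",
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2009, 12, 7),
+:cwe=>"79",
+:owasp=>"A3",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.3.5 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.3.5', '2.2.999', '2.1.999', '1.999.999', '0.999.999']}]
+
+end
+end
+end
+end
+end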
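Review bot: The `message` string in `initialize` contains a doubled word, "before before 2.3.5", and the same string is passed on as the check's `:message`, so it is presumably what a scan report prints. The phrase should read `in Ruby on Rails before 2.3.5, allows remote attackers`, with the rest of the text unchanged.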
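--- a/data/lib/codesake/dawn/kb/cve_2010_1330.rb
+++ b/data/lib/codesake/dawn/kb/cve_2010_1330.rb
@@ -0,0 +1,30 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-07-09
+class CVE_2010_1330
+include RubyVersionCheck
+
+def initialize
+message="The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
+super({
+:name=>"CVE-2010-1330",
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2012, 11, 23),
+:cwe=>"79",
+:owasp=>"A3",
+:applies=>["rails", "sinatra", "padrino"],
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+:message=>message,
+:mitigation=>"Upgrade your jruby interpreter",
+:aux_links=>["http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"]
+})
+
+self.safe_rubies = [{:engine=>"jruby", :version=>"1.4.2", :patchlevel=>"p0"}]
+
+
+end
+end
+end
+end
+end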
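Review bot: `safe_rubies` names JRuby `1.4.2` as the safe version, while the message puts the fix in 1.4.1 and the aux link's path also refers to 1.4.1. If RubyVersionCheck (outside this section) treats the listed version as the minimum safe release, a patched 1.4.1 interpreter is still reported as vulnerable; in that case the line should be `self.safe_rubies = [{:engine=>"jruby", :version=>"1.4.1", :patchlevel=>"p0"}]`. As far as this file shows, `:patchlevel=>"p0"` is a placeholder for JRuby, and a short comment saying so would help the next editor.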
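--- a/data/lib/codesake/dawn/kb/cve_2010_2489.rb
+++ b/data/lib/codesake/dawn/kb/cve_2010_2489.rb
@@ -0,0 +1,62 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-09
+class CVE_2010_2489_a
+include RubyVersionCheck
+
+def initialize
+message = "CVE_2010_2489_a: ruby 1.9.2-p429 has problems"
+super({
+:name=>"CVE_2010_2489_a",
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+})
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p430"},
+{:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p999"}
+]
+end
+end
+
+class CVE_2010_2489_b
+include OperatingSystemCheck
+def initialize
+message = "CVE_2010_2489_a: Only on Windows"
+super({
+:name=>"CVE_2010_2489_ab",
+:kind=>Codesake::Dawn::KnowledgeBase::OS_CHECK,
+})
+
+self.safe_os = [
+{:family=>"windows", :vendor=>"microsoft", :version=>['none']}
+]
+
+end
+
+end
+
+class CVE_2010_2489
+include ComboCheck
+
+def initialize
+message = "Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files"
+super({
+:name=>"CVE-2010-2489",
+:cvss=>"AV:L/AC:L/Au:N/C:C/I:C/A:C",
+:release_date => Date.new(2010, 7, 10),
+:cwe=>"119",
+:owasp=>"A9",
+:applies=>["sinatra", "padrino", "rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade your ruby interpreter",
+:aux_links=>["http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-1-p429-is-released/"],
+:checks=>[CVE_2010_2489_a.new, CVE_2010_2489_b.new]
+})
+
+end
+end
+end
+end
+end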
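Review bot: The version data in `CVE_2010_2489_a` does not line up with the advisory text in `CVE_2010_2489`: the combo message puts the fix at 1.9.1-p429, while `safe_rubies` lists `1.9.2` at `p430` and marks 1.9.1 with `p999`. Depending on how RubyVersionCheck compares patch levels (not visible here), that can report a patched 1.9.1-p429 interpreter as vulnerable. The two helper classes also assign `message` without passing it to `super`, and `CVE_2010_2489_b` carries `_a` in its message and `"CVE_2010_2489_ab"` as its name. Using `:name=>"CVE_2010_2489_b",` there and adding `:message=>message,` to both helper hashes would make a finding attributable to the right half of the combo.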
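--- a/data/lib/codesake/dawn/kb/cve_2010_3933.rb
+++ b/data/lib/codesake/dawn/kb/cve_2010_3933.rb
@@ -0,0 +1,29 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-08
+class CVE_2010_3933
+include DependencyCheck
+
+def initialize
+message = "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
+super({
+:name=>"CVE-2010-3933",
+:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2010, 10, 28),
+:cwe=>"20",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.3.10, 3.0.1 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["ttp://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.3.10', '3.0.1']}]
+
+end
+end
+end
+end
+end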
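Review bot: The `:aux_links` URL is missing its leading `h` (it starts with `ttp://weblog.rubyonrails.org/`), so the reference printed with this finding is not a usable link. The entry should be `:aux_links=>["http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"]`. The message limits the issue to 2.3.9 and 3.0.0, whereas `safe_dependencies` lists only the fixed releases; whether older 2.3.x builds are then reported depends on DependencyCheck, which is outside this section.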
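--- a/data/lib/codesake/dawn/kb/cve_2011_0188.rb
+++ b/data/lib/codesake/dawn/kb/cve_2011_0188.rb
@@ -0,0 +1,69 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2014-01-08
+
+class CVE_2011_0188_a
+include RubyVersionCheck
+
+def initialize
+
+message = "CVE_2011_0188_a: ruby 1.9.2-p136 and earlier has problems"
+
+super({
+:name=>"CVE-2011-0995_a",
+:kind=>Codesake::Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
+})
+
+self.safe_rubies = [
+{:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p137"},
+{:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p999"},
+{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p999"}
+]
+end
+end
+
+class CVE_2011_0188_b
+include OperatingSystemCheck
+def initialize
+
+message = "CVE_2011_0188_b: Only on Mac OS X 10.6.7 and earlier"
+
+super({
+:name=>"CVE-2011-0188_b",
+:kind=>Codesake::Dawn::KnowledgeBase::OS_CHECK,
+})
+
+self.safe_os = [
+{:family=>"osx", :vendor=>"apple", :version=>['10.6.8']},
+{:family=>"osx", :vendor=>"apple", :version=>['10.5.9']}
+]
+
+end
+
+end
+class CVE_2011_0188
+include ComboCheck
+
+def initialize
+message = "The VpMemAlloc function in bigdecimal.c in the BigDecimal class in Ruby 1.9.2-p136 and earlier, as used on Apple Mac OS X before 10.6.7 and other platforms, does not properly allocate memory, which allows context-dependent attackers to execute arbitrary code or cause a denial of service (application crash) via vectors involving creation of a large BigDecimal value within a 64-bit process, related to an \"integer truncation issue.\""
+
+super({
+:name=>"CVE-2011-0188",
+:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2011, 3, 23),
+:cwe=>"189",
+:owasp=>"A9",
+:applies=>["sinatra", "padrino", "rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::COMBO_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade your ruby interpreter",
+:aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=682332"],
+:checks=>[CVE_2011_0188_a.new, CVE_2011_0188_b.new]
+})
+
+end
+end
+end
+end
+end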
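Review bot: `CVE_2011_0188_a` registers itself as `:name=>"CVE-2011-0995_a"`, a different CVE id from its own class and from the parent `CVE_2011_0188` combo check, which looks like a copy-paste leftover; it should be `:name=>"CVE-2011-0188_a",`. Both helper classes also build a `message` that is never handed to `super`. The combo message says the flaw affects Mac OS X "and other platforms", yet the OS half of the combo lists only `osx` entries in `safe_os`, so whether a non-Apple host can ever be reported depends on OperatingSystemCheck and ComboCheck, which are outside this section.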
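--- a/data/lib/codesake/dawn/kb/cve_2011_0446.rb
+++ b/data/lib/codesake/dawn/kb/cve_2011_0446.rb
@@ -0,0 +1,30 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-07-09
+class CVE_2011_0446
+include DependencyCheck
+
+def initialize
+message = "Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when javascript encoding is used, allow remote attackers to inject arbitrary web script or HTML via a crafted (1) name or (2) email value. Please note that victim must voluntarily interact with attack mechanism"
+
+super({
+:name=>"CVE-2011-0446",
+:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
+:release_date => Date.new(2011, 2, 14),
+:cwe=>"79",
+:owasp=>"A3",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.3.11 or 3.0.4 or higher. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://groups.google.com/group/rubyonrails-security/msg/365b8a23b76a6b4a?dmode=source&output=gplain"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.3.12', '3.0.5']}]
+
+end
+end
+end
+end
+end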
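Review bot: `safe_dependencies` uses `'2.3.12'` and `'3.0.5'`, one release later than the fix versions given in both the message and the mitigation text (2.3.11 and 3.0.4). cve_2011_0447.rb in the same package names the same fix releases and lists `'2.3.11'` and `'3.0.4'`, so the two checks disagree about whether Rails 2.3.11 and 3.0.4 are safe. Unless the later versions are deliberate, the line should be `self.safe_dependencies = [{:name=>"rails", :version=>['2.3.11', '3.0.4']}]`; if they are deliberate, a comment should say why.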
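--- a/data/lib/codesake/dawn/kb/cve_2011_0447.rb
+++ b/data/lib/codesake/dawn/kb/cve_2011_0447.rb
@@ -0,0 +1,30 @@
+module Codesake
+module Dawn
+module Kb
+# Automatically created with rake on 2013-05-29
+class CVE_2011_0447
+include DependencyCheck
+
+def initialize
+message = "Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an X-Requested-With header, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via forged (1) AJAX or (2) API requests that leverage \"combinations of browser plugins and HTTP redirects,\" a related issue to CVE-2011-0696."
+
+super({
+:name=>"CVE-2011-0447",
+:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
+:release_date => Date.new(2011, 2, 14),
+:cwe=>"352",
+:owasp=>"A9",
+:applies=>["rails"],
+:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+:message=>message,
+:mitigation=>"Please upgrade rails version at least to 2.3.11 or 3.0.4. As a general rule, using the latest stable rails version is recommended.",
+:aux_links=>["http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails"]
+})
+
+self.safe_dependencies = [{:name=>"rails", :version=>['2.1.9999', '2.2.9999', '2.3.11', '3.0.4']}]
+
+end
+end
+end
+end
+end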
@@ -0,0 +1,30 @@
|
|
|
1
|
+
module Codesake
|
|
2
|
+
module Dawn
|
|
3
|
+
module Kb
|
|
4
|
+
# Automatically created with rake on 2014-01-08
|
|
5
|
+
class CVE_2011_0739
|
|
6
|
+
include DependencyCheck
|
|
7
|
+
|
|
8
|
+
def initialize
|
|
9
|
+
message = "The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address."
|
|
10
|
+
super({
|
|
11
|
+
:name=>"CVE-2011-0739",
|
|
12
|
+
:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
|
13
|
+
:release_date => Date.new(2011, 2, 2),
|
|
14
|
+
:cwe=>"20",
|
|
15
|
+
:owasp=>"A9",
|
|
16
|
+
:applies=>["rails", "sinatra", "padrino"],
|
|
17
|
+
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
|
18
|
+
:message=>message,
|
|
19
|
+
:mitigation=>"Please upgrade mail to version 2.2.15. As a general rule, using the latest stable version is recommended.",
|
|
20
|
+
:aux_links=>["http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1"]
|
|
21
|
+
})
|
|
22
|
+
|
|
23
|
+
self.safe_dependencies = [
|
|
24
|
+
{:name=>"mail", :version=>['1.99.99', '2.2.15']}
|
|
25
|
+
]
|
|
26
|
+
end
|
|
27
|
+
end
|
|
28
|
+
end
|
|
29
|
+
end
|
|
30
|
+
end
|