dawnscanner 1.6.8 → 2.0.0.rc4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (387) hide show
  1. checksums.yaml +5 -5
  2. data/.gitignore +1 -0
  3. data/.ruby-version +1 -1
  4. data/Changelog.md +27 -1
  5. data/LICENSE.txt +1 -1
  6. data/README.md +59 -57
  7. data/Rakefile +10 -242
  8. data/Roadmap.md +15 -23
  9. data/VERSION +1 -1
  10. data/bin/dawn +17 -273
  11. data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
  12. data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
  13. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  14. data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
  15. data/dawnscanner.gemspec +10 -9
  16. data/doc/change.sh +13 -0
  17. data/doc/kickstart_kb.tar.gz +0 -0
  18. data/doc/knowledge_base.rb +650 -0
  19. data/docs/.placeholder +0 -0
  20. data/docs/CNAME +1 -0
  21. data/docs/_config.yml +1 -0
  22. data/lib/dawn/cli/dawn_cli.rb +139 -0
  23. data/lib/dawn/core.rb +8 -7
  24. data/lib/dawn/engine.rb +93 -34
  25. data/lib/dawn/gemfile_lock.rb +2 -2
  26. data/lib/dawn/kb/basic_check.rb +1 -2
  27. data/lib/dawn/kb/combo_check.rb +1 -1
  28. data/lib/dawn/kb/dependency_check.rb +1 -1
  29. data/lib/dawn/kb/operating_system_check.rb +1 -1
  30. data/lib/dawn/kb/pattern_match_check.rb +10 -9
  31. data/lib/dawn/kb/ruby_version_check.rb +11 -10
  32. data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
  33. data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
  34. data/lib/dawn/kb/version_check.rb +41 -24
  35. data/lib/dawn/knowledge_base.rb +259 -595
  36. data/lib/dawn/reporter.rb +2 -1
  37. data/lib/dawn/utils.rb +5 -2
  38. data/lib/dawn/version.rb +5 -5
  39. data/lib/dawnscanner.rb +7 -6
  40. data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
  41. data/spec/lib/kb/dependency_check.yml +29 -0
  42. metadata +30 -496
  43. checksums.yaml.gz.sig +0 -0
  44. data.tar.gz.sig +0 -0
  45. data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
  46. data/lib/dawn/kb/cve_2004_0755.rb +0 -33
  47. data/lib/dawn/kb/cve_2004_0983.rb +0 -31
  48. data/lib/dawn/kb/cve_2005_1992.rb +0 -31
  49. data/lib/dawn/kb/cve_2005_2337.rb +0 -33
  50. data/lib/dawn/kb/cve_2006_1931.rb +0 -30
  51. data/lib/dawn/kb/cve_2006_2582.rb +0 -28
  52. data/lib/dawn/kb/cve_2006_3694.rb +0 -31
  53. data/lib/dawn/kb/cve_2006_4112.rb +0 -27
  54. data/lib/dawn/kb/cve_2006_5467.rb +0 -28
  55. data/lib/dawn/kb/cve_2006_6303.rb +0 -28
  56. data/lib/dawn/kb/cve_2006_6852.rb +0 -27
  57. data/lib/dawn/kb/cve_2006_6979.rb +0 -29
  58. data/lib/dawn/kb/cve_2007_0469.rb +0 -29
  59. data/lib/dawn/kb/cve_2007_5162.rb +0 -28
  60. data/lib/dawn/kb/cve_2007_5379.rb +0 -27
  61. data/lib/dawn/kb/cve_2007_5380.rb +0 -29
  62. data/lib/dawn/kb/cve_2007_5770.rb +0 -30
  63. data/lib/dawn/kb/cve_2007_6077.rb +0 -31
  64. data/lib/dawn/kb/cve_2007_6612.rb +0 -30
  65. data/lib/dawn/kb/cve_2008_1145.rb +0 -38
  66. data/lib/dawn/kb/cve_2008_1891.rb +0 -38
  67. data/lib/dawn/kb/cve_2008_2376.rb +0 -30
  68. data/lib/dawn/kb/cve_2008_2662.rb +0 -33
  69. data/lib/dawn/kb/cve_2008_2663.rb +0 -32
  70. data/lib/dawn/kb/cve_2008_2664.rb +0 -33
  71. data/lib/dawn/kb/cve_2008_2725.rb +0 -31
  72. data/lib/dawn/kb/cve_2008_3655.rb +0 -37
  73. data/lib/dawn/kb/cve_2008_3657.rb +0 -37
  74. data/lib/dawn/kb/cve_2008_3790.rb +0 -30
  75. data/lib/dawn/kb/cve_2008_3905.rb +0 -36
  76. data/lib/dawn/kb/cve_2008_4094.rb +0 -27
  77. data/lib/dawn/kb/cve_2008_4310.rb +0 -100
  78. data/lib/dawn/kb/cve_2008_5189.rb +0 -27
  79. data/lib/dawn/kb/cve_2008_7248.rb +0 -27
  80. data/lib/dawn/kb/cve_2009_4078.rb +0 -29
  81. data/lib/dawn/kb/cve_2009_4124.rb +0 -30
  82. data/lib/dawn/kb/cve_2009_4214.rb +0 -27
  83. data/lib/dawn/kb/cve_2010_1330.rb +0 -28
  84. data/lib/dawn/kb/cve_2010_2489.rb +0 -60
  85. data/lib/dawn/kb/cve_2010_3933.rb +0 -27
  86. data/lib/dawn/kb/cve_2011_0188.rb +0 -67
  87. data/lib/dawn/kb/cve_2011_0446.rb +0 -28
  88. data/lib/dawn/kb/cve_2011_0447.rb +0 -28
  89. data/lib/dawn/kb/cve_2011_0739.rb +0 -28
  90. data/lib/dawn/kb/cve_2011_0995.rb +0 -61
  91. data/lib/dawn/kb/cve_2011_1004.rb +0 -34
  92. data/lib/dawn/kb/cve_2011_1005.rb +0 -31
  93. data/lib/dawn/kb/cve_2011_2197.rb +0 -27
  94. data/lib/dawn/kb/cve_2011_2686.rb +0 -29
  95. data/lib/dawn/kb/cve_2011_2705.rb +0 -32
  96. data/lib/dawn/kb/cve_2011_2929.rb +0 -27
  97. data/lib/dawn/kb/cve_2011_2930.rb +0 -28
  98. data/lib/dawn/kb/cve_2011_2931.rb +0 -30
  99. data/lib/dawn/kb/cve_2011_2932.rb +0 -27
  100. data/lib/dawn/kb/cve_2011_3009.rb +0 -28
  101. data/lib/dawn/kb/cve_2011_3186.rb +0 -29
  102. data/lib/dawn/kb/cve_2011_3187.rb +0 -29
  103. data/lib/dawn/kb/cve_2011_4319.rb +0 -30
  104. data/lib/dawn/kb/cve_2011_4815.rb +0 -28
  105. data/lib/dawn/kb/cve_2011_5036.rb +0 -26
  106. data/lib/dawn/kb/cve_2012_1098.rb +0 -30
  107. data/lib/dawn/kb/cve_2012_1099.rb +0 -27
  108. data/lib/dawn/kb/cve_2012_1241.rb +0 -27
  109. data/lib/dawn/kb/cve_2012_2139.rb +0 -26
  110. data/lib/dawn/kb/cve_2012_2140.rb +0 -27
  111. data/lib/dawn/kb/cve_2012_2660.rb +0 -28
  112. data/lib/dawn/kb/cve_2012_2661.rb +0 -27
  113. data/lib/dawn/kb/cve_2012_2671.rb +0 -28
  114. data/lib/dawn/kb/cve_2012_2694.rb +0 -30
  115. data/lib/dawn/kb/cve_2012_2695.rb +0 -27
  116. data/lib/dawn/kb/cve_2012_3424.rb +0 -29
  117. data/lib/dawn/kb/cve_2012_3463.rb +0 -27
  118. data/lib/dawn/kb/cve_2012_3464.rb +0 -27
  119. data/lib/dawn/kb/cve_2012_3465.rb +0 -26
  120. data/lib/dawn/kb/cve_2012_4464.rb +0 -27
  121. data/lib/dawn/kb/cve_2012_4466.rb +0 -27
  122. data/lib/dawn/kb/cve_2012_4481.rb +0 -26
  123. data/lib/dawn/kb/cve_2012_4522.rb +0 -27
  124. data/lib/dawn/kb/cve_2012_5370.rb +0 -27
  125. data/lib/dawn/kb/cve_2012_5371.rb +0 -27
  126. data/lib/dawn/kb/cve_2012_5380.rb +0 -28
  127. data/lib/dawn/kb/cve_2012_6109.rb +0 -25
  128. data/lib/dawn/kb/cve_2012_6134.rb +0 -27
  129. data/lib/dawn/kb/cve_2012_6496.rb +0 -28
  130. data/lib/dawn/kb/cve_2012_6497.rb +0 -28
  131. data/lib/dawn/kb/cve_2012_6684.rb +0 -28
  132. data/lib/dawn/kb/cve_2013_0155.rb +0 -29
  133. data/lib/dawn/kb/cve_2013_0156.rb +0 -27
  134. data/lib/dawn/kb/cve_2013_0162.rb +0 -28
  135. data/lib/dawn/kb/cve_2013_0175.rb +0 -27
  136. data/lib/dawn/kb/cve_2013_0183.rb +0 -25
  137. data/lib/dawn/kb/cve_2013_0184.rb +0 -25
  138. data/lib/dawn/kb/cve_2013_0233.rb +0 -26
  139. data/lib/dawn/kb/cve_2013_0256.rb +0 -59
  140. data/lib/dawn/kb/cve_2013_0262.rb +0 -26
  141. data/lib/dawn/kb/cve_2013_0263.rb +0 -26
  142. data/lib/dawn/kb/cve_2013_0269.rb +0 -27
  143. data/lib/dawn/kb/cve_2013_0276.rb +0 -28
  144. data/lib/dawn/kb/cve_2013_0277.rb +0 -25
  145. data/lib/dawn/kb/cve_2013_0284.rb +0 -27
  146. data/lib/dawn/kb/cve_2013_0285.rb +0 -27
  147. data/lib/dawn/kb/cve_2013_0333.rb +0 -28
  148. data/lib/dawn/kb/cve_2013_0334.rb +0 -25
  149. data/lib/dawn/kb/cve_2013_1607.rb +0 -25
  150. data/lib/dawn/kb/cve_2013_1655.rb +0 -65
  151. data/lib/dawn/kb/cve_2013_1656.rb +0 -28
  152. data/lib/dawn/kb/cve_2013_1756.rb +0 -26
  153. data/lib/dawn/kb/cve_2013_1800.rb +0 -26
  154. data/lib/dawn/kb/cve_2013_1801.rb +0 -27
  155. data/lib/dawn/kb/cve_2013_1802.rb +0 -27
  156. data/lib/dawn/kb/cve_2013_1812.rb +0 -27
  157. data/lib/dawn/kb/cve_2013_1821.rb +0 -28
  158. data/lib/dawn/kb/cve_2013_1854.rb +0 -26
  159. data/lib/dawn/kb/cve_2013_1855.rb +0 -25
  160. data/lib/dawn/kb/cve_2013_1856.rb +0 -26
  161. data/lib/dawn/kb/cve_2013_1857.rb +0 -27
  162. data/lib/dawn/kb/cve_2013_1875.rb +0 -27
  163. data/lib/dawn/kb/cve_2013_1898.rb +0 -27
  164. data/lib/dawn/kb/cve_2013_1911.rb +0 -28
  165. data/lib/dawn/kb/cve_2013_1933.rb +0 -27
  166. data/lib/dawn/kb/cve_2013_1947.rb +0 -27
  167. data/lib/dawn/kb/cve_2013_1948.rb +0 -27
  168. data/lib/dawn/kb/cve_2013_2065.rb +0 -29
  169. data/lib/dawn/kb/cve_2013_2090.rb +0 -28
  170. data/lib/dawn/kb/cve_2013_2105.rb +0 -26
  171. data/lib/dawn/kb/cve_2013_2119.rb +0 -27
  172. data/lib/dawn/kb/cve_2013_2512.rb +0 -26
  173. data/lib/dawn/kb/cve_2013_2513.rb +0 -25
  174. data/lib/dawn/kb/cve_2013_2516.rb +0 -26
  175. data/lib/dawn/kb/cve_2013_2615.rb +0 -27
  176. data/lib/dawn/kb/cve_2013_2616.rb +0 -27
  177. data/lib/dawn/kb/cve_2013_2617.rb +0 -28
  178. data/lib/dawn/kb/cve_2013_3221.rb +0 -27
  179. data/lib/dawn/kb/cve_2013_4164.rb +0 -30
  180. data/lib/dawn/kb/cve_2013_4203.rb +0 -25
  181. data/lib/dawn/kb/cve_2013_4389.rb +0 -26
  182. data/lib/dawn/kb/cve_2013_4413.rb +0 -27
  183. data/lib/dawn/kb/cve_2013_4457.rb +0 -29
  184. data/lib/dawn/kb/cve_2013_4478.rb +0 -26
  185. data/lib/dawn/kb/cve_2013_4479.rb +0 -26
  186. data/lib/dawn/kb/cve_2013_4489.rb +0 -28
  187. data/lib/dawn/kb/cve_2013_4491.rb +0 -29
  188. data/lib/dawn/kb/cve_2013_4492.rb +0 -29
  189. data/lib/dawn/kb/cve_2013_4562.rb +0 -27
  190. data/lib/dawn/kb/cve_2013_4593.rb +0 -27
  191. data/lib/dawn/kb/cve_2013_5647.rb +0 -29
  192. data/lib/dawn/kb/cve_2013_5671.rb +0 -26
  193. data/lib/dawn/kb/cve_2013_6414.rb +0 -30
  194. data/lib/dawn/kb/cve_2013_6415.rb +0 -29
  195. data/lib/dawn/kb/cve_2013_6416.rb +0 -29
  196. data/lib/dawn/kb/cve_2013_6417.rb +0 -30
  197. data/lib/dawn/kb/cve_2013_6421.rb +0 -28
  198. data/lib/dawn/kb/cve_2013_6459.rb +0 -28
  199. data/lib/dawn/kb/cve_2013_6460.rb +0 -53
  200. data/lib/dawn/kb/cve_2013_6461.rb +0 -57
  201. data/lib/dawn/kb/cve_2013_7086.rb +0 -27
  202. data/lib/dawn/kb/cve_2014_0036.rb +0 -27
  203. data/lib/dawn/kb/cve_2014_0080.rb +0 -29
  204. data/lib/dawn/kb/cve_2014_0081.rb +0 -27
  205. data/lib/dawn/kb/cve_2014_0082.rb +0 -27
  206. data/lib/dawn/kb/cve_2014_0130.rb +0 -27
  207. data/lib/dawn/kb/cve_2014_1233.rb +0 -27
  208. data/lib/dawn/kb/cve_2014_1234.rb +0 -26
  209. data/lib/dawn/kb/cve_2014_2322.rb +0 -28
  210. data/lib/dawn/kb/cve_2014_2525.rb +0 -59
  211. data/lib/dawn/kb/cve_2014_2538.rb +0 -26
  212. data/lib/dawn/kb/cve_2014_3482.rb +0 -28
  213. data/lib/dawn/kb/cve_2014_3483.rb +0 -28
  214. data/lib/dawn/kb/cve_2014_3916.rb +0 -29
  215. data/lib/dawn/kb/cve_2014_4975.rb +0 -28
  216. data/lib/dawn/kb/cve_2014_7818.rb +0 -27
  217. data/lib/dawn/kb/cve_2014_7819.rb +0 -31
  218. data/lib/dawn/kb/cve_2014_7829.rb +0 -30
  219. data/lib/dawn/kb/cve_2014_8090.rb +0 -30
  220. data/lib/dawn/kb/cve_2014_9490.rb +0 -29
  221. data/lib/dawn/kb/cve_2015_1819.rb +0 -34
  222. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
  223. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
  224. data/lib/dawn/kb/cve_2015_2963.rb +0 -27
  225. data/lib/dawn/kb/cve_2015_3224.rb +0 -26
  226. data/lib/dawn/kb/cve_2015_3225.rb +0 -28
  227. data/lib/dawn/kb/cve_2015_3226.rb +0 -27
  228. data/lib/dawn/kb/cve_2015_3227.rb +0 -28
  229. data/lib/dawn/kb/cve_2015_3448.rb +0 -29
  230. data/lib/dawn/kb/cve_2015_4020.rb +0 -34
  231. data/lib/dawn/kb/cve_2015_5312.rb +0 -30
  232. data/lib/dawn/kb/cve_2015_7497.rb +0 -32
  233. data/lib/dawn/kb/cve_2015_7498.rb +0 -32
  234. data/lib/dawn/kb/cve_2015_7499.rb +0 -32
  235. data/lib/dawn/kb/cve_2015_7500.rb +0 -32
  236. data/lib/dawn/kb/cve_2015_7519.rb +0 -31
  237. data/lib/dawn/kb/cve_2015_7541.rb +0 -31
  238. data/lib/dawn/kb/cve_2015_7576.rb +0 -35
  239. data/lib/dawn/kb/cve_2015_7577.rb +0 -34
  240. data/lib/dawn/kb/cve_2015_7578.rb +0 -30
  241. data/lib/dawn/kb/cve_2015_7579.rb +0 -30
  242. data/lib/dawn/kb/cve_2015_7581.rb +0 -33
  243. data/lib/dawn/kb/cve_2015_8241.rb +0 -32
  244. data/lib/dawn/kb/cve_2015_8242.rb +0 -32
  245. data/lib/dawn/kb/cve_2015_8317.rb +0 -32
  246. data/lib/dawn/kb/cve_2016_0751.rb +0 -32
  247. data/lib/dawn/kb/cve_2016_0752.rb +0 -35
  248. data/lib/dawn/kb/cve_2016_0753.rb +0 -31
  249. data/lib/dawn/kb/cve_2016_2097.rb +0 -35
  250. data/lib/dawn/kb/cve_2016_2098.rb +0 -35
  251. data/lib/dawn/kb/cve_2016_5697.rb +0 -30
  252. data/lib/dawn/kb/cve_2016_6316.rb +0 -33
  253. data/lib/dawn/kb/cve_2016_6317.rb +0 -32
  254. data/lib/dawn/kb/cve_2016_6582.rb +0 -43
  255. data/lib/dawn/kb/not_revised_code.rb +0 -22
  256. data/lib/dawn/kb/osvdb_105971.rb +0 -29
  257. data/lib/dawn/kb/osvdb_108530.rb +0 -27
  258. data/lib/dawn/kb/osvdb_108563.rb +0 -28
  259. data/lib/dawn/kb/osvdb_108569.rb +0 -28
  260. data/lib/dawn/kb/osvdb_108570.rb +0 -27
  261. data/lib/dawn/kb/osvdb_115654.rb +0 -33
  262. data/lib/dawn/kb/osvdb_116010.rb +0 -30
  263. data/lib/dawn/kb/osvdb_117903.rb +0 -30
  264. data/lib/dawn/kb/osvdb_118579.rb +0 -31
  265. data/lib/dawn/kb/osvdb_118830.rb +0 -32
  266. data/lib/dawn/kb/osvdb_118954.rb +0 -33
  267. data/lib/dawn/kb/osvdb_119878.rb +0 -32
  268. data/lib/dawn/kb/osvdb_119927.rb +0 -33
  269. data/lib/dawn/kb/osvdb_120415.rb +0 -31
  270. data/lib/dawn/kb/osvdb_120857.rb +0 -34
  271. data/lib/dawn/kb/osvdb_121701.rb +0 -30
  272. data/lib/dawn/kb/osvdb_132234.rb +0 -34
  273. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
  274. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
  275. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
  276. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
  277. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
  278. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
  279. data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
  280. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
  281. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
  282. data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
  283. data/lib/dawn/knowledge_base_experimental.rb +0 -245
  284. data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
  285. data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
  286. data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
  287. data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
  288. data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
  289. data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
  290. data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
  291. data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
  292. data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
  293. data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
  294. data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
  295. data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
  296. data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
  297. data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
  298. data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
  299. data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
  300. data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
  301. data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
  302. data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
  303. data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
  304. data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
  305. data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
  306. data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
  307. data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
  308. data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
  309. data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
  310. data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
  311. data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
  312. data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
  313. data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
  314. data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
  315. data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
  316. data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
  317. data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
  318. data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
  319. data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
  320. data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
  321. data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
  322. data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
  323. data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
  324. data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
  325. data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
  326. data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
  327. data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
  328. data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
  329. data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
  330. data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
  331. data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
  332. data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
  333. data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
  334. data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
  335. data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
  336. data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
  337. data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
  338. data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
  339. data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
  340. data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
  341. data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
  342. data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
  343. data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
  344. data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
  345. data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
  346. data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
  347. data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
  348. data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
  349. data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
  350. data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
  351. data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
  352. data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
  353. data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
  354. data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
  355. data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
  356. data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
  357. data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
  358. data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
  359. data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
  360. data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
  361. data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
  362. data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
  363. data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
  364. data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
  365. data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
  366. data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
  367. data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
  368. data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
  369. data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
  370. data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
  371. data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
  372. data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
  373. data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
  374. data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
  375. data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
  376. data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
  377. data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
  378. data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
  379. data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
  380. data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
  381. data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
  382. data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
  383. data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
  384. data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
  385. data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
  386. data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
  387. metadata.gz.sig +0 -0
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-31
4
- class CVE_2012_6684
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9 for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI."
9
- super({
10
- :name=>"CVE-2012-6684",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2015, 1, 7),
13
- :cwe=>"79",
14
- :owasp=>"A1",
15
- :osvdb=>"",
16
- :applies=>["sinatra", "padrino", "rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade RedCloth gem to the latest version",
20
- :aux_links=>["https://gist.github.com/co3k/75b3cb416c342aa1414c", "http://co3k.org/blog/redcloth-unfixed-xss-en"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"RedCloth", :version=>['4.2.10']}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,29 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-10
4
- class CVE_2013_0155
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request, as demonstrated by certain \"[nil]\" values, a related issue to CVE-2012-2660 and CVE-2012-2694."
9
-
10
- super({
11
- :name=>"CVE-2013-0155",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
13
- :release_date => Date.new(2013, 1, 13),
14
- :cwe=>"",
15
- :owasp=>"A9",
16
- :applies=>["rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade rails version at least to 3.0.19, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
20
- :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/c7jT-EeN9eI/discussion"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"rails", :version=>['3.0.19', '3.1.10', '3.2.11']}]
24
-
25
-
26
- end
27
- end
28
- end
29
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-17
4
- class CVE_2013_0156
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion."
9
-
10
- super({
11
- :name=>'CVE-2013-0156',
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
13
- :release_date => Date.new(2013, 1, 13),
14
- :cwe=>"20",
15
- :owasp=>"A9",
16
- :applies=>["rails"],
17
- :kind => Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message => message,
19
- :mitigation=>"Please upgrade rails version at least to 2.3.15, 3.0.19, 3.1.10 and 3.2.11. As a general rule, using the latest stable rails version is recommended.",
20
- :aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/c1432d0f8c70e89d?dmode=source&output=gplain"]
21
- })
22
- self.safe_dependencies = [{:name=>"rails", :version=>['2.3.15', '3.0.19', '3.2.11', '3.1.10']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-14
4
- class CVE_2013_0162
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp."
9
-
10
- super({
11
- :name=>"CVE-2013-0162",
12
- :cvss=>"AV:L/AC:L/Au:N/C:N/I:P/A:N",
13
- :release_date => Date.new(2013, 3, 1),
14
- :cwe=>"264",
15
- :owasp=>"A9",
16
- :applies=>["sinatra", "padrino", "rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade ruby_parser version to 3.1.1. As a general rule, using the latest stable version is recommended.",
20
- :aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=892806"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"ruby_parser", :version=>['1.9999.9999', '2.9999.9999', '3.1.1']}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-21
4
- class CVE_2013_0175
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "multi_xml gem 0.5.2 for Ruby, as used in Grape before 0.2.6 and possibly other products, does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging support for (1) YAML type conversion or (2) Symbol type conversion, a similar vulnerability to CVE-2013-0156."
9
-
10
- super({
11
- :name=>'CVE-2013-0175',
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
13
- :release_date => Date.new(2013, 4, 25),
14
- :cwe=>"20",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind => Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message => message,
19
- :mitigation=>"Please upgrade multi_xml gem or grape gem",
20
- :aux_links => ["https://groups.google.com/forum/?fromgroups=#%21topic/ruby-grape/fthDkMgIOa0"]
21
- })
22
- self.safe_dependencies = [{:name=>"multi_xml", :version=>['0.5.3']}, {:name=>"grape", :version=>['0.2.6']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,25 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-02-06
4
- class CVE_2013_0183
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet."
9
- super({
10
- :name=>"CVE-2013-0183",
11
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
12
- :release_date => Date.new(2013, 3, 1),
13
- :cwe=>"119",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rack version up to version 1.3.8 or 1.4.3 or higher.",
19
- :aux_links=>["https://groups.google.com/forum/#%21topic/rack-devel/7ZKPNAjgRSs"]
20
- })
21
- self.safe_dependencies = [{:name=>"rack", :version=>['1.4.3', '1.3.8']}]
22
- end
23
- end
24
- end
25
- end
@@ -1,25 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-02-06
4
- class CVE_2013_0184
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to \"symbolized arbitrary strings.\""
9
- super({
10
- :name=>"CVE-2013-0184",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
12
- :release_date => Date.new(2013, 3, 1),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rack version up to version 1.4.4, 1.3.9, 1.2.7, 1.1.5 or higher.",
19
- :aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=895384"]
20
- })
21
- self.safe_dependencies = [{:name=>"rack", :version=>['1.4.4', '1.3.9', '1.2.7', '1.1.5']}]
22
- end
23
- end
24
- end
25
- end
@@ -1,26 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-21
4
- class CVE_2013_0233
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Devise gem 2.2.x before 2.2.3, 2.1.x before 2.1.3, 2.0.x before 2.0.5, and 1.5.x before 1.5.4 for Ruby, when using certain databases, does not properly perform type conversion when performing database queries, which might allow remote attackers to cause incorrect results to be returned and bypass security checks via unknown vectors, as demonstrated by resetting passwords of arbitrary accounts."
9
- super({
10
- :name=>"CVE-2013-0233",
11
- :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2013, 4, 25),
13
- :cwe=>"399",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade Devise gem to version 2.2.3, 2.1.3, 2.0.5, 1.5.4 or latest version available",
19
- :aux_links=>["http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"devise", :version=>['1.5.4', '2.0.5', '2.1.3', '2.2.3']}]
23
- end
24
- end
25
- end
26
- end
@@ -1,59 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-14
4
- class CVE_2013_0256_a
5
-
6
- include DependencyCheck
7
-
8
- def initialize
9
- message = "CVE_2013_0256_b: rdoc gem is vulnerable"
10
-
11
- super({
12
- :name=>"CVE-2013-0256-b",
13
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
14
- })
15
-
16
- self.safe_dependencies = [{:name=>"rdoc", :version=>['2.3.1', '3.13', '4.0.0']}]
17
-
18
- end
19
- end
20
- class CVE_2013_0256_b
21
- include RubyVersionCheck
22
- def initialize
23
- message = "CVE_2013_0256_b: ruby 1.9.x before 1.9.3-p383 and 2.0.0 before rc2 have problems"
24
- super({
25
- :name=>"CVE-2013-0256-b",
26
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
27
- })
28
- self.safe_rubies = [
29
- {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p383"},
30
- {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p0"}
31
- ]
32
- end
33
-
34
-
35
- end
36
-
37
- class CVE_2013_0256
38
- include ComboCheck
39
-
40
- def initialize
41
- message = "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL."
42
- super({
43
- :name=>"CVE-2013-0256",
44
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
45
- :release_date => Date.new(2013, 3, 1),
46
- :cwe=>"79",
47
- :owasp=>"A3",
48
- :applies=>["sinatra", "padrino", "rails"],
49
- :kind=>Dawn::KnowledgeBase::COMBO_CHECK,
50
- :message=>message,
51
- :mitigation=>"Please upgrade rdoc version at least to 2.3.1, 3.13 or 4.0.0. As a general rule, using the latest stable version is recommended.",
52
- :aux_links=>["http://blog.segment7.net/2013/02/06/rdoc-xss-vulnerability-cve-2013-0256-releases-3-9-5-3-12-1-4-0-0-rc-2"],
53
- :checks=>[CVE_2013_0256_a.new, CVE_2013_0256_b.new]
54
- })
55
-
56
- end
57
- end
58
- end
59
- end
@@ -1,26 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-02-06
4
- class CVE_2013_0262
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\""
9
- super({
10
- :name=>"CVE-2013-0262",
11
- :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
12
- :release_date => Date.new(2013, 2, 8),
13
- :cwe=>"22",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rack version up to version 1.5.2 or 1.4.5 or higher.",
19
- :aux_links=>["https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ"]
20
- })
21
- self.save_minor = true
22
- self.safe_dependencies = [{:name=>"rack", :version=>['1.5.2', '1.4.5']}]
23
- end
24
- end
25
- end
26
- end
@@ -1,26 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-14
4
- class CVE_2013_0263
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time."
9
- super({
10
- :name=>"CVE-2013-0263",
11
- :cvss=>"AV:N/AC:H/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2013, 8, 2),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["sinatra", "padrino", "rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rack version to 1.5.2, 1.4.5, 1.3.10, 1.2.8, 1.1.6. As a general rule, using the latest stable version is recommended.",
19
- :aux_links=>["https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ"]
20
- })
21
- self.save_minor = true
22
- self.safe_dependencies = [{:name=>"rack", :version=>['1.5.2', '1.4.5', '1.3.10', '1.2.8', '1.1.6']}]
23
- end
24
- end
25
- end
26
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-10
4
- class CVE_2013_0269
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 for Ruby allows remote attackers to cause a denial of service (resource consumption) or bypass the mass assignment protection mechanism via a crafted JSON document that triggers the creation of arbitrary Ruby symbols or certain internal objects, as demonstrated by conducting a SQL injection attack against Ruby on Rails, aka \"Unsafe Object Creation Vulnerability.\""
9
-
10
- super({
11
- :name=>"CVE-2013-0269",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
13
- :release_date => Date.new(2013, 2, 13),
14
- :cwe=>"",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade JSON gem to version 1.5.5, 1.6.8 or 1.7.7 or latest version available",
20
- :aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/4_YvCpLzL58/discussion"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"json", :version=>['1.5.5', '1.6.8', '1.7.7']}]
24
- end
25
- end
26
- end
27
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-16
4
- class CVE_2013_0276
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection mechanism and modify protected model attributes via a crafted request."
9
-
10
- super({
11
- :name=>'CVE-2013-0276',
12
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
13
- :release_date => Date.new(2013, 2, 13),
14
- :cwe=>"264",
15
- :owasp=>"A9",
16
- :applies=>["rails"],
17
- :kind => Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message => message,
19
- :mitigation=>"Please upgrade rails version at least to 2.3.17, 3.1.11 and 3.2.12. As a general rule, using the latest stable rails version is recommended.",
20
- :aux_links => ["https://groups.google.com/group/rubyonrails-security/msg/bb44b98a73ef1a06?dmode=source&output=gplain"]
21
- })
22
- self.safe_dependencies = [{:name=>"rails", :version=>['2.3.17', '3.2.12', '3.1.11']}]
23
-
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,25 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-17
4
- class CVE_2013_0277
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute arbitrary code via crafted serialized attributes that cause the +serialize+ helper to deserialize arbitrary YAML."
9
- super({
10
- :name=>'CVE-2013-0277',
11
- :cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
12
- :release_date => Date.new(2013, 2, 13),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["rails"],
16
- :kind => Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message => message,
18
- :mitigation=>"Please upgrade rails version at least to 2.3.17 and 3.1.0. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links => ["https://groups.google.com/group/ruby-security-ann/msg/34e0d780b04308de?dmode=source&output=gplain"]
20
- })
21
- self.safe_dependencies = [{:name=>"rails", :version=>['2.3.17', '3.0.9999999', '3.1.0']}]
22
- end
23
- end
24
- end
25
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-05-21
4
- class CVE_2013_0284
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Ruby agent 3.2.0 through 3.5.2 serializes sensitive data when communicating with servers operated by New Relic, which allows remote attackers to obtain sensitive information (database credentials and SQL statements) by sniffing the network and deserializing the data."
9
- super({
10
- :name=>"CVE-2013-0284",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
12
- :release_date => Date.new(2013, 4, 9),
13
- :cwe=>"200",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade ruby_agent gem to version 3.5.2 or latest version available",
19
- :aux_links=>["https://newrelic.com/docs/ruby/ruby-agent-security-notification"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"ruby_agent", :version=>['3.5.2']}]
23
-
24
- end
25
- end
26
- end
27
- end