dawnscanner 1.6.8 → 2.0.0.rc4

Files changed (387)
  1. checksums.yaml +5 -5
  2. data/.gitignore +1 -0
  3. data/.ruby-version +1 -1
  4. data/Changelog.md +27 -1
  5. data/LICENSE.txt +1 -1
  6. data/README.md +59 -57
  7. data/Rakefile +10 -242
  8. data/Roadmap.md +15 -23
  9. data/VERSION +1 -1
  10. data/bin/dawn +17 -273
  11. data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
  12. data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
  13. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  14. data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
  15. data/dawnscanner.gemspec +10 -9
  16. data/doc/change.sh +13 -0
  17. data/doc/kickstart_kb.tar.gz +0 -0
  18. data/doc/knowledge_base.rb +650 -0
  19. data/docs/.placeholder +0 -0
  20. data/docs/CNAME +1 -0
  21. data/docs/_config.yml +1 -0
  22. data/lib/dawn/cli/dawn_cli.rb +139 -0
  23. data/lib/dawn/core.rb +8 -7
  24. data/lib/dawn/engine.rb +93 -34
  25. data/lib/dawn/gemfile_lock.rb +2 -2
  26. data/lib/dawn/kb/basic_check.rb +1 -2
  27. data/lib/dawn/kb/combo_check.rb +1 -1
  28. data/lib/dawn/kb/dependency_check.rb +1 -1
  29. data/lib/dawn/kb/operating_system_check.rb +1 -1
  30. data/lib/dawn/kb/pattern_match_check.rb +10 -9
  31. data/lib/dawn/kb/ruby_version_check.rb +11 -10
  32. data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
  33. data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
  34. data/lib/dawn/kb/version_check.rb +41 -24
  35. data/lib/dawn/knowledge_base.rb +259 -595
  36. data/lib/dawn/reporter.rb +2 -1
  37. data/lib/dawn/utils.rb +5 -2
  38. data/lib/dawn/version.rb +5 -5
  39. data/lib/dawnscanner.rb +7 -6
  40. data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
  41. data/spec/lib/kb/dependency_check.yml +29 -0
  42. metadata +30 -496
  43. checksums.yaml.gz.sig +0 -0
  44. data.tar.gz.sig +0 -0
  45. data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
  46. data/lib/dawn/kb/cve_2004_0755.rb +0 -33
  47. data/lib/dawn/kb/cve_2004_0983.rb +0 -31
  48. data/lib/dawn/kb/cve_2005_1992.rb +0 -31
  49. data/lib/dawn/kb/cve_2005_2337.rb +0 -33
  50. data/lib/dawn/kb/cve_2006_1931.rb +0 -30
  51. data/lib/dawn/kb/cve_2006_2582.rb +0 -28
  52. data/lib/dawn/kb/cve_2006_3694.rb +0 -31
  53. data/lib/dawn/kb/cve_2006_4112.rb +0 -27
  54. data/lib/dawn/kb/cve_2006_5467.rb +0 -28
  55. data/lib/dawn/kb/cve_2006_6303.rb +0 -28
  56. data/lib/dawn/kb/cve_2006_6852.rb +0 -27
  57. data/lib/dawn/kb/cve_2006_6979.rb +0 -29
  58. data/lib/dawn/kb/cve_2007_0469.rb +0 -29
  59. data/lib/dawn/kb/cve_2007_5162.rb +0 -28
  60. data/lib/dawn/kb/cve_2007_5379.rb +0 -27
  61. data/lib/dawn/kb/cve_2007_5380.rb +0 -29
  62. data/lib/dawn/kb/cve_2007_5770.rb +0 -30
  63. data/lib/dawn/kb/cve_2007_6077.rb +0 -31
  64. data/lib/dawn/kb/cve_2007_6612.rb +0 -30
  65. data/lib/dawn/kb/cve_2008_1145.rb +0 -38
  66. data/lib/dawn/kb/cve_2008_1891.rb +0 -38
  67. data/lib/dawn/kb/cve_2008_2376.rb +0 -30
  68. data/lib/dawn/kb/cve_2008_2662.rb +0 -33
  69. data/lib/dawn/kb/cve_2008_2663.rb +0 -32
  70. data/lib/dawn/kb/cve_2008_2664.rb +0 -33
  71. data/lib/dawn/kb/cve_2008_2725.rb +0 -31
  72. data/lib/dawn/kb/cve_2008_3655.rb +0 -37
  73. data/lib/dawn/kb/cve_2008_3657.rb +0 -37
  74. data/lib/dawn/kb/cve_2008_3790.rb +0 -30
  75. data/lib/dawn/kb/cve_2008_3905.rb +0 -36
  76. data/lib/dawn/kb/cve_2008_4094.rb +0 -27
  77. data/lib/dawn/kb/cve_2008_4310.rb +0 -100
  78. data/lib/dawn/kb/cve_2008_5189.rb +0 -27
  79. data/lib/dawn/kb/cve_2008_7248.rb +0 -27
  80. data/lib/dawn/kb/cve_2009_4078.rb +0 -29
  81. data/lib/dawn/kb/cve_2009_4124.rb +0 -30
  82. data/lib/dawn/kb/cve_2009_4214.rb +0 -27
  83. data/lib/dawn/kb/cve_2010_1330.rb +0 -28
  84. data/lib/dawn/kb/cve_2010_2489.rb +0 -60
  85. data/lib/dawn/kb/cve_2010_3933.rb +0 -27
  86. data/lib/dawn/kb/cve_2011_0188.rb +0 -67
  87. data/lib/dawn/kb/cve_2011_0446.rb +0 -28
  88. data/lib/dawn/kb/cve_2011_0447.rb +0 -28
  89. data/lib/dawn/kb/cve_2011_0739.rb +0 -28
  90. data/lib/dawn/kb/cve_2011_0995.rb +0 -61
  91. data/lib/dawn/kb/cve_2011_1004.rb +0 -34
  92. data/lib/dawn/kb/cve_2011_1005.rb +0 -31
  93. data/lib/dawn/kb/cve_2011_2197.rb +0 -27
  94. data/lib/dawn/kb/cve_2011_2686.rb +0 -29
  95. data/lib/dawn/kb/cve_2011_2705.rb +0 -32
  96. data/lib/dawn/kb/cve_2011_2929.rb +0 -27
  97. data/lib/dawn/kb/cve_2011_2930.rb +0 -28
  98. data/lib/dawn/kb/cve_2011_2931.rb +0 -30
  99. data/lib/dawn/kb/cve_2011_2932.rb +0 -27
  100. data/lib/dawn/kb/cve_2011_3009.rb +0 -28
  101. data/lib/dawn/kb/cve_2011_3186.rb +0 -29
  102. data/lib/dawn/kb/cve_2011_3187.rb +0 -29
  103. data/lib/dawn/kb/cve_2011_4319.rb +0 -30
  104. data/lib/dawn/kb/cve_2011_4815.rb +0 -28
  105. data/lib/dawn/kb/cve_2011_5036.rb +0 -26
  106. data/lib/dawn/kb/cve_2012_1098.rb +0 -30
  107. data/lib/dawn/kb/cve_2012_1099.rb +0 -27
  108. data/lib/dawn/kb/cve_2012_1241.rb +0 -27
  109. data/lib/dawn/kb/cve_2012_2139.rb +0 -26
  110. data/lib/dawn/kb/cve_2012_2140.rb +0 -27
  111. data/lib/dawn/kb/cve_2012_2660.rb +0 -28
  112. data/lib/dawn/kb/cve_2012_2661.rb +0 -27
  113. data/lib/dawn/kb/cve_2012_2671.rb +0 -28
  114. data/lib/dawn/kb/cve_2012_2694.rb +0 -30
  115. data/lib/dawn/kb/cve_2012_2695.rb +0 -27
  116. data/lib/dawn/kb/cve_2012_3424.rb +0 -29
  117. data/lib/dawn/kb/cve_2012_3463.rb +0 -27
  118. data/lib/dawn/kb/cve_2012_3464.rb +0 -27
  119. data/lib/dawn/kb/cve_2012_3465.rb +0 -26
  120. data/lib/dawn/kb/cve_2012_4464.rb +0 -27
  121. data/lib/dawn/kb/cve_2012_4466.rb +0 -27
  122. data/lib/dawn/kb/cve_2012_4481.rb +0 -26
  123. data/lib/dawn/kb/cve_2012_4522.rb +0 -27
  124. data/lib/dawn/kb/cve_2012_5370.rb +0 -27
  125. data/lib/dawn/kb/cve_2012_5371.rb +0 -27
  126. data/lib/dawn/kb/cve_2012_5380.rb +0 -28
  127. data/lib/dawn/kb/cve_2012_6109.rb +0 -25
  128. data/lib/dawn/kb/cve_2012_6134.rb +0 -27
  129. data/lib/dawn/kb/cve_2012_6496.rb +0 -28
  130. data/lib/dawn/kb/cve_2012_6497.rb +0 -28
  131. data/lib/dawn/kb/cve_2012_6684.rb +0 -28
  132. data/lib/dawn/kb/cve_2013_0155.rb +0 -29
  133. data/lib/dawn/kb/cve_2013_0156.rb +0 -27
  134. data/lib/dawn/kb/cve_2013_0162.rb +0 -28
  135. data/lib/dawn/kb/cve_2013_0175.rb +0 -27
  136. data/lib/dawn/kb/cve_2013_0183.rb +0 -25
  137. data/lib/dawn/kb/cve_2013_0184.rb +0 -25
  138. data/lib/dawn/kb/cve_2013_0233.rb +0 -26
  139. data/lib/dawn/kb/cve_2013_0256.rb +0 -59
  140. data/lib/dawn/kb/cve_2013_0262.rb +0 -26
  141. data/lib/dawn/kb/cve_2013_0263.rb +0 -26
  142. data/lib/dawn/kb/cve_2013_0269.rb +0 -27
  143. data/lib/dawn/kb/cve_2013_0276.rb +0 -28
  144. data/lib/dawn/kb/cve_2013_0277.rb +0 -25
  145. data/lib/dawn/kb/cve_2013_0284.rb +0 -27
  146. data/lib/dawn/kb/cve_2013_0285.rb +0 -27
  147. data/lib/dawn/kb/cve_2013_0333.rb +0 -28
  148. data/lib/dawn/kb/cve_2013_0334.rb +0 -25
  149. data/lib/dawn/kb/cve_2013_1607.rb +0 -25
  150. data/lib/dawn/kb/cve_2013_1655.rb +0 -65
  151. data/lib/dawn/kb/cve_2013_1656.rb +0 -28
  152. data/lib/dawn/kb/cve_2013_1756.rb +0 -26
  153. data/lib/dawn/kb/cve_2013_1800.rb +0 -26
  154. data/lib/dawn/kb/cve_2013_1801.rb +0 -27
  155. data/lib/dawn/kb/cve_2013_1802.rb +0 -27
  156. data/lib/dawn/kb/cve_2013_1812.rb +0 -27
  157. data/lib/dawn/kb/cve_2013_1821.rb +0 -28
  158. data/lib/dawn/kb/cve_2013_1854.rb +0 -26
  159. data/lib/dawn/kb/cve_2013_1855.rb +0 -25
  160. data/lib/dawn/kb/cve_2013_1856.rb +0 -26
  161. data/lib/dawn/kb/cve_2013_1857.rb +0 -27
  162. data/lib/dawn/kb/cve_2013_1875.rb +0 -27
  163. data/lib/dawn/kb/cve_2013_1898.rb +0 -27
  164. data/lib/dawn/kb/cve_2013_1911.rb +0 -28
  165. data/lib/dawn/kb/cve_2013_1933.rb +0 -27
  166. data/lib/dawn/kb/cve_2013_1947.rb +0 -27
  167. data/lib/dawn/kb/cve_2013_1948.rb +0 -27
  168. data/lib/dawn/kb/cve_2013_2065.rb +0 -29
  169. data/lib/dawn/kb/cve_2013_2090.rb +0 -28
  170. data/lib/dawn/kb/cve_2013_2105.rb +0 -26
  171. data/lib/dawn/kb/cve_2013_2119.rb +0 -27
  172. data/lib/dawn/kb/cve_2013_2512.rb +0 -26
  173. data/lib/dawn/kb/cve_2013_2513.rb +0 -25
  174. data/lib/dawn/kb/cve_2013_2516.rb +0 -26
  175. data/lib/dawn/kb/cve_2013_2615.rb +0 -27
  176. data/lib/dawn/kb/cve_2013_2616.rb +0 -27
  177. data/lib/dawn/kb/cve_2013_2617.rb +0 -28
  178. data/lib/dawn/kb/cve_2013_3221.rb +0 -27
  179. data/lib/dawn/kb/cve_2013_4164.rb +0 -30
  180. data/lib/dawn/kb/cve_2013_4203.rb +0 -25
  181. data/lib/dawn/kb/cve_2013_4389.rb +0 -26
  182. data/lib/dawn/kb/cve_2013_4413.rb +0 -27
  183. data/lib/dawn/kb/cve_2013_4457.rb +0 -29
  184. data/lib/dawn/kb/cve_2013_4478.rb +0 -26
  185. data/lib/dawn/kb/cve_2013_4479.rb +0 -26
  186. data/lib/dawn/kb/cve_2013_4489.rb +0 -28
  187. data/lib/dawn/kb/cve_2013_4491.rb +0 -29
  188. data/lib/dawn/kb/cve_2013_4492.rb +0 -29
  189. data/lib/dawn/kb/cve_2013_4562.rb +0 -27
  190. data/lib/dawn/kb/cve_2013_4593.rb +0 -27
  191. data/lib/dawn/kb/cve_2013_5647.rb +0 -29
  192. data/lib/dawn/kb/cve_2013_5671.rb +0 -26
  193. data/lib/dawn/kb/cve_2013_6414.rb +0 -30
  194. data/lib/dawn/kb/cve_2013_6415.rb +0 -29
  195. data/lib/dawn/kb/cve_2013_6416.rb +0 -29
  196. data/lib/dawn/kb/cve_2013_6417.rb +0 -30
  197. data/lib/dawn/kb/cve_2013_6421.rb +0 -28
  198. data/lib/dawn/kb/cve_2013_6459.rb +0 -28
  199. data/lib/dawn/kb/cve_2013_6460.rb +0 -53
  200. data/lib/dawn/kb/cve_2013_6461.rb +0 -57
  201. data/lib/dawn/kb/cve_2013_7086.rb +0 -27
  202. data/lib/dawn/kb/cve_2014_0036.rb +0 -27
  203. data/lib/dawn/kb/cve_2014_0080.rb +0 -29
  204. data/lib/dawn/kb/cve_2014_0081.rb +0 -27
  205. data/lib/dawn/kb/cve_2014_0082.rb +0 -27
  206. data/lib/dawn/kb/cve_2014_0130.rb +0 -27
  207. data/lib/dawn/kb/cve_2014_1233.rb +0 -27
  208. data/lib/dawn/kb/cve_2014_1234.rb +0 -26
  209. data/lib/dawn/kb/cve_2014_2322.rb +0 -28
  210. data/lib/dawn/kb/cve_2014_2525.rb +0 -59
  211. data/lib/dawn/kb/cve_2014_2538.rb +0 -26
  212. data/lib/dawn/kb/cve_2014_3482.rb +0 -28
  213. data/lib/dawn/kb/cve_2014_3483.rb +0 -28
  214. data/lib/dawn/kb/cve_2014_3916.rb +0 -29
  215. data/lib/dawn/kb/cve_2014_4975.rb +0 -28
  216. data/lib/dawn/kb/cve_2014_7818.rb +0 -27
  217. data/lib/dawn/kb/cve_2014_7819.rb +0 -31
  218. data/lib/dawn/kb/cve_2014_7829.rb +0 -30
  219. data/lib/dawn/kb/cve_2014_8090.rb +0 -30
  220. data/lib/dawn/kb/cve_2014_9490.rb +0 -29
  221. data/lib/dawn/kb/cve_2015_1819.rb +0 -34
  222. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
  223. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
  224. data/lib/dawn/kb/cve_2015_2963.rb +0 -27
  225. data/lib/dawn/kb/cve_2015_3224.rb +0 -26
  226. data/lib/dawn/kb/cve_2015_3225.rb +0 -28
  227. data/lib/dawn/kb/cve_2015_3226.rb +0 -27
  228. data/lib/dawn/kb/cve_2015_3227.rb +0 -28
  229. data/lib/dawn/kb/cve_2015_3448.rb +0 -29
  230. data/lib/dawn/kb/cve_2015_4020.rb +0 -34
  231. data/lib/dawn/kb/cve_2015_5312.rb +0 -30
  232. data/lib/dawn/kb/cve_2015_7497.rb +0 -32
  233. data/lib/dawn/kb/cve_2015_7498.rb +0 -32
  234. data/lib/dawn/kb/cve_2015_7499.rb +0 -32
  235. data/lib/dawn/kb/cve_2015_7500.rb +0 -32
  236. data/lib/dawn/kb/cve_2015_7519.rb +0 -31
  237. data/lib/dawn/kb/cve_2015_7541.rb +0 -31
  238. data/lib/dawn/kb/cve_2015_7576.rb +0 -35
  239. data/lib/dawn/kb/cve_2015_7577.rb +0 -34
  240. data/lib/dawn/kb/cve_2015_7578.rb +0 -30
  241. data/lib/dawn/kb/cve_2015_7579.rb +0 -30
  242. data/lib/dawn/kb/cve_2015_7581.rb +0 -33
  243. data/lib/dawn/kb/cve_2015_8241.rb +0 -32
  244. data/lib/dawn/kb/cve_2015_8242.rb +0 -32
  245. data/lib/dawn/kb/cve_2015_8317.rb +0 -32
  246. data/lib/dawn/kb/cve_2016_0751.rb +0 -32
  247. data/lib/dawn/kb/cve_2016_0752.rb +0 -35
  248. data/lib/dawn/kb/cve_2016_0753.rb +0 -31
  249. data/lib/dawn/kb/cve_2016_2097.rb +0 -35
  250. data/lib/dawn/kb/cve_2016_2098.rb +0 -35
  251. data/lib/dawn/kb/cve_2016_5697.rb +0 -30
  252. data/lib/dawn/kb/cve_2016_6316.rb +0 -33
  253. data/lib/dawn/kb/cve_2016_6317.rb +0 -32
  254. data/lib/dawn/kb/cve_2016_6582.rb +0 -43
  255. data/lib/dawn/kb/not_revised_code.rb +0 -22
  256. data/lib/dawn/kb/osvdb_105971.rb +0 -29
  257. data/lib/dawn/kb/osvdb_108530.rb +0 -27
  258. data/lib/dawn/kb/osvdb_108563.rb +0 -28
  259. data/lib/dawn/kb/osvdb_108569.rb +0 -28
  260. data/lib/dawn/kb/osvdb_108570.rb +0 -27
  261. data/lib/dawn/kb/osvdb_115654.rb +0 -33
  262. data/lib/dawn/kb/osvdb_116010.rb +0 -30
  263. data/lib/dawn/kb/osvdb_117903.rb +0 -30
  264. data/lib/dawn/kb/osvdb_118579.rb +0 -31
  265. data/lib/dawn/kb/osvdb_118830.rb +0 -32
  266. data/lib/dawn/kb/osvdb_118954.rb +0 -33
  267. data/lib/dawn/kb/osvdb_119878.rb +0 -32
  268. data/lib/dawn/kb/osvdb_119927.rb +0 -33
  269. data/lib/dawn/kb/osvdb_120415.rb +0 -31
  270. data/lib/dawn/kb/osvdb_120857.rb +0 -34
  271. data/lib/dawn/kb/osvdb_121701.rb +0 -30
  272. data/lib/dawn/kb/osvdb_132234.rb +0 -34
  273. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
  274. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
  275. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
  276. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
  277. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
  278. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
  279. data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
  280. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
  281. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
  282. data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
  283. data/lib/dawn/knowledge_base_experimental.rb +0 -245
  284. data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
  285. data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
  286. data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
  287. data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
  288. data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
  289. data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
  290. data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
  291. data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
  292. data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
  293. data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
  294. data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
  295. data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
  296. data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
  297. data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
  298. data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
  299. data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
  300. data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
  301. data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
  302. data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
  303. data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
  304. data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
  305. data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
  306. data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
  307. data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
  308. data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
  309. data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
  310. data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
  311. data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
  312. data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
  313. data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
  314. data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
  315. data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
  316. data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
  317. data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
  318. data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
  319. data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
  320. data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
  321. data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
  322. data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
  323. data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
  324. data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
  325. data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
  326. data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
  327. data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
  328. data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
  329. data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
  330. data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
  331. data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
  332. data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
  333. data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
  334. data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
  335. data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
  336. data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
  337. data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
  338. data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
  339. data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
  340. data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
  341. data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
  342. data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
  343. data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
  344. data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
  345. data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
  346. data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
  347. data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
  348. data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
  349. data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
  350. data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
  351. data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
  352. data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
  353. data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
  354. data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
  355. data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
  356. data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
  357. data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
  358. data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
  359. data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
  360. data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
  361. data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
  362. data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
  363. data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
  364. data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
  365. data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
  366. data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
  367. data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
  368. data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
  369. data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
  370. data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
  371. data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
  372. data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
  373. data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
  374. data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
  375. data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
  376. data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
  377. data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
  378. data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
  379. data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
  380. data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
  381. data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
  382. data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
  383. data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
  384. data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
  385. data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
  386. data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
  387. metadata.gz.sig +0 -0
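--- a/data/lib/dawn/kb/cve_2014_1233.rb
+++ b/data/lib/dawn/kb/cve_2014_1233.rb
@@ -1,27 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2014-02-05
- class CVE_2014_1233
- include DependencyCheck
-
- def initialize
- message = "The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process."
-
- super({
- :name=>"CVE-2014-1233",
- :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
- :release_date => Date.new(2014, 01, 10),
- :cwe=>"200",
- :owasp=>"A9",
- :applies=>["rails", "sinatra", "padrino"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade paratrooper-pingdom version up to version 1.0.0.",
- :aux_links=>["http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html"]
- })
-
- self.safe_dependencies = [{:name=>"paratrooper-pingdom", :version=>['1.0.1']}]
- end
- end
- end
- end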
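--- a/data/lib/dawn/kb/cve_2014_1234.rb
+++ b/data/lib/dawn/kb/cve_2014_1234.rb
@@ -1,26 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2014-02-05
- class CVE_2014_1234
- include DependencyCheck
-
- def initialize
- message = "The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process."
- super({
- :name=>"CVE-2014-1234",
- :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
- :release_date => Date.new(2014, 01, 10),
- :cwe=>"200",
- :owasp=>"A9",
- :applies=>["rails", "sinatra", "padrino"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade paratrooper-newrelic version up to version 1.0.1.",
- :aux_links=>["http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html"]
- })
-
- self.safe_dependencies = [{:name=>"paratrooper-newrelic", :version=>['1.0.2']}]
- end
- end
- end
- end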
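--- a/data/lib/dawn/kb/cve_2014_2322.rb
+++ b/data/lib/dawn/kb/cve_2014_2322.rb
@@ -1,28 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2014-03-14
- class CVE_2014_2322
- # Include the testing skeleton for this CVE
- include DependencyCheck
-
- def initialize
- message = "Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands."
-
- super({
- :name=>"CVE-2014-2322",
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
- :release_date => Date.new(2014, 3, 10),
- :cwe=>"",
- :owasp=>"A9",
- :applies=>["sinatra", "padrino", "rails"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"At March, 14 2014 a fixed Arabic-Prawn release is not available. Please sanitize your input before passing it to this gem and upgrade to higher versions as soon as possible",
- :aux_links=>["http://packetstormsecurity.com/files/125679/Ruby-Gem-Arabic-Prawn-0.0.1-Command-Injection.html"]
- })
-
- self.safe_dependencies = [{:name=>"Arabic-Prawn", :version=>['0.0.2']}]
- end
- end
- end
- end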
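--- a/data/lib/dawn/kb/cve_2014_2525.rb
+++ b/data/lib/dawn/kb/cve_2014_2525.rb
@@ -1,59 +0,0 @@
- module Dawn
- module Kb
- class CVE_2014_2525_a
- include BasicCheck
-
- def initialize
- message = "When relying on system wide libyaml, this must be > 0.1.5"
- super({
- :name=>"CVE-2014-2525-a",
- :kind=>Dawn::KnowledgeBase::CUSTOM_CHECK,
- })
- end
- def vuln?
- require 'yaml'
- lyv = Psych.libyaml_version.join(".")
- c = Dawn::Kb::VersionCheck.new
- return c.is_vulnerable_version?('0.1.6', lyv)
- end
- end
- class CVE_2014_2525_b
- include DependencyCheck
-
- def initialize
- message = "When non relying on system wide libyaml, psych gem must be > 2.0.5"
- super({
- :name=>"CVE-2014-2525-b",
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- })
- self.safe_dependencies = [{:name=>"psych", :version=>['2.0.5']}]
- end
-
- end
-
- # Automatically created with rake on 2014-03-31
- class CVE_2014_2525
- include ComboCheck
-
- def initialize
- message = ""
-
- super({
- :name=>"CVE-2014-2525",
- :cvss=>"",
- :release_date => Date.new(2014, 3, 28),
- :cwe=>"",
- :owasp=>"A9",
- :applies=>["rails", "sinatra", "padrino"],
- :kind=>Dawn::KnowledgeBase::COMBO_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade your system libyaml or upgrade psych gem to version 2.0.5 or higher that is linked with a safe libyaml version.",
- :aux_links=>["https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525"],
- :severity=>:high,
- :prority=>:high,
- :checks=>[CVE_2014_2525_a.new, CVE_2014_2525_b.new]
- })
- end
- end
- end
- end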
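--- a/data/lib/dawn/kb/cve_2014_2538.rb
+++ b/data/lib/dawn/kb/cve_2014_2538.rb
@@ -1,26 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2014-03-23
- class CVE_2014_2538
- include DependencyCheck
-
- def initialize
- message = "rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server."
- super({
- :name=>"CVE-2014-2538",
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
- :release_date => Date.new(2014, 3, 25),
- :cwe=>"79",
- :owasp=>"A3",
- :applies=>["rails"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.3.4 or higher.",
- :aux_links=>["http://seclists.org/oss-sec/2014/q1/594"]
- })
-
- self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.3.4']}]
- end
- end
- end
- end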
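--- a/data/lib/dawn/kb/cve_2014_3482.rb
+++ b/data/lib/dawn/kb/cve_2014_3482.rb
@@ -1,28 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2014-07-04
- class CVE_2014_3482
- include DependencyCheck
-
- def initialize
- message = "Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
- super({
- :name=> "CVE-2014-3482",
- :cve=>"CVE-2014-3482",
- :osvdb=>"108664",
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
- :release_date => Date.new(2014, 7, 2),
- :cwe=>"",
- :owasp=>"A1",
- :applies=>["rails"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade rails version at least to 3.2.19. As a general rule, using the latest stable version is recommended.",
- :aux_links=>["http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/"]
- })
- self.safe_dependencies = [{:name=>"rails", :version=>['3.2.19']}]
-
- end
- end
- end
- end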
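--- a/data/lib/dawn/kb/cve_2014_3483.rb
+++ b/data/lib/dawn/kb/cve_2014_3483.rb
@@ -1,28 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2014-07-07
- class CVE_2014_3483
- include DependencyCheck
-
- def initialize
- message = "Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
- super({
- :name=>"CVE-2014-3483",
- :cve=>"2014-3483",
- :osvdb=>"108665",
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
- :release_date => Date.new(2014, 7, 2),
- :cwe=>"",
- :owasp=>"A1",
- :applies=>["rails"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade rails at least to version 4.0.7 or 4.1.3. As a general rule, using the latest stable rails version is recommended.",
- :aux_links=>["http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/"]
- })
- self.save_major=true
- self.safe_dependencies = [{:name=>"rails", :version=>['4.0.7', '4.1.3']}]
- end
- end
- end
- end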
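--- a/data/lib/dawn/kb/cve_2014_3916.rb
+++ b/data/lib/dawn/kb/cve_2014_3916.rb
@@ -1,29 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2015-08-03
- class CVE_2014_3916
- include RubyVersionCheck
-
- def initialize
- message = "The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string."
- super({
- :name=>"CVE-2014-3916",
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
- :release_date => Date.new(2014, 11, 16),
- :cwe=>"19",
- :owasp=>"A9",
- :applies=>["rails", "sinatra", "padrino"],
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade ruby interpreter to 2.2.x or later.",
- :aux_links=>["https://bugs.ruby-lang.org/issues/9709", "http://www.securityfocus.com/bid/67705"]
- })
-
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
- {:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
- {:engine=>"ruby", :version=>"2.1.99", :patchlevel=>"p999"}]
-
- end
- end
- end
- end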
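--- a/data/lib/dawn/kb/cve_2014_4975.rb
+++ b/data/lib/dawn/kb/cve_2014_4975.rb
@@ -1,28 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2015-08-03
- class CVE_2014_4975
- include RubyVersionCheck
-
- def initialize
- message = "Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow."
- super({
- :name=>"CVE-2014-4975",
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
- :release_date => Date.new(2014, 11, 15),
- :cwe=>"119",
- :owasp=>"A9",
- :applies=>["rails", "sinatra", "padrino"],
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade ruby interpreter to 2.1.3 or later. Please note that latest 2.2.x version is suggested.",
- :aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46778", "https://bugs.ruby-lang.org/issues/10019"]
- })
-
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
- {:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
- {:engine=>"ruby", :version=>"2.1.2", :patchlevel=>"p999"}]
- end
- end
- end
- end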
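--- a/data/lib/dawn/kb/cve_2014_7818.rb
+++ b/data/lib/dawn/kb/cve_2014_7818.rb
@@ -1,27 +0,0 @@
- module Dawn
- module Kb
- # Automatically created with rake on 2015-09-02
- class CVE_2014_7818
- include DependencyCheck
-
- def initialize
- message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
- super({
- :name=>"CVE-2014-7818",
- :cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
- :release_date => Date.new(2014, 11, 8),
- :cwe=>"22",
- :owasp=>"A9",
- :applies=>["rails", "sinatra", "padrino"],
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
- :message=>message,
- :mitigation=>"Please upgrade rails gem to latest version or at least 3.2.20, 4.0.11, 4.1.7 or 4.2.0.beta3. If unsure upgrade to the latest available version.",
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"]
- })
-
- self.safe_dependencies = [{:name=>"rails", :version=>['3.2.20', '4.0.11', '4.1.7', '4.2.0.beta3']}]
- self.save_major = true
- end
- end
- end
- end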
@@ -1,31 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-08-31
4
- class CVE_2014_7819
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
9
-
10
- super({
11
- :name=>"CVE-2014-7819",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N)",
13
- :release_date => Date.new(2014, 11, 8),
14
- :cwe=>"22",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade rails gem to latest version or at least 3.2.18 or 4.1.8. If you're using sprockets standalone, please upgrade it to the latest version.",
20
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"]
21
- })
22
-
23
- self.save_major = true
24
- self.save_minor = true
25
- self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.1.8']},
26
- {:name=>"sprockets", :version=>['2.0.6', '2.1.4', '2.2.3', '2.3.3', '2.4.6', '2.5.1', '2.6.1', '2.7.1', '2.8.3', '2.9.4', '2.10.2', '2.11.3', '2.12.3', '3.0.0.beta3']}]
27
-
28
- end
29
- end
30
- end
31
- end
@@ -1,30 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-31
4
- class CVE_2014_7829
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818."
9
-
10
- super({
11
- :name=>"CVE-2014-7829",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
13
- :release_date => Date.new(2014, 11, 18),
14
- :cwe=>"22",
15
- :owasp=>"A9",
16
- :applies=>["rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade rails gem to latest version or at least 3.2.21, 4.0.12, 4.1.8 or 4.2.0.beta4.",
20
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"rails", :version=>['3.2.21', '4.0.12', '4.1.8', '4.2.0.beta4']}]
24
- self.save_major = true
25
- self.save_minor = false
26
-
27
- end
28
- end
29
- end
30
- end
@@ -1,30 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-31
4
- class CVE_2014_8090
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080."
9
-
10
- super({
11
- :name=>"CVE-2014-8090",
12
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
- :release_date => Date.new(2014, 11, 21),
14
- :cwe=>"611",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade ruby interpreter to 1.9.3-p551 or 2.0.0-p598 or 2.1.5. Please note that latest 2.2.x version is suggested.",
20
- :aux_links=>["https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/"]
21
- })
22
-
23
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p551"},
24
- {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p598"},
25
- {:engine=>"ruby", :version=>"2.1.5", :patchlevel=>"p0"}]
26
-
27
- end
28
- end
29
- end
30
- end
@@ -1,29 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-30
4
- class CVE_2014_9490
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number."
9
-
10
- super({
11
- :name=>"CVE-2014-9490",
12
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
- :release_date => Date.new(2015, 1, 20),
14
- :cwe=>"399",
15
- :owasp=>"A9",
16
- :osvdb=>"115654",
17
- :applies=>["sinatra", "padrino", "rails"],
18
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
19
- :message=>message,
20
- :mitigation=>"Please upgrade raven-ruby gem to the latest version",
21
- :aux_links=>["https://github.com/getsentry/raven-ruby/commit/477ee93a3f735be33bc1e726820654cdf6e22d8f", "http://seclists.org/oss-sec/2015/q1/26"]
22
- })
23
-
24
- self.safe_dependencies = [{:name=>"raven-ruby", :version=>['0.12.2']}]
25
-
26
- end
27
- end
28
- end
29
- end