dawnscanner 1.6.8 → 2.0.0.rc4
- checksums.yaml +5 -5
- data/.gitignore +1 -0
- data/.ruby-version +1 -1
- data/Changelog.md +27 -1
- data/LICENSE.txt +1 -1
- data/README.md +59 -57
- data/Rakefile +10 -242
- data/Roadmap.md +15 -23
- data/VERSION +1 -1
- data/bin/dawn +17 -273
- data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
- data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
- data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
- data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
- data/dawnscanner.gemspec +10 -9
- data/doc/change.sh +13 -0
- data/doc/kickstart_kb.tar.gz +0 -0
- data/doc/knowledge_base.rb +650 -0
- data/docs/.placeholder +0 -0
- data/docs/CNAME +1 -0
- data/docs/_config.yml +1 -0
- data/lib/dawn/cli/dawn_cli.rb +139 -0
- data/lib/dawn/core.rb +8 -7
- data/lib/dawn/engine.rb +93 -34
- data/lib/dawn/gemfile_lock.rb +2 -2
- data/lib/dawn/kb/basic_check.rb +1 -2
- data/lib/dawn/kb/combo_check.rb +1 -1
- data/lib/dawn/kb/dependency_check.rb +1 -1
- data/lib/dawn/kb/operating_system_check.rb +1 -1
- data/lib/dawn/kb/pattern_match_check.rb +10 -9
- data/lib/dawn/kb/ruby_version_check.rb +11 -10
- data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
- data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
- data/lib/dawn/kb/version_check.rb +41 -24
- data/lib/dawn/knowledge_base.rb +259 -595
- data/lib/dawn/reporter.rb +2 -1
- data/lib/dawn/utils.rb +5 -2
- data/lib/dawn/version.rb +5 -5
- data/lib/dawnscanner.rb +7 -6
- data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
- data/spec/lib/kb/dependency_check.yml +29 -0
- metadata +30 -496
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
- data/lib/dawn/kb/cve_2004_0755.rb +0 -33
- data/lib/dawn/kb/cve_2004_0983.rb +0 -31
- data/lib/dawn/kb/cve_2005_1992.rb +0 -31
- data/lib/dawn/kb/cve_2005_2337.rb +0 -33
- data/lib/dawn/kb/cve_2006_1931.rb +0 -30
- data/lib/dawn/kb/cve_2006_2582.rb +0 -28
- data/lib/dawn/kb/cve_2006_3694.rb +0 -31
- data/lib/dawn/kb/cve_2006_4112.rb +0 -27
- data/lib/dawn/kb/cve_2006_5467.rb +0 -28
- data/lib/dawn/kb/cve_2006_6303.rb +0 -28
- data/lib/dawn/kb/cve_2006_6852.rb +0 -27
- data/lib/dawn/kb/cve_2006_6979.rb +0 -29
- data/lib/dawn/kb/cve_2007_0469.rb +0 -29
- data/lib/dawn/kb/cve_2007_5162.rb +0 -28
- data/lib/dawn/kb/cve_2007_5379.rb +0 -27
- data/lib/dawn/kb/cve_2007_5380.rb +0 -29
- data/lib/dawn/kb/cve_2007_5770.rb +0 -30
- data/lib/dawn/kb/cve_2007_6077.rb +0 -31
- data/lib/dawn/kb/cve_2007_6612.rb +0 -30
- data/lib/dawn/kb/cve_2008_1145.rb +0 -38
- data/lib/dawn/kb/cve_2008_1891.rb +0 -38
- data/lib/dawn/kb/cve_2008_2376.rb +0 -30
- data/lib/dawn/kb/cve_2008_2662.rb +0 -33
- data/lib/dawn/kb/cve_2008_2663.rb +0 -32
- data/lib/dawn/kb/cve_2008_2664.rb +0 -33
- data/lib/dawn/kb/cve_2008_2725.rb +0 -31
- data/lib/dawn/kb/cve_2008_3655.rb +0 -37
- data/lib/dawn/kb/cve_2008_3657.rb +0 -37
- data/lib/dawn/kb/cve_2008_3790.rb +0 -30
- data/lib/dawn/kb/cve_2008_3905.rb +0 -36
- data/lib/dawn/kb/cve_2008_4094.rb +0 -27
- data/lib/dawn/kb/cve_2008_4310.rb +0 -100
- data/lib/dawn/kb/cve_2008_5189.rb +0 -27
- data/lib/dawn/kb/cve_2008_7248.rb +0 -27
- data/lib/dawn/kb/cve_2009_4078.rb +0 -29
- data/lib/dawn/kb/cve_2009_4124.rb +0 -30
- data/lib/dawn/kb/cve_2009_4214.rb +0 -27
- data/lib/dawn/kb/cve_2010_1330.rb +0 -28
- data/lib/dawn/kb/cve_2010_2489.rb +0 -60
- data/lib/dawn/kb/cve_2010_3933.rb +0 -27
- data/lib/dawn/kb/cve_2011_0188.rb +0 -67
- data/lib/dawn/kb/cve_2011_0446.rb +0 -28
- data/lib/dawn/kb/cve_2011_0447.rb +0 -28
- data/lib/dawn/kb/cve_2011_0739.rb +0 -28
- data/lib/dawn/kb/cve_2011_0995.rb +0 -61
- data/lib/dawn/kb/cve_2011_1004.rb +0 -34
- data/lib/dawn/kb/cve_2011_1005.rb +0 -31
- data/lib/dawn/kb/cve_2011_2197.rb +0 -27
- data/lib/dawn/kb/cve_2011_2686.rb +0 -29
- data/lib/dawn/kb/cve_2011_2705.rb +0 -32
- data/lib/dawn/kb/cve_2011_2929.rb +0 -27
- data/lib/dawn/kb/cve_2011_2930.rb +0 -28
- data/lib/dawn/kb/cve_2011_2931.rb +0 -30
- data/lib/dawn/kb/cve_2011_2932.rb +0 -27
- data/lib/dawn/kb/cve_2011_3009.rb +0 -28
- data/lib/dawn/kb/cve_2011_3186.rb +0 -29
- data/lib/dawn/kb/cve_2011_3187.rb +0 -29
- data/lib/dawn/kb/cve_2011_4319.rb +0 -30
- data/lib/dawn/kb/cve_2011_4815.rb +0 -28
- data/lib/dawn/kb/cve_2011_5036.rb +0 -26
- data/lib/dawn/kb/cve_2012_1098.rb +0 -30
- data/lib/dawn/kb/cve_2012_1099.rb +0 -27
- data/lib/dawn/kb/cve_2012_1241.rb +0 -27
- data/lib/dawn/kb/cve_2012_2139.rb +0 -26
- data/lib/dawn/kb/cve_2012_2140.rb +0 -27
- data/lib/dawn/kb/cve_2012_2660.rb +0 -28
- data/lib/dawn/kb/cve_2012_2661.rb +0 -27
- data/lib/dawn/kb/cve_2012_2671.rb +0 -28
- data/lib/dawn/kb/cve_2012_2694.rb +0 -30
- data/lib/dawn/kb/cve_2012_2695.rb +0 -27
- data/lib/dawn/kb/cve_2012_3424.rb +0 -29
- data/lib/dawn/kb/cve_2012_3463.rb +0 -27
- data/lib/dawn/kb/cve_2012_3464.rb +0 -27
- data/lib/dawn/kb/cve_2012_3465.rb +0 -26
- data/lib/dawn/kb/cve_2012_4464.rb +0 -27
- data/lib/dawn/kb/cve_2012_4466.rb +0 -27
- data/lib/dawn/kb/cve_2012_4481.rb +0 -26
- data/lib/dawn/kb/cve_2012_4522.rb +0 -27
- data/lib/dawn/kb/cve_2012_5370.rb +0 -27
- data/lib/dawn/kb/cve_2012_5371.rb +0 -27
- data/lib/dawn/kb/cve_2012_5380.rb +0 -28
- data/lib/dawn/kb/cve_2012_6109.rb +0 -25
- data/lib/dawn/kb/cve_2012_6134.rb +0 -27
- data/lib/dawn/kb/cve_2012_6496.rb +0 -28
- data/lib/dawn/kb/cve_2012_6497.rb +0 -28
- data/lib/dawn/kb/cve_2012_6684.rb +0 -28
- data/lib/dawn/kb/cve_2013_0155.rb +0 -29
- data/lib/dawn/kb/cve_2013_0156.rb +0 -27
- data/lib/dawn/kb/cve_2013_0162.rb +0 -28
- data/lib/dawn/kb/cve_2013_0175.rb +0 -27
- data/lib/dawn/kb/cve_2013_0183.rb +0 -25
- data/lib/dawn/kb/cve_2013_0184.rb +0 -25
- data/lib/dawn/kb/cve_2013_0233.rb +0 -26
- data/lib/dawn/kb/cve_2013_0256.rb +0 -59
- data/lib/dawn/kb/cve_2013_0262.rb +0 -26
- data/lib/dawn/kb/cve_2013_0263.rb +0 -26
- data/lib/dawn/kb/cve_2013_0269.rb +0 -27
- data/lib/dawn/kb/cve_2013_0276.rb +0 -28
- data/lib/dawn/kb/cve_2013_0277.rb +0 -25
- data/lib/dawn/kb/cve_2013_0284.rb +0 -27
- data/lib/dawn/kb/cve_2013_0285.rb +0 -27
- data/lib/dawn/kb/cve_2013_0333.rb +0 -28
- data/lib/dawn/kb/cve_2013_0334.rb +0 -25
- data/lib/dawn/kb/cve_2013_1607.rb +0 -25
- data/lib/dawn/kb/cve_2013_1655.rb +0 -65
- data/lib/dawn/kb/cve_2013_1656.rb +0 -28
- data/lib/dawn/kb/cve_2013_1756.rb +0 -26
- data/lib/dawn/kb/cve_2013_1800.rb +0 -26
- data/lib/dawn/kb/cve_2013_1801.rb +0 -27
- data/lib/dawn/kb/cve_2013_1802.rb +0 -27
- data/lib/dawn/kb/cve_2013_1812.rb +0 -27
- data/lib/dawn/kb/cve_2013_1821.rb +0 -28
- data/lib/dawn/kb/cve_2013_1854.rb +0 -26
- data/lib/dawn/kb/cve_2013_1855.rb +0 -25
- data/lib/dawn/kb/cve_2013_1856.rb +0 -26
- data/lib/dawn/kb/cve_2013_1857.rb +0 -27
- data/lib/dawn/kb/cve_2013_1875.rb +0 -27
- data/lib/dawn/kb/cve_2013_1898.rb +0 -27
- data/lib/dawn/kb/cve_2013_1911.rb +0 -28
- data/lib/dawn/kb/cve_2013_1933.rb +0 -27
- data/lib/dawn/kb/cve_2013_1947.rb +0 -27
- data/lib/dawn/kb/cve_2013_1948.rb +0 -27
- data/lib/dawn/kb/cve_2013_2065.rb +0 -29
- data/lib/dawn/kb/cve_2013_2090.rb +0 -28
- data/lib/dawn/kb/cve_2013_2105.rb +0 -26
- data/lib/dawn/kb/cve_2013_2119.rb +0 -27
- data/lib/dawn/kb/cve_2013_2512.rb +0 -26
- data/lib/dawn/kb/cve_2013_2513.rb +0 -25
- data/lib/dawn/kb/cve_2013_2516.rb +0 -26
- data/lib/dawn/kb/cve_2013_2615.rb +0 -27
- data/lib/dawn/kb/cve_2013_2616.rb +0 -27
- data/lib/dawn/kb/cve_2013_2617.rb +0 -28
- data/lib/dawn/kb/cve_2013_3221.rb +0 -27
- data/lib/dawn/kb/cve_2013_4164.rb +0 -30
- data/lib/dawn/kb/cve_2013_4203.rb +0 -25
- data/lib/dawn/kb/cve_2013_4389.rb +0 -26
- data/lib/dawn/kb/cve_2013_4413.rb +0 -27
- data/lib/dawn/kb/cve_2013_4457.rb +0 -29
- data/lib/dawn/kb/cve_2013_4478.rb +0 -26
- data/lib/dawn/kb/cve_2013_4479.rb +0 -26
- data/lib/dawn/kb/cve_2013_4489.rb +0 -28
- data/lib/dawn/kb/cve_2013_4491.rb +0 -29
- data/lib/dawn/kb/cve_2013_4492.rb +0 -29
- data/lib/dawn/kb/cve_2013_4562.rb +0 -27
- data/lib/dawn/kb/cve_2013_4593.rb +0 -27
- data/lib/dawn/kb/cve_2013_5647.rb +0 -29
- data/lib/dawn/kb/cve_2013_5671.rb +0 -26
- data/lib/dawn/kb/cve_2013_6414.rb +0 -30
- data/lib/dawn/kb/cve_2013_6415.rb +0 -29
- data/lib/dawn/kb/cve_2013_6416.rb +0 -29
- data/lib/dawn/kb/cve_2013_6417.rb +0 -30
- data/lib/dawn/kb/cve_2013_6421.rb +0 -28
- data/lib/dawn/kb/cve_2013_6459.rb +0 -28
- data/lib/dawn/kb/cve_2013_6460.rb +0 -53
- data/lib/dawn/kb/cve_2013_6461.rb +0 -57
- data/lib/dawn/kb/cve_2013_7086.rb +0 -27
- data/lib/dawn/kb/cve_2014_0036.rb +0 -27
- data/lib/dawn/kb/cve_2014_0080.rb +0 -29
- data/lib/dawn/kb/cve_2014_0081.rb +0 -27
- data/lib/dawn/kb/cve_2014_0082.rb +0 -27
- data/lib/dawn/kb/cve_2014_0130.rb +0 -27
- data/lib/dawn/kb/cve_2014_1233.rb +0 -27
- data/lib/dawn/kb/cve_2014_1234.rb +0 -26
- data/lib/dawn/kb/cve_2014_2322.rb +0 -28
- data/lib/dawn/kb/cve_2014_2525.rb +0 -59
- data/lib/dawn/kb/cve_2014_2538.rb +0 -26
- data/lib/dawn/kb/cve_2014_3482.rb +0 -28
- data/lib/dawn/kb/cve_2014_3483.rb +0 -28
- data/lib/dawn/kb/cve_2014_3916.rb +0 -29
- data/lib/dawn/kb/cve_2014_4975.rb +0 -28
- data/lib/dawn/kb/cve_2014_7818.rb +0 -27
- data/lib/dawn/kb/cve_2014_7819.rb +0 -31
- data/lib/dawn/kb/cve_2014_7829.rb +0 -30
- data/lib/dawn/kb/cve_2014_8090.rb +0 -30
- data/lib/dawn/kb/cve_2014_9490.rb +0 -29
- data/lib/dawn/kb/cve_2015_1819.rb +0 -34
- data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
- data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
- data/lib/dawn/kb/cve_2015_2963.rb +0 -27
- data/lib/dawn/kb/cve_2015_3224.rb +0 -26
- data/lib/dawn/kb/cve_2015_3225.rb +0 -28
- data/lib/dawn/kb/cve_2015_3226.rb +0 -27
- data/lib/dawn/kb/cve_2015_3227.rb +0 -28
- data/lib/dawn/kb/cve_2015_3448.rb +0 -29
- data/lib/dawn/kb/cve_2015_4020.rb +0 -34
- data/lib/dawn/kb/cve_2015_5312.rb +0 -30
- data/lib/dawn/kb/cve_2015_7497.rb +0 -32
- data/lib/dawn/kb/cve_2015_7498.rb +0 -32
- data/lib/dawn/kb/cve_2015_7499.rb +0 -32
- data/lib/dawn/kb/cve_2015_7500.rb +0 -32
- data/lib/dawn/kb/cve_2015_7519.rb +0 -31
- data/lib/dawn/kb/cve_2015_7541.rb +0 -31
- data/lib/dawn/kb/cve_2015_7576.rb +0 -35
- data/lib/dawn/kb/cve_2015_7577.rb +0 -34
- data/lib/dawn/kb/cve_2015_7578.rb +0 -30
- data/lib/dawn/kb/cve_2015_7579.rb +0 -30
- data/lib/dawn/kb/cve_2015_7581.rb +0 -33
- data/lib/dawn/kb/cve_2015_8241.rb +0 -32
- data/lib/dawn/kb/cve_2015_8242.rb +0 -32
- data/lib/dawn/kb/cve_2015_8317.rb +0 -32
- data/lib/dawn/kb/cve_2016_0751.rb +0 -32
- data/lib/dawn/kb/cve_2016_0752.rb +0 -35
- data/lib/dawn/kb/cve_2016_0753.rb +0 -31
- data/lib/dawn/kb/cve_2016_2097.rb +0 -35
- data/lib/dawn/kb/cve_2016_2098.rb +0 -35
- data/lib/dawn/kb/cve_2016_5697.rb +0 -30
- data/lib/dawn/kb/cve_2016_6316.rb +0 -33
- data/lib/dawn/kb/cve_2016_6317.rb +0 -32
- data/lib/dawn/kb/cve_2016_6582.rb +0 -43
- data/lib/dawn/kb/not_revised_code.rb +0 -22
- data/lib/dawn/kb/osvdb_105971.rb +0 -29
- data/lib/dawn/kb/osvdb_108530.rb +0 -27
- data/lib/dawn/kb/osvdb_108563.rb +0 -28
- data/lib/dawn/kb/osvdb_108569.rb +0 -28
- data/lib/dawn/kb/osvdb_108570.rb +0 -27
- data/lib/dawn/kb/osvdb_115654.rb +0 -33
- data/lib/dawn/kb/osvdb_116010.rb +0 -30
- data/lib/dawn/kb/osvdb_117903.rb +0 -30
- data/lib/dawn/kb/osvdb_118579.rb +0 -31
- data/lib/dawn/kb/osvdb_118830.rb +0 -32
- data/lib/dawn/kb/osvdb_118954.rb +0 -33
- data/lib/dawn/kb/osvdb_119878.rb +0 -32
- data/lib/dawn/kb/osvdb_119927.rb +0 -33
- data/lib/dawn/kb/osvdb_120415.rb +0 -31
- data/lib/dawn/kb/osvdb_120857.rb +0 -34
- data/lib/dawn/kb/osvdb_121701.rb +0 -30
- data/lib/dawn/kb/osvdb_132234.rb +0 -34
- data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
- data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
- data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
- data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
- data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
- data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
- data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
- data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
- data/lib/dawn/knowledge_base_experimental.rb +0 -245
- data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
- data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
- data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
- data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
- data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
- data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
- data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
- data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
- data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
- data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
- data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
- data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
- data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
- data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
- data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
- data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
- data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
- data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
- data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
- data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
- data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
- data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
- data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
- data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
- data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
- data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
- data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
- data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
- data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
- data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
- data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
- data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
- data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
- data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
- data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
- data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
- data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
- data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
- data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
- data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
- data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
- data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
- data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
- data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
- data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
- data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
- data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
- data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
- data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
- data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
- data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
- data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
- data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
- data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
- data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
- data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
- data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
- data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
- data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
- data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
- data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
- data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
- data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
- data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
- data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
- data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
- data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
- data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
- data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
- data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
- data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
- data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
- data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
- data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
- data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
- data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
- metadata.gz.sig +0 -0
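--- a/data/lib/dawn/kb/cve_2014_1233.rb
+++ b/data/lib/dawn/kb/cve_2014_1233.rb
@@ -1,27 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2014-02-05
-class CVE_2014_1233
-include DependencyCheck
-
-def initialize
-message = "The paratrooper-pingdom gem 1.0.0 for Ruby allows local users to obtain the App-Key, username, and password values by listing the curl process."
-
-super({
-:name=>"CVE-2014-1233",
-:cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
-:release_date => Date.new(2014, 01, 10),
-:cwe=>"200",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade paratrooper-pingdom version up to version 1.0.0.",
-:aux_links=>["http://www.vapid.dhs.org/advisories/paratrooper-api-key-pingdom.html"]
-})
-
-self.safe_dependencies = [{:name=>"paratrooper-pingdom", :version=>['1.0.1']}]
-end
-end
-end
-end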
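--- a/data/lib/dawn/kb/cve_2014_1234.rb
+++ b/data/lib/dawn/kb/cve_2014_1234.rb
@@ -1,26 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2014-02-05
-class CVE_2014_1234
-include DependencyCheck
-
-def initialize
-message = "The paratrooper-newrelic gem 1.0.1 for Ruby allows local users to obtain the X-Api-Key value by listing the curl process."
-super({
-:name=>"CVE-2014-1234",
-:cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
-:release_date => Date.new(2014, 01, 10),
-:cwe=>"200",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade paratrooper-newrelic version up to version 1.0.1.",
-:aux_links=>["http://www.vapid.dhs.org/advisories/paratrooper-newrelic-api.html"]
-})
-
-self.safe_dependencies = [{:name=>"paratrooper-newrelic", :version=>['1.0.2']}]
-end
-end
-end
-end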
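--- a/data/lib/dawn/kb/cve_2014_2322.rb
+++ b/data/lib/dawn/kb/cve_2014_2322.rb
@@ -1,28 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2014-03-14
-class CVE_2014_2322
-# Include the testing skeleton for this CVE
-include DependencyCheck
-
-def initialize
-message = "Arabic Prawn Gem for Ruby contains a flaw in the ib/string_utf_support.rb file. The issue is due to the program failing to sanitize user input. This may allow a remote attacker to inject arbitrary commands."
-
-super({
-:name=>"CVE-2014-2322",
-:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
-:release_date => Date.new(2014, 3, 10),
-:cwe=>"",
-:owasp=>"A9",
-:applies=>["sinatra", "padrino", "rails"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"At March, 14 2014 a fixed Arabic-Prawn release is not available. Please sanitize your input before passing it to this gem and upgrade to higher versions as soon as possible",
-:aux_links=>["http://packetstormsecurity.com/files/125679/Ruby-Gem-Arabic-Prawn-0.0.1-Command-Injection.html"]
-})
-
-self.safe_dependencies = [{:name=>"Arabic-Prawn", :version=>['0.0.2']}]
-end
-end
-end
-end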
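--- a/data/lib/dawn/kb/cve_2014_2525.rb
+++ b/data/lib/dawn/kb/cve_2014_2525.rb
@@ -1,59 +0,0 @@
-module Dawn
-module Kb
-class CVE_2014_2525_a
-include BasicCheck
-
-def initialize
-message = "When relying on system wide libyaml, this must be > 0.1.5"
-super({
-:name=>"CVE-2014-2525-a",
-:kind=>Dawn::KnowledgeBase::CUSTOM_CHECK,
-})
-end
-def vuln?
-require 'yaml'
-lyv = Psych.libyaml_version.join(".")
-c = Dawn::Kb::VersionCheck.new
-return c.is_vulnerable_version?('0.1.6', lyv)
-end
-end
-class CVE_2014_2525_b
-include DependencyCheck
-
-def initialize
-message = "When non relying on system wide libyaml, psych gem must be > 2.0.5"
-super({
-:name=>"CVE-2014-2525-b",
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-})
-self.safe_dependencies = [{:name=>"psych", :version=>['2.0.5']}]
-end
-
-end
-
-# Automatically created with rake on 2014-03-31
-class CVE_2014_2525
-include ComboCheck
-
-def initialize
-message = ""
-
-super({
-:name=>"CVE-2014-2525",
-:cvss=>"",
-:release_date => Date.new(2014, 3, 28),
-:cwe=>"",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::COMBO_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade your system libyaml or upgrade psych gem to version 2.0.5 or higher that is linked with a safe libyaml version.",
-:aux_links=>["https://www.ruby-lang.org/en/news/2014/03/29/heap-overflow-in-yaml-uri-escape-parsing-cve-2014-2525"],
-:severity=>:high,
-:prority=>:high,
-:checks=>[CVE_2014_2525_a.new, CVE_2014_2525_b.new]
-})
-end
-end
-end
-end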
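--- a/data/lib/dawn/kb/cve_2014_2538.rb
+++ b/data/lib/dawn/kb/cve_2014_2538.rb
@@ -1,26 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2014-03-23
-class CVE_2014_2538
-include DependencyCheck
-
-def initialize
-message = "rack-ssl Gem for Ruby contains a flaw that allows a reflected cross-site scripting (XSS) attack. This flaw exists because the program does not validate input passed via error messages before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server."
-super({
-:name=>"CVE-2014-2538",
-:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
-:release_date => Date.new(2014, 3, 25),
-:cwe=>"79",
-:owasp=>"A3",
-:applies=>["rails"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"A new version for rack-ssl version it has been released. Pleas upgrade at least to version 1.3.4 or higher.",
-:aux_links=>["http://seclists.org/oss-sec/2014/q1/594"]
-})
-
-self.safe_dependencies = [{:name=>"rack-ssl", :version=>['1.3.4']}]
-end
-end
-end
-end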
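--- a/data/lib/dawn/kb/cve_2014_3482.rb
+++ b/data/lib/dawn/kb/cve_2014_3482.rb
@@ -1,28 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2014-07-04
-class CVE_2014_3482
-include DependencyCheck
-
-def initialize
-message = "Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting bitstrings. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
-super({
-:name=> "CVE-2014-3482",
-:cve=>"CVE-2014-3482",
-:osvdb=>"108664",
-:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
-:release_date => Date.new(2014, 7, 2),
-:cwe=>"",
-:owasp=>"A1",
-:applies=>["rails"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade rails version at least to 3.2.19. As a general rule, using the latest stable version is recommended.",
-:aux_links=>["http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/"]
-})
-self.safe_dependencies = [{:name=>"rails", :version=>['3.2.19']}]
-
-end
-end
-end
-end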
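--- a/data/lib/dawn/kb/cve_2014_3483.rb
+++ b/data/lib/dawn/kb/cve_2014_3483.rb
@@ -1,28 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2014-07-07
-class CVE_2014_3483
-include DependencyCheck
-
-def initialize
-message = "Ruby on Rails contains a flaw that may allow carrying out an SQL injection attack. The issue is due to the PostgreSQL adapter for Active Record not properly sanitizing user-supplied input when quoting ranges. This may allow a remote attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data."
-super({
-:name=>"CVE-2014-3483",
-:cve=>"2014-3483",
-:osvdb=>"108665",
-:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
-:release_date => Date.new(2014, 7, 2),
-:cwe=>"",
-:owasp=>"A1",
-:applies=>["rails"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade rails at least to version 4.0.7 or 4.1.3. As a general rule, using the latest stable rails version is recommended.",
-:aux_links=>["http://weblog.rubyonrails.org/2014/7/2/Rails_3_2_19_4_0_7_and_4_1_3_have_been_released/"]
-})
-self.save_major=true
-self.safe_dependencies = [{:name=>"rails", :version=>['4.0.7', '4.1.3']}]
-end
-end
-end
-end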
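--- a/data/lib/dawn/kb/cve_2014_3916.rb
+++ b/data/lib/dawn/kb/cve_2014_3916.rb
@@ -1,29 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2015-08-03
-class CVE_2014_3916
-include RubyVersionCheck
-
-def initialize
-message = "The str_buf_cat function in string.c in Ruby 1.9.3, 2.0.0, and 2.1 allows context-dependent attackers to cause a denial of service (segmentation fault and crash) via a long string."
-super({
-:name=>"CVE-2014-3916",
-:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
-:release_date => Date.new(2014, 11, 16),
-:cwe=>"19",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade ruby interpreter to 2.2.x or later.",
-:aux_links=>["https://bugs.ruby-lang.org/issues/9709", "http://www.securityfocus.com/bid/67705"]
-})
-
-self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
-{:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
-{:engine=>"ruby", :version=>"2.1.99", :patchlevel=>"p999"}]
-
-end
-end
-end
-end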
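--- a/data/lib/dawn/kb/cve_2014_4975.rb
+++ b/data/lib/dawn/kb/cve_2014_4975.rb
@@ -1,28 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2015-08-03
-class CVE_2014_4975
-include RubyVersionCheck
-
-def initialize
-message = "Off-by-one error in the encodes function in pack.c in Ruby 1.9.3 and earlier, and 2.x through 2.1.2, when using certain format string specifiers, allows context-dependent attackers to cause a denial of service (segmentation fault) via vectors that trigger a stack-based buffer overflow."
-super({
-:name=>"CVE-2014-4975",
-:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
-:release_date => Date.new(2014, 11, 15),
-:cwe=>"119",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade ruby interpreter to 2.1.3 or later. Please note that latest 2.2.x version is suggested.",
-:aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=46778", "https://bugs.ruby-lang.org/issues/10019"]
-})
-
-self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.99", :patchlevel=>"p999"},
-{:engine=>"ruby", :version=>"2.0.99", :patchlevel=>"p999"},
-{:engine=>"ruby", :version=>"2.1.2", :patchlevel=>"p999"}]
-end
-end
-end
-end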
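--- a/data/lib/dawn/kb/cve_2014_7818.rb
+++ b/data/lib/dawn/kb/cve_2014_7818.rb
@@ -1,27 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2015-09-02
-class CVE_2014_7818
-include DependencyCheck
-
-def initialize
-message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via a /..%2F sequence."
-super({
-:name=>"CVE-2014-7818",
-:cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:N",
-:release_date => Date.new(2014, 11, 8),
-:cwe=>"22",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade rails gem to latest version or at least 3.2.20, 4.0.11, 4.1.7 or 4.2.0.beta3. If unsure upgrade to the latest available version.",
-:aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ"]
-})
-
-self.safe_dependencies = [{:name=>"rails", :version=>['3.2.20', '4.0.11', '4.1.7', '4.2.0.beta3']}]
-self.save_major = true
-end
-end
-end
-end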
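--- a/data/lib/dawn/kb/cve_2014_7819.rb
+++ b/data/lib/dawn/kb/cve_2014_7819.rb
@@ -1,31 +0,0 @@
-module Dawn
-module Kb
-# Automatically created with rake on 2015-08-31
-class CVE_2014_7819
-include DependencyCheck
-
-def initialize
-message = "Multiple directory traversal vulnerabilities in server.rb in Sprockets before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3, 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3, and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow remote attackers to determine the existence of files outside the application root via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding."
-
-super({
-:name=>"CVE-2014-7819",
-:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N)",
-:release_date => Date.new(2014, 11, 8),
-:cwe=>"22",
-:owasp=>"A9",
-:applies=>["rails", "sinatra", "padrino"],
-:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
-:message=>message,
-:mitigation=>"Please upgrade rails gem to latest version or at least 3.2.18 or 4.1.8. If you're using sprockets standalone, please upgrade it to the latest version.",
-:aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/wQBeGXqGs3E/JqUMB6fhh3gJ"]
-})
-
-self.save_major = true
-self.save_minor = true
-self.safe_dependencies = [{:name=>"rails", :version=>['3.2.18', '4.1.8']},
-{:name=>"sprockets", :version=>['2.0.6', '2.1.4', '2.2.3', '2.3.3', '2.4.6', '2.5.1', '2.6.1', '2.7.1', '2.8.3', '2.9.4', '2.10.2', '2.11.3', '2.12.3', '3.0.0.beta3']}]
-
-end
-end
-end
-end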
@@ -1,30 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2015-07-31
|
4
|
-
class CVE_2014_7829
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21, 4.0.x before 4.0.12, 4.1.x before 4.1.8, and 4.2.x before 4.2.0.beta4, when serve_static_assets is enabled, allows remote attackers to determine the existence of files outside the application root via vectors involving a \ (backslash) character, a similar issue to CVE-2014-7818."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2014-7829",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
13
|
-
:release_date => Date.new(2014, 11, 18),
|
14
|
-
:cwe=>"22",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:applies=>["rails"],
|
17
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
-
:message=>message,
|
19
|
-
:mitigation=>"Please upgrade rails gem to latest version or at least 3.2.21, 4.0.12, 4.1.8 or 4.2.0.beta4.",
|
20
|
-
:aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/rMTQy4oRCGk/loS_CRS8mNEJ"]
|
21
|
-
})
|
22
|
-
|
23
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['3.2.21', '4.0.12', '4.1.8', '4.2.0.beta4']}]
|
24
|
-
self.save_major = true
|
25
|
-
self.save_minor = false
|
26
|
-
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
@@ -1,30 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2015-07-31
|
4
|
-
class CVE_2014_8090
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nested entity references, aka an XML Entity Expansion (XEE) attack. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1821 and CVE-2014-8080."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2014-8090",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
13
|
-
:release_date => Date.new(2014, 11, 21),
|
14
|
-
:cwe=>"611",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:applies=>["rails", "sinatra", "padrino"],
|
17
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
18
|
-
:message=>message,
|
19
|
-
:mitigation=>"Please upgrade ruby interpreter to 1.9.3-p551 or 2.0.0-p598 or 2.1.5. Please note that latest 2.2.x version is suggested.",
|
20
|
-
:aux_links=>["https://www.ruby-lang.org/en/news/2014/11/13/rexml-dos-cve-2014-8090/"]
|
21
|
-
})
|
22
|
-
|
23
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p551"},
|
24
|
-
{:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p598"},
|
25
|
-
{:engine=>"ruby", :version=>"2.1.5", :patchlevel=>"p0"}]
|
26
|
-
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
@@ -1,29 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2015-07-30
|
4
|
-
class CVE_2014_9490
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "The numtok function in lib/raven/okjson.rb in the raven-ruby gem before 0.12.2 for Ruby allows remote attackers to cause a denial of service via a large exponent value in a scientific number."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2014-9490",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
13
|
-
:release_date => Date.new(2015, 1, 20),
|
14
|
-
:cwe=>"399",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:osvdb=>"115654",
|
17
|
-
:applies=>["sinatra", "padrino", "rails"],
|
18
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
19
|
-
:message=>message,
|
20
|
-
:mitigation=>"Please upgrade raven-ruby gem to the latest version",
|
21
|
-
:aux_links=>["https://github.com/getsentry/raven-ruby/commit/477ee93a3f735be33bc1e726820654cdf6e22d8f", "http://seclists.org/oss-sec/2015/q1/26"]
|
22
|
-
})
|
23
|
-
|
24
|
-
self.safe_dependencies = [{:name=>"raven-ruby", :version=>['0.12.2']}]
|
25
|
-
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|