dawnscanner 1.6.8 → 2.0.0.rc4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (387) hide show
  1. checksums.yaml +5 -5
  2. data/.gitignore +1 -0
  3. data/.ruby-version +1 -1
  4. data/Changelog.md +27 -1
  5. data/LICENSE.txt +1 -1
  6. data/README.md +59 -57
  7. data/Rakefile +10 -242
  8. data/Roadmap.md +15 -23
  9. data/VERSION +1 -1
  10. data/bin/dawn +17 -273
  11. data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
  12. data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
  13. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  14. data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
  15. data/dawnscanner.gemspec +10 -9
  16. data/doc/change.sh +13 -0
  17. data/doc/kickstart_kb.tar.gz +0 -0
  18. data/doc/knowledge_base.rb +650 -0
  19. data/docs/.placeholder +0 -0
  20. data/docs/CNAME +1 -0
  21. data/docs/_config.yml +1 -0
  22. data/lib/dawn/cli/dawn_cli.rb +139 -0
  23. data/lib/dawn/core.rb +8 -7
  24. data/lib/dawn/engine.rb +93 -34
  25. data/lib/dawn/gemfile_lock.rb +2 -2
  26. data/lib/dawn/kb/basic_check.rb +1 -2
  27. data/lib/dawn/kb/combo_check.rb +1 -1
  28. data/lib/dawn/kb/dependency_check.rb +1 -1
  29. data/lib/dawn/kb/operating_system_check.rb +1 -1
  30. data/lib/dawn/kb/pattern_match_check.rb +10 -9
  31. data/lib/dawn/kb/ruby_version_check.rb +11 -10
  32. data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
  33. data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
  34. data/lib/dawn/kb/version_check.rb +41 -24
  35. data/lib/dawn/knowledge_base.rb +259 -595
  36. data/lib/dawn/reporter.rb +2 -1
  37. data/lib/dawn/utils.rb +5 -2
  38. data/lib/dawn/version.rb +5 -5
  39. data/lib/dawnscanner.rb +7 -6
  40. data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
  41. data/spec/lib/kb/dependency_check.yml +29 -0
  42. metadata +30 -496
  43. checksums.yaml.gz.sig +0 -0
  44. data.tar.gz.sig +0 -0
  45. data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
  46. data/lib/dawn/kb/cve_2004_0755.rb +0 -33
  47. data/lib/dawn/kb/cve_2004_0983.rb +0 -31
  48. data/lib/dawn/kb/cve_2005_1992.rb +0 -31
  49. data/lib/dawn/kb/cve_2005_2337.rb +0 -33
  50. data/lib/dawn/kb/cve_2006_1931.rb +0 -30
  51. data/lib/dawn/kb/cve_2006_2582.rb +0 -28
  52. data/lib/dawn/kb/cve_2006_3694.rb +0 -31
  53. data/lib/dawn/kb/cve_2006_4112.rb +0 -27
  54. data/lib/dawn/kb/cve_2006_5467.rb +0 -28
  55. data/lib/dawn/kb/cve_2006_6303.rb +0 -28
  56. data/lib/dawn/kb/cve_2006_6852.rb +0 -27
  57. data/lib/dawn/kb/cve_2006_6979.rb +0 -29
  58. data/lib/dawn/kb/cve_2007_0469.rb +0 -29
  59. data/lib/dawn/kb/cve_2007_5162.rb +0 -28
  60. data/lib/dawn/kb/cve_2007_5379.rb +0 -27
  61. data/lib/dawn/kb/cve_2007_5380.rb +0 -29
  62. data/lib/dawn/kb/cve_2007_5770.rb +0 -30
  63. data/lib/dawn/kb/cve_2007_6077.rb +0 -31
  64. data/lib/dawn/kb/cve_2007_6612.rb +0 -30
  65. data/lib/dawn/kb/cve_2008_1145.rb +0 -38
  66. data/lib/dawn/kb/cve_2008_1891.rb +0 -38
  67. data/lib/dawn/kb/cve_2008_2376.rb +0 -30
  68. data/lib/dawn/kb/cve_2008_2662.rb +0 -33
  69. data/lib/dawn/kb/cve_2008_2663.rb +0 -32
  70. data/lib/dawn/kb/cve_2008_2664.rb +0 -33
  71. data/lib/dawn/kb/cve_2008_2725.rb +0 -31
  72. data/lib/dawn/kb/cve_2008_3655.rb +0 -37
  73. data/lib/dawn/kb/cve_2008_3657.rb +0 -37
  74. data/lib/dawn/kb/cve_2008_3790.rb +0 -30
  75. data/lib/dawn/kb/cve_2008_3905.rb +0 -36
  76. data/lib/dawn/kb/cve_2008_4094.rb +0 -27
  77. data/lib/dawn/kb/cve_2008_4310.rb +0 -100
  78. data/lib/dawn/kb/cve_2008_5189.rb +0 -27
  79. data/lib/dawn/kb/cve_2008_7248.rb +0 -27
  80. data/lib/dawn/kb/cve_2009_4078.rb +0 -29
  81. data/lib/dawn/kb/cve_2009_4124.rb +0 -30
  82. data/lib/dawn/kb/cve_2009_4214.rb +0 -27
  83. data/lib/dawn/kb/cve_2010_1330.rb +0 -28
  84. data/lib/dawn/kb/cve_2010_2489.rb +0 -60
  85. data/lib/dawn/kb/cve_2010_3933.rb +0 -27
  86. data/lib/dawn/kb/cve_2011_0188.rb +0 -67
  87. data/lib/dawn/kb/cve_2011_0446.rb +0 -28
  88. data/lib/dawn/kb/cve_2011_0447.rb +0 -28
  89. data/lib/dawn/kb/cve_2011_0739.rb +0 -28
  90. data/lib/dawn/kb/cve_2011_0995.rb +0 -61
  91. data/lib/dawn/kb/cve_2011_1004.rb +0 -34
  92. data/lib/dawn/kb/cve_2011_1005.rb +0 -31
  93. data/lib/dawn/kb/cve_2011_2197.rb +0 -27
  94. data/lib/dawn/kb/cve_2011_2686.rb +0 -29
  95. data/lib/dawn/kb/cve_2011_2705.rb +0 -32
  96. data/lib/dawn/kb/cve_2011_2929.rb +0 -27
  97. data/lib/dawn/kb/cve_2011_2930.rb +0 -28
  98. data/lib/dawn/kb/cve_2011_2931.rb +0 -30
  99. data/lib/dawn/kb/cve_2011_2932.rb +0 -27
  100. data/lib/dawn/kb/cve_2011_3009.rb +0 -28
  101. data/lib/dawn/kb/cve_2011_3186.rb +0 -29
  102. data/lib/dawn/kb/cve_2011_3187.rb +0 -29
  103. data/lib/dawn/kb/cve_2011_4319.rb +0 -30
  104. data/lib/dawn/kb/cve_2011_4815.rb +0 -28
  105. data/lib/dawn/kb/cve_2011_5036.rb +0 -26
  106. data/lib/dawn/kb/cve_2012_1098.rb +0 -30
  107. data/lib/dawn/kb/cve_2012_1099.rb +0 -27
  108. data/lib/dawn/kb/cve_2012_1241.rb +0 -27
  109. data/lib/dawn/kb/cve_2012_2139.rb +0 -26
  110. data/lib/dawn/kb/cve_2012_2140.rb +0 -27
  111. data/lib/dawn/kb/cve_2012_2660.rb +0 -28
  112. data/lib/dawn/kb/cve_2012_2661.rb +0 -27
  113. data/lib/dawn/kb/cve_2012_2671.rb +0 -28
  114. data/lib/dawn/kb/cve_2012_2694.rb +0 -30
  115. data/lib/dawn/kb/cve_2012_2695.rb +0 -27
  116. data/lib/dawn/kb/cve_2012_3424.rb +0 -29
  117. data/lib/dawn/kb/cve_2012_3463.rb +0 -27
  118. data/lib/dawn/kb/cve_2012_3464.rb +0 -27
  119. data/lib/dawn/kb/cve_2012_3465.rb +0 -26
  120. data/lib/dawn/kb/cve_2012_4464.rb +0 -27
  121. data/lib/dawn/kb/cve_2012_4466.rb +0 -27
  122. data/lib/dawn/kb/cve_2012_4481.rb +0 -26
  123. data/lib/dawn/kb/cve_2012_4522.rb +0 -27
  124. data/lib/dawn/kb/cve_2012_5370.rb +0 -27
  125. data/lib/dawn/kb/cve_2012_5371.rb +0 -27
  126. data/lib/dawn/kb/cve_2012_5380.rb +0 -28
  127. data/lib/dawn/kb/cve_2012_6109.rb +0 -25
  128. data/lib/dawn/kb/cve_2012_6134.rb +0 -27
  129. data/lib/dawn/kb/cve_2012_6496.rb +0 -28
  130. data/lib/dawn/kb/cve_2012_6497.rb +0 -28
  131. data/lib/dawn/kb/cve_2012_6684.rb +0 -28
  132. data/lib/dawn/kb/cve_2013_0155.rb +0 -29
  133. data/lib/dawn/kb/cve_2013_0156.rb +0 -27
  134. data/lib/dawn/kb/cve_2013_0162.rb +0 -28
  135. data/lib/dawn/kb/cve_2013_0175.rb +0 -27
  136. data/lib/dawn/kb/cve_2013_0183.rb +0 -25
  137. data/lib/dawn/kb/cve_2013_0184.rb +0 -25
  138. data/lib/dawn/kb/cve_2013_0233.rb +0 -26
  139. data/lib/dawn/kb/cve_2013_0256.rb +0 -59
  140. data/lib/dawn/kb/cve_2013_0262.rb +0 -26
  141. data/lib/dawn/kb/cve_2013_0263.rb +0 -26
  142. data/lib/dawn/kb/cve_2013_0269.rb +0 -27
  143. data/lib/dawn/kb/cve_2013_0276.rb +0 -28
  144. data/lib/dawn/kb/cve_2013_0277.rb +0 -25
  145. data/lib/dawn/kb/cve_2013_0284.rb +0 -27
  146. data/lib/dawn/kb/cve_2013_0285.rb +0 -27
  147. data/lib/dawn/kb/cve_2013_0333.rb +0 -28
  148. data/lib/dawn/kb/cve_2013_0334.rb +0 -25
  149. data/lib/dawn/kb/cve_2013_1607.rb +0 -25
  150. data/lib/dawn/kb/cve_2013_1655.rb +0 -65
  151. data/lib/dawn/kb/cve_2013_1656.rb +0 -28
  152. data/lib/dawn/kb/cve_2013_1756.rb +0 -26
  153. data/lib/dawn/kb/cve_2013_1800.rb +0 -26
  154. data/lib/dawn/kb/cve_2013_1801.rb +0 -27
  155. data/lib/dawn/kb/cve_2013_1802.rb +0 -27
  156. data/lib/dawn/kb/cve_2013_1812.rb +0 -27
  157. data/lib/dawn/kb/cve_2013_1821.rb +0 -28
  158. data/lib/dawn/kb/cve_2013_1854.rb +0 -26
  159. data/lib/dawn/kb/cve_2013_1855.rb +0 -25
  160. data/lib/dawn/kb/cve_2013_1856.rb +0 -26
  161. data/lib/dawn/kb/cve_2013_1857.rb +0 -27
  162. data/lib/dawn/kb/cve_2013_1875.rb +0 -27
  163. data/lib/dawn/kb/cve_2013_1898.rb +0 -27
  164. data/lib/dawn/kb/cve_2013_1911.rb +0 -28
  165. data/lib/dawn/kb/cve_2013_1933.rb +0 -27
  166. data/lib/dawn/kb/cve_2013_1947.rb +0 -27
  167. data/lib/dawn/kb/cve_2013_1948.rb +0 -27
  168. data/lib/dawn/kb/cve_2013_2065.rb +0 -29
  169. data/lib/dawn/kb/cve_2013_2090.rb +0 -28
  170. data/lib/dawn/kb/cve_2013_2105.rb +0 -26
  171. data/lib/dawn/kb/cve_2013_2119.rb +0 -27
  172. data/lib/dawn/kb/cve_2013_2512.rb +0 -26
  173. data/lib/dawn/kb/cve_2013_2513.rb +0 -25
  174. data/lib/dawn/kb/cve_2013_2516.rb +0 -26
  175. data/lib/dawn/kb/cve_2013_2615.rb +0 -27
  176. data/lib/dawn/kb/cve_2013_2616.rb +0 -27
  177. data/lib/dawn/kb/cve_2013_2617.rb +0 -28
  178. data/lib/dawn/kb/cve_2013_3221.rb +0 -27
  179. data/lib/dawn/kb/cve_2013_4164.rb +0 -30
  180. data/lib/dawn/kb/cve_2013_4203.rb +0 -25
  181. data/lib/dawn/kb/cve_2013_4389.rb +0 -26
  182. data/lib/dawn/kb/cve_2013_4413.rb +0 -27
  183. data/lib/dawn/kb/cve_2013_4457.rb +0 -29
  184. data/lib/dawn/kb/cve_2013_4478.rb +0 -26
  185. data/lib/dawn/kb/cve_2013_4479.rb +0 -26
  186. data/lib/dawn/kb/cve_2013_4489.rb +0 -28
  187. data/lib/dawn/kb/cve_2013_4491.rb +0 -29
  188. data/lib/dawn/kb/cve_2013_4492.rb +0 -29
  189. data/lib/dawn/kb/cve_2013_4562.rb +0 -27
  190. data/lib/dawn/kb/cve_2013_4593.rb +0 -27
  191. data/lib/dawn/kb/cve_2013_5647.rb +0 -29
  192. data/lib/dawn/kb/cve_2013_5671.rb +0 -26
  193. data/lib/dawn/kb/cve_2013_6414.rb +0 -30
  194. data/lib/dawn/kb/cve_2013_6415.rb +0 -29
  195. data/lib/dawn/kb/cve_2013_6416.rb +0 -29
  196. data/lib/dawn/kb/cve_2013_6417.rb +0 -30
  197. data/lib/dawn/kb/cve_2013_6421.rb +0 -28
  198. data/lib/dawn/kb/cve_2013_6459.rb +0 -28
  199. data/lib/dawn/kb/cve_2013_6460.rb +0 -53
  200. data/lib/dawn/kb/cve_2013_6461.rb +0 -57
  201. data/lib/dawn/kb/cve_2013_7086.rb +0 -27
  202. data/lib/dawn/kb/cve_2014_0036.rb +0 -27
  203. data/lib/dawn/kb/cve_2014_0080.rb +0 -29
  204. data/lib/dawn/kb/cve_2014_0081.rb +0 -27
  205. data/lib/dawn/kb/cve_2014_0082.rb +0 -27
  206. data/lib/dawn/kb/cve_2014_0130.rb +0 -27
  207. data/lib/dawn/kb/cve_2014_1233.rb +0 -27
  208. data/lib/dawn/kb/cve_2014_1234.rb +0 -26
  209. data/lib/dawn/kb/cve_2014_2322.rb +0 -28
  210. data/lib/dawn/kb/cve_2014_2525.rb +0 -59
  211. data/lib/dawn/kb/cve_2014_2538.rb +0 -26
  212. data/lib/dawn/kb/cve_2014_3482.rb +0 -28
  213. data/lib/dawn/kb/cve_2014_3483.rb +0 -28
  214. data/lib/dawn/kb/cve_2014_3916.rb +0 -29
  215. data/lib/dawn/kb/cve_2014_4975.rb +0 -28
  216. data/lib/dawn/kb/cve_2014_7818.rb +0 -27
  217. data/lib/dawn/kb/cve_2014_7819.rb +0 -31
  218. data/lib/dawn/kb/cve_2014_7829.rb +0 -30
  219. data/lib/dawn/kb/cve_2014_8090.rb +0 -30
  220. data/lib/dawn/kb/cve_2014_9490.rb +0 -29
  221. data/lib/dawn/kb/cve_2015_1819.rb +0 -34
  222. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
  223. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
  224. data/lib/dawn/kb/cve_2015_2963.rb +0 -27
  225. data/lib/dawn/kb/cve_2015_3224.rb +0 -26
  226. data/lib/dawn/kb/cve_2015_3225.rb +0 -28
  227. data/lib/dawn/kb/cve_2015_3226.rb +0 -27
  228. data/lib/dawn/kb/cve_2015_3227.rb +0 -28
  229. data/lib/dawn/kb/cve_2015_3448.rb +0 -29
  230. data/lib/dawn/kb/cve_2015_4020.rb +0 -34
  231. data/lib/dawn/kb/cve_2015_5312.rb +0 -30
  232. data/lib/dawn/kb/cve_2015_7497.rb +0 -32
  233. data/lib/dawn/kb/cve_2015_7498.rb +0 -32
  234. data/lib/dawn/kb/cve_2015_7499.rb +0 -32
  235. data/lib/dawn/kb/cve_2015_7500.rb +0 -32
  236. data/lib/dawn/kb/cve_2015_7519.rb +0 -31
  237. data/lib/dawn/kb/cve_2015_7541.rb +0 -31
  238. data/lib/dawn/kb/cve_2015_7576.rb +0 -35
  239. data/lib/dawn/kb/cve_2015_7577.rb +0 -34
  240. data/lib/dawn/kb/cve_2015_7578.rb +0 -30
  241. data/lib/dawn/kb/cve_2015_7579.rb +0 -30
  242. data/lib/dawn/kb/cve_2015_7581.rb +0 -33
  243. data/lib/dawn/kb/cve_2015_8241.rb +0 -32
  244. data/lib/dawn/kb/cve_2015_8242.rb +0 -32
  245. data/lib/dawn/kb/cve_2015_8317.rb +0 -32
  246. data/lib/dawn/kb/cve_2016_0751.rb +0 -32
  247. data/lib/dawn/kb/cve_2016_0752.rb +0 -35
  248. data/lib/dawn/kb/cve_2016_0753.rb +0 -31
  249. data/lib/dawn/kb/cve_2016_2097.rb +0 -35
  250. data/lib/dawn/kb/cve_2016_2098.rb +0 -35
  251. data/lib/dawn/kb/cve_2016_5697.rb +0 -30
  252. data/lib/dawn/kb/cve_2016_6316.rb +0 -33
  253. data/lib/dawn/kb/cve_2016_6317.rb +0 -32
  254. data/lib/dawn/kb/cve_2016_6582.rb +0 -43
  255. data/lib/dawn/kb/not_revised_code.rb +0 -22
  256. data/lib/dawn/kb/osvdb_105971.rb +0 -29
  257. data/lib/dawn/kb/osvdb_108530.rb +0 -27
  258. data/lib/dawn/kb/osvdb_108563.rb +0 -28
  259. data/lib/dawn/kb/osvdb_108569.rb +0 -28
  260. data/lib/dawn/kb/osvdb_108570.rb +0 -27
  261. data/lib/dawn/kb/osvdb_115654.rb +0 -33
  262. data/lib/dawn/kb/osvdb_116010.rb +0 -30
  263. data/lib/dawn/kb/osvdb_117903.rb +0 -30
  264. data/lib/dawn/kb/osvdb_118579.rb +0 -31
  265. data/lib/dawn/kb/osvdb_118830.rb +0 -32
  266. data/lib/dawn/kb/osvdb_118954.rb +0 -33
  267. data/lib/dawn/kb/osvdb_119878.rb +0 -32
  268. data/lib/dawn/kb/osvdb_119927.rb +0 -33
  269. data/lib/dawn/kb/osvdb_120415.rb +0 -31
  270. data/lib/dawn/kb/osvdb_120857.rb +0 -34
  271. data/lib/dawn/kb/osvdb_121701.rb +0 -30
  272. data/lib/dawn/kb/osvdb_132234.rb +0 -34
  273. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
  274. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
  275. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
  276. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
  277. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
  278. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
  279. data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
  280. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
  281. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
  282. data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
  283. data/lib/dawn/knowledge_base_experimental.rb +0 -245
  284. data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
  285. data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
  286. data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
  287. data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
  288. data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
  289. data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
  290. data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
  291. data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
  292. data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
  293. data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
  294. data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
  295. data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
  296. data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
  297. data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
  298. data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
  299. data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
  300. data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
  301. data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
  302. data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
  303. data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
  304. data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
  305. data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
  306. data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
  307. data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
  308. data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
  309. data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
  310. data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
  311. data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
  312. data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
  313. data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
  314. data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
  315. data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
  316. data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
  317. data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
  318. data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
  319. data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
  320. data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
  321. data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
  322. data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
  323. data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
  324. data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
  325. data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
  326. data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
  327. data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
  328. data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
  329. data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
  330. data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
  331. data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
  332. data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
  333. data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
  334. data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
  335. data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
  336. data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
  337. data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
  338. data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
  339. data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
  340. data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
  341. data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
  342. data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
  343. data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
  344. data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
  345. data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
  346. data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
  347. data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
  348. data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
  349. data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
  350. data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
  351. data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
  352. data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
  353. data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
  354. data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
  355. data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
  356. data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
  357. data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
  358. data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
  359. data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
  360. data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
  361. data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
  362. data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
  363. data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
  364. data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
  365. data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
  366. data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
  367. data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
  368. data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
  369. data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
  370. data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
  371. data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
  372. data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
  373. data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
  374. data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
  375. data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
  376. data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
  377. data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
  378. data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
  379. data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
  380. data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
  381. data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
  382. data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
  383. data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
  384. data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
  385. data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
  386. data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
  387. metadata.gz.sig +0 -0
@@ -1,34 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-12-03
4
- class CVE_2015_1819
5
- # Include the testing skeleton for this CVE
6
- # include PatternMatchCheck
7
- include DependencyCheck
8
- # include RubyVersionCheck
9
-
10
- def initialize
11
- title="Nokogiri denial of service (DoS) Memory Consumption"
12
- message="Nokogiri versions before 1.6.6.4 contain a vulnerable version of libxml2 as a C extension. The vulnerability allows for memory consumption denial of service."
13
- super({
14
- :title=>title,
15
- :name=> "CVE-2015-1819",
16
- :cve=>"2015-1819",
17
- :osvdb=>"",
18
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
19
- :release_date => Date.new(2015, 8, 14),
20
- :cwe=>"",
21
- :owasp=>"A9",
22
- :applies=>["rails", "sinatra", "padrino"],
23
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
24
- :message=>message,
25
- :mitigation=>"Please upgrade nokogiri gem to version 1.6.6.4 or later.",
26
- :aux_links=>[""]
27
- })
28
- self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.6.4']}]
29
-
30
-
31
- end
32
- end
33
- end
34
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_1840_a
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
9
-
10
- super({
11
- :name=>"CVE-2015-1840",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
13
- :release_date => Date.new(2015, 7, 26),
14
- :cwe=>"200",
15
- :owasp=>"A8",
16
- :applies=>["rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade jquery-ujs and jquery-rails gems to latest version.",
20
- :aux_links=>["https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md", "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"]
21
- })
22
- self.save_major = true
23
- self.safe_dependencies = [{:name=>"jquery-rails", :version=>['4.0.2', '3.1.3']}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_1840_b
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "jquery_ujs.js in jquery-rails before 3.1.3 and 4.x before 4.0.4 and rails.js in jquery-ujs before 1.0.4, as used with Ruby on Rails 3.x and 4.x, allow remote attackers to bypass the Same Origin Policy, and trigger transmission of a CSRF token to a different-domain web server, via a leading space character in a URL within an attribute value."
9
-
10
- super({
11
- :name=>"CVE-2015-1840",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
13
- :release_date => Date.new(2015, 7, 26),
14
- :cwe=>"200",
15
- :owasp=>"A8",
16
- :applies=>["rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade jquery-ujs and jquery-rails gems to latest version.",
20
- :aux_links=>["https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md", "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"jquery-ujs", :version=>['1.0.4']}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_2963
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg."
9
- super({
10
- :name=>"CVE-2015-2963",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2015, 7, 10),
13
- :cwe=>"79",
14
- :owasp=>"A1",
15
- :applies=>["sinatra", "padrino", "rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade paperclip gem to latest version.",
19
- :aux_links=>["https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57","https://robots.thoughtbot.com/paperclip-security-release"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"paperclip", :version=>['4.2.2']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,26 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_3224
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "request.rb in Web Console before 2.1.3, as used with Ruby on Rails 3.x and 4.x, does not properly restrict the use of X-Forwarded-For headers in determining a client's IP address, which allows remote attackers to bypass the whitelisted_ips protection mechanism via a crafted request."
9
- super({
10
- :name=>"CVE-2015-3224",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2015, 7, 26),
13
- :cwe=>"284",
14
- :owasp=>"A9",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade web-console gem to latest version.",
19
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/lzmz9_ijUFw/HBMPi4zp5NAJ"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"web-console", :version=>['2.1.3']}]
23
- end
24
- end
25
- end
26
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_3225
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth."
9
-
10
- super({
11
- :name=>"CVE-2015-3225",
12
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
- :release_date => Date.new(2015, 7, 26),
14
- :cwe=>"",
15
- :owasp=>"A9",
16
- :applies=>["sinatra", "padrino", "rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade rack gem to latest version or at least 1.5.4 or 1.6.2.",
20
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJ"]
21
- })
22
- self.save_minor = true
23
- self.safe_dependencies = [{:name=>"rack", :version=>['1.5.4', '1.6.2']}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_3226
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Cross-site scripting (XSS) vulnerability in json/encoding.rb in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding."
9
- super({
10
- :name=>"CVE-2015-3226",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2015, 7, 26),
13
- :cwe=>"79",
14
- :owasp=>"A3",
15
- :applies=>["sinatra", "padrino", "rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade activesupport gem to latest version or at least 4.1.12 or 4.2.3. This is automatically done by upgrading your Rails environment if you are using it.",
19
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"]
20
- })
21
- self.save_minor = true
22
- self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3', '3.99.99']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-29
4
- class CVE_2015_3227
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The (1) jdom.rb and (2) rexml.rb components in Active Support in Ruby on Rails before 4.1.11 and 4.2.x before 4.2.2, when JDOM or REXML is enabled, allow remote attackers to cause a denial of service (SystemStackError) via a large XML document depth."
9
-
10
- super({
11
- :name=>"CVE-2015-3227",
12
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
- :release_date => Date.new(2015, 7, 26),
14
- :cwe=>"",
15
- :owasp=>"A9",
16
- :applies=>["sinatra", "padrino", "rails"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"Please upgrade activesupport gem to latest version or at least 4.1.12 or 4.2.3. This is automatically done by upgrading your Rails environment if you are using it.",
20
- :aux_links=>["https://groups.google.com/forum/message/raw?msg=rubyonrails-security/bahr2JLnxvk/x4EocXnHPp8J"]
21
- })
22
- self.save_minor = true
23
- self.safe_dependencies = [{:name=>"activesupport", :version=>['4.1.12', '4.2.3']}]
24
- self.save_major = true
25
- end
26
- end
27
- end
28
- end
@@ -1,29 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-07-30
4
- class CVE_2015_3448
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and passwords, which allows local users to obtain sensitive information by reading the log."
9
-
10
- super({
11
- :name=>"CVE-2015-3448",
12
- :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
13
- :release_date => Date.new(2015, 4, 29),
14
- :cwe=>"200",
15
- :owasp=>"A9",
16
- :osvdb=>"117461",
17
- :applies=>["sinatra", "padrino", "rails"],
18
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
19
- :message=>message,
20
- :mitigation=>"Please upgrade rest-client gem to the latest version",
21
- :aux_links=>["https://github.com/rest-client/rest-client/issues/349","http://www.osvdb.org/117461"]
22
- })
23
-
24
- self.safe_dependencies = [{:name=>"rest-client", :version=>['1.7.3']}]
25
-
26
- end
27
- end
28
- end
29
- end
@@ -1,34 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2015-12-02
4
- class CVE_2015_4020
5
- # Include the testing skeleton for this CVE
6
- # include PatternMatchCheck
7
- # include DependencyCheck
8
- # include RubyVersionCheck
9
- include GemCheck
10
-
11
- def initialize
12
- title="RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname Validation Request Hijacking"
13
- message = "RubyGems 2.0.x before 2.0.17, 2.2.x before 2.2.5, and 2.4.x before 2.4.8 does not validate the hostname when fetching gems or making API request, which allows remote attackers to redirect requests to arbitrary domains via a crafted DNS SRV record with a domain that is suffixed with the original domain name, aka a 'DNS hijack attack.'"
14
- super({
15
- :title=>title,
16
- :name=> "CVE-2015-4020",
17
- :cve=>"2015-4020",
18
- :osvdb=>"122162",
19
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
20
- :release_date => Date.new(2015, 8, 25),
21
- :cwe=>"",
22
- :owasp=>"A9",
23
- :applies=>["rails", "sinatra", "padrino"],
24
- :kind=>Dawn::KnowledgeBase::GEM_CHECK,
25
- :message=>message,
26
- :mitigation=>"Please upgrade rubygem to version 3.2.3 or later.",
27
- :aux_links=>[""]
28
- })
29
-
30
- self.safe_versions = [{:version=>['2.0.17', '2.2.5', '2.4.8']}]
31
- end
32
- end
33
- end
34
- end
@@ -1,30 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2016-02-01
4
- class CVE_2015_5312
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The xmlStringLenDecodeEntities function in parser.c in libxml2 before 2.9.3 does not properly prevent entity expansion, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data, a different vulnerability than CVE-2014-3660."
9
- super({
10
- :title=>title,
11
- :name=> "CVE-2015-5312",
12
- :cve=>"2015-5312",
13
- :osvdb=>"",
14
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:C",
15
- :release_date => Date.new(2015, 12, 15),
16
- :cwe=>"119",
17
- :owasp=>"A9",
18
- :applies=>["rails", "sinatra", "padrino"],
19
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
20
- :message=>message,
21
- :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
22
- :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
23
- })
24
-
25
- self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
26
- self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
27
- end
28
- end
29
- end
30
- end
@@ -1,32 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2016-02-02
4
- class CVE_2015_7497
5
- # Include the testing skeleton for this CVE
6
- include DependencyCheck
7
-
8
- def initialize
9
- message ="Heap-based buffer overflow in the xmlDictComputeFastQKey function in dict.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors."
10
- super({
11
- :title=>title,
12
- :name=> "CVE-2015-7497",
13
- :cve=>"2015-7497",
14
- :osvdb=>"",
15
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
16
- :release_date => Date.new(2015, 12, 15),
17
- :cwe=>"119",
18
- :owasp=>"A9",
19
- :applies=>["rails", "sinatra", "padrino"],
20
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
21
- :message=>message,
22
- :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
23
- :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
24
- })
25
-
26
- self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
27
- self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
28
-
29
- end
30
- end
31
- end
32
- end
@@ -1,32 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2016-02-02
4
- class CVE_2015_7498
5
- # Include the testing skeleton for this CVE
6
- include DependencyCheck
7
-
8
- def initialize
9
- message = "Heap-based buffer overflow in the xmlParseXmlDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service via unspecified vectors related to extracting errors after an encoding conversion failure."
10
- super({
11
- :title=>title,
12
- :name=> "CVE-2015-7498",
13
- :cve=>"2015-7498",
14
- :osvdb=>"",
15
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
16
- :release_date => Date.new(2015, 12, 15),
17
- :cwe=>"119",
18
- :owasp=>"A9",
19
- :applies=>["rails", "sinatra", "padrino"],
20
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
21
- :message=>message,
22
- :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
23
- :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
24
- })
25
-
26
- self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
27
- self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
28
-
29
- end
30
- end
31
- end
32
- end
@@ -1,32 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2016-02-02
4
- class CVE_2015_7499
5
- # Include the testing skeleton for this CVE
6
- include DependencyCheck
7
-
8
- def initialize
9
- message="Heap-based buffer overflow in the xmlGROW function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive process memory information via unspecified vectors."
10
- super({
11
- :title=>title,
12
- :name=> "CVE-2015-7499",
13
- :cve=>"2015-7499",
14
- :osvdb=>"",
15
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
16
- :release_date => Date.new(2015, 12, 15),
17
- :cwe=>"119",
18
- :owasp=>"A9",
19
- :applies=>["rails", "sinatra", "padrino"],
20
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
21
- :message=>message,
22
- :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
23
- :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
24
- })
25
-
26
- self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
27
- self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
28
-
29
- end
30
- end
31
- end
32
- end
@@ -1,32 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2016-02-02
4
- class CVE_2015_7500
5
- # Include the testing skeleton for this CVE
6
- include DependencyCheck
7
-
8
- def initialize
9
- message = "The xmlParseMisc function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (out-of-bounds heap read) via unspecified vectors related to incorrect entities boundaries and start tags."
10
- super({
11
- :title=>title,
12
- :name=> "CVE-2015-7500",
13
- :cve=>"2015-7500",
14
- :osvdb=>"",
15
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
16
- :release_date => Date.new(2015, 12, 15),
17
- :cwe=>"119",
18
- :owasp=>"A9",
19
- :applies=>["rails", "sinatra", "padrino"],
20
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
21
- :message=>message,
22
- :mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
23
- :aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
24
- })
25
-
26
- self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
27
- self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
28
-
29
- end
30
- end
31
- end
32
- end