dawnscanner 1.6.8 → 2.0.0.rc4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +5 -5
- data/.gitignore +1 -0
- data/.ruby-version +1 -1
- data/Changelog.md +27 -1
- data/LICENSE.txt +1 -1
- data/README.md +59 -57
- data/Rakefile +10 -242
- data/Roadmap.md +15 -23
- data/VERSION +1 -1
- data/bin/dawn +17 -273
- data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
- data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
- data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
- data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
- data/dawnscanner.gemspec +10 -9
- data/doc/change.sh +13 -0
- data/doc/kickstart_kb.tar.gz +0 -0
- data/doc/knowledge_base.rb +650 -0
- data/docs/.placeholder +0 -0
- data/docs/CNAME +1 -0
- data/docs/_config.yml +1 -0
- data/lib/dawn/cli/dawn_cli.rb +139 -0
- data/lib/dawn/core.rb +8 -7
- data/lib/dawn/engine.rb +93 -34
- data/lib/dawn/gemfile_lock.rb +2 -2
- data/lib/dawn/kb/basic_check.rb +1 -2
- data/lib/dawn/kb/combo_check.rb +1 -1
- data/lib/dawn/kb/dependency_check.rb +1 -1
- data/lib/dawn/kb/operating_system_check.rb +1 -1
- data/lib/dawn/kb/pattern_match_check.rb +10 -9
- data/lib/dawn/kb/ruby_version_check.rb +11 -10
- data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
- data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
- data/lib/dawn/kb/version_check.rb +41 -24
- data/lib/dawn/knowledge_base.rb +259 -595
- data/lib/dawn/reporter.rb +2 -1
- data/lib/dawn/utils.rb +5 -2
- data/lib/dawn/version.rb +5 -5
- data/lib/dawnscanner.rb +7 -6
- data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
- data/spec/lib/kb/dependency_check.yml +29 -0
- metadata +30 -496
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
- data/lib/dawn/kb/cve_2004_0755.rb +0 -33
- data/lib/dawn/kb/cve_2004_0983.rb +0 -31
- data/lib/dawn/kb/cve_2005_1992.rb +0 -31
- data/lib/dawn/kb/cve_2005_2337.rb +0 -33
- data/lib/dawn/kb/cve_2006_1931.rb +0 -30
- data/lib/dawn/kb/cve_2006_2582.rb +0 -28
- data/lib/dawn/kb/cve_2006_3694.rb +0 -31
- data/lib/dawn/kb/cve_2006_4112.rb +0 -27
- data/lib/dawn/kb/cve_2006_5467.rb +0 -28
- data/lib/dawn/kb/cve_2006_6303.rb +0 -28
- data/lib/dawn/kb/cve_2006_6852.rb +0 -27
- data/lib/dawn/kb/cve_2006_6979.rb +0 -29
- data/lib/dawn/kb/cve_2007_0469.rb +0 -29
- data/lib/dawn/kb/cve_2007_5162.rb +0 -28
- data/lib/dawn/kb/cve_2007_5379.rb +0 -27
- data/lib/dawn/kb/cve_2007_5380.rb +0 -29
- data/lib/dawn/kb/cve_2007_5770.rb +0 -30
- data/lib/dawn/kb/cve_2007_6077.rb +0 -31
- data/lib/dawn/kb/cve_2007_6612.rb +0 -30
- data/lib/dawn/kb/cve_2008_1145.rb +0 -38
- data/lib/dawn/kb/cve_2008_1891.rb +0 -38
- data/lib/dawn/kb/cve_2008_2376.rb +0 -30
- data/lib/dawn/kb/cve_2008_2662.rb +0 -33
- data/lib/dawn/kb/cve_2008_2663.rb +0 -32
- data/lib/dawn/kb/cve_2008_2664.rb +0 -33
- data/lib/dawn/kb/cve_2008_2725.rb +0 -31
- data/lib/dawn/kb/cve_2008_3655.rb +0 -37
- data/lib/dawn/kb/cve_2008_3657.rb +0 -37
- data/lib/dawn/kb/cve_2008_3790.rb +0 -30
- data/lib/dawn/kb/cve_2008_3905.rb +0 -36
- data/lib/dawn/kb/cve_2008_4094.rb +0 -27
- data/lib/dawn/kb/cve_2008_4310.rb +0 -100
- data/lib/dawn/kb/cve_2008_5189.rb +0 -27
- data/lib/dawn/kb/cve_2008_7248.rb +0 -27
- data/lib/dawn/kb/cve_2009_4078.rb +0 -29
- data/lib/dawn/kb/cve_2009_4124.rb +0 -30
- data/lib/dawn/kb/cve_2009_4214.rb +0 -27
- data/lib/dawn/kb/cve_2010_1330.rb +0 -28
- data/lib/dawn/kb/cve_2010_2489.rb +0 -60
- data/lib/dawn/kb/cve_2010_3933.rb +0 -27
- data/lib/dawn/kb/cve_2011_0188.rb +0 -67
- data/lib/dawn/kb/cve_2011_0446.rb +0 -28
- data/lib/dawn/kb/cve_2011_0447.rb +0 -28
- data/lib/dawn/kb/cve_2011_0739.rb +0 -28
- data/lib/dawn/kb/cve_2011_0995.rb +0 -61
- data/lib/dawn/kb/cve_2011_1004.rb +0 -34
- data/lib/dawn/kb/cve_2011_1005.rb +0 -31
- data/lib/dawn/kb/cve_2011_2197.rb +0 -27
- data/lib/dawn/kb/cve_2011_2686.rb +0 -29
- data/lib/dawn/kb/cve_2011_2705.rb +0 -32
- data/lib/dawn/kb/cve_2011_2929.rb +0 -27
- data/lib/dawn/kb/cve_2011_2930.rb +0 -28
- data/lib/dawn/kb/cve_2011_2931.rb +0 -30
- data/lib/dawn/kb/cve_2011_2932.rb +0 -27
- data/lib/dawn/kb/cve_2011_3009.rb +0 -28
- data/lib/dawn/kb/cve_2011_3186.rb +0 -29
- data/lib/dawn/kb/cve_2011_3187.rb +0 -29
- data/lib/dawn/kb/cve_2011_4319.rb +0 -30
- data/lib/dawn/kb/cve_2011_4815.rb +0 -28
- data/lib/dawn/kb/cve_2011_5036.rb +0 -26
- data/lib/dawn/kb/cve_2012_1098.rb +0 -30
- data/lib/dawn/kb/cve_2012_1099.rb +0 -27
- data/lib/dawn/kb/cve_2012_1241.rb +0 -27
- data/lib/dawn/kb/cve_2012_2139.rb +0 -26
- data/lib/dawn/kb/cve_2012_2140.rb +0 -27
- data/lib/dawn/kb/cve_2012_2660.rb +0 -28
- data/lib/dawn/kb/cve_2012_2661.rb +0 -27
- data/lib/dawn/kb/cve_2012_2671.rb +0 -28
- data/lib/dawn/kb/cve_2012_2694.rb +0 -30
- data/lib/dawn/kb/cve_2012_2695.rb +0 -27
- data/lib/dawn/kb/cve_2012_3424.rb +0 -29
- data/lib/dawn/kb/cve_2012_3463.rb +0 -27
- data/lib/dawn/kb/cve_2012_3464.rb +0 -27
- data/lib/dawn/kb/cve_2012_3465.rb +0 -26
- data/lib/dawn/kb/cve_2012_4464.rb +0 -27
- data/lib/dawn/kb/cve_2012_4466.rb +0 -27
- data/lib/dawn/kb/cve_2012_4481.rb +0 -26
- data/lib/dawn/kb/cve_2012_4522.rb +0 -27
- data/lib/dawn/kb/cve_2012_5370.rb +0 -27
- data/lib/dawn/kb/cve_2012_5371.rb +0 -27
- data/lib/dawn/kb/cve_2012_5380.rb +0 -28
- data/lib/dawn/kb/cve_2012_6109.rb +0 -25
- data/lib/dawn/kb/cve_2012_6134.rb +0 -27
- data/lib/dawn/kb/cve_2012_6496.rb +0 -28
- data/lib/dawn/kb/cve_2012_6497.rb +0 -28
- data/lib/dawn/kb/cve_2012_6684.rb +0 -28
- data/lib/dawn/kb/cve_2013_0155.rb +0 -29
- data/lib/dawn/kb/cve_2013_0156.rb +0 -27
- data/lib/dawn/kb/cve_2013_0162.rb +0 -28
- data/lib/dawn/kb/cve_2013_0175.rb +0 -27
- data/lib/dawn/kb/cve_2013_0183.rb +0 -25
- data/lib/dawn/kb/cve_2013_0184.rb +0 -25
- data/lib/dawn/kb/cve_2013_0233.rb +0 -26
- data/lib/dawn/kb/cve_2013_0256.rb +0 -59
- data/lib/dawn/kb/cve_2013_0262.rb +0 -26
- data/lib/dawn/kb/cve_2013_0263.rb +0 -26
- data/lib/dawn/kb/cve_2013_0269.rb +0 -27
- data/lib/dawn/kb/cve_2013_0276.rb +0 -28
- data/lib/dawn/kb/cve_2013_0277.rb +0 -25
- data/lib/dawn/kb/cve_2013_0284.rb +0 -27
- data/lib/dawn/kb/cve_2013_0285.rb +0 -27
- data/lib/dawn/kb/cve_2013_0333.rb +0 -28
- data/lib/dawn/kb/cve_2013_0334.rb +0 -25
- data/lib/dawn/kb/cve_2013_1607.rb +0 -25
- data/lib/dawn/kb/cve_2013_1655.rb +0 -65
- data/lib/dawn/kb/cve_2013_1656.rb +0 -28
- data/lib/dawn/kb/cve_2013_1756.rb +0 -26
- data/lib/dawn/kb/cve_2013_1800.rb +0 -26
- data/lib/dawn/kb/cve_2013_1801.rb +0 -27
- data/lib/dawn/kb/cve_2013_1802.rb +0 -27
- data/lib/dawn/kb/cve_2013_1812.rb +0 -27
- data/lib/dawn/kb/cve_2013_1821.rb +0 -28
- data/lib/dawn/kb/cve_2013_1854.rb +0 -26
- data/lib/dawn/kb/cve_2013_1855.rb +0 -25
- data/lib/dawn/kb/cve_2013_1856.rb +0 -26
- data/lib/dawn/kb/cve_2013_1857.rb +0 -27
- data/lib/dawn/kb/cve_2013_1875.rb +0 -27
- data/lib/dawn/kb/cve_2013_1898.rb +0 -27
- data/lib/dawn/kb/cve_2013_1911.rb +0 -28
- data/lib/dawn/kb/cve_2013_1933.rb +0 -27
- data/lib/dawn/kb/cve_2013_1947.rb +0 -27
- data/lib/dawn/kb/cve_2013_1948.rb +0 -27
- data/lib/dawn/kb/cve_2013_2065.rb +0 -29
- data/lib/dawn/kb/cve_2013_2090.rb +0 -28
- data/lib/dawn/kb/cve_2013_2105.rb +0 -26
- data/lib/dawn/kb/cve_2013_2119.rb +0 -27
- data/lib/dawn/kb/cve_2013_2512.rb +0 -26
- data/lib/dawn/kb/cve_2013_2513.rb +0 -25
- data/lib/dawn/kb/cve_2013_2516.rb +0 -26
- data/lib/dawn/kb/cve_2013_2615.rb +0 -27
- data/lib/dawn/kb/cve_2013_2616.rb +0 -27
- data/lib/dawn/kb/cve_2013_2617.rb +0 -28
- data/lib/dawn/kb/cve_2013_3221.rb +0 -27
- data/lib/dawn/kb/cve_2013_4164.rb +0 -30
- data/lib/dawn/kb/cve_2013_4203.rb +0 -25
- data/lib/dawn/kb/cve_2013_4389.rb +0 -26
- data/lib/dawn/kb/cve_2013_4413.rb +0 -27
- data/lib/dawn/kb/cve_2013_4457.rb +0 -29
- data/lib/dawn/kb/cve_2013_4478.rb +0 -26
- data/lib/dawn/kb/cve_2013_4479.rb +0 -26
- data/lib/dawn/kb/cve_2013_4489.rb +0 -28
- data/lib/dawn/kb/cve_2013_4491.rb +0 -29
- data/lib/dawn/kb/cve_2013_4492.rb +0 -29
- data/lib/dawn/kb/cve_2013_4562.rb +0 -27
- data/lib/dawn/kb/cve_2013_4593.rb +0 -27
- data/lib/dawn/kb/cve_2013_5647.rb +0 -29
- data/lib/dawn/kb/cve_2013_5671.rb +0 -26
- data/lib/dawn/kb/cve_2013_6414.rb +0 -30
- data/lib/dawn/kb/cve_2013_6415.rb +0 -29
- data/lib/dawn/kb/cve_2013_6416.rb +0 -29
- data/lib/dawn/kb/cve_2013_6417.rb +0 -30
- data/lib/dawn/kb/cve_2013_6421.rb +0 -28
- data/lib/dawn/kb/cve_2013_6459.rb +0 -28
- data/lib/dawn/kb/cve_2013_6460.rb +0 -53
- data/lib/dawn/kb/cve_2013_6461.rb +0 -57
- data/lib/dawn/kb/cve_2013_7086.rb +0 -27
- data/lib/dawn/kb/cve_2014_0036.rb +0 -27
- data/lib/dawn/kb/cve_2014_0080.rb +0 -29
- data/lib/dawn/kb/cve_2014_0081.rb +0 -27
- data/lib/dawn/kb/cve_2014_0082.rb +0 -27
- data/lib/dawn/kb/cve_2014_0130.rb +0 -27
- data/lib/dawn/kb/cve_2014_1233.rb +0 -27
- data/lib/dawn/kb/cve_2014_1234.rb +0 -26
- data/lib/dawn/kb/cve_2014_2322.rb +0 -28
- data/lib/dawn/kb/cve_2014_2525.rb +0 -59
- data/lib/dawn/kb/cve_2014_2538.rb +0 -26
- data/lib/dawn/kb/cve_2014_3482.rb +0 -28
- data/lib/dawn/kb/cve_2014_3483.rb +0 -28
- data/lib/dawn/kb/cve_2014_3916.rb +0 -29
- data/lib/dawn/kb/cve_2014_4975.rb +0 -28
- data/lib/dawn/kb/cve_2014_7818.rb +0 -27
- data/lib/dawn/kb/cve_2014_7819.rb +0 -31
- data/lib/dawn/kb/cve_2014_7829.rb +0 -30
- data/lib/dawn/kb/cve_2014_8090.rb +0 -30
- data/lib/dawn/kb/cve_2014_9490.rb +0 -29
- data/lib/dawn/kb/cve_2015_1819.rb +0 -34
- data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
- data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
- data/lib/dawn/kb/cve_2015_2963.rb +0 -27
- data/lib/dawn/kb/cve_2015_3224.rb +0 -26
- data/lib/dawn/kb/cve_2015_3225.rb +0 -28
- data/lib/dawn/kb/cve_2015_3226.rb +0 -27
- data/lib/dawn/kb/cve_2015_3227.rb +0 -28
- data/lib/dawn/kb/cve_2015_3448.rb +0 -29
- data/lib/dawn/kb/cve_2015_4020.rb +0 -34
- data/lib/dawn/kb/cve_2015_5312.rb +0 -30
- data/lib/dawn/kb/cve_2015_7497.rb +0 -32
- data/lib/dawn/kb/cve_2015_7498.rb +0 -32
- data/lib/dawn/kb/cve_2015_7499.rb +0 -32
- data/lib/dawn/kb/cve_2015_7500.rb +0 -32
- data/lib/dawn/kb/cve_2015_7519.rb +0 -31
- data/lib/dawn/kb/cve_2015_7541.rb +0 -31
- data/lib/dawn/kb/cve_2015_7576.rb +0 -35
- data/lib/dawn/kb/cve_2015_7577.rb +0 -34
- data/lib/dawn/kb/cve_2015_7578.rb +0 -30
- data/lib/dawn/kb/cve_2015_7579.rb +0 -30
- data/lib/dawn/kb/cve_2015_7581.rb +0 -33
- data/lib/dawn/kb/cve_2015_8241.rb +0 -32
- data/lib/dawn/kb/cve_2015_8242.rb +0 -32
- data/lib/dawn/kb/cve_2015_8317.rb +0 -32
- data/lib/dawn/kb/cve_2016_0751.rb +0 -32
- data/lib/dawn/kb/cve_2016_0752.rb +0 -35
- data/lib/dawn/kb/cve_2016_0753.rb +0 -31
- data/lib/dawn/kb/cve_2016_2097.rb +0 -35
- data/lib/dawn/kb/cve_2016_2098.rb +0 -35
- data/lib/dawn/kb/cve_2016_5697.rb +0 -30
- data/lib/dawn/kb/cve_2016_6316.rb +0 -33
- data/lib/dawn/kb/cve_2016_6317.rb +0 -32
- data/lib/dawn/kb/cve_2016_6582.rb +0 -43
- data/lib/dawn/kb/not_revised_code.rb +0 -22
- data/lib/dawn/kb/osvdb_105971.rb +0 -29
- data/lib/dawn/kb/osvdb_108530.rb +0 -27
- data/lib/dawn/kb/osvdb_108563.rb +0 -28
- data/lib/dawn/kb/osvdb_108569.rb +0 -28
- data/lib/dawn/kb/osvdb_108570.rb +0 -27
- data/lib/dawn/kb/osvdb_115654.rb +0 -33
- data/lib/dawn/kb/osvdb_116010.rb +0 -30
- data/lib/dawn/kb/osvdb_117903.rb +0 -30
- data/lib/dawn/kb/osvdb_118579.rb +0 -31
- data/lib/dawn/kb/osvdb_118830.rb +0 -32
- data/lib/dawn/kb/osvdb_118954.rb +0 -33
- data/lib/dawn/kb/osvdb_119878.rb +0 -32
- data/lib/dawn/kb/osvdb_119927.rb +0 -33
- data/lib/dawn/kb/osvdb_120415.rb +0 -31
- data/lib/dawn/kb/osvdb_120857.rb +0 -34
- data/lib/dawn/kb/osvdb_121701.rb +0 -30
- data/lib/dawn/kb/osvdb_132234.rb +0 -34
- data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
- data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
- data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
- data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
- data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
- data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
- data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
- data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
- data/lib/dawn/knowledge_base_experimental.rb +0 -245
- data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
- data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
- data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
- data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
- data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
- data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
- data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
- data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
- data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
- data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
- data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
- data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
- data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
- data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
- data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
- data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
- data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
- data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
- data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
- data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
- data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
- data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
- data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
- data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
- data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
- data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
- data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
- data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
- data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
- data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
- data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
- data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
- data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
- data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
- data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
- data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
- data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
- data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
- data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
- data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
- data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
- data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
- data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
- data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
- data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
- data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
- data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
- data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
- data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
- data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
- data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
- data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
- data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
- data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
- data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
- data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
- data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
- data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
- data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
- data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
- data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
- data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
- data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
- data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
- data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
- data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
- data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
- data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
- data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
- data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
- data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
- data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
- data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
- data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
- data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
- data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
- metadata.gz.sig +0 -0
@@ -1,31 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-02
|
4
|
-
class CVE_2015_7519
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message ="agent/Core/Controller/SendRequest.cpp in Phusion Passenger before 4.0.60 and 5.0.x before 5.0.22, when used in Apache integration mode or in standalone mode without a filtering proxy, allows remote attackers to spoof headers passed to applications by using an _ (underscore) character instead of a - (dash) character in an HTTP header, as demonstrated by an X_User header."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-7519",
|
13
|
-
:cve=>"2015-7519",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
16
|
-
:release_date => Date.new(2016, 1, 8),
|
17
|
-
:cwe=>"119",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade passenger gem to version 4.0.60, 5.0.22 or later.",
|
23
|
-
:aux_links=>["https://blog.phusion.nl/2015/12/07/cve-2015-7519/"]
|
24
|
-
})
|
25
|
-
|
26
|
-
self.safe_dependencies = [{:name=>"passenger", :version=>['4.0.60', '5.0.22']}]
|
27
|
-
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
@@ -1,31 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-02
|
4
|
-
class CVE_2015_7541
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "The initialize method in the Histogram class in lib/colorscore/histogram.rb in the colorscore gem before 0.0.5 for Ruby allows context-dependent attackers to execute arbitrary code via shell metacharacters in the (1) image_path, (2) colors, or (3) depth variable."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-7541",
|
13
|
-
:cve=>"2015-7541",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
|
16
|
-
:release_date => Date.new(2016, 1, 8),
|
17
|
-
:cwe=>"77",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade colorscore gem to version 0.0.5 or later.",
|
23
|
-
:aux_links=>["http://seclists.org/oss-sec/2016/q1/17"]
|
24
|
-
})
|
25
|
-
|
26
|
-
self.safe_dependencies = [{:name=>"colorscore", :version=>['0.0.5']}]
|
27
|
-
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
@@ -1,35 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-01-28
|
4
|
-
class CVE_2015_7576
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
# include PatternMatchCheck
|
7
|
-
include DependencyCheck
|
8
|
-
# include RubyVersionCheck
|
9
|
-
|
10
|
-
def initialize
|
11
|
-
message = "There is a timing attack vulnerability in the basic authentication support in Action Controller. Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password."
|
12
|
-
super({
|
13
|
-
:title=>title,
|
14
|
-
:name=> "CVE-2015-7576",
|
15
|
-
:cve=>"2015-7576",
|
16
|
-
:osvdb=>"",
|
17
|
-
:cvss=>"",
|
18
|
-
:release_date => Date.new(2016, 1, 26),
|
19
|
-
:cwe=>"",
|
20
|
-
:owasp=>"A9",
|
21
|
-
:applies=>["rails", "sinatra", "padrino"],
|
22
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
23
|
-
:message=>message,
|
24
|
-
:mitigation=>"Please upgrade actionpack gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
|
25
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
26
|
-
})
|
27
|
-
self.save_minor=true
|
28
|
-
self.save_major=true
|
29
|
-
self.safe_dependencies = [{:name=>"actionpack", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
|
30
|
-
|
31
|
-
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
@@ -1,34 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-01-29
|
4
|
-
class CVE_2015_7577
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "There is a vulnerability in how the nested attributes feature in Active Record handles updates in combination with destroy flags when destroying records is disabled."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-7577",
|
13
|
-
:cve=>"2015-7577",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"",
|
16
|
-
:release_date => Date.new(2016, 1, 26),
|
17
|
-
:cwe=>"",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade activerecord gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
|
23
|
-
:aux_links=>["http://securitytracker.com/id/1034816", "https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g"]
|
24
|
-
})
|
25
|
-
self.save_minor=true
|
26
|
-
self.save_major=true
|
27
|
-
# self.debug = true
|
28
|
-
self.safe_dependencies = [{:name=>"activerecord", :version=>['3.1.9999','3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
|
29
|
-
self.not_affected = {:name=>"actionpack", :version=>['3.0.x']}
|
30
|
-
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
@@ -1,30 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-01
|
4
|
-
class CVE_2015_7578
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "There is a possible XSS vulnerability in rails-html-sanitizer. Certain attributes are not removed from tags when they are sanitized, and these attributes can lead to an XSS attack on target applications."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-7578",
|
13
|
-
:cve=>"2015-7578",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"",
|
16
|
-
:release_date => Date.new(2016, 1, 26),
|
17
|
-
:cwe=>"",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade rails-html-sanitizer gem to version 1.0.3 or later.",
|
23
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
24
|
-
})
|
25
|
-
self.safe_dependencies = [{:name=>"rails-html-sanitizer", :version=>['1.0.3']}]
|
26
|
-
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
@@ -1,30 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-01-31
|
4
|
-
class CVE_2015_7579
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "There is a XSS vulnerability in Rails::Html::FullSanitizer used by Action View's strip_tags. Due to the way that Rails::Html::FullSanitizer is implemented, if an attacker passes an already escaped HTML entity to the input of Action View's strip_tags these entities will be unescaped what may cause a XSS attack if used in combination with raw or html_safe."
|
9
|
-
super({
|
10
|
-
:title=>title,
|
11
|
-
:name=> "CVE-2015-7579",
|
12
|
-
:cve=>"2015-7579",
|
13
|
-
:osvdb=>"",
|
14
|
-
:cvss=>"",
|
15
|
-
:release_date => Date.new(2016, 1, 26),
|
16
|
-
:cwe=>"",
|
17
|
-
:owasp=>"A9",
|
18
|
-
:applies=>["rails", "sinatra", "padrino"],
|
19
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
20
|
-
:message=>message,
|
21
|
-
:mitigation=>"Please upgrade rails-html-sanitizer to version 1.0.3 or later.",
|
22
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
23
|
-
})
|
24
|
-
self.safe_dependencies = [{:name=>"rails-html-sanitizer", :version=>['1.0.3']}]
|
25
|
-
self.not_affected = {:name=>"rails-html-sanitizer", :version=>['1.0.0', '1.0.1']}
|
26
|
-
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
@@ -1,33 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-01
|
4
|
-
class CVE_2015_7581
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "There is an object leak vulnerability for wildcard controllers in Action Pack. Users that have a route that contains the string \":controller\" are susceptible to objects being leaked globally which can lead to unbounded memory growth. "
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-7581",
|
13
|
-
:cve=>"2015-7581",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"",
|
16
|
-
:release_date => Date.new(2016, 1, 26),
|
17
|
-
:cwe=>"",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade actionpack gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
|
23
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
24
|
-
})
|
25
|
-
self.save_minor=true
|
26
|
-
self.save_major=true
|
27
|
-
self.safe_dependencies = [{:name=>"actionpack", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
|
28
|
-
|
29
|
-
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
33
|
-
end
|
@@ -1,32 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-02
|
4
|
-
class CVE_2015_8241
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message ="The xmlNextChar function in libxml2 2.9.2 does not properly check the state, which allows context-dependent attackers to cause a denial of service (heap-based buffer over-read and application crash) or obtain sensitive information via crafted XML data."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-8241",
|
13
|
-
:cve=>"2015-8241",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:P",
|
16
|
-
:release_date => Date.new(2015, 12, 15),
|
17
|
-
:cwe=>"119",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
|
23
|
-
:aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
|
24
|
-
})
|
25
|
-
|
26
|
-
self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
|
27
|
-
self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
|
28
|
-
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
@@ -1,32 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-02
|
4
|
-
class CVE_2015_8242
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "The xmlSAX2TextNode function in SAX2.c in the push interface in the HTML parser in libxml2 before 2.9.3 allows context-dependent attackers to cause a denial of service (stack-based buffer over-read and application crash) or obtain sensitive information via crafted XML data."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-8242",
|
13
|
-
:cve=>"2015-8242",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"AV:N/AC:M/Au:N/C:P/I:N/A:P",
|
16
|
-
:release_date => Date.new(2015, 12, 15),
|
17
|
-
:cwe=>"119",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
|
23
|
-
:aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
|
24
|
-
})
|
25
|
-
|
26
|
-
self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
|
27
|
-
self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
|
28
|
-
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
@@ -1,32 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-02
|
4
|
-
class CVE_2015_8317
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "The xmlParseXMLDecl function in parser.c in libxml2 before 2.9.3 allows context-dependent attackers to obtain sensitive information via an (1) unterminated encoding value or (2) incomplete XML declaration in XML data, which triggers an out-of-bounds heap read"
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2015-8317",
|
13
|
-
:cve=>"2015-8317",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
16
|
-
:release_date => Date.new(2015, 12, 15),
|
17
|
-
:cwe=>"119",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade nokogiri gem to version 1.6.7.1 or later.",
|
23
|
-
:aux_links=>["https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s"]
|
24
|
-
})
|
25
|
-
|
26
|
-
self.safe_dependencies = [{:name=>"nokogiri", :version=>['1.6.7.1']}]
|
27
|
-
self.not_affected = {:name=>"nokogiri", :version=>['1.5.x', '1.4.x', '1.3.x', '1.1.x', '1.0.x', '0.x.x']}
|
28
|
-
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
@@ -1,32 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-01-28
|
4
|
-
class CVE_2016_0751
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
include DependencyCheck
|
7
|
-
|
8
|
-
def initialize
|
9
|
-
message = "There is a possible object leak which can lead to a denial of service vulnerability in Action Pack. A carefully crafted accept header can cause a global cache of mime types to grow indefinitely which can lead to a possible denial of service attack in Action Pack."
|
10
|
-
super({
|
11
|
-
:title=>title,
|
12
|
-
:name=> "CVE-2016-0751",
|
13
|
-
:cve=>"2016-0751",
|
14
|
-
:osvdb=>"",
|
15
|
-
:cvss=>"",
|
16
|
-
:release_date => Date.new(2016, 1, 26),
|
17
|
-
:cwe=>"",
|
18
|
-
:owasp=>"A9",
|
19
|
-
:applies=>["rails", "sinatra", "padrino"],
|
20
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
21
|
-
:message=>message,
|
22
|
-
:mitigation=>"Please upgrade actionpack gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
|
23
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
24
|
-
})
|
25
|
-
self.save_minor=true
|
26
|
-
self.save_major=true
|
27
|
-
self.safe_dependencies = [{:name=>"actionpack", :version=>['3.2.22.1', '4.0.9999', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
|
28
|
-
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
32
|
-
end
|
@@ -1,35 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-01-31
|
4
|
-
class CVE_2016_0752
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
# include PatternMatchCheck
|
7
|
-
include DependencyCheck
|
8
|
-
# include RubyVersionCheck
|
9
|
-
|
10
|
-
def initialize
|
11
|
-
message = "There is a possible directory traversal and information leak vulnerability in Action View. Applications that pass unverified user input to the render method in a controller may be vulnerable to an information leak vulnerability."
|
12
|
-
super({
|
13
|
-
:title=>title,
|
14
|
-
:name=> "CVE-2016-0752",
|
15
|
-
:cve=>"2016-0752",
|
16
|
-
:osvdb=>"",
|
17
|
-
:cvss=>"",
|
18
|
-
:release_date => Date.new(2016, 1, 26),
|
19
|
-
:cwe=>"",
|
20
|
-
:owasp=>"A9",
|
21
|
-
:applies=>["rails", "sinatra", "padrino"],
|
22
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
23
|
-
:message=>message,
|
24
|
-
:mitigation=>"Please upgrade actionview gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
|
25
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
26
|
-
})
|
27
|
-
self.save_minor=true
|
28
|
-
self.save_major=true
|
29
|
-
self.safe_dependencies = [{:name=>"actionview", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
|
30
|
-
|
31
|
-
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|
@@ -1,31 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-02-01
|
4
|
-
class CVE_2016_0753
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "There is a possible input validation circumvention vulnerability in Active Model. Code that uses Active Model based models (including Active Record models) and does not validate user input before passing it to the model can be subject to an attack where specially crafted input will cause the model to skip validations."
|
9
|
-
super({
|
10
|
-
:title=>title,
|
11
|
-
:name=> "CVE-2016-0753",
|
12
|
-
:cve=>"2016-0753",
|
13
|
-
:osvdb=>"",
|
14
|
-
:cvss=>"",
|
15
|
-
:release_date => Date.new(2016, 1, 26),
|
16
|
-
:cwe=>"",
|
17
|
-
:owasp=>"A9",
|
18
|
-
:applies=>["rails", "sinatra", "padrino"],
|
19
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
20
|
-
:message=>message,
|
21
|
-
:mitigation=>"Please upgrade activemodel gem to version 3.2.22.1, 4.1.14.1, 4.2.5.1, 5.0.0.beta1.1 or later.",
|
22
|
-
:aux_links=>["http://securitytracker.com/id/1034816"]
|
23
|
-
})
|
24
|
-
self.save_minor=true
|
25
|
-
self.save_major=true
|
26
|
-
self.safe_dependencies = [{:name=>"activemodel", :version=>['3.2.22.1', '4.1.14.1', '4.2.5.1', '5.0.0.beta1.1']}]
|
27
|
-
|
28
|
-
end
|
29
|
-
end
|
30
|
-
end
|
31
|
-
end
|
@@ -1,35 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2016-03-01
|
4
|
-
class CVE_2016_2097
|
5
|
-
# Include the testing skeleton for this CVE
|
6
|
-
# include PatternMatchCheck
|
7
|
-
include DependencyCheck
|
8
|
-
# include RubyVersionCheck
|
9
|
-
|
10
|
-
def initialize
|
11
|
-
message = "Possible Information Leak Vulnerability in Action View. There is a possible directory traversal and information leak vulnerability in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 patch was not covering all the scenarios."
|
12
|
-
title = "Possible Information Leak Vulnerability in Action View"
|
13
|
-
super({
|
14
|
-
:title=>title,
|
15
|
-
:name=> "CVE-2016-2097",
|
16
|
-
:cve=>"2016-2097",
|
17
|
-
:osvdb=>"",
|
18
|
-
:cvss=>"",
|
19
|
-
:release_date => Date.new(2016, 2, 29),
|
20
|
-
:cwe=>"",
|
21
|
-
:owasp=>"A9",
|
22
|
-
:applies=>["rails", "sinatra", "padrino"],
|
23
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
24
|
-
:message=>message,
|
25
|
-
:mitigation=>"Please upgrade actionview gem to version 3.2.22.2, 4.1.14.2 or later.",
|
26
|
-
:aux_links=>[]
|
27
|
-
})
|
28
|
-
self.safe_dependencies = [{:name=>"actionview", :version=>['3.2.22.2', '4.0.99', '4.1.14.2', '5.0.0']}]
|
29
|
-
self.save_minor = true
|
30
|
-
self.save_major = true
|
31
|
-
|
32
|
-
end
|
33
|
-
end
|
34
|
-
end
|
35
|
-
end
|