dawnscanner 1.6.8 → 2.0.0.rc4

Sign up to get free protection for your applications and to get access to all the features.
Files changed (387) hide show
  1. checksums.yaml +5 -5
  2. data/.gitignore +1 -0
  3. data/.ruby-version +1 -1
  4. data/Changelog.md +27 -1
  5. data/LICENSE.txt +1 -1
  6. data/README.md +59 -57
  7. data/Rakefile +10 -242
  8. data/Roadmap.md +15 -23
  9. data/VERSION +1 -1
  10. data/bin/dawn +17 -273
  11. data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
  12. data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
  13. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  14. data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
  15. data/dawnscanner.gemspec +10 -9
  16. data/doc/change.sh +13 -0
  17. data/doc/kickstart_kb.tar.gz +0 -0
  18. data/doc/knowledge_base.rb +650 -0
  19. data/docs/.placeholder +0 -0
  20. data/docs/CNAME +1 -0
  21. data/docs/_config.yml +1 -0
  22. data/lib/dawn/cli/dawn_cli.rb +139 -0
  23. data/lib/dawn/core.rb +8 -7
  24. data/lib/dawn/engine.rb +93 -34
  25. data/lib/dawn/gemfile_lock.rb +2 -2
  26. data/lib/dawn/kb/basic_check.rb +1 -2
  27. data/lib/dawn/kb/combo_check.rb +1 -1
  28. data/lib/dawn/kb/dependency_check.rb +1 -1
  29. data/lib/dawn/kb/operating_system_check.rb +1 -1
  30. data/lib/dawn/kb/pattern_match_check.rb +10 -9
  31. data/lib/dawn/kb/ruby_version_check.rb +11 -10
  32. data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
  33. data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
  34. data/lib/dawn/kb/version_check.rb +41 -24
  35. data/lib/dawn/knowledge_base.rb +259 -595
  36. data/lib/dawn/reporter.rb +2 -1
  37. data/lib/dawn/utils.rb +5 -2
  38. data/lib/dawn/version.rb +5 -5
  39. data/lib/dawnscanner.rb +7 -6
  40. data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
  41. data/spec/lib/kb/dependency_check.yml +29 -0
  42. metadata +30 -496
  43. checksums.yaml.gz.sig +0 -0
  44. data.tar.gz.sig +0 -0
  45. data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
  46. data/lib/dawn/kb/cve_2004_0755.rb +0 -33
  47. data/lib/dawn/kb/cve_2004_0983.rb +0 -31
  48. data/lib/dawn/kb/cve_2005_1992.rb +0 -31
  49. data/lib/dawn/kb/cve_2005_2337.rb +0 -33
  50. data/lib/dawn/kb/cve_2006_1931.rb +0 -30
  51. data/lib/dawn/kb/cve_2006_2582.rb +0 -28
  52. data/lib/dawn/kb/cve_2006_3694.rb +0 -31
  53. data/lib/dawn/kb/cve_2006_4112.rb +0 -27
  54. data/lib/dawn/kb/cve_2006_5467.rb +0 -28
  55. data/lib/dawn/kb/cve_2006_6303.rb +0 -28
  56. data/lib/dawn/kb/cve_2006_6852.rb +0 -27
  57. data/lib/dawn/kb/cve_2006_6979.rb +0 -29
  58. data/lib/dawn/kb/cve_2007_0469.rb +0 -29
  59. data/lib/dawn/kb/cve_2007_5162.rb +0 -28
  60. data/lib/dawn/kb/cve_2007_5379.rb +0 -27
  61. data/lib/dawn/kb/cve_2007_5380.rb +0 -29
  62. data/lib/dawn/kb/cve_2007_5770.rb +0 -30
  63. data/lib/dawn/kb/cve_2007_6077.rb +0 -31
  64. data/lib/dawn/kb/cve_2007_6612.rb +0 -30
  65. data/lib/dawn/kb/cve_2008_1145.rb +0 -38
  66. data/lib/dawn/kb/cve_2008_1891.rb +0 -38
  67. data/lib/dawn/kb/cve_2008_2376.rb +0 -30
  68. data/lib/dawn/kb/cve_2008_2662.rb +0 -33
  69. data/lib/dawn/kb/cve_2008_2663.rb +0 -32
  70. data/lib/dawn/kb/cve_2008_2664.rb +0 -33
  71. data/lib/dawn/kb/cve_2008_2725.rb +0 -31
  72. data/lib/dawn/kb/cve_2008_3655.rb +0 -37
  73. data/lib/dawn/kb/cve_2008_3657.rb +0 -37
  74. data/lib/dawn/kb/cve_2008_3790.rb +0 -30
  75. data/lib/dawn/kb/cve_2008_3905.rb +0 -36
  76. data/lib/dawn/kb/cve_2008_4094.rb +0 -27
  77. data/lib/dawn/kb/cve_2008_4310.rb +0 -100
  78. data/lib/dawn/kb/cve_2008_5189.rb +0 -27
  79. data/lib/dawn/kb/cve_2008_7248.rb +0 -27
  80. data/lib/dawn/kb/cve_2009_4078.rb +0 -29
  81. data/lib/dawn/kb/cve_2009_4124.rb +0 -30
  82. data/lib/dawn/kb/cve_2009_4214.rb +0 -27
  83. data/lib/dawn/kb/cve_2010_1330.rb +0 -28
  84. data/lib/dawn/kb/cve_2010_2489.rb +0 -60
  85. data/lib/dawn/kb/cve_2010_3933.rb +0 -27
  86. data/lib/dawn/kb/cve_2011_0188.rb +0 -67
  87. data/lib/dawn/kb/cve_2011_0446.rb +0 -28
  88. data/lib/dawn/kb/cve_2011_0447.rb +0 -28
  89. data/lib/dawn/kb/cve_2011_0739.rb +0 -28
  90. data/lib/dawn/kb/cve_2011_0995.rb +0 -61
  91. data/lib/dawn/kb/cve_2011_1004.rb +0 -34
  92. data/lib/dawn/kb/cve_2011_1005.rb +0 -31
  93. data/lib/dawn/kb/cve_2011_2197.rb +0 -27
  94. data/lib/dawn/kb/cve_2011_2686.rb +0 -29
  95. data/lib/dawn/kb/cve_2011_2705.rb +0 -32
  96. data/lib/dawn/kb/cve_2011_2929.rb +0 -27
  97. data/lib/dawn/kb/cve_2011_2930.rb +0 -28
  98. data/lib/dawn/kb/cve_2011_2931.rb +0 -30
  99. data/lib/dawn/kb/cve_2011_2932.rb +0 -27
  100. data/lib/dawn/kb/cve_2011_3009.rb +0 -28
  101. data/lib/dawn/kb/cve_2011_3186.rb +0 -29
  102. data/lib/dawn/kb/cve_2011_3187.rb +0 -29
  103. data/lib/dawn/kb/cve_2011_4319.rb +0 -30
  104. data/lib/dawn/kb/cve_2011_4815.rb +0 -28
  105. data/lib/dawn/kb/cve_2011_5036.rb +0 -26
  106. data/lib/dawn/kb/cve_2012_1098.rb +0 -30
  107. data/lib/dawn/kb/cve_2012_1099.rb +0 -27
  108. data/lib/dawn/kb/cve_2012_1241.rb +0 -27
  109. data/lib/dawn/kb/cve_2012_2139.rb +0 -26
  110. data/lib/dawn/kb/cve_2012_2140.rb +0 -27
  111. data/lib/dawn/kb/cve_2012_2660.rb +0 -28
  112. data/lib/dawn/kb/cve_2012_2661.rb +0 -27
  113. data/lib/dawn/kb/cve_2012_2671.rb +0 -28
  114. data/lib/dawn/kb/cve_2012_2694.rb +0 -30
  115. data/lib/dawn/kb/cve_2012_2695.rb +0 -27
  116. data/lib/dawn/kb/cve_2012_3424.rb +0 -29
  117. data/lib/dawn/kb/cve_2012_3463.rb +0 -27
  118. data/lib/dawn/kb/cve_2012_3464.rb +0 -27
  119. data/lib/dawn/kb/cve_2012_3465.rb +0 -26
  120. data/lib/dawn/kb/cve_2012_4464.rb +0 -27
  121. data/lib/dawn/kb/cve_2012_4466.rb +0 -27
  122. data/lib/dawn/kb/cve_2012_4481.rb +0 -26
  123. data/lib/dawn/kb/cve_2012_4522.rb +0 -27
  124. data/lib/dawn/kb/cve_2012_5370.rb +0 -27
  125. data/lib/dawn/kb/cve_2012_5371.rb +0 -27
  126. data/lib/dawn/kb/cve_2012_5380.rb +0 -28
  127. data/lib/dawn/kb/cve_2012_6109.rb +0 -25
  128. data/lib/dawn/kb/cve_2012_6134.rb +0 -27
  129. data/lib/dawn/kb/cve_2012_6496.rb +0 -28
  130. data/lib/dawn/kb/cve_2012_6497.rb +0 -28
  131. data/lib/dawn/kb/cve_2012_6684.rb +0 -28
  132. data/lib/dawn/kb/cve_2013_0155.rb +0 -29
  133. data/lib/dawn/kb/cve_2013_0156.rb +0 -27
  134. data/lib/dawn/kb/cve_2013_0162.rb +0 -28
  135. data/lib/dawn/kb/cve_2013_0175.rb +0 -27
  136. data/lib/dawn/kb/cve_2013_0183.rb +0 -25
  137. data/lib/dawn/kb/cve_2013_0184.rb +0 -25
  138. data/lib/dawn/kb/cve_2013_0233.rb +0 -26
  139. data/lib/dawn/kb/cve_2013_0256.rb +0 -59
  140. data/lib/dawn/kb/cve_2013_0262.rb +0 -26
  141. data/lib/dawn/kb/cve_2013_0263.rb +0 -26
  142. data/lib/dawn/kb/cve_2013_0269.rb +0 -27
  143. data/lib/dawn/kb/cve_2013_0276.rb +0 -28
  144. data/lib/dawn/kb/cve_2013_0277.rb +0 -25
  145. data/lib/dawn/kb/cve_2013_0284.rb +0 -27
  146. data/lib/dawn/kb/cve_2013_0285.rb +0 -27
  147. data/lib/dawn/kb/cve_2013_0333.rb +0 -28
  148. data/lib/dawn/kb/cve_2013_0334.rb +0 -25
  149. data/lib/dawn/kb/cve_2013_1607.rb +0 -25
  150. data/lib/dawn/kb/cve_2013_1655.rb +0 -65
  151. data/lib/dawn/kb/cve_2013_1656.rb +0 -28
  152. data/lib/dawn/kb/cve_2013_1756.rb +0 -26
  153. data/lib/dawn/kb/cve_2013_1800.rb +0 -26
  154. data/lib/dawn/kb/cve_2013_1801.rb +0 -27
  155. data/lib/dawn/kb/cve_2013_1802.rb +0 -27
  156. data/lib/dawn/kb/cve_2013_1812.rb +0 -27
  157. data/lib/dawn/kb/cve_2013_1821.rb +0 -28
  158. data/lib/dawn/kb/cve_2013_1854.rb +0 -26
  159. data/lib/dawn/kb/cve_2013_1855.rb +0 -25
  160. data/lib/dawn/kb/cve_2013_1856.rb +0 -26
  161. data/lib/dawn/kb/cve_2013_1857.rb +0 -27
  162. data/lib/dawn/kb/cve_2013_1875.rb +0 -27
  163. data/lib/dawn/kb/cve_2013_1898.rb +0 -27
  164. data/lib/dawn/kb/cve_2013_1911.rb +0 -28
  165. data/lib/dawn/kb/cve_2013_1933.rb +0 -27
  166. data/lib/dawn/kb/cve_2013_1947.rb +0 -27
  167. data/lib/dawn/kb/cve_2013_1948.rb +0 -27
  168. data/lib/dawn/kb/cve_2013_2065.rb +0 -29
  169. data/lib/dawn/kb/cve_2013_2090.rb +0 -28
  170. data/lib/dawn/kb/cve_2013_2105.rb +0 -26
  171. data/lib/dawn/kb/cve_2013_2119.rb +0 -27
  172. data/lib/dawn/kb/cve_2013_2512.rb +0 -26
  173. data/lib/dawn/kb/cve_2013_2513.rb +0 -25
  174. data/lib/dawn/kb/cve_2013_2516.rb +0 -26
  175. data/lib/dawn/kb/cve_2013_2615.rb +0 -27
  176. data/lib/dawn/kb/cve_2013_2616.rb +0 -27
  177. data/lib/dawn/kb/cve_2013_2617.rb +0 -28
  178. data/lib/dawn/kb/cve_2013_3221.rb +0 -27
  179. data/lib/dawn/kb/cve_2013_4164.rb +0 -30
  180. data/lib/dawn/kb/cve_2013_4203.rb +0 -25
  181. data/lib/dawn/kb/cve_2013_4389.rb +0 -26
  182. data/lib/dawn/kb/cve_2013_4413.rb +0 -27
  183. data/lib/dawn/kb/cve_2013_4457.rb +0 -29
  184. data/lib/dawn/kb/cve_2013_4478.rb +0 -26
  185. data/lib/dawn/kb/cve_2013_4479.rb +0 -26
  186. data/lib/dawn/kb/cve_2013_4489.rb +0 -28
  187. data/lib/dawn/kb/cve_2013_4491.rb +0 -29
  188. data/lib/dawn/kb/cve_2013_4492.rb +0 -29
  189. data/lib/dawn/kb/cve_2013_4562.rb +0 -27
  190. data/lib/dawn/kb/cve_2013_4593.rb +0 -27
  191. data/lib/dawn/kb/cve_2013_5647.rb +0 -29
  192. data/lib/dawn/kb/cve_2013_5671.rb +0 -26
  193. data/lib/dawn/kb/cve_2013_6414.rb +0 -30
  194. data/lib/dawn/kb/cve_2013_6415.rb +0 -29
  195. data/lib/dawn/kb/cve_2013_6416.rb +0 -29
  196. data/lib/dawn/kb/cve_2013_6417.rb +0 -30
  197. data/lib/dawn/kb/cve_2013_6421.rb +0 -28
  198. data/lib/dawn/kb/cve_2013_6459.rb +0 -28
  199. data/lib/dawn/kb/cve_2013_6460.rb +0 -53
  200. data/lib/dawn/kb/cve_2013_6461.rb +0 -57
  201. data/lib/dawn/kb/cve_2013_7086.rb +0 -27
  202. data/lib/dawn/kb/cve_2014_0036.rb +0 -27
  203. data/lib/dawn/kb/cve_2014_0080.rb +0 -29
  204. data/lib/dawn/kb/cve_2014_0081.rb +0 -27
  205. data/lib/dawn/kb/cve_2014_0082.rb +0 -27
  206. data/lib/dawn/kb/cve_2014_0130.rb +0 -27
  207. data/lib/dawn/kb/cve_2014_1233.rb +0 -27
  208. data/lib/dawn/kb/cve_2014_1234.rb +0 -26
  209. data/lib/dawn/kb/cve_2014_2322.rb +0 -28
  210. data/lib/dawn/kb/cve_2014_2525.rb +0 -59
  211. data/lib/dawn/kb/cve_2014_2538.rb +0 -26
  212. data/lib/dawn/kb/cve_2014_3482.rb +0 -28
  213. data/lib/dawn/kb/cve_2014_3483.rb +0 -28
  214. data/lib/dawn/kb/cve_2014_3916.rb +0 -29
  215. data/lib/dawn/kb/cve_2014_4975.rb +0 -28
  216. data/lib/dawn/kb/cve_2014_7818.rb +0 -27
  217. data/lib/dawn/kb/cve_2014_7819.rb +0 -31
  218. data/lib/dawn/kb/cve_2014_7829.rb +0 -30
  219. data/lib/dawn/kb/cve_2014_8090.rb +0 -30
  220. data/lib/dawn/kb/cve_2014_9490.rb +0 -29
  221. data/lib/dawn/kb/cve_2015_1819.rb +0 -34
  222. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
  223. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
  224. data/lib/dawn/kb/cve_2015_2963.rb +0 -27
  225. data/lib/dawn/kb/cve_2015_3224.rb +0 -26
  226. data/lib/dawn/kb/cve_2015_3225.rb +0 -28
  227. data/lib/dawn/kb/cve_2015_3226.rb +0 -27
  228. data/lib/dawn/kb/cve_2015_3227.rb +0 -28
  229. data/lib/dawn/kb/cve_2015_3448.rb +0 -29
  230. data/lib/dawn/kb/cve_2015_4020.rb +0 -34
  231. data/lib/dawn/kb/cve_2015_5312.rb +0 -30
  232. data/lib/dawn/kb/cve_2015_7497.rb +0 -32
  233. data/lib/dawn/kb/cve_2015_7498.rb +0 -32
  234. data/lib/dawn/kb/cve_2015_7499.rb +0 -32
  235. data/lib/dawn/kb/cve_2015_7500.rb +0 -32
  236. data/lib/dawn/kb/cve_2015_7519.rb +0 -31
  237. data/lib/dawn/kb/cve_2015_7541.rb +0 -31
  238. data/lib/dawn/kb/cve_2015_7576.rb +0 -35
  239. data/lib/dawn/kb/cve_2015_7577.rb +0 -34
  240. data/lib/dawn/kb/cve_2015_7578.rb +0 -30
  241. data/lib/dawn/kb/cve_2015_7579.rb +0 -30
  242. data/lib/dawn/kb/cve_2015_7581.rb +0 -33
  243. data/lib/dawn/kb/cve_2015_8241.rb +0 -32
  244. data/lib/dawn/kb/cve_2015_8242.rb +0 -32
  245. data/lib/dawn/kb/cve_2015_8317.rb +0 -32
  246. data/lib/dawn/kb/cve_2016_0751.rb +0 -32
  247. data/lib/dawn/kb/cve_2016_0752.rb +0 -35
  248. data/lib/dawn/kb/cve_2016_0753.rb +0 -31
  249. data/lib/dawn/kb/cve_2016_2097.rb +0 -35
  250. data/lib/dawn/kb/cve_2016_2098.rb +0 -35
  251. data/lib/dawn/kb/cve_2016_5697.rb +0 -30
  252. data/lib/dawn/kb/cve_2016_6316.rb +0 -33
  253. data/lib/dawn/kb/cve_2016_6317.rb +0 -32
  254. data/lib/dawn/kb/cve_2016_6582.rb +0 -43
  255. data/lib/dawn/kb/not_revised_code.rb +0 -22
  256. data/lib/dawn/kb/osvdb_105971.rb +0 -29
  257. data/lib/dawn/kb/osvdb_108530.rb +0 -27
  258. data/lib/dawn/kb/osvdb_108563.rb +0 -28
  259. data/lib/dawn/kb/osvdb_108569.rb +0 -28
  260. data/lib/dawn/kb/osvdb_108570.rb +0 -27
  261. data/lib/dawn/kb/osvdb_115654.rb +0 -33
  262. data/lib/dawn/kb/osvdb_116010.rb +0 -30
  263. data/lib/dawn/kb/osvdb_117903.rb +0 -30
  264. data/lib/dawn/kb/osvdb_118579.rb +0 -31
  265. data/lib/dawn/kb/osvdb_118830.rb +0 -32
  266. data/lib/dawn/kb/osvdb_118954.rb +0 -33
  267. data/lib/dawn/kb/osvdb_119878.rb +0 -32
  268. data/lib/dawn/kb/osvdb_119927.rb +0 -33
  269. data/lib/dawn/kb/osvdb_120415.rb +0 -31
  270. data/lib/dawn/kb/osvdb_120857.rb +0 -34
  271. data/lib/dawn/kb/osvdb_121701.rb +0 -30
  272. data/lib/dawn/kb/osvdb_132234.rb +0 -34
  273. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
  274. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
  275. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
  276. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
  277. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
  278. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
  279. data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
  280. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
  281. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
  282. data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
  283. data/lib/dawn/knowledge_base_experimental.rb +0 -245
  284. data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
  285. data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
  286. data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
  287. data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
  288. data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
  289. data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
  290. data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
  291. data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
  292. data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
  293. data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
  294. data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
  295. data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
  296. data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
  297. data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
  298. data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
  299. data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
  300. data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
  301. data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
  302. data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
  303. data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
  304. data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
  305. data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
  306. data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
  307. data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
  308. data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
  309. data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
  310. data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
  311. data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
  312. data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
  313. data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
  314. data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
  315. data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
  316. data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
  317. data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
  318. data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
  319. data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
  320. data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
  321. data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
  322. data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
  323. data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
  324. data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
  325. data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
  326. data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
  327. data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
  328. data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
  329. data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
  330. data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
  331. data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
  332. data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
  333. data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
  334. data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
  335. data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
  336. data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
  337. data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
  338. data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
  339. data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
  340. data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
  341. data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
  342. data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
  343. data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
  344. data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
  345. data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
  346. data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
  347. data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
  348. data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
  349. data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
  350. data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
  351. data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
  352. data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
  353. data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
  354. data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
  355. data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
  356. data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
  357. data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
  358. data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
  359. data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
  360. data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
  361. data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
  362. data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
  363. data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
  364. data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
  365. data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
  366. data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
  367. data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
  368. data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
  369. data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
  370. data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
  371. data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
  372. data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
  373. data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
  374. data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
  375. data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
  376. data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
  377. data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
  378. data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
  379. data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
  380. data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
  381. data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
  382. data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
  383. data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
  384. data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
  385. data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
  386. data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
  387. metadata.gz.sig +0 -0
checksums.yaml.gz.sig DELETED
Binary file
data.tar.gz.sig DELETED
Binary file
@@ -1,21 +0,0 @@
1
- -----BEGIN CERTIFICATE-----
2
- MIIDfDCCAmSgAwIBAgIBATANBgkqhkiG9w0BAQUFADBCMQ4wDAYDVQQDDAVwYW9s
3
- bzEbMBkGCgmSJomT8ixkARkWC2Rhd25zY2FubmVyMRMwEQYKCZImiZPyLGQBGRYD
4
- b3JnMB4XDTE3MDQwNzE0MjU0M1oXDTE4MDQwNzE0MjU0M1owQjEOMAwGA1UEAwwF
5
- cGFvbG8xGzAZBgoJkiaJk/IsZAEZFgtkYXduc2Nhbm5lcjETMBEGCgmSJomT8ixk
6
- ARkWA29yZzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKY7klJMYUud
7
- 10+6gsb1R7Vvnn96BpVc6sPXxInmQeoaQCZ4lT04ARfya7M6E5NHQDjCtSxv2Nib
8
- QX8gASLQ/zbg6fDXsUh/SACzguSqBMmwa1LcFs/cBtFuNjq8I/dPffHUVKw1OgzE
9
- hkzzmfoYHtga/XptmC24HGdJs5bEGCYTwX6luXPJVAMSxQVx/ZXoHjoR2P/ZMobO
10
- md7FSsd4Tk03z/MpkDF9jjMPb7DjMy2ke8VHMRzBurMldhmD2GLRBo+QAnTHrRNp
11
- a3yXoWmTlnnxAlJUqSGn83n7r1roHasdT7KzhPmAQ42qh6FrjbkQl/jdJA2fl3I3
12
- F0+emUMo9J8CAwEAAaN9MHswCQYDVR0TBAIwADALBgNVHQ8EBAMCBLAwHQYDVR0O
13
- BBYEFGrgDWYLVLOvh1i9ValuYILfIy7rMCAGA1UdEQQZMBeBFXBhb2xvQGRhd25z
14
- Y2FubmVyLm9yZzAgBgNVHRIEGTAXgRVwYW9sb0BkYXduc2Nhbm5lci5vcmcwDQYJ
15
- KoZIhvcNAQEFBQADggEBAHnheFofuUUhycQUbvvo/QlilUWwm5ez9a8tnU3rAeGs
16
- 6VVsjSf5j30PeQWAVporY3wuPD6Tnqvx0qqOcEtcBJcNcdbqr8h/lLQe66PJnRjM
17
- rcAIGSI/KtAfBYSQAP/d711jVjlZr69LjlQjvbV99i36ZDmKHGcrNBnsP49jMuPP
18
- cLydkHKvReI6cjZchfO27r1oEVCcd9Z6OTB7StD2SGrXgjbXT6jWuKy9npS0GlCr
19
- ZhbONaAaqfNoUhrLptHzm4FNkx1RXERL/HqIsA2pv/L1ZveOWLxrQgI3MuujkoVL
20
- nyZ9QdMe5aRX2OoNvfso64jO/IXPlYx+XH8ag3EWRpo=
21
- -----END CERTIFICATE-----
@@ -1,33 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-06
4
- class CVE_2004_0755
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions."
9
-
10
- super({
11
- :name=>"CVE-2004-0755",
12
- :cvss=>"AV:L/AC:L/Au:N/C:P/I:N/A:N",
13
- :release_date => Date.new(2004, 10, 20),
14
- :cve=>"2004-0755",
15
- :severity=>:medium,
16
- :priority=>:medium,
17
- :cwe=>"",
18
- :owasp=>"A9",
19
- :applies=>["rails", "sinatra", "padrino"],
20
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
21
- :message=>message,
22
- :mitigation=>"Upgrade your ruby interpreter",
23
- :aux_links=>["http://xforce.iss.net/xforce/xfdb/16996"]
24
- })
25
-
26
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.999", :patchlevel=>"p0"}, {:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
27
-
28
-
29
-
30
- end
31
- end
32
- end
33
- end
@@ -1,31 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-06
4
- class CVE_2004_0983
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request."
9
- super({
10
- :name=>"CVE-2004-0983",
11
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
12
- :release_date => Date.new(2005, 03, 01),
13
- :cve=>"2004-0983",
14
- :severity=>:high,
15
- :priority=>:high,
16
- :cwe=>"",
17
- :owasp=>"A9",
18
- :applies=>["rails", "sinatra", "padrino"],
19
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
20
- :message=>message,
21
- :mitigation=>"Upgrade your ruby interpreter",
22
- :aux_links=>["http://xforce.iss.net/xforce/xfdb/17985"]
23
- })
24
-
25
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"}, {:engine=>"ruby", :version=>"1.6.7", :patchlevel=>"p0"}]
26
-
27
-
28
- end
29
- end
30
- end
31
- end
@@ -1,31 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-06
4
- class CVE_2005_1992
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents \"security protection\" using handlers, which allows remote attackers to execute arbitrary commands."
9
-
10
- super({
11
- :name=>"CVE-2005-1992",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
13
- :release_date => Date.new(2005, 06, 20),
14
- :cve=>"CVE-2005-1992",
15
- :priority=>:high,
16
- :severity=>:high,
17
- :cwe=>"",
18
- :owasp=>"A9",
19
- :applies=>["rails", "sinatra", "padrino"],
20
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
21
- :message=>message,
22
- :mitigation=>"Upgrade your ruby interpreter",
23
- :aux_links=>["http://www2.ruby-lang.org/en/20050701.html"]
24
- })
25
-
26
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.999", :patchlevel=>"p0"}]
27
-
28
- end
29
- end
30
- end
31
- end
@@ -1,33 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-06
4
- class CVE_2005_2337
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message="Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin)."
9
- super({
10
- :name=>"CVE-2005-2337",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2005, 10, 07),
13
- :cve=>"CVE-2005-2337",
14
- :severity=>:high,
15
- :priority=>:high,
16
- :cwe=>"",
17
- :owasp=>"A9",
18
- :applies=>["rails", "sinatra", "padrino"],
19
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
20
- :message=>message,
21
- :mitigation=>"Upgrade your ruby interpreter",
22
- :aux_links=>["http://www.ruby-lang.org/en/20051003.html"]
23
- })
24
-
25
- self.safe_rubies = [
26
- {:engine=>"ruby", :version=>"1.6.8", :patchlevel=>"p0"},
27
- {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"},
28
- ]
29
-
30
- end
31
- end
32
- end
33
- end
@@ -1,30 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-06
4
- class CVE_2006_1931
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The HTTP/XMLRPC server in Ruby before 1.8.2 uses blocking sockets, which allows attackers to cause a denial of service (blocked connections) via a large amount of data."
9
- super({
10
- :name=>"CVE-2006-1931",
11
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
12
- :release_date => Date.new(2005, 06, 20),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
- :message=>message,
18
- :mitigation=>"Upgrade your ruby interpreter",
19
- :aux_links=>["http://www.securityfocus.com/bid/17645"]
20
- })
21
-
22
- self.safe_rubies = [
23
- {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p0"},
24
- {:engine=>"ruby", :version=>"1.6.8", :patchlevel=>"p0"}
25
- ]
26
-
27
- end
28
- end
29
- end
30
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_2582
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to execute arbitrary Ruby code via unknown attack vectors."
9
- super({
10
- :name=>"CVE-2006-2582",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2006, 5, 25),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rwiki to version 2.1.0 or above",
19
- :aux_links=>["http://secunia.com/advisories/20264"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"rwiki", :version=>['2.1.0']}]
23
-
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,31 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_3694
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "Multiple unspecified vulnerabilities in Ruby before 1.8.5 allow remote attackers to bypass \"safe level\" checks via unspecified vectors involving (1) the alias function and (2) \"directory operations\"."
9
- super({
10
- :name=>"CVE-2006-3694",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:N",
12
- :release_date => Date.new(2006, 7, 21),
13
- :cwe=>"",
14
- :severity=>:medium,
15
- :priority=>:medium,
16
- :owasp=>"A9",
17
- :applies=>["rails", "sinatra", "padrino"],
18
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
19
- :message=>message,
20
- :mitigation=>"Upgrade your ruby interpreter",
21
- :aux_links=>["http://www.securityfocus.com/bid/18944"]
22
- })
23
-
24
- self.safe_rubies = [
25
- {:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p0"}
26
- ]
27
-
28
- end
29
- end
30
- end
31
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_4112
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Unspecified vulnerability in the \"dependency resolution mechanism\" in Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby code via a URL that is not properly handled in the routing code, which leads to a denial of service (application hang) or \"data loss,\" a different vulnerability than CVE-2006-4111."
9
- super({
10
- :name=>"CVE-2006-4112",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2006, 8, 14),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rails version at least to 1.1.6 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"rails", :version=>['1.1.6']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_5467
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The cgi.rb CGI library for Ruby 1.8 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an HTTP request with a multipart MIME body that contains an invalid boundary specifier, as demonstrated using a specifier that begins with a \"-\" instead of \"--\" and contains an inconsistent ID."
9
-
10
- super({
11
- :name=>"CVE-2006-5467",
12
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
- :release_date => Date.new(2006, 10, 27),
14
- :cwe=>"",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
18
- :message=>message,
19
- :mitigation=>"Upgrade your ruby interpreter",
20
- :aux_links=>["http://www.securityfocus.com/bid/20777"]
21
- })
22
-
23
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_6303
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The read_multipart function in cgi.rb in Ruby before 1.8.5-p2 does not properly detect boundaries in MIME multipart content, which allows remote attackers to cause a denial of service (infinite loop) via crafted HTTP requests, a different issue than CVE-2006-5467."
9
-
10
- super({
11
- :name=>"CVE-2006-6303",
12
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
13
- :release_date => Date.new(2006, 12, 6),
14
- :cwe=>"",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
18
- :message=>message,
19
- :mitigation=>"Upgrade your ruby interpreter",
20
- :aux_links=>["http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/"]
21
- })
22
-
23
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p0"}]
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_6852
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Eval injection vulnerability in tDiary 2.0.3 and 2.1.4.20061127 allows remote authenticated users to execute arbitrary Ruby code via unspecified vectors, possibly related to incorrect input validation by (1) conf.rhtml and (2) i.conf.rhtml. NOTE: some of these details are obtained from third party information."
9
- super({
10
- :name=>"CVE-2006-6852",
11
- :cvss=>"AV:N/AC:M/Au:S/C:P/I:P/A:P",
12
- :release_date => Date.new(2006, 12, 31),
13
- :cwe=>"",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade tdiary version to the latest version.",
19
- :aux_links=>["http://www.tdiary.org/20061210.html"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"tdiary", :version=>['2.0.4', '2.1.5']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,29 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2006_6979
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The ruby handlers in the Magnatune component in Amarok do not properly quote text in certain contexts, probably including construction of an unzip command line, which allows attackers to execute arbitrary commands via shell metacharacters."
9
-
10
- super({
11
- :name=>"CVE-2006-6979",
12
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
13
- :release_date => Date.new(2007, 2, 8),
14
- :cwe=>"20",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
18
- :message=>message,
19
- :mitigation=>"It seems there is no real workaround but not using amarok in your project. If it's needed, please sanitize your code before passing input to Magnatune component",
20
- :aux_links=>["http://www.securityfocus.com/bid/22568"]
21
- })
22
-
23
- self.safe_dependencies = [{:name=>"amarok", :version=>['999.999.999']}]
24
-
25
-
26
- end
27
- end
28
- end
29
- end
@@ -1,29 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-07
4
- class CVE_2007_0469
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "The extract_files function in installer.rb in RubyGems before 0.9.1 does not check whether files exist before overwriting them, which allows user-assisted remote attackers to overwrite arbitrary files, cause a denial of service, or execute arbitrary code via crafted GEM packages."
9
- super({
10
- :name=>"CVE-2007-0469",
11
- :cvss=>"AV:N/AC:M/Au:N/C:C/I:C/A:C",
12
- :release_date => Date.new(2007, 1, 24),
13
- :cwe=>"",
14
- :severity=>:high,
15
- :priority=>:high,
16
- :owasp=>"A9",
17
- :applies=>["rails", "sinatra", "padrino"],
18
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
19
- :message=>message,
20
- :mitigation=>"This vulnerability should never occur due to the rubygem evolution. However if it has been found, please upgrade your whole development environment ot something newer",
21
- :aux_links=>["http://www.securityfocus.com/archive/1/archive/1/458128/100/0/threaded"]
22
- })
23
-
24
- self.safe_dependencies = [{:name=>"rubygems", :version=>['0.9.1', '0.8.12']}]
25
-
26
- end
27
- end
28
- end
29
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2007_5162
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The connect method in lib/net/http.rb in the (1) Net::HTTP and (2) Net::HTTPS libraries in Ruby 1.8.5 and 1.8.6 does not verify that the commonName (CN) field in a server certificate matches the domain name in an HTTPS request, which makes it easier for remote attackers to intercept SSL transmissions via a man-in-the-middle attack or spoofed web site."
9
-
10
- super({
11
- :name=>"CVE-2007-5162",
12
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
13
- :release_date => Date.new(2007, 10, 1),
14
- :cwe=>"287",
15
- :owasp=>"A9",
16
- :applies=>["rails", "sinatra", "padrino"],
17
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
18
- :message=>message,
19
- :mitigation=>"Upgrade your ruby interpreter",
20
- :aux_links=>["http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=13504"]
21
- })
22
-
23
- self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"}, {:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p999"}]
24
-
25
- end
26
- end
27
- end
28
- end