dawnscanner 1.6.8 → 2.0.0.rc4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (387) hide show
  1. checksums.yaml +5 -5
  2. data/.gitignore +1 -0
  3. data/.ruby-version +1 -1
  4. data/Changelog.md +27 -1
  5. data/LICENSE.txt +1 -1
  6. data/README.md +59 -57
  7. data/Rakefile +10 -242
  8. data/Roadmap.md +15 -23
  9. data/VERSION +1 -1
  10. data/bin/dawn +17 -273
  11. data/checksum/dawnscanner-1.6.8.gem.sha1 +1 -0
  12. data/checksum/dawnscanner-2.0.0.rc1.gem.sha1 +1 -0
  13. data/checksum/dawnscanner-2.0.0.rc2.gem.sha1 +1 -0
  14. data/checksum/dawnscanner-2.0.0.rc3.gem.sha1 +1 -0
  15. data/dawnscanner.gemspec +10 -9
  16. data/doc/change.sh +13 -0
  17. data/doc/kickstart_kb.tar.gz +0 -0
  18. data/doc/knowledge_base.rb +650 -0
  19. data/docs/.placeholder +0 -0
  20. data/docs/CNAME +1 -0
  21. data/docs/_config.yml +1 -0
  22. data/lib/dawn/cli/dawn_cli.rb +139 -0
  23. data/lib/dawn/core.rb +8 -7
  24. data/lib/dawn/engine.rb +93 -34
  25. data/lib/dawn/gemfile_lock.rb +2 -2
  26. data/lib/dawn/kb/basic_check.rb +1 -2
  27. data/lib/dawn/kb/combo_check.rb +1 -1
  28. data/lib/dawn/kb/dependency_check.rb +1 -1
  29. data/lib/dawn/kb/operating_system_check.rb +1 -1
  30. data/lib/dawn/kb/pattern_match_check.rb +10 -9
  31. data/lib/dawn/kb/ruby_version_check.rb +11 -10
  32. data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
  33. data/lib/dawn/kb/unsafe_depedency_check.rb +44 -0
  34. data/lib/dawn/kb/version_check.rb +41 -24
  35. data/lib/dawn/knowledge_base.rb +259 -595
  36. data/lib/dawn/reporter.rb +2 -1
  37. data/lib/dawn/utils.rb +5 -2
  38. data/lib/dawn/version.rb +5 -5
  39. data/lib/dawnscanner.rb +7 -6
  40. data/spec/lib/kb/codesake_unsafe_dependency_check_spec.rb +29 -0
  41. data/spec/lib/kb/dependency_check.yml +29 -0
  42. metadata +30 -496
  43. checksums.yaml.gz.sig +0 -0
  44. data.tar.gz.sig +0 -0
  45. data/certs/paolo_at_dawnscanner_dot_org.pem +0 -21
  46. data/lib/dawn/kb/cve_2004_0755.rb +0 -33
  47. data/lib/dawn/kb/cve_2004_0983.rb +0 -31
  48. data/lib/dawn/kb/cve_2005_1992.rb +0 -31
  49. data/lib/dawn/kb/cve_2005_2337.rb +0 -33
  50. data/lib/dawn/kb/cve_2006_1931.rb +0 -30
  51. data/lib/dawn/kb/cve_2006_2582.rb +0 -28
  52. data/lib/dawn/kb/cve_2006_3694.rb +0 -31
  53. data/lib/dawn/kb/cve_2006_4112.rb +0 -27
  54. data/lib/dawn/kb/cve_2006_5467.rb +0 -28
  55. data/lib/dawn/kb/cve_2006_6303.rb +0 -28
  56. data/lib/dawn/kb/cve_2006_6852.rb +0 -27
  57. data/lib/dawn/kb/cve_2006_6979.rb +0 -29
  58. data/lib/dawn/kb/cve_2007_0469.rb +0 -29
  59. data/lib/dawn/kb/cve_2007_5162.rb +0 -28
  60. data/lib/dawn/kb/cve_2007_5379.rb +0 -27
  61. data/lib/dawn/kb/cve_2007_5380.rb +0 -29
  62. data/lib/dawn/kb/cve_2007_5770.rb +0 -30
  63. data/lib/dawn/kb/cve_2007_6077.rb +0 -31
  64. data/lib/dawn/kb/cve_2007_6612.rb +0 -30
  65. data/lib/dawn/kb/cve_2008_1145.rb +0 -38
  66. data/lib/dawn/kb/cve_2008_1891.rb +0 -38
  67. data/lib/dawn/kb/cve_2008_2376.rb +0 -30
  68. data/lib/dawn/kb/cve_2008_2662.rb +0 -33
  69. data/lib/dawn/kb/cve_2008_2663.rb +0 -32
  70. data/lib/dawn/kb/cve_2008_2664.rb +0 -33
  71. data/lib/dawn/kb/cve_2008_2725.rb +0 -31
  72. data/lib/dawn/kb/cve_2008_3655.rb +0 -37
  73. data/lib/dawn/kb/cve_2008_3657.rb +0 -37
  74. data/lib/dawn/kb/cve_2008_3790.rb +0 -30
  75. data/lib/dawn/kb/cve_2008_3905.rb +0 -36
  76. data/lib/dawn/kb/cve_2008_4094.rb +0 -27
  77. data/lib/dawn/kb/cve_2008_4310.rb +0 -100
  78. data/lib/dawn/kb/cve_2008_5189.rb +0 -27
  79. data/lib/dawn/kb/cve_2008_7248.rb +0 -27
  80. data/lib/dawn/kb/cve_2009_4078.rb +0 -29
  81. data/lib/dawn/kb/cve_2009_4124.rb +0 -30
  82. data/lib/dawn/kb/cve_2009_4214.rb +0 -27
  83. data/lib/dawn/kb/cve_2010_1330.rb +0 -28
  84. data/lib/dawn/kb/cve_2010_2489.rb +0 -60
  85. data/lib/dawn/kb/cve_2010_3933.rb +0 -27
  86. data/lib/dawn/kb/cve_2011_0188.rb +0 -67
  87. data/lib/dawn/kb/cve_2011_0446.rb +0 -28
  88. data/lib/dawn/kb/cve_2011_0447.rb +0 -28
  89. data/lib/dawn/kb/cve_2011_0739.rb +0 -28
  90. data/lib/dawn/kb/cve_2011_0995.rb +0 -61
  91. data/lib/dawn/kb/cve_2011_1004.rb +0 -34
  92. data/lib/dawn/kb/cve_2011_1005.rb +0 -31
  93. data/lib/dawn/kb/cve_2011_2197.rb +0 -27
  94. data/lib/dawn/kb/cve_2011_2686.rb +0 -29
  95. data/lib/dawn/kb/cve_2011_2705.rb +0 -32
  96. data/lib/dawn/kb/cve_2011_2929.rb +0 -27
  97. data/lib/dawn/kb/cve_2011_2930.rb +0 -28
  98. data/lib/dawn/kb/cve_2011_2931.rb +0 -30
  99. data/lib/dawn/kb/cve_2011_2932.rb +0 -27
  100. data/lib/dawn/kb/cve_2011_3009.rb +0 -28
  101. data/lib/dawn/kb/cve_2011_3186.rb +0 -29
  102. data/lib/dawn/kb/cve_2011_3187.rb +0 -29
  103. data/lib/dawn/kb/cve_2011_4319.rb +0 -30
  104. data/lib/dawn/kb/cve_2011_4815.rb +0 -28
  105. data/lib/dawn/kb/cve_2011_5036.rb +0 -26
  106. data/lib/dawn/kb/cve_2012_1098.rb +0 -30
  107. data/lib/dawn/kb/cve_2012_1099.rb +0 -27
  108. data/lib/dawn/kb/cve_2012_1241.rb +0 -27
  109. data/lib/dawn/kb/cve_2012_2139.rb +0 -26
  110. data/lib/dawn/kb/cve_2012_2140.rb +0 -27
  111. data/lib/dawn/kb/cve_2012_2660.rb +0 -28
  112. data/lib/dawn/kb/cve_2012_2661.rb +0 -27
  113. data/lib/dawn/kb/cve_2012_2671.rb +0 -28
  114. data/lib/dawn/kb/cve_2012_2694.rb +0 -30
  115. data/lib/dawn/kb/cve_2012_2695.rb +0 -27
  116. data/lib/dawn/kb/cve_2012_3424.rb +0 -29
  117. data/lib/dawn/kb/cve_2012_3463.rb +0 -27
  118. data/lib/dawn/kb/cve_2012_3464.rb +0 -27
  119. data/lib/dawn/kb/cve_2012_3465.rb +0 -26
  120. data/lib/dawn/kb/cve_2012_4464.rb +0 -27
  121. data/lib/dawn/kb/cve_2012_4466.rb +0 -27
  122. data/lib/dawn/kb/cve_2012_4481.rb +0 -26
  123. data/lib/dawn/kb/cve_2012_4522.rb +0 -27
  124. data/lib/dawn/kb/cve_2012_5370.rb +0 -27
  125. data/lib/dawn/kb/cve_2012_5371.rb +0 -27
  126. data/lib/dawn/kb/cve_2012_5380.rb +0 -28
  127. data/lib/dawn/kb/cve_2012_6109.rb +0 -25
  128. data/lib/dawn/kb/cve_2012_6134.rb +0 -27
  129. data/lib/dawn/kb/cve_2012_6496.rb +0 -28
  130. data/lib/dawn/kb/cve_2012_6497.rb +0 -28
  131. data/lib/dawn/kb/cve_2012_6684.rb +0 -28
  132. data/lib/dawn/kb/cve_2013_0155.rb +0 -29
  133. data/lib/dawn/kb/cve_2013_0156.rb +0 -27
  134. data/lib/dawn/kb/cve_2013_0162.rb +0 -28
  135. data/lib/dawn/kb/cve_2013_0175.rb +0 -27
  136. data/lib/dawn/kb/cve_2013_0183.rb +0 -25
  137. data/lib/dawn/kb/cve_2013_0184.rb +0 -25
  138. data/lib/dawn/kb/cve_2013_0233.rb +0 -26
  139. data/lib/dawn/kb/cve_2013_0256.rb +0 -59
  140. data/lib/dawn/kb/cve_2013_0262.rb +0 -26
  141. data/lib/dawn/kb/cve_2013_0263.rb +0 -26
  142. data/lib/dawn/kb/cve_2013_0269.rb +0 -27
  143. data/lib/dawn/kb/cve_2013_0276.rb +0 -28
  144. data/lib/dawn/kb/cve_2013_0277.rb +0 -25
  145. data/lib/dawn/kb/cve_2013_0284.rb +0 -27
  146. data/lib/dawn/kb/cve_2013_0285.rb +0 -27
  147. data/lib/dawn/kb/cve_2013_0333.rb +0 -28
  148. data/lib/dawn/kb/cve_2013_0334.rb +0 -25
  149. data/lib/dawn/kb/cve_2013_1607.rb +0 -25
  150. data/lib/dawn/kb/cve_2013_1655.rb +0 -65
  151. data/lib/dawn/kb/cve_2013_1656.rb +0 -28
  152. data/lib/dawn/kb/cve_2013_1756.rb +0 -26
  153. data/lib/dawn/kb/cve_2013_1800.rb +0 -26
  154. data/lib/dawn/kb/cve_2013_1801.rb +0 -27
  155. data/lib/dawn/kb/cve_2013_1802.rb +0 -27
  156. data/lib/dawn/kb/cve_2013_1812.rb +0 -27
  157. data/lib/dawn/kb/cve_2013_1821.rb +0 -28
  158. data/lib/dawn/kb/cve_2013_1854.rb +0 -26
  159. data/lib/dawn/kb/cve_2013_1855.rb +0 -25
  160. data/lib/dawn/kb/cve_2013_1856.rb +0 -26
  161. data/lib/dawn/kb/cve_2013_1857.rb +0 -27
  162. data/lib/dawn/kb/cve_2013_1875.rb +0 -27
  163. data/lib/dawn/kb/cve_2013_1898.rb +0 -27
  164. data/lib/dawn/kb/cve_2013_1911.rb +0 -28
  165. data/lib/dawn/kb/cve_2013_1933.rb +0 -27
  166. data/lib/dawn/kb/cve_2013_1947.rb +0 -27
  167. data/lib/dawn/kb/cve_2013_1948.rb +0 -27
  168. data/lib/dawn/kb/cve_2013_2065.rb +0 -29
  169. data/lib/dawn/kb/cve_2013_2090.rb +0 -28
  170. data/lib/dawn/kb/cve_2013_2105.rb +0 -26
  171. data/lib/dawn/kb/cve_2013_2119.rb +0 -27
  172. data/lib/dawn/kb/cve_2013_2512.rb +0 -26
  173. data/lib/dawn/kb/cve_2013_2513.rb +0 -25
  174. data/lib/dawn/kb/cve_2013_2516.rb +0 -26
  175. data/lib/dawn/kb/cve_2013_2615.rb +0 -27
  176. data/lib/dawn/kb/cve_2013_2616.rb +0 -27
  177. data/lib/dawn/kb/cve_2013_2617.rb +0 -28
  178. data/lib/dawn/kb/cve_2013_3221.rb +0 -27
  179. data/lib/dawn/kb/cve_2013_4164.rb +0 -30
  180. data/lib/dawn/kb/cve_2013_4203.rb +0 -25
  181. data/lib/dawn/kb/cve_2013_4389.rb +0 -26
  182. data/lib/dawn/kb/cve_2013_4413.rb +0 -27
  183. data/lib/dawn/kb/cve_2013_4457.rb +0 -29
  184. data/lib/dawn/kb/cve_2013_4478.rb +0 -26
  185. data/lib/dawn/kb/cve_2013_4479.rb +0 -26
  186. data/lib/dawn/kb/cve_2013_4489.rb +0 -28
  187. data/lib/dawn/kb/cve_2013_4491.rb +0 -29
  188. data/lib/dawn/kb/cve_2013_4492.rb +0 -29
  189. data/lib/dawn/kb/cve_2013_4562.rb +0 -27
  190. data/lib/dawn/kb/cve_2013_4593.rb +0 -27
  191. data/lib/dawn/kb/cve_2013_5647.rb +0 -29
  192. data/lib/dawn/kb/cve_2013_5671.rb +0 -26
  193. data/lib/dawn/kb/cve_2013_6414.rb +0 -30
  194. data/lib/dawn/kb/cve_2013_6415.rb +0 -29
  195. data/lib/dawn/kb/cve_2013_6416.rb +0 -29
  196. data/lib/dawn/kb/cve_2013_6417.rb +0 -30
  197. data/lib/dawn/kb/cve_2013_6421.rb +0 -28
  198. data/lib/dawn/kb/cve_2013_6459.rb +0 -28
  199. data/lib/dawn/kb/cve_2013_6460.rb +0 -53
  200. data/lib/dawn/kb/cve_2013_6461.rb +0 -57
  201. data/lib/dawn/kb/cve_2013_7086.rb +0 -27
  202. data/lib/dawn/kb/cve_2014_0036.rb +0 -27
  203. data/lib/dawn/kb/cve_2014_0080.rb +0 -29
  204. data/lib/dawn/kb/cve_2014_0081.rb +0 -27
  205. data/lib/dawn/kb/cve_2014_0082.rb +0 -27
  206. data/lib/dawn/kb/cve_2014_0130.rb +0 -27
  207. data/lib/dawn/kb/cve_2014_1233.rb +0 -27
  208. data/lib/dawn/kb/cve_2014_1234.rb +0 -26
  209. data/lib/dawn/kb/cve_2014_2322.rb +0 -28
  210. data/lib/dawn/kb/cve_2014_2525.rb +0 -59
  211. data/lib/dawn/kb/cve_2014_2538.rb +0 -26
  212. data/lib/dawn/kb/cve_2014_3482.rb +0 -28
  213. data/lib/dawn/kb/cve_2014_3483.rb +0 -28
  214. data/lib/dawn/kb/cve_2014_3916.rb +0 -29
  215. data/lib/dawn/kb/cve_2014_4975.rb +0 -28
  216. data/lib/dawn/kb/cve_2014_7818.rb +0 -27
  217. data/lib/dawn/kb/cve_2014_7819.rb +0 -31
  218. data/lib/dawn/kb/cve_2014_7829.rb +0 -30
  219. data/lib/dawn/kb/cve_2014_8090.rb +0 -30
  220. data/lib/dawn/kb/cve_2014_9490.rb +0 -29
  221. data/lib/dawn/kb/cve_2015_1819.rb +0 -34
  222. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
  223. data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
  224. data/lib/dawn/kb/cve_2015_2963.rb +0 -27
  225. data/lib/dawn/kb/cve_2015_3224.rb +0 -26
  226. data/lib/dawn/kb/cve_2015_3225.rb +0 -28
  227. data/lib/dawn/kb/cve_2015_3226.rb +0 -27
  228. data/lib/dawn/kb/cve_2015_3227.rb +0 -28
  229. data/lib/dawn/kb/cve_2015_3448.rb +0 -29
  230. data/lib/dawn/kb/cve_2015_4020.rb +0 -34
  231. data/lib/dawn/kb/cve_2015_5312.rb +0 -30
  232. data/lib/dawn/kb/cve_2015_7497.rb +0 -32
  233. data/lib/dawn/kb/cve_2015_7498.rb +0 -32
  234. data/lib/dawn/kb/cve_2015_7499.rb +0 -32
  235. data/lib/dawn/kb/cve_2015_7500.rb +0 -32
  236. data/lib/dawn/kb/cve_2015_7519.rb +0 -31
  237. data/lib/dawn/kb/cve_2015_7541.rb +0 -31
  238. data/lib/dawn/kb/cve_2015_7576.rb +0 -35
  239. data/lib/dawn/kb/cve_2015_7577.rb +0 -34
  240. data/lib/dawn/kb/cve_2015_7578.rb +0 -30
  241. data/lib/dawn/kb/cve_2015_7579.rb +0 -30
  242. data/lib/dawn/kb/cve_2015_7581.rb +0 -33
  243. data/lib/dawn/kb/cve_2015_8241.rb +0 -32
  244. data/lib/dawn/kb/cve_2015_8242.rb +0 -32
  245. data/lib/dawn/kb/cve_2015_8317.rb +0 -32
  246. data/lib/dawn/kb/cve_2016_0751.rb +0 -32
  247. data/lib/dawn/kb/cve_2016_0752.rb +0 -35
  248. data/lib/dawn/kb/cve_2016_0753.rb +0 -31
  249. data/lib/dawn/kb/cve_2016_2097.rb +0 -35
  250. data/lib/dawn/kb/cve_2016_2098.rb +0 -35
  251. data/lib/dawn/kb/cve_2016_5697.rb +0 -30
  252. data/lib/dawn/kb/cve_2016_6316.rb +0 -33
  253. data/lib/dawn/kb/cve_2016_6317.rb +0 -32
  254. data/lib/dawn/kb/cve_2016_6582.rb +0 -43
  255. data/lib/dawn/kb/not_revised_code.rb +0 -22
  256. data/lib/dawn/kb/osvdb_105971.rb +0 -29
  257. data/lib/dawn/kb/osvdb_108530.rb +0 -27
  258. data/lib/dawn/kb/osvdb_108563.rb +0 -28
  259. data/lib/dawn/kb/osvdb_108569.rb +0 -28
  260. data/lib/dawn/kb/osvdb_108570.rb +0 -27
  261. data/lib/dawn/kb/osvdb_115654.rb +0 -33
  262. data/lib/dawn/kb/osvdb_116010.rb +0 -30
  263. data/lib/dawn/kb/osvdb_117903.rb +0 -30
  264. data/lib/dawn/kb/osvdb_118579.rb +0 -31
  265. data/lib/dawn/kb/osvdb_118830.rb +0 -32
  266. data/lib/dawn/kb/osvdb_118954.rb +0 -33
  267. data/lib/dawn/kb/osvdb_119878.rb +0 -32
  268. data/lib/dawn/kb/osvdb_119927.rb +0 -33
  269. data/lib/dawn/kb/osvdb_120415.rb +0 -31
  270. data/lib/dawn/kb/osvdb_120857.rb +0 -34
  271. data/lib/dawn/kb/osvdb_121701.rb +0 -30
  272. data/lib/dawn/kb/osvdb_132234.rb +0 -34
  273. data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
  274. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
  275. data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
  276. data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
  277. data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
  278. data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
  279. data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
  280. data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
  281. data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
  282. data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
  283. data/lib/dawn/knowledge_base_experimental.rb +0 -245
  284. data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
  285. data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
  286. data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
  287. data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
  288. data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
  289. data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
  290. data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
  291. data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
  292. data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
  293. data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
  294. data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
  295. data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
  296. data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
  297. data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
  298. data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
  299. data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
  300. data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
  301. data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
  302. data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
  303. data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
  304. data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
  305. data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
  306. data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
  307. data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
  308. data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
  309. data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
  310. data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
  311. data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
  312. data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
  313. data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
  314. data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
  315. data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
  316. data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
  317. data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
  318. data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
  319. data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
  320. data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
  321. data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
  322. data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
  323. data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
  324. data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
  325. data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
  326. data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
  327. data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
  328. data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
  329. data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
  330. data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
  331. data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
  332. data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
  333. data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
  334. data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
  335. data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
  336. data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
  337. data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
  338. data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
  339. data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
  340. data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
  341. data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
  342. data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
  343. data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
  344. data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
  345. data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
  346. data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
  347. data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
  348. data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
  349. data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
  350. data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
  351. data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
  352. data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
  353. data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
  354. data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
  355. data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
  356. data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
  357. data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
  358. data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
  359. data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
  360. data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
  361. data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
  362. data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
  363. data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
  364. data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
  365. data/spec/lib/kb/cve_2016_2098_spec.rb +0 -55
  366. data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
  367. data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
  368. data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
  369. data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
  370. data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
  371. data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
  372. data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
  373. data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
  374. data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
  375. data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
  376. data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
  377. data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
  378. data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
  379. data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
  380. data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
  381. data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
  382. data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
  383. data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
  384. data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
  385. data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
  386. data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
  387. metadata.gz.sig +0 -0
@@ -1,30 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2008_3790
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "The REXML module in Ruby 1.8.6 through 1.8.6-p287, 1.8.7 through 1.8.7-p72, and 1.9 allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML document with recursively nested entities, aka an \"XML entity explosion.\""
9
- super({
10
- :name=>"CVE-2008-3790",
11
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
12
- :release_date => Date.new(2008, 8, 27),
13
- :cwe=>"20",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
- :message=>message,
18
- :mitigation=>"Upgrade your ruby interpreter",
19
- :aux_links=>["http://www.ruby-lang.org/en/news/2008/08/23/dos-vulnerability-in-rexml/"]
20
- })
21
-
22
- self.safe_rubies = [
23
- {:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"},
24
- {:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p73"},
25
- {:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p1"}
26
- ]
27
- end
28
- end
29
- end
30
- end
@@ -1,36 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2008_3905
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "resolv.rb in Ruby 1.8.5 and earlier, 1.8.6 before 1.8.6-p287, 1.8.7 before 1.8.7-p72, and 1.9 r18423 and earlier uses sequential transaction IDs and constant source ports for DNS requests, which makes it easier for remote attackers to spoof DNS responses, a different vulnerability than CVE-2008-1447."
9
- super({
10
- :name=>"CVE-2008-3905",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:P",
12
- :release_date => Date.new(2008, 9, 4),
13
- :cwe=>"287",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
- :message=>message,
18
- :mitigation=>"Upgrade your ruby interpreter",
19
- :aux_links=>["http://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/"]
20
- })
21
-
22
- self.safe_rubies = [
23
- {:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p0"},
24
- {:engine=>"ruby", :version=>"1.8.6", :patchlevel=>"p287"},
25
- {:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"},
26
- {:engine=>"ruby", :version=>"1.8.4", :patchlevel=>"p999"},
27
- {:engine=>"ruby", :version=>"1.8.3", :patchlevel=>"p999"},
28
- {:engine=>"ruby", :version=>"1.8.2", :patchlevel=>"p999"},
29
- {:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
30
- {:engine=>"ruby", :version=>"1.8.0", :patchlevel=>"p999"},
31
- {:engine=>"ruby", :version=>"1.6.999", :patchlevel=>"p0"}]
32
-
33
- end
34
- end
35
- end
36
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2008_4094
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) :limit and (2) :offset parameters, related to ActiveRecord, ActiveSupport, ActiveResource, ActionPack, and ActionMailer."
9
- super({
10
- :name=>"CVE-2008-4094",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2008, 9, 30),
13
- :cwe=>"89",
14
- :owasp=>"A1",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rails version at least to 2.1.1 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure"]
20
- })
21
-
22
-
23
- self.safe_dependencies = [{:name=>"rails", :version=>['2.1.1', '2.0.999', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
24
- end
25
- end
26
- end
27
- end
@@ -1,100 +0,0 @@
1
- module Dawn
2
- module Kb
3
- class CVE_2008_4310_a
4
- include RubyVersionCheck
5
- def initialize
6
- message = "CVE_2008_4310_a: ruby 1.8.1 and 1.8.5 have problems"
7
- super({
8
- :name=>"CVE-2008_4310_a",
9
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
10
- })
11
- self.safe_rubies = [
12
- {:engine=>"ruby", :version=>"1.8.1", :patchlevel=>"p999"},
13
- {:engine=>"ruby", :version=>"1.8.5", :patchlevel=>"p999"}
14
- ]
15
- end
16
- end
17
-
18
- class CVE_2008_4310_b
19
- include OperatingSystemCheck
20
-
21
- def initialize
22
-
23
- message = "CVE_2008_4310_b: Only on RedHat EL 4 and 5"
24
-
25
- super({
26
- :name=>"CVE-2008_4310_b",
27
- :kind=>Dawn::KnowledgeBase::OS_CHECK,
28
- })
29
-
30
- self.safe_os=[
31
- #RHEL 5.10
32
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-371']},
33
- #RHEL 5.9
34
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-348']},
35
- #RHEL 5.8
36
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-308']},
37
- #RHEL 5.7
38
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-274']},
39
- #RHEL 5.6
40
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-238']},
41
- #RHEL 5.5
42
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-194']},
43
- #RHEL 5.4
44
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-164']},
45
- #RHEL 5.3
46
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-128']},
47
- #RHEL 5.2
48
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-92']},
49
- #RHEL 5.1
50
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-53']},
51
- #RHEL 5.0
52
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.18-8']},
53
- #RHEL 4.9
54
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-100']},
55
- #RHEL 4.8
56
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-89']},
57
- #RHEL 4.7
58
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-78']},
59
- #RHEL 4.6
60
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-67']},
61
- #RHEL 4.5
62
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-55']},
63
- #RHEL 4.4
64
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-42']},
65
- #RHEL 4.3
66
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-34']},
67
- #RHEL 4.2
68
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-22']},
69
- #RHEL 4.1
70
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-11']},
71
- #RHEL 4.0
72
- {:family=>"linux", :vendor=>"redhat", :version=>['2.6.9-5']}
73
- ]
74
- end
75
- end
76
-
77
- class CVE_2008_4310
78
- include ComboCheck
79
-
80
- def initialize
81
- message = "httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat Enterprise Linux 4 and 5, allows remote attackers to cause a denial of service (CPU consumption) via a crafted HTTP request. NOTE: this issue exists because of an incomplete fix for CVE-2008-3656."
82
-
83
- super({
84
- :name=>"CVE-2008-4310",
85
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:C",
86
- :release_date => Date.new(2008, 12, 9),
87
- :cwe=>"399",
88
- :owasp=>"A9",
89
- :applies=>["sinatra", "padrino", "rails"],
90
- :kind=>Dawn::KnowledgeBase::COMBO_CHECK,
91
- :message=>message,
92
- :mitigation=>"Please upgrade your ruby interpreter",
93
- :aux_links=>["http://secunia.com/advisories/33013"],
94
- :checks=>[CVE_2008_4310_a.new, CVE_2008_4310_b.new]
95
- })
96
-
97
- end
98
- end
99
- end
100
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2008_5189
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function."
9
- super({
10
- :name=>"CVE-2008-5189",
11
- :cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2008, 11, 21),
13
- :cwe=>"352",
14
- :owasp=>"A8",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rails version at least to 2.0.5 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"rails", :version=>['2.0.5', '1.9.999', '1.2.999', '1.1.999', '0.999.999']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2008_7248
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote attackers to bypass cross-site request forgery (CSRF) protection for requests to applications that rely on this protection, as demonstrated using text/plain."
9
- super({
10
- :name=>"CVE-2008-7248",
11
- :cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2009, 12, 16),
13
- :cwe=>"20",
14
- :owasp=>"A9",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rails version at least to 2.1.3 or 2.2.2 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["http://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"rails", :version=>['2.1.3', '2.2.2']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,29 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2009_4078
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Multiple cross-site scripting (XSS) vulnerabilities in Redmine 0.8.5 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors."
9
- super({
10
- :name=>"CVE-2009-4078",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2009, 11, 25),
13
- :cwe=>"79",
14
- :owasp=>"A3",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade redmine version at least to 0.8.6 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["http://www.redmine.org/wiki/redmine/Changelog#v086-2009-11-04"]
20
- })
21
-
22
- self.safe_dependencies = [
23
- {:name=>"redmine", :version=>['0.8.5', '0.7.999', '0.6.999', '0.5.999', '0.4.999', '0.3.999', '0.2.999', '0.1.999']}
24
- ]
25
-
26
- end
27
- end
28
- end
29
- end
@@ -1,30 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2009_4124
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "Heap-based buffer overflow in the rb_str_justify function in string.c in Ruby 1.9.1 before 1.9.1-p376 allows context-dependent attackers to execute arbitrary code via unspecified vectors involving (1) String#ljust, (2) String#center, or (3) String#rjust. NOTE: some of these details are obtained from third party information."
9
- super({
10
- :name=>"CVE-2009-4124",
11
- :cvss=>"AV:N/AC:L/Au:N/C:C/I:C/A:C",
12
- :release_date => Date.new(2009, 12, 11),
13
- :cwe=>"119",
14
- :owasp=>"A9",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
- :message=>message,
18
- :mitigation=>"Upgrade your ruby interpreter",
19
- :aux_links=>["http://www.ruby-lang.org/en/news/2009/12/07/heap-overflow-in-string/"]
20
- })
21
-
22
- self.safe_rubies = [
23
- {:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p376"},
24
- ]
25
-
26
-
27
- end
28
- end
29
- end
30
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2009_4214
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Cross-site scripting (XSS) vulnerability in the strip_tags function in Ruby on Rails before before 2.3.5, allows remote attackers to inject arbitrary web script or HTML via vectors involving non-printing ASCII characters, related to HTML::Tokenizer and actionpack/lib/action_controller/vendor/html-scanner/html/node.rb."
9
- super({
10
- :name=>"CVE-2009-4214",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2009, 12, 7),
13
- :cwe=>"79",
14
- :owasp=>"A3",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rails version at least to 2.3.5 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["http://groups.google.com/group/rubyonrails-security/browse_thread/thread/4d4f71f2aef4c0ab?pli=1"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"rails", :version=>['2.3.5', '2.2.999', '2.1.999', '1.999.999', '0.999.999']}]
23
-
24
- end
25
- end
26
- end
27
- end
@@ -1,28 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2013-07-09
4
- class CVE_2010_1330
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message="The regular expression engine in JRuby before 1.4.1, when $KCODE is set to 'u', does not properly handle characters immediately after a UTF-8 character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted string."
9
- super({
10
- :name=>"CVE-2010-1330",
11
- :cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
12
- :release_date => Date.new(2012, 11, 23),
13
- :cwe=>"79",
14
- :owasp=>"A3",
15
- :applies=>["rails", "sinatra", "padrino"],
16
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
17
- :message=>message,
18
- :mitigation=>"Upgrade your jruby interpreter",
19
- :aux_links=>["http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html"]
20
- })
21
-
22
- self.safe_rubies = [{:engine=>"jruby", :version=>"1.4.2", :patchlevel=>"p0"}]
23
-
24
-
25
- end
26
- end
27
- end
28
- end
@@ -1,60 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-09
4
- class CVE_2010_2489_a
5
- include RubyVersionCheck
6
-
7
- def initialize
8
- message = "CVE_2010_2489_a: ruby 1.9.2-p429 has problems"
9
- super({
10
- :name=>"CVE_2010_2489_a",
11
- :kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
12
- })
13
- self.safe_rubies = [
14
- {:engine=>"ruby", :version=>"1.9.2", :patchlevel=>"p430"},
15
- {:engine=>"ruby", :version=>"1.9.1", :patchlevel=>"p999"},
16
- {:engine=>"ruby", :version=>"1.9.0", :patchlevel=>"p999"}
17
- ]
18
- end
19
- end
20
-
21
- class CVE_2010_2489_b
22
- include OperatingSystemCheck
23
- def initialize
24
- message = "CVE_2010_2489_a: Only on Windows"
25
- super({
26
- :name=>"CVE_2010_2489_ab",
27
- :kind=>Dawn::KnowledgeBase::OS_CHECK,
28
- })
29
-
30
- self.safe_os = [
31
- {:family=>"windows", :vendor=>"microsoft", :version=>['none']}
32
- ]
33
-
34
- end
35
-
36
- end
37
-
38
- class CVE_2010_2489
39
- include ComboCheck
40
-
41
- def initialize
42
- message = "Buffer overflow in Ruby 1.9.x before 1.9.1-p429 on Windows might allow local users to gain privileges via a crafted ARGF.inplace_mode value that is not properly handled when constructing the filenames of the backup files"
43
- super({
44
- :name=>"CVE-2010-2489",
45
- :cvss=>"AV:L/AC:L/Au:N/C:C/I:C/A:C",
46
- :release_date => Date.new(2010, 7, 10),
47
- :cwe=>"119",
48
- :owasp=>"A9",
49
- :applies=>["sinatra", "padrino", "rails"],
50
- :kind=>Dawn::KnowledgeBase::COMBO_CHECK,
51
- :message=>message,
52
- :mitigation=>"Please upgrade your ruby interpreter",
53
- :aux_links=>["http://www.ruby-lang.org/en/news/2010/07/02/ruby-1-9-1-p429-is-released/"],
54
- :checks=>[CVE_2010_2489_a.new, CVE_2010_2489_b.new]
55
- })
56
-
57
- end
58
- end
59
- end
60
- end
@@ -1,27 +0,0 @@
1
- module Dawn
2
- module Kb
3
- # Automatically created with rake on 2014-01-08
4
- class CVE_2010_3933
5
- include DependencyCheck
6
-
7
- def initialize
8
- message = "Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested attributes, which allows remote attackers to modify arbitrary records by changing the names of parameters for form inputs."
9
- super({
10
- :name=>"CVE-2010-3933",
11
- :cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
12
- :release_date => Date.new(2010, 10, 28),
13
- :cwe=>"20",
14
- :owasp=>"A9",
15
- :applies=>["rails"],
16
- :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
17
- :message=>message,
18
- :mitigation=>"Please upgrade rails version at least to 2.3.10, 3.0.1 or higher. As a general rule, using the latest stable rails version is recommended.",
19
- :aux_links=>["ttp://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0"]
20
- })
21
-
22
- self.safe_dependencies = [{:name=>"rails", :version=>['2.3.10', '3.0.1']}]
23
-
24
- end
25
- end
26
- end
27
- end