dawnscanner 1.6.9 → 2.0.0.rc1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.ruby-version +1 -1
- data/Changelog.md +8 -0
- data/LICENSE.txt +1 -1
- data/Rakefile +6 -239
- data/VERSION +1 -1
- data/bin/dawn +6 -46
- data/dawnscanner.gemspec +6 -1
- data/doc/change.sh +13 -0
- data/doc/knowledge_base.rb +650 -0
- data/lib/dawn/cli/dawn_cli.rb +103 -0
- data/lib/dawn/engine.rb +9 -11
- data/lib/dawn/gemfile_lock.rb +2 -2
- data/lib/dawn/kb/basic_check.rb +1 -0
- data/lib/dawn/kb/combo_check.rb +1 -1
- data/lib/dawn/kb/dependency_check.rb +1 -1
- data/lib/dawn/kb/pattern_match_check.rb +1 -1
- data/lib/dawn/kb/ruby_version_check.rb +11 -10
- data/lib/dawn/kb/{gem_check.rb → rubygem_check.rb} +1 -1
- data/lib/dawn/kb/version_check.rb +25 -25
- data/lib/dawn/knowledge_base.rb +211 -588
- data/lib/dawn/utils.rb +5 -2
- data/lib/dawn/version.rb +5 -5
- data/lib/dawnscanner.rb +4 -3
- metadata +23 -450
- data/lib/dawn/kb/cve_2004_0755.rb +0 -33
- data/lib/dawn/kb/cve_2004_0983.rb +0 -31
- data/lib/dawn/kb/cve_2005_1992.rb +0 -31
- data/lib/dawn/kb/cve_2005_2337.rb +0 -33
- data/lib/dawn/kb/cve_2006_1931.rb +0 -30
- data/lib/dawn/kb/cve_2006_2582.rb +0 -28
- data/lib/dawn/kb/cve_2006_3694.rb +0 -31
- data/lib/dawn/kb/cve_2006_4112.rb +0 -27
- data/lib/dawn/kb/cve_2006_5467.rb +0 -28
- data/lib/dawn/kb/cve_2006_6303.rb +0 -28
- data/lib/dawn/kb/cve_2006_6852.rb +0 -27
- data/lib/dawn/kb/cve_2006_6979.rb +0 -29
- data/lib/dawn/kb/cve_2007_0469.rb +0 -29
- data/lib/dawn/kb/cve_2007_5162.rb +0 -28
- data/lib/dawn/kb/cve_2007_5379.rb +0 -27
- data/lib/dawn/kb/cve_2007_5380.rb +0 -29
- data/lib/dawn/kb/cve_2007_5770.rb +0 -30
- data/lib/dawn/kb/cve_2007_6077.rb +0 -31
- data/lib/dawn/kb/cve_2007_6612.rb +0 -30
- data/lib/dawn/kb/cve_2008_1145.rb +0 -38
- data/lib/dawn/kb/cve_2008_1891.rb +0 -38
- data/lib/dawn/kb/cve_2008_2376.rb +0 -30
- data/lib/dawn/kb/cve_2008_2662.rb +0 -33
- data/lib/dawn/kb/cve_2008_2663.rb +0 -32
- data/lib/dawn/kb/cve_2008_2664.rb +0 -33
- data/lib/dawn/kb/cve_2008_2725.rb +0 -31
- data/lib/dawn/kb/cve_2008_3655.rb +0 -37
- data/lib/dawn/kb/cve_2008_3657.rb +0 -37
- data/lib/dawn/kb/cve_2008_3790.rb +0 -30
- data/lib/dawn/kb/cve_2008_3905.rb +0 -36
- data/lib/dawn/kb/cve_2008_4094.rb +0 -27
- data/lib/dawn/kb/cve_2008_4310.rb +0 -100
- data/lib/dawn/kb/cve_2008_5189.rb +0 -27
- data/lib/dawn/kb/cve_2008_7248.rb +0 -27
- data/lib/dawn/kb/cve_2009_4078.rb +0 -29
- data/lib/dawn/kb/cve_2009_4124.rb +0 -30
- data/lib/dawn/kb/cve_2009_4214.rb +0 -27
- data/lib/dawn/kb/cve_2010_1330.rb +0 -28
- data/lib/dawn/kb/cve_2010_2489.rb +0 -60
- data/lib/dawn/kb/cve_2010_3933.rb +0 -27
- data/lib/dawn/kb/cve_2011_0188.rb +0 -67
- data/lib/dawn/kb/cve_2011_0446.rb +0 -28
- data/lib/dawn/kb/cve_2011_0447.rb +0 -28
- data/lib/dawn/kb/cve_2011_0739.rb +0 -28
- data/lib/dawn/kb/cve_2011_0995.rb +0 -61
- data/lib/dawn/kb/cve_2011_1004.rb +0 -34
- data/lib/dawn/kb/cve_2011_1005.rb +0 -31
- data/lib/dawn/kb/cve_2011_2197.rb +0 -27
- data/lib/dawn/kb/cve_2011_2686.rb +0 -29
- data/lib/dawn/kb/cve_2011_2705.rb +0 -32
- data/lib/dawn/kb/cve_2011_2929.rb +0 -27
- data/lib/dawn/kb/cve_2011_2930.rb +0 -28
- data/lib/dawn/kb/cve_2011_2931.rb +0 -30
- data/lib/dawn/kb/cve_2011_2932.rb +0 -27
- data/lib/dawn/kb/cve_2011_3009.rb +0 -28
- data/lib/dawn/kb/cve_2011_3186.rb +0 -29
- data/lib/dawn/kb/cve_2011_3187.rb +0 -29
- data/lib/dawn/kb/cve_2011_4319.rb +0 -30
- data/lib/dawn/kb/cve_2011_4815.rb +0 -28
- data/lib/dawn/kb/cve_2011_5036.rb +0 -26
- data/lib/dawn/kb/cve_2012_1098.rb +0 -30
- data/lib/dawn/kb/cve_2012_1099.rb +0 -27
- data/lib/dawn/kb/cve_2012_1241.rb +0 -27
- data/lib/dawn/kb/cve_2012_2139.rb +0 -26
- data/lib/dawn/kb/cve_2012_2140.rb +0 -27
- data/lib/dawn/kb/cve_2012_2660.rb +0 -28
- data/lib/dawn/kb/cve_2012_2661.rb +0 -27
- data/lib/dawn/kb/cve_2012_2671.rb +0 -28
- data/lib/dawn/kb/cve_2012_2694.rb +0 -30
- data/lib/dawn/kb/cve_2012_2695.rb +0 -27
- data/lib/dawn/kb/cve_2012_3424.rb +0 -29
- data/lib/dawn/kb/cve_2012_3463.rb +0 -27
- data/lib/dawn/kb/cve_2012_3464.rb +0 -27
- data/lib/dawn/kb/cve_2012_3465.rb +0 -26
- data/lib/dawn/kb/cve_2012_4464.rb +0 -27
- data/lib/dawn/kb/cve_2012_4466.rb +0 -27
- data/lib/dawn/kb/cve_2012_4481.rb +0 -26
- data/lib/dawn/kb/cve_2012_4522.rb +0 -27
- data/lib/dawn/kb/cve_2012_5370.rb +0 -27
- data/lib/dawn/kb/cve_2012_5371.rb +0 -27
- data/lib/dawn/kb/cve_2012_5380.rb +0 -28
- data/lib/dawn/kb/cve_2012_6109.rb +0 -25
- data/lib/dawn/kb/cve_2012_6134.rb +0 -27
- data/lib/dawn/kb/cve_2012_6496.rb +0 -28
- data/lib/dawn/kb/cve_2012_6497.rb +0 -28
- data/lib/dawn/kb/cve_2012_6684.rb +0 -28
- data/lib/dawn/kb/cve_2013_0155.rb +0 -29
- data/lib/dawn/kb/cve_2013_0156.rb +0 -27
- data/lib/dawn/kb/cve_2013_0162.rb +0 -28
- data/lib/dawn/kb/cve_2013_0175.rb +0 -27
- data/lib/dawn/kb/cve_2013_0183.rb +0 -25
- data/lib/dawn/kb/cve_2013_0184.rb +0 -25
- data/lib/dawn/kb/cve_2013_0233.rb +0 -26
- data/lib/dawn/kb/cve_2013_0256.rb +0 -59
- data/lib/dawn/kb/cve_2013_0262.rb +0 -26
- data/lib/dawn/kb/cve_2013_0263.rb +0 -26
- data/lib/dawn/kb/cve_2013_0269.rb +0 -27
- data/lib/dawn/kb/cve_2013_0276.rb +0 -28
- data/lib/dawn/kb/cve_2013_0277.rb +0 -25
- data/lib/dawn/kb/cve_2013_0284.rb +0 -27
- data/lib/dawn/kb/cve_2013_0285.rb +0 -27
- data/lib/dawn/kb/cve_2013_0333.rb +0 -28
- data/lib/dawn/kb/cve_2013_0334.rb +0 -25
- data/lib/dawn/kb/cve_2013_1607.rb +0 -25
- data/lib/dawn/kb/cve_2013_1655.rb +0 -65
- data/lib/dawn/kb/cve_2013_1656.rb +0 -28
- data/lib/dawn/kb/cve_2013_1756.rb +0 -26
- data/lib/dawn/kb/cve_2013_1800.rb +0 -26
- data/lib/dawn/kb/cve_2013_1801.rb +0 -27
- data/lib/dawn/kb/cve_2013_1802.rb +0 -27
- data/lib/dawn/kb/cve_2013_1812.rb +0 -27
- data/lib/dawn/kb/cve_2013_1821.rb +0 -28
- data/lib/dawn/kb/cve_2013_1854.rb +0 -26
- data/lib/dawn/kb/cve_2013_1855.rb +0 -25
- data/lib/dawn/kb/cve_2013_1856.rb +0 -26
- data/lib/dawn/kb/cve_2013_1857.rb +0 -27
- data/lib/dawn/kb/cve_2013_1875.rb +0 -27
- data/lib/dawn/kb/cve_2013_1898.rb +0 -27
- data/lib/dawn/kb/cve_2013_1911.rb +0 -28
- data/lib/dawn/kb/cve_2013_1933.rb +0 -27
- data/lib/dawn/kb/cve_2013_1947.rb +0 -27
- data/lib/dawn/kb/cve_2013_1948.rb +0 -27
- data/lib/dawn/kb/cve_2013_2065.rb +0 -29
- data/lib/dawn/kb/cve_2013_2090.rb +0 -28
- data/lib/dawn/kb/cve_2013_2105.rb +0 -26
- data/lib/dawn/kb/cve_2013_2119.rb +0 -27
- data/lib/dawn/kb/cve_2013_2512.rb +0 -26
- data/lib/dawn/kb/cve_2013_2513.rb +0 -25
- data/lib/dawn/kb/cve_2013_2516.rb +0 -26
- data/lib/dawn/kb/cve_2013_2615.rb +0 -27
- data/lib/dawn/kb/cve_2013_2616.rb +0 -27
- data/lib/dawn/kb/cve_2013_2617.rb +0 -28
- data/lib/dawn/kb/cve_2013_3221.rb +0 -27
- data/lib/dawn/kb/cve_2013_4164.rb +0 -30
- data/lib/dawn/kb/cve_2013_4203.rb +0 -25
- data/lib/dawn/kb/cve_2013_4389.rb +0 -26
- data/lib/dawn/kb/cve_2013_4413.rb +0 -27
- data/lib/dawn/kb/cve_2013_4457.rb +0 -29
- data/lib/dawn/kb/cve_2013_4478.rb +0 -26
- data/lib/dawn/kb/cve_2013_4479.rb +0 -26
- data/lib/dawn/kb/cve_2013_4489.rb +0 -28
- data/lib/dawn/kb/cve_2013_4491.rb +0 -29
- data/lib/dawn/kb/cve_2013_4492.rb +0 -29
- data/lib/dawn/kb/cve_2013_4562.rb +0 -27
- data/lib/dawn/kb/cve_2013_4593.rb +0 -27
- data/lib/dawn/kb/cve_2013_5647.rb +0 -29
- data/lib/dawn/kb/cve_2013_5671.rb +0 -26
- data/lib/dawn/kb/cve_2013_6414.rb +0 -30
- data/lib/dawn/kb/cve_2013_6415.rb +0 -29
- data/lib/dawn/kb/cve_2013_6416.rb +0 -29
- data/lib/dawn/kb/cve_2013_6417.rb +0 -30
- data/lib/dawn/kb/cve_2013_6421.rb +0 -28
- data/lib/dawn/kb/cve_2013_6459.rb +0 -28
- data/lib/dawn/kb/cve_2013_6460.rb +0 -53
- data/lib/dawn/kb/cve_2013_6461.rb +0 -57
- data/lib/dawn/kb/cve_2013_7086.rb +0 -27
- data/lib/dawn/kb/cve_2014_0036.rb +0 -27
- data/lib/dawn/kb/cve_2014_0080.rb +0 -29
- data/lib/dawn/kb/cve_2014_0081.rb +0 -27
- data/lib/dawn/kb/cve_2014_0082.rb +0 -27
- data/lib/dawn/kb/cve_2014_0130.rb +0 -27
- data/lib/dawn/kb/cve_2014_1233.rb +0 -27
- data/lib/dawn/kb/cve_2014_1234.rb +0 -26
- data/lib/dawn/kb/cve_2014_2322.rb +0 -28
- data/lib/dawn/kb/cve_2014_2525.rb +0 -59
- data/lib/dawn/kb/cve_2014_2538.rb +0 -26
- data/lib/dawn/kb/cve_2014_3482.rb +0 -28
- data/lib/dawn/kb/cve_2014_3483.rb +0 -28
- data/lib/dawn/kb/cve_2014_3916.rb +0 -29
- data/lib/dawn/kb/cve_2014_4975.rb +0 -28
- data/lib/dawn/kb/cve_2014_7818.rb +0 -27
- data/lib/dawn/kb/cve_2014_7819.rb +0 -31
- data/lib/dawn/kb/cve_2014_7829.rb +0 -30
- data/lib/dawn/kb/cve_2014_8090.rb +0 -30
- data/lib/dawn/kb/cve_2014_9490.rb +0 -29
- data/lib/dawn/kb/cve_2015_1819.rb +0 -34
- data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_a.rb +0 -28
- data/lib/dawn/kb/cve_2015_1840/cve_2015_1840_b.rb +0 -28
- data/lib/dawn/kb/cve_2015_2963.rb +0 -27
- data/lib/dawn/kb/cve_2015_3224.rb +0 -26
- data/lib/dawn/kb/cve_2015_3225.rb +0 -28
- data/lib/dawn/kb/cve_2015_3226.rb +0 -27
- data/lib/dawn/kb/cve_2015_3227.rb +0 -28
- data/lib/dawn/kb/cve_2015_3448.rb +0 -29
- data/lib/dawn/kb/cve_2015_4020.rb +0 -34
- data/lib/dawn/kb/cve_2015_5312.rb +0 -30
- data/lib/dawn/kb/cve_2015_7497.rb +0 -32
- data/lib/dawn/kb/cve_2015_7498.rb +0 -32
- data/lib/dawn/kb/cve_2015_7499.rb +0 -32
- data/lib/dawn/kb/cve_2015_7500.rb +0 -32
- data/lib/dawn/kb/cve_2015_7519.rb +0 -31
- data/lib/dawn/kb/cve_2015_7541.rb +0 -31
- data/lib/dawn/kb/cve_2015_7576.rb +0 -35
- data/lib/dawn/kb/cve_2015_7577.rb +0 -34
- data/lib/dawn/kb/cve_2015_7578.rb +0 -30
- data/lib/dawn/kb/cve_2015_7579.rb +0 -30
- data/lib/dawn/kb/cve_2015_7581.rb +0 -33
- data/lib/dawn/kb/cve_2015_8241.rb +0 -32
- data/lib/dawn/kb/cve_2015_8242.rb +0 -32
- data/lib/dawn/kb/cve_2015_8317.rb +0 -32
- data/lib/dawn/kb/cve_2016_0751.rb +0 -32
- data/lib/dawn/kb/cve_2016_0752.rb +0 -35
- data/lib/dawn/kb/cve_2016_0753.rb +0 -31
- data/lib/dawn/kb/cve_2016_2097.rb +0 -35
- data/lib/dawn/kb/cve_2016_2098.rb +0 -35
- data/lib/dawn/kb/cve_2016_5697.rb +0 -30
- data/lib/dawn/kb/cve_2016_6316.rb +0 -33
- data/lib/dawn/kb/cve_2016_6317.rb +0 -32
- data/lib/dawn/kb/cve_2016_6582.rb +0 -43
- data/lib/dawn/kb/not_revised_code.rb +0 -22
- data/lib/dawn/kb/osvdb_105971.rb +0 -29
- data/lib/dawn/kb/osvdb_108530.rb +0 -27
- data/lib/dawn/kb/osvdb_108563.rb +0 -28
- data/lib/dawn/kb/osvdb_108569.rb +0 -28
- data/lib/dawn/kb/osvdb_108570.rb +0 -27
- data/lib/dawn/kb/osvdb_115654.rb +0 -33
- data/lib/dawn/kb/osvdb_116010.rb +0 -30
- data/lib/dawn/kb/osvdb_117903.rb +0 -30
- data/lib/dawn/kb/osvdb_118579.rb +0 -31
- data/lib/dawn/kb/osvdb_118830.rb +0 -32
- data/lib/dawn/kb/osvdb_118954.rb +0 -33
- data/lib/dawn/kb/osvdb_119878.rb +0 -32
- data/lib/dawn/kb/osvdb_119927.rb +0 -33
- data/lib/dawn/kb/osvdb_120415.rb +0 -31
- data/lib/dawn/kb/osvdb_120857.rb +0 -34
- data/lib/dawn/kb/osvdb_121701.rb +0 -30
- data/lib/dawn/kb/osvdb_132234.rb +0 -34
- data/lib/dawn/kb/owasp_ror_cheatsheet.rb +0 -33
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_backup_files.rb +0 -18
- data/lib/dawn/kb/owasp_ror_cheatsheet/check_for_safe_redirect_and_forward.rb +0 -57
- data/lib/dawn/kb/owasp_ror_cheatsheet/command_injection.rb +0 -28
- data/lib/dawn/kb/owasp_ror_cheatsheet/csrf.rb +0 -29
- data/lib/dawn/kb/owasp_ror_cheatsheet/mass_assignment_in_model.rb +0 -33
- data/lib/dawn/kb/owasp_ror_cheatsheet/security_related_headers.rb +0 -35
- data/lib/dawn/kb/owasp_ror_cheatsheet/sensitive_files.rb +0 -29
- data/lib/dawn/kb/owasp_ror_cheatsheet/session_stored_in_database.rb +0 -31
- data/lib/dawn/kb/simpleform_xss_20131129.rb +0 -28
- data/lib/dawn/knowledge_base_experimental.rb +0 -245
- data/spec/lib/kb/cve_2011_2705_spec.rb +0 -35
- data/spec/lib/kb/cve_2011_2930_spec.rb +0 -31
- data/spec/lib/kb/cve_2011_3009_spec.rb +0 -25
- data/spec/lib/kb/cve_2011_3187_spec.rb +0 -24
- data/spec/lib/kb/cve_2011_4319_spec.rb +0 -44
- data/spec/lib/kb/cve_2011_5036_spec.rb +0 -95
- data/spec/lib/kb/cve_2012_1098_spec.rb +0 -36
- data/spec/lib/kb/cve_2012_2139_spec.rb +0 -20
- data/spec/lib/kb/cve_2012_2671_spec.rb +0 -23
- data/spec/lib/kb/cve_2012_6109_spec.rb +0 -112
- data/spec/lib/kb/cve_2012_6684_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_0162_spec.rb +0 -23
- data/spec/lib/kb/cve_2013_0183_spec.rb +0 -54
- data/spec/lib/kb/cve_2013_0184_spec.rb +0 -115
- data/spec/lib/kb/cve_2013_0256_spec.rb +0 -34
- data/spec/lib/kb/cve_2013_0262_spec.rb +0 -44
- data/spec/lib/kb/cve_2013_0263_spec.rb +0 -11
- data/spec/lib/kb/cve_2013_0334_spec.rb +0 -35
- data/spec/lib/kb/cve_2013_1607_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_1655_spec.rb +0 -31
- data/spec/lib/kb/cve_2013_1756_spec.rb +0 -23
- data/spec/lib/kb/cve_2013_2090_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2105_spec.rb +0 -11
- data/spec/lib/kb/cve_2013_2119_spec.rb +0 -27
- data/spec/lib/kb/cve_2013_2512_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2513_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_2516_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_4203_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_4413_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_4489_spec.rb +0 -63
- data/spec/lib/kb/cve_2013_4491_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_4593_spec.rb +0 -16
- data/spec/lib/kb/cve_2013_5647_spec.rb +0 -19
- data/spec/lib/kb/cve_2013_5671_spec.rb +0 -27
- data/spec/lib/kb/cve_2013_6414_spec.rb +0 -26
- data/spec/lib/kb/cve_2013_6416_spec.rb +0 -31
- data/spec/lib/kb/cve_2013_6459_spec.rb +0 -15
- data/spec/lib/kb/cve_2013_7086_spec.rb +0 -22
- data/spec/lib/kb/cve_2014_0036_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_0080_spec.rb +0 -33
- data/spec/lib/kb/cve_2014_0081_spec.rb +0 -50
- data/spec/lib/kb/cve_2014_0082_spec.rb +0 -52
- data/spec/lib/kb/cve_2014_0130_spec.rb +0 -19
- data/spec/lib/kb/cve_2014_1233_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_1234_spec.rb +0 -16
- data/spec/lib/kb/cve_2014_2322_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_2538_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_3482_spec.rb +0 -15
- data/spec/lib/kb/cve_2014_3483_spec.rb +0 -27
- data/spec/lib/kb/cve_2014_7818_spec.rb +0 -42
- data/spec/lib/kb/cve_2014_7819_spec.rb +0 -139
- data/spec/lib/kb/cve_2014_7829_spec.rb +0 -50
- data/spec/lib/kb/cve_2014_9490_spec.rb +0 -17
- data/spec/lib/kb/cve_2015_1819_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_1840_spec.rb +0 -39
- data/spec/lib/kb/cve_2015_2963_spec.rb +0 -17
- data/spec/lib/kb/cve_2015_3224_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_3225_spec.rb +0 -27
- data/spec/lib/kb/cve_2015_3226_spec.rb +0 -35
- data/spec/lib/kb/cve_2015_3227_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_3448_spec.rb +0 -16
- data/spec/lib/kb/cve_2015_4020_spec.rb +0 -24
- data/spec/lib/kb/cve_2015_5312_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7497_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7498_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7499_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7500_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_7519_spec.rb +0 -23
- data/spec/lib/kb/cve_2015_7541_spec.rb +0 -15
- data/spec/lib/kb/cve_2015_7576_spec.rb +0 -51
- data/spec/lib/kb/cve_2015_7577_spec.rb +0 -63
- data/spec/lib/kb/cve_2015_7578_spec.rb +0 -15
- data/spec/lib/kb/cve_2015_7579_spec.rb +0 -23
- data/spec/lib/kb/cve_2015_7581_spec.rb +0 -51
- data/spec/lib/kb/cve_2015_8241_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_8242_spec.rb +0 -31
- data/spec/lib/kb/cve_2015_8317_spec.rb +0 -31
- data/spec/lib/kb/cve_2016_0751_spec.rb +0 -55
- data/spec/lib/kb/cve_2016_0752_spec.rb +0 -51
- data/spec/lib/kb/cve_2016_0753_spec.rb +0 -51
- data/spec/lib/kb/cve_2016_2097_spec.rb +0 -35
- data/spec/lib/kb/cve_2016_2098_spec.rb +0 -59
- data/spec/lib/kb/cve_2016_5697_spec.rb +0 -15
- data/spec/lib/kb/cve_2016_6316_spec.rb +0 -44
- data/spec/lib/kb/cve_2016_6317_spec.rb +0 -35
- data/spec/lib/kb/cve_2016_6582_spec.rb +0 -29
- data/spec/lib/kb/osvdb_105971_spec.rb +0 -15
- data/spec/lib/kb/osvdb_108530_spec.rb +0 -22
- data/spec/lib/kb/osvdb_108563_spec.rb +0 -18
- data/spec/lib/kb/osvdb_108569_spec.rb +0 -17
- data/spec/lib/kb/osvdb_108570_spec.rb +0 -17
- data/spec/lib/kb/osvdb_115654_spec.rb +0 -15
- data/spec/lib/kb/osvdb_116010_spec.rb +0 -15
- data/spec/lib/kb/osvdb_117903_spec.rb +0 -23
- data/spec/lib/kb/osvdb_118579_spec.rb +0 -8
- data/spec/lib/kb/osvdb_118830_spec.rb +0 -16
- data/spec/lib/kb/osvdb_118954_spec.rb +0 -20
- data/spec/lib/kb/osvdb_119878_spec.rb +0 -92
- data/spec/lib/kb/osvdb_119927_spec.rb +0 -16
- data/spec/lib/kb/osvdb_120415_spec.rb +0 -16
- data/spec/lib/kb/osvdb_120857_spec.rb +0 -32
- data/spec/lib/kb/osvdb_121701_spec.rb +0 -15
- data/spec/lib/kb/osvdb_132234_spec.rb +0 -15
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-06
|
4
|
-
class CVE_2012_2695
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2012-2695",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
13
|
-
:release_date => Date.new(2012, 6, 22),
|
14
|
-
:cwe=>"",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:applies=>["rails"],
|
17
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
-
:message=>message,
|
19
|
-
:mitigation=>"Please upgrade rails version at least to 3.2.6, 3.1.6 or 3.0.14. As a general rule, using the latest stable rails version is recommended.",
|
20
|
-
:aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/l4L0TEVAz1k/discussion"]
|
21
|
-
})
|
22
|
-
|
23
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['3.0.14', '3.2.6', '3.1.6']}]
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,29 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-07-12
|
4
|
-
class CVE_2012_3424
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2012-3424",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
13
|
-
:release_date => Date.new(2012, 8, 8),
|
14
|
-
:cwe=>"287",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:applies=>["rails"],
|
17
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
-
:message=>message,
|
19
|
-
:mitigation=>"Please upgrade rails version at least to 3.0.16, 3.1.7 or 3.2.7. As a general rule, using the latest stable rails version is recommended.",
|
20
|
-
:aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/244d32f2fa25147d?hl=en&dmode=source&output=gplain"]
|
21
|
-
})
|
22
|
-
|
23
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['3.0.16', '3.1.7', '3.2.7']}]
|
24
|
-
|
25
|
-
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
29
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-30
|
4
|
-
class CVE_2012_3463
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message="Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the prompt field to the select_tag helper."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-3463",
|
11
|
-
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2012, 8, 10),
|
13
|
-
:cwe=>"79",
|
14
|
-
:owasp=>"A3",
|
15
|
-
:applies=>["rails"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade rails version at least to 3.0.17, 3.1.8 or 3.2.8. As a general rule, using the latest stable rails version is recommended.",
|
19
|
-
:aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/961e18e514527078?dmode=source&output=gplain"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['3.0.17', '3.1.8', '3.2.8']}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-30
|
4
|
-
class CVE_2012_3464
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might allow remote attackers to inject arbitrary web script or HTML via vectors involving a ' (quote) character."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-3464",
|
11
|
-
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2012, 8, 10),
|
13
|
-
:cwe=>"79",
|
14
|
-
:owasp=>"A3",
|
15
|
-
:applies=>["rails"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade rails version at least to 3.0.17, 3.1.8 or 3.2.8. As a general rule, using the latest stable rails version is recommended.",
|
19
|
-
:aux_links=>["https://groups.google.com/group/rubyonrails-security/msg/8f1bbe1cef8c6caf?dmode=source&output=gplain"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['3.0.17', '3.1.8', '3.2.8']}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,26 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-13
|
4
|
-
class CVE_2012_3465
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via malformed HTML markup."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-3465",
|
11
|
-
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2012, 8, 10),
|
13
|
-
:cwe=>"79",
|
14
|
-
:owasp=>"A3",
|
15
|
-
:applies=>["rails"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade rails version at least to 2.3.13, 3.0.10, 3.1.0. As a general rule, using the latest stable rails version is recommended.",
|
19
|
-
:aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/FgVEtBajcTY/discussion"]
|
20
|
-
})
|
21
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['2.3.14', '3.0.17', '3.1.8', '3.2.8']}]
|
22
|
-
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-30
|
4
|
-
class CVE_2012_4464
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "Ruby 1.9.3 before patchlevel 286 and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the (1) exc_to_s or (2) name_err_to_s API function, which marks the string as tainted, a different vulnerability than CVE-2012-4466. NOTE: this issue might exist because of a CVE-2011-1005 regression."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-4464",
|
11
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2013, 4, 25),
|
13
|
-
:cwe=>"264",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade ruby interpreter to 1.9.3-p286 or 2.0.0-p195 or latest version available",
|
19
|
-
:aux_links=>["http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-30
|
4
|
-
class CVE_2012_4466
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message="Ruby 1.8.7 before patchlevel 371, 1.9.3 before patchlevel 286, and 2.0 before revision r37068 allows context-dependent attackers to bypass safe-level restrictions and modify untainted strings via the name_err_mesg_to_str API function, which marks the string as tainted, a different vulnerability than CVE-2011-1005."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-4466",
|
11
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2013, 4, 25),
|
13
|
-
:cwe=>"264",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade ruby interpreter to 1.8.7-p371, 1.9.3-p286 or 2.0.0-p195 or latest version available",
|
19
|
-
:aux_links=>["http://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p371"}, {:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,26 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-31
|
4
|
-
class CVE_2012_4481
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message="The safe-level feature in Ruby 1.8.7 allows context-dependent attackers to modify strings via the NameError#to_s method when operating on Ruby objects. NOTE: this issue is due to an incomplete fix for CVE-2011-1005."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-4481",
|
11
|
-
:cvss=>"AV:N/AC:M/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2013, 5, 2),
|
13
|
-
:cwe=>"264",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade ruby interpreter to 1.9.3 or 2.0.0 or latest version available",
|
19
|
-
:aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=863484"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.8.7", :patchlevel=>"p9999"}]
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-07-15
|
4
|
-
class CVE_2012_4522
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "The rb_get_path_check function in file.c in Ruby 1.9.3 before patchlevel 286 and Ruby 2.0.0 before r37163 allows context-dependent attackers to create files in unexpected locations or with unexpected names via a NUL byte in a file path."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-4522",
|
11
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:P/A:N",
|
12
|
-
:release_date => Date.new(2012, 11, 24),
|
13
|
-
:cwe=>"264",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Upgrade ruby interpreter to latest 1.9.3 patchset or even better use ruby 2.x",
|
19
|
-
:aux_links=>["http://www.ruby-lang.org/en/news/2012/10/12/poisoned-NUL-byte-vulnerability/"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p286"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p0"}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-30
|
4
|
-
class CVE_2012_5370
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message="JRuby computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4838."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-5370",
|
11
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
12
|
-
:release_date => Date.new(2012, 11, 28),
|
13
|
-
:cwe=>"310",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"At the moment we're writing this (May 2013) there is no mitigation against this vulnerability. You must consider changing your hashing algorithm",
|
19
|
-
:aux_links=>["https://bugzilla.redhat.com/show_bug.cgi?id=880671"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"jruby", :version=>"999.999.999", :patchlevel=>"p999"}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-30
|
4
|
-
class CVE_2012_5371
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message="Ruby (aka CRuby) 1.9 before 1.9.3-p327 and 2.0 before r37575 computes hash values without properly restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table, as demonstrated by a universal multicollision attack against a variant of the MurmurHash2 algorithm, a different vulnerability than CVE-2011-4815."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-5371",
|
11
|
-
:cvss=>"AV:N/AC:L/Au:N/C:N/I:N/A:P",
|
12
|
-
:release_date => Date.new(2012, 11, 28),
|
13
|
-
:cwe=>"310",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade ruby interpreter to 1.9.3-p327 or 2.0.0-p195 or latest version available",
|
19
|
-
:aux_links=>["http://www.ruby-lang.org/en/news/2012/11/09/ruby19-hashdos-cve-2012-5371/"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p327"}, {:engine=>"ruby", :version=>"2.0.0", :patchlevel=>"p195"}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,28 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-07-15
|
4
|
-
class CVE_2012_5380
|
5
|
-
include RubyVersionCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "** DISPUTED ** Untrusted search path vulnerability in the installation functionality in Ruby 1.9.3-p194, when installed in the top-level C:\ directory, might allow local users to gain privileges via a Trojan horse DLL in the C:\Ruby193\bin directory, which may be added to the PATH system environment variable by an administrator, as demonstrated by a Trojan horse wlbsctrl.dll file used by the \"IKE and AuthIP IPsec Keying Modules\" system service in Windows Vista SP1, Windows Server 2008 SP2, Windows 7 SP1, and Windows 8 Release Preview. NOTE: CVE disputes this issue because the unsafe PATH is established only by a separate administrative action that is not a default part of the Ruby installation."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-5380",
|
11
|
-
:cvss=>"AV:L/AC:H/Au:S/C:C/I:C/A:C",
|
12
|
-
:release_date => Date.new(2012, 10, 11),
|
13
|
-
:cwe=>"426",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::RUBY_VERSION_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Upgrade ruby to the latest 1.9.3 patch or even better use ruby 2.x",
|
19
|
-
:aux_links=>["https://www.htbridge.com/advisory/HTB23108"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_rubies = [{:engine=>"ruby", :version=>"1.9.3", :patchlevel=>"p195"}]
|
23
|
-
|
24
|
-
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
@@ -1,25 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2014-02-06
|
4
|
-
class CVE_2012_6109
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-6109",
|
11
|
-
:cvss=>"AV:N/AC:M/Au:N/C:N/I:N/A:P",
|
12
|
-
:release_date => Date.new(2013, 3, 1),
|
13
|
-
:cwe=>"",
|
14
|
-
:owasp=>"A9",
|
15
|
-
:applies=>["rails", "sinatra", "padrino"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"Please upgrade rack version up to version 1.4.4, 1.3.9, 1.2.7, 1.1.5 or higher.",
|
19
|
-
:aux_links=>["https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ"]
|
20
|
-
})
|
21
|
-
self.safe_dependencies = [{:name=>"rack", :version=>['1.4.2', '1.3.7', '1.2.6', '1.1.4', '1.0.9999', '0.9.9999', '0.4.9999', '0.3.9999', '0.2.9999', '0.1.9999']}]
|
22
|
-
end
|
23
|
-
end
|
24
|
-
end
|
25
|
-
end
|
@@ -1,27 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-31
|
4
|
-
class CVE_2012_6134
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message="Cross-site request forgery (CSRF) vulnerability in the omniauth-oauth2 gem 1.1.1 and earlier for Ruby allows remote attackers to hijack the authentication of users for requests that modify session state."
|
9
|
-
super({
|
10
|
-
:name=>"CVE-2012-6134",
|
11
|
-
:cvss=>"AV:N/AC:M/Au:N/C:P/I:P/A:P",
|
12
|
-
:release_date => Date.new(2013, 4, 9),
|
13
|
-
:cwe=>"352",
|
14
|
-
:owasp=>"A8",
|
15
|
-
:applies=>["rails"],
|
16
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
17
|
-
:message=>message,
|
18
|
-
:mitigation=>"At January 2014 there are no further releases of omniauth-oauth2 gem, however the vulnerability it has been fixed in the git repository. As remediation we suggest to ask your Gemfile to fetch the code directly from git@github.com:intridea/omniauth-oauth2.git",
|
19
|
-
:aux_links=>["https://github.com/intridea/omniauth-oauth2/pull/25"]
|
20
|
-
})
|
21
|
-
|
22
|
-
self.safe_dependencies = [{:name=>"omniauth-oauth2", :version=>['1.1.2']}]
|
23
|
-
|
24
|
-
end
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
@@ -1,28 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-06
|
4
|
-
class CVE_2012_6496
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "SQL injection vulnerability in the Active Record component in Ruby on Rails before 3.0.18, 3.1.x before 3.1.9, and 3.2.x before 3.2.10 allows remote attackers to execute arbitrary SQL commands via a crafted request that leverages incorrect behavior of dynamic finders in applications that can use unexpected data types in certain find_by_ method calls."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2012-6496",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:P/I:P/A:P",
|
13
|
-
:release_date => Date.new(2013, 1, 4),
|
14
|
-
:cwe=>"200",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:applies=>["rails"],
|
17
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
-
:message=>message,
|
19
|
-
:mitigation=>"Please upgrade rails version at least to 3.2.10, 3.1.9 or 3.0.18. As a general rule, using the latest stable rails version is recommended.",
|
20
|
-
:aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"]
|
21
|
-
})
|
22
|
-
|
23
|
-
self.safe_dependencies = [{:name=>"rails", :version=>['3.0.18', '3.2.10', '3.1.9']}]
|
24
|
-
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|
@@ -1,28 +0,0 @@
|
|
1
|
-
module Dawn
|
2
|
-
module Kb
|
3
|
-
# Automatically created with rake on 2013-05-06
|
4
|
-
class CVE_2012_6497
|
5
|
-
include DependencyCheck
|
6
|
-
|
7
|
-
def initialize
|
8
|
-
message = "The Authlogic gem for Ruby on Rails, when used with certain versions before 3.2.10, makes potentially unsafe find_by_id method calls, which might allow remote attackers to conduct CVE-2012-6496 SQL injection attacks via a crafted parameter in environments that have a known secret_token value, as demonstrated by a value contained in secret_token.rb in an open-source product."
|
9
|
-
|
10
|
-
super({
|
11
|
-
:name=>"CVE-2012-6497",
|
12
|
-
:cvss=>"AV:N/AC:L/Au:N/C:P/I:N/A:N",
|
13
|
-
:release_date => Date.new(2013, 1, 4),
|
14
|
-
:cwe=>"200",
|
15
|
-
:owasp=>"A9",
|
16
|
-
:applies=>["rails"],
|
17
|
-
:kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK,
|
18
|
-
:message=>message,
|
19
|
-
:mitigation=>"Please upgrade rails version to the latest stable rails version.",
|
20
|
-
:aux_links=>["https://groups.google.com/d/topic/rubyonrails-security/DCNTNp_qjFM/discussion"]
|
21
|
-
})
|
22
|
-
|
23
|
-
self.safe_dependencies = [{:name=>"authlogic", :version=>['3.2.10']}]
|
24
|
-
|
25
|
-
end
|
26
|
-
end
|
27
|
-
end
|
28
|
-
end
|