mrjoy-bundler-audit 0.1.4

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84513.yml

@@ -0,0 +1,23 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2012-3465
+osvdb: 84513
+url: http://www.osvdb.org/show/osvdb/84513
+title: Ruby on Rails strip_tags Helper Method XSS
+date: 2012-08-09
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because the application does not validate input
+  passed via the 'strip_tags' helper method before returning it to the user.
+  This may allow a user to create a specially crafted request that would
+  execute arbitrary script code in a user's browser within the trust
+  relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-84515.yml

@@ -0,0 +1,26 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2012-3463
+osvdb: 84515
+url: http://osvdb.org/84515
+title: Ruby on Rails select_tag Helper Method prompt Value XSS
+date: 2012-08-09
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because input passed via the prompt value is not
+  properly sanitized by the select_tag helper method before returning it to
+  the user. This may allow a user to create a specially crafted request that
+  would execute arbitrary script code in a user's browser within the trust
+  relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+unaffected_versions:
+  - ~> 2.3.0
+
+patched_versions: 
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-89026.yml

@@ -0,0 +1,24 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-0156
+osvdb: 89026
+url: http://osvdb.org/show/osvdb/89026
+title:
+  Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
+  Remote Code Execution 
+date: 2013-01-08
+
+description: |
+  Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
+  The issue is triggered when a type casting error occurs during the parsing
+  of parameters. This may allow a remote attacker to potentially execute
+  arbitrary code.
+
+cvss_v2: 10.0
+
+patched_versions: 
+  - ~> 2.3.15
+  - ~> 3.0.19
+  - ~> 3.1.10
+  - ">= 3.2.11"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91452.yml

@@ -0,0 +1,20 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-1855
+osvdb: 91452
+url: http://www.osvdb.org/show/osvdb/91452
+title: XSS vulnerability in sanitize_css in Action Pack
+date: 2013-03-19
+
+description: | 
+  There is an XSS vulnerability in the `sanitize_css` method in Action
+  Pack. Carefully crafted text can bypass the sanitization provided in
+  the `sanitize_css` method in Action Pack
+
+cvss_v2: 4.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/actionpack/OSVDB-91454.yml

@@ -0,0 +1,23 @@
+--- 
+gem: actionpack
+framework: rails
+cve: 2013-1857
+osvdb: 91454
+url: http://osvdb.org/show/osvdb/91454
+title: XSS Vulnerability in the `sanitize` helper of Ruby on Rails
+date: 2013-03-19
+
+description: | 
+  The sanitize helper in Ruby on Rails is designed to
+  filter HTML and remove all tags and attributes which could be
+  malicious. The code which ensured that URLs only contain supported
+  protocols contained several bugs which could allow an attacker to
+  embed a tag containing a URL which executes arbitrary javascript
+  code.
+
+cvss_v2: 4.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82403.yml

@@ -0,0 +1,25 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2012-2661
+osvdb: 82403
+url: http://www.osvdb.org/show/osvdb/82403
+title: Ruby on Rails where Method ActiveRecord Class SQL Injection
+date: 2012-05-31
+
+description: |
+  Ruby on Rails (RoR) contains a flaw that may allow an attacker to carry out
+  an SQL injection attack. The issue is due to the ActiveRecord class not
+  properly sanitizing user-supplied input to the 'where' method. This may
+  allow an attacker to inject or manipulate SQL queries in an application
+  built on RoR, allowing for the manipulation or disclosure of arbitrary data.
+
+cvss_v2: 5.0
+
+unaffected_versions:
+  - ~> 2.3.14
+
+patched_versions: 
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-82610.yml

@@ -0,0 +1,24 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2012-2660
+osvdb: 82610
+url: http://www.osvdb.org/show/osvdb/82610
+title:
+  Ruby on Rails ActiveRecord Class Rack Query Parameter Parsing SQL Query
+  Arbitrary IS NULL Clause Injection
+date: 2012-05-31
+
+description: |
+  Ruby on Rails contains a flaw related to the way ActiveRecord handles
+  parameters in conjunction with the way Rack parses query parameters.
+  This issue may allow an attacker to inject arbitrary 'IS NULL' clauses in
+  to application SQL queries. This may also allow an attacker to have the
+  SQL query check for NULL in arbitrary places.
+
+cvss_v2: 7.5
+
+patched_versions: 
+  - ~> 3.0.13
+  - ~> 3.1.5
+  - ">= 3.2.4"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-89025.yml

@@ -0,0 +1,24 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-0155
+osvdb: 89025
+url: http://osvdb.org/show/osvdb/89025
+title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 
+date: 2013-01-08
+
+description: |
+  Ruby on Rails contains a flaw in the Active Record. The issue is due to an
+  error with the way the Active Record handles parameters combined with an
+  error during the parsing of the JSON parameters. This may allow a remote
+  attacker to bypass restrictions abd issue unexpected database queries with
+  "IS NULL" or empty where clauses, and forcing the query to unexpectedly check
+  for NULL or eliminate a WHERE clause.
+
+cvss_v2: 10.0
+
+patched_versions: 
+  - ~> 2.3.16
+  - ~> 3.0.19
+  - ~> 3.1.10
+  - ">= 3.2.11"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90072.yml

@@ -0,0 +1,21 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-0276
+osvdb: 90072
+url: http://direct.osvdb.org/show/osvdb/90072
+title: Ruby on Rails Active Record attr_protected Method Bypass
+date: 2013-02-11
+
+description: |
+  Ruby on Rails contains a flaw in the attr_protected method of the
+  Active Record. The issue is triggered during the handling of a specially
+  crafted request, which may allow a remote attacker to bypass protection
+  mechanisms and alter values that would otherwise be protected.
+
+cvss_v2: 5.0
+
+patched_versions: 
+  - ~> 2.3.17
+  - ~> 3.1.11
+  - ">= 3.2.12"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-90073.yml

@@ -0,0 +1,23 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-0277
+osvdb: 90073
+url: http://direct.osvdb.org/show/osvdb/90073
+title:
+  Ruby on Rails Active Record +serialize+ Helper YAML Attribute Handling Remote
+  Code Execution 
+date: 2013-02-11
+
+description: |
+  Ruby on Rails contains a flaw in the +serialize+ helper in the Active Record.
+  The issue is triggered when the system is configured to allow users to
+  directly provide values to be serialized and deserialized using YAML.
+  With a specially crafted YAML attribute, a remote attacker can deserialize
+  arbitrary YAML and execute code associated with it.
+
+cvss_v2: 10.0
+
+patched_versions: 
+  - ~> 2.3.17
+  - ">= 3.1.0"

data/data/ruby-advisory-db/gems/activerecord/OSVDB-91453.yml

@@ -0,0 +1,26 @@
+--- 
+gem: activerecord
+framework: rails
+cve: 2013-1854
+osvdb: 91453
+url: http://osvdb.org/show/osvdb/91453
+title: Symbol DoS vulnerability in Active Record
+date: 2013-03-19
+
+description: | 
+  When a hash is provided as the find value for a query, the keys of
+  the hash may be converted to symbols. Carefully crafted requests can
+  coerce `params[:name]` to return a hash, and the keys to that hash
+  may be converted to symbols. Ruby symbols are not garbage collected,
+  so an attacker can initiate a denial of service attack by creating a
+  large number of symbols.
+
+cvss_v2: 7.8
+
+unaffected_versions:
+  - ~> 3.0.0
+
+patched_versions: 
+  - ~> 2.3.18
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-79726.yml

@@ -0,0 +1,26 @@
+--- 
+gem: activesupport
+framework: rails
+cve: 2012-1098
+osvdb: 79726
+url: http://osvdb.org/79726
+title: Ruby on Rails SafeBuffer Object [] Direct Manipulation XSS
+date: 2012-03-01
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because athe application does not validate direct
+  manipulations of SafeBuffer objects via '[]' and other methods. This may
+  allow a user to create a specially crafted request that would execute
+  arbitrary script code in a user's browser within the trust relationship
+  between their browser and the server.
+
+cvss_v2: 4.3
+
+unaffected_versions:
+  - "< 3.0.0"
+
+patched_versions: 
+  - ~> 3.0.12
+  - ~> 3.1.4
+  - ">= 3.2.2"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-84516.yml

@@ -0,0 +1,23 @@
+--- 
+gem: activesupport
+framework: rails
+cve: 2012-3464
+osvdb: 84516
+url: http://www.osvdb.org/show/osvdb/84516
+title: Ruby on Rails HTML Escaping Code XSS
+date: 2012-08-09
+
+description: |
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
+  attack. This flaw exists because the HTML escaping code functionality does
+  not properly escape a single quote character. This may allow a user to create
+  a specially crafted request that would execute arbitrary script code in a
+  user's browser within the trust relationship between their browser and the
+  server.
+
+cvss_v2: 4.3
+
+patched_versions: 
+  - ~> 3.0.17
+  - ~> 3.1.8
+  - ">= 3.2.8"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-89594.yml

@@ -0,0 +1,25 @@
+--- 
+gem: activesupport
+framework: rails
+cve: 2013-0333
+osvdb: 89594
+url: http://osvdb.org/show/osvdb/89594
+title:
+  Ruby on Rails JSON Parser Crafted Payload YAML Subset Decoding Remote Code
+  Execution 
+date: 2013-01-28
+
+description: |
+  Ruby on Rails contains a flaw in the JSON parser. Rails supports multiple
+  parsing backends, one of which involves transforming JSON into YAML via the
+  YAML parser. With a specially crafted payload, an attacker can subvert the
+  backend into decoding a subset of YAML. This may allow a remote attacker to
+  bypass restrictions, allowing them to bypass authentication systems, inject
+  arbitrary SQL, inject and execute arbitrary code, or perform a DoS attack on
+  a Rails application.
+
+cvss_v2: 9.3
+
+patched_versions: 
+  - ~> 2.3.16
+  - ">= 3.0.20"

data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml

@@ -0,0 +1,28 @@
+--- 
+gem: activesupport
+framework: rails
+platform: jruby
+cve: 2013-1856
+osvdb: 91451
+url: http://www.osvdb.org/show/osvdb/91451
+title: XML Parsing Vulnerability affecting JRuby users
+date: 2013-03-19
+
+description: | 
+ The ActiveSupport XML parsing functionality supports multiple
+ pluggable backends. One backend supported for JRuby users is
+ ActiveSupport::XmlMini_JDOM which makes use of the
+ javax.xml.parsers.DocumentBuilder class. In some JVM configurations
+ the default settings of that class can allow an attacker to construct
+ XML which, when parsed, will contain the contents of arbitrary URLs
+ including files from the application server. They may also allow for
+ various denial of service attacks. Action Pack
+
+cvss_v2: 7.8
+
+unaffected_versions:
+  - ~> 2.3.0
+
+patched_versions:   
+  - ~> 3.1.12
+  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml

@@ -0,0 +1,10 @@
+--- 
+gem: command_wrap
+cve: 2013-1875
+osvdb: 91450
+url: http://osvdb.org/show/osvdb/91450
+title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-18
+description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
+cvss_v2: 7.5
+patched_versions: 

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml

@@ -0,0 +1,17 @@
+---
+gem: crack
+cve: 2013-1800
+osvdb: 90742
+url: http://osvdb.org/show/osvdb/90742
+title: crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+description: |
+  crack Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+date: 2013-01-09
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 0.3.2"
+

data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml

@@ -0,0 +1,11 @@
+--- 
+gem: cremefraiche
+cve: 2013-2090
+osvdb: 93395
+url: http://osvdb.org/show/osvdb/93395
+title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-05-14
+description: Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 
+patched_versions: 
+  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml

@@ -0,0 +1,12 @@
+---
+gem: curl
+cve: 2013-1878
+osvdb: 91230
+url: http://osvdb.org/show/osvdb/91230
+title: Curl Gem for Ruby URI Handling Arbitrary Command Injection 
+date: 2013-03-12
+
+description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
+
+cvss_v2: 9.3
+