mrjoy-bundler-audit 0.1.4

data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml

@@ -0,0 +1,20 @@
+---
+gem: devise
+cve: 2013-0233
+osvdb: 89642
+url: http://osvdb.org/show/osvdb/89642
+title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
+date: 2013-01-28
+
+description: |
+  Devise contains a flaw that is triggered during when a type conversion error
+  occurs during the parsing of a malformed request. With a specially crafted
+  request, a remote attacker can bypass security restrictions.
+
+cvss_v2: 10.0
+
+patched_versions:
+  - ~> 1.5.4
+  - ~> 2.0.5
+  - ~> 2.1.3
+  - ">= 2.2.3"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml

@@ -0,0 +1,19 @@
+--- 
+gem: dragonfly
+cve: 2013-1756
+osvdb: 90647
+url: http://www.osvdb.com/show/osvdb/90647
+title: Dragonfly Gem Remote Code Execution
+date: 2013-02-19
+
+description: |
+  The Dragonfly gem contains a flaw that allows an attacker to run arbitrary code
+  on a host machine using carefully crafted requests.
+
+cvss_v2: 
+
+patched_versions: 
+  - ">= 0.9.13"
+
+unaffected_versions:
+  - "< 0.7.0"

data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml

@@ -0,0 +1,9 @@
+--- 
+gem: enum_column3
+osvdb: 94679
+url: http://osvdb.org/show/osvdb/94679
+title: enum_column3 Gem for Ruby Symbol Creation Remote DoS 
+date: 2013-06-26
+description: The enum_column3 Gem for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml

@@ -0,0 +1,18 @@
+---
+gem: extlib
+cve: 2013-1802
+osvdb: 90740
+url: http://osvdb.org/show/osvdb/90740
+title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+date: 2013-01-08
+
+description: |
+  extlib Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 0.9.16"
+

data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml

@@ -0,0 +1,12 @@
+---
+gem: fastreader
+cve: 2013-1876
+osvdb: 91232
+url: http://osvdb.org/show/osvdb/91232
+title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection 
+date: 2013-03-13
+
+description: fastreader Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+
+cvss_v2: 9.3
+

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml

@@ -0,0 +1,10 @@
+--- 
+gem: fileutils
+cve: 
+osvdb: 90715
+url: http://osvdb.org/show/osvdb/90715
+title: fileutils Gem for Ruby files_utils.rb /tmp File Symlink Arbitrary File Overwrite
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against temporary files created by files_utils.rb to cause the program to unexpectedly overwrite an arbitrary file.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml

@@ -0,0 +1,10 @@
+--- 
+gem: fileutils
+cve: 
+osvdb: 90716
+url: http://osvdb.org/show/osvdb/90716
+title: fileutils Gem for Ruby Temporary Directory Hijacking Weakness
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw that is due to the program not verifying the existence of a directory before attempting to create it. This may allow a local attacker to create the directory in advance, thus owning any files subsequently written to it.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml

@@ -0,0 +1,10 @@
+--- 
+gem: fileutils
+cve: 2013-2516
+osvdb: 90717
+url: http://osvdb.org/show/osvdb/90717
+title: fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command Execution
+date: 2013-02-28
+description: fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is triggered when handling a specially crafted URL containing a command after a delimiter (;). This may allow a remote attacker to potentially execute arbitrary commands.
+cvss_v2: 
+patched_versions: 

data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml

@@ -0,0 +1,9 @@
+--- 
+gem: flash_tool
+cve: 2013-2513
+osvdb: 90829
+url: http://osvdb.org/show/osvdb/90829
+title: flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution
+date: 2013-03-04
+description: flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
+cvss_v2: 

data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml

@@ -0,0 +1,18 @@
+--- 
+gem: ftpd
+cve: 2013-2512
+osvdb: 90784
+url: http://osvdb.org/show/osvdb/90784
+title: ftpd Gem for Ruby Shell Character Handling Remote Command Injection
+date: 2013-02-28
+
+description: | 
+  ftpd Gem for Ruby contains a flaw that is triggered when handling a
+  specially crafted option or filename that contains a shell
+  character. This may allow a remote attacker to inject arbitrary
+  commands.
+
+cvss_v2: 9.0
+
+patched_versions: 
+  - ">= 0.2.2"

data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml

@@ -0,0 +1,20 @@
+---
+gem: gtk2
+cve: 2007-6183
+osvdb: 40774
+url: http://osvdb.org/show/osvdb/40774
+title:
+  Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
+  Format String 
+date: 2007-11-27
+
+description: |
+  Format string vulnerability in the mdiag_initialize function in
+  gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
+  SVN versions before 20071127, allows context-dependent attackers to execute
+  arbitrary code via format string specifiers in the message parameter.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - "> 0.16.0"

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml

@@ -0,0 +1,19 @@
+---
+gem: httparty
+cve: 2013-1802
+osvdb: 90741
+url: http://osvdb.org/show/osvdb/90741
+title:
+  httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution 
+date: 2013-01-14
+
+description: |
+  httparty Gem for Ruby contains a flaw that is triggered when a type casting
+  error occurs during the parsing of parameters. This may allow a
+  context-dependent attacker to potentially execute arbitrary code.
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 0.10.0"
+

data/data/ruby-advisory-db/gems/json/OSVDB-90074.yml

@@ -0,0 +1,23 @@
+--- 
+gem: json
+cve: 2013-0269
+osvdb: 90074
+url: http://direct.osvdb.org/show/osvdb/90074
+title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
+date: 2013-02-11
+
+description: |
+  Ruby on Rails contains a flaw that may allow a remote denial of service.
+  The issue is due to the JSON gem being tricked in to generating Ruby symbols
+  during the parsing of certain JSON documents. Since Ruby symbols are not
+  garbage collected, a remote attacker can crash a users system. This also may
+  allow the attacker to create arbitrary objects that may be used to bypass
+  certain security mechanisms and potentially allow SQL injection attacks to
+  be conducted.
+
+cvss_v2: 9.0
+
+patched_versions: 
+  - ~> 1.5.5
+  - ~> 1.6.8
+  - ">= 1.7.7"

data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml

@@ -0,0 +1,10 @@
+--- 
+gem: karteek-docsplit
+cve: 2013-1933
+osvdb: 92117
+url: http://osvdb.org/show/osvdb/92117
+title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-08
+description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 9.3
+patched_versions: 

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml

@@ -0,0 +1,10 @@
+--- 
+gem: kelredd-pruview
+cve: 2013-1947
+osvdb: 92228
+url: http://osvdb.org/show/osvdb/92228
+title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-04
+description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+cvss_v2: 9.3
+patched_versions: 

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml

@@ -0,0 +1,10 @@
+--- 
+gem: ldoce
+cve: 2013-1911
+osvdb: 91870
+url: http://osvdb.org/show/osvdb/91870
+title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-01
+description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
+cvss_v2: 6.8
+patched_versions: 

data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml

@@ -0,0 +1,21 @@
+---
+gem: loofah
+osvdb: 90945
+url: http://www.osvdb.org/show/osvdb/90945
+title: Loofah HTML and XSS injection vulnerability
+date: 2012-09-08
+
+description: |
+  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
+  scripting (XSS) attack. This flaw exists because the
+  Loofah::HTML::Document\#text function passes properly sanitized
+  user-supplied input to the Loofah::XssFoliate and
+  Loofah::Helpers\#strip_tags functions which convert input back to
+  text. This may allow an attacker to create a specially crafted
+  request that would execute arbitrary script code in a user's browser
+  within the trust relationship between their browser and the server.
+
+cvss_v2: 5.0
+
+patched_versions:
+  - ">=  0.4.6"

data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml

@@ -0,0 +1,21 @@
+--- 
+gem: mail
+cve: 2011-0739
+osvdb: 70667
+url: http://www.osvdb.org/show/osvdb/70667
+title: >
+  Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
+  Address Arbitrary Shell Command Injection 
+date: 2011-01-25
+
+description: |
+  Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
+  input passed from an email from address in the 'deliver()' function in
+  'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
+  command line argument. This may allow a remote attacker to inject arbitrary
+  shell commands.
+
+cvss_v2: 6.8
+
+patched_versions: 
+  - ">= 2.2.15"

data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml

@@ -0,0 +1,14 @@
+--- 
+gem: mail
+cve: 2012-2139
+osvdb: 81631
+url: http://www.osvdb.org/show/osvdb/81631
+title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
+date: 2012-03-14
+
+description: |
+  Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
+
+cvss_v2: 5.0
+patched_versions: 
+- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml

@@ -0,0 +1,16 @@
+--- 
+gem: mail
+cve: 2012-2140
+osvdb: 81632
+url: http://www.osvdb.org/show/osvdb/81632
+title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
+date: 2012-03-14
+
+description: |
+  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim
+  delivery methods, which may allow an attacker to execute arbitrary shell
+  commands..
+
+cvss_v2: 7.5
+patched_versions: 
+- ">= 2.4.4"

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml

@@ -0,0 +1,10 @@
+--- 
+gem: md2pdf
+cve: 2013-1948
+osvdb: 92290
+url: http://osvdb.org/show/osvdb/92290
+title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
+date: 2013-04-13
+description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
+cvss_v2: 10.0
+patched_versions: 

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml

@@ -0,0 +1,15 @@
+---
+gem: mini_magick
+cve: 2013-2616
+osvdb: 91231
+url: http://osvdb.org/show/osvdb/91231
+title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
+date: 2013-03-12
+
+description: MiniMagick Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input from an untrusted source passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
+
+cvss_v2: 9.3
+
+patched_versions:
+  - ">= 3.6.0"
+

data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml

@@ -0,0 +1,16 @@
+---
+gem: multi_xml
+cve: 2013-0175
+osvdb: 89148
+url: http://osvdb.org/show/osvdb/89148
+title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution 
+date: 2013-01-11
+
+description: |
+  The multi_xml Gem for Ruby contains a flaw that is triggered when an error
+  occurs during the parsing of the 'XML' parameter. With a crafted request
+  containing arbitrary symbol and yaml types, a remote attacker can execute
+  arbitrary commands.
+
+patched_versions:
+  - ">= 0.5.2"

data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml

@@ -0,0 +1,17 @@
+---
+gem: newrelic_rpm
+cve: 2013-0284
+osvdb: 90189
+url: http://osvdb.org/show/osvdb/90189
+title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
+date: 2012-12-06
+
+description: |
+  A bug in the Ruby agent causes database connection information and raw SQL
+  statements to be transmitted to New Relic servers. The database connection
+  information includes the database IP address, username, and password
+
+cvss_v2: 5.0
+
+patched_versions: 
+  - ">= 3.5.3.25"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml

@@ -0,0 +1,19 @@
+---
+gem: nori
+cve: 2013-0285
+osvdb: 90196
+url: http://osvdb.org/show/osvdb/90196
+title: Ruby Gem nori Parameter Parsing Remote Code Execution
+date: 2013-01-10
+
+description: |
+  The Ruby Gem nori has a parameter parsing error that may allow an attacker
+  to execute arbitrary code. This vulnerability has to do with type casting
+  during parsing, and is related to CVE-2013-0156.
+
+cvss_v2: 10.0
+
+patched_versions:
+  - ~> 1.0.3
+  - ~> 1.1.4
+  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml

@@ -0,0 +1,16 @@
+---
+gem: omniauth-oauth2
+cve: 2012-6134
+osvdb: 90264
+url: http://www.osvdb.org/show/osvdb/90264
+title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
+date: 2012-09-08
+
+description: |
+  The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
+  inject values into a user's session through a CSRF attack.
+
+cvss_v2: 6.8
+
+patched_versions:
+  - ">= 1.1.1"