RubyGems - mrjoy-bundler-audit - Versions diffs - 0.3.3 → 0.3.4 - Mend

mrjoy-bundler-audit 0.3.3 → 0.3.4

Files changed (121) hide show

data/data/ruby-advisory-db/gems/activesupport/OSVDB-91451.yml DELETED Viewed

@@ -1,28 +0,0 @@
----
-gem: activesupport
-framework: rails
-platform: jruby
-cve: 2013-1856
-osvdb: 91451
-url: http://www.osvdb.org/show/osvdb/91451
-title: XML Parsing Vulnerability affecting JRuby users
-date: 2013-03-19
-description: |
- The ActiveSupport XML parsing functionality supports multiple
- pluggable backends. One backend supported for JRuby users is
- ActiveSupport::XmlMini_JDOM which makes use of the
- javax.xml.parsers.DocumentBuilder class. In some JVM configurations
- the default settings of that class can allow an attacker to construct
- XML which, when parsed, will contain the contents of arbitrary URLs
- including files from the application server. They may also allow for
- various denial of service attacks. Action Pack
-cvss_v2: 7.8
-unaffected_versions:
-  - ~> 2.3.0
-patched_versions:
-  - ~> 3.1.12
-  - ">= 3.2.13"

data/data/ruby-advisory-db/gems/arabic-prawn/OSVDB-104365.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: Arabic-Prawn
-osvdb: 104365
-url: http://osvdb.org/show/osvdb/104365
-title: Arabic-Prawn Gem for Ruby contains a flaw
-date: 2014-03-10
-description: |
-  Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb
-  file. The issue is due to the program failing to sanitize user input. This may
-  allow a remote attacker to inject arbitrary commands.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/cocaine/OSVDB-98835.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: cocaine
-cve: 2013-4457
-osvdb: 98835
-url: http://www.osvdb.org/show/osvdb/98835
-title: Cocaine Gem for Ruby contains a flaw
-date: 2013-10-22
-description: Cocaine Gem for Ruby contains a flaw that is due to the method
-  of variable interpolation used by the program. With a specially crafted
-  object, a context-dependent attacker can execute arbitrary commands.
-cvss_v2: 6.8
-unaffected_versions:
-  - < 0.4.0
-patched_versions:
-  - '>= 0.5.3'

data/data/ruby-advisory-db/gems/command_wrap/OSVDB-91450.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: command_wrap
-cve: 2013-1875
-osvdb: 91450
-url: http://osvdb.org/show/osvdb/91450
-title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-18
-description: command_wrap Gem for Ruby contains a flaw that is triggered during the handling of input passed via the URL that contains a semicolon character (;). This will allow a remote attacker to inject arbitrary commands and have them executed in the context of the user clicking it.
-cvss_v2: 7.5
-patched_versions:

data/data/ruby-advisory-db/gems/crack/OSVDB-90742.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: crack
-cve: 2013-1800
-osvdb: 90742
-url: http://osvdb.org/show/osvdb/90742
-title: crack Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-description: |
-  crack Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-date: 2013-01-09
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.3.2"

data/data/ruby-advisory-db/gems/cremefraiche/OSVDB-93395.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: cremefraiche
-cve: 2013-2090
-osvdb: 93395
-url: http://osvdb.org/show/osvdb/93395
-title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-05-14
-description: Creme Fraiche Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input in file names. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2:
-patched_versions:
-  - ">= 0.6.1"

data/data/ruby-advisory-db/gems/curl/OSVDB-91230.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: curl
-cve: 2013-1878
-osvdb: 91230
-url: http://osvdb.org/show/osvdb/91230
-title: Curl Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-12
-description: Curl Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via the URL.  This may allow a context-dependent attacker to potentially execute arbitrary commands by injecting them via a semi-colon (;).
-cvss_v2: 7.5

data/data/ruby-advisory-db/gems/devise/OSVDB-89642.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: devise
-cve: 2013-0233
-osvdb: 89642
-url: http://osvdb.org/show/osvdb/89642
-title: Devise Database Type Conversion Crafted Request Parsing Security Bypass
-date: 2013-01-28
-description: |
-  Devise contains a flaw that is triggered during when a type conversion error
-  occurs during the parsing of a malformed request. With a specially crafted
-  request, a remote attacker can bypass security restrictions.
-cvss_v2: 10.0
-patched_versions:
-  - ~> 1.5.4
-  - ~> 2.0.5
-  - ~> 2.1.3
-  - ">= 2.2.3"

data/data/ruby-advisory-db/gems/dragonfly/OSVDB-90647.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: dragonfly
-cve: 2013-1756
-osvdb: 90647
-url: http://www.osvdb.com/show/osvdb/90647
-title: Dragonfly Gem Remote Code Execution
-date: 2013-02-19
-description: |
-  The Dragonfly gem contains a flaw that allows an attacker to run arbitrary code
-  on a host machine using carefully crafted requests.
-cvss_v2:
-patched_versions:
-  - ">= 0.9.13"
-unaffected_versions:
-  - "< 0.7.0"

data/data/ruby-advisory-db/gems/echor/OSVDB-102129.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: echor
-osvdb: 102129
-url: http://osvdb.org/show/osvdb/102129
-title: Echor Gem for Ruby contains a flaw
-date: 2014-01-14
-description: Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request function that is triggered when
-  a semi-colon (;) is injected into a username or password. This may allow a context-dependent attacker to inject
-  arbitrary commands if the gem is used in a rails application.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/echor/OSVDB-102130.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: echor
-osvdb: 102130
-url: http://osvdb.org/show/osvdb/102130
-title: Echor Gem for Ruby contains a flaw
-date: 2014-01-14
-description: Echor Gem for Ruby contains a flaw that is due to the program exposing credential information in the
-  system process listing. This may allow a local attacker to gain access to plaintext credential information.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/enum_column3/OSVDB-94679.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: enum_column3
-osvdb: 94679
-url: http://osvdb.org/show/osvdb/94679
-title: enum_column3 Gem for Ruby Symbol Creation Remote DoS
-date: 2013-06-26
-description: The enum_column3 Gem for Ruby contains a flaw that may allow a remote denial of service. The issue is due to the program typecasting unexpected strings to symbols. This may allow a remote attacker to crash the program.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/extlib/OSVDB-90740.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: extlib
-cve: 2013-1802
-osvdb: 90740
-url: http://osvdb.org/show/osvdb/90740
-title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-date: 2013-01-08
-description: |
-  extlib Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 0.9.16"

data/data/ruby-advisory-db/gems/fastreader/OSVDB-91232.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: fastreader
-cve: 2013-1876
-osvdb: 91232
-url: http://osvdb.org/show/osvdb/91232
-title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-13
-description: fastreader Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
-cvss_v2: 9.3

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90715.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: fileutils
-cve:
-osvdb: 90715
-url: http://osvdb.org/show/osvdb/90715
-title: fileutils Gem for Ruby files_utils.rb /tmp File Symlink Arbitrary File Overwrite
-date: 2013-02-28
-description: fileutils Gem for Ruby contains a flaw as the program creates temporary files insecurely. It is possible for a local attacker to use a symlink attack against temporary files created by files_utils.rb to cause the program to unexpectedly overwrite an arbitrary file.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90716.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: fileutils
-cve:
-osvdb: 90716
-url: http://osvdb.org/show/osvdb/90716
-title: fileutils Gem for Ruby Temporary Directory Hijacking Weakness
-date: 2013-02-28
-description: fileutils Gem for Ruby contains a flaw that is due to the program not verifying the existence of a directory before attempting to create it. This may allow a local attacker to create the directory in advance, thus owning any files subsequently written to it.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/fileutils/OSVDB-90717.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: fileutils
-cve: 2013-2516
-osvdb: 90717
-url: http://osvdb.org/show/osvdb/90717
-title: fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command Execution
-date: 2013-02-28
-description: fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is triggered when handling a specially crafted URL containing a command after a delimiter (;). This may allow a remote attacker to potentially execute arbitrary commands.
-cvss_v2:
-patched_versions:

data/data/ruby-advisory-db/gems/flash_tool/OSVDB-90829.yml DELETED Viewed

@@ -1,9 +0,0 @@
----
-gem: flash_tool
-cve: 2013-2513
-osvdb: 90829
-url: http://osvdb.org/show/osvdb/90829
-title: flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution
-date: 2013-03-04
-description: flash_tool Gem for Ruby contains a flaw that is triggered during the handling of downloaded files that contain shell characters. With a specially crafted file, a context-dependent attacker can execute arbitrary commands.
-cvss_v2:

data/data/ruby-advisory-db/gems/fog-dragonfly/OSVDB-96798.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: fog-dragonfly
-cve: 2013-5671
-osvdb: 96798
-url: http://www.osvdb.org/show/osvdb/96798
-title: fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution
-date: 2013-09-03
-description: fog-dragonfly Gem for Ruby contains a flaw that is due to the program
-  failing to properly sanitize input passed via the imagemagickutils.rb script. This
-  may allow a remote attacker to execute arbitrary commands.
-cvss_v2:
-patched_versions:
-- ">= 0.8.4"

data/data/ruby-advisory-db/gems/ftpd/OSVDB-90784.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: ftpd
-cve: 2013-2512
-osvdb: 90784
-url: http://osvdb.org/show/osvdb/90784
-title: ftpd Gem for Ruby Shell Character Handling Remote Command Injection
-date: 2013-02-28
-description: |
-  ftpd Gem for Ruby contains a flaw that is triggered when handling a
-  specially crafted option or filename that contains a shell
-  character. This may allow a remote attacker to inject arbitrary
-  commands.
-cvss_v2: 9.0
-patched_versions:
-  - ">= 0.2.2"

data/data/ruby-advisory-db/gems/gitlab-grit/OSVDB-99370.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: gitlab-grit
-cve: 2013-4489
-osvdb: 99370
-url: http://www.osvdb.org/show/osvdb/99370
-title: GitLab Grit Gem for Ruby contains a flaw
-date: 2013-11-04
-description: GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb script.
-  The issue is triggered when input passed via the code search box is not properly sanitized,
-  which allows strings to be evaluated by the Bourne shell. This may allow a remote attacker to
-  execute arbitrary commands.
-cvss_v2:
-patched_versions:
-  - '>= 2.6.1'

data/data/ruby-advisory-db/gems/gtk2/OSVDB-40774.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: gtk2
-cve: 2007-6183
-osvdb: 40774
-url: http://osvdb.org/show/osvdb/40774
-title:
-  Ruby-GNOME2 gtk/src/rbgtkmessagedialog.c Gtk::MessageDialog.new() Function
-  Format String
-date: 2007-11-27
-description: |
-  Format string vulnerability in the mdiag_initialize function in
-  gtk/src/rbgtkmessagedialog.c in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and
-  SVN versions before 20071127, allows context-dependent attackers to execute
-  arbitrary code via format string specifiers in the message parameter.
-cvss_v2: 6.8
-patched_versions:
-  - "> 0.16.0"

data/data/ruby-advisory-db/gems/httparty/OSVDB-90741.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: httparty
-cve: 2013-1801
-osvdb: 90741
-url: http://osvdb.org/show/osvdb/90741
-title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
-date: 2013-01-14
-description: |
-  httparty Gem for Ruby contains a flaw that is triggered when a type casting
-  error occurs during the parsing of parameters. This may allow a
-  context-dependent attacker to potentially execute arbitrary code.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.10.0"

data/data/ruby-advisory-db/gems/i18n/OSVDB-100528.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: i18n
-cve: 2013-4492
-osvdb: 100528
-url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
-title: i18n missing translation error message XSS
-date: 2013-12-03
-description: |
-  The HTML exception message raised by I18n::MissingTranslation fails
-  to escape the keys.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 0.5.1
-  - '>= 0.6.6'

data/data/ruby-advisory-db/gems/json/OSVDB-90074.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: json
-cve: 2013-0269
-osvdb: 90074
-url: http://direct.osvdb.org/show/osvdb/90074
-title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
-date: 2013-02-11
-description: |
-  Ruby on Rails contains a flaw that may allow a remote denial of service.
-  The issue is due to the JSON gem being tricked in to generating Ruby symbols
-  during the parsing of certain JSON documents. Since Ruby symbols are not
-  garbage collected, a remote attacker can crash a users system. This also may
-  allow the attacker to create arbitrary objects that may be used to bypass
-  certain security mechanisms and potentially allow SQL injection attacks to
-  be conducted.
-cvss_v2: 9.0
-patched_versions:
-  - ~> 1.5.5
-  - ~> 1.6.8
-  - ">= 1.7.7"

data/data/ruby-advisory-db/gems/karteek-docsplit/OSVDB-92117.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: karteek-docsplit
-cve: 2013-1933
-osvdb: 92117
-url: http://osvdb.org/show/osvdb/92117
-title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-08
-description: Karteek Docsplit Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to text_extractor.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 9.3
-patched_versions:

data/data/ruby-advisory-db/gems/kelredd-pruview/OSVDB-92228.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: kelredd-pruview
-cve: 2013-1947
-osvdb: 92228
-url: http://osvdb.org/show/osvdb/92228
-title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-04
-description: kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. The issue is triggered during the handling of a specially crafted file name that contains injected shell metacharacters. This may allow a context-dependent attacker to potentially execute arbitrary commands.
-cvss_v2: 9.3
-patched_versions:

data/data/ruby-advisory-db/gems/ldoce/OSVDB-91870.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: ldoce
-cve: 2013-1911
-osvdb: 91870
-url: http://osvdb.org/show/osvdb/91870
-title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-01
-description: ldoce Gem for Ruby contains a flaw that is triggered during the handling of a specially crafted URL or filename for MP3 files that have shell metacharacters injected in to it. This may allow a context-dependent attacker to execute arbitrary commands.
-cvss_v2: 6.8
-patched_versions: