RubyGems - mrjoy-bundler-audit - Versions diffs - 0.3.3 → 0.3.4 - Mend

mrjoy-bundler-audit 0.3.3 → 0.3.4

Files changed (121) hide show

data/data/ruby-advisory-db/gems/loofah/OSVDB-90945.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: loofah
-osvdb: 90945
-url: http://www.osvdb.org/show/osvdb/90945
-title: Loofah HTML and XSS injection vulnerability
-date: 2012-09-08
-description: |
-  Loofah Gem for Ruby contains a flaw that allows a remote cross-site
-  scripting (XSS) attack. This flaw exists because the
-  Loofah::HTML::Document\#text function passes properly sanitized
-  user-supplied input to the Loofah::XssFoliate and
-  Loofah::Helpers\#strip_tags functions which convert input back to
-  text. This may allow an attacker to create a specially crafted
-  request that would execute arbitrary script code in a user's browser
-  within the trust relationship between their browser and the server.
-cvss_v2: 5.0
-patched_versions:
-  - ">=  0.4.6"

data/data/ruby-advisory-db/gems/mail/OSVDB-70667.yml DELETED Viewed

@@ -1,21 +0,0 @@
----
-gem: mail
-cve: 2011-0739
-osvdb: 70667
-url: http://www.osvdb.org/show/osvdb/70667
-title: >
-  Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From:
-  Address Arbitrary Shell Command Injection
-date: 2011-01-25
-description: |
-  Mail Gem for Ruby contains a flaw related to the failure to properly sanitise
-  input passed from an email from address in the 'deliver()' function in
-  'lib/mail/network/delivery_methods/sendmail.rb' before being used as a
-  command line argument. This may allow a remote attacker to inject arbitrary
-  shell commands.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 2.2.15"

data/data/ruby-advisory-db/gems/mail/OSVDB-81631.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: mail
-cve: 2012-2139
-osvdb: 81631
-url: http://www.osvdb.org/show/osvdb/81631
-title: Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation
-date: 2012-03-14
-description: |
-  Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the 'to' parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.
-cvss_v2: 5.0
-patched_versions:
-- ">= 2.4.4"

data/data/ruby-advisory-db/gems/mail/OSVDB-81632.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: mail
-cve: 2012-2140
-osvdb: 81632
-url: http://www.osvdb.org/show/osvdb/81632
-title: Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution
-date: 2012-03-14
-description: |
-  Mail Gem for Ruby contains a flaw that occurs within the sendmail and exim
-  delivery methods, which may allow an attacker to execute arbitrary shell
-  commands..
-cvss_v2: 7.5
-patched_versions:
-- ">= 2.4.4"

data/data/ruby-advisory-db/gems/md2pdf/OSVDB-92290.yml DELETED Viewed

@@ -1,10 +0,0 @@
----
-gem: md2pdf
-cve: 2013-1948
-osvdb: 92290
-url: http://osvdb.org/show/osvdb/92290
-title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection Arbitrary Command Execution
-date: 2013-04-13
-description: md2pdf Gem for Ruby contains a flaw that is due to the program failing to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted file name that contains shell metacharacters, a context-dependent attacker can execute arbitrary commands
-cvss_v2: 10.0
-patched_versions:

data/data/ruby-advisory-db/gems/mini_magick/OSVDB-91231.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: mini_magick
-cve: 2013-2616
-osvdb: 91231
-url: http://osvdb.org/show/osvdb/91231
-title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection
-date: 2013-03-12
-description: MiniMagick Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input from an untrusted source passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.
-cvss_v2: 9.3
-patched_versions:
-  - ">= 3.6.0"

data/data/ruby-advisory-db/gems/multi_xml/OSVDB-89148.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: multi_xml
-cve: 2013-0175
-osvdb: 89148
-url: http://osvdb.org/show/osvdb/89148
-title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution
-date: 2013-01-11
-description: |
-  The multi_xml Gem for Ruby contains a flaw that is triggered when an error
-  occurs during the parsing of the 'XML' parameter. With a crafted request
-  containing arbitrary symbol and yaml types, a remote attacker can execute
-  arbitrary commands.
-patched_versions:
-  - ">= 0.5.2"

data/data/ruby-advisory-db/gems/newrelic_rpm/OSVDB-90189.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: newrelic_rpm
-cve: 2013-0284
-osvdb: 90189
-url: http://osvdb.org/show/osvdb/90189
-title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information
-date: 2012-12-06
-description: |
-  A bug in the Ruby agent causes database connection information and raw SQL
-  statements to be transmitted to New Relic servers. The database connection
-  information includes the database IP address, username, and password
-cvss_v2: 5.0
-patched_versions:
-  - ">= 3.5.3.25"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101179.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: nokogiri
-cve: 2013-6460
-osvdb: 101179
-url: http://www.osvdb.org/show/osvdb/101179
-title: Nokogiri Gem for JRuby Crafted XML Document Handling Infinite Loop Remote DoS
-date: 2013-12-14
-description: Nokogiri Gem for JRuby contains a flaw that may allow a remote denial of service. The issue is triggered when handling a specially crafted XML document, which can result in an infinite loop. This may allow a context-dependent attacker to crash the server.
-cvss_v2:
-patched_versions:
-  - ~> 1.5.11
-  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nokogiri/OSVDB-101458.yml DELETED Viewed

@@ -1,15 +0,0 @@
----
-gem: nokogiri
-cve: 2013-6461
-osvdb: 101458
-url: http://www.osvdb.org/show/osvdb/101458
-title: Nokogiri Gem for Ruby External Entity (XXE) Expansion Remote DoS
-date: 2013-12-14
-description: Nokogiri gem for Ruby contains an flaw that is triggered during the parsing of XML data.
-  The issue is due to an incorrectly configured XML parser accepting XML external entities from
-  an untrusted source. By sending specially crafted XML data, a remote attacker can cause an infinite
-  loop and crash the program.
-cvss_v2:
-patched_versions:
-  - ~> 1.5.11
-  - ">= 1.6.1"

data/data/ruby-advisory-db/gems/nori/OSVDB-90196.yml DELETED Viewed

@@ -1,19 +0,0 @@
----
-gem: nori
-cve: 2013-0285
-osvdb: 90196
-url: http://osvdb.org/show/osvdb/90196
-title: Ruby Gem nori Parameter Parsing Remote Code Execution
-date: 2013-01-10
-description: |
-  The Ruby Gem nori has a parameter parsing error that may allow an attacker
-  to execute arbitrary code. This vulnerability has to do with type casting
-  during parsing, and is related to CVE-2013-0156.
-cvss_v2: 7.5
-patched_versions:
-  - ~> 1.0.3
-  - ~> 1.1.4
-  - ">= 2.0.2"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99693.yml DELETED Viewed

@@ -1,22 +0,0 @@
----
-gem: omniauth-facebook
-cve: 2013-4562
-osvdb: 99693
-url: http://www.osvdb.org/show/osvdb/99693
-title: omniauth-facebook Gem for Ruby Unspecified CSRF
-date: 2013-11-12
-description: |
-  omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not
-  require multiple steps, explicit confirmation, or a unique token when
-  performing certain sensitive actions. By tricking a user into following
-  a specially crafted link, a context-dependent attacker can perform a
-  Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to
-  perform an unspecified action.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.5.0"
-unaffected_versions:
-  - "<= 1.4.0"

data/data/ruby-advisory-db/gems/omniauth-facebook/OSVDB-99888.yml DELETED Viewed

@@ -1,17 +0,0 @@
----
-gem: omniauth-facebook
-cve: 2013-4593
-osvdb: 99888
-url: http://www.osvdb.org/show/osvdb/99888
-title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication Bypass
-date: 2013-11-14
-description: |
-  omniauth-facebook Gem for Ruby contains a flaw that is due to the application
-  supporting passing the access token via the URL. This may allow a remote
-  attacker to bypass authentication and authenticate as another user.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.5.1"

data/data/ruby-advisory-db/gems/omniauth-oauth2/OSVDB-90264.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: omniauth-oauth2
-cve: 2012-6134
-osvdb: 90264
-url: http://www.osvdb.org/show/osvdb/90264
-title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability
-date: 2012-09-08
-description: |
-  The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to
-  inject values into a user's session through a CSRF attack.
-cvss_v2: 6.8
-patched_versions:
-  - ">= 1.1.1"

data/data/ruby-advisory-db/gems/paperclip/OSVDB-103151.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paperclip
-osvdb: 103151
-url: http://osvdb.org/show/osvdb/103151
-title: Paperclip Gem for Ruby contains a flaw
-date: 2014-01-31
-description: Paperclip Gem for Ruby contains a flaw that is due to the application failing to properly
-  validate the file extension, instead only validating the Content-Type header during file uploads.
-  This may allow a remote attacker to bypass restrictions on file types for uploaded files by
-  spoofing the content-type.
-cvss_v2:
-patched_versions:
-  - ">= 4.0.0"

data/data/ruby-advisory-db/gems/paratrooper-newrelic/OSVDB-101839.yml DELETED Viewed

@@ -1,12 +0,0 @@
----
-gem: paratrooper-newrelic
-cve: 2014-1234
-osvdb: 101839
-url: http://www.osvdb.org/show/osvdb/101839
-title: Paratrooper-newrelic Gem for Ruby contains a flaw
-date: 2014-01-08
-description: Paratrooper-newrelic Gem for Ruby contains a flaw in /lib/paratrooper-newrelic.rb.
-  The issue is triggered when the script exposes the API key, allowing a local attacker to
-  gain access to it by monitoring the process tree.
-cvss_v2: 2.1
-patched_versions:

data/data/ruby-advisory-db/gems/paratrooper-pingdom/OSVDB-101847.yml DELETED Viewed

@@ -1,13 +0,0 @@
----
-gem: paratrooper-pingdom
-cve: 2014-1233
-osvdb: 101847
-url: http://www.osvdb.org/show/osvdb/101847
-title: Paratrooper-pingdom Gem for Ruby contains a flaw
-date: 2013-12-26
-description: paratrooper-pingdom Gem for Ruby contains a flaw in /lib/paratrooper-pingdom.rb.
-  The issue is triggered when the script exposes API login credentials, allowing a local
-  attacker to gain access to the API key, username, and password for the API login by
-  monitoring the process tree.
-cvss_v2: 2.1
-patched_versions:

data/data/ruby-advisory-db/gems/pdfkit/OSVDB-90867.yml DELETED Viewed

@@ -1,11 +0,0 @@
----
-gem: pdfkit
-cve: 2013-1607
-osvdb: 90867
-url: http://osvdb.org/show/osvdb/90867
-title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution
-date: 2013-02-21
-description: PDFKit Gem for Ruby contains a flaw that is due to the program failing to properly validate input during the handling of parameters when generating PDF files. This may allow a remote attacker to potentially execute arbitrary code via the pdfkit generation options.
-cvss_v2:
-patched_versions:
-  - ">= 0.5.3"

data/data/ruby-advisory-db/gems/rack-cache/OSVDB-83077.yml DELETED Viewed

@@ -1,18 +0,0 @@
----
-gem: rack-cache
-cve: 2012-2671
-osvdb: 83077
-url: http://osvdb.org/83077
-title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness
-date: 2012-06-06
-description: |
-  Rack::Cache (rack-cache) contains a flaw related to the rubygem caching
-  sensitive HTTP headers. This will result in a weakness that may make it
-  easier for an attacker to gain access to a user's session via a specially
-  crafted header.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 1.2"

data/data/ruby-advisory-db/gems/rack/OSVDB-89939.yml DELETED Viewed

@@ -1,23 +0,0 @@
----
-gem: rack
-cve: 2013-0263
-osvdb: 89939
-url: http://osvdb.org/show/osvdb/89939
-title: |
-  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
-date: 2009-12-01
-description: |
-  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
-  function. Users of the Marshal session cookie encoding (the default), are
-  subject to a timing attack that may lead an attacker to execute arbitrary
-  code. This attack is more practical against 'cloud' users as intra-cloud
-  latencies are sufficiently low to make the attack viable.
-cvss_v2: 5.1
-patched_versions:
-- ~> 1.1.6
-- ~> 1.2.8
-- ~> 1.3.10
-- ~> 1.4.5
-- ">= 1.5.2"

data/data/ruby-advisory-db/gems/rbovirt/OSVDB-104080.yml DELETED Viewed

@@ -1,20 +0,0 @@
----
-gem: rbovirt
-cve: 2014-0036
-osvdb: 104080
-url: http://osvdb.org/show/osvdb/104080
-title: rbovirt Gem for Ruby contains a flaw
-date: 2014-03-05
-description: |
-  rbovirt Gem for Ruby contains a flaw related to certificate validation.
-  The issue is due to the program failing to validate SSL certificates. This may
-  allow an attacker with access to network traffic (e.g. MiTM, DNS cache
-  poisoning) to spoof the SSL server via an arbitrary certificate that appears
-  valid. Such an attack would allow for the interception of sensitive traffic,
-  and potentially allow for the injection of content into the SSL stream.
-cvss_v2:
-patched_versions:
-  - '>= 0.0.24'

data/data/ruby-advisory-db/gems/rdoc/OSVDB-90004.yml DELETED Viewed

@@ -1,27 +0,0 @@
----
-gem: rdoc
-cve: 2013-0256
-osvdb: 90004
-url: http://www.osvdb.org/show/osvdb/90004
-title: RDoc 2.3.0 through 3.12 XSS Exploit
-date: 2013-02-06
-description: |
-  Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases
-  up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit
-  may lead to cookie disclosure to third parties.
-  The exploit exists in darkfish.js which is copied from the RDoc install
-  location to the generated documentation.
-  RDoc is a static documentation generation tool. Patching the library itself
-  is insufficient to correct this exploit.
-  This exploit was discovered by Evgeny Ermakov <corwmh@gmail.com>.
-cvss_v2: 4.3
-patched_versions:
-  - ~> 3.9.5
-  - ~> 3.12.1
-  - ">= 4.0"

data/data/ruby-advisory-db/gems/redis-namespace/OSVDB-96425.yml DELETED Viewed

@@ -1,16 +0,0 @@
----
-gem: redis-namespace
-osvdb: 96425
-url: http://www.osvdb.org/show/osvdb/96425
-title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
-date: 2013-08-03
-description: |
-  redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
-  The issue is triggered when handling exec commands called via send(). This may allow a
-  remote attacker to execute arbitrary commands.
-cvss_v2:
-patched_versions:
-  - ">= 1.3.1"
-  - ">= 1.2.2"
-  - ">= 1.1.1"
-  - ">= 1.0.4"

data/data/ruby-advisory-db/gems/rgpg/OSVDB-95948.yml DELETED Viewed

@@ -1,14 +0,0 @@
----
-gem: rgpg
-osvdb: 95948
-cve: 2013-4203
-url: http://www.osvdb.org/show/osvdb/95948
-title: Ruby rgpg Gem Shell Command Injection Vulnerabilities
-date: 2013-08-02
-description: |
-  rgpg Gem for Ruby contains a flaw in the GpgHelper module (lib/rgpg/gpg_helper.rb).
-  The issue is due to the program failing to properly sanitize user-supplied input before being used in the system() function for execution.
-  This may allow a remote attacker to execute arbitrary commands.
-cvss_v2: 7.5
-patched_versions:
-  - ">= 0.2.3"