From df7b223778d8f5eaa5ed534a80105a7360ddd434 Mon Sep 17 00:00:00 2001 
From: kallal79 Date: Tue, 31 Mar 2026 07:27:20 +0530 Subject: [PATCH 1/2] Updated advisory posts against rubysec/ruby-advisory-db@b1e3c15 --- advisories/_posts/2006-05-14-CVE-2006-2581.md | 92 +-- advisories/_posts/2006-05-14-CVE-2006-2582.md | 90 +-- advisories/_posts/2007-01-22-CVE-2007-0469.md | 54 +- advisories/_posts/2007-05-21-OSVDB-101157.md | 50 +- advisories/_posts/2007-06-15-OSVDB-95668.md | 50 +- advisories/_posts/2007-11-27-CVE-2007-6183.md | 46 +- advisories/_posts/2008-08-12-CVE-2008-7311.md | 48 +- advisories/_posts/2008-08-15-OSVDB-95749.md | 58 +- advisories/_posts/2008-09-22-CVE-2008-7310.md | 44 +- advisories/_posts/2008-10-10-OSVDB-95376.md | 56 +- advisories/_posts/2008-12-08-CVE-2008-4310.md | 66 +- advisories/_posts/2009-07-10-CVE-2009-2422.md | 76 +- advisories/_posts/2009-12-07-CVE-2009-4123.md | 54 +- advisories/_posts/2010-02-01-OSVDB-62067.md | 74 +- advisories/_posts/2010-04-27-OSVDB-110439.md | 58 +- advisories/_posts/2010-08-12-OSVDB-114600.md | 50 +- advisories/_posts/2010-11-02-CVE-2010-3978.md | 54 +- advisories/_posts/2011-01-12-OSVDB-106954.md | 48 +- advisories/_posts/2011-01-25-CVE-2011-0739.md | 52 +- .../_posts/2011-02-10-CVE-2011-10019.md | 68 +- advisories/_posts/2011-04-19-OSVDB-73751.md | 46 +- advisories/_posts/2011-05-13-CVE-2011-0995.md | 64 +- advisories/_posts/2011-08-16-CVE-2011-3186.md | 48 +- advisories/_posts/2011-09-01-CVE-2011-4969.md | 72 +- advisories/_posts/2011-09-01-OSVDB-97854.md | 60 +- advisories/_posts/2011-09-20-OSVDB-115917.md | 58 +- advisories/_posts/2011-10-05-OSVDB-76011.md | 50 +- advisories/_posts/2011-10-27-CVE-2011-3870.md | 74 +- advisories/_posts/2011-10-27-CVE-2011-3871.md | 76 +- advisories/_posts/2011-12-28-CVE-2011-5036.md | 54 +- advisories/_posts/2012-02-01-CVE-2012-6135.md | 52 +- advisories/_posts/2012-02-29-CVE-2012-6684.md | 68 +- advisories/_posts/2012-03-01-CVE-2012-1098.md | 62 +- advisories/_posts/2012-03-01-CVE-2012-1099.md | 56 +- 
advisories/_posts/2012-03-14-CVE-2012-2139.md | 44 +- advisories/_posts/2012-03-14-CVE-2012-2140.md | 46 +- advisories/_posts/2012-04-20-CVE-2012-2126.md | 48 +- advisories/_posts/2012-05-04-CVE-2012-6109.md | 54 +- advisories/_posts/2012-05-29-CVE-2012-1053.md | 88 +-- advisories/_posts/2012-05-29-CVE-2012-1906.md | 72 +- advisories/_posts/2012-05-31-CVE-2012-2660.md | 58 +- advisories/_posts/2012-05-31-CVE-2012-2661.md | 64 +- advisories/_posts/2012-06-06-CVE-2012-2671.md | 48 +- advisories/_posts/2012-06-08-CVE-2012-6685.md | 46 +- advisories/_posts/2012-07-02-OSVDB-125712.md | 54 +- advisories/_posts/2012-07-02-OSVDB-125713.md | 50 +- advisories/_posts/2012-07-26-CVE-2012-3424.md | 62 +- advisories/_posts/2012-08-08-CVE-2010-5142.md | 58 +- advisories/_posts/2012-08-09-CVE-2012-3463.md | 62 +- advisories/_posts/2012-08-09-CVE-2012-3464.md | 56 +- advisories/_posts/2012-08-09-CVE-2012-3465.md | 56 +- advisories/_posts/2012-09-08-CVE-2012-6134.md | 42 +- advisories/_posts/2012-09-08-OSVDB-90945.md | 64 +- advisories/_posts/2012-09-25-CVE-2012-2125.md | 50 +- advisories/_posts/2012-12-04-CVE-2012-5604.md | 48 +- advisories/_posts/2012-12-06-CVE-2013-0284.md | 46 +- advisories/_posts/2012-12-21-CVE-2012-6497.md | 48 +- advisories/_posts/2012-12-22-CVE-2012-6496.md | 54 +- advisories/_posts/2013-01-07-CVE-2013-0183.md | 50 +- advisories/_posts/2013-01-08-CVE-2013-0155.md | 64 +- advisories/_posts/2013-01-08-CVE-2013-0156.md | 64 +- advisories/_posts/2013-01-08-CVE-2013-1802.md | 46 +- advisories/_posts/2013-01-09-CVE-2013-1800.md | 50 +- advisories/_posts/2013-01-10-CVE-2013-0285.md | 48 +- advisories/_posts/2013-01-11-CVE-2013-0175.md | 46 +- advisories/_posts/2013-01-13-CVE-2013-0184.md | 54 +- advisories/_posts/2013-01-14-CVE-2013-1801.md | 46 +- advisories/_posts/2013-01-28-CVE-2013-0233.md | 52 +- advisories/_posts/2013-01-28-CVE-2013-0333.md | 56 +- advisories/_posts/2013-02-06-CVE-2013-0256.md | 52 +- advisories/_posts/2013-02-07-CVE-2013-0262.md | 50 +- 
advisories/_posts/2013-02-07-CVE-2013-0263.md | 56 +- advisories/_posts/2013-02-11-CVE-2013-0276.md | 56 +- advisories/_posts/2013-02-11-CVE-2013-0277.md | 56 +- advisories/_posts/2013-02-12-CVE-2013-0269.md | 56 +- advisories/_posts/2013-02-12-OSVDB-115090.md | 54 +- advisories/_posts/2013-02-12-OSVDB-115091.md | 54 +- advisories/_posts/2013-02-19-CVE-2013-1756.md | 52 +- advisories/_posts/2013-02-21-CVE-2013-0162.md | 46 +- advisories/_posts/2013-02-21-CVE-2013-1607.md | 48 +- advisories/_posts/2013-02-21-CVE-2013-1656.md | 74 +- advisories/_posts/2013-02-21-CVE-2013-2506.md | 54 +- .../_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md | 76 +- advisories/_posts/2013-02-28-CVE-2013-2512.md | 50 +- advisories/_posts/2013-02-28-CVE-2013-2516.md | 48 +- advisories/_posts/2013-03-04-CVE-2013-2513.md | 42 +- advisories/_posts/2013-03-12-CVE-2013-2616.md | 48 +- advisories/_posts/2013-03-12-CVE-2013-2617.md | 40 +- advisories/_posts/2013-03-13-CVE-2013-2615.md | 44 +- advisories/_posts/2013-03-18-CVE-2013-1875.md | 44 +- advisories/_posts/2013-03-19-CVE-2013-1854.md | 66 +- advisories/_posts/2013-03-19-CVE-2013-1855.md | 64 +- advisories/_posts/2013-03-19-CVE-2013-1856.md | 68 +- advisories/_posts/2013-03-19-CVE-2013-1857.md | 66 +- advisories/_posts/2013-03-26-CVE-2013-1898.md | 46 +- advisories/_posts/2013-04-01-CVE-2013-1911.md | 46 +- advisories/_posts/2013-04-04-CVE-2013-1947.md | 46 +- advisories/_posts/2013-04-08-CVE-2013-1933.md | 46 +- advisories/_posts/2013-04-13-CVE-2013-1948.md | 46 +- advisories/_posts/2013-04-21-CVE-2013-3221.md | 92 +-- advisories/_posts/2013-05-14-CVE-2013-2090.md | 50 +- advisories/_posts/2013-05-17-CVE-2013-2105.md | 42 +- advisories/_posts/2013-05-29-CVE-2013-2119.md | 50 +- advisories/_posts/2013-06-10-CVE-2013-4136.md | 50 +- advisories/_posts/2013-06-26-OSVDB-94679.md | 46 +- advisories/_posts/2013-07-09-CVE-2014-2538.md | 48 +- advisories/_posts/2013-07-25-CVE-2013-4170.md | 68 +- advisories/_posts/2013-08-02-CVE-2013-4203.md | 48 +- 
advisories/_posts/2013-08-02-OSVDB-114435.md | 58 +- advisories/_posts/2013-08-03-OSVDB-96425.md | 58 +- advisories/_posts/2013-08-14-CVE-2013-5647.md | 46 +- advisories/_posts/2013-09-01-CVE-2013-4318.md | 44 +- advisories/_posts/2013-09-03-CVE-2013-5671.md | 50 +- advisories/_posts/2013-09-09-CVE-2013-4287.md | 60 +- advisories/_posts/2013-09-19-CVE-2013-6459.md | 52 +- advisories/_posts/2013-09-24-CVE-2013-4363.md | 64 +- advisories/_posts/2013-10-01-CVE-2013-7463.md | 38 +- advisories/_posts/2013-10-08-CVE-2013-4413.md | 46 +- advisories/_posts/2013-10-16-CVE-2013-4389.md | 56 +- advisories/_posts/2013-10-22-CVE-2013-4457.md | 48 +- advisories/_posts/2013-10-29-CVE-2013-4478.md | 74 +- advisories/_posts/2013-10-29-CVE-2013-4479.md | 74 +- advisories/_posts/2013-11-04-CVE-2013-4489.md | 44 +- advisories/_posts/2013-11-12-CVE-2013-4562.md | 56 +- advisories/_posts/2013-11-14-CVE-2013-4593.md | 50 +- advisories/_posts/2013-12-02-CVE-2013-6421.md | 52 +- advisories/_posts/2013-12-03-CVE-2013-4491.md | 56 +- advisories/_posts/2013-12-03-CVE-2013-4492.md | 44 +- advisories/_posts/2013-12-03-CVE-2013-6414.md | 52 +- advisories/_posts/2013-12-03-CVE-2013-6415.md | 52 +- advisories/_posts/2013-12-03-CVE-2013-6416.md | 64 +- advisories/_posts/2013-12-03-CVE-2013-6417.md | 62 +- advisories/_posts/2013-12-12-CVE-2013-7086.md | 44 +- advisories/_posts/2013-12-14-CVE-2013-6460.md | 52 +- advisories/_posts/2013-12-14-CVE-2013-6461.md | 46 +- advisories/_posts/2013-12-14-CVE-2013-7111.md | 40 +- advisories/_posts/2013-12-24-CVE-2013-7222.md | 50 +- advisories/_posts/2013-12-24-CVE-2013-7223.md | 56 +- advisories/_posts/2013-12-24-CVE-2013-7224.md | 50 +- advisories/_posts/2013-12-24-CVE-2013-7225.md | 56 +- advisories/_posts/2013-12-24-CVE-2013-7249.md | 48 +- advisories/_posts/2013-12-26-CVE-2014-1233.md | 46 +- advisories/_posts/2013-12-31-OSVDB-101577.md | 48 +- advisories/_posts/2014-01-08-CVE-2014-1234.md | 44 +- advisories/_posts/2014-01-14-CVE-2014-0013.md | 84 +-- 
advisories/_posts/2014-01-14-CVE-2014-0014.md | 78 +- advisories/_posts/2014-01-14-CVE-2014-1834.md | 46 +- advisories/_posts/2014-01-14-CVE-2014-1835.md | 42 +- advisories/_posts/2014-01-28-CVE-2014-1831.md | 48 +- advisories/_posts/2014-01-29-CVE-2014-1832.md | 48 +- advisories/_posts/2014-01-31-OSVDB-103151.md | 52 +- advisories/_posts/2014-02-07-CVE-2014-0046.md | 70 +- advisories/_posts/2014-02-13-CVE-2014-0083.md | 48 +- advisories/_posts/2014-02-18-CVE-2014-0080.md | 60 +- advisories/_posts/2014-02-18-CVE-2014-0081.md | 60 +- advisories/_posts/2014-02-18-CVE-2014-0082.md | 58 +- advisories/_posts/2014-03-05-CVE-2014-0036.md | 44 +- advisories/_posts/2014-03-10-CVE-2014-2322.md | 74 +- advisories/_posts/2014-03-13-CVE-2014-0135.md | 58 +- advisories/_posts/2014-03-25-CVE-2014-4920.md | 54 +- advisories/_posts/2014-03-28-CVE-2014-0156.md | 48 +- advisories/_posts/2014-04-16-CVE-2014-2888.md | 48 +- advisories/_posts/2014-04-24-OSVDB-106279.md | 50 +- advisories/_posts/2014-04-30-OSVDB-118481.md | 62 +- advisories/_posts/2014-05-06-CVE-2014-0130.md | 62 +- advisories/_posts/2014-06-07-OSVDB-107783.md | 48 +- .../_posts/2014-06-30-CVE-2014-10075.md | 80 +-- advisories/_posts/2014-06-30-CVE-2014-4991.md | 46 +- advisories/_posts/2014-06-30-CVE-2014-4992.md | 42 +- advisories/_posts/2014-06-30-CVE-2014-4993.md | 46 +- advisories/_posts/2014-06-30-CVE-2014-4994.md | 44 +- advisories/_posts/2014-06-30-CVE-2014-4995.md | 48 +- advisories/_posts/2014-06-30-CVE-2014-4996.md | 48 +- advisories/_posts/2014-06-30-CVE-2014-4997.md | 44 +- advisories/_posts/2014-06-30-CVE-2014-4998.md | 46 +- advisories/_posts/2014-06-30-CVE-2014-4999.md | 46 +- advisories/_posts/2014-06-30-CVE-2014-5000.md | 44 +- advisories/_posts/2014-06-30-CVE-2014-5001.md | 56 +- advisories/_posts/2014-06-30-CVE-2014-5002.md | 48 +- advisories/_posts/2014-06-30-CVE-2014-5003.md | 46 +- advisories/_posts/2014-06-30-OSVDB-108530.md | 52 +- advisories/_posts/2014-06-30-OSVDB-108570.md | 52 +- 
advisories/_posts/2014-06-30-OSVDB-108572.md | 54 +- advisories/_posts/2014-06-30-OSVDB-108575.md | 52 +- advisories/_posts/2014-06-30-OSVDB-108579.md | 48 +- advisories/_posts/2014-06-30-OSVDB-108585.md | 50 +- advisories/_posts/2014-06-30-OSVDB-108593.md | 62 +- advisories/_posts/2014-06-30-OSVDB-108594.md | 50 +- advisories/_posts/2014-07-02-CVE-2014-3482.md | 62 +- advisories/_posts/2014-07-02-CVE-2014-3483.md | 64 +- advisories/_posts/2014-07-09-CVE-2014-5004.md | 64 +- advisories/_posts/2014-07-09-OSVDB-108899.md | 58 +- advisories/_posts/2014-07-09-OSVDB-108900.md | 56 +- advisories/_posts/2014-08-13-CVE-2013-0334.md | 56 +- advisories/_posts/2014-08-18-CVE-2014-3514.md | 54 +- advisories/_posts/2014-08-22-CVE-2014-5441.md | 54 +- advisories/_posts/2014-08-25-OSVDB-110439.md | 54 +- advisories/_posts/2014-09-04-OSVDB-110796.md | 56 +- advisories/_posts/2014-09-25-OSVDB-112683.md | 50 +- .../_posts/2014-09-27-CVE-2014-10077.md | 54 +- .../_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md | 70 +- advisories/_posts/2014-09-29-OSVDB-112346.md | 52 +- advisories/_posts/2014-10-13-OSVDB-126330.md | 46 +- advisories/_posts/2014-10-30-CVE-2014-7818.md | 60 +- advisories/_posts/2014-10-30-CVE-2014-7819.md | 78 +- advisories/_posts/2014-11-17-CVE-2014-7829.md | 64 +- advisories/_posts/2014-12-04-CVE-2014-9489.md | 58 +- advisories/_posts/2014-12-08-CVE-2014-9490.md | 50 +- advisories/_posts/2014-12-18-CVE-2014-8144.md | 60 +- advisories/_posts/2015-02-03-OSVDB-117903.md | 56 +- advisories/_posts/2015-02-10-CVE-2015-1426.md | 68 +- advisories/_posts/2015-02-10-OSVDB-118830.md | 68 +- advisories/_posts/2015-02-16-CVE-2015-1585.md | 52 +- advisories/_posts/2015-02-17-CVE-2015-2179.md | 46 +- advisories/_posts/2015-03-05-OSVDB-119205.md | 66 +- advisories/_posts/2015-03-24-CVE-2015-1820.md | 52 +- advisories/_posts/2015-03-24-CVE-2015-1828.md | 46 +- advisories/_posts/2015-04-07-OSVDB-120415.md | 66 +- advisories/_posts/2015-04-14-CVE-2015-1819.md | 122 ++-- 
advisories/_posts/2015-04-14-CVE-2015-1866.md | 72 +- advisories/_posts/2015-04-15-OSVDB-120857.md | 52 +- advisories/_posts/2015-04-21-OSVDB-125678.md | 48 +- .../_posts/2015-04-29-CVE-2015-20108.md | 70 +- advisories/_posts/2015-04-29-CVE-2015-3448.md | 42 +- advisories/_posts/2015-05-05-CVE-2015-3649.md | 44 +- advisories/_posts/2015-05-11-OSVDB-126329.md | 52 +- advisories/_posts/2015-05-14-CVE-2015-3900.md | 62 +- advisories/_posts/2015-05-25-CVE-2015-9284.md | 66 +- advisories/_posts/2015-06-04-CVE-2015-4410.md | 50 +- advisories/_posts/2015-06-04-CVE-2015-4412.md | 50 +- advisories/_posts/2015-06-04-OSVDB-125676.md | 56 +- advisories/_posts/2015-06-05-CVE-2015-2963.md | 48 +- advisories/_posts/2015-06-08-CVE-2015-4020.md | 58 +- advisories/_posts/2015-06-16-CVE-2015-1840.md | 86 +-- advisories/_posts/2015-06-16-CVE-2015-3224.md | 48 +- advisories/_posts/2015-06-16-CVE-2015-3225.md | 46 +- advisories/_posts/2015-06-16-CVE-2015-3226.md | 116 +-- advisories/_posts/2015-06-16-CVE-2015-3227.md | 76 +- advisories/_posts/2015-06-16-CVE-2015-4619.md | 52 +- advisories/_posts/2015-06-22-CVE-2015-5147.md | 52 +- advisories/_posts/2015-06-30-OSVDB-124383.md | 52 +- advisories/_posts/2015-07-06-OSVDB-125675.md | 48 +- .../_posts/2015-07-13-CVE-2017-11173.md | 60 +- advisories/_posts/2015-07-17-OSVDB-126331.md | 56 +- advisories/_posts/2015-07-20-OSVDB-125701.md | 54 +- advisories/_posts/2015-07-21-CVE-2015-5378.md | 64 +- advisories/_posts/2015-07-21-CVE-2015-8857.md | 80 +-- advisories/_posts/2015-07-28-OSVDB-125699.md | 60 +- advisories/_posts/2015-08-20-CVE-2015-5619.md | 64 +- advisories/_posts/2015-08-24-OSVDB-131671.md | 68 +- advisories/_posts/2015-09-17-CVE-2015-7225.md | 60 +- advisories/_posts/2015-09-20-CVE-2015-7314.md | 44 +- .../_posts/2015-10-24-CVE-2017-1000042.md | 88 +-- advisories/_posts/2015-11-17-OSVDB-131671.md | 64 +- advisories/_posts/2015-11-23-CVE-2015-7519.md | 50 +- advisories/_posts/2015-12-09-CVE-2015-9097.md | 54 +- 
advisories/_posts/2015-12-11-CVE-2015-8968.md | 62 +- advisories/_posts/2015-12-15-CVE-2015-5312.md | 192 ++--- advisories/_posts/2015-12-15-CVE-2015-8969.md | 46 +- advisories/_posts/2015-12-18-OSVDB-132234.md | 76 +- advisories/_posts/2016-01-04-CVE-2015-7541.md | 60 +- advisories/_posts/2016-01-08-OSVDB-132800.md | 56 +- .../_posts/2016-01-12-CVE-2017-1000043.md | 86 +-- advisories/_posts/2016-01-14-CVE-2015-7565.md | 80 +-- advisories/_posts/2016-01-18-CVE-2015-8314.md | 48 +- advisories/_posts/2016-01-19-CVE-2015-7499.md | 80 +-- advisories/_posts/2016-01-25-CVE-2015-7576.md | 250 +++---- advisories/_posts/2016-01-25-CVE-2015-7577.md | 230 +++--- advisories/_posts/2016-01-25-CVE-2015-7578.md | 106 +-- advisories/_posts/2016-01-25-CVE-2015-7579.md | 160 ++--- advisories/_posts/2016-01-25-CVE-2015-7580.md | 152 ++-- advisories/_posts/2016-01-25-CVE-2015-7581.md | 124 ++-- advisories/_posts/2016-01-25-CVE-2016-0751.md | 160 ++--- advisories/_posts/2016-01-25-CVE-2016-0752.md | 202 +++--- advisories/_posts/2016-01-25-CVE-2016-0753.md | 200 +++--- advisories/_posts/2016-02-29-CVE-2016-2097.md | 190 ++--- advisories/_posts/2016-02-29-CVE-2016-2098.md | 192 ++--- advisories/_posts/2016-04-01-CVE-2016-3098.md | 44 +- .../_posts/2016-04-13-CVE-2016-10193.md | 44 +- advisories/_posts/2016-04-20-CVE-2016-3693.md | 46 +- .../_posts/2016-04-23-CVE-2016-10194.md | 42 +- advisories/_posts/2016-04-26-CVE-2016-2785.md | 64 +- advisories/_posts/2016-05-18-CVE-2016-4442.md | 48 +- advisories/_posts/2016-06-07-CVE-2015-8806.md | 100 +-- .../_posts/2016-06-16-CVE-2016-10362.md | 56 +- advisories/_posts/2016-06-24-CVE-2016-5697.md | 52 +- .../_posts/2016-07-27-CVE-2016-10735.md | 48 +- advisories/_posts/2016-08-11-CVE-2016-6316.md | 122 ++-- advisories/_posts/2016-08-11-CVE-2016-6317.md | 158 ++-- advisories/_posts/2016-08-18-CVE-2016-6582.md | 96 +-- .../_posts/2016-08-22-CVE-2016-10173.md | 58 +- advisories/_posts/2016-08-27-CVE-2016-7103.md | 58 +- 
advisories/_posts/2016-10-06-CVE-2016-7954.md | 96 +-- .../_posts/2016-11-09-CVE-2016-10345.md | 46 +- .../_posts/2016-12-21-CVE-2016-10522.md | 64 +- .../_posts/2017-01-11-CVE-2017-18076.md | 50 +- advisories/_posts/2017-02-27-CVE-2017-5946.md | 46 +- advisories/_posts/2017-03-11-CVE-2016-4658.md | 80 +-- advisories/_posts/2017-04-05-CVE-2017-7540.md | 52 +- advisories/_posts/2017-05-01-CVE-2017-8418.md | 48 +- .../_posts/2017-05-08-CVE-2017-1002201.md | 52 +- advisories/_posts/2017-05-09-CVE-2017-5029.md | 106 +-- .../_posts/2017-06-16-CVE-2016-1000221.md | 62 +- .../_posts/2017-07-11-CVE-2017-16833.md | 62 +- advisories/_posts/2017-08-29-CVE-2017-0899.md | 52 +- advisories/_posts/2017-08-29-CVE-2017-0900.md | 52 +- advisories/_posts/2017-08-29-CVE-2017-0901.md | 56 +- advisories/_posts/2017-08-29-CVE-2017-0902.md | 52 +- advisories/_posts/2017-09-19-CVE-2017-9050.md | 138 ++-- advisories/_posts/2017-10-09-CVE-2017-0903.md | 56 +- advisories/_posts/2017-10-24-CVE-2006-4111.md | 64 +- advisories/_posts/2017-10-24-CVE-2006-4112.md | 76 +- advisories/_posts/2017-10-24-CVE-2007-3227.md | 66 +- advisories/_posts/2017-10-24-CVE-2007-5379.md | 68 +- advisories/_posts/2017-10-24-CVE-2007-5380.md | 60 +- advisories/_posts/2017-10-24-CVE-2007-6077.md | 68 +- advisories/_posts/2017-10-24-CVE-2008-4094.md | 76 +- advisories/_posts/2017-10-24-CVE-2008-5189.md | 62 +- advisories/_posts/2017-10-24-CVE-2008-7248.md | 90 +-- advisories/_posts/2017-10-24-CVE-2009-3009.md | 84 +-- advisories/_posts/2017-10-24-CVE-2009-3086.md | 86 +-- advisories/_posts/2017-10-24-CVE-2009-3287.md | 58 +- advisories/_posts/2017-10-24-CVE-2009-4214.md | 80 +-- advisories/_posts/2017-10-24-CVE-2009-4492.md | 72 +- advisories/_posts/2017-10-24-CVE-2010-3933.md | 74 +- advisories/_posts/2017-10-24-CVE-2010-5312.md | 102 +-- advisories/_posts/2017-10-24-CVE-2011-0446.md | 76 +- advisories/_posts/2017-10-24-CVE-2011-0447.md | 90 +-- advisories/_posts/2017-10-24-CVE-2011-0448.md | 72 +- 
advisories/_posts/2017-10-24-CVE-2011-0449.md | 80 +-- advisories/_posts/2017-10-24-CVE-2011-2197.md | 82 +-- advisories/_posts/2017-10-24-CVE-2011-2929.md | 94 +-- advisories/_posts/2017-10-24-CVE-2011-2930.md | 90 +-- advisories/_posts/2017-10-24-CVE-2011-2931.md | 96 +-- advisories/_posts/2017-10-24-CVE-2011-2932.md | 94 +-- advisories/_posts/2017-10-24-CVE-2011-3187.md | 82 +-- advisories/_posts/2017-10-24-CVE-2011-4319.md | 102 +-- advisories/_posts/2017-10-24-CVE-2012-1989.md | 76 +- advisories/_posts/2017-10-24-CVE-2012-2660.md | 80 +-- advisories/_posts/2017-10-24-CVE-2012-2694.md | 80 +-- advisories/_posts/2017-10-24-CVE-2012-2695.md | 76 +- advisories/_posts/2017-10-24-CVE-2012-3408.md | 60 +- advisories/_posts/2017-10-24-CVE-2012-3865.md | 70 +- advisories/_posts/2017-10-24-CVE-2012-3866.md | 66 +- advisories/_posts/2017-10-24-CVE-2012-3867.md | 74 +- advisories/_posts/2017-10-24-CVE-2012-6662.md | 80 +-- advisories/_posts/2017-10-24-CVE-2013-1655.md | 70 +- advisories/_posts/2017-10-24-CVE-2013-1812.md | 66 +- advisories/_posts/2017-10-24-CVE-2013-3567.md | 68 +- advisories/_posts/2017-10-24-CVE-2013-4761.md | 76 +- advisories/_posts/2017-10-24-CVE-2014-0081.md | 76 +- advisories/_posts/2017-10-24-CVE-2014-3248.md | 78 +- advisories/_posts/2017-10-24-CVE-2016-7798.md | 46 +- .../_posts/2017-10-27-CVE-2017-15928.md | 44 +- .../_posts/2017-10-29-CVE-2017-16229.md | 44 +- .../_posts/2017-11-03-CVE-2017-16516.md | 50 +- advisories/_posts/2017-11-07-CVE-2017-0904.md | 48 +- advisories/_posts/2017-11-09-CVE-2017-0905.md | 76 +- advisories/_posts/2017-11-09-CVE-2017-0909.md | 44 +- .../_posts/2017-11-10-CVE-2017-16792.md | 60 +- advisories/_posts/2017-11-15-CVE-2017-7475.md | 40 +- advisories/_posts/2017-11-16-CVE-2014-9489.md | 66 +- .../_posts/2017-11-16-CVE-2017-1000248.md | 40 +- .../_posts/2017-11-28-CVE-2017-17042.md | 46 +- .../_posts/2017-12-17-CVE-2017-17718.md | 50 +- advisories/_posts/2018-01-04-CVE-2018-5216.md | 42 +- 
advisories/_posts/2018-01-09-CVE-2018-7212.md | 50 +- .../_posts/2018-01-10-CVE-2017-12097.md | 48 +- .../_posts/2018-01-10-CVE-2017-12098.md | 54 +- .../_posts/2018-01-18-CVE-2016-10707.md | 82 +-- advisories/_posts/2018-01-22-CVE-2015-9251.md | 64 +- advisories/_posts/2018-01-23-CVE-2017-0889.md | 66 +- .../_posts/2018-01-29-CVE-2017-15412.md | 62 +- .../_posts/2018-01-29-CVE-2017-16932.md | 58 +- advisories/_posts/2018-02-18-CVE-2018-7212.md | 40 +- advisories/_posts/2018-02-19-CVE-2018-7261.md | 42 +- .../_posts/2018-02-21-CVE-2018-1000088.md | 84 +-- .../_posts/2018-02-27-CVE-2017-11428.md | 68 +- .../_posts/2018-02-27-CVE-2017-11430.md | 50 +- .../_posts/2018-03-07-CVE-2018-1000119.md | 50 +- advisories/_posts/2018-03-16-CVE-2018-8048.md | 40 +- advisories/_posts/2018-03-19-CVE-2018-3740.md | 62 +- advisories/_posts/2018-03-22-CVE-2018-3741.md | 58 +- advisories/_posts/2018-03-29-CVE-2018-8048.md | 90 +-- .../_posts/2018-04-13-CVE-2017-18258.md | 62 +- advisories/_posts/2018-04-23-CVE-2019-3881.md | 50 +- .../_posts/2018-04-30-CVE-2018-1000539.md | 60 +- advisories/_posts/2018-05-03-CVE-2018-3759.md | 44 +- advisories/_posts/2018-05-23-CVE-2018-3769.md | 56 +- .../_posts/2018-05-31-CVE-2018-11627.md | 46 +- .../_posts/2018-06-12-CVE-2018-12026.md | 60 +- .../_posts/2018-06-12-CVE-2018-12027.md | 68 +- .../_posts/2018-06-12-CVE-2018-12028.md | 64 +- .../_posts/2018-06-12-CVE-2018-12029.md | 64 +- .../_posts/2018-06-14-CVE-2018-1000544.md | 56 +- advisories/_posts/2018-06-19-CVE-2018-3760.md | 62 +- .../_posts/2018-06-22-CVE-2018-1000201.md | 52 +- .../_posts/2018-07-03-CVE-2018-14040.md | 64 +- .../_posts/2018-07-11-CVE-2018-1000211.md | 88 +-- advisories/_posts/2018-07-26-CVE-2018-3721.md | 78 +- advisories/_posts/2018-07-27-CVE-2018-3777.md | 90 +-- advisories/_posts/2018-08-09-CVE-2018-3779.md | 46 +- .../_posts/2018-09-13-CVE-2018-14041.md | 70 +- .../_posts/2018-09-13-CVE-2018-14042.md | 90 +-- .../_posts/2018-09-14-CVE-2018-14643.md | 52 +- 
.../_posts/2018-09-28-CVE-2018-17567.md | 46 +- .../_posts/2018-10-04-CVE-2018-14404.md | 156 ++-- .../_posts/2018-10-17-CVE-2018-16395.md | 100 +-- .../_posts/2018-10-19-CVE-2018-18476.md | 56 +- .../_posts/2018-10-27-CVE-2018-1000842.md | 60 +- .../_posts/2018-10-30-CVE-2018-16468.md | 46 +- .../_posts/2018-11-05-CVE-2018-16470.md | 124 ++-- .../_posts/2018-11-05-CVE-2018-16471.md | 174 ++--- .../_posts/2018-11-09-CVE-2018-1000855.md | 50 +- .../_posts/2018-11-27-CVE-2018-16476.md | 90 +-- .../_posts/2018-11-27-CVE-2018-16477.md | 100 +-- .../_posts/2019-01-17-CVE-2018-20676.md | 76 +- .../_posts/2019-01-17-CVE-2018-20677.md | 78 +- .../_posts/2019-02-07-CVE-2018-16487.md | 78 +- advisories/_posts/2019-02-07-CVE-2019-5421.md | 48 +- advisories/_posts/2019-02-15-CVE-2019-8331.md | 70 +- advisories/_posts/2019-03-05-CVE-2019-8320.md | 64 +- advisories/_posts/2019-03-05-CVE-2019-8321.md | 54 +- advisories/_posts/2019-03-05-CVE-2019-8322.md | 54 +- advisories/_posts/2019-03-05-CVE-2019-8323.md | 56 +- advisories/_posts/2019-03-05-CVE-2019-8324.md | 56 +- advisories/_posts/2019-03-05-CVE-2019-8325.md | 54 +- advisories/_posts/2019-03-08-CVE-2018-6517.md | 44 +- advisories/_posts/2019-03-13-CVE-2019-5418.md | 210 +++--- advisories/_posts/2019-03-13-CVE-2019-5419.md | 202 +++--- advisories/_posts/2019-03-13-CVE-2019-5420.md | 112 +-- advisories/_posts/2019-03-25-CVE-2019-9837.md | 52 +- .../_posts/2019-04-04-CVE-2019-10842.md | 64 +- .../_posts/2019-04-10-CVE-2019-16060.md | 56 +- .../_posts/2019-04-19-CVE-2019-11358.md | 60 +- .../_posts/2019-04-22-CVE-2019-11068.md | 114 +-- .../_posts/2019-06-04-CVE-2019-12732.md | 60 +- .../_posts/2019-06-13-CVE-2019-11027.md | 46 +- .../_posts/2019-07-01-CVE-2019-13146.md | 58 +- .../_posts/2019-07-02-CVE-2019-1020001.md | 60 +- .../_posts/2019-07-05-CVE-2019-13354.md | 54 +- .../_posts/2019-07-10-CVE-2019-10744.md | 80 +-- .../_posts/2019-07-12-CVE-2019-13574.md | 46 +- .../_posts/2019-07-16-CVE-2019-1010306.md | 46 +- 
.../_posts/2019-07-16-CVE-2019-13589.md | 46 +- .../_posts/2019-07-19-CVE-2019-1010266.md | 70 +- .../_posts/2019-07-26-CVE-2019-1010191.md | 50 +- .../_posts/2019-07-31-CVE-2018-20857.md | 42 +- .../_posts/2019-07-31-CVE-2019-14281.md | 42 +- .../_posts/2019-07-31-CVE-2019-14282.md | 42 +- advisories/_posts/2019-08-11-CVE-2019-5477.md | 52 +- .../_posts/2019-08-19-CVE-2019-15224.md | 42 +- .../_posts/2019-08-20-CVE-2019-15224.md | 54 +- .../_posts/2019-08-21-CVE-2018-20975.md | 42 +- advisories/_posts/2019-08-29-CVE-2020-8130.md | 44 +- .../_posts/2019-09-08-CVE-2019-16109.md | 44 +- .../_posts/2019-09-12-CVE-2019-16892.md | 44 +- .../_posts/2019-09-23-CVE-2019-16145.md | 38 +- .../_posts/2019-09-23-CVE-2019-16377.md | 48 +- .../_posts/2019-09-27-CVE-2019-16676.md | 48 +- .../_posts/2019-10-07-CVE-2024-22050.md | 106 +-- .../_posts/2019-10-14-CVE-2019-17383.md | 42 +- .../_posts/2019-10-22-CVE-2019-15587.md | 40 +- .../_posts/2019-10-24-CVE-2019-18409.md | 46 +- .../_posts/2019-10-31-CVE-2019-13117.md | 174 ++--- .../_posts/2019-11-09-CVE-2019-18841.md | 44 +- .../_posts/2019-11-14-CVE-2019-18848.md | 44 +- .../_posts/2019-11-15-CVE-2019-18978.md | 42 +- .../_posts/2019-12-05-CVE-2019-16770.md | 52 +- .../_posts/2019-12-16-CVE-2019-16779.md | 58 +- .../_posts/2019-12-18-CVE-2019-16782.md | 78 +- .../_posts/2019-12-26-CVE-2019-19919.md | 56 +- advisories/_posts/2020-01-09-CVE-2014-3211.md | 66 +- advisories/_posts/2020-01-23-CVE-2020-5216.md | 114 +-- advisories/_posts/2020-01-23-CVE-2020-5217.md | 94 +-- advisories/_posts/2020-01-25-CVE-2020-7981.md | 52 +- advisories/_posts/2020-02-10-CVE-2020-5241.md | 46 +- advisories/_posts/2020-02-12-CVE-2020-7595.md | 52 +- .../_posts/2020-02-14-CVE-2019-10780.md | 42 +- advisories/_posts/2020-02-27-CVE-2020-5247.md | 58 +- advisories/_posts/2020-03-03-CVE-2020-5249.md | 80 +-- advisories/_posts/2020-03-10-CVE-2020-5243.md | 74 +- .../_posts/2020-03-14-CVE-2020-36190.md | 42 +- advisories/_posts/2020-03-14-CVE-2020-5257.md | 
62 +- .../_posts/2020-03-19-CVE-2020-10663.md | 86 +-- advisories/_posts/2020-03-19-CVE-2020-5267.md | 156 ++-- advisories/_posts/2020-04-29-CVE-2015-4411.md | 50 +- .../_posts/2020-04-29-CVE-2020-11020.md | 190 ++--- .../_posts/2020-04-29-CVE-2020-11022.md | 202 +++--- .../_posts/2020-04-29-CVE-2020-11023.md | 68 +- .../_posts/2020-05-02-CVE-2020-10187.md | 74 +- advisories/_posts/2020-05-05-CVE-2020-8151.md | 116 +-- advisories/_posts/2020-05-06-CVE-2020-8159.md | 98 +-- .../_posts/2020-05-07-CVE-2020-11052.md | 66 +- advisories/_posts/2020-05-12-CVE-2020-8161.md | 82 +-- advisories/_posts/2020-05-15-CVE-2020-8163.md | 78 +- advisories/_posts/2020-05-18-CVE-2020-8162.md | 78 +- advisories/_posts/2020-05-18-CVE-2020-8164.md | 114 +-- advisories/_posts/2020-05-18-CVE-2020-8165.md | 104 +-- advisories/_posts/2020-05-18-CVE-2020-8166.md | 82 +-- advisories/_posts/2020-05-18-CVE-2020-8167.md | 108 +-- advisories/_posts/2020-05-20-CVE-2020-7656.md | 64 +- .../_posts/2020-05-22-CVE-2020-11076.md | 54 +- .../_posts/2020-05-22-CVE-2020-11077.md | 72 +- .../_posts/2020-05-28-CVE-2020-11082.md | 80 +-- advisories/_posts/2020-06-05-CVE-2020-7663.md | 80 +-- advisories/_posts/2020-06-15-CVE-2020-8184.md | 118 +-- advisories/_posts/2020-06-16-CVE-2020-4054.md | 142 ++-- advisories/_posts/2020-06-17-CVE-2020-8185.md | 100 +-- .../_posts/2020-06-28-CVE-2020-14001.md | 48 +- advisories/_posts/2020-07-15-CVE-2020-8203.md | 88 +-- .../_posts/2020-07-31-CVE-2020-15133.md | 214 +++--- .../_posts/2020-07-31-CVE-2020-15134.md | 210 +++--- .../_posts/2020-08-04-CVE-2020-15109.md | 154 ++-- .../_posts/2020-08-04-CVE-2020-16252.md | 60 +- .../_posts/2020-08-04-CVE-2020-16253.md | 66 +- .../_posts/2020-08-04-CVE-2020-16254.md | 52 +- advisories/_posts/2020-09-01-CVE-2012-6708.md | 80 +-- .../_posts/2020-09-09-CVE-2020-15169.md | 102 +-- .../_posts/2020-09-18-CVE-2020-25739.md | 48 +- .../_posts/2020-09-23-GHSA-vp9c-fpxx-744v.md | 58 +- .../_posts/2020-09-29-CVE-2020-25613.md | 44 +- 
.../_posts/2020-09-30-CVE-2020-36327.md | 72 +- .../_posts/2020-10-05-CVE-2020-15237.md | 100 +-- advisories/_posts/2020-10-07-CVE-2020-8264.md | 90 +-- .../_posts/2020-10-20-CVE-2020-15269.md | 64 +- advisories/_posts/2020-10-20-CVE-2020-7670.md | 52 +- .../_posts/2020-11-03-CVE-2020-15240.md | 76 +- .../_posts/2020-11-13-CVE-2020-26222.md | 148 ++-- .../_posts/2020-11-13-CVE-2020-26223.md | 66 +- .../_posts/2020-12-08-CVE-2020-26254.md | 104 +-- .../_posts/2020-12-30-CVE-2020-26247.md | 150 ++-- .../_posts/2021-01-11-CVE-2020-26298.md | 50 +- .../_posts/2021-01-26-CVE-2021-26271.md | 96 +-- .../_posts/2021-02-01-CVE-2021-21289.md | 92 +-- .../_posts/2021-02-08-CVE-2021-21288.md | 64 +- .../_posts/2021-02-08-CVE-2021-21305.md | 86 +-- .../_posts/2021-02-10-CVE-2021-22880.md | 142 ++-- .../_posts/2021-02-10-CVE-2021-22881.md | 152 ++-- .../_posts/2021-03-08-CVE-2019-25025.md | 66 +- .../_posts/2021-03-29-CVE-2020-24392.md | 38 +- .../_posts/2021-03-29-CVE-2021-28834.md | 52 +- .../_posts/2021-04-05-CVE-2021-28965.md | 46 +- .../_posts/2021-04-05-CVE-2021-28966.md | 54 +- .../_posts/2021-04-12-CVE-2021-23369.md | 44 +- .../_posts/2021-04-13-CVE-2020-24393.md | 38 +- advisories/_posts/2021-04-13-CVE-2020-7942.md | 58 +- .../_posts/2021-04-14-CVE-2021-29435.md | 62 +- .../_posts/2021-04-22-CVE-2016-11086.md | 42 +- .../_posts/2021-04-26-CVE-2021-31671.md | 70 +- .../_posts/2021-05-02-CVE-2021-31799.md | 54 +- .../_posts/2021-05-04-CVE-2021-23383.md | 42 +- .../_posts/2021-05-05-CVE-2021-22885.md | 152 ++-- .../_posts/2021-05-05-CVE-2021-22902.md | 100 +-- .../_posts/2021-05-05-CVE-2021-22903.md | 120 ++-- .../_posts/2021-05-05-CVE-2021-22904.md | 142 ++-- .../_posts/2021-05-06-CVE-2021-23337.md | 80 +-- advisories/_posts/2021-05-07-CVE-2020-9281.md | 68 +- .../_posts/2021-05-11-CVE-2021-29509.md | 104 +-- .../_posts/2021-05-17-GHSA-7rrm-v45f-jp64.md | 278 +++---- .../_posts/2021-05-18-CVE-2021-32823.md | 48 +- .../_posts/2021-05-24-CVE-2020-13163.md | 38 +- 
.../_posts/2021-05-24-CVE-2020-13482.md | 42 +- advisories/_posts/2021-05-24-CVE-2020-7659.md | 44 +- advisories/_posts/2021-05-24-CVE-2020-7671.md | 42 +- .../_posts/2021-06-02-CVE-2021-33564.md | 46 +- .../_posts/2021-06-10-CVE-2021-20259.md | 48 +- .../_posts/2021-06-21-CVE-2021-33829.md | 72 +- .../_posts/2021-07-02-CVE-2021-35514.md | 40 +- .../_posts/2021-07-12-CVE-2021-32740.md | 50 +- .../_posts/2021-08-02-CVE-2021-28796.md | 40 +- .../_posts/2021-08-02-CVE-2021-28833.md | 40 +- .../_posts/2021-08-19-CVE-2021-22942.md | 170 ++--- .../_posts/2021-08-23-CVE-2021-32808.md | 94 +-- .../_posts/2021-08-23-CVE-2021-32809.md | 108 +-- .../_posts/2021-08-23-CVE-2021-37695.md | 106 +-- .../_posts/2021-09-07-CVE-2021-39197.md | 74 +- .../_posts/2021-09-13-CVE-2021-23435.md | 46 +- .../_posts/2021-09-27-CVE-2021-41098.md | 84 +-- .../_posts/2021-10-06-CVE-2021-30151.md | 42 +- .../_posts/2021-10-06-CVE-2021-33575.md | 42 +- .../_posts/2021-10-12-CVE-2021-41136.md | 108 +-- .../_posts/2021-10-13-CVE-2021-26272.md | 62 +- .../_posts/2021-10-26-CVE-2021-41182.md | 144 ++-- .../_posts/2021-10-26-CVE-2021-41183.md | 162 ++--- .../_posts/2021-10-26-CVE-2021-41184.md | 144 ++-- .../_posts/2021-11-01-CVE-2021-41186.md | 70 +- .../_posts/2021-11-03-CVE-2021-25973.md | 52 +- .../_posts/2021-11-15-CVE-2021-41263.md | 48 +- .../_posts/2021-11-15-CVE-2021-41817.md | 70 +- .../_posts/2021-11-17-CVE-2021-41164.md | 92 +-- .../_posts/2021-11-17-CVE-2021-41165.md | 86 +-- .../_posts/2021-11-18-CVE-2021-41274.md | 134 ++-- .../_posts/2021-11-18-CVE-2021-41275.md | 146 ++-- .../_posts/2021-11-18-GHSA-5629-8855-gf4g.md | 76 +- .../_posts/2021-11-24-CVE-2021-41816.md | 62 +- .../_posts/2021-11-24-CVE-2021-41819.md | 90 +-- .../_posts/2021-12-02-CVE-2021-27023.md | 50 +- .../_posts/2021-12-02-CVE-2021-27025.md | 44 +- .../_posts/2021-12-07-CVE-2021-43805.md | 144 ++-- .../_posts/2021-12-08-CVE-2021-28680.md | 70 +- .../_posts/2021-12-08-CVE-2021-43809.md | 156 ++-- 
.../_posts/2021-12-14-CVE-2021-44528.md | 138 ++-- .../_posts/2021-12-17-CVE-2021-43840.md | 72 +- .../_posts/2022-01-06-CVE-2020-28500.md | 136 ++-- .../_posts/2022-01-06-CVE-2021-43846.md | 678 +++++++++--------- .../_posts/2022-01-07-CVE-2021-22569.md | 104 +-- .../_posts/2022-01-27-CVE-2022-23837.md | 52 +- advisories/_posts/2022-02-09-CVE-2022-0524.md | 48 +- .../_posts/2022-02-11-CVE-2022-23633.md | 140 ++-- .../_posts/2022-02-11-CVE-2022-23634.md | 124 ++-- advisories/_posts/2022-02-15-CVE-2014-0177.md | 58 +- .../_posts/2022-02-21-CVE-2021-30560.md | 178 ++--- .../_posts/2022-03-01-CVE-2022-24720.md | 96 +-- .../_posts/2022-03-02-CVE-2022-24722.md | 70 +- .../_posts/2022-03-03-CVE-2024-22051.md | 134 ++-- .../_posts/2022-03-08-CVE-2022-21831.md | 120 ++-- .../_posts/2022-03-16-CVE-2022-24728.md | 88 +-- advisories/_posts/2022-03-24-CVE-2021-3589.md | 54 +- advisories/_posts/2022-03-26-CVE-2022-0759.md | 56 +- .../_posts/2022-03-30-CVE-2022-24790.md | 122 ++-- .../_posts/2022-03-31-CVE-2022-24803.md | 114 +-- .../_posts/2022-04-02-CVE-2022-21223.md | 46 +- .../_posts/2022-04-02-CVE-2022-24440.md | 58 +- .../_posts/2022-04-05-CVE-2022-24795.md | 106 +-- .../_posts/2022-04-07-CVE-2021-43177.md | 70 +- .../_posts/2022-04-11-CVE-2018-25032.md | 102 +-- .../_posts/2022-04-11-CVE-2022-23437.md | 102 +-- .../_posts/2022-04-11-CVE-2022-24836.md | 64 +- .../_posts/2022-04-11-CVE-2022-24839.md | 102 +-- .../_posts/2022-04-20-CVE-2022-25648.md | 50 +- .../_posts/2022-04-20-CVE-2022-29498.md | 56 +- advisories/_posts/2022-04-22-CVE-2011-1497.md | 58 +- .../_posts/2022-04-26-CVE-2022-27311.md | 40 +- .../_posts/2022-04-26-CVE-2022-27777.md | 120 ++-- .../_posts/2022-04-27-CVE-2022-22577.md | 98 +-- advisories/_posts/2022-05-01-CVE-2007-6612.md | 66 +- advisories/_posts/2022-05-02-CVE-2010-0156.md | 82 +-- .../_posts/2022-05-03-CVE-2022-28481.md | 54 +- .../_posts/2022-05-03-CVE-2022-29970.md | 42 +- advisories/_posts/2022-05-05-CVE-2013-2095.md | 58 +- 
.../_posts/2022-05-13-CVE-2017-1000026.md | 48 +- .../_posts/2022-05-13-CVE-2017-10689.md | 64 +- .../_posts/2022-05-13-CVE-2017-10906.md | 56 +- .../_posts/2022-05-13-CVE-2017-14506.md | 50 +- .../_posts/2022-05-13-CVE-2017-14683.md | 50 +- .../_posts/2022-05-13-CVE-2017-16355.md | 56 +- advisories/_posts/2022-05-13-CVE-2017-2096.md | 50 +- advisories/_posts/2022-05-13-CVE-2017-2662.md | 54 +- advisories/_posts/2022-05-13-CVE-2017-2667.md | 56 +- .../_posts/2022-05-13-CVE-2018-1000073.md | 84 +-- .../_posts/2022-05-13-CVE-2018-1000075.md | 90 +-- .../_posts/2022-05-13-CVE-2018-12615.md | 44 +- .../_posts/2022-05-13-CVE-2018-14040.md | 110 +-- .../_posts/2022-05-13-CVE-2018-14623.md | 50 +- .../_posts/2022-05-13-CVE-2018-18260.md | 44 +- .../_posts/2022-05-13-CVE-2018-18385.md | 48 +- advisories/_posts/2022-05-14-CVE-2011-0528.md | 64 +- advisories/_posts/2022-05-14-CVE-2011-3869.md | 70 +- advisories/_posts/2022-05-14-CVE-2012-1987.md | 96 +-- advisories/_posts/2022-05-14-CVE-2012-1988.md | 88 +-- advisories/_posts/2022-05-14-CVE-2014-4326.md | 62 +- advisories/_posts/2022-05-14-CVE-2016-3072.md | 54 +- .../_posts/2022-05-14-CVE-2017-10784.md | 92 +-- .../_posts/2022-05-14-CVE-2017-14033.md | 78 +- advisories/_posts/2022-05-14-CVE-2018-0499.md | 48 +- .../_posts/2022-05-14-CVE-2018-1000074.md | 92 +-- .../_posts/2022-05-14-CVE-2018-1000076.md | 94 +-- .../_posts/2022-05-14-CVE-2018-1000077.md | 88 +-- .../_posts/2022-05-14-CVE-2018-1000078.md | 90 +-- .../_posts/2022-05-14-CVE-2018-1000079.md | 88 +-- .../_posts/2022-05-14-CVE-2018-16887.md | 54 +- .../_posts/2022-05-14-CVE-2018-18307.md | 66 +- advisories/_posts/2022-05-17-CVE-2012-3503.md | 72 +- advisories/_posts/2022-05-17-CVE-2014-0084.md | 62 +- .../_posts/2022-05-17-CVE-2017-15364.md | 38 +- advisories/_posts/2022-05-17-CVE-2022-0574.md | 48 +- advisories/_posts/2022-05-17-CVE-2022-0578.md | 46 +- advisories/_posts/2022-05-17-CVE-2022-1553.md | 50 +- .../_posts/2022-05-18-GHSA-cgx6-hpwq-fhv5.md | 132 ++-- 
.../_posts/2022-05-19-CVE-2019-25061.md | 48 +- .../_posts/2022-05-23-CVE-2022-29181.md | 86 +-- advisories/_posts/2022-05-24-CVE-2015-2784.md | 40 +- .../_posts/2022-05-24-CVE-2019-10226.md | 36 +- .../_posts/2022-05-24-CVE-2019-12408.md | 58 +- .../_posts/2022-05-24-CVE-2019-12410.md | 60 +- .../_posts/2022-05-24-CVE-2019-13118.md | 138 ++-- .../_posts/2022-05-24-CVE-2019-14825.md | 62 +- .../_posts/2022-05-24-CVE-2019-16751.md | 52 +- .../_posts/2022-05-24-CVE-2019-17268.md | 54 +- .../_posts/2022-05-24-CVE-2019-18197.md | 102 +-- advisories/_posts/2022-05-24-CVE-2019-5815.md | 68 +- advisories/_posts/2022-05-24-CVE-2019-7615.md | 54 +- .../_posts/2022-05-24-CVE-2020-13353.md | 56 +- .../_posts/2022-05-24-CVE-2020-27193.md | 64 +- advisories/_posts/2022-05-24-CVE-2020-7385.md | 72 +- .../_posts/2022-05-24-CVE-2021-25969.md | 54 +- .../_posts/2022-05-24-CVE-2021-25970.md | 56 +- .../_posts/2022-05-24-CVE-2021-25971.md | 52 +- .../_posts/2022-05-24-CVE-2021-25972.md | 58 +- .../_posts/2022-05-24-CVE-2021-25974.md | 52 +- .../_posts/2022-05-24-CVE-2021-25975.md | 52 +- advisories/_posts/2022-05-24-CVE-2021-3517.md | 78 +- advisories/_posts/2022-05-24-CVE-2021-3518.md | 72 +- advisories/_posts/2022-05-24-CVE-2021-3537.md | 84 +-- .../_posts/2022-05-24-CVE-2021-35440.md | 52 +- .../_posts/2022-05-24-CVE-2021-39880.md | 62 +- advisories/_posts/2022-05-24-CVE-2022-1810.md | 46 +- advisories/_posts/2022-05-24-CVE-2022-1811.md | 46 +- .../_posts/2022-06-01-CVE-2022-31000.md | 88 +-- .../_posts/2022-06-03-CVE-2021-33473.md | 48 +- .../_posts/2022-06-06-CVE-2022-31026.md | 68 +- .../_posts/2022-06-07-CVE-2022-32511.md | 48 +- .../_posts/2022-06-09-CVE-2022-31033.md | 92 +-- .../_posts/2022-06-09-CVE-2022-32209.md | 140 ++-- .../_posts/2022-06-15-CVE-2022-31071.md | 84 +-- .../_posts/2022-06-15-CVE-2022-31072.md | 94 +-- .../_posts/2022-06-24-CVE-2022-33127.md | 50 +- .../_posts/2022-06-27-CVE-2022-30122.md | 108 +-- .../_posts/2022-06-27-CVE-2022-30123.md | 106 +-- 
advisories/_posts/2022-06-28-CVE-2021-3779.md | 50 +- .../_posts/2022-07-05-CVE-2022-31115.md | 62 +- .../_posts/2022-07-12-CVE-2022-32224.md | 174 ++--- .../_posts/2022-07-15-CVE-2022-31160.md | 98 +-- .../_posts/2022-07-16-CVE-2020-35305.md | 50 +- .../_posts/2022-07-21-CVE-2022-31163.md | 172 ++--- .../_posts/2022-08-11-CVE-2022-35956.md | 46 +- .../_posts/2022-08-19-CVE-2020-36599.md | 46 +- .../_posts/2022-09-10-CVE-2022-25765.md | 48 +- .../_posts/2022-09-15-GHSA-qcqv-38jg-2r43.md | 76 +- .../_posts/2022-09-15-GHSA-wrrw-crp8-979q.md | 82 +-- .../_posts/2022-09-21-CVE-2022-39224.md | 112 +-- .../_posts/2022-09-21-GHSA-4qw4-jpp4-8gvp.md | 86 +-- .../_posts/2022-10-03-GHSA-mgvv-5mxp-xq67.md | 124 ++-- advisories/_posts/2022-10-04-CVE-2022-3171.md | 120 ++-- .../_posts/2022-10-07-CVE-2022-39281.md | 116 +-- .../_posts/2022-10-18-GHSA-2qc6-mcvw-92cw.md | 190 ++--- .../_posts/2022-11-02-CVE-2022-39379.md | 92 +-- .../_posts/2022-11-18-CVE-2021-33621.md | 50 +- advisories/_posts/2022-11-19-CVE-2022-4064.md | 54 +- .../_posts/2022-11-30-CVE-2022-45442.md | 58 +- .../_posts/2022-12-07-CVE-2022-23476.md | 96 +-- .../_posts/2022-12-13-CVE-2022-23514.md | 58 +- .../_posts/2022-12-13-CVE-2022-23515.md | 68 +- .../_posts/2022-12-13-CVE-2022-23516.md | 64 +- .../_posts/2022-12-13-CVE-2022-23517.md | 60 +- .../_posts/2022-12-13-CVE-2022-23518.md | 68 +- .../_posts/2022-12-13-CVE-2022-23519.md | 168 ++--- .../_posts/2022-12-13-CVE-2022-23520.md | 130 ++-- advisories/_posts/2022-12-19-CVE-2021-4250.md | 66 +- .../_posts/2022-12-22-CVE-2020-36624.md | 66 +- .../_posts/2022-12-27-CVE-2019-25088.md | 52 +- .../_posts/2022-12-31-CVE-2017-20159.md | 58 +- .../_posts/2023-01-03-CVE-2024-22049.md | 70 +- .../_posts/2023-01-04-CVE-2023-22626.md | 46 +- .../_posts/2023-01-05-CVE-2022-46648.md | 64 +- .../_posts/2023-01-07-CVE-2020-36644.md | 62 +- advisories/_posts/2023-01-14-CVE-2022-1812.md | 46 +- advisories/_posts/2023-01-14-CVE-2022-2815.md | 48 +- 
advisories/_posts/2023-01-14-CVE-2023-0299.md | 48 +- .../_posts/2023-01-16-CVE-2015-10053.md | 60 +- .../_posts/2023-01-17-CVE-2022-47318.md | 50 +- advisories/_posts/2023-01-17-CVE-2022-4891.md | 62 +- .../_posts/2023-01-18-CVE-2022-44566.md | 88 +-- .../_posts/2023-01-18-CVE-2022-44570.md | 78 +- .../_posts/2023-01-18-CVE-2022-44571.md | 80 +-- .../_posts/2023-01-18-CVE-2022-44572.md | 76 +- .../_posts/2023-01-18-CVE-2023-22792.md | 92 +-- .../_posts/2023-01-18-CVE-2023-22794.md | 142 ++-- .../_posts/2023-01-18-CVE-2023-22795.md | 92 +-- .../_posts/2023-01-18-CVE-2023-22796.md | 98 +-- .../_posts/2023-01-18-CVE-2023-22797.md | 100 +-- .../_posts/2023-01-18-CVE-2023-22799.md | 74 +- .../_posts/2023-01-20-GHSA-q95h-cqrv-8jv5.md | 62 +- .../_posts/2023-01-24-GHSA-636f-xm5j-pj9m.md | 92 +-- .../_posts/2023-01-28-CVE-2023-23627.md | 84 +-- advisories/_posts/2023-01-29-CVE-2023-0569.md | 46 +- .../_posts/2023-02-01-CVE-2023-25015.md | 46 +- .../_posts/2023-02-24-CVE-2022-36231.md | 48 +- .../_posts/2023-03-03-CVE-2023-27530.md | 64 +- .../_posts/2023-03-13-CVE-2023-23913.md | 172 ++--- .../_posts/2023-03-13-CVE-2023-27531.md | 116 +-- .../_posts/2023-03-13-CVE-2023-27539.md | 56 +- .../_posts/2023-03-13-CVE-2023-28120.md | 78 +- .../_posts/2023-03-27-CVE-2023-28102.md | 54 +- .../_posts/2023-03-30-CVE-2023-28846.md | 148 ++-- .../_posts/2023-03-31-CVE-2023-28755.md | 52 +- .../_posts/2023-03-31-CVE-2023-28756.md | 52 +- .../_posts/2023-03-31-GHSA-48wp-p9qv-4j64.md | 102 +-- .../_posts/2023-04-04-CVE-2020-21514.md | 50 +- .../_posts/2023-04-11-CVE-2024-22048.md | 96 +-- .../_posts/2023-04-11-GHSA-pxvg-2qj5-37jq.md | 124 ++-- .../_posts/2023-04-20-CVE-2023-30614.md | 76 +- advisories/_posts/2023-04-21-CVE-2023-1892.md | 58 +- .../_posts/2023-04-24-CVE-2023-30618.md | 82 +-- .../_posts/2023-04-26-CVE-2022-37454.md | 110 +-- .../_posts/2023-05-01-CVE-2024-22047.md | 90 +-- .../_posts/2023-05-23-CVE-2023-25309.md | 60 +- .../_posts/2023-05-26-CVE-2023-30145.md | 66 +- 
.../_posts/2023-06-06-CVE-2023-31606.md | 66 +- .../_posts/2023-06-06-CVE-2023-34102.md | 120 ++-- .../_posts/2023-06-06-CVE-2023-34103.md | 122 ++-- .../_posts/2023-06-12-CVE-2023-34246.md | 84 +-- .../_posts/2023-06-26-CVE-2020-23064.md | 72 +- .../_posts/2023-06-26-CVE-2023-28362.md | 88 +-- advisories/_posts/2023-06-28-CVE-2023-3445.md | 52 +- .../_posts/2023-06-29-CVE-2023-36617.md | 122 ++-- .../_posts/2023-07-05-CVE-2023-32731.md | 72 +- advisories/_posts/2023-07-06-CVE-2023-1428.md | 78 +- .../_posts/2023-07-06-CVE-2023-32732.md | 58 +- .../_posts/2023-07-06-CVE-2023-36823.md | 110 +-- .../_posts/2023-07-11-CVE-2023-32693.md | 72 +- .../_posts/2023-07-11-CVE-2023-34089.md | 72 +- .../_posts/2023-07-11-CVE-2023-34090.md | 82 +-- .../_posts/2023-07-15-CVE-2023-38337.md | 56 +- .../_posts/2023-08-03-CVE-2023-38697.md | 132 ++-- .../_posts/2023-08-08-GHSA-7vh7-fw88-wj87.md | 86 +-- .../_posts/2023-08-09-CVE-2023-33953.md | 108 +-- .../_posts/2023-08-18-CVE-2023-40175.md | 94 +-- .../_posts/2023-08-23-CVE-2023-38037.md | 124 ++-- advisories/_posts/2023-09-13-CVE-2023-4785.md | 90 +-- .../_posts/2023-09-14-CVE-2023-26141.md | 64 +- .../_posts/2023-10-05-CVE-2023-36465.md | 68 +- .../_posts/2023-10-06-CVE-2023-26153.md | 72 +- advisories/_posts/2023-10-06-CVE-2023-5214.md | 52 +- .../_posts/2023-10-19-CVE-2023-46035.md | 40 +- advisories/_posts/2023-10-24-CVE-2024-0241.md | 132 ++-- advisories/_posts/2023-10-30-CVE-2023-5349.md | 66 +- .../_posts/2023-11-29-CVE-2023-49090.md | 116 +-- .../_posts/2023-12-06-CVE-2023-26154.md | 120 ++-- .../_posts/2023-12-15-CVE-2023-50448.md | 88 +-- .../_posts/2023-12-18-CVE-2022-44303.md | 104 +-- .../_posts/2023-12-18-CVE-2023-50724.md | 90 +-- .../_posts/2023-12-18-CVE-2023-50725.md | 96 +-- .../_posts/2023-12-18-CVE-2023-50727.md | 84 +-- .../_posts/2023-12-24-CVE-2023-51763.md | 54 +- .../_posts/2024-01-03-CVE-2024-21632.md | 68 +- .../_posts/2024-01-04-CVE-2024-21636.md | 146 ++-- .../_posts/2024-01-08-CVE-2024-21647.md | 
100 +-- .../_posts/2024-01-16-CVE-2024-22191.md | 104 +-- .../_posts/2024-01-17-CVE-2024-22411.md | 68 +- .../_posts/2024-02-04-GHSA-xc9x-jj77-9p9j.md | 126 ++-- advisories/_posts/2024-02-07-CVE-2023-4771.md | 78 +- .../_posts/2024-02-07-CVE-2024-24815.md | 88 +-- .../_posts/2024-02-07-CVE-2024-24816.md | 90 +-- .../_posts/2024-02-13-CVE-2024-25122.md | 108 +-- .../_posts/2024-02-20-CVE-2023-47634.md | 76 +- .../_posts/2024-02-20-CVE-2023-47635.md | 100 +-- .../_posts/2024-02-20-CVE-2023-48220.md | 160 ++--- .../_posts/2024-02-20-CVE-2023-51447.md | 110 +-- .../_posts/2024-02-21-CVE-2024-25126.md | 134 ++-- .../_posts/2024-02-21-CVE-2024-26141.md | 96 +-- .../_posts/2024-02-21-CVE-2024-26142.md | 90 +-- .../_posts/2024-02-21-CVE-2024-26143.md | 134 ++-- .../_posts/2024-02-21-CVE-2024-26144.md | 124 ++-- .../_posts/2024-02-21-CVE-2024-26146.md | 100 +-- .../_posts/2024-02-26-CVE-2024-27456.md | 52 +- .../_posts/2024-02-28-CVE-2024-27285.md | 152 ++-- .../_posts/2024-02-29-CVE-2023-51774.md | 56 +- .../_posts/2024-03-01-CVE-2023-46950.md | 66 +- .../_posts/2024-03-12-CVE-2024-28121.md | 200 +++--- .../_posts/2024-03-12-CVE-2024-28199.md | 184 ++--- .../_posts/2024-03-15-CVE-2024-28181.md | 138 ++-- .../_posts/2024-03-18-CVE-2024-28862.md | 62 +- .../_posts/2024-03-21-CVE-2024-27280.md | 72 +- .../_posts/2024-03-21-CVE-2024-27281.md | 86 +-- .../_posts/2024-03-25-CVE-2024-29034.md | 148 ++-- .../_posts/2024-04-16-CVE-2024-32463.md | 126 ++-- .../_posts/2024-04-26-CVE-2024-32887.md | 56 +- .../_posts/2024-05-01-CVE-2024-32970.md | 166 ++--- .../_posts/2024-05-07-CVE-2024-34341.md | 166 ++--- .../_posts/2024-05-13-GHSA-r95h-9x8f-r3f7.md | 92 +-- .../_posts/2024-05-16-CVE-2024-35176.md | 90 +-- .../_posts/2024-05-27-CVE-2024-32978.md | 138 ++-- .../_posts/2024-05-27-CVE-2024-35231.md | 90 +-- .../_posts/2024-06-02-CVE-2024-37031.md | 170 ++--- .../_posts/2024-06-04-CVE-2024-28103.md | 154 ++-- .../_posts/2024-06-04-CVE-2024-32464.md | 136 ++-- 
.../_posts/2024-07-03-CVE-2024-39316.md | 82 +-- .../_posts/2024-07-08-CVE-2024-39308.md | 110 +-- .../_posts/2024-07-10-CVE-2024-27090.md | 84 +-- .../_posts/2024-07-10-CVE-2024-27095.md | 100 +-- .../_posts/2024-07-10-CVE-2024-32469.md | 94 +-- advisories/_posts/2024-07-11-CVE-2024-6531.md | 62 +- .../_posts/2024-07-16-CVE-2024-39908.md | 92 +-- advisories/_posts/2024-07-25-CVE-2024-7106.md | 84 +-- .../_posts/2024-08-01-CVE-2024-41123.md | 86 +-- .../_posts/2024-08-01-CVE-2024-41946.md | 86 +-- .../_posts/2024-08-13-CVE-2024-42360.md | 72 +- .../_posts/2024-08-19-CVE-2024-43380.md | 98 +-- .../_posts/2024-08-21-CVE-2024-43407.md | 96 +-- .../_posts/2024-08-21-CVE-2024-43411.md | 82 +-- .../_posts/2024-08-22-CVE-2024-43398.md | 122 ++-- .../_posts/2024-08-23-CVE-2024-43791.md | 92 +-- .../_posts/2024-08-28-CVE-2024-45409.md | 48 +- .../_posts/2024-09-11-CVE-2024-45409.md | 72 +- .../_posts/2024-09-16-CVE-2024-32034.md | 90 +-- .../_posts/2024-09-16-CVE-2024-39910.md | 94 +-- advisories/_posts/2024-09-17-CVE-2024-8796.md | 140 ++-- .../_posts/2024-09-18-CVE-2024-46986.md | 222 +++--- .../_posts/2024-09-18-CVE-2024-46987.md | 172 ++--- .../_posts/2024-09-18-GHSA-7x4w-cj9r-h4v9.md | 178 ++--- .../_posts/2024-09-18-GHSA-r9cr-qmfw-pmrc.md | 120 ++-- advisories/_posts/2024-09-19-CVE-2024-7254.md | 144 ++-- .../_posts/2024-09-20-CVE-2024-45614.md | 102 +-- .../_posts/2024-09-22-CVE-2024-47220.md | 64 +- .../_posts/2024-09-23-GHSA-8fx8-3rg2-79xw.md | 120 ++-- .../_posts/2024-09-25-CVE-2024-46488.md | 58 +- .../_posts/2024-09-25-GHSA-75j2-9gmc-m855.md | 122 ++-- .../_posts/2024-10-01-CVE-2024-41673.md | 86 +-- .../_posts/2024-10-02-CVE-2024-43795.md | 78 +- .../_posts/2024-10-02-CVE-2024-46977.md | 82 +-- .../_posts/2024-10-02-CVE-2024-47529.md | 80 +-- .../_posts/2024-10-15-CVE-2024-41128.md | 116 +-- .../_posts/2024-10-15-CVE-2024-47887.md | 114 +-- .../_posts/2024-10-15-CVE-2024-47888.md | 116 +-- .../_posts/2024-10-15-CVE-2024-47889.md | 112 +-- 
.../_posts/2024-10-23-CVE-2024-48652.md | 56 +- .../_posts/2024-10-28-CVE-2024-49761.md | 98 +-- .../_posts/2024-10-28-CVE-2024-49771.md | 84 +-- .../_posts/2024-11-01-CVE-2024-21510.md | 80 +-- .../_posts/2024-11-12-CVE-2024-43415.md | 150 ++-- .../_posts/2024-11-13-CVE-2024-45594.md | 94 +-- .../_posts/2024-11-20-CVE-2024-52796.md | 112 +-- .../_posts/2024-12-02-CVE-2024-53985.md | 282 ++++---- .../_posts/2024-12-02-CVE-2024-53986.md | 252 +++---- .../_posts/2024-12-02-CVE-2024-53987.md | 250 +++---- .../_posts/2024-12-02-CVE-2024-53988.md | 268 +++---- .../_posts/2024-12-02-CVE-2024-53989.md | 248 +++---- .../_posts/2024-12-10-CVE-2024-54133.md | 110 +-- .../_posts/2024-12-30-CVE-2024-56733.md | 164 ++--- .../_posts/2025-02-10-CVE-2025-25186.md | 332 ++++----- .../_posts/2025-02-12-CVE-2025-25184.md | 112 +-- .../_posts/2025-02-18-GHSA-vvfq-8hwr-qm4m.md | 94 +-- .../_posts/2025-02-24-CVE-2025-26803.md | 64 +- .../_posts/2025-02-26-CVE-2025-27219.md | 92 +-- .../_posts/2025-02-26-CVE-2025-27220.md | 90 +-- .../_posts/2025-02-26-CVE-2025-27221.md | 104 +-- .../_posts/2025-03-03-CVE-2025-27590.md | 58 +- .../_posts/2025-03-04-CVE-2025-27111.md | 100 +-- .../_posts/2025-03-10-CVE-2025-27610.md | 88 +-- .../_posts/2025-03-12-CVE-2025-25291.md | 84 +-- .../_posts/2025-03-12-CVE-2025-25292.md | 84 +-- .../_posts/2025-03-12-CVE-2025-25293.md | 84 +-- .../_posts/2025-03-12-CVE-2025-27407.md | 98 +-- .../_posts/2025-03-12-CVE-2025-27788.md | 82 +-- .../_posts/2025-03-12-GHSA-hw46-3hmr-x9xv.md | 78 +- advisories/_posts/2025-03-14-CVE-2025-2304.md | 66 +- .../_posts/2025-03-14-GHSA-mrxw-mxhj-p664.md | 104 +-- .../_posts/2025-03-27-CVE-2025-30221.md | 66 +- .../_posts/2025-03-28-CVE-2024-39311.md | 100 +-- .../_posts/2025-04-21-GHSA-5w6v-399v-w3cc.md | 136 ++-- .../_posts/2025-04-28-CVE-2025-43857.md | 264 +++---- .../_posts/2025-05-07-CVE-2025-46551.md | 104 +-- .../_posts/2025-05-08-CVE-2025-32441.md | 128 ++-- .../_posts/2025-05-08-CVE-2025-46336.md | 130 ++-- 
.../_posts/2025-05-08-CVE-2025-46727.md | 120 ++-- .../_posts/2025-05-21-CVE-2025-48069.md | 110 +-- .../_posts/2025-06-05-CVE-2025-49007.md | 92 +-- .../_posts/2025-06-13-CVE-2025-28382.md | 56 +- .../_posts/2025-06-13-CVE-2025-28384.md | 58 +- advisories/_posts/2025-06-26-CVE-2025-6442.md | 72 +- .../_posts/2025-07-02-CVE-2025-34075.md | 98 +-- .../_posts/2025-07-09-CVE-2025-24294.md | 116 +-- .../_posts/2025-07-14-CVE-2025-53623.md | 96 +-- .../_posts/2025-07-15-GHSA-29g5-m8v7-v564.md | 64 +- .../_posts/2025-07-20-CVE-2025-54314.md | 58 +- .../_posts/2025-07-21-GHSA-353f-x4gh-cqq8.md | 228 +++--- .../_posts/2025-07-30-CVE-2025-54572.md | 192 ++--- .../_posts/2025-08-07-CVE-2025-45765.md | 82 +-- .../_posts/2025-08-07-CVE-2025-54887.md | 108 +-- .../_posts/2025-08-13-CVE-2025-55193.md | 92 +-- .../_posts/2025-08-14-CVE-2025-24293.md | 158 ++-- .../_posts/2025-08-20-CVE-2011-10026.md | 78 +- .../_posts/2025-08-27-CVE-2025-57821.md | 126 ++-- .../_posts/2025-08-29-CVE-2025-58067.md | 120 ++-- .../_posts/2025-09-17-CVE-2025-58767.md | 92 +-- .../_posts/2025-09-25-CVE-2025-59830.md | 132 ++-- .../_posts/2025-10-07-CVE-2025-61594.md | 100 +-- .../_posts/2025-10-07-CVE-2025-61770.md | 136 ++-- .../_posts/2025-10-07-CVE-2025-61771.md | 136 ++-- .../_posts/2025-10-07-CVE-2025-61772.md | 134 ++-- .../_posts/2025-10-10-CVE-2025-61780.md | 176 ++--- .../_posts/2025-10-10-CVE-2025-61919.md | 136 ++-- .../_posts/2025-10-10-CVE-2025-61921.md | 98 +-- .../_posts/2025-11-06-CVE-2025-12790.md | 58 +- .../_posts/2025-11-06-CVE-2025-64501.md | 176 ++--- .../_posts/2025-11-13-GHSA-4249-gjr8-jpq3.md | 166 ++--- .../_posts/2025-12-08-CVE-2025-66567.md | 82 +-- .../_posts/2025-12-08-CVE-2025-66568.md | 104 +-- .../_posts/2025-12-16-CVE-2025-68113.md | 132 ++-- .../_posts/2025-12-18-CVE-2025-14762.md | 174 ++--- .../_posts/2025-12-23-CVE-2025-68696.md | 236 +++--- .../_posts/2025-12-31-GHSA-g9jg-w8vm-g96v.md | 88 +-- .../_posts/2026-01-08-CVE-2026-22588.md | 138 ++-- 
.../_posts/2026-01-08-CVE-2026-22589.md | 164 ++--- .../_posts/2026-01-08-GHSA-96qw-h329-v5rg.md | 198 ++--- .../_posts/2026-01-13-CVE-2025-68271.md | 76 +- .../_posts/2026-01-21-CVE-2026-23885.md | 106 +-- advisories/_posts/2026-02-02-CVE-2026-1530.md | 74 +- advisories/_posts/2026-02-02-CVE-2026-1531.md | 68 +- .../_posts/2026-02-03-CVE-2025-65017.md | 280 ++++---- .../_posts/2026-02-05-CVE-2026-25757.md | 180 ++--- .../_posts/2026-02-05-CVE-2026-25758.md | 212 +++--- .../_posts/2026-02-06-GHSA-w67g-2h6v-vjgq.md | 144 ++-- .../_posts/2026-02-09-CVE-2026-25765.md | 170 ++--- .../_posts/2026-02-10-GHSA-q66h-m87m-j2q6.md | 106 +-- .../_posts/2026-02-17-CVE-2026-22860.md | 100 +-- .../_posts/2026-02-17-CVE-2026-25500.md | 122 ++-- .../_posts/2026-02-18-GHSA-wx95-c6cv-8532.md | 108 +-- advisories/_posts/2026-02-27-CVE-2026-0980.md | 62 +- .../_posts/2026-03-05-CVE-2026-27820.md | 110 +-- advisories/_posts/2026-03-10-CVE-2026-1776.md | 82 +-- .../_posts/2026-03-11-CVE-2026-31830.md | 128 ++-- .../_posts/2026-03-12-GHSA-qmpg-8xg6-ph5q.md | 92 +-- .../_posts/2026-03-16-CVE-2026-32700.md | 138 ++-- advisories/_posts/2026-03-17-CVE-2026-4324.md | 70 +- .../_posts/2026-03-18-CVE-2026-33209.md | 80 +-- .../_posts/2026-03-18-GHSA-46fp-8f5p-pf2m.md | 124 ++-- .../_posts/2026-03-19-CVE-2026-33210.md | 84 +-- .../_posts/2026-03-19-CVE-2026-33306.md | 102 +-- .../_posts/2026-03-20-CVE-2026-33286.md | 122 ++-- .../_posts/2026-03-24-CVE-2026-33635.md | 118 +-- .../_posts/2026-03-25-CVE-2026-33658.md | 76 +- .../_posts/2026-03-27-CVE-2026-33946.md | 122 ++-- .../_posts/2026-03-27-CVE-2026-34060.md | 132 ++-- .../_posts/2026-03-29-GHSA-53p3-c7vp-4mcc.md | 52 ++
1027 files changed, 41184 insertions(+), 41132 deletions(-)
create mode 100644 advisories/_posts/2026-03-29-GHSA-53p3-c7vp-4mcc.md
diff --git a/advisories/_posts/2006-05-14-CVE-2006-2581.md b/advisories/_posts/2006-05-14-CVE-2006-2581.md
index 1348a39c..2b318998 100644
--- a/advisories/_posts/2006-05-14-CVE-2006-2581.md
+++ b/advisories/_posts/2006-05-14-CVE-2006-2581.md 
@@ -1,46 +1,46 @@
----
-layout: advisory
-title: 'CVE-2006-2581 (rwiki): RWiki before 2.1.1 has cross-site scripting vulnerability'
-comments: false
-categories:
-- rwiki
-advisory:
- gem: rwiki
- cve: 2006-2581
- ghsa: gvhx-gj42-m28v
- url: https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
- title: RWiki before 2.1.1 has cross-site scripting vulnerability
- date: 2006-05-14
- description: |
- Cross-site scripting (XSS) vulnerability in Wiki content in
- RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to inject
- arbitrary web script or HTML via unknown attack vectors.
- cvss_v2: 4.3
- unaffected_versions:
- - "< 2.1.0pre1"
- patched_versions:
- - ">= 2.1.1"
- related:
- cve:
- - 2006-2582
- ghsa:
- - wwmf-6p58-6vj2
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2006-2581
- - https://exchange.xforce.ibmcloud.com/vulnerabilities/26664
- - https://github.com/advisories/GHSA-wwmf-6p58-6vj2
- - https://github.com/advisories/GHSA-gvhx-gj42-m28v
- - https://rubygems.org/gems/rwiki
- - https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
- - https://web.archive.org/web/20090504061152/http://pub.cozmixng.org/~the-rwiki/rw-cgi.rb?cmd=view;name=top
- - https://web.archive.org/web/20081201080215/http://secunia.com/advisories/20264
- - https://web.archive.org/web/20090524010623/http://www.vupen.com/english/advisories/2006/1949
- notes: |
- - Best references are in Japanese.
- - Source code link on rubygems.org goes to
- lucassus/rwiki (last version 0.2.5, not 2.1.1).
- - Found two other repos:
- - https://github.com/rwiki/rwiki
- - https://github.com/ytakhs/rwiki
- - CWE: [NVD-CWE-Other] MODERATE
----
+---
+layout: advisory
+title: 'CVE-2006-2581 (rwiki): RWiki before 2.1.1 has cross-site scripting vulnerability'
+comments: false
+categories:
+- rwiki
+advisory:
+ gem: rwiki
+ cve: 2006-2581
+ ghsa: gvhx-gj42-m28v
+ url: https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
+ title: RWiki before 2.1.1 has cross-site scripting vulnerability
+ date: 2006-05-14
+ description: |
+ Cross-site scripting (XSS) vulnerability in Wiki content in
+ RWiki 2.1.0pre1 through 2.1.0 allows remote attackers to inject
+ arbitrary web script or HTML via unknown attack vectors.
+ cvss_v2: 4.3
+ unaffected_versions:
+ - "< 2.1.0pre1"
+ patched_versions:
+ - ">= 2.1.1"
+ related:
+ cve:
+ - 2006-2582
+ ghsa:
+ - wwmf-6p58-6vj2
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2006-2581
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/26664
+ - https://github.com/advisories/GHSA-wwmf-6p58-6vj2
+ - https://github.com/advisories/GHSA-gvhx-gj42-m28v
+ - https://rubygems.org/gems/rwiki
+ - https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
+ - https://web.archive.org/web/20090504061152/http://pub.cozmixng.org/~the-rwiki/rw-cgi.rb?cmd=view;name=top
+ - https://web.archive.org/web/20081201080215/http://secunia.com/advisories/20264
+ - https://web.archive.org/web/20090524010623/http://www.vupen.com/english/advisories/2006/1949
+ notes: |
+ - Best references are in Japanese.
+ - Source code link on rubygems.org goes to
+ lucassus/rwiki (last version 0.2.5, not 2.1.1).
+ - Found two other repos:
+ - https://github.com/rwiki/rwiki
+ - https://github.com/ytakhs/rwiki
+ - CWE: [NVD-CWE-Other] MODERATE
+---
diff --git a/advisories/_posts/2006-05-14-CVE-2006-2582.md b/advisories/_posts/2006-05-14-CVE-2006-2582.md
index 9b39c62f..cf59da90 100644
--- a/advisories/_posts/2006-05-14-CVE-2006-2582.md
+++ b/advisories/_posts/2006-05-14-CVE-2006-2582.md
@@ -1,45 +1,45 @@
----
-layout: advisory
-title: 'CVE-2006-2582 (rwiki): High severity vulnerability that affects rwiki'
-comments: false
-categories:
-- rwiki
-advisory:
- gem: rwiki
- cve: 2006-2582
- ghsa: wwmf-6p58-6vj2
- url: https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
- title: High severity vulnerability that affects rwiki
- date: 2006-05-14
- description: |
- The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote
- attackers to execute arbitrary Ruby code via unknown attack vectors.
- cvss_v2: 7.5
- unaffected_versions:
- - "< 2.1.0pre1"
- patched_versions:
- - ">= 2.1.1"
- related:
- cve:
- - 2006-2581
- ghsa:
- - gvhx-gj42-m28v
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2006-2582
- - https://exchange.xforce.ibmcloud.com/vulnerabilities/26664
- - https://github.com/advisories/GHSA-wwmf-6p58-6vj2
- - https://github.com/advisories/GHSA-gvhx-gj42-m28v
- - https://rubygems.org/gems/rwiki
- - https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
- - https://web.archive.org/web/20090504061152/http://pub.cozmixng.org/~the-rwiki/rw-cgi.rb?cmd=view;name=top
- - https://web.archive.org/web/20081201080215/http://secunia.com/advisories/20264
- - https://web.archive.org/web/20090524010623/http://www.vupen.com/english/advisories/2006/1949
- notes: |
- - Best references are in Japanese.
- - Source code link on rubygems.org goes to
- lucassus/rwiki (last version 0.2.5, not 2.1.1).
- - Found two other repos:
- - https://github.com/rwiki/rwiki
- - https://github.com/ytakhs/rwiki
- - CWE: [NVD-CWE-Other] MODERATE
----
+---
+layout: advisory
+title: 'CVE-2006-2582 (rwiki): High severity vulnerability that affects rwiki'
+comments: false
+categories:
+- rwiki
+advisory:
+ gem: rwiki
+ cve: 2006-2582
+ ghsa: wwmf-6p58-6vj2
+ url: https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
+ title: High severity vulnerability that affects rwiki
+ date: 2006-05-14
+ description: |
+ The editing form in RWiki 2.1.0pre1 through 2.1.0 allows remote
+ attackers to execute arbitrary Ruby code via unknown attack vectors.
+ cvss_v2: 7.5
+ unaffected_versions:
+ - "< 2.1.0pre1"
+ patched_versions:
+ - ">= 2.1.1"
+ related:
+ cve:
+ - 2006-2581
+ ghsa:
+ - gvhx-gj42-m28v
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2006-2582
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/26664
+ - https://github.com/advisories/GHSA-wwmf-6p58-6vj2
+ - https://github.com/advisories/GHSA-gvhx-gj42-m28v
+ - https://rubygems.org/gems/rwiki
+ - https://web.archive.org/web/20090501134922/http://www2a.biglobe.ne.jp/~seki/ruby/rwiki.html
+ - https://web.archive.org/web/20090504061152/http://pub.cozmixng.org/~the-rwiki/rw-cgi.rb?cmd=view;name=top
+ - https://web.archive.org/web/20081201080215/http://secunia.com/advisories/20264
+ - https://web.archive.org/web/20090524010623/http://www.vupen.com/english/advisories/2006/1949
+ notes: |
+ - Best references are in Japanese.
+ - Source code link on rubygems.org goes to
+ lucassus/rwiki (last version 0.2.5, not 2.1.1).
+ - Found two other repos:
+ - https://github.com/rwiki/rwiki
+ - https://github.com/ytakhs/rwiki
+ - CWE: [NVD-CWE-Other] MODERATE
+---
diff --git a/advisories/_posts/2007-01-22-CVE-2007-0469.md b/advisories/_posts/2007-01-22-CVE-2007-0469.md
index 1dd3975d..ada57e47 100644
--- a/advisories/_posts/2007-01-22-CVE-2007-0469.md
+++ b/advisories/_posts/2007-01-22-CVE-2007-0469.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2007-0469 (rubygems-update): CVE-2007-0469 RubyGems: Specially-crafted
- Gem archive can overwrite system files'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2007-0469
- osvdb: 33561
- ghsa: 95vx-q4c2-64gr
- url: https://nvd.nist.gov/vuln/detail/CVE-2007-0469
- title: 'CVE-2007-0469 RubyGems: Specially-crafted Gem archive can overwrite system
- files'
- date: 2007-01-22
- description: |
- The extract_files function in installer.rb in RubyGems before 0.9.1 does
- not check whether files exist before overwriting them, which allows user-assisted
- remote attackers to overwrite arbitrary files, cause a denial of service, or execute
- arbitrary code via crafted GEM packages.
- cvss_v2: 9.3
- patched_versions:
- - ">= 0.9.1"
----
+---
+layout: advisory
+title: 'CVE-2007-0469 (rubygems-update): CVE-2007-0469 RubyGems: Specially-crafted
+ Gem archive can overwrite system files'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2007-0469
+ osvdb: 33561
+ ghsa: 95vx-q4c2-64gr
+ url: https://nvd.nist.gov/vuln/detail/CVE-2007-0469
+ title: 'CVE-2007-0469 RubyGems: Specially-crafted Gem archive can overwrite system
+ files'
+ date: 2007-01-22
+ description: |
+ The extract_files function in installer.rb in RubyGems before 0.9.1 does
+ not check whether files exist before overwriting them, which allows user-assisted
+ remote attackers to overwrite arbitrary files, cause a denial of service, or execute
+ arbitrary code via crafted GEM packages.
+ cvss_v2: 9.3
+ patched_versions:
+ - ">= 0.9.1"
+---
diff --git a/advisories/_posts/2007-05-21-OSVDB-101157.md b/advisories/_posts/2007-05-21-OSVDB-101157.md
index df4b2e1f..34acf1bf 100644
--- a/advisories/_posts/2007-05-21-OSVDB-101157.md
+++ b/advisories/_posts/2007-05-21-OSVDB-101157.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-101157 (json): json Gem for Ruby Data Handling Stack Buffer Overflow'
-comments: false
-categories:
-- json
-advisory:
- gem: json
- osvdb: 101157
- url: https://security.snyk.io/vuln/SNYK-RUBY-JSON-20000
- title: json Gem for Ruby Data Handling Stack Buffer Overflow
- date: 2007-05-21
- description: |
- json Gem for Ruby contains an overflow condition that is triggered as
- user-supplied input is not properly validated when handling specially crafted
- data. This may allow a remote attacker to cause a stack-based buffer
- overflow, resulting in a denial of service or potentially allowing the
- execution of arbitrary code.
- patched_versions:
- - ">= 1.1.0"
- related:
- url:
- - https://security.snyk.io/vuln/SNYK-RUBY-JSON-20000
- - http://osvdb.org/show/osvdb/101157
----
+---
+layout: advisory
+title: 'OSVDB-101157 (json): json Gem for Ruby Data Handling Stack Buffer Overflow'
+comments: false
+categories:
+- json
+advisory:
+ gem: json
+ osvdb: 101157
+ url: https://security.snyk.io/vuln/SNYK-RUBY-JSON-20000
+ title: json Gem for Ruby Data Handling Stack Buffer Overflow
+ date: 2007-05-21
+ description: |
+ json Gem for Ruby contains an overflow condition that is triggered as
+ user-supplied input is not properly validated when handling specially crafted
+ data. This may allow a remote attacker to cause a stack-based buffer
+ overflow, resulting in a denial of service or potentially allowing the
+ execution of arbitrary code.
+ patched_versions:
+ - ">= 1.1.0"
+ related:
+ url:
+ - https://security.snyk.io/vuln/SNYK-RUBY-JSON-20000
+ - http://osvdb.org/show/osvdb/101157
+---
diff --git a/advisories/_posts/2007-06-15-OSVDB-95668.md b/advisories/_posts/2007-06-15-OSVDB-95668.md
index 8b889e36..1ef6b108 100644
--- a/advisories/_posts/2007-06-15-OSVDB-95668.md
+++ b/advisories/_posts/2007-06-15-OSVDB-95668.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-95668 (builder): Builder Gem for Ruby Tag Name Handling Private Method
- Exposure'
-comments: false
-categories:
-- builder
-advisory:
- gem: builder
- osvdb: 95668
- url: https://my.diffend.io/gems/builder/2.1.1/2.1.2
- title: Builder Gem for Ruby Tag Name Handling Private Method Exposure
- date: 2007-06-15
- description: |
- Builder Gem for Ruby contains a flaw in the handling of tag names. The issue
- is triggered when the program reads tag names from XML data and then calls a
- method with that name. With a specially crafted file, a context-dependent
- attacker can call private methods and manipulate data.
- patched_versions:
- - ">= 2.1.2"
- related:
- url:
- - https://my.diffend.io/gems/builder/2.1.1/2.1.2
- - http://osvdb.org/show/osvdb/95668
----
+---
+layout: advisory
+title: 'OSVDB-95668 (builder): Builder Gem for Ruby Tag Name Handling Private Method
+ Exposure'
+comments: false
+categories:
+- builder
+advisory:
+ gem: builder
+ osvdb: 95668
+ url: https://my.diffend.io/gems/builder/2.1.1/2.1.2
+ title: Builder Gem for Ruby Tag Name Handling Private Method Exposure
+ date: 2007-06-15
+ description: |
+ Builder Gem for Ruby contains a flaw in the handling of tag names. The issue
+ is triggered when the program reads tag names from XML data and then calls a
+ method with that name. With a specially crafted file, a context-dependent
+ attacker can call private methods and manipulate data.
+ patched_versions:
+ - ">= 2.1.2"
+ related:
+ url:
+ - https://my.diffend.io/gems/builder/2.1.1/2.1.2
+ - http://osvdb.org/show/osvdb/95668
+---
diff --git a/advisories/_posts/2007-11-27-CVE-2007-6183.md b/advisories/_posts/2007-11-27-CVE-2007-6183.md
index 1a0ffd83..e49564e9 100644
--- a/advisories/_posts/2007-11-27-CVE-2007-6183.md
+++ b/advisories/_posts/2007-11-27-CVE-2007-6183.md
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2007-6183 (gtk2): CVE-2007-6183 ruby-gnome2: format string vulnerability' -comments: false -categories: -- gtk2 -advisory: - gem: gtk2 - cve: 2007-6183 - osvdb: 40774 - ghsa: xgj6-pgrm-x4r2 - url: https://nvd.nist.gov/vuln/detail/CVE-2007-6183 - title: 'CVE-2007-6183 ruby-gnome2: format string vulnerability' - date: 2007-11-27 - description: | - Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c - in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows - context-dependent attackers to execute arbitrary code via format string specifiers - in the message parameter. - cvss_v2: 6.8 - patched_versions: - - "> 0.16.0" ---- +--- +layout: advisory +title: 'CVE-2007-6183 (gtk2): CVE-2007-6183 ruby-gnome2: format string vulnerability' +comments: false +categories: +- gtk2 +advisory: + gem: gtk2 + cve: 2007-6183 + osvdb: 40774 + ghsa: xgj6-pgrm-x4r2 + url: https://nvd.nist.gov/vuln/detail/CVE-2007-6183 + title: 'CVE-2007-6183 ruby-gnome2: format string vulnerability' + date: 2007-11-27 + description: | + Format string vulnerability in the mdiag_initialize function in gtk/src/rbgtkmessagedialog.c + in Ruby-GNOME 2 (aka Ruby/Gnome2) 0.16.0, and SVN versions before 20071127, allows + context-dependent attackers to execute arbitrary code via format string specifiers + in the message parameter. + cvss_v2: 6.8 + patched_versions: + - "> 0.16.0" +--- diff --git a/advisories/_posts/2008-08-12-CVE-2008-7311.md b/advisories/_posts/2008-08-12-CVE-2008-7311.md index 716d1cd7..c93c8bb9 100644 --- a/advisories/_posts/2008-08-12-CVE-2008-7311.md +++ b/advisories/_posts/2008-08-12-CVE-2008-7311.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2008-7311 (spree): Spree Hardcoded config.action_controller_session Hash - Value Cryptographic Protection Weakness' -comments: false -categories: -- spree -advisory: - gem: spree - cve: 2008-7311 - osvdb: 81506 - ghsa: g466-57gh-cqfw - url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store - title: Spree Hardcoded config.action_controller_session Hash Value Cryptographic - Protection Weakness - date: 2008-08-12 - description: | - Spree contains a hardcoded flaw related to the - config.action_controller_session hash value. This may allow an attacker to - more easily bypass cryptographic protection. - cvss_v2: 5.0 - patched_versions: - - ">= 0.3.0" ---- +--- +layout: advisory +title: 'CVE-2008-7311 (spree): Spree Hardcoded config.action_controller_session Hash + Value Cryptographic Protection Weakness' +comments: false +categories: +- spree +advisory: + gem: spree + cve: 2008-7311 + osvdb: 81506 + ghsa: g466-57gh-cqfw + url: https://spreecommerce.com/blog/security-vulernability-session-cookie-store + title: Spree Hardcoded config.action_controller_session Hash Value Cryptographic + Protection Weakness + date: 2008-08-12 + description: | + Spree contains a hardcoded flaw related to the + config.action_controller_session hash value. This may allow an attacker to + more easily bypass cryptographic protection. + cvss_v2: 5.0 + patched_versions: + - ">= 0.3.0" +--- diff --git a/advisories/_posts/2008-08-15-OSVDB-95749.md b/advisories/_posts/2008-08-15-OSVDB-95749.md index 8a250277..a62abccf 100644 --- a/advisories/_posts/2008-08-15-OSVDB-95749.md +++ b/advisories/_posts/2008-08-15-OSVDB-95749.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'OSVDB-95749 (activeresource): activeresource Gem for Ruby lib/active_resource/connection.rb - request Function Multiple Variable Format String' -comments: false -categories: -- activeresource -advisory: - gem: activeresource - osvdb: 95749 - url: https://my.diffend.io/gems/activeresource/versions/2.1.0 - title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function - Multiple Variable Format String - date: 2008-08-15 - description: | - activeresource contains a format string flaw in the request function of - lib/active_resource/connection.rb. The issue is triggered as format string - specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input - when passed via the 'result.code' and 'result.message' variables. This may - allow a remote attacker to cause a denial of service or potentially execute - arbitrary code. - patched_versions: - - ">= 2.2.0" - related: - url: - - https://my.diffend.io/gems/activeresource/versions/2.1.0 - - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERESOURCE-20004 - - http://osvdb.org/show/osvdb/95749 ---- +--- +layout: advisory +title: 'OSVDB-95749 (activeresource): activeresource Gem for Ruby lib/active_resource/connection.rb + request Function Multiple Variable Format String' +comments: false +categories: +- activeresource +advisory: + gem: activeresource + osvdb: 95749 + url: https://my.diffend.io/gems/activeresource/versions/2.1.0 + title: activeresource Gem for Ruby lib/active_resource/connection.rb request Function + Multiple Variable Format String + date: 2008-08-15 + description: | + activeresource contains a format string flaw in the request function of + lib/active_resource/connection.rb. The issue is triggered as format string + specifiers (e.g. %s and %x) are not properly sanitized in user-supplied input + when passed via the 'result.code' and 'result.message' variables. 
This may + allow a remote attacker to cause a denial of service or potentially execute + arbitrary code. + patched_versions: + - ">= 2.2.0" + related: + url: + - https://my.diffend.io/gems/activeresource/versions/2.1.0 + - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERESOURCE-20004 + - http://osvdb.org/show/osvdb/95749 +--- diff --git a/advisories/_posts/2008-09-22-CVE-2008-7310.md b/advisories/_posts/2008-09-22-CVE-2008-7310.md index fc68fd35..78da1c42 100644 --- a/advisories/_posts/2008-09-22-CVE-2008-7310.md +++ b/advisories/_posts/2008-09-22-CVE-2008-7310.md @@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2008-7310 (spree): Spree Hash Restriction Weakness URL Parsing Order State - Value Manipulation' -comments: false -categories: -- spree -advisory: - gem: spree - cve: 2008-7310 - osvdb: 81505 - ghsa: 7h48-m3rw-vr27 - url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment - title: Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation - date: 2008-09-22 - description: | - Spree contains a hash restriction weakness that occurs when parsing a - modified URL. This may allow an attacker to manipulate order state values. - cvss_v2: 5.0 - patched_versions: - - ">= 0.3.0" ---- +--- +layout: advisory +title: 'CVE-2008-7310 (spree): Spree Hash Restriction Weakness URL Parsing Order State + Value Manipulation' +comments: false +categories: +- spree +advisory: + gem: spree + cve: 2008-7310 + osvdb: 81505 + ghsa: 7h48-m3rw-vr27 + url: https://spreecommerce.com/blog/security-vulnerability-mass-assignment + title: Spree Hash Restriction Weakness URL Parsing Order State Value Manipulation + date: 2008-09-22 + description: | + Spree contains a hash restriction weakness that occurs when parsing a + modified URL. This may allow an attacker to manipulate order state values. + cvss_v2: 5.0 + patched_versions: + - ">= 0.3.0" +--- 
diff --git a/advisories/_posts/2008-10-10-OSVDB-95376.md b/advisories/_posts/2008-10-10-OSVDB-95376.md index c57a2f91..7ada1ad9 100644 --- a/advisories/_posts/2008-10-10-OSVDB-95376.md +++ b/advisories/_posts/2008-10-10-OSVDB-95376.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'OSVDB-95376 (activerecord-oracle_enhanced-adapter): Oracle "enhanced" ActiveRecord - Gem for Ruby :limit / :offset SQL Injection' -comments: false -categories: -- activerecord-oracle_enhanced-adapter -advisory: - gem: activerecord-oracle_enhanced-adapter - osvdb: 95376 - url: https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6 - title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection - date: 2008-10-10 - description: | - Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an - attacker to carry out an SQL injection attack. The issue is due to the - program not properly sanitizing user-supplied input related to the :limit and - :offset functions. This may allow an attacker to inject or manipulate SQL - queries in the back-end database, allowing for the manipulation or disclosure - of arbitrary data. - patched_versions: - - ">= 1.1.8" - related: - url: - - https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6 - - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDORACLEENHANCEDADAPTER-20006 - - http://osvdb.org/show/osvdb/95376 ---- +--- +layout: advisory +title: 'OSVDB-95376 (activerecord-oracle_enhanced-adapter): Oracle "enhanced" ActiveRecord + Gem for Ruby :limit / :offset SQL Injection' +comments: false +categories: +- activerecord-oracle_enhanced-adapter +advisory: + gem: activerecord-oracle_enhanced-adapter + osvdb: 95376 + url: https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6 + title: Oracle "enhanced" ActiveRecord Gem for Ruby :limit / :offset SQL Injection + date: 2008-10-10 + description: | + Oracle "enhanced" ActiveRecord Gem for Ruby contains a flaw that may allow an + attacker to carry out an SQL injection attack. The issue is due to the + program not properly sanitizing user-supplied input related to the :limit and + :offset functions. 
This may allow an attacker to inject or manipulate SQL + queries in the back-end database, allowing for the manipulation or disclosure + of arbitrary data. + patched_versions: + - ">= 1.1.8" + related: + url: + - https://www.versioneye.com/Ruby/activerecord-oracle_enhanced-adapter/1.1.6 + - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDORACLEENHANCEDADAPTER-20006 + - http://osvdb.org/show/osvdb/95376 +--- diff --git a/advisories/_posts/2008-12-08-CVE-2008-4310.md b/advisories/_posts/2008-12-08-CVE-2008-4310.md index 60c093ed..73f681a7 100644 --- a/advisories/_posts/2008-12-08-CVE-2008-4310.md +++ b/advisories/_posts/2008-12-08-CVE-2008-4310.md 
@@ -1,33 +1,33 @@ ---- -layout: advisory -title: 'CVE-2008-4310 (webrick): WEBrick Denial of Service Vulnerability' -comments: false -categories: -- webrick -advisory: - gem: webrick - cve: 2008-4310 - ghsa: wfrc-r6c6-7j9r - url: https://bugzilla.redhat.com/show_bug.cgi?id=470252 - title: WEBrick Denial of Service Vulnerability - date: 2008-12-08 - description: | - httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat - Enterprise Linux 4 and 5, allows remote attackers to cause a - denial of service (CPU consumption) via a crafted HTTP request. - - NOTE: This issue exists because of an incomplete fix for CVE-2008-3656. - cvss_v2: 7.8 - patched_versions: - - ">= 1.3.1" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2008-4310 - - https://github.com/ruby/webrick/commit/b2ccd5ff7ddd67a4548299e110dcc5a4728a5534 - - http://www.openwall.com/lists/oss-security/2008/12/04/2 - - https://bugzilla.redhat.com/show_bug.cgi?id=470252 - - https://oval.cisecurity.org/repository/search/definition/oval - - http://www.redhat.com/support/errata/RHSA-2008-0981.html - - https://web.archive.org/web/20111230125610/http://secunia.com/advisories/33013 - - https://github.com/advisories/GHSA-wfrc-r6c6-7j9r ---- +--- +layout: advisory +title: 'CVE-2008-4310 (webrick): WEBrick Denial of Service Vulnerability' +comments: false +categories: +- webrick +advisory: + gem: webrick + cve: 2008-4310 + ghsa: wfrc-r6c6-7j9r + url: https://bugzilla.redhat.com/show_bug.cgi?id=470252 + title: WEBrick Denial of Service Vulnerability + date: 2008-12-08 + description: | + httputils.rb in WEBrick in Ruby 1.8.1 and 1.8.5, as used in Red Hat + Enterprise Linux 4 and 5, allows remote attackers to cause a + denial of service (CPU consumption) via a crafted HTTP request. + + NOTE: This issue exists because of an incomplete fix for CVE-2008-3656. 
+ cvss_v2: 7.8 + patched_versions: + - ">= 1.3.1" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2008-4310 + - https://github.com/ruby/webrick/commit/b2ccd5ff7ddd67a4548299e110dcc5a4728a5534 + - http://www.openwall.com/lists/oss-security/2008/12/04/2 + - https://bugzilla.redhat.com/show_bug.cgi?id=470252 + - https://oval.cisecurity.org/repository/search/definition/oval + - http://www.redhat.com/support/errata/RHSA-2008-0981.html + - https://web.archive.org/web/20111230125610/http://secunia.com/advisories/33013 + - https://github.com/advisories/GHSA-wfrc-r6c6-7j9r +--- diff --git a/advisories/_posts/2009-07-10-CVE-2009-2422.md b/advisories/_posts/2009-07-10-CVE-2009-2422.md index 4bdfc104..255e6202 100644 --- a/advisories/_posts/2009-07-10-CVE-2009-2422.md +++ b/advisories/_posts/2009-07-10-CVE-2009-2422.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2009-2422 (rails): High Security Vulnerability with authenticate_with_http_digest - of Rails' -comments: false -categories: -- rails -- rails -advisory: - gem: rails - framework: rails - cve: 2009-2422 - ghsa: rxq3-gm4p-5fj4 - url: http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest - title: High Security Vulnerability with authenticate_with_http_digest of Rails - date: 2009-07-10 - description: | - The example code for the digest authentication functionality - (http_authentication.rb) in Ruby on Rails before 2.3.3 defines - an authenticate_or_request_with_http_digest block that returns - nil instead of false when the user does not exist, which allows - context-dependent attackers to bypass authentication for - applications that are derived from this example by sending an - invalid username without a password. - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 2.3.3" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2009-2422 - - http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest - - https://lists.apple.com/archives/security-announce/2010/Mar/msg00001.html - - https://exchange.xforce.ibmcloud.com/vulnerabilities/51528 - - http://support.apple.com/kb/HT4077 - - http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s - - https://github.com/advisories/GHSA-rxq3-gm4p-5fj4 ---- +--- +layout: advisory +title: 'CVE-2009-2422 (rails): High Security Vulnerability with authenticate_with_http_digest + of Rails' +comments: false +categories: +- rails +- rails +advisory: + gem: rails + framework: rails + cve: 2009-2422 + ghsa: rxq3-gm4p-5fj4 + url: http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest + title: High Security Vulnerability with authenticate_with_http_digest of Rails + date: 2009-07-10 + description: | + The example code for the digest authentication functionality + 
(http_authentication.rb) in Ruby on Rails before 2.3.3 defines + an authenticate_or_request_with_http_digest block that returns + nil instead of false when the user does not exist, which allows + context-dependent attackers to bypass authentication for + applications that are derived from this example by sending an + invalid username without a password. + cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 2.3.3" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2009-2422 + - http://weblog.rubyonrails.org/2009/6/3/security-problem-with-authenticate_with_http_digest + - https://lists.apple.com/archives/security-announce/2010/Mar/msg00001.html + - https://exchange.xforce.ibmcloud.com/vulnerabilities/51528 + - http://support.apple.com/kb/HT4077 + - http://n8.tumblr.com/post/117477059/security-hole-found-in-rails-2-3s + - https://github.com/advisories/GHSA-rxq3-gm4p-5fj4 +--- diff --git a/advisories/_posts/2009-12-07-CVE-2009-4123.md b/advisories/_posts/2009-12-07-CVE-2009-4123.md index 499a616a..f92b6694 100644 --- a/advisories/_posts/2009-12-07-CVE-2009-4123.md +++ b/advisories/_posts/2009-12-07-CVE-2009-4123.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2009-4123 (jruby-openssl): jruby-openssl Gem for JRuby fails to do proper - certificate validation' -comments: false -categories: -- jruby-openssl -- jruby -advisory: - gem: jruby-openssl - platform: jruby - cve: 2009-4123 - ghsa: xgv7-pqqh-h2w9 - url: http://jruby.org/2009/12/07/vulnerability-in-jruby-openssl - title: jruby-openssl Gem for JRuby fails to do proper certificate validation - date: 2009-12-07 - description: | - A security problem involving peer certificate verification was found where - failed verification silently did nothing, making affected applications - vulnerable to attackers. Attackers could lead a client application to believe - that a secure connection to a rogue SSL server is legitimate. Attackers could - also penetrate client-validated SSL server applications with a dummy - certificate. - cvss_v3: 7.5 - patched_versions: - - ">= 0.6" ---- +--- +layout: advisory +title: 'CVE-2009-4123 (jruby-openssl): jruby-openssl Gem for JRuby fails to do proper + certificate validation' +comments: false +categories: +- jruby-openssl +- jruby +advisory: + gem: jruby-openssl + platform: jruby + cve: 2009-4123 + ghsa: xgv7-pqqh-h2w9 + url: http://jruby.org/2009/12/07/vulnerability-in-jruby-openssl + title: jruby-openssl Gem for JRuby fails to do proper certificate validation + date: 2009-12-07 + description: | + A security problem involving peer certificate verification was found where + failed verification silently did nothing, making affected applications + vulnerable to attackers. Attackers could lead a client application to believe + that a secure connection to a rogue SSL server is legitimate. Attackers could + also penetrate client-validated SSL server applications with a dummy + certificate. + cvss_v3: 7.5 + patched_versions: + - ">= 0.6" +--- diff --git a/advisories/_posts/2010-02-01-OSVDB-62067.md b/advisories/_posts/2010-02-01-OSVDB-62067.md index 7b414abe..8a4abbae 100644 
--- a/advisories/_posts/2010-02-01-OSVDB-62067.md +++ b/advisories/_posts/2010-02-01-OSVDB-62067.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'OSVDB-62067 (bcrypt): bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII - characters (JRuby only)' -comments: false -categories: -- bcrypt -- jruby -advisory: - gem: bcrypt - platform: jruby - osvdb: 62067 - url: http://www.mindrot.org/files/jBCrypt/internat.adv - title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby - only) - date: 2010-02-01 - description: | - In https://security.snyk.io/vuln/SNYK-RUBY-BCRYPT-20009, found - "The advisory has been revoked - it doesn't affect any version of package bcrypt" - - bcrypt-ruby Gem for Ruby suffered from a bug related to character - encoding that substantially reduced the entropy of hashed passwords - containing non US-ASCII characters. An incorrect encoding step - transparently replaced such characters by '?' prior to hashing. - In the worst case of a password consisting solely of non-US-ASCII - characters, this would cause its hash to be equivalent to all other - such passwords of the same length. - - This issue only affects the JRuby implementation. 
- patched_versions: - - ">= 2.1.4" - related: - url: - - https://github.com/jeremyh/jBCrypt - - http://www.mindrot.org/files/jBCrypt/internat.adv - - https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/ext/jruby/bcrypt_jruby/BCrypt.java ---- +--- +layout: advisory +title: 'OSVDB-62067 (bcrypt): bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII + characters (JRuby only)' +comments: false +categories: +- bcrypt +- jruby +advisory: + gem: bcrypt + platform: jruby + osvdb: 62067 + url: http://www.mindrot.org/files/jBCrypt/internat.adv + title: bcrypt-ruby Gem for Ruby incorrect encoding of non US-ASCII characters (JRuby + only) + date: 2010-02-01 + description: | + In https://security.snyk.io/vuln/SNYK-RUBY-BCRYPT-20009, found + "The advisory has been revoked - it doesn't affect any version of package bcrypt" + + bcrypt-ruby Gem for Ruby suffered from a bug related to character + encoding that substantially reduced the entropy of hashed passwords + containing non US-ASCII characters. An incorrect encoding step + transparently replaced such characters by '?' prior to hashing. + In the worst case of a password consisting solely of non-US-ASCII + characters, this would cause its hash to be equivalent to all other + such passwords of the same length. + + This issue only affects the JRuby implementation. + patched_versions: + - ">= 2.1.4" + related: + url: + - https://github.com/jeremyh/jBCrypt + - http://www.mindrot.org/files/jBCrypt/internat.adv + - https://github.com/bcrypt-ruby/bcrypt-ruby/blob/master/ext/jruby/bcrypt_jruby/BCrypt.java +--- diff --git a/advisories/_posts/2010-04-27-OSVDB-110439.md b/advisories/_posts/2010-04-27-OSVDB-110439.md index b3828ec5..8bfff4ca 100644 --- a/advisories/_posts/2010-04-27-OSVDB-110439.md +++ b/advisories/_posts/2010-04-27-OSVDB-110439.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'OSVDB-110439 (fog-dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing - Remote Command Execution' -comments: false -categories: -- fog-dragonfly -advisory: - gem: fog-dragonfly - osvdb: 110439 - url: https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193 - title: Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution - date: 2010-04-27 - description: | - Dragonfly Gem for Ruby contains a flaw in Uploading & Processing - that is due to the gem failing to restrict arbitrary commands to - imagemagicks convert. This may allow a remote attacker to gain - read/write access to the filesystem and execute arbitrary commands. - - This gem has been renamed. Please use "dragonfly" from now on. - patched_versions: - - ">= 0.8.4" - related: - url: - - https://github.com/markevans/dragonfly/compare/v0.8.3...v0.8.4 - - https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193 - - https://www.mend.io/vulnerability-database/WS-2014-0016 - - http://osvdb.org/show/osvdb/110439 ---- +--- +layout: advisory +title: 'OSVDB-110439 (fog-dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing + Remote Command Execution' +comments: false +categories: +- fog-dragonfly +advisory: + gem: fog-dragonfly + osvdb: 110439 + url: https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193 + title: Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution + date: 2010-04-27 + description: | + Dragonfly Gem for Ruby contains a flaw in Uploading & Processing + that is due to the gem failing to restrict arbitrary commands to + imagemagicks convert. This may allow a remote attacker to gain + read/write access to the filesystem and execute arbitrary commands. + + This gem has been renamed. Please use "dragonfly" from now on. 
+ patched_versions: + - ">= 0.8.4" + related: + url: + - https://github.com/markevans/dragonfly/compare/v0.8.3...v0.8.4 + - https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193 + - https://www.mend.io/vulnerability-database/WS-2014-0016 + - http://osvdb.org/show/osvdb/110439 +--- diff --git a/advisories/_posts/2010-08-12-OSVDB-114600.md b/advisories/_posts/2010-08-12-OSVDB-114600.md index 5ba2b8c1..ab2addf7 100644 --- a/advisories/_posts/2010-08-12-OSVDB-114600.md +++ b/advisories/_posts/2010-08-12-OSVDB-114600.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'OSVDB-114600 (curb): curb Gem for Ruby Empty http_put Body Handling Remote - DoS' -comments: false -categories: -- curb -advisory: - gem: curb - osvdb: 114600 - url: https://my.diffend.io/gems/curb/versions/0.6.4.0 - title: curb Gem for Ruby Empty http_put Body Handling Remote DoS - date: 2010-08-12 - description: | - curb Gem for Ruby contains a flaw that is triggered when handling - an empty http_put body. This may allow a remote attacker to crash - an application linked against the library. - patched_versions: - - ">= 0.7.8" - related: - url: - - https://my.diffend.io/gems/curb/versions/0.6.4.0 - - https://my.diffend.io/gems/curb/0.7.7.1/0.7.8 - - http://osvdb.org/show/osvdb/114600 ---- +--- +layout: advisory +title: 'OSVDB-114600 (curb): curb Gem for Ruby Empty http_put Body Handling Remote + DoS' +comments: false +categories: +- curb +advisory: + gem: curb + osvdb: 114600 + url: https://my.diffend.io/gems/curb/versions/0.6.4.0 + title: curb Gem for Ruby Empty http_put Body Handling Remote DoS + date: 2010-08-12 + description: | + curb Gem for Ruby contains a flaw that is triggered when handling + an empty http_put body. This may allow a remote attacker to crash + an application linked against the library. + patched_versions: + - ">= 0.7.8" + related: + url: + - https://my.diffend.io/gems/curb/versions/0.6.4.0 + - https://my.diffend.io/gems/curb/0.7.7.1/0.7.8 + - http://osvdb.org/show/osvdb/114600 +--- diff --git a/advisories/_posts/2010-11-02-CVE-2010-3978.md b/advisories/_posts/2010-11-02-CVE-2010-3978.md index d5d1f517..f5cd8124 100644 --- a/advisories/_posts/2010-11-02-CVE-2010-3978.md +++ b/advisories/_posts/2010-11-02-CVE-2010-3978.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2010-3978 (spree): Spree Multiple Script JSON Request Validation Weakness - Remote Information Disclosure' -comments: false -categories: -- spree -advisory: - gem: spree - cve: 2010-3978 - osvdb: 69098 - ghsa: hwrx-wc75-mgh7 - url: https://spreecommerce.com/blog/json-hijacking-vulnerability - title: Spree Multiple Script JSON Request Validation Weakness Remote Information - Disclosure - date: 2010-11-02 - description: | - Spree contains a flaw that may lead to an unauthorized information - disclosure. The issue is triggered when the application exchanges data using - the JSON service without validating requests, which will disclose sensitive - user and order information to a context-dependent attacker when a logged-in - user visits a crafted website. - cvss_v2: 5.0 - patched_versions: - - "~> 0.11.2" - - ">= 0.30.0" ---- +--- +layout: advisory +title: 'CVE-2010-3978 (spree): Spree Multiple Script JSON Request Validation Weakness + Remote Information Disclosure' +comments: false +categories: +- spree +advisory: + gem: spree + cve: 2010-3978 + osvdb: 69098 + ghsa: hwrx-wc75-mgh7 + url: https://spreecommerce.com/blog/json-hijacking-vulnerability + title: Spree Multiple Script JSON Request Validation Weakness Remote Information + Disclosure + date: 2010-11-02 + description: | + Spree contains a flaw that may lead to an unauthorized information + disclosure. The issue is triggered when the application exchanges data using + the JSON service without validating requests, which will disclose sensitive + user and order information to a context-dependent attacker when a logged-in + user visits a crafted website. + cvss_v2: 5.0 + patched_versions: + - "~> 0.11.2" + - ">= 0.30.0" +--- diff --git a/advisories/_posts/2011-01-12-OSVDB-106954.md b/advisories/_posts/2011-01-12-OSVDB-106954.md index 396e5517..fc46f5fd 100644 --- a/advisories/_posts/2011-01-12-OSVDB-106954.md +++ b/advisories/_posts/2011-01-12-OSVDB-106954.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'OSVDB-106954 (quick_magick): quick_magick Gem for Ruby QuickMagick::Image.read - Function Crafted String Handling Remote Command Injection' -comments: false -categories: -- quick_magick -advisory: - gem: quick_magick - osvdb: 106954 - url: https://security.snyk.io/vuln/SNYK-RUBY-QUICKMAGICK-20012 - title: quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String - Handling Remote Command Injection - date: 2011-01-12 - description: | - quick_magick Gem for Ruby contains a flaw in the QuickMagick::Image.read - function. The issue is triggered when handling a specially crafted string. - This may allow a remote attacker to inject arbitrary commands. - notes: Never patched - related: - url: - - https://security.snyk.io/vuln/SNYK-RUBY-QUICKMAGICK-20012 - - http://osvdb.org/show/osvdb/106954 ---- +--- +layout: advisory +title: 'OSVDB-106954 (quick_magick): quick_magick Gem for Ruby QuickMagick::Image.read + Function Crafted String Handling Remote Command Injection' +comments: false +categories: +- quick_magick +advisory: + gem: quick_magick + osvdb: 106954 + url: https://security.snyk.io/vuln/SNYK-RUBY-QUICKMAGICK-20012 + title: quick_magick Gem for Ruby QuickMagick::Image.read Function Crafted String + Handling Remote Command Injection + date: 2011-01-12 + description: | + quick_magick Gem for Ruby contains a flaw in the QuickMagick::Image.read + function. The issue is triggered when handling a specially crafted string. + This may allow a remote attacker to inject arbitrary commands. + notes: Never patched + related: + url: + - https://security.snyk.io/vuln/SNYK-RUBY-QUICKMAGICK-20012 + - http://osvdb.org/show/osvdb/106954 +--- diff --git a/advisories/_posts/2011-01-25-CVE-2011-0739.md b/advisories/_posts/2011-01-25-CVE-2011-0739.md index d176fbc5..e3b7036f 100644 --- a/advisories/_posts/2011-01-25-CVE-2011-0739.md +++ b/advisories/_posts/2011-01-25-CVE-2011-0739.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2011-0739 (mail): Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb - Email From: Address Arbitrary Shell Command Injection' -comments: false -categories: -- mail -advisory: - gem: mail - cve: 2011-0739 - osvdb: 70667 - ghsa: cpjc-p7fc-j9xh - url: https://nvd.nist.gov/vuln/detail/CVE-2011-0739 - title: 'Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: - Address Arbitrary Shell Command Injection' - date: 2011-01-25 - description: | - Mail Gem for Ruby contains a flaw related to the failure to properly sanitise - input passed from an email from address in the 'deliver()' function in - 'lib/mail/network/delivery_methods/sendmail.rb' before being used as a - command line argument. This may allow a remote attacker to inject arbitrary - shell commands. - cvss_v2: 6.8 - patched_versions: - - ">= 2.2.15" ---- +--- +layout: advisory +title: 'CVE-2011-0739 (mail): Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb + Email From: Address Arbitrary Shell Command Injection' +comments: false +categories: +- mail +advisory: + gem: mail + cve: 2011-0739 + osvdb: 70667 + ghsa: cpjc-p7fc-j9xh + url: https://nvd.nist.gov/vuln/detail/CVE-2011-0739 + title: 'Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: + Address Arbitrary Shell Command Injection' + date: 2011-01-25 + description: | + Mail Gem for Ruby contains a flaw related to the failure to properly sanitise + input passed from an email from address in the 'deliver()' function in + 'lib/mail/network/delivery_methods/sendmail.rb' before being used as a + command line argument. This may allow a remote attacker to inject arbitrary + shell commands. + cvss_v2: 6.8 + patched_versions: + - ">= 2.2.15" +--- diff --git a/advisories/_posts/2011-02-10-CVE-2011-10019.md b/advisories/_posts/2011-02-10-CVE-2011-10019.md index 3488128a..eb2d64a7 100644 --- a/advisories/_posts/2011-02-10-CVE-2011-10019.md 
+++ b/advisories/_posts/2011-02-10-CVE-2011-10019.md 
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2011-10019 (spree): Remote Command Execution in Spree search functionality'
-comments: false
-categories:
-- spree
-advisory:
- gem: spree
- cve: 2011-10019
- ghsa: 97vm-c39p-jr86
- url: https://github.com/advisories/GHSA-97vm-c39p-jr86
- title: Remote Command Execution in Spree search functionality
- date: 2011-02-10
- description: |
- Spree versions prior to 0.60.2 contain a remote command execution
- vulnerability in the search functionality. The application fails to
- properly sanitize input passed via the `search[:send][]` parameter,
- which is dynamically invoked using Ruby’s `send` method. This allows
- attackers to execute arbitrary shell commands on the server without
- authentication.
- cvss_v2: 9.0
- cvss_v3: 9.8
- patched_versions:
- - ">= 0.60.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2011-10019
- - https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
- - https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group
- - https://www.exploit-db.com/exploits/17941
- - https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce
- - https://github.com/orgs/spree/spree
- - https://github.com/advisories/GHSA-97vm-c39p-jr86
----
+---
+layout: advisory
+title: 'CVE-2011-10019 (spree): Remote Command Execution in Spree search functionality'
+comments: false
+categories:
+- spree
+advisory:
+ gem: spree
+ cve: 2011-10019
+ ghsa: 97vm-c39p-jr86
+ url: https://github.com/advisories/GHSA-97vm-c39p-jr86
+ title: Remote Command Execution in Spree search functionality
+ date: 2011-02-10
+ description: |
+ Spree versions prior to 0.60.2 contain a remote command execution
+ vulnerability in the search functionality. The application fails to
+ properly sanitize input passed via the `search[:send][]` parameter,
+ which is dynamically invoked using Ruby’s `send` method. This allows
+ attackers to execute arbitrary shell commands on the server without
+ authentication.
+ cvss_v2: 9.0
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 0.60.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-10019
+ - https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
+ - https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group
+ - https://www.exploit-db.com/exploits/17941
+ - https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce
+ - https://github.com/orgs/spree/spree
+ - https://github.com/advisories/GHSA-97vm-c39p-jr86
+---
diff --git a/advisories/_posts/2011-04-19-OSVDB-73751.md b/advisories/_posts/2011-04-19-OSVDB-73751.md
index d897a11b..a6e1ad7d 100644
--- a/advisories/_posts/2011-04-19-OSVDB-73751.md
+++ b/advisories/_posts/2011-04-19-OSVDB-73751.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'OSVDB-73751 (spree): Spree Content Controller Unspecified Arbitrary File Disclosure'
-comments: false
-categories:
-- spree
-advisory:
- gem: spree
- osvdb: 73751
- url: https://web.archive.org/web/20160331142302/https://spreecommerce.com/blog/security-fixes
- title: Spree Content Controller Unspecified Arbitrary File Disclosure
- date: 2011-04-19
- description: |
- Spree Gem for Ruby would allow a user to request a specially crafted URL and
- expose arbitrary files on the server
- patched_versions:
- - ">= 0.50.1"
- related:
- url:
- - https://web.archive.org/web/20160331142302/https://spreecommerce.com/blog/security-fixes
- - https://seclists.org/oss-sec/2015/q3/275
- - https://github.com/spree/spree/commit/0a2ee5fc68b22b8257e8a6cf1811598293416d33
----
+---
+layout: advisory
+title: 'OSVDB-73751 (spree): Spree Content Controller Unspecified Arbitrary File Disclosure'
+comments: false
+categories:
+- spree
+advisory:
+ gem: spree
+ osvdb: 73751
+ url: https://web.archive.org/web/20160331142302/https://spreecommerce.com/blog/security-fixes
+ title: Spree Content Controller Unspecified Arbitrary File Disclosure
+ date: 2011-04-19
+ description: |
+ Spree Gem for Ruby would allow a user to request a specially crafted URL and
+ expose arbitrary files on the server
+ patched_versions:
+ - ">= 0.50.1"
+ related:
+ url:
+ - https://web.archive.org/web/20160331142302/https://spreecommerce.com/blog/security-fixes
+ - https://seclists.org/oss-sec/2015/q3/275
+ - https://github.com/spree/spree/commit/0a2ee5fc68b22b8257e8a6cf1811598293416d33
+---
diff --git a/advisories/_posts/2011-05-13-CVE-2011-0995.md b/advisories/_posts/2011-05-13-CVE-2011-0995.md
index 29819acc..eb5aed0a 100644
--- a/advisories/_posts/2011-05-13-CVE-2011-0995.md
+++ b/advisories/_posts/2011-05-13-CVE-2011-0995.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2011-0995 (sqlite3-ruby): rubygem-sqlite3 gem uses weak file permissions'
-comments: false
-categories:
-- sqlite3-ruby
-advisory:
- gem: sqlite3-ruby
- cve: 2011-0995
- ghsa: 6x46-7rrv-m4h8
- osvdb: 72180
- url: https://www.suse.com/security/cve/CVE-2011-0995.html
- title: rubygem-sqlite3 gem uses weak file permissions
- date: 2011-05-13
- description: |
- The sqlite3-ruby gem in the rubygem-sqlite3 package before
- 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak
- permissions for unspecified files, which allows local users
- to gain privileges via unknown vectors.
- cvss_v2: 2.1
- patched_versions:
- - ">= 1.2.4"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2011-0995
- - https://www.suse.com/security/cve/CVE-2011-0995.html
- - http://www.osvdb.org/72180
- - https://github.com/advisories/GHSA-6x46-7rrv-m4h8
- - https://exchange.xforce.ibmcloud.com/vulnerabilities/67263
- - https://ubuntu.com/security/CVE-2011-0995
- - https://cve.circl.lu/cve/CVE-2011-0995
----
+---
+layout: advisory
+title: 'CVE-2011-0995 (sqlite3-ruby): rubygem-sqlite3 gem uses weak file permissions'
+comments: false
+categories:
+- sqlite3-ruby
+advisory:
+ gem: sqlite3-ruby
+ cve: 2011-0995
+ ghsa: 6x46-7rrv-m4h8
+ osvdb: 72180
+ url: https://www.suse.com/security/cve/CVE-2011-0995.html
+ title: rubygem-sqlite3 gem uses weak file permissions
+ date: 2011-05-13
+ description: |
+ The sqlite3-ruby gem in the rubygem-sqlite3 package before
+ 1.2.4-0.5.1 in SUSE Linux Enterprise (SLE) 11 SP1 uses weak
+ permissions for unspecified files, which allows local users
+ to gain privileges via unknown vectors.
+ cvss_v2: 2.1
+ patched_versions:
+ - ">= 1.2.4"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-0995
+ - https://www.suse.com/security/cve/CVE-2011-0995.html
+ - http://www.osvdb.org/72180
+ - https://github.com/advisories/GHSA-6x46-7rrv-m4h8
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/67263
+ - https://ubuntu.com/security/CVE-2011-0995
+ - https://cve.circl.lu/cve/CVE-2011-0995
+---
diff --git a/advisories/_posts/2011-08-16-CVE-2011-3186.md b/advisories/_posts/2011-08-16-CVE-2011-3186.md
index 33e69265..196a8dfb 100644
--- a/advisories/_posts/2011-08-16-CVE-2011-3186.md
+++ b/advisories/_posts/2011-08-16-CVE-2011-3186.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2011-3186 (actionpack): Response Splitting Vulnerability in Ruby on Rails'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2011-3186
- osvdb: 74616
- ghsa: fcqf-h4h4-695m
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
- title: Response Splitting Vulnerability in Ruby on Rails
- date: 2011-08-16
- description: |
- A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow
- a remote attacker to inject arbitrary HTTP headers into a response due to
- insufficient sanitization of the values provided for response content types.
- cvss_v2: 4.3
- patched_versions:
- - ">= 2.3.13"
----
+---
+layout: advisory
+title: 'CVE-2011-3186 (actionpack): Response Splitting Vulnerability in Ruby on Rails'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2011-3186
+ osvdb: 74616
+ ghsa: fcqf-h4h4-695m
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g
+ title: Response Splitting Vulnerability in Ruby on Rails
+ date: 2011-08-16
+ description: |
+ A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow
+ a remote attacker to inject arbitrary HTTP headers into a response due to
+ insufficient sanitization of the values provided for response content types.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 2.3.13"
+---
diff --git a/advisories/_posts/2011-09-01-CVE-2011-4969.md b/advisories/_posts/2011-09-01-CVE-2011-4969.md
index 7aa332a2..56a84a28 100644
--- a/advisories/_posts/2011-09-01-CVE-2011-4969.md
+++ b/advisories/_posts/2011-09-01-CVE-2011-4969.md
@@ -1,36 +1,36 @@
----
-layout: advisory
-title: 'CVE-2011-4969 (jquery-rails): jQuery vulnerable to Cross-Site Scripting (XSS)'
-comments: false
-categories:
-- jquery-rails
-- rails
-advisory:
- gem: jquery-rails
- framework: rails
- cve: 2011-4969
- ghsa: 579v-mp3v-rrw5
- url: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released
- title: jQuery vulnerable to Cross-Site Scripting (XSS)
- date: 2011-09-01
- description: |
- Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3,
- when using location.hash to select elements, allows remote attackers
- to inject arbitrary web script or HTML via a crafted tag.
- cvss_v2: 4.3
- patched_versions:
- - ">= 1.6.3"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2011-4969
- - http://blog.jquery.com/2011/09/01/jquery-1-6-3-released
- - http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html
- - http://bugs.jquery.com/ticket/9521
- - https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9
- - https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8
- - https://security.netapp.com/advisory/ntap-20190416-0007
- - http://www.openwall.com/lists/oss-security/2013/01/31/3
- - http://www.ubuntu.com/usn/USN-1722-1
- - https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450224
- - https://github.com/advisories/GHSA-579v-mp3v-rrw5
----
+---
+layout: advisory
+title: 'CVE-2011-4969 (jquery-rails): jQuery vulnerable to Cross-Site Scripting (XSS)'
+comments: false
+categories:
+- jquery-rails
+- rails
+advisory:
+ gem: jquery-rails
+ framework: rails
+ cve: 2011-4969
+ ghsa: 579v-mp3v-rrw5
+ url: http://blog.jquery.com/2011/09/01/jquery-1-6-3-released
+ title: jQuery vulnerable to Cross-Site Scripting (XSS)
+ date: 2011-09-01
+ description: |
+ Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3,
+ when using location.hash to select elements, allows remote attackers
+ to inject arbitrary web script or HTML via a crafted tag.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 1.6.3"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-4969
+ - http://blog.jquery.com/2011/09/01/jquery-1-6-3-released
+ - http://blog.mindedsecurity.com/2011/07/jquery-is-sink.html
+ - http://bugs.jquery.com/ticket/9521
+ - https://github.com/jquery/jquery/commit/db9e023e62c1ff5d8f21ed9868ab6878da2005e9
+ - https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8
+ - https://security.netapp.com/advisory/ntap-20190416-0007
+ - http://www.openwall.com/lists/oss-security/2013/01/31/3
+ - http://www.ubuntu.com/usn/USN-1722-1
+ - https://security.snyk.io/vuln/SNYK-DOTNET-JQUERY-450224
+ - https://github.com/advisories/GHSA-579v-mp3v-rrw5
+---
diff --git a/advisories/_posts/2011-09-01-OSVDB-97854.md b/advisories/_posts/2011-09-01-OSVDB-97854.md
index 966b9313..ab6ebdff 100644
--- a/advisories/_posts/2011-09-01-OSVDB-97854.md
+++ b/advisories/_posts/2011-09-01-OSVDB-97854.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'OSVDB-97854 (fog-dragonfly): Dragonfly Gem for Ruby on Windows Shell Escaping
- Weakness'
-comments: false
-categories:
-- fog-dragonfly
-advisory:
- gem: fog-dragonfly
- osvdb: 97854
- url: https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20016
- title: Dragonfly Gem for Ruby on Windows Shell Escaping Weakness
- date: 2011-09-01
- description: |
- Dragonfly Gem for Ruby contains a flaw that is due to the program
- failing to properly escape a shell that contains injected characters.
- This may allow a context-dependent attacker to potentially execute
- arbitrary commands.
-
- This gem has been renamed. Please use "dragonfly" from now on.
- patched_versions:
- - ">= 0.9.6"
- related:
- url:
- - https://github.com/markevans/dragonfly/blob/master/spec/dragonfly/shell_spec.rb#L26
- - https://github.com/markevans/dragonfly/pull/506
- - https://github.com/markevans/dragonfly/commit/f4f8e37a171a34f0ef3a6d80b52f44ed4d66d3bc
- - https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20016
- - http://osvdb.org/show/osvdb/97854
----
+---
+layout: advisory
+title: 'OSVDB-97854 (fog-dragonfly): Dragonfly Gem for Ruby on Windows Shell Escaping
+ Weakness'
+comments: false
+categories:
+- fog-dragonfly
+advisory:
+ gem: fog-dragonfly
+ osvdb: 97854
+ url: https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20016
+ title: Dragonfly Gem for Ruby on Windows Shell Escaping Weakness
+ date: 2011-09-01
+ description: |
+ Dragonfly Gem for Ruby contains a flaw that is due to the program
+ failing to properly escape a shell that contains injected characters.
+ This may allow a context-dependent attacker to potentially execute
+ arbitrary commands.
+
+ This gem has been renamed. Please use "dragonfly" from now on.
+ patched_versions:
+ - ">= 0.9.6"
+ related:
+ url:
+ - https://github.com/markevans/dragonfly/blob/master/spec/dragonfly/shell_spec.rb#L26
+ - https://github.com/markevans/dragonfly/pull/506
+ - https://github.com/markevans/dragonfly/commit/f4f8e37a171a34f0ef3a6d80b52f44ed4d66d3bc
+ - https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20016
+ - http://osvdb.org/show/osvdb/97854
+---
diff --git a/advisories/_posts/2011-09-20-OSVDB-115917.md b/advisories/_posts/2011-09-20-OSVDB-115917.md
index 17611972..25eda788 100644
--- a/advisories/_posts/2011-09-20-OSVDB-115917.md
+++ b/advisories/_posts/2011-09-20-OSVDB-115917.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'OSVDB-115917 (bundler): Bundler Gem for Ruby install Command Process Listing
- Local Plaintext Credential Disclosure'
-comments: false
-categories:
-- bundler
-advisory:
- gem: bundler
- osvdb: 115917
- url: https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8
- title: Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential
- Disclosure
- date: 2011-09-20
- description: |
- Bundler Gem for Ruby contains a flaw that is due to the program listing
- credential information in plaintext in the install command process listing.
- This may allow a local attacker to gain access to credential information.
- patched_versions:
- - ">= 1.1.rc"
- related:
- url:
- - https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8
- - https://my.diffend.io/gems/bundler/versions/1.1.rc
- - https://github.com/rubygems/bundler/commit/95bb14483cf8af857dc901c22db48cd3057d243e
- - https://github.com/rubygems/bundler/pull/1463
- - https://github.com/rubygems/bundler/issues/1440
- - http://www.osvdb.org/show/osvdb/115917
----
+---
+layout: advisory
+title: 'OSVDB-115917 (bundler): Bundler Gem for Ruby install Command Process Listing
+ Local Plaintext Credential Disclosure'
+comments: false
+categories:
+- bundler
+advisory:
+ gem: bundler
+ osvdb: 115917
+ url: https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8
+ title: Bundler Gem for Ruby install Command Process Listing Local Plaintext Credential
+ Disclosure
+ date: 2011-09-20
+ description: |
+ Bundler Gem for Ruby contains a flaw that is due to the program listing
+ credential information in plaintext in the install command process listing.
+ This may allow a local attacker to gain access to credential information.
+ patched_versions:
+ - ">= 1.1.rc"
+ related:
+ url:
+ - https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8
+ - https://my.diffend.io/gems/bundler/versions/1.1.rc
+ - https://github.com/rubygems/bundler/commit/95bb14483cf8af857dc901c22db48cd3057d243e
+ - https://github.com/rubygems/bundler/pull/1463
+ - https://github.com/rubygems/bundler/issues/1440
+ - http://www.osvdb.org/show/osvdb/115917
+---
diff --git a/advisories/_posts/2011-10-05-OSVDB-76011.md b/advisories/_posts/2011-10-05-OSVDB-76011.md
index 6dd9072c..510abdc7 100644
--- a/advisories/_posts/2011-10-05-OSVDB-76011.md
+++ b/advisories/_posts/2011-10-05-OSVDB-76011.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-76011 (spree): Spree Search ProductScope Class search[send][] Parameter
- Arbitrary Command Execution'
-comments: false
-categories:
-- spree
-advisory:
- gem: spree
- osvdb: 76011
- url: https://web.archive.org/web/20121124215359/https://spreecommerce.com/blog/remote-command-product-group
- title: Spree Search ProductScope Class search[send][] Parameter Arbitrary Command
- Execution
- date: 2011-10-05
- description: |
- The ProductScope class fails to properly sanitize user-supplied input via the
- 'search[send][]' parameter resulting in arbitrary command execution. With a
- specially crafted request, a remote attacker can potentially cause arbitrary
- command execution.
- patched_versions:
- - ">= 0.60.2"
- related:
- url:
- - https://web.archive.org/web/20121124215359/https://spreecommerce.com/blog/remote-command-product-group
----
+---
+layout: advisory
+title: 'OSVDB-76011 (spree): Spree Search ProductScope Class search[send][] Parameter
+ Arbitrary Command Execution'
+comments: false
+categories:
+- spree
+advisory:
+ gem: spree
+ osvdb: 76011
+ url: https://web.archive.org/web/20121124215359/https://spreecommerce.com/blog/remote-command-product-group
+ title: Spree Search ProductScope Class search[send][] Parameter Arbitrary Command
+ Execution
+ date: 2011-10-05
+ description: |
+ The ProductScope class fails to properly sanitize user-supplied input via the
+ 'search[send][]' parameter resulting in arbitrary command execution. With a
+ specially crafted request, a remote attacker can potentially cause arbitrary
+ command execution.
+ patched_versions:
+ - ">= 0.60.2"
+ related:
+ url:
+ - https://web.archive.org/web/20121124215359/https://spreecommerce.com/blog/remote-command-product-group
+---
diff --git a/advisories/_posts/2011-10-27-CVE-2011-3870.md b/advisories/_posts/2011-10-27-CVE-2011-3870.md
index f5edf429..a9ef74b2 100644
--- a/advisories/_posts/2011-10-27-CVE-2011-3870.md
+++ b/advisories/_posts/2011-10-27-CVE-2011-3870.md 
@@ -1,37 +1,37 @@
----
-layout: advisory
-title: 'CVE-2011-3870 (puppet): Puppet allows local users to modify the permissions
- of arbitrary files'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2011-3870
- ghsa: qh3g-27jf-3j54
- url: https://puppet.com/security/cve/cve-2011-3870
- title: Puppet allows local users to modify the permissions of arbitrary files
- date: 2011-10-27
- description: |
- Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x
- allows local users to modify the permissions of arbitrary
- files via a symlink attack on the SSH authorized_keys file.
- cvss_v2: 6.3
- patched_versions:
- - "~> 2.6.11"
- - ">= 2.7.5"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2011-3870
- - https://puppet.com/security/cve/cve-2011-3870
- - https://github.com/puppetlabs/puppet/commit/88512e880bd2a03694b5fef42540dc7b3da05d30
- - https://github.com/puppetlabs/puppet/commit/b29b1785d543a3cea961fffa9b3c15f14ab7cce0
- - http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
- - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
- - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
- - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
- - http://www.debian.org/security/2011/dsa-2314
- - http://www.ubuntu.com/usn/USN-1223-1
- - http://www.ubuntu.com/usn/USN-1223-2
- - https://github.com/advisories/GHSA-qh3g-27jf-3j54
----
+---
+layout: advisory
+title: 'CVE-2011-3870 (puppet): Puppet allows local users to modify the permissions
+ of arbitrary files'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2011-3870
+ ghsa: qh3g-27jf-3j54
+ url: https://puppet.com/security/cve/cve-2011-3870
+ title: Puppet allows local users to modify the permissions of arbitrary files
+ date: 2011-10-27
+ description: |
+ Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x
+ allows local users to modify the permissions of arbitrary
+ files via a symlink attack on the SSH authorized_keys file.
+ cvss_v2: 6.3
+ patched_versions:
+ - "~> 2.6.11"
+ - ">= 2.7.5"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-3870
+ - https://puppet.com/security/cve/cve-2011-3870
+ - https://github.com/puppetlabs/puppet/commit/88512e880bd2a03694b5fef42540dc7b3da05d30
+ - https://github.com/puppetlabs/puppet/commit/b29b1785d543a3cea961fffa9b3c15f14ab7cce0
+ - http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
+ - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
+ - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
+ - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
+ - http://www.debian.org/security/2011/dsa-2314
+ - http://www.ubuntu.com/usn/USN-1223-1
+ - http://www.ubuntu.com/usn/USN-1223-2
+ - https://github.com/advisories/GHSA-qh3g-27jf-3j54
+---
diff --git a/advisories/_posts/2011-10-27-CVE-2011-3871.md b/advisories/_posts/2011-10-27-CVE-2011-3871.md
index 3d0b7927..d02227c6 100644
--- a/advisories/_posts/2011-10-27-CVE-2011-3871.md
+++ b/advisories/_posts/2011-10-27-CVE-2011-3871.md
@@ -1,38 +1,38 @@
----
-layout: advisory
-title: 'CVE-2011-3871 (puppet): Puppet uses predictable filenames, allowing arbitrary
- file overwrite'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2011-3871
- ghsa: mpmx-gm5v-q789
- url: https://puppet.com/security/cve/cve-2011-3871
- title: Puppet uses predictable filenames, allowing arbitrary file overwrite
- date: 2011-10-27
- description: |
- Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x,
- when running in `--edit` mode, uses a predictable file name, which
- allows local users to run arbitrary Puppet code or trick a user
- into editing arbitrary files.
- cvss_v2: 6.2
- patched_versions:
- - "~> 2.6.11"
- - ">= 2.7.5"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2011-3871
- - https://puppet.com/security/cve/cve-2011-3871
- - https://github.com/puppetlabs/puppet/commit/343c7bd381b63e042d437111718918f951d9b30d
- - https://github.com/puppetlabs/puppet/commit/d76c30935460ded953792dfe49f72b8c5158e899
- - http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
- - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
- - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
- - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
- - http://www.debian.org/security/2011/dsa-2314
- - http://www.ubuntu.com/usn/USN-1223-1
- - http://www.ubuntu.com/usn/USN-1223-2
- - https://github.com/advisories/GHSA-mpmx-gm5v-q789
----
+---
+layout: advisory
+title: 'CVE-2011-3871 (puppet): Puppet uses predictable filenames, allowing arbitrary
+ file overwrite'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2011-3871
+ ghsa: mpmx-gm5v-q789
+ url: https://puppet.com/security/cve/cve-2011-3871
+ title: Puppet uses predictable filenames, allowing arbitrary file overwrite
+ date: 2011-10-27
+ description: |
+ Puppet 2.7.x before 2.7.5, 2.6.x before 2.6.11, and 0.25.x,
+ when running in `--edit` mode, uses a predictable file name, which
+ allows local users to run arbitrary Puppet code or trick a user
+ into editing arbitrary files.
+ cvss_v2: 6.2
+ patched_versions:
+ - "~> 2.6.11"
+ - ">= 2.7.5"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2011-3871
+ - https://puppet.com/security/cve/cve-2011-3871
+ - https://github.com/puppetlabs/puppet/commit/343c7bd381b63e042d437111718918f951d9b30d
+ - https://github.com/puppetlabs/puppet/commit/d76c30935460ded953792dfe49f72b8c5158e899
+ - http://groups.google.com/group/puppet-announce/browse_thread/thread/91e3b46d2328a1cb
+ - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068053.html
+ - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068061.html
+ - http://lists.fedoraproject.org/pipermail/package-announce/2011-October/068093.html
+ - http://www.debian.org/security/2011/dsa-2314
+ - http://www.ubuntu.com/usn/USN-1223-1
+ - http://www.ubuntu.com/usn/USN-1223-2
+ - https://github.com/advisories/GHSA-mpmx-gm5v-q789
+---
diff --git a/advisories/_posts/2011-12-28-CVE-2011-5036.md b/advisories/_posts/2011-12-28-CVE-2011-5036.md
index 2ec8a99a..690a1291 100644
--- a/advisories/_posts/2011-12-28-CVE-2011-5036.md
+++ b/advisories/_posts/2011-12-28-CVE-2011-5036.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2011-5036 (rack): CVE-2011-5036 rubygem-rack: hash table collisions DoS
- (oCERT-2011-003)'
-comments: false
-categories:
-- rack
-advisory:
- gem: rack
- cve: 2011-5036
- osvdb: 78121
- ghsa: v6j3-7jrw-hq2p
- url: https://nvd.nist.gov/vuln/detail/CVE-2011-5036
- title: 'CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)'
- date: 2011-12-28
- description: |
- Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes
- hash values for form parameters without restricting the ability to trigger hash
- collisions predictably, which allows remote attackers to cause a denial of service
- (CPU consumption) by sending many crafted parameters.
- cvss_v2: 5.0
- patched_versions:
- - "~> 1.1.3"
- - "~> 1.2.5"
- - "~> 1.3.6"
- - ">= 1.4.0"
----
+---
+layout: advisory
+title: 'CVE-2011-5036 (rack): CVE-2011-5036 rubygem-rack: hash table collisions DoS
+ (oCERT-2011-003)'
+comments: false
+categories:
+- rack
+advisory:
+ gem: rack
+ cve: 2011-5036
+ osvdb: 78121
+ ghsa: v6j3-7jrw-hq2p
+ url: https://nvd.nist.gov/vuln/detail/CVE-2011-5036
+ title: 'CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)'
+ date: 2011-12-28
+ description: |
+ Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes
+ hash values for form parameters without restricting the ability to trigger hash
+ collisions predictably, which allows remote attackers to cause a denial of service
+ (CPU consumption) by sending many crafted parameters.
+ cvss_v2: 5.0
+ patched_versions:
+ - "~> 1.1.3"
+ - "~> 1.2.5"
+ - "~> 1.3.6"
+ - ">= 1.4.0"
+---
diff --git a/advisories/_posts/2012-02-01-CVE-2012-6135.md b/advisories/_posts/2012-02-01-CVE-2012-6135.md
index 1c7d271c..b0cb7a53 100644
--- a/advisories/_posts/2012-02-01-CVE-2012-6135.md
+++ b/advisories/_posts/2012-02-01-CVE-2012-6135.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2012-6135 (passenger): Phusion Passenger Gem for Ruby Arbitrary File Deletion'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2012-6135
- osvdb: 90738
- ghsa: 8mw8-j583-vqfg
- url: http://old.blog.phusion.nl/2013/03/05/phusion-passenger-4-0-beta-1-and-2-arbitrary-file-deletion-vulnerability/
- title: Phusion Passenger Gem for Ruby Arbitrary File Deletion
- date: 2012-02-01
- description: |
- Phusion Passenger Gem for Ruby contains a flaw that is triggered during
- application startup. This issue may allow a local attacker to delete arbitrary files
- via an application process. If the program has completed the start up process this
- vulnerability is no longer exploitable.
- cvss_v2: 2.1
- cvss_v3: 7.5
- unaffected_versions:
- - "< 4.0.0.beta"
- patched_versions:
- - ">= 4.0.0"
----
+---
+layout: advisory
+title: 'CVE-2012-6135 (passenger): Phusion Passenger Gem for Ruby Arbitrary File Deletion'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2012-6135
+ osvdb: 90738
+ ghsa: 8mw8-j583-vqfg
+ url: http://old.blog.phusion.nl/2013/03/05/phusion-passenger-4-0-beta-1-and-2-arbitrary-file-deletion-vulnerability/
+ title: Phusion Passenger Gem for Ruby Arbitrary File Deletion
+ date: 2012-02-01
+ description: |
+ Phusion Passenger Gem for Ruby contains a flaw that is triggered during
+ application startup. This issue may allow a local attacker to delete arbitrary files
+ via an application process. If the program has completed the start up process this
+ vulnerability is no longer exploitable.
+ cvss_v2: 2.1
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 4.0.0.beta"
+ patched_versions:
+ - ">= 4.0.0"
+---
diff --git a/advisories/_posts/2012-02-29-CVE-2012-6684.md b/advisories/_posts/2012-02-29-CVE-2012-6684.md
index ac979ed0..84bdcfd9 100644
--- a/advisories/_posts/2012-02-29-CVE-2012-6684.md
+++ b/advisories/_posts/2012-02-29-CVE-2012-6684.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2012-6684 (RedCloth): CVE-2012-6684 rubygem-RedCloth: XSS vulnerability'
-comments: false
-categories:
-- RedCloth
-advisory:
- gem: RedCloth
- cve: 2012-6684
- ghsa: r23g-3qw4-gfh2
- osvdb: 115941
- url: https://co3k.org/blog/redcloth-unfixed-xss-en
- title: 'CVE-2012-6684 rubygem-RedCloth: XSS vulnerability'
- date: 2012-02-29
- description: |
- Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9
- for Ruby and earlier allows remote attackers to inject arbitrary
- web script or HTML via a javascript: URI.
- cvss_v2: 4.3
- patched_versions:
- - ">= 4.3.0"
- related:
- url:
- - http://co3k.org/blog/redcloth-unfixed-xss-en
- - https://gist.github.com/co3k/75b3cb416c342aa1414c
- - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
- - https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0
- - https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
- - https://web.archive.org/web/20150128115714/http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
- - https://nvd.nist.gov/vuln/detail/CVE-2012-6684
- - https://github.com/advisories/GHSA-r23g-3qw4-gfh2
- - http://seclists.org/fulldisclosure/2014/Dec/50
- - http://www.debian.org/security/2015/dsa-3168
----
+---
+layout: advisory
+title: 'CVE-2012-6684 (RedCloth): CVE-2012-6684 rubygem-RedCloth: XSS vulnerability'
+comments: false
+categories:
+- RedCloth
+advisory:
+ gem: RedCloth
+ cve: 2012-6684
+ ghsa: r23g-3qw4-gfh2
+ osvdb: 115941
+ url: https://co3k.org/blog/redcloth-unfixed-xss-en
+ title: 'CVE-2012-6684 rubygem-RedCloth: XSS vulnerability'
+ date: 2012-02-29
+ description: |
+ Cross-site scripting (XSS) vulnerability in the RedCloth library 4.2.9
+ for Ruby and earlier allows remote attackers to inject arbitrary
+ web script or HTML via a javascript: URI.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 4.3.0"
+ related:
+ url:
+ - http://co3k.org/blog/redcloth-unfixed-xss-en
+ - https://gist.github.com/co3k/75b3cb416c342aa1414c
+ - https://github.com/jgarber/redcloth/commit/2f6dab4d6aea5cee778d2f37a135637fe3f1573c
+ - https://github.com/jgarber/redcloth/commit/b24f03db023d1653d60dd33b28e09317cd77c6a0
+ - https://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
+ - https://web.archive.org/web/20150128115714/http://jgarber.lighthouseapp.com/projects/13054-redcloth/tickets/243-xss
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-6684
+ - https://github.com/advisories/GHSA-r23g-3qw4-gfh2
+ - http://seclists.org/fulldisclosure/2014/Dec/50
+ - http://www.debian.org/security/2015/dsa-3168
+---
diff --git a/advisories/_posts/2012-03-01-CVE-2012-1098.md b/advisories/_posts/2012-03-01-CVE-2012-1098.md
index 951ae787..7f218231 100644
--- a/advisories/_posts/2012-03-01-CVE-2012-1098.md
+++ b/advisories/_posts/2012-03-01-CVE-2012-1098.md
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2012-1098 (activesupport): CVE-2012-1098 rubygem-activesupport: XSS in - SafeBuffer#[] (unescaped safe buffers can be marked as safe)' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2012-1098 - osvdb: 79726 - ghsa: qv8p-v9qw-wc7g - url: https://nvd.nist.gov/vuln/detail/CVE-2012-1098 - title: 'CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe - buffers can be marked as safe)' - date: 2012-03-01 - description: | - Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before - 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject - arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated - through certain methods. - cvss_v2: 4.3 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - "~> 3.0.12" - - "~> 3.1.4" - - ">= 3.2.2" ---- +--- +layout: advisory +title: 'CVE-2012-1098 (activesupport): CVE-2012-1098 rubygem-activesupport: XSS in + SafeBuffer#[] (unescaped safe buffers can be marked as safe)' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2012-1098 + osvdb: 79726 + ghsa: qv8p-v9qw-wc7g + url: https://nvd.nist.gov/vuln/detail/CVE-2012-1098 + title: 'CVE-2012-1098 rubygem-activesupport: XSS in SafeBuffer#[] (unescaped safe + buffers can be marked as safe)' + date: 2012-03-01 + description: | + Cross-site scripting (XSS) vulnerability in Ruby on Rails 3.0.x before + 3.0.12, 3.1.x before 3.1.4, and 3.2.x before 3.2.2 allows remote attackers to inject + arbitrary web script or HTML via vectors involving a SafeBuffer object that is manipulated + through certain methods. + cvss_v2: 4.3 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - "~> 3.0.12" + - "~> 3.1.4" + - ">= 3.2.2" +--- 
diff --git a/advisories/_posts/2012-03-01-CVE-2012-1099.md b/advisories/_posts/2012-03-01-CVE-2012-1099.md index 4ff121c1..6edfdf78 100644 --- a/advisories/_posts/2012-03-01-CVE-2012-1099.md +++ b/advisories/_posts/2012-03-01-CVE-2012-1099.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2012-1099 (actionpack): CVE-2012-1099 rubygem-actionpack: XSS in the "select" - helper' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2012-1099 - osvdb: 79727 - ghsa: 2xjj-5x6h-8vmf - url: https://nvd.nist.gov/vuln/detail/CVE-2012-1099 - title: 'CVE-2012-1099 rubygem-actionpack: XSS in the "select" helper' - date: 2012-03-01 - description: | - Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb - in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and - 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML - via vectors involving certain generation of OPTION elements within SELECT elements. - cvss_v2: 4.3 - patched_versions: - - "~> 3.0.12" - - "~> 3.1.4" - - ">= 3.2.2" ---- +--- +layout: advisory +title: 'CVE-2012-1099 (actionpack): CVE-2012-1099 rubygem-actionpack: XSS in the "select" + helper' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2012-1099 + osvdb: 79727 + ghsa: 2xjj-5x6h-8vmf + url: https://nvd.nist.gov/vuln/detail/CVE-2012-1099 + title: 'CVE-2012-1099 rubygem-actionpack: XSS in the "select" helper' + date: 2012-03-01 + description: | + Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb + in the select helper in Ruby on Rails 3.0.x before 3.0.12, 3.1.x before 3.1.4, and + 3.2.x before 3.2.2 allows remote attackers to inject arbitrary web script or HTML + via vectors involving certain generation of OPTION elements within SELECT elements. + cvss_v2: 4.3 + patched_versions: + - "~> 3.0.12" + - "~> 3.1.4" + - ">= 3.2.2" +--- diff --git a/advisories/_posts/2012-03-14-CVE-2012-2139.md b/advisories/_posts/2012-03-14-CVE-2012-2139.md index 07f90098..19621657 100644 --- a/advisories/_posts/2012-03-14-CVE-2012-2139.md 
+++ b/advisories/_posts/2012-03-14-CVE-2012-2139.md @@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2012-2139 (mail): CVE-2012-2139 rubygem-mail: directory traversal' -comments: false -categories: -- mail -advisory: - gem: mail - cve: 2012-2139 - osvdb: 81631 - ghsa: cj92-c4fj-w9c5 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2139 - title: 'CVE-2012-2139 rubygem-mail: directory traversal' - date: 2012-03-14 - description: | - Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb - in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary - files via a .. (dot dot) in the to parameter. - cvss_v2: 5.0 - patched_versions: - - ">= 2.4.4" ---- +--- +layout: advisory +title: 'CVE-2012-2139 (mail): CVE-2012-2139 rubygem-mail: directory traversal' +comments: false +categories: +- mail +advisory: + gem: mail + cve: 2012-2139 + osvdb: 81631 + ghsa: cj92-c4fj-w9c5 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2139 + title: 'CVE-2012-2139 rubygem-mail: directory traversal' + date: 2012-03-14 + description: | + Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb + in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary + files via a .. (dot dot) in the to parameter. + cvss_v2: 5.0 + patched_versions: + - ">= 2.4.4" +--- diff --git a/advisories/_posts/2012-03-14-CVE-2012-2140.md b/advisories/_posts/2012-03-14-CVE-2012-2140.md index 46c71191..dd196cda 100644 --- a/advisories/_posts/2012-03-14-CVE-2012-2140.md +++ b/advisories/_posts/2012-03-14-CVE-2012-2140.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2012-2140 (mail): CVE-2012-2140 rubygem-mail: arbitrary command execution - when using exim or sendmail from commandline' -comments: false -categories: -- mail -advisory: - gem: mail - cve: 2012-2140 - osvdb: 81632 - ghsa: rp63-jfmw-532w - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2140 - title: 'CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim - or sendmail from commandline' - date: 2012-03-14 - description: | - The Mail gem before 2.4.3 for Ruby allows remote attackers to execute - arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery. - cvss_v2: 7.5 - patched_versions: - - ">= 2.4.4" ---- +--- +layout: advisory +title: 'CVE-2012-2140 (mail): CVE-2012-2140 rubygem-mail: arbitrary command execution + when using exim or sendmail from commandline' +comments: false +categories: +- mail +advisory: + gem: mail + cve: 2012-2140 + osvdb: 81632 + ghsa: rp63-jfmw-532w + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2140 + title: 'CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim + or sendmail from commandline' + date: 2012-03-14 + description: | + The Mail gem before 2.4.3 for Ruby allows remote attackers to execute + arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery. + cvss_v2: 7.5 + patched_versions: + - ">= 2.4.4" +--- diff --git a/advisories/_posts/2012-04-20-CVE-2012-2126.md b/advisories/_posts/2012-04-20-CVE-2012-2126.md index e49b030a..a3344ee4 100644 --- a/advisories/_posts/2012-04-20-CVE-2012-2126.md +++ b/advisories/_posts/2012-04-20-CVE-2012-2126.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2012-2126 (rubygems-update): CVE-2012-2125 CVE-2012-2126 rubygems: Two - security fixes in v1.8.23' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2012-2126 - osvdb: 81444 - ghsa: 5mgj-mvv8-46mw - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2126 - title: 'CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23' - date: 2012-04-20 - description: | - RubyGems before 1.8.23 does not verify an SSL certificate, which allows - remote attackers to modify a gem during installation via a man-in-the-middle attack. - cvss_v2: 4.3 - patched_versions: - - ">= 1.8.23" ---- +--- +layout: advisory +title: 'CVE-2012-2126 (rubygems-update): CVE-2012-2125 CVE-2012-2126 rubygems: Two + security fixes in v1.8.23' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2012-2126 + osvdb: 81444 + ghsa: 5mgj-mvv8-46mw + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2126 + title: 'CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23' + date: 2012-04-20 + description: | + RubyGems before 1.8.23 does not verify an SSL certificate, which allows + remote attackers to modify a gem during installation via a man-in-the-middle attack. + cvss_v2: 4.3 + patched_versions: + - ">= 1.8.23" +--- diff --git a/advisories/_posts/2012-05-04-CVE-2012-6109.md b/advisories/_posts/2012-05-04-CVE-2012-6109.md index 6909fa66..42b05001 100644 --- a/advisories/_posts/2012-05-04-CVE-2012-6109.md +++ b/advisories/_posts/2012-05-04-CVE-2012-6109.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2012-6109 (rack): CVE-2012-6109 rubygem-rack: parsing Content-Disposition - header DoS' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2012-6109 - osvdb: 89317 - ghsa: h77x-m5q8-c29h - url: https://nvd.nist.gov/vuln/detail/CVE-2012-6109 - title: 'CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS' - date: 2012-05-04 - description: | - lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x - before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which - allows remote attackers to cause a denial of service (infinite loop) via a crafted - Content-Disposion header. - cvss_v2: 4.3 - patched_versions: - - "~> 1.1.4" - - "~> 1.2.6" - - "~> 1.3.7" - - ">= 1.4.2" ---- +--- +layout: advisory +title: 'CVE-2012-6109 (rack): CVE-2012-6109 rubygem-rack: parsing Content-Disposition + header DoS' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2012-6109 + osvdb: 89317 + ghsa: h77x-m5q8-c29h + url: https://nvd.nist.gov/vuln/detail/CVE-2012-6109 + title: 'CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS' + date: 2012-05-04 + description: | + lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x + before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which + allows remote attackers to cause a denial of service (infinite loop) via a crafted + Content-Disposion header. + cvss_v2: 4.3 + patched_versions: + - "~> 1.1.4" + - "~> 1.2.6" + - "~> 1.3.7" + - ">= 1.4.2" +--- diff --git a/advisories/_posts/2012-05-29-CVE-2012-1053.md b/advisories/_posts/2012-05-29-CVE-2012-1053.md index c825aeae..10fb9395 100644 --- a/advisories/_posts/2012-05-29-CVE-2012-1053.md +++ b/advisories/_posts/2012-05-29-CVE-2012-1053.md 
@@ -1,44 +1,44 @@ ---- -layout: advisory -title: 'CVE-2012-1053 (puppet): Puppet Privilege Escallation' -comments: false -categories: -- puppet -advisory: - gem: puppet - cve: 2012-1053 - ghsa: 77hg-g8cc-5r37 - url: https://web.archive.org/web/20120504011717/http://puppetlabs.com/security/cve/cve-2012-1053 - title: Puppet Privilege Escallation - date: 2012-05-29 - description: | - The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) - in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) - Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, - which allows local users to gain privileges via vectors related to (1) the change_user - not dropping supplementary groups in certain conditions, (2) changes to the eguid - without associated changes to the egid, or (3) the addition of the real gid to supplementary - groups. - cvss_v2: 6.5 - unaffected_versions: - - "< 2.6" - patched_versions: - - "~> 2.6.14" - - ">= 2.7.11" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2012-1053 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/73445 - - https://hermes.opensuse.org/messages/15087408 - - https://github.com/puppetlabs/puppet/commit/76d0749f0a9a496b70e7dc7e6d6d6ff692224e36 - - https://lists.opensuse.org/opensuse-security-announce/2012-03/msg00003.html - - https://ubuntu.com/usn/usn-1372-1 - - https://web.archive.org/web/20120504011717/http://puppetlabs.com/security/cve/cve-2012-1053 - - https://web.archive.org/web/20120513215447/http://projects.puppetlabs.com/issues/12458 - - https://web.archive.org/web/20120513215653/http://projects.puppetlabs.com/issues/12457 - - https://web.archive.org/web/20120513223437/http://projects.puppetlabs.com/issues/12459 - - https://web.archive.org/web/20120527071855/http://www.securityfocus.com/bid/52158 - - https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 - - 
https://www.debian.org/security/2012/dsa-2419 - - https://github.com/advisories/GHSA-77hg-g8cc-5r37 ---- +--- +layout: advisory +title: 'CVE-2012-1053 (puppet): Puppet Privilege Escallation' +comments: false +categories: +- puppet +advisory: + gem: puppet + cve: 2012-1053 + ghsa: 77hg-g8cc-5r37 + url: https://web.archive.org/web/20120504011717/http://puppetlabs.com/security/cve/cve-2012-1053 + title: Puppet Privilege Escallation + date: 2012-05-29 + description: | + The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) + in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) + Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, + which allows local users to gain privileges via vectors related to (1) the change_user + not dropping supplementary groups in certain conditions, (2) changes to the eguid + without associated changes to the egid, or (3) the addition of the real gid to supplementary + groups. + cvss_v2: 6.5 + unaffected_versions: + - "< 2.6" + patched_versions: + - "~> 2.6.14" + - ">= 2.7.11" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2012-1053 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/73445 + - https://hermes.opensuse.org/messages/15087408 + - https://github.com/puppetlabs/puppet/commit/76d0749f0a9a496b70e7dc7e6d6d6ff692224e36 + - https://lists.opensuse.org/opensuse-security-announce/2012-03/msg00003.html + - https://ubuntu.com/usn/usn-1372-1 + - https://web.archive.org/web/20120504011717/http://puppetlabs.com/security/cve/cve-2012-1053 + - https://web.archive.org/web/20120513215447/http://projects.puppetlabs.com/issues/12458 + - https://web.archive.org/web/20120513215653/http://projects.puppetlabs.com/issues/12457 + - https://web.archive.org/web/20120513223437/http://projects.puppetlabs.com/issues/12459 + - https://web.archive.org/web/20120527071855/http://www.securityfocus.com/bid/52158 + - 
https://web.archive.org/web/20120816020421/http://projects.puppetlabs.com/projects/1/wiki/Release_Notes#2.6.14 + - https://www.debian.org/security/2012/dsa-2419 + - https://github.com/advisories/GHSA-77hg-g8cc-5r37 +--- diff --git a/advisories/_posts/2012-05-29-CVE-2012-1906.md b/advisories/_posts/2012-05-29-CVE-2012-1906.md index bb2c4b79..bda10444 100644 --- a/advisories/_posts/2012-05-29-CVE-2012-1906.md +++ b/advisories/_posts/2012-05-29-CVE-2012-1906.md 
@@ -1,36 +1,36 @@ ---- -layout: advisory -title: 'CVE-2012-1906 (puppet): Puppet uses predictable filenames, allowing arbitrary - file overwrite' -comments: false -categories: -- puppet -advisory: - gem: puppet - cve: 2012-1906 - ghsa: c4mc-49hq-q275 - url: https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 - title: Puppet uses predictable filenames, allowing arbitrary file overwrite - date: 2012-05-29 - description: | - Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise - (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file - names when installing Mac OS X packages from a remote source, which allows local - users to overwrite arbitrary files or install arbitrary packages via a symlink attack - on a temporary file in /tmp. - cvss_v2: 3.3 - unaffected_versions: - - "< 2.6" - patched_versions: - - "~> 2.6.15" - - ">= 2.7.13" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2012-1906 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 - - https://github.com/puppetlabs/puppet/commit/f7829ec1f1b2c3def8e0eda09c22c3c1fed3a27f - - https://ubuntu.com/usn/usn-1419-1 - - https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975 - - https://www.debian.org/security/2012/dsa-2451 - - https://github.com/advisories/GHSA-c4mc-49hq-q275 ---- +--- +layout: advisory +title: 'CVE-2012-1906 (puppet): Puppet uses predictable filenames, allowing arbitrary + file overwrite' +comments: false +categories: +- puppet +advisory: + gem: puppet + cve: 2012-1906 + ghsa: c4mc-49hq-q275 + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 + title: Puppet uses predictable filenames, allowing arbitrary file overwrite + date: 2012-05-29 + description: | + Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise + (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file + names when installing Mac OS X packages from a remote source, which allows 
local + users to overwrite arbitrary files or install arbitrary packages via a symlink attack + on a temporary file in /tmp. + cvss_v2: 3.3 + unaffected_versions: + - "< 2.6" + patched_versions: + - "~> 2.6.15" + - ">= 2.7.13" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2012-1906 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/74793 + - https://github.com/puppetlabs/puppet/commit/f7829ec1f1b2c3def8e0eda09c22c3c1fed3a27f + - https://ubuntu.com/usn/usn-1419-1 + - https://web.archive.org/web/20120415105345/http://www.securityfocus.com/bid/52975 + - https://www.debian.org/security/2012/dsa-2451 + - https://github.com/advisories/GHSA-c4mc-49hq-q275 +--- diff --git a/advisories/_posts/2012-05-31-CVE-2012-2660.md b/advisories/_posts/2012-05-31-CVE-2012-2660.md index fbba268e..df45794b 100644 --- a/advisories/_posts/2012-05-31-CVE-2012-2660.md +++ b/advisories/_posts/2012-05-31-CVE-2012-2660.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2012-2660 (activerecord): CVE-2012-2660 rubygem-actionpack: Unsafe query - generation' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2012-2660 - osvdb: 82610 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2660 - title: 'CVE-2012-2660 rubygem-actionpack: Unsafe query generation' - date: 2012-05-31 - description: | - actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before - 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences - in parameter handling between the Active Record component and the Rack interface, - which allows remote attackers to bypass intended database-query restrictions and - perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, - a related issue to CVE-2012-2694. - cvss_v2: 7.5 - patched_versions: - - "~> 3.0.13" - - "~> 3.1.5" - - ">= 3.2.4" ---- +--- +layout: advisory +title: 'CVE-2012-2660 (activerecord): CVE-2012-2660 rubygem-actionpack: Unsafe query + generation' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2012-2660 + osvdb: 82610 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2660 + title: 'CVE-2012-2660 rubygem-actionpack: Unsafe query generation' + date: 2012-05-31 + description: | + actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before + 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly consider differences + in parameter handling between the Active Record component and the Rack interface, + which allows remote attackers to bypass intended database-query restrictions and + perform NULL checks via a crafted request, as demonstrated by certain "[nil]" values, + a related issue to CVE-2012-2694. + cvss_v2: 7.5 + patched_versions: + - "~> 3.0.13" + - "~> 3.1.5" + - ">= 3.2.4" +--- 
diff --git a/advisories/_posts/2012-05-31-CVE-2012-2661.md b/advisories/_posts/2012-05-31-CVE-2012-2661.md index 73cf139b..4f148901 100644 --- a/advisories/_posts/2012-05-31-CVE-2012-2661.md +++ b/advisories/_posts/2012-05-31-CVE-2012-2661.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2012-2661 (activerecord): CVE-2012-2661 rubygem-activerecord: SQL injection - when processing nested query paramaters' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2012-2661 - osvdb: 82403 - ghsa: fh39-v733-mxfr - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2661 - title: 'CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested - query paramaters' - date: 2012-05-31 - description: | - The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x - before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of - request data to a where method in an ActiveRecord class, which allows remote attackers - to conduct certain SQL injection attacks via nested query parameters that leverage - unintended recursion, a related issue to CVE-2012-2695. - cvss_v2: 5.0 - unaffected_versions: - - "~> 2.3.14" - patched_versions: - - "~> 3.0.13" - - "~> 3.1.5" - - ">= 3.2.4" ---- +--- +layout: advisory +title: 'CVE-2012-2661 (activerecord): CVE-2012-2661 rubygem-activerecord: SQL injection + when processing nested query paramaters' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2012-2661 + osvdb: 82403 + ghsa: fh39-v733-mxfr + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2661 + title: 'CVE-2012-2661 rubygem-activerecord: SQL injection when processing nested + query paramaters' + date: 2012-05-31 + description: | + The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x + before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of + request data to a where method in an ActiveRecord class, which allows remote attackers + to conduct certain SQL injection attacks via nested query parameters that leverage + unintended recursion, a related issue to CVE-2012-2695. 
+ cvss_v2: 5.0 + unaffected_versions: + - "~> 2.3.14" + patched_versions: + - "~> 3.0.13" + - "~> 3.1.5" + - ">= 3.2.4" +--- diff --git a/advisories/_posts/2012-06-06-CVE-2012-2671.md b/advisories/_posts/2012-06-06-CVE-2012-2671.md index 90421f01..7807483a 100644 --- a/advisories/_posts/2012-06-06-CVE-2012-2671.md +++ b/advisories/_posts/2012-06-06-CVE-2012-2671.md @@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2012-2671 (rack-cache): rack-cache Rubygem Sensitive HTTP Header Caching - Weakness' -comments: false -categories: -- rack-cache -advisory: - gem: rack-cache - cve: 2012-2671 - osvdb: 83077 - ghsa: hrp6-w4v2-8737 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2671 - title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness - date: 2012-06-06 - description: | - Rack::Cache (rack-cache) contains a flaw related to the rubygem caching - sensitive HTTP headers. This will result in a weakness that may make it - easier for an attacker to gain access to a user's session via a specially - crafted header. - cvss_v2: 7.5 - patched_versions: - - ">= 1.2" ---- +--- +layout: advisory +title: 'CVE-2012-2671 (rack-cache): rack-cache Rubygem Sensitive HTTP Header Caching + Weakness' +comments: false +categories: +- rack-cache +advisory: + gem: rack-cache + cve: 2012-2671 + osvdb: 83077 + ghsa: hrp6-w4v2-8737 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2671 + title: rack-cache Rubygem Sensitive HTTP Header Caching Weakness + date: 2012-06-06 + description: | + Rack::Cache (rack-cache) contains a flaw related to the rubygem caching + sensitive HTTP headers. This will result in a weakness that may make it + easier for an attacker to gain access to a user's session via a specially + crafted header. + cvss_v2: 7.5 + patched_versions: + - ">= 1.2" +--- diff --git a/advisories/_posts/2012-06-08-CVE-2012-6685.md b/advisories/_posts/2012-06-08-CVE-2012-6685.md index 743058e2..2e4a3222 100644 --- a/advisories/_posts/2012-06-08-CVE-2012-6685.md 
+++ b/advisories/_posts/2012-06-08-CVE-2012-6685.md @@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2012-6685 (nokogiri): CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity - (XXE) flaw' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2012-6685 - osvdb: 90946 - ghsa: 6wj9-77wq-jq7p - url: https://nvd.nist.gov/vuln/detail/CVE-2012-6685 - title: 'CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity (XXE) flaw' - date: 2012-06-08 - description: 'Nokogiri before 1.5.4 is vulnerable to XXE attacks - - ' - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 1.5.4" ---- +--- +layout: advisory +title: 'CVE-2012-6685 (nokogiri): CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity + (XXE) flaw' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2012-6685 + osvdb: 90946 + ghsa: 6wj9-77wq-jq7p + url: https://nvd.nist.gov/vuln/detail/CVE-2012-6685 + title: 'CVE-2012-6685 rubygem-nokogiri: XML eXternal Entity (XXE) flaw' + date: 2012-06-08 + description: 'Nokogiri before 1.5.4 is vulnerable to XXE attacks + + ' + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 1.5.4" +--- diff --git a/advisories/_posts/2012-07-02-OSVDB-125712.md b/advisories/_posts/2012-07-02-OSVDB-125712.md index eb59c787..5f5d033d 100644 --- a/advisories/_posts/2012-07-02-OSVDB-125712.md +++ b/advisories/_posts/2012-07-02-OSVDB-125712.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'OSVDB-125712 (spree): Product Scopes could allow for unauthenticated remote - command execution' -comments: false -categories: -- spree -advisory: - gem: spree - osvdb: 125712 - url: https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions - title: Product Scopes could allow for unauthenticated remote command execution - date: 2012-07-02 - description: | - Product Scopes could allow for unauthenticated remote command execution. - This was corrected by removing conditions_any scope and use ARel query - building instead. - patched_versions: - - "~> 0.11.4" - - "~> 0.70.6" - - "~> 1.0.5" - - ">= 1.1.2" - related: - url: - - https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions - - https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20034 ---- +--- +layout: advisory +title: 'OSVDB-125712 (spree): Product Scopes could allow for unauthenticated remote + command execution' +comments: false +categories: +- spree +advisory: + gem: spree + osvdb: 125712 + url: https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions + title: Product Scopes could allow for unauthenticated remote command execution + date: 2012-07-02 + description: | + Product Scopes could allow for unauthenticated remote command execution. + This was corrected by removing conditions_any scope and use ARel query + building instead. + patched_versions: + - "~> 0.11.4" + - "~> 0.70.6" + - "~> 1.0.5" + - ">= 1.1.2" + related: + url: + - https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions + - https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20034 +--- diff --git a/advisories/_posts/2012-07-02-OSVDB-125713.md b/advisories/_posts/2012-07-02-OSVDB-125713.md index 602ef0d4..59155b75 100644 --- a/advisories/_posts/2012-07-02-OSVDB-125713.md +++ b/advisories/_posts/2012-07-02-OSVDB-125713.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'OSVDB-125713 (spree): Potential XSS vulnerability related to the analytics - dashboard' -comments: false -categories: -- spree -advisory: - gem: spree - osvdb: 125713 - url: https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions - title: Potential XSS vulnerability related to the analytics dashboard - date: 2012-07-02 - description: | - Spree has a flaw in its analytics dashboard where - keywords are not escaped, leading to potential XSS. - patched_versions: - - "~> 0.11.4" - - "~> 0.70.6" - - "~> 1.0.5" - - ">= 1.1.2" - related: - url: - - https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions ---- +--- +layout: advisory +title: 'OSVDB-125713 (spree): Potential XSS vulnerability related to the analytics + dashboard' +comments: false +categories: +- spree +advisory: + gem: spree + osvdb: 125713 + url: https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions + title: Potential XSS vulnerability related to the analytics dashboard + date: 2012-07-02 + description: | + Spree has a flaw in its analytics dashboard where + keywords are not escaped, leading to potential XSS. + patched_versions: + - "~> 0.11.4" + - "~> 0.70.6" + - "~> 1.0.5" + - ">= 1.1.2" + related: + url: + - https://web.archive.org/web/20121126005814/https://spreecommerce.com/blog/security-issue-all-versions +--- diff --git a/advisories/_posts/2012-07-26-CVE-2012-3424.md b/advisories/_posts/2012-07-26-CVE-2012-3424.md index 2de76573..4379064f 100644 --- a/advisories/_posts/2012-07-26-CVE-2012-3424.md +++ b/advisories/_posts/2012-07-26-CVE-2012-3424.md 
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2012-3424 (actionpack): CVE-2012-3424 rubygem-actionpack: DoS vulnerability - in authenticate_or_request_with_http_digest' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2012-3424 - osvdb: 84243 - ghsa: 92w9-2pqw-rhjj - url: https://nvd.nist.gov/vuln/detail/CVE-2012-3424 - title: 'CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest' - date: 2012-07-26 - description: | - The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb - in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts - Digest Authentication strings to symbols, which allows remote attackers to cause - a denial of service by leveraging access to an application that uses a with_http_digest - helper method, as demonstrated by the authenticate_or_request_with_http_digest method. - cvss_v2: 5.0 - unaffected_versions: - - ">= 2.3.5, <= 2.3.14" - patched_versions: - - "~> 3.0.16" - - "~> 3.1.7" - - ">= 3.2.7" ---- +--- +layout: advisory +title: 'CVE-2012-3424 (actionpack): CVE-2012-3424 rubygem-actionpack: DoS vulnerability + in authenticate_or_request_with_http_digest' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2012-3424 + osvdb: 84243 + ghsa: 92w9-2pqw-rhjj + url: https://nvd.nist.gov/vuln/detail/CVE-2012-3424 + title: 'CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest' + date: 2012-07-26 + description: | + The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb + in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts + Digest Authentication strings to symbols, which allows remote attackers to cause + a denial of service by leveraging access to an application that uses a with_http_digest + helper 
method, as demonstrated by the authenticate_or_request_with_http_digest method. + cvss_v2: 5.0 + unaffected_versions: + - ">= 2.3.5, <= 2.3.14" + patched_versions: + - "~> 3.0.16" + - "~> 3.1.7" + - ">= 3.2.7" +--- diff --git a/advisories/_posts/2012-08-08-CVE-2010-5142.md b/advisories/_posts/2012-08-08-CVE-2010-5142.md index ab123a42..04afc135 100644 --- a/advisories/_posts/2012-08-08-CVE-2010-5142.md +++ b/advisories/_posts/2012-08-08-CVE-2010-5142.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2010-5142 (chef): Chef Improper Access Control Vulnerability' -comments: false -categories: -- chef -advisory: - gem: chef - cve: 2010-5142 - ghsa: f68m-q26r-64f6 - url: https://github.com/advisories/GHSA-f68m-q26r-64f6 - title: Chef Improper Access Control Vulnerability - date: 2012-08-08 - description: | - `chef-server-api/app/controllers/users.rb` in the API in Chef before - 0.9.0 does not require administrative privileges for the create, - destroy, and update methods, which allows remote authenticated - users to manage user accounts via requests to the /users URI. - cvss_v2: 6.5 - patched_versions: - - ">= 0.9.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2010-5142 - - https://vuldb.com/?id.61514 - - http://tickets.opscode.com/browse/CHEF-1289 - - https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8 - - https://github.com/advisories/GHSA-f68m-q26r-64f6 ---- +--- +layout: advisory +title: 'CVE-2010-5142 (chef): Chef Improper Access Control Vulnerability' +comments: false +categories: +- chef +advisory: + gem: chef + cve: 2010-5142 + ghsa: f68m-q26r-64f6 + url: https://github.com/advisories/GHSA-f68m-q26r-64f6 + title: Chef Improper Access Control Vulnerability + date: 2012-08-08 + description: | + `chef-server-api/app/controllers/users.rb` in the API in Chef before + 0.9.0 does not require administrative privileges for the create, + destroy, and update methods, which allows remote authenticated + users to manage user accounts via requests to the /users URI. + cvss_v2: 6.5 + patched_versions: + - ">= 0.9.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2010-5142 + - https://vuldb.com/?id.61514 + - http://tickets.opscode.com/browse/CHEF-1289 + - https://github.com/opscode/chef/commit/c3bb41f727fbe00e5de719d687757b24c8dcdfc8 + - https://github.com/advisories/GHSA-f68m-q26r-64f6 +--- 
diff --git a/advisories/_posts/2012-08-09-CVE-2012-3463.md b/advisories/_posts/2012-08-09-CVE-2012-3463.md index 2fcaa7a5..c935c302 100644 --- a/advisories/_posts/2012-08-09-CVE-2012-3463.md +++ b/advisories/_posts/2012-08-09-CVE-2012-3463.md 
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2012-3463 (actionpack): CVE-2012-3463 rubygem-actionpack: potential XSS - vulnerability in select_tag prompt' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2012-3463 - osvdb: 84515 - ghsa: 98mf-8f57-64qf - url: https://nvd.nist.gov/vuln/detail/CVE-2012-3463 - title: 'CVE-2012-3463 rubygem-actionpack: potential XSS vulnerability in select_tag - prompt' - date: 2012-08-09 - description: | - Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb - in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows - remote attackers to inject arbitrary web script or HTML via the prompt field to - the select_tag helper. - cvss_v2: 4.3 - unaffected_versions: - - "~> 2.3.0" - patched_versions: - - "~> 3.0.17" - - "~> 3.1.8" - - ">= 3.2.8" ---- +--- +layout: advisory +title: 'CVE-2012-3463 (actionpack): CVE-2012-3463 rubygem-actionpack: potential XSS + vulnerability in select_tag prompt' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2012-3463 + osvdb: 84515 + ghsa: 98mf-8f57-64qf + url: https://nvd.nist.gov/vuln/detail/CVE-2012-3463 + title: 'CVE-2012-3463 rubygem-actionpack: potential XSS vulnerability in select_tag + prompt' + date: 2012-08-09 + description: | + Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb + in Ruby on Rails 3.x before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 allows + remote attackers to inject arbitrary web script or HTML via the prompt field to + the select_tag helper. + cvss_v2: 4.3 + unaffected_versions: + - "~> 2.3.0" + patched_versions: + - "~> 3.0.17" + - "~> 3.1.8" + - ">= 3.2.8" +--- diff --git a/advisories/_posts/2012-08-09-CVE-2012-3464.md b/advisories/_posts/2012-08-09-CVE-2012-3464.md index 846d1fd4..9b85c039 100644 
--- a/advisories/_posts/2012-08-09-CVE-2012-3464.md +++ b/advisories/_posts/2012-08-09-CVE-2012-3464.md @@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2012-3464 (activesupport): CVE-2012-3464 rubygem-actionpack: potential - XSS vulnerability' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2012-3464 - osvdb: 84516 - ghsa: h835-75hw-pj89 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-3464 - title: 'CVE-2012-3464 rubygem-actionpack: potential XSS vulnerability' - date: 2012-08-09 - description: | - Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb - in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might - allow remote attackers to inject arbitrary web script or HTML via vectors involving - a ' (quote) character. - cvss_v2: 4.3 - patched_versions: - - "~> 3.0.17" - - "~> 3.1.8" - - ">= 3.2.8" ---- +--- +layout: advisory +title: 'CVE-2012-3464 (activesupport): CVE-2012-3464 rubygem-actionpack: potential + XSS vulnerability' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2012-3464 + osvdb: 84516 + ghsa: h835-75hw-pj89 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-3464 + title: 'CVE-2012-3464 rubygem-actionpack: potential XSS vulnerability' + date: 2012-08-09 + description: | + Cross-site scripting (XSS) vulnerability in activesupport/lib/active_support/core_ext/string/output_safety.rb + in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and 3.2.x before 3.2.8 might + allow remote attackers to inject arbitrary web script or HTML via vectors involving + a ' (quote) character. + cvss_v2: 4.3 + patched_versions: + - "~> 3.0.17" + - "~> 3.1.8" + - ">= 3.2.8" +--- diff --git a/advisories/_posts/2012-08-09-CVE-2012-3465.md b/advisories/_posts/2012-08-09-CVE-2012-3465.md index 804174e8..30cd7d39 100644 
--- a/advisories/_posts/2012-08-09-CVE-2012-3465.md +++ b/advisories/_posts/2012-08-09-CVE-2012-3465.md @@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2012-3465 (actionpack): CVE-2012-3465 rubygem-actionpack: XSS Vulnerability - in strip_tags' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2012-3465 - osvdb: 84513 - ghsa: 7g65-ghrg-hpf5 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-3465 - title: 'CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags' - date: 2012-08-09 - description: | - Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb - in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and - 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML - via malformed HTML markup. - cvss_v2: 4.3 - patched_versions: - - "~> 3.0.17" - - "~> 3.1.8" - - ">= 3.2.8" ---- +--- +layout: advisory +title: 'CVE-2012-3465 (actionpack): CVE-2012-3465 rubygem-actionpack: XSS Vulnerability + in strip_tags' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2012-3465 + osvdb: 84513 + ghsa: 7g65-ghrg-hpf5 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-3465 + title: 'CVE-2012-3465 rubygem-actionpack: XSS Vulnerability in strip_tags' + date: 2012-08-09 + description: | + Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb + in the strip_tags helper in Ruby on Rails before 3.0.17, 3.1.x before 3.1.8, and + 3.2.x before 3.2.8 allows remote attackers to inject arbitrary web script or HTML + via malformed HTML markup. + cvss_v2: 4.3 + patched_versions: + - "~> 3.0.17" + - "~> 3.1.8" + - ">= 3.2.8" +--- diff --git a/advisories/_posts/2012-09-08-CVE-2012-6134.md b/advisories/_posts/2012-09-08-CVE-2012-6134.md index 6f7eba59..37da735d 100644 --- a/advisories/_posts/2012-09-08-CVE-2012-6134.md 
+++ b/advisories/_posts/2012-09-08-CVE-2012-6134.md @@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2012-6134 (omniauth-oauth2): Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability' -comments: false -categories: -- omniauth-oauth2 -advisory: - gem: omniauth-oauth2 - cve: 2012-6134 - osvdb: 90264 - ghsa: fgmx-8h93-26fh - url: https://nvd.nist.gov/vuln/detail/CVE-2012-6134 - title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability - date: 2012-09-08 - description: | - The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to - inject values into a user's session through a CSRF attack. - cvss_v2: 6.8 - patched_versions: - - ">= 1.1.1" ---- +--- +layout: advisory +title: 'CVE-2012-6134 (omniauth-oauth2): Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability' +comments: false +categories: +- omniauth-oauth2 +advisory: + gem: omniauth-oauth2 + cve: 2012-6134 + osvdb: 90264 + ghsa: fgmx-8h93-26fh + url: https://nvd.nist.gov/vuln/detail/CVE-2012-6134 + title: Ruby on Rails omniauth-oauth2 Gem CSRF vulnerability + date: 2012-09-08 + description: | + The omniauth-oauth2 Ruby Gem contains a flaw that allows an attacker to + inject values into a user's session through a CSRF attack. + cvss_v2: 6.8 + patched_versions: + - ">= 1.1.1" +--- diff --git a/advisories/_posts/2012-09-08-OSVDB-90945.md b/advisories/_posts/2012-09-08-OSVDB-90945.md index cd7f6427..7d25884b 100644 --- a/advisories/_posts/2012-09-08-OSVDB-90945.md +++ b/advisories/_posts/2012-09-08-OSVDB-90945.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'OSVDB-90945 (loofah): Loofah HTML and XSS injection vulnerability' -comments: false -categories: -- loofah -advisory: - gem: loofah - osvdb: 90945 - url: https://security.snyk.io/vuln/SNYK-RUBY-LOOFAH-20039 - title: Loofah HTML and XSS injection vulnerability - date: 2012-09-08 - description: | - Loofah Gem for Ruby contains a flaw that allows a remote cross-site - scripting (XSS) attack. This flaw exists because the - Loofah::HTML::Document\#text function passes properly sanitized - user-supplied input to the Loofah::XssFoliate and - Loofah::Helpers\#strip_tags functions which convert input back to - text. This may allow an attacker to create a specially crafted - request that would execute arbitrary script code in a user's browser - within the trust relationship between their browser and the server. - cvss_v2: 5.0 - patched_versions: - - ">= 0.4.6" - related: - url: - - https://github.com/flavorjones/loofah/compare/v0.4.5...v0.4.6 - - https://security.snyk.io/vuln/SNYK-RUBY-LOOFAH-20039 - - https://www.versioneye.com/Ruby/loofah/0.4.2 - - https://www.mend.io/vulnerability-database/WS-2012-0023 - - http://www.osvdb.org/show/osvdb/90945 ---- +--- +layout: advisory +title: 'OSVDB-90945 (loofah): Loofah HTML and XSS injection vulnerability' +comments: false +categories: +- loofah +advisory: + gem: loofah + osvdb: 90945 + url: https://security.snyk.io/vuln/SNYK-RUBY-LOOFAH-20039 + title: Loofah HTML and XSS injection vulnerability + date: 2012-09-08 + description: | + Loofah Gem for Ruby contains a flaw that allows a remote cross-site + scripting (XSS) attack. This flaw exists because the + Loofah::HTML::Document\#text function passes properly sanitized + user-supplied input to the Loofah::XssFoliate and + Loofah::Helpers\#strip_tags functions which convert input back to + text. 
This may allow an attacker to create a specially crafted + request that would execute arbitrary script code in a user's browser + within the trust relationship between their browser and the server. + cvss_v2: 5.0 + patched_versions: + - ">= 0.4.6" + related: + url: + - https://github.com/flavorjones/loofah/compare/v0.4.5...v0.4.6 + - https://security.snyk.io/vuln/SNYK-RUBY-LOOFAH-20039 + - https://www.versioneye.com/Ruby/loofah/0.4.2 + - https://www.mend.io/vulnerability-database/WS-2012-0023 + - http://www.osvdb.org/show/osvdb/90945 +--- diff --git a/advisories/_posts/2012-09-25-CVE-2012-2125.md b/advisories/_posts/2012-09-25-CVE-2012-2125.md index 733853ef..2a290230 100644 --- a/advisories/_posts/2012-09-25-CVE-2012-2125.md +++ b/advisories/_posts/2012-09-25-CVE-2012-2125.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2012-2125 (rubygems-update): CVE-2012-2125 CVE-2012-2126 rubygems: Two - security fixes in v1.8.23' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2012-2125 - osvdb: 85809 - ghsa: 228f-g3h7-3fj3 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-2125 - title: 'CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23' - date: 2012-09-25 - description: | - RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which - makes it easier for remote attackers to observe or modify a gem during - installation via a man-in-the-middle attack. - cvss_v2: 5.8 - patched_versions: - - ">= 1.8.23" ---- +--- +layout: advisory +title: 'CVE-2012-2125 (rubygems-update): CVE-2012-2125 CVE-2012-2126 rubygems: Two + security fixes in v1.8.23' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2012-2125 + osvdb: 85809 + ghsa: 228f-g3h7-3fj3 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-2125 + title: 'CVE-2012-2125 CVE-2012-2126 rubygems: Two security fixes in v1.8.23' + date: 2012-09-25 + description: | + RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which + makes it easier for remote attackers to observe or modify a gem during + installation via a man-in-the-middle attack. + cvss_v2: 5.8 + patched_versions: + - ">= 1.8.23" +--- diff --git a/advisories/_posts/2012-12-04-CVE-2012-5604.md b/advisories/_posts/2012-12-04-CVE-2012-5604.md index 7ebdfeac..dd0b57c1 100644 --- a/advisories/_posts/2012-12-04-CVE-2012-5604.md +++ b/advisories/_posts/2012-12-04-CVE-2012-5604.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2012-5604 (ldap_fluff): CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication - bypass when handling anonymous LDAP bind' -comments: false -categories: -- ldap_fluff -advisory: - gem: ldap_fluff - cve: 2012-5604 - osvdb: 90579 - ghsa: 9whh-582r-589h - url: https://nvd.nist.gov/vuln/detail/CVE-2012-5604 - title: 'CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication bypass when - handling anonymous LDAP bind' - date: 2012-12-04 - description: | - The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when - using Active Directory for authentication, allows remote attackers to bypass authentication - via unspecified vectors. - cvss_v2: 5.0 - patched_versions: - - ">= 0.1.3" ---- +--- +layout: advisory +title: 'CVE-2012-5604 (ldap_fluff): CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication + bypass when handling anonymous LDAP bind' +comments: false +categories: +- ldap_fluff +advisory: + gem: ldap_fluff + cve: 2012-5604 + osvdb: 90579 + ghsa: 9whh-582r-589h + url: https://nvd.nist.gov/vuln/detail/CVE-2012-5604 + title: 'CVE-2012-5604 rubygem-ldap_fluff: CloudForms authentication bypass when + handling anonymous LDAP bind' + date: 2012-12-04 + description: | + The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when + using Active Directory for authentication, allows remote attackers to bypass authentication + via unspecified vectors. + cvss_v2: 5.0 + patched_versions: + - ">= 0.1.3" +--- diff --git a/advisories/_posts/2012-12-06-CVE-2013-0284.md b/advisories/_posts/2012-12-06-CVE-2013-0284.md index 68538139..c9b80fb1 100644 --- a/advisories/_posts/2012-12-06-CVE-2013-0284.md +++ b/advisories/_posts/2012-12-06-CVE-2013-0284.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-0284 (newrelic_rpm): Ruby on Rails newrelic_rpm Gem Discloses Sensitive - Information' -comments: false -categories: -- newrelic_rpm -advisory: - gem: newrelic_rpm - cve: 2013-0284 - osvdb: 90189 - ghsa: q6cw-2553-7837 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0284 - title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information - date: 2012-12-06 - description: | - A bug in the Ruby agent causes database connection information and raw SQL - statements to be transmitted to New Relic servers. The database connection - information includes the database IP address, username, and password - cvss_v2: 5.0 - patched_versions: - - ">= 3.5.3.25" ---- +--- +layout: advisory +title: 'CVE-2013-0284 (newrelic_rpm): Ruby on Rails newrelic_rpm Gem Discloses Sensitive + Information' +comments: false +categories: +- newrelic_rpm +advisory: + gem: newrelic_rpm + cve: 2013-0284 + osvdb: 90189 + ghsa: q6cw-2553-7837 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0284 + title: Ruby on Rails newrelic_rpm Gem Discloses Sensitive Information + date: 2012-12-06 + description: | + A bug in the Ruby agent causes database connection information and raw SQL + statements to be transmitted to New Relic servers. The database connection + information includes the database IP address, username, and password + cvss_v2: 5.0 + patched_versions: + - ">= 3.5.3.25" +--- diff --git a/advisories/_posts/2012-12-21-CVE-2012-6497.md b/advisories/_posts/2012-12-21-CVE-2012-6497.md index ef018048..788a6979 100644 --- a/advisories/_posts/2012-12-21-CVE-2012-6497.md +++ b/advisories/_posts/2012-12-21-CVE-2012-6497.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2012-6497 (authlogic): Ruby on Rails Authlogic Gem secret_token.rb Known - secret_token Value Weakness' -comments: false -categories: -- authlogic -advisory: - gem: authlogic - cve: 2012-6497 - osvdb: 89064 - ghsa: rx7j-mw4c-76g9 - url: https://nvd.nist.gov/vuln/detail/CVE-2012-6497 - title: Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness - date: 2012-12-21 - description: | - Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered - when the program makes an unsafe method call for find_by_id. With a specially - crafted parameter in an environment that knows the secret_token value in - secret_token.rb, a remote attacker to more easily conduct SQL injection - attacks. - patched_versions: - - ">= 3.3.0" ---- +--- +layout: advisory +title: 'CVE-2012-6497 (authlogic): Ruby on Rails Authlogic Gem secret_token.rb Known + secret_token Value Weakness' +comments: false +categories: +- authlogic +advisory: + gem: authlogic + cve: 2012-6497 + osvdb: 89064 + ghsa: rx7j-mw4c-76g9 + url: https://nvd.nist.gov/vuln/detail/CVE-2012-6497 + title: Ruby on Rails Authlogic Gem secret_token.rb Known secret_token Value Weakness + date: 2012-12-21 + description: | + Ruby on Rails contains a flaw in the Authlogic gem. The issue is triggered + when the program makes an unsafe method call for find_by_id. With a specially + crafted parameter in an environment that knows the secret_token value in + secret_token.rb, a remote attacker to more easily conduct SQL injection + attacks. + patched_versions: + - ">= 3.3.0" +--- diff --git a/advisories/_posts/2012-12-22-CVE-2012-6496.md b/advisories/_posts/2012-12-22-CVE-2012-6496.md index c4ab0d55..37d69cc9 100644 --- a/advisories/_posts/2012-12-22-CVE-2012-6496.md +++ b/advisories/_posts/2012-12-22-CVE-2012-6496.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2012-6496 (activerecord): Ruby on Rails find_by_* Methods Authlogic SQL - Injection Bypass' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2012-6496 - osvdb: 88661 - ghsa: gh2w-j7cx-2664 - url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM - title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass - date: 2012-12-22 - description: | - Due to the way dynamic finders in Active Record extract options from method - parameters, a method parameter can mistakenly be used as a scope. Carefully - crafted requests can use the scope to inject arbitrary SQL. - cvss_v2: 6.4 - patched_versions: - - "~> 3.0.18" - - "~> 3.1.9" - - ">= 3.2.10" ---- +--- +layout: advisory +title: 'CVE-2012-6496 (activerecord): Ruby on Rails find_by_* Methods Authlogic SQL + Injection Bypass' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2012-6496 + osvdb: 88661 + ghsa: gh2w-j7cx-2664 + url: https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/DCNTNp_qjFM + title: Ruby on Rails find_by_* Methods Authlogic SQL Injection Bypass + date: 2012-12-22 + description: | + Due to the way dynamic finders in Active Record extract options from method + parameters, a method parameter can mistakenly be used as a scope. Carefully + crafted requests can use the scope to inject arbitrary SQL. + cvss_v2: 6.4 + patched_versions: + - "~> 3.0.18" + - "~> 3.1.9" + - ">= 3.2.10" +--- diff --git a/advisories/_posts/2013-01-07-CVE-2013-0183.md b/advisories/_posts/2013-01-07-CVE-2013-0183.md index 580d306b..b2ead779 100644 --- a/advisories/_posts/2013-01-07-CVE-2013-0183.md +++ b/advisories/_posts/2013-01-07-CVE-2013-0183.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2013-0183 (rack): CVE-2013-0183 rubygem-rack: receiving excessively long - lines triggers out-of-memory error' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2013-0183 - osvdb: 89320 - ghsa: 3pxh-h8hw-mj8w - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0183 - title: 'CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory - error' - date: 2013-01-07 - description: | - multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 - allows remote attackers to cause a denial of service (memory consumption and out-of-memory - error) via a long string in a Multipart HTTP packet. - cvss_v2: 5.0 - patched_versions: - - "~> 1.3.8" - - ">= 1.4.3" ---- +--- +layout: advisory +title: 'CVE-2013-0183 (rack): CVE-2013-0183 rubygem-rack: receiving excessively long + lines triggers out-of-memory error' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2013-0183 + osvdb: 89320 + ghsa: 3pxh-h8hw-mj8w + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0183 + title: 'CVE-2013-0183 rubygem-rack: receiving excessively long lines triggers out-of-memory + error' + date: 2013-01-07 + description: | + multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 + allows remote attackers to cause a denial of service (memory consumption and out-of-memory + error) via a long string in a Multipart HTTP packet. + cvss_v2: 5.0 + patched_versions: + - "~> 1.3.8" + - ">= 1.4.3" +--- diff --git a/advisories/_posts/2013-01-08-CVE-2013-0155.md b/advisories/_posts/2013-01-08-CVE-2013-0155.md index 6bb5c252..18f20d8f 100644 --- a/advisories/_posts/2013-01-08-CVE-2013-0155.md +++ b/advisories/_posts/2013-01-08-CVE-2013-0155.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2013-0155 (activerecord): CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: - Unsafe Query Generation Risk in Ruby on Rails' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2013-0155 - osvdb: 89025 - ghsa: gppp-5xc5-wfpx - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0155 - title: 'CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation - Risk in Ruby on Rails' - date: 2013-01-08 - description: | - Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before - 3.2.11 does not properly consider differences in parameter handling between the - Active Record component and the JSON implementation, which allows remote attackers - to bypass intended database-query restrictions and perform NULL checks or trigger - missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" - values, a related issue to CVE-2012-2660 and CVE-2012-2694. 
- cvss_v2: 10.0 - patched_versions: - - "~> 2.3.16" - - "~> 3.0.19" - - "~> 3.1.10" - - ">= 3.2.11" ---- +--- +layout: advisory +title: 'CVE-2013-0155 (activerecord): CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: + Unsafe Query Generation Risk in Ruby on Rails' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2013-0155 + osvdb: 89025 + ghsa: gppp-5xc5-wfpx + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0155 + title: 'CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation + Risk in Ruby on Rails' + date: 2013-01-08 + description: | + Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before + 3.2.11 does not properly consider differences in parameter handling between the + Active Record component and the JSON implementation, which allows remote attackers + to bypass intended database-query restrictions and perform NULL checks or trigger + missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]" + values, a related issue to CVE-2012-2660 and CVE-2012-2694. + cvss_v2: 10.0 + patched_versions: + - "~> 2.3.16" + - "~> 3.0.19" + - "~> 3.1.10" + - ">= 3.2.11" +--- diff --git a/advisories/_posts/2013-01-08-CVE-2013-0156.md b/advisories/_posts/2013-01-08-CVE-2013-0156.md index 44b9c004..feead995 100644 --- a/advisories/_posts/2013-01-08-CVE-2013-0156.md +++ b/advisories/_posts/2013-01-08-CVE-2013-0156.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2013-0156 (actionpack): CVE-2013-0156 rubygem-activesupport: Multiple - vulnerabilities in parameter parsing in ActionPack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2013-0156 - osvdb: 89026 - ghsa: jmgw-6vjg-jjwg - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0156 - title: 'CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter - parsing in ActionPack' - date: 2013-01-08 - description: | - active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, - 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly - restrict casts of string values, which allows remote attackers to conduct object-injection - attacks and execute arbitrary code, or cause a denial of service (memory and CPU - consumption) involving nested XML entity references, by leveraging Action Pack support - for (1) YAML type conversion or (2) Symbol type conversion. 
- cvss_v2: 10.0 - patched_versions: - - "~> 2.3.15" - - "~> 3.0.19" - - "~> 3.1.10" - - ">= 3.2.11" ---- +--- +layout: advisory +title: 'CVE-2013-0156 (actionpack): CVE-2013-0156 rubygem-activesupport: Multiple + vulnerabilities in parameter parsing in ActionPack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2013-0156 + osvdb: 89026 + ghsa: jmgw-6vjg-jjwg + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0156 + title: 'CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter + parsing in ActionPack' + date: 2013-01-08 + description: | + active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, + 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly + restrict casts of string values, which allows remote attackers to conduct object-injection + attacks and execute arbitrary code, or cause a denial of service (memory and CPU + consumption) involving nested XML entity references, by leveraging Action Pack support + for (1) YAML type conversion or (2) Symbol type conversion. + cvss_v2: 10.0 + patched_versions: + - "~> 2.3.15" + - "~> 3.0.19" + - "~> 3.1.10" + - ">= 3.2.11" +--- diff --git a/advisories/_posts/2013-01-08-CVE-2013-1802.md b/advisories/_posts/2013-01-08-CVE-2013-1802.md index f5166b32..cc864f4c 100644 --- a/advisories/_posts/2013-01-08-CVE-2013-1802.md +++ b/advisories/_posts/2013-01-08-CVE-2013-1802.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-1802 (extlib): extlib Gem for Ruby Type Casting Parameter Parsing - Remote Code Execution' -comments: false -categories: -- extlib -advisory: - gem: extlib - cve: 2013-1802 - osvdb: 90740 - ghsa: 9h36-4jf2-hx53 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1802 - title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution - date: 2013-01-08 - description: | - extlib Gem for Ruby contains a flaw that is triggered when a type casting - error occurs during the parsing of parameters. This may allow a - context-dependent attacker to potentially execute arbitrary code. - cvss_v2: 9.3 - patched_versions: - - ">= 0.9.16" ---- +--- +layout: advisory +title: 'CVE-2013-1802 (extlib): extlib Gem for Ruby Type Casting Parameter Parsing + Remote Code Execution' +comments: false +categories: +- extlib +advisory: + gem: extlib + cve: 2013-1802 + osvdb: 90740 + ghsa: 9h36-4jf2-hx53 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1802 + title: extlib Gem for Ruby Type Casting Parameter Parsing Remote Code Execution + date: 2013-01-08 + description: | + extlib Gem for Ruby contains a flaw that is triggered when a type casting + error occurs during the parsing of parameters. This may allow a + context-dependent attacker to potentially execute arbitrary code. + cvss_v2: 9.3 + patched_versions: + - ">= 0.9.16" +--- diff --git a/advisories/_posts/2013-01-09-CVE-2013-1800.md b/advisories/_posts/2013-01-09-CVE-2013-1800.md index 01fc749c..13b1a185 100644 --- a/advisories/_posts/2013-01-09-CVE-2013-1800.md +++ b/advisories/_posts/2013-01-09-CVE-2013-1800.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2013-1800 (crack): CVE-2013-1800 rubygem-crack: YAML parameter parsing - vulnerability' -comments: false -categories: -- crack -advisory: - gem: crack - cve: 2013-1800 - osvdb: 90742 - ghsa: m7fq-cf8q-35q7 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1800 - title: 'CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability' - date: 2013-01-09 - description: | - The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts - of string values, which might allow remote attackers to conduct object-injection - attacks and execute arbitrary code, or cause a denial of service (memory and CPU - consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) - Symbol type conversion, a similar vulnerability to CVE-2013-0156. - cvss_v2: 7.5 - patched_versions: - - ">= 0.3.2" ---- +--- +layout: advisory +title: 'CVE-2013-1800 (crack): CVE-2013-1800 rubygem-crack: YAML parameter parsing + vulnerability' +comments: false +categories: +- crack +advisory: + gem: crack + cve: 2013-1800 + osvdb: 90742 + ghsa: m7fq-cf8q-35q7 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1800 + title: 'CVE-2013-1800 rubygem-crack: YAML parameter parsing vulnerability' + date: 2013-01-09 + description: | + The crack gem 0.3.1 and earlier for Ruby does not properly restrict casts + of string values, which might allow remote attackers to conduct object-injection + attacks and execute arbitrary code, or cause a denial of service (memory and CPU + consumption) by leveraging Action Pack support for (1) YAML type conversion or (2) + Symbol type conversion, a similar vulnerability to CVE-2013-0156. + cvss_v2: 7.5 + patched_versions: + - ">= 0.3.2" +--- diff --git a/advisories/_posts/2013-01-10-CVE-2013-0285.md b/advisories/_posts/2013-01-10-CVE-2013-0285.md index dc72a6ab..3f91b782 100644 --- a/advisories/_posts/2013-01-10-CVE-2013-0285.md +++ b/advisories/_posts/2013-01-10-CVE-2013-0285.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2013-0285 (nori): Ruby Gem nori Parameter Parsing Remote Code Execution' -comments: false -categories: -- nori -advisory: - gem: nori - cve: 2013-0285 - osvdb: 90196 - ghsa: 4936-rj25-6wm6 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0285 - title: Ruby Gem nori Parameter Parsing Remote Code Execution - date: 2013-01-10 - description: | - The Ruby Gem nori has a parameter parsing error that may allow an attacker - to execute arbitrary code. This vulnerability has to do with type casting - during parsing, and is related to CVE-2013-0156. - cvss_v2: 7.5 - patched_versions: - - "~> 1.0.3" - - "~> 1.1.4" - - ">= 2.0.2" ---- +--- +layout: advisory +title: 'CVE-2013-0285 (nori): Ruby Gem nori Parameter Parsing Remote Code Execution' +comments: false +categories: +- nori +advisory: + gem: nori + cve: 2013-0285 + osvdb: 90196 + ghsa: 4936-rj25-6wm6 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0285 + title: Ruby Gem nori Parameter Parsing Remote Code Execution + date: 2013-01-10 + description: | + The Ruby Gem nori has a parameter parsing error that may allow an attacker + to execute arbitrary code. This vulnerability has to do with type casting + during parsing, and is related to CVE-2013-0156. + cvss_v2: 7.5 + patched_versions: + - "~> 1.0.3" + - "~> 1.1.4" + - ">= 2.0.2" +--- diff --git a/advisories/_posts/2013-01-11-CVE-2013-0175.md b/advisories/_posts/2013-01-11-CVE-2013-0175.md index 1c81a2c1..dfa7ebd7 100644 --- a/advisories/_posts/2013-01-11-CVE-2013-0175.md +++ b/advisories/_posts/2013-01-11-CVE-2013-0175.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-0175 (multi_xml): multi_xml Gem for Ruby XML Parameter Parsing Remote - Command Execution' -comments: false -categories: -- multi_xml -advisory: - gem: multi_xml - cve: 2013-0175 - osvdb: 89148 - ghsa: pchc-949f-53m5 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0175 - title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution - date: 2013-01-11 - description: | - The multi_xml Gem for Ruby contains a flaw that is triggered when an error - occurs during the parsing of the 'XML' parameter. With a crafted request - containing arbitrary symbol and yaml types, a remote attacker can execute - arbitrary commands. - patched_versions: - - ">= 0.5.2" ---- +--- +layout: advisory +title: 'CVE-2013-0175 (multi_xml): multi_xml Gem for Ruby XML Parameter Parsing Remote + Command Execution' +comments: false +categories: +- multi_xml +advisory: + gem: multi_xml + cve: 2013-0175 + osvdb: 89148 + ghsa: pchc-949f-53m5 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0175 + title: multi_xml Gem for Ruby XML Parameter Parsing Remote Command Execution + date: 2013-01-11 + description: | + The multi_xml Gem for Ruby contains a flaw that is triggered when an error + occurs during the parsing of the 'XML' parameter. With a crafted request + containing arbitrary symbol and yaml types, a remote attacker can execute + arbitrary commands. + patched_versions: + - ">= 0.5.2" +--- diff --git a/advisories/_posts/2013-01-13-CVE-2013-0184.md b/advisories/_posts/2013-01-13-CVE-2013-0184.md index 1ca92db5..1c05b2de 100644 --- a/advisories/_posts/2013-01-13-CVE-2013-0184.md +++ b/advisories/_posts/2013-01-13-CVE-2013-0184.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2013-0184 (rack): CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest - DoS' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2013-0184 - osvdb: 89327 - ghsa: v882-ccj6-jc48 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0184 - title: 'CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS' - date: 2013-01-13 - description: | - Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x - before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows - remote attackers to cause a denial of service via unknown vectors related to "symbolized - arbitrary strings." - cvss_v2: 4.3 - patched_versions: - - "~> 1.1.5" - - "~> 1.2.7" - - "~> 1.3.9" - - ">= 1.4.4" ---- +--- +layout: advisory +title: 'CVE-2013-0184 (rack): CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest + DoS' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2013-0184 + osvdb: 89327 + ghsa: v882-ccj6-jc48 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0184 + title: 'CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractRequest DoS' + date: 2013-01-13 + description: | + Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x + before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows + remote attackers to cause a denial of service via unknown vectors related to "symbolized + arbitrary strings." + cvss_v2: 4.3 + patched_versions: + - "~> 1.1.5" + - "~> 1.2.7" + - "~> 1.3.9" + - ">= 1.4.4" +--- diff --git a/advisories/_posts/2013-01-14-CVE-2013-1801.md b/advisories/_posts/2013-01-14-CVE-2013-1801.md index 75803529..aa3f1ad5 100644 --- a/advisories/_posts/2013-01-14-CVE-2013-1801.md +++ b/advisories/_posts/2013-01-14-CVE-2013-1801.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-1801 (httparty): httparty Gem for Ruby Type Casting Parameter Parsing - Remote Code Execution' -comments: false -categories: -- httparty -advisory: - gem: httparty - cve: 2013-1801 - osvdb: 90741 - ghsa: mgx3-27hr-mfgp - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1801 - title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution - date: 2013-01-14 - description: | - httparty Gem for Ruby contains a flaw that is triggered when a type casting - error occurs during the parsing of parameters. This may allow a - context-dependent attacker to potentially execute arbitrary code. - cvss_v2: 7.5 - patched_versions: - - ">= 0.10.0" ---- +--- +layout: advisory +title: 'CVE-2013-1801 (httparty): httparty Gem for Ruby Type Casting Parameter Parsing + Remote Code Execution' +comments: false +categories: +- httparty +advisory: + gem: httparty + cve: 2013-1801 + osvdb: 90741 + ghsa: mgx3-27hr-mfgp + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1801 + title: httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution + date: 2013-01-14 + description: | + httparty Gem for Ruby contains a flaw that is triggered when a type casting + error occurs during the parsing of parameters. This may allow a + context-dependent attacker to potentially execute arbitrary code. + cvss_v2: 7.5 + patched_versions: + - ">= 0.10.0" +--- diff --git a/advisories/_posts/2013-01-28-CVE-2013-0233.md b/advisories/_posts/2013-01-28-CVE-2013-0233.md index ed16fd35..59199325 100644 --- a/advisories/_posts/2013-01-28-CVE-2013-0233.md +++ b/advisories/_posts/2013-01-28-CVE-2013-0233.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-0233 (devise): Devise Database Type Conversion Crafted Request Parsing - Security Bypass' -comments: false -categories: -- devise -advisory: - gem: devise - cve: 2013-0233 - osvdb: 89642 - ghsa: jxhw-mg8m-2pj8 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0233 - title: Devise Database Type Conversion Crafted Request Parsing Security Bypass - date: 2013-01-28 - description: | - Devise contains a flaw that is triggered during when a type conversion error - occurs during the parsing of a malformed request. With a specially crafted - request, a remote attacker can bypass security restrictions. - cvss_v2: 6.8 - patched_versions: - - "~> 1.5.4" - - "~> 2.0.5" - - "~> 2.1.3" - - ">= 2.2.3" ---- +--- +layout: advisory +title: 'CVE-2013-0233 (devise): Devise Database Type Conversion Crafted Request Parsing + Security Bypass' +comments: false +categories: +- devise +advisory: + gem: devise + cve: 2013-0233 + osvdb: 89642 + ghsa: jxhw-mg8m-2pj8 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0233 + title: Devise Database Type Conversion Crafted Request Parsing Security Bypass + date: 2013-01-28 + description: | + Devise contains a flaw that is triggered during when a type conversion error + occurs during the parsing of a malformed request. With a specially crafted + request, a remote attacker can bypass security restrictions. + cvss_v2: 6.8 + patched_versions: + - "~> 1.5.4" + - "~> 2.0.5" + - "~> 2.1.3" + - ">= 2.2.3" +--- diff --git a/advisories/_posts/2013-01-28-CVE-2013-0333.md b/advisories/_posts/2013-01-28-CVE-2013-0333.md index 7f52edd3..568d60eb 100644 --- a/advisories/_posts/2013-01-28-CVE-2013-0333.md +++ b/advisories/_posts/2013-01-28-CVE-2013-0333.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-0333 (activesupport): CVE-2013-0333 rubygem-activesupport: json to - yaml parsing' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2013-0333 - osvdb: 89594 - ghsa: xgr2-v94m-rc9g - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333 - title: 'CVE-2013-0333 rubygem-activesupport: json to yaml parsing' - date: 2013-01-28 - description: | - lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before - 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data - for processing by a YAML parser, which allows remote attackers to execute arbitrary - code, conduct SQL injection attacks, or bypass authentication via crafted data that - triggers unsafe decoding, a different vulnerability than CVE-2013-0156. - cvss_v2: 9.3 - patched_versions: - - "~> 2.3.16" - - ">= 3.0.20" ---- +--- +layout: advisory +title: 'CVE-2013-0333 (activesupport): CVE-2013-0333 rubygem-activesupport: json to + yaml parsing' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2013-0333 + osvdb: 89594 + ghsa: xgr2-v94m-rc9g + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333 + title: 'CVE-2013-0333 rubygem-activesupport: json to yaml parsing' + date: 2013-01-28 + description: | + lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before + 2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data + for processing by a YAML parser, which allows remote attackers to execute arbitrary + code, conduct SQL injection attacks, or bypass authentication via crafted data that + triggers unsafe decoding, a different vulnerability than CVE-2013-0156. + cvss_v2: 9.3 + patched_versions: + - "~> 2.3.16" + - ">= 3.0.20" +--- diff --git a/advisories/_posts/2013-02-06-CVE-2013-0256.md b/advisories/_posts/2013-02-06-CVE-2013-0256.md index fff930cb..2e674728 100644 
--- a/advisories/_posts/2013-02-06-CVE-2013-0256.md +++ b/advisories/_posts/2013-02-06-CVE-2013-0256.md @@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-0256 (rdoc): CVE-2013-0256 rubygem-rdoc: Cross-site scripting in - the documentation created by Darkfish Rdoc HTML generator / template' -comments: false -categories: -- rdoc -advisory: - gem: rdoc - cve: 2013-0256 - osvdb: 90004 - ghsa: v2r9-c84j-v7xm - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0256 - title: 'CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created - by Darkfish Rdoc HTML generator / template' - date: 2013-02-06 - description: | - darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, - as used in Ruby, does not properly generate documents, which allows remote attackers - to conduct cross-site scripting (XSS) attacks via a crafted URL. - cvss_v2: 4.3 - patched_versions: - - "~> 3.9.5" - - "~> 3.12.1" - - ">= 4.0" ---- +--- +layout: advisory +title: 'CVE-2013-0256 (rdoc): CVE-2013-0256 rubygem-rdoc: Cross-site scripting in + the documentation created by Darkfish Rdoc HTML generator / template' +comments: false +categories: +- rdoc +advisory: + gem: rdoc + cve: 2013-0256 + osvdb: 90004 + ghsa: v2r9-c84j-v7xm + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0256 + title: 'CVE-2013-0256 rubygem-rdoc: Cross-site scripting in the documentation created + by Darkfish Rdoc HTML generator / template' + date: 2013-02-06 + description: | + darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, + as used in Ruby, does not properly generate documents, which allows remote attackers + to conduct cross-site scripting (XSS) attacks via a crafted URL. + cvss_v2: 4.3 + patched_versions: + - "~> 3.9.5" + - "~> 3.12.1" + - ">= 4.0" +--- diff --git a/advisories/_posts/2013-02-07-CVE-2013-0262.md b/advisories/_posts/2013-02-07-CVE-2013-0262.md index c778982d..f002a7ee 100644 --- a/advisories/_posts/2013-02-07-CVE-2013-0262.md 
+++ b/advisories/_posts/2013-02-07-CVE-2013-0262.md @@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2013-0262 (rack): CVE-2013-0262 rubygem-rack: Path sanitization information - disclosure' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2013-0262 - osvdb: 89938 - ghsa: 85r7-w5mv-c849 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0262 - title: 'CVE-2013-0262 rubygem-rack: Path sanitization information disclosure' - date: 2013-02-07 - description: | - rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before - 1.4.5 allows attackers to access arbitrary files outside the intended root directory - via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability - that is remotely exploitable, aka "symlink path traversals." - cvss_v2: 4.3 - patched_versions: - - "~> 1.4.5" - - ">= 1.5.2" ---- +--- +layout: advisory +title: 'CVE-2013-0262 (rack): CVE-2013-0262 rubygem-rack: Path sanitization information + disclosure' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2013-0262 + osvdb: 89938 + ghsa: 85r7-w5mv-c849 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0262 + title: 'CVE-2013-0262 rubygem-rack: Path sanitization information disclosure' + date: 2013-02-07 + description: | + rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before + 1.4.5 allows attackers to access arbitrary files outside the intended root directory + via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability + that is remotely exploitable, aka "symlink path traversals." + cvss_v2: 4.3 + patched_versions: + - "~> 1.4.5" + - ">= 1.5.2" +--- diff --git a/advisories/_posts/2013-02-07-CVE-2013-0263.md b/advisories/_posts/2013-02-07-CVE-2013-0263.md index fb4f1ab6..ecde0bbc 100644 --- a/advisories/_posts/2013-02-07-CVE-2013-0263.md +++ b/advisories/_posts/2013-02-07-CVE-2013-0263.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-0263 (rack): CVE-2013-0263 rubygem-rack: Timing attack in cookie - sessions' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2013-0263 - osvdb: 89939 - ghsa: xc85-32mf-xpv8 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0263 - title: 'CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions' - date: 2013-02-07 - description: | - Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, - 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers - to guess the session cookie, gain privileges, and execute arbitrary code via a timing - attack involving an HMAC comparison function that does not run in constant time. - cvss_v2: 5.1 - patched_versions: - - "~> 1.1.6" - - "~> 1.2.8" - - "~> 1.3.10" - - "~> 1.4.5" - - ">= 1.5.2" ---- +--- +layout: advisory +title: 'CVE-2013-0263 (rack): CVE-2013-0263 rubygem-rack: Timing attack in cookie + sessions' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2013-0263 + osvdb: 89939 + ghsa: xc85-32mf-xpv8 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0263 + title: 'CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions' + date: 2013-02-07 + description: | + Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, + 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers + to guess the session cookie, gain privileges, and execute arbitrary code via a timing + attack involving an HMAC comparison function that does not run in constant time. + cvss_v2: 5.1 + patched_versions: + - "~> 1.1.6" + - "~> 1.2.8" + - "~> 1.3.10" + - "~> 1.4.5" + - ">= 1.5.2" +--- diff --git a/advisories/_posts/2013-02-11-CVE-2013-0276.md b/advisories/_posts/2013-02-11-CVE-2013-0276.md index f44a87bb..224a069e 100644 --- a/advisories/_posts/2013-02-11-CVE-2013-0276.md +++ b/advisories/_posts/2013-02-11-CVE-2013-0276.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-0276 (activerecord): CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: - circumvention of attr_protected' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2013-0276 - osvdb: 90072 - ghsa: gr44-7grc-37vq - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0276 - title: 'CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of - attr_protected' - date: 2013-02-11 - description: | - ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and - 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection - mechanism and modify protected model attributes via a crafted request. - cvss_v2: 5.0 - patched_versions: - - "~> 2.3.17" - - "~> 3.1.11" - - ">= 3.2.12" ---- +--- +layout: advisory +title: 'CVE-2013-0276 (activerecord): CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: + circumvention of attr_protected' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2013-0276 + osvdb: 90072 + ghsa: gr44-7grc-37vq + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0276 + title: 'CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of + attr_protected' + date: 2013-02-11 + description: | + ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and + 3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection + mechanism and modify protected model attributes via a crafted request. + cvss_v2: 5.0 + patched_versions: + - "~> 2.3.17" + - "~> 3.1.11" + - ">= 3.2.12" +--- diff --git a/advisories/_posts/2013-02-11-CVE-2013-0277.md b/advisories/_posts/2013-02-11-CVE-2013-0277.md index 6cf7d6a5..ae4700b1 100644 --- a/advisories/_posts/2013-02-11-CVE-2013-0277.md +++ b/advisories/_posts/2013-02-11-CVE-2013-0277.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-0277 (activerecord): CVE-2013-0277 rubygem-activerecord: Serialized - Attributes YAML Vulnerability with Rails 2.3 and 3.0' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2013-0277 - osvdb: 90073 - ghsa: fhj9-cjjh-27vm - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0277 - title: 'CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability - with Rails 2.3 and 3.0' - date: 2013-02-11 - description: | - ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows - remote attackers to cause a denial of service or execute arbitrary code via crafted - serialized attributes that cause the +serialize+ helper to deserialize arbitrary - YAML. - cvss_v2: 10.0 - patched_versions: - - "~> 2.3.17" - - ">= 3.1.0" ---- +--- +layout: advisory +title: 'CVE-2013-0277 (activerecord): CVE-2013-0277 rubygem-activerecord: Serialized + Attributes YAML Vulnerability with Rails 2.3 and 3.0' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2013-0277 + osvdb: 90073 + ghsa: fhj9-cjjh-27vm + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0277 + title: 'CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability + with Rails 2.3 and 3.0' + date: 2013-02-11 + description: | + ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows + remote attackers to cause a denial of service or execute arbitrary code via crafted + serialized attributes that cause the +serialize+ helper to deserialize arbitrary + YAML. + cvss_v2: 10.0 + patched_versions: + - "~> 2.3.17" + - ">= 3.1.0" +--- diff --git a/advisories/_posts/2013-02-12-CVE-2013-0269.md b/advisories/_posts/2013-02-12-CVE-2013-0269.md index e5b172e9..f320c3aa 100644 --- a/advisories/_posts/2013-02-12-CVE-2013-0269.md +++ b/advisories/_posts/2013-02-12-CVE-2013-0269.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-0269 (json): CVE-2013-0269 rubygem-json: Denial of Service and SQL - Injection' -comments: false -categories: -- json -advisory: - gem: json - cve: 2013-0269 - osvdb: 101137 - ghsa: x457-cw4h-hq5f - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0269 - title: 'CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection' - date: 2013-02-12 - description: | - The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 - for Ruby allows remote attackers to cause a denial of service (resource consumption) - or bypass the mass assignment protection mechanism via a crafted JSON document that - triggers the creation of arbitrary Ruby symbols or certain internal objects, as - demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe - Object Creation Vulnerability." - cvss_v2: 9.0 - patched_versions: - - "~> 1.5.5" - - "~> 1.6.8" - - ">= 1.7.7" ---- +--- +layout: advisory +title: 'CVE-2013-0269 (json): CVE-2013-0269 rubygem-json: Denial of Service and SQL + Injection' +comments: false +categories: +- json +advisory: + gem: json + cve: 2013-0269 + osvdb: 101137 + ghsa: x457-cw4h-hq5f + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0269 + title: 'CVE-2013-0269 rubygem-json: Denial of Service and SQL Injection' + date: 2013-02-12 + description: | + The JSON gem before 1.5.5, 1.6.x before 1.6.8, and 1.7.x before 1.7.7 + for Ruby allows remote attackers to cause a denial of service (resource consumption) + or bypass the mass assignment protection mechanism via a crafted JSON document that + triggers the creation of arbitrary Ruby symbols or certain internal objects, as + demonstrated by conducting a SQL injection attack against Ruby on Rails, aka "Unsafe + Object Creation Vulnerability." + cvss_v2: 9.0 + patched_versions: + - "~> 1.5.5" + - "~> 1.6.8" + - ">= 1.7.7" +--- 
diff --git a/advisories/_posts/2013-02-12-OSVDB-115090.md b/advisories/_posts/2013-02-12-OSVDB-115090.md index 29d0adb9..f8abd992 100644 --- a/advisories/_posts/2013-02-12-OSVDB-115090.md +++ b/advisories/_posts/2013-02-12-OSVDB-115090.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'OSVDB-115090 (bundler): Bundler Gem for Ruby Missing SSL Certificate Validation - MitM Spoofing' -comments: false -categories: -- bundler -advisory: - gem: bundler - osvdb: 115090 - url: https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 - title: Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing - date: 2013-02-12 - description: | - Bundler Gem for Ruby contains a flaw as SSL certificates are not properly - validated. By spoofing the SSL server via a certificate that appears valid, - an attacker with the ability to intercept network traffic (e.g. MiTM, DNS - cache poisoning) can disclose and optionally manipulate transmitted data. - patched_versions: - - ">= 1.3.0.pre.8" - related: - url: - - https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 - - https://my.diffend.io/gems/bundler/1.3.0.pre.7/1.3.0.pre.8 - - https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8 - - http://www.osvdb.org/show/osvdb/115090 ---- +--- +layout: advisory +title: 'OSVDB-115090 (bundler): Bundler Gem for Ruby Missing SSL Certificate Validation + MitM Spoofing' +comments: false +categories: +- bundler +advisory: + gem: bundler + osvdb: 115090 + url: https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 + title: Bundler Gem for Ruby Missing SSL Certificate Validation MitM Spoofing + date: 2013-02-12 + description: | + Bundler Gem for Ruby contains a flaw as SSL certificates are not properly + validated. By spoofing the SSL server via a certificate that appears valid, + an attacker with the ability to intercept network traffic (e.g. MiTM, DNS + cache poisoning) can disclose and optionally manipulate transmitted data. 
+ patched_versions: + - ">= 1.3.0.pre.8" + related: + url: + - https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 + - https://my.diffend.io/gems/bundler/1.3.0.pre.7/1.3.0.pre.8 + - https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8 + - http://www.osvdb.org/show/osvdb/115090 +--- diff --git a/advisories/_posts/2013-02-12-OSVDB-115091.md b/advisories/_posts/2013-02-12-OSVDB-115091.md index 5e306919..aa5ef63a 100644 --- a/advisories/_posts/2013-02-12-OSVDB-115091.md +++ b/advisories/_posts/2013-02-12-OSVDB-115091.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'OSVDB-115091 (bundler): Bundler Gem for Ruby Redirection Remote HTTP Basic - Authentication Credential Disclosure' -comments: false -categories: -- bundler -advisory: - gem: bundler - osvdb: 115091 - url: https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 - title: Bundler Gem for Ruby Redirection Remote HTTP Basic Authentication Credential - Disclosure - date: 2013-02-12 - description: | - Bundler Gem for Ruby contains a flaw that is triggered during the - redirection to other hosts. This may allow a remote attacker to - gain access to HTTP basic authentication credential information. - patched_versions: - - ">= 1.3.0.pre.8" - related: - url: - - https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 - - https://my.diffend.io/gems/bundler/1.3.0.pre.7/1.3.0.pre.8 - - https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8 - - http://www.osvdb.org/show/osvdb/115091 ---- +--- +layout: advisory +title: 'OSVDB-115091 (bundler): Bundler Gem for Ruby Redirection Remote HTTP Basic + Authentication Credential Disclosure' +comments: false +categories: +- bundler +advisory: + gem: bundler + osvdb: 115091 + url: https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 + title: Bundler Gem for Ruby Redirection Remote HTTP Basic Authentication Credential + Disclosure + date: 2013-02-12 + description: | + Bundler Gem for Ruby contains a flaw that is triggered during the + redirection to other hosts. This may allow a remote attacker to + gain access to HTTP basic authentication credential information. + patched_versions: + - ">= 1.3.0.pre.8" + related: + url: + - https://github.com/rubygems/bundler/releases/tag/v1.3.0.pre.8 + - https://my.diffend.io/gems/bundler/1.3.0.pre.7/1.3.0.pre.8 + - https://my.diffend.io/gems/bundler/versions/1.0.0.beta.8 + - http://www.osvdb.org/show/osvdb/115091 +--- 
diff --git a/advisories/_posts/2013-02-19-CVE-2013-1756.md b/advisories/_posts/2013-02-19-CVE-2013-1756.md index 045386e7..3724c244 100644 --- a/advisories/_posts/2013-02-19-CVE-2013-1756.md +++ b/advisories/_posts/2013-02-19-CVE-2013-1756.md @@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-1756 (fog-dragonfly): Dragonfly Gem for Ruby Crafted Request Parsing - Remote Code Execution' -comments: false -categories: -- fog-dragonfly -advisory: - gem: fog-dragonfly - cve: 2013-1756 - osvdb: 90647 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1756 - title: Dragonfly Gem for Ruby Crafted Request Parsing Remote Code Execution - date: 2013-02-19 - description: | - Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing - of a specially crafted request. This may allow a remote attacker to execute - arbitrary code. - - This gem has been renamed. Please use "dragonfly" from now on. - cvss_v2: 7.5 - unaffected_versions: - - "< 0.7.0" - patched_versions: - - ">= 0.9.14" ---- +--- +layout: advisory +title: 'CVE-2013-1756 (fog-dragonfly): Dragonfly Gem for Ruby Crafted Request Parsing + Remote Code Execution' +comments: false +categories: +- fog-dragonfly +advisory: + gem: fog-dragonfly + cve: 2013-1756 + osvdb: 90647 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1756 + title: Dragonfly Gem for Ruby Crafted Request Parsing Remote Code Execution + date: 2013-02-19 + description: | + Dragonfly Gem for Ruby contains a flaw that is triggered during the parsing + of a specially crafted request. This may allow a remote attacker to execute + arbitrary code. + + This gem has been renamed. Please use "dragonfly" from now on. + cvss_v2: 7.5 + unaffected_versions: + - "< 0.7.0" + patched_versions: + - ">= 0.9.14" +--- diff --git a/advisories/_posts/2013-02-21-CVE-2013-0162.md b/advisories/_posts/2013-02-21-CVE-2013-0162.md index 0c9e6479..c18da56e 100644 --- a/advisories/_posts/2013-02-21-CVE-2013-0162.md +++ b/advisories/_posts/2013-02-21-CVE-2013-0162.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-0162 (ruby_parser): CVE-2013-0162 rubygem-ruby_parser: incorrect - temporary file usage' -comments: false -categories: -- ruby_parser -advisory: - gem: ruby_parser - cve: 2013-0162 - osvdb: 90561 - ghsa: 8mvw-22r7-w6fq - url: https://nvd.nist.gov/vuln/detail/CVE-2013-0162 - title: 'CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage' - date: 2013-02-21 - description: | - The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser - gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via - a symlink attack on a temporary file with a predictable name in /tmp. - cvss_v2: 2.1 - patched_versions: - - ">= 3.1.2" ---- +--- +layout: advisory +title: 'CVE-2013-0162 (ruby_parser): CVE-2013-0162 rubygem-ruby_parser: incorrect + temporary file usage' +comments: false +categories: +- ruby_parser +advisory: + gem: ruby_parser + cve: 2013-0162 + osvdb: 90561 + ghsa: 8mvw-22r7-w6fq + url: https://nvd.nist.gov/vuln/detail/CVE-2013-0162 + title: 'CVE-2013-0162 rubygem-ruby_parser: incorrect temporary file usage' + date: 2013-02-21 + description: | + The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser + gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via + a symlink attack on a temporary file with a predictable name in /tmp. + cvss_v2: 2.1 + patched_versions: + - ">= 3.1.2" +--- diff --git a/advisories/_posts/2013-02-21-CVE-2013-1607.md b/advisories/_posts/2013-02-21-CVE-2013-1607.md index 1089ce24..d80f440f 100644 --- a/advisories/_posts/2013-02-21-CVE-2013-1607.md +++ b/advisories/_posts/2013-02-21-CVE-2013-1607.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2013-1607 (pdfkit): PDFKit Gem for Ruby PDF File Generation Parameter - Handling Remote Code Execution' -comments: false -categories: -- pdfkit -advisory: - gem: pdfkit - cve: 2013-1607 - osvdb: 90867 - ghsa: 39v7-xpq4-8884 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1607 - title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution - date: 2013-02-21 - description: | - PDFKit Gem for Ruby contains a flaw that is due to the program failing - to properly validate input during the handling of parameters when generating PDF - files. This may allow a remote attacker to potentially execute arbitrary code via - the pdfkit generation options. - cvss_v3: 9.8 - patched_versions: - - ">= 0.5.3" ---- +--- +layout: advisory +title: 'CVE-2013-1607 (pdfkit): PDFKit Gem for Ruby PDF File Generation Parameter + Handling Remote Code Execution' +comments: false +categories: +- pdfkit +advisory: + gem: pdfkit + cve: 2013-1607 + osvdb: 90867 + ghsa: 39v7-xpq4-8884 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1607 + title: PDFKit Gem for Ruby PDF File Generation Parameter Handling Remote Code Execution + date: 2013-02-21 + description: | + PDFKit Gem for Ruby contains a flaw that is due to the program failing + to properly validate input during the handling of parameters when generating PDF + files. This may allow a remote attacker to potentially execute arbitrary code via + the pdfkit generation options. + cvss_v3: 9.8 + patched_versions: + - ">= 0.5.3" +--- diff --git a/advisories/_posts/2013-02-21-CVE-2013-1656.md b/advisories/_posts/2013-02-21-CVE-2013-1656.md index 88b3a886..af13d073 100644 --- a/advisories/_posts/2013-02-21-CVE-2013-1656.md +++ b/advisories/_posts/2013-02-21-CVE-2013-1656.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'CVE-2013-1656 (spree): Spree controller Parameter Arbitrary Ruby Object Instantiation - Command Execution' -comments: false -categories: -- spree -advisory: - gem: spree - cve: 2013-1656 - ghsa: jxx8-v83v-rhw3 - url: https://github.com/advisories/GHSA-jxx8-v83v-rhw3 - title: Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution - date: 2013-02-21 - description: | - Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated - administrators to instantiate arbitrary Ruby objects and executd - arbitrary commands via the - (1) payment_method parameter to core/app/controllers/spree/admin/ - payment_methods_controller.rb; and the - (2) promotion_action parameter to promotion_actions_controller.rb, - (3) promotion_rule parameter to promotion_rules_controller.rb, and - (4) calculator_type parameter to promotions_controller.rb in - promo/app/controllers/spree/admin/, related to unsafe use - of the constantize function. 
- cvss_v2: 4.3 - patched_versions: - - ">= 2.0.0.rc1" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2013-1656 - - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7 - - https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt - - https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed - - https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html - - https://github.com/advisories/GHSA-jxx8-v83v-rhw3 ---- +--- +layout: advisory +title: 'CVE-2013-1656 (spree): Spree controller Parameter Arbitrary Ruby Object Instantiation + Command Execution' +comments: false +categories: +- spree +advisory: + gem: spree + cve: 2013-1656 + ghsa: jxx8-v83v-rhw3 + url: https://github.com/advisories/GHSA-jxx8-v83v-rhw3 + title: Spree controller Parameter Arbitrary Ruby Object Instantiation Command Execution + date: 2013-02-21 + description: | + Spree Commerce 1.0.x before 2.0.0.rc1 allows remote authenticated + administrators to instantiate arbitrary Ruby objects and executd + arbitrary commands via the + (1) payment_method parameter to core/app/controllers/spree/admin/ + payment_methods_controller.rb; and the + (2) promotion_action parameter to promotion_actions_controller.rb, + (3) promotion_rule parameter to promotion_rules_controller.rb, and + (4) calculator_type parameter to promotions_controller.rb in + promo/app/controllers/spree/admin/, related to unsafe use + of the constantize function. 
+ cvss_v2: 4.3 + patched_versions: + - ">= 2.0.0.rc1" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2013-1656 + - https://github.com/spree/spree/commit/70092eb55b8be8fe5d21a7658b62da658612fba7 + - https://web.archive.org/web/20130907044454/https://www.conviso.com.br/advisories/CVE-2013-1656.txt + - https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed + - https://web.archive.org/web/20140618100330/http://blog.conviso.com.br/2013/03/spree-commerce-multiple-unsafe.html + - https://github.com/advisories/GHSA-jxx8-v83v-rhw3 +--- diff --git a/advisories/_posts/2013-02-21-CVE-2013-2506.md b/advisories/_posts/2013-02-21-CVE-2013-2506.md index f953232c..a8205d8b 100644 --- a/advisories/_posts/2013-02-21-CVE-2013-2506.md +++ b/advisories/_posts/2013-02-21-CVE-2013-2506.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2013-2506 (spree_auth_devise): Spree app/models/spree/user.rb Mass Role - Assignment Remote Privilege Escalation' -comments: false -categories: -- spree_auth_devise -advisory: - gem: spree_auth_devise - cve: 2013-2506 - osvdb: 90865 - ghsa: jp57-9j37-5476 - url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed - title: Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation - date: 2013-02-21 - description: | - Spree contains a flaw that leads to unauthorized privileges being gained. The - issue is triggered as certain input related to mass role assignment in - app/models/spree/user.rb is not properly verified before being used to update - a user. This may allow a remote attacker to assign arbitrary roles and gain - elevated administrative privileges. - cvss_v2: 4.0 - patched_versions: - - "~> 1.1.6" - - "~> 1.2.0" - - ">= 1.3.0" ---- +--- +layout: advisory +title: 'CVE-2013-2506 (spree_auth_devise): Spree app/models/spree/user.rb Mass Role + Assignment Remote Privilege Escalation' +comments: false +categories: +- spree_auth_devise +advisory: + gem: spree_auth_devise + cve: 2013-2506 + osvdb: 90865 + ghsa: jp57-9j37-5476 + url: https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed + title: Spree app/models/spree/user.rb Mass Role Assignment Remote Privilege Escalation + date: 2013-02-21 + description: | + Spree contains a flaw that leads to unauthorized privileges being gained. The + issue is triggered as certain input related to mass role assignment in + app/models/spree/user.rb is not properly verified before being used to update + a user. This may allow a remote attacker to assign arbitrary roles and gain + elevated administrative privileges. + cvss_v2: 4.0 + patched_versions: + - "~> 1.1.6" + - "~> 1.2.0" + - ">= 1.3.0" +--- 
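Review bot: The `url:` field of CVE-2013-2506 points at the live `https://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed`, while the CVE-2013-1656 entry earlier in this patch only cites that same post through web.archive.org, which suggests the primary reference no longer resolves; use the archived link `https://web.archive.org/web/20140329142330/http://spreecommerce.com/blog/multiple-security-vulnerabilities-fixed` or add it under `related: url:` so the advisory stays verifiable. The `patched_versions` entry `~> 1.2.0` also deserves a check: it declares every 1.2.x release safe, whereas the sibling `~> 1.1.6` implies the 1.1-series fix landed mid-series, so if the 1.2-series fix likewise shipped in a later 1.2.x, consumers such as bundler-audit would silently pass unpatched 1.2.x gems — confirm against the Spree release notes before keeping it. Since this post is synced from rubysec/ruby-advisory-db, both corrections belong in the upstream entry rather than here.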
diff --git a/advisories/_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md b/advisories/_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md index 06349f0a..cca3e601 100644 --- a/advisories/_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md +++ b/advisories/_posts/2013-02-25-GHSA-5qw5-wf2q-f538.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'GHSA-5qw5-wf2q-f538 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter - (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection' -comments: false -categories: -- activerecord-jdbc-adapter -- jruby -advisory: - gem: activerecord-jdbc-adapter - platform: jruby - osvdb: 114854 - ghsa: 5qw5-wf2q-f538 - url: https://github.com/advisories/GHSA-5qw5-wf2q-f538 - title: ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() - Function SQL Injection - date: 2013-02-25 - description: | - ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying - out an SQL injection attack. The issue is due to the sql.gsub() function in - lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before - using it in SQL queries. This may allow a remote attacker to inject or - manipulate SQL queries in the back-end database, allowing for the - manipulation or disclosure of arbitrary data. - unaffected_versions: - - "< 1.2.6" - patched_versions: - - ">= 1.2.8" - related: - url: - - https://github.com/jruby/activerecord-jdbc-adapter/issues/322 - - https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/jdbc/adapter.rb - - https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8 - - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076 - - https://advisories.gitlab.com/pkg/gem/activerecord-jdbc-adapter/GHSA-5qw5-wf2q-f538 - - https://github.com/advisories/GHSA-5qw5-wf2q-f538 - notes: "- No CVE, CVSS values.\n" ---- +--- +layout: advisory +title: 'GHSA-5qw5-wf2q-f538 (activerecord-jdbc-adapter): ActiveRecord-JDBC-Adapter + (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() Function SQL Injection' +comments: false +categories: +- activerecord-jdbc-adapter +- jruby +advisory: + gem: activerecord-jdbc-adapter + platform: jruby + osvdb: 114854 + ghsa: 5qw5-wf2q-f538 + url: https://github.com/advisories/GHSA-5qw5-wf2q-f538 + title: 
ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub() + Function SQL Injection + date: 2013-02-25 + description: | + ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying + out an SQL injection attack. The issue is due to the sql.gsub() function in + lib/arjdbc/jdbc/adapter.rb not properly sanitizing user-supplied input before + using it in SQL queries. This may allow a remote attacker to inject or + manipulate SQL queries in the back-end database, allowing for the + manipulation or disclosure of arbitrary data. + unaffected_versions: + - "< 1.2.6" + patched_versions: + - ">= 1.2.8" + related: + url: + - https://github.com/jruby/activerecord-jdbc-adapter/issues/322 + - https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/jdbc/adapter.rb + - https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8 + - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076 + - https://advisories.gitlab.com/pkg/gem/activerecord-jdbc-adapter/GHSA-5qw5-wf2q-f538 + - https://github.com/advisories/GHSA-5qw5-wf2q-f538 + notes: "- No CVE, CVSS values.\n" +--- diff --git a/advisories/_posts/2013-02-28-CVE-2013-2512.md b/advisories/_posts/2013-02-28-CVE-2013-2512.md index 74ba5325..c358b803 100644 --- a/advisories/_posts/2013-02-28-CVE-2013-2512.md +++ b/advisories/_posts/2013-02-28-CVE-2013-2512.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2013-2512 (ftpd): ftpd Gem for Ruby Shell Character Handling Remote Command - Injection' -comments: false -categories: -- ftpd -advisory: - gem: ftpd - cve: 2013-2512 - osvdb: 90784 - ghsa: 7vxr-6cxg-j3x8 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-2512 - title: ftpd Gem for Ruby Shell Character Handling Remote Command Injection - date: 2013-02-28 - description: | - ftpd Gem for Ruby contains a flaw that is triggered when handling a - specially crafted option or filename that contains a shell - character. This may allow a remote attacker to inject arbitrary - commands. - cvss_v2: 9.0 - cvss_v3: 9.8 - patched_versions: - - ">= 0.2.2" ---- +--- +layout: advisory +title: 'CVE-2013-2512 (ftpd): ftpd Gem for Ruby Shell Character Handling Remote Command + Injection' +comments: false +categories: +- ftpd +advisory: + gem: ftpd + cve: 2013-2512 + osvdb: 90784 + ghsa: 7vxr-6cxg-j3x8 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2512 + title: ftpd Gem for Ruby Shell Character Handling Remote Command Injection + date: 2013-02-28 + description: | + ftpd Gem for Ruby contains a flaw that is triggered when handling a + specially crafted option or filename that contains a shell + character. This may allow a remote attacker to inject arbitrary + commands. + cvss_v2: 9.0 + cvss_v3: 9.8 + patched_versions: + - ">= 0.2.2" +--- diff --git a/advisories/_posts/2013-02-28-CVE-2013-2516.md b/advisories/_posts/2013-02-28-CVE-2013-2516.md index e2c2a29f..ed274446 100644 --- a/advisories/_posts/2013-02-28-CVE-2013-2516.md +++ b/advisories/_posts/2013-02-28-CVE-2013-2516.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2013-2516 (fileutils): fileutils Gem for Ruby file_utils.rb Crafted URL - Handling Remote Command Execution' -comments: false -categories: -- fileutils -advisory: - gem: fileutils - cve: 2013-2516 - osvdb: 90717 - ghsa: 9x97-x2p9-hvpf - url: https://nvd.nist.gov/vuln/detail/CVE-2013-2516 - title: fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command - Execution - date: 2013-02-28 - description: | - fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is - triggered when handling a specially crafted URL containing a command after a delimiter - (;). This may allow a remote attacker to potentially execute arbitrary commands. - cvss_v3: 8.8 - patched_versions: - - ">= 0.7.1" ---- +--- +layout: advisory +title: 'CVE-2013-2516 (fileutils): fileutils Gem for Ruby file_utils.rb Crafted URL + Handling Remote Command Execution' +comments: false +categories: +- fileutils +advisory: + gem: fileutils + cve: 2013-2516 + osvdb: 90717 + ghsa: 9x97-x2p9-hvpf + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2516 + title: fileutils Gem for Ruby file_utils.rb Crafted URL Handling Remote Command + Execution + date: 2013-02-28 + description: | + fileutils Gem for Ruby contains a flaw in file_utils.rb. The issue is + triggered when handling a specially crafted URL containing a command after a delimiter + (;). This may allow a remote attacker to potentially execute arbitrary commands. + cvss_v3: 8.8 + patched_versions: + - ">= 0.7.1" +--- diff --git a/advisories/_posts/2013-03-04-CVE-2013-2513.md b/advisories/_posts/2013-03-04-CVE-2013-2513.md index 6451252e..9f33979f 100644 --- a/advisories/_posts/2013-03-04-CVE-2013-2513.md +++ b/advisories/_posts/2013-03-04-CVE-2013-2513.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2013-2513 (flash_tool): flash_tool Gem for Ruby File Download Handling - Arbitrary Command Execution' -comments: false -categories: -- flash_tool -advisory: - gem: flash_tool - cve: 2013-2513 - osvdb: 90829 - ghsa: 6325-6g32-7p35 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-2513 - title: flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution - date: 2013-03-04 - description: | - flash_tool Gem for Ruby contains a flaw that is triggered during the - handling of downloaded files that contain shell characters. With a specially crafted - file, a context-dependent attacker can execute arbitrary commands. - cvss_v3: 9.8 ---- +--- +layout: advisory +title: 'CVE-2013-2513 (flash_tool): flash_tool Gem for Ruby File Download Handling + Arbitrary Command Execution' +comments: false +categories: +- flash_tool +advisory: + gem: flash_tool + cve: 2013-2513 + osvdb: 90829 + ghsa: 6325-6g32-7p35 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2513 + title: flash_tool Gem for Ruby File Download Handling Arbitrary Command Execution + date: 2013-03-04 + description: | + flash_tool Gem for Ruby contains a flaw that is triggered during the + handling of downloaded files that contain shell characters. With a specially crafted + file, a context-dependent attacker can execute arbitrary commands. + cvss_v3: 9.8 +--- diff --git a/advisories/_posts/2013-03-12-CVE-2013-2616.md b/advisories/_posts/2013-03-12-CVE-2013-2616.md index 64acf68c..7d628441 100644 --- a/advisories/_posts/2013-03-12-CVE-2013-2616.md +++ b/advisories/_posts/2013-03-12-CVE-2013-2616.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2013-2616 (mini_magick): MiniMagick Gem for Ruby URI Handling Arbitrary - Command Injection' -comments: false -categories: -- mini_magick -advisory: - gem: mini_magick - cve: 2013-2616 - osvdb: 91231 - ghsa: w754-gq8r-pf5f - url: https://nvd.nist.gov/vuln/detail/CVE-2013-2616 - title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection - date: 2013-03-12 - description: | - MiniMagick Gem for Ruby contains a flaw that is triggered during the handling - of specially crafted input from an untrusted source passed via a URL that - contains a ';' character. This may allow a context-dependent attacker to - potentially execute arbitrary commands. - cvss_v2: 9.3 - patched_versions: - - ">= 3.6.0" ---- +--- +layout: advisory +title: 'CVE-2013-2616 (mini_magick): MiniMagick Gem for Ruby URI Handling Arbitrary + Command Injection' +comments: false +categories: +- mini_magick +advisory: + gem: mini_magick + cve: 2013-2616 + osvdb: 91231 + ghsa: w754-gq8r-pf5f + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2616 + title: MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection + date: 2013-03-12 + description: | + MiniMagick Gem for Ruby contains a flaw that is triggered during the handling + of specially crafted input from an untrusted source passed via a URL that + contains a ';' character. This may allow a context-dependent attacker to + potentially execute arbitrary commands. + cvss_v2: 9.3 + patched_versions: + - ">= 3.6.0" +--- diff --git a/advisories/_posts/2013-03-12-CVE-2013-2617.md b/advisories/_posts/2013-03-12-CVE-2013-2617.md index 45174d1b..9008e63a 100644 --- a/advisories/_posts/2013-03-12-CVE-2013-2617.md +++ b/advisories/_posts/2013-03-12-CVE-2013-2617.md 
@@ -1,20 +1,20 @@ ---- -layout: advisory -title: 'CVE-2013-2617 (curl): CVE-2013-2617 rubygem-curl: insufficient URL escaping - command injection' -comments: false -categories: -- curl -advisory: - gem: curl - cve: 2013-2617 - osvdb: 91230 - ghsa: hxx6-p24v-wg8c - url: https://nvd.nist.gov/vuln/detail/CVE-2013-2617 - title: 'CVE-2013-2617 rubygem-curl: insufficient URL escaping command injection' - date: 2013-03-12 - description: | - lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute - arbitrary commands via shell metacharacters in a URL. - cvss_v2: 7.5 ---- +--- +layout: advisory +title: 'CVE-2013-2617 (curl): CVE-2013-2617 rubygem-curl: insufficient URL escaping + command injection' +comments: false +categories: +- curl +advisory: + gem: curl + cve: 2013-2617 + osvdb: 91230 + ghsa: hxx6-p24v-wg8c + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2617 + title: 'CVE-2013-2617 rubygem-curl: insufficient URL escaping command injection' + date: 2013-03-12 + description: | + lib/curl.rb in the Curl Gem for Ruby allows remote attackers to execute + arbitrary commands via shell metacharacters in a URL. + cvss_v2: 7.5 +--- diff --git a/advisories/_posts/2013-03-13-CVE-2013-2615.md b/advisories/_posts/2013-03-13-CVE-2013-2615.md index 416827ea..8fc73fd2 100644 --- a/advisories/_posts/2013-03-13-CVE-2013-2615.md +++ b/advisories/_posts/2013-03-13-CVE-2013-2615.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2013-2615 (fastreader): fastreader Gem for Ruby URI Handling Arbitrary - Command Injection' -comments: false -categories: -- fastreader -advisory: - gem: fastreader - cve: 2013-2615 - osvdb: 91232 - ghsa: w248-xr37-jx8m - url: https://nvd.nist.gov/vuln/detail/CVE-2013-2615 - title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection - date: 2013-03-13 - description: | - fastreader Gem for Ruby contains a flaw that is triggered during the handling - of specially crafted input passed via a URL that contains a ';' character. - This may allow a context-dependent attacker to potentially execute arbitrary - commands. - cvss_v2: 9.3 ---- +--- +layout: advisory +title: 'CVE-2013-2615 (fastreader): fastreader Gem for Ruby URI Handling Arbitrary + Command Injection' +comments: false +categories: +- fastreader +advisory: + gem: fastreader + cve: 2013-2615 + osvdb: 91232 + ghsa: w248-xr37-jx8m + url: https://nvd.nist.gov/vuln/detail/CVE-2013-2615 + title: fastreader Gem for Ruby URI Handling Arbitrary Command Injection + date: 2013-03-13 + description: | + fastreader Gem for Ruby contains a flaw that is triggered during the handling + of specially crafted input passed via a URL that contains a ';' character. + This may allow a context-dependent attacker to potentially execute arbitrary + commands. + cvss_v2: 9.3 +--- diff --git a/advisories/_posts/2013-03-18-CVE-2013-1875.md b/advisories/_posts/2013-03-18-CVE-2013-1875.md index f4be2687..e01ee08a 100644 --- a/advisories/_posts/2013-03-18-CVE-2013-1875.md +++ b/advisories/_posts/2013-03-18-CVE-2013-1875.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2013-1875 (command_wrap): command_wrap Gem for Ruby URI Handling Arbitrary - Command Injection' -comments: false -categories: -- command_wrap -advisory: - gem: command_wrap - cve: 2013-1875 - osvdb: 91450 - ghsa: p673-hjf2-pwfr - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1875 - title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection - date: 2013-03-18 - description: | - command_wrap Gem for Ruby contains a flaw that is triggered during the - handling of input passed via the URL that contains a semicolon character (;). This - will allow a remote attacker to inject arbitrary commands and have them executed - in the context of the user clicking it. - cvss_v2: 7.5 ---- +--- +layout: advisory +title: 'CVE-2013-1875 (command_wrap): command_wrap Gem for Ruby URI Handling Arbitrary + Command Injection' +comments: false +categories: +- command_wrap +advisory: + gem: command_wrap + cve: 2013-1875 + osvdb: 91450 + ghsa: p673-hjf2-pwfr + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1875 + title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection + date: 2013-03-18 + description: | + command_wrap Gem for Ruby contains a flaw that is triggered during the + handling of input passed via the URL that contains a semicolon character (;). This + will allow a remote attacker to inject arbitrary commands and have them executed + in the context of the user clicking it. + cvss_v2: 7.5 +--- diff --git a/advisories/_posts/2013-03-19-CVE-2013-1854.md b/advisories/_posts/2013-03-19-CVE-2013-1854.md index 86d1d241..a0df1d02 100644 --- a/advisories/_posts/2013-03-19-CVE-2013-1854.md +++ b/advisories/_posts/2013-03-19-CVE-2013-1854.md 
@@ -1,33 +1,33 @@ ---- -layout: advisory -title: 'CVE-2013-1854 (activerecord): CVE-2013-1854 rubygem-activerecord: attribute_dos - Symbol DoS vulnerability' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2013-1854 - osvdb: 91453 - ghsa: 3crr-9vmg-864v - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1854 - title: 'CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability' - date: 2013-03-19 - description: | - The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x - before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash - keys to symbols, which allows remote attackers to cause a denial of service via - crafted input to a where method. A flaw was found in the way Ruby on Rails handled - hashes in certain queries. A remote attacker could use this flaw to perform a denial - of service (resource consumption) attack by sending specially crafted queries that - would result in the creation of Ruby symbols, which were never garbage collected. - cvss_v2: 7.8 - unaffected_versions: - - "~> 3.0.0" - patched_versions: - - "~> 2.3.18" - - "~> 3.1.12" - - ">= 3.2.13" ---- +--- +layout: advisory +title: 'CVE-2013-1854 (activerecord): CVE-2013-1854 rubygem-activerecord: attribute_dos + Symbol DoS vulnerability' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2013-1854 + osvdb: 91453 + ghsa: 3crr-9vmg-864v + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1854 + title: 'CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability' + date: 2013-03-19 + description: | + The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x + before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash + keys to symbols, which allows remote attackers to cause a denial of service via + crafted input to a where method. 
A flaw was found in the way Ruby on Rails handled + hashes in certain queries. A remote attacker could use this flaw to perform a denial + of service (resource consumption) attack by sending specially crafted queries that + would result in the creation of Ruby symbols, which were never garbage collected. + cvss_v2: 7.8 + unaffected_versions: + - "~> 3.0.0" + patched_versions: + - "~> 2.3.18" + - "~> 3.1.12" + - ">= 3.2.13" +--- diff --git a/advisories/_posts/2013-03-19-CVE-2013-1855.md b/advisories/_posts/2013-03-19-CVE-2013-1855.md index 4e316e84..cdc8ce8c 100644 --- a/advisories/_posts/2013-03-19-CVE-2013-1855.md +++ b/advisories/_posts/2013-03-19-CVE-2013-1855.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2013-1855 (actionpack): CVE-2013-1855 rubygem-actionpack: css_sanitization: - XSS vulnerability in sanitize_css' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2013-1855 - osvdb: 91452 - ghsa: q759-hwvc-m3jg - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1855 - title: 'CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in - sanitize_css' - date: 2013-03-19 - description: | - The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb - in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before - 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, - which makes it easier for remote attackers to conduct cross-site scripting (XSS) - attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting - (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct - XSS attacks against users of an application using Action Pack. 
- cvss_v2: 4.3 - patched_versions: - - "~> 2.3.18" - - "~> 3.1.12" - - ">= 3.2.13" ---- +--- +layout: advisory +title: 'CVE-2013-1855 (actionpack): CVE-2013-1855 rubygem-actionpack: css_sanitization: + XSS vulnerability in sanitize_css' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2013-1855 + osvdb: 91452 + ghsa: q759-hwvc-m3jg + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1855 + title: 'CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in + sanitize_css' + date: 2013-03-19 + description: | + The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb + in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before + 3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters, + which makes it easier for remote attackers to conduct cross-site scripting (XSS) + attacks via crafted Cascading Style Sheets (CSS) token sequences. A cross-site scripting + (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct + XSS attacks against users of an application using Action Pack. + cvss_v2: 4.3 + patched_versions: + - "~> 2.3.18" + - "~> 3.1.12" + - ">= 3.2.13" +--- diff --git a/advisories/_posts/2013-03-19-CVE-2013-1856.md b/advisories/_posts/2013-03-19-CVE-2013-1856.md index 03f4b13d..02c0c97d 100644 --- a/advisories/_posts/2013-03-19-CVE-2013-1856.md +++ b/advisories/_posts/2013-03-19-CVE-2013-1856.md 
@@ -1,34 +1,34 @@ ---- -layout: advisory -title: 'CVE-2013-1856 (activesupport): XML Parsing Vulnerability affecting JRuby users' -comments: false -categories: -- activesupport -- rails -- jruby -advisory: - gem: activesupport - framework: rails - platform: jruby - cve: 2013-1856 - osvdb: 91451 - ghsa: 9c2j-593q-3g82 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1856 - title: XML Parsing Vulnerability affecting JRuby users - date: 2013-03-19 - description: | - The ActiveSupport XML parsing functionality supports multiple - pluggable backends. One backend supported for JRuby users is - ActiveSupport::XmlMini_JDOM which makes use of the - javax.xml.parsers.DocumentBuilder class. In some JVM configurations - the default settings of that class can allow an attacker to construct - XML which, when parsed, will contain the contents of arbitrary URLs - including files from the application server. They may also allow for - various denial of service attacks. Action Pack - cvss_v2: 7.8 - unaffected_versions: - - "~> 2.3.0" - patched_versions: - - "~> 3.1.12" - - ">= 3.2.13" ---- +--- +layout: advisory +title: 'CVE-2013-1856 (activesupport): XML Parsing Vulnerability affecting JRuby users' +comments: false +categories: +- activesupport +- rails +- jruby +advisory: + gem: activesupport + framework: rails + platform: jruby + cve: 2013-1856 + osvdb: 91451 + ghsa: 9c2j-593q-3g82 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1856 + title: XML Parsing Vulnerability affecting JRuby users + date: 2013-03-19 + description: | + The ActiveSupport XML parsing functionality supports multiple + pluggable backends. One backend supported for JRuby users is + ActiveSupport::XmlMini_JDOM which makes use of the + javax.xml.parsers.DocumentBuilder class. In some JVM configurations + the default settings of that class can allow an attacker to construct + XML which, when parsed, will contain the contents of arbitrary URLs + including files from the application server. 
They may also allow for + various denial of service attacks. Action Pack + cvss_v2: 7.8 + unaffected_versions: + - "~> 2.3.0" + patched_versions: + - "~> 3.1.12" + - ">= 3.2.13" +--- diff --git a/advisories/_posts/2013-03-19-CVE-2013-1857.md b/advisories/_posts/2013-03-19-CVE-2013-1857.md index 82abe151..3ac68453 100644 --- a/advisories/_posts/2013-03-19-CVE-2013-1857.md +++ b/advisories/_posts/2013-03-19-CVE-2013-1857.md 
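Review bot: The description of CVE-2013-1856 ends with the orphaned words `Action Pack` after `various denial of service attacks.`, a truncated sentence that every consumer rendering `advisory.description` will display verbatim; delete those two trailing words so the block ends at `various denial of service attacks.`. The version ranges are otherwise consistent with the text — `~> 2.3.0` unaffected and no patched 3.0.x release means 3.0.x stays flagged, which appears to be the intended outcome. Because this post is synced from rubysec/ruby-advisory-db, the edit should be made upstream so it is not overwritten on the next sync.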
@@ -1,33 +1,33 @@ ---- -layout: advisory -title: 'CVE-2013-1857 (actionpack): CVE-2013-1857 rubygem-actionpack: sanitize_protocol: - XSS Vulnerability in the helper of Ruby on Rails' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2013-1857 - osvdb: 91454 - ghsa: j838-vfpq-fmf2 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1857 - title: 'CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in - the helper of Ruby on Rails' - date: 2013-03-19 - description: | - 'The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb - in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before - 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters - in URLs, which makes it easier for remote attackers to conduct cross-site scripting - (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. - A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could - use this flaw to conduct XSS attacks against users of an application using Action - Pack.' 
- cvss_v2: 4.3 - patched_versions: - - "~> 2.3.18" - - "~> 3.1.12" - - ">= 3.2.13" ---- +--- +layout: advisory +title: 'CVE-2013-1857 (actionpack): CVE-2013-1857 rubygem-actionpack: sanitize_protocol: + XSS Vulnerability in the helper of Ruby on Rails' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2013-1857 + osvdb: 91454 + ghsa: j838-vfpq-fmf2 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1857 + title: 'CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in + the helper of Ruby on Rails' + date: 2013-03-19 + description: | + 'The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb + in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before + 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters + in URLs, which makes it easier for remote attackers to conduct cross-site scripting + (XSS) attacks via a crafted scheme name, as demonstrated by including a : sequence. + A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could + use this flaw to conduct XSS attacks against users of an application using Action + Pack.' + cvss_v2: 4.3 + patched_versions: + - "~> 2.3.18" + - "~> 3.1.12" + - ">= 3.2.13" +--- diff --git a/advisories/_posts/2013-03-26-CVE-2013-1898.md b/advisories/_posts/2013-03-26-CVE-2013-1898.md index aa198318..006e1dc9 100644 --- a/advisories/_posts/2013-03-26-CVE-2013-1898.md +++ b/advisories/_posts/2013-03-26-CVE-2013-1898.md 
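Review bot: The description of CVE-2013-1857 is wrapped in literal single quotes inside a `|` block scalar (`'The sanitize helper …` through `Action Pack.'`), so the quotes are part of the text and will be rendered, unlike every neighbouring entry; drop the leading `'` before `The sanitize helper` and the trailing `'` after `Pack.`. The phrase `as demonstrated by including a : sequence` has also lost its point: the flaw is about encoded colons in a crafted scheme name, and the encoded form (presumably an HTML entity such as `&#58;`) appears to have been decoded on import, leaving a plain colon that reads as a no-op — write it as `including an entity-encoded colon such as &#58;` so the bypass is clear. Both fixes belong in the upstream rubysec/ruby-advisory-db entry since this file is generated from it.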
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-1898 (thumbshooter): Thumbshooter Gem for Ruby thumbshooter.rb URL - Shell Metacharacter Injection Arbitrary Command Execution' -comments: false -categories: -- thumbshooter -advisory: - gem: thumbshooter - cve: 2013-1898 - osvdb: 91839 - ghsa: 7fqj-cg79-f2pv - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1898 - title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection - Arbitrary Command Execution - date: 2013-03-26 - description: | - Thumbshooter Gem for Ruby contains a flaw that is due to the program - failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted - URL that contains shell metacharacters, a context-dependent attacker can execute - arbitrary commands. - cvss_v2: 7.5 ---- +--- +layout: advisory +title: 'CVE-2013-1898 (thumbshooter): Thumbshooter Gem for Ruby thumbshooter.rb URL + Shell Metacharacter Injection Arbitrary Command Execution' +comments: false +categories: +- thumbshooter +advisory: + gem: thumbshooter + cve: 2013-1898 + osvdb: 91839 + ghsa: 7fqj-cg79-f2pv + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1898 + title: Thumbshooter Gem for Ruby thumbshooter.rb URL Shell Metacharacter Injection + Arbitrary Command Execution + date: 2013-03-26 + description: | + Thumbshooter Gem for Ruby contains a flaw that is due to the program + failing to properly sanitize input passed to thumbshooter.rb. With a specially crafted + URL that contains shell metacharacters, a context-dependent attacker can execute + arbitrary commands. + cvss_v2: 7.5 +--- diff --git a/advisories/_posts/2013-04-01-CVE-2013-1911.md b/advisories/_posts/2013-04-01-CVE-2013-1911.md index 6ff4038b..0e07fb1e 100644 --- a/advisories/_posts/2013-04-01-CVE-2013-1911.md +++ b/advisories/_posts/2013-04-01-CVE-2013-1911.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-1911 (ldoce): ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection - Arbitrary Command Execution' -comments: false -categories: -- ldoce -advisory: - gem: ldoce - cve: 2013-1911 - osvdb: 91870 - ghsa: g266-3crh-h7gj - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1911 - title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command - Execution - date: 2013-04-01 - description: | - ldoce Gem for Ruby contains a flaw that is triggered during the handling - of a specially crafted URL or filename for MP3 files that have shell metacharacters - injected in to it. This may allow a context-dependent attacker to execute arbitrary - commands. - cvss_v2: 6.8 ---- +--- +layout: advisory +title: 'CVE-2013-1911 (ldoce): ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection + Arbitrary Command Execution' +comments: false +categories: +- ldoce +advisory: + gem: ldoce + cve: 2013-1911 + osvdb: 91870 + ghsa: g266-3crh-h7gj + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1911 + title: ldoce Gem for Ruby MP3 URL Shell Metacharacter Injection Arbitrary Command + Execution + date: 2013-04-01 + description: | + ldoce Gem for Ruby contains a flaw that is triggered during the handling + of a specially crafted URL or filename for MP3 files that have shell metacharacters + injected in to it. This may allow a context-dependent attacker to execute arbitrary + commands. + cvss_v2: 6.8 +--- diff --git a/advisories/_posts/2013-04-04-CVE-2013-1947.md b/advisories/_posts/2013-04-04-CVE-2013-1947.md index c251c682..88457bf1 100644 --- a/advisories/_posts/2013-04-04-CVE-2013-1947.md +++ b/advisories/_posts/2013-04-04-CVE-2013-1947.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-1947 (kelredd-pruview): kelredd-pruview Gem for Ruby /lib/pruview/document.rb - File Name Shell Metacharacter Injection Arbitrary Command Execution' -comments: false -categories: -- kelredd-pruview -advisory: - gem: kelredd-pruview - cve: 2013-1947 - osvdb: 92228 - ghsa: 78j3-7wpm-qhvp - url: https://nvd.nist.gov/vuln/detail/CVE-2013-1947 - title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter - Injection Arbitrary Command Execution - date: 2013-04-04 - description: | - kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. - The issue is triggered during the handling of a specially crafted file name that - contains injected shell metacharacters. This may allow a context-dependent attacker - to potentially execute arbitrary commands. - cvss_v2: 9.3 ---- +--- +layout: advisory +title: 'CVE-2013-1947 (kelredd-pruview): kelredd-pruview Gem for Ruby /lib/pruview/document.rb + File Name Shell Metacharacter Injection Arbitrary Command Execution' +comments: false +categories: +- kelredd-pruview +advisory: + gem: kelredd-pruview + cve: 2013-1947 + osvdb: 92228 + ghsa: 78j3-7wpm-qhvp + url: https://nvd.nist.gov/vuln/detail/CVE-2013-1947 + title: kelredd-pruview Gem for Ruby /lib/pruview/document.rb File Name Shell Metacharacter + Injection Arbitrary Command Execution + date: 2013-04-04 + description: | + kelredd-pruview Gem for Ruby contains a flaw in /lib/pruview/document.rb. + The issue is triggered during the handling of a specially crafted file name that + contains injected shell metacharacters. This may allow a context-dependent attacker + to potentially execute arbitrary commands. + cvss_v2: 9.3 +--- diff --git a/advisories/_posts/2013-04-08-CVE-2013-1933.md b/advisories/_posts/2013-04-08-CVE-2013-1933.md index caf7e665..805d0690 100644 --- a/advisories/_posts/2013-04-08-CVE-2013-1933.md +++ b/advisories/_posts/2013-04-08-CVE-2013-1933.md 
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2013-1933 (karteek-docsplit): Karteek Docsplit Gem for Ruby text_extractor.rb
- File Name Shell Metacharacter Injection Arbitrary Command Execution'
-comments: false
-categories:
-- karteek-docsplit
-advisory:
- gem: karteek-docsplit
- cve: 2013-1933
- osvdb: 92117
- ghsa: 4fvg-pwv7-v54g
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-1933
- title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter
- Injection Arbitrary Command Execution
- date: 2013-04-08
- description: |
- Karteek Docsplit Gem for Ruby contains a flaw that is due to the program
- failing to properly sanitize input passed to text_extractor.rb. With a specially
- crafted file name that contains shell metacharacters, a context-dependent attacker
- can execute arbitrary commands
- cvss_v2: 9.3
----
+---
+layout: advisory
+title: 'CVE-2013-1933 (karteek-docsplit): Karteek Docsplit Gem for Ruby text_extractor.rb
+ File Name Shell Metacharacter Injection Arbitrary Command Execution'
+comments: false
+categories:
+- karteek-docsplit
+advisory:
+ gem: karteek-docsplit
+ cve: 2013-1933
+ osvdb: 92117
+ ghsa: 4fvg-pwv7-v54g
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-1933
+ title: Karteek Docsplit Gem for Ruby text_extractor.rb File Name Shell Metacharacter
+ Injection Arbitrary Command Execution
+ date: 2013-04-08
+ description: |
+ Karteek Docsplit Gem for Ruby contains a flaw that is due to the program
+ failing to properly sanitize input passed to text_extractor.rb. With a specially
+ crafted file name that contains shell metacharacters, a context-dependent attacker
+ can execute arbitrary commands
+ cvss_v2: 9.3
+---
diff --git a/advisories/_posts/2013-04-13-CVE-2013-1948.md b/advisories/_posts/2013-04-13-CVE-2013-1948.md
index 450fe12a..c713ea5c 100644
--- a/advisories/_posts/2013-04-13-CVE-2013-1948.md
+++ b/advisories/_posts/2013-04-13-CVE-2013-1948.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2013-1948 (md2pdf): md2pdf Gem for Ruby md2pdf/converter.rb File Name
- Shell Metacharacter Injection Arbitrary Command Execution'
-comments: false
-categories:
-- md2pdf
-advisory:
- gem: md2pdf
- cve: 2013-1948
- osvdb: 92290
- ghsa: 99ch-8mvp-g7m5
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-1948
- title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection
- Arbitrary Command Execution
- date: 2013-04-13
- description: |
- md2pdf Gem for Ruby contains a flaw that is due to the program failing
- to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted
- file name that contains shell metacharacters, a context-dependent attacker can execute
- arbitrary commands
- cvss_v2: 10.0
----
+---
+layout: advisory
+title: 'CVE-2013-1948 (md2pdf): md2pdf Gem for Ruby md2pdf/converter.rb File Name
+ Shell Metacharacter Injection Arbitrary Command Execution'
+comments: false
+categories:
+- md2pdf
+advisory:
+ gem: md2pdf
+ cve: 2013-1948
+ osvdb: 92290
+ ghsa: 99ch-8mvp-g7m5
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-1948
+ title: md2pdf Gem for Ruby md2pdf/converter.rb File Name Shell Metacharacter Injection
+ Arbitrary Command Execution
+ date: 2013-04-13
+ description: |
+ md2pdf Gem for Ruby contains a flaw that is due to the program failing
+ to properly sanitize input passed to md2pdf/converter.rb. With a specially crafted
+ file name that contains shell metacharacters, a context-dependent attacker can execute
+ arbitrary commands
+ cvss_v2: 10.0
+---
diff --git a/advisories/_posts/2013-04-21-CVE-2013-3221.md b/advisories/_posts/2013-04-21-CVE-2013-3221.md
index fbdbcc2d..46b98df2 100644
--- a/advisories/_posts/2013-04-21-CVE-2013-3221.md
+++ b/advisories/_posts/2013-04-21-CVE-2013-3221.md
@@ -1,46 +1,46 @@
----
-layout: advisory
-title: 'CVE-2013-3221 (activerecord): Data-type injection vulnerability'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2013-3221
- ghsa: f57c-hx33-hvh8
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-3221
- title: Data-type injection vulnerability
- date: 2013-04-21
- description: |
- The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x,
- and 3.2.x does not ensure that the declared data type of a database
- column is used during comparisons of input values to stored values
- in that column, which makes it easier for remote attackers to
- conduct data-type injection attacks against Ruby on Rails applications
- via a crafted value, as demonstrated by unintended interaction
- between the "typed XML" feature and a MySQL database.
-
- ## RELEASE INFO
- - Phrack writeup says that 'couple of days after the advisory the
- issue was "fixed" in Rails 3.2.12 as by the following commit' 921a296.
- But "Indeed the vector is completely fixed as of Rails 4.2 almost
- two years after the original advisory."
- cvss_v2: 6.4
- patched_versions:
- - ">= 4.2.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2013-3221
- - https://github.com/rails/rails/commit/c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9
- - https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8
- - https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce
- - http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
- - http://openwall.com/lists/oss-security/2013/02/06/7
- - http://openwall.com/lists/oss-security/2013/04/24/7
- - https://gist.github.com/marianposaceanu/5442275
- - https://web.archive.org/web/20160307143147/http://www.phenoelit.org/blog/archives/2013/02/index.html
- - https://github.com/advisories/GHSA-f57c-hx33-hvh8
- - https://phrack.org/issues/69/12
----
+---
+layout: advisory
+title: 'CVE-2013-3221 (activerecord): Data-type injection vulnerability'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2013-3221
+ ghsa: f57c-hx33-hvh8
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+ title: Data-type injection vulnerability
+ date: 2013-04-21
+ description: |
+ The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x,
+ and 3.2.x does not ensure that the declared data type of a database
+ column is used during comparisons of input values to stored values
+ in that column, which makes it easier for remote attackers to
+ conduct data-type injection attacks against Ruby on Rails applications
+ via a crafted value, as demonstrated by unintended interaction
+ between the "typed XML" feature and a MySQL database.
+
+ ## RELEASE INFO
+ - Phrack writeup says that 'couple of days after the advisory the
+ issue was "fixed" in Rails 3.2.12 as by the following commit' 921a296.
+ But "Indeed the vector is completely fixed as of Rails 4.2 almost
+ two years after the original advisory."
+ cvss_v2: 6.4
+ patched_versions:
+ - ">= 4.2.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+ - https://github.com/rails/rails/commit/c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9
+ - https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8
+ - https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce
+ - http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
+ - http://openwall.com/lists/oss-security/2013/02/06/7
+ - http://openwall.com/lists/oss-security/2013/04/24/7
+ - https://gist.github.com/marianposaceanu/5442275
+ - https://web.archive.org/web/20160307143147/http://www.phenoelit.org/blog/archives/2013/02/index.html
+ - https://github.com/advisories/GHSA-f57c-hx33-hvh8
+ - https://phrack.org/issues/69/12
+---
diff --git a/advisories/_posts/2013-05-14-CVE-2013-2090.md b/advisories/_posts/2013-05-14-CVE-2013-2090.md
index 6dc514c6..a47f44f5 100644
--- a/advisories/_posts/2013-05-14-CVE-2013-2090.md
+++ b/advisories/_posts/2013-05-14-CVE-2013-2090.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2013-2090 (cremefraiche): Creme Fraiche Gem for Ruby File Name Shell Metacharacter
- Injection Arbitrary Command Execution'
-comments: false
-categories:
-- cremefraiche
-advisory:
- gem: cremefraiche
- cve: 2013-2090
- osvdb: 93395
- ghsa: m6f7-46hw-grcj
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-2090
- title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary
- Command Execution
- date: 2013-05-14
- description: |
- Creme Fraiche Gem for Ruby contains a flaw that is due to the program
- failing to properly sanitize input in file names. With a specially crafted file
- name that contains shell metacharacters, a context-dependent attacker can execute
- arbitrary commands
- cvss_v2: 9.3
- patched_versions:
- - ">= 0.6.1"
----
+---
+layout: advisory
+title: 'CVE-2013-2090 (cremefraiche): Creme Fraiche Gem for Ruby File Name Shell Metacharacter
+ Injection Arbitrary Command Execution'
+comments: false
+categories:
+- cremefraiche
+advisory:
+ gem: cremefraiche
+ cve: 2013-2090
+ osvdb: 93395
+ ghsa: m6f7-46hw-grcj
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-2090
+ title: Creme Fraiche Gem for Ruby File Name Shell Metacharacter Injection Arbitrary
+ Command Execution
+ date: 2013-05-14
+ description: |
+ Creme Fraiche Gem for Ruby contains a flaw that is due to the program
+ failing to properly sanitize input in file names. With a specially crafted file
+ name that contains shell metacharacters, a context-dependent attacker can execute
+ arbitrary commands
+ cvss_v2: 9.3
+ patched_versions:
+ - ">= 0.6.1"
+---
diff --git a/advisories/_posts/2013-05-17-CVE-2013-2105.md b/advisories/_posts/2013-05-17-CVE-2013-2105.md
index 40bf3775..b9caf601 100644
--- a/advisories/_posts/2013-05-17-CVE-2013-2105.md
+++ b/advisories/_posts/2013-05-17-CVE-2013-2105.md
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2013-2105 (show_in_browser): Show In Browser Gem for Ruby /tmp/browser.html
- Arbitrary Script Injection'
-comments: false
-categories:
-- show_in_browser
-advisory:
- gem: show_in_browser
- cve: 2013-2105
- osvdb: 93490
- ghsa: 9hx9-w2j6-rw76
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-2105
- title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
- date: 2013-05-17
- description: |
- Show In Browser Gem for Ruby contains a flaw that is triggered when the
- application does not validate input passed via the /tmp/browser.html file. This
- may allow a local attacker to create a specially crafted request that would execute
- arbitrary script code in a user's browser.
----
+---
+layout: advisory
+title: 'CVE-2013-2105 (show_in_browser): Show In Browser Gem for Ruby /tmp/browser.html
+ Arbitrary Script Injection'
+comments: false
+categories:
+- show_in_browser
+advisory:
+ gem: show_in_browser
+ cve: 2013-2105
+ osvdb: 93490
+ ghsa: 9hx9-w2j6-rw76
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-2105
+ title: Show In Browser Gem for Ruby /tmp/browser.html Arbitrary Script Injection
+ date: 2013-05-17
+ description: |
+ Show In Browser Gem for Ruby contains a flaw that is triggered when the
+ application does not validate input passed via the /tmp/browser.html file. This
+ may allow a local attacker to create a specially crafted request that would execute
+ arbitrary script code in a user's browser.
+---
diff --git a/advisories/_posts/2013-05-29-CVE-2013-2119.md b/advisories/_posts/2013-05-29-CVE-2013-2119.md
index 1bf5f5f8..73226aa8 100644
--- a/advisories/_posts/2013-05-29-CVE-2013-2119.md
+++ b/advisories/_posts/2013-05-29-CVE-2013-2119.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2013-2119 (passenger): CVE-2013-2119 rubygem-passenger: incorrect temporary
- file usage'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2013-2119
- osvdb: 93752
- ghsa: 9qj7-jvg4-qr2x
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-2119
- title: 'CVE-2013-2119 rubygem-passenger: incorrect temporary file usage'
- date: 2013-05-29
- description: |
- Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows
- local users to cause a denial of service (prevent application start) or gain privileges
- by pre-creating a temporary "config" file in a directory with a predictable name
- in /tmp/ before it is used by the gem.
- cvss_v2: 4.6
- patched_versions:
- - "~> 3.0.21"
- - ">= 4.0.5"
----
+---
+layout: advisory
+title: 'CVE-2013-2119 (passenger): CVE-2013-2119 rubygem-passenger: incorrect temporary
+ file usage'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2013-2119
+ osvdb: 93752
+ ghsa: 9qj7-jvg4-qr2x
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-2119
+ title: 'CVE-2013-2119 rubygem-passenger: incorrect temporary file usage'
+ date: 2013-05-29
+ description: |
+ Phusion Passenger gem before 3.0.21 and 4.0.x before 4.0.5 for Ruby allows
+ local users to cause a denial of service (prevent application start) or gain privileges
+ by pre-creating a temporary "config" file in a directory with a predictable name
+ in /tmp/ before it is used by the gem.
+ cvss_v2: 4.6
+ patched_versions:
+ - "~> 3.0.21"
+ - ">= 4.0.5"
+---
diff --git a/advisories/_posts/2013-06-10-CVE-2013-4136.md b/advisories/_posts/2013-06-10-CVE-2013-4136.md
index 20a20898..6785ada1 100644
--- a/advisories/_posts/2013-06-10-CVE-2013-4136.md
+++ b/advisories/_posts/2013-06-10-CVE-2013-4136.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2013-4136 (passenger): CVE-2013-4136 rubygem-passenger: insecure temporary
- directory usage due toreuse of existing server instance directories'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2013-4136
- osvdb: 94074
- ghsa: w6rc-q387-vpgq
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-4136
- title: 'CVE-2013-4136 rubygem-passenger: insecure temporary directory usage due
- toreuse of existing server instance directories'
- date: 2013-06-10
- description: |
- ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6
- for Ruby allows local users to gain privileges or possibly change the ownership
- of arbitrary directories via a symlink attack on a directory with a predictable
- name in /tmp/.
- cvss_v2: 4.6
- patched_versions:
- - ">= 4.0.8"
----
+---
+layout: advisory
+title: 'CVE-2013-4136 (passenger): CVE-2013-4136 rubygem-passenger: insecure temporary
+ directory usage due toreuse of existing server instance directories'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2013-4136
+ osvdb: 94074
+ ghsa: w6rc-q387-vpgq
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-4136
+ title: 'CVE-2013-4136 rubygem-passenger: insecure temporary directory usage due
+ toreuse of existing server instance directories'
+ date: 2013-06-10
+ description: |
+ ext/common/ServerInstanceDir.h in Phusion Passenger gem before 4.0.6
+ for Ruby allows local users to gain privileges or possibly change the ownership
+ of arbitrary directories via a symlink attack on a directory with a predictable
+ name in /tmp/.
+ cvss_v2: 4.6
+ patched_versions:
+ - ">= 4.0.8"
+---
diff --git a/advisories/_posts/2013-06-26-OSVDB-94679.md b/advisories/_posts/2013-06-26-OSVDB-94679.md
index 15a5a88c..ea7e0780 100644
--- a/advisories/_posts/2013-06-26-OSVDB-94679.md
+++ b/advisories/_posts/2013-06-26-OSVDB-94679.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'OSVDB-94679 (enum_column3): enum_column3 Gem for Ruby Symbol Creation Remote
- DoS'
-comments: false
-categories:
-- enum_column3
-advisory:
- gem: enum_column3
- osvdb: 94679
- url: https://security.snyk.io/vuln/SNYK-RUBY-ENUMCOLUMN3-20100
- title: enum_column3 Gem for Ruby Symbol Creation Remote DoS
- date: 2013-06-26
- description: |
- The enum_column3 Gem for Ruby contains a flaw that may allow a remote
- denial of service. The issue is due to the program typecasting unexpected
- strings to symbols. This may allow a remote attacker to crash the program.
- related:
- url:
- - https://security.snyk.io/vuln/SNYK-RUBY-ENUMCOLUMN3-20100
- - http://osvdb.org/show/osvdb/94679
- notes: Never patched
----
+---
+layout: advisory
+title: 'OSVDB-94679 (enum_column3): enum_column3 Gem for Ruby Symbol Creation Remote
+ DoS'
+comments: false
+categories:
+- enum_column3
+advisory:
+ gem: enum_column3
+ osvdb: 94679
+ url: https://security.snyk.io/vuln/SNYK-RUBY-ENUMCOLUMN3-20100
+ title: enum_column3 Gem for Ruby Symbol Creation Remote DoS
+ date: 2013-06-26
+ description: |
+ The enum_column3 Gem for Ruby contains a flaw that may allow a remote
+ denial of service. The issue is due to the program typecasting unexpected
+ strings to symbols. This may allow a remote attacker to crash the program.
+ related:
+ url:
+ - https://security.snyk.io/vuln/SNYK-RUBY-ENUMCOLUMN3-20100
+ - http://osvdb.org/show/osvdb/94679
+ notes: Never patched
+---
diff --git a/advisories/_posts/2013-07-09-CVE-2014-2538.md b/advisories/_posts/2013-07-09-CVE-2014-2538.md
index c382be2b..b4ffaef0 100644
--- a/advisories/_posts/2013-07-09-CVE-2014-2538.md
+++ b/advisories/_posts/2013-07-09-CVE-2014-2538.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2014-2538 (rack-ssl): CVE-2014-2538 rubygem rack-ssl: URL error display
- XSS'
-comments: false
-categories:
-- rack-ssl
-advisory:
- gem: rack-ssl
- cve: 2014-2538
- osvdb: 104734
- ghsa: v3rr-cph9-2g2q
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-2538
- title: 'CVE-2014-2538 rubygem rack-ssl: URL error display XSS'
- date: 2013-07-09
- description: |
- Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl
- gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script
- or HTML via a URI, which might not be properly handled by third-party adapters such
- as JRuby-Rack.
- cvss_v2: 4.3
- patched_versions:
- - ">= 1.3.4"
----
+---
+layout: advisory
+title: 'CVE-2014-2538 (rack-ssl): CVE-2014-2538 rubygem rack-ssl: URL error display
+ XSS'
+comments: false
+categories:
+- rack-ssl
+advisory:
+ gem: rack-ssl
+ cve: 2014-2538
+ osvdb: 104734
+ ghsa: v3rr-cph9-2g2q
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-2538
+ title: 'CVE-2014-2538 rubygem rack-ssl: URL error display XSS'
+ date: 2013-07-09
+ description: |
+ Cross-site scripting (XSS) vulnerability in lib/rack/ssl.rb in the rack-ssl
+ gem before 1.4.0 for Ruby allows remote attackers to inject arbitrary web script
+ or HTML via a URI, which might not be properly handled by third-party adapters such
+ as JRuby-Rack.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 1.3.4"
+---
diff --git a/advisories/_posts/2013-07-25-CVE-2013-4170.md b/advisories/_posts/2013-07-25-CVE-2013-4170.md
index d8ee9c04..0bf72839 100644
--- a/advisories/_posts/2013-07-25-CVE-2013-4170.md
+++ b/advisories/_posts/2013-07-25-CVE-2013-4170.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2013-4170 (ember-source): Ember.js Potential XSS Exploit When Binding
- `tagName` to User-Supplied Data'
-comments: false
-categories:
-- ember-source
-advisory:
- gem: ember-source
- cve: 2013-4170
- ghsa: 5m48-c37x-f792
- url: https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM
- title: Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data
- date: 2013-07-25
- description: |
- In general, Ember.js escapes or strips any user-supplied content
- before inserting it in strings that will be sent to innerHTML.
- However, the `tagName` property of an `Ember.View` was inserted into
- such a string without being sanitized. This means that if an
- application assigns a view's `tagName` to user-supplied data, a
- specially-crafted payload could execute arbitrary JavaScript in the
- context of the current domain ("XSS").
-
- This vulnerability only affects applications that assign or bind
- user-provided content to `tagName`.
- cvss_v3: 6.1
- patched_versions:
- - "~> 1.0.0.rc1.1"
- - "~> 1.0.0.rc2.1"
- - "~> 1.0.0.rc3.1"
- - "~> 1.0.0.rc4.1"
- - "~> 1.0.0.rc5.1"
- - ">= 1.0.0.rc6.1"
----
+---
+layout: advisory
+title: 'CVE-2013-4170 (ember-source): Ember.js Potential XSS Exploit When Binding
+ `tagName` to User-Supplied Data'
+comments: false
+categories:
+- ember-source
+advisory:
+ gem: ember-source
+ cve: 2013-4170
+ ghsa: 5m48-c37x-f792
+ url: https://groups.google.com/forum/#!topic/ember-security/dokLVwwxAdM
+ title: Ember.js Potential XSS Exploit When Binding `tagName` to User-Supplied Data
+ date: 2013-07-25
+ description: |
+ In general, Ember.js escapes or strips any user-supplied content
+ before inserting it in strings that will be sent to innerHTML.
+ However, the `tagName` property of an `Ember.View` was inserted into
+ such a string without being sanitized. This means that if an
+ application assigns a view's `tagName` to user-supplied data, a
+ specially-crafted payload could execute arbitrary JavaScript in the
+ context of the current domain ("XSS").
+
+ This vulnerability only affects applications that assign or bind
+ user-provided content to `tagName`.
+ cvss_v3: 6.1
+ patched_versions:
+ - "~> 1.0.0.rc1.1"
+ - "~> 1.0.0.rc2.1"
+ - "~> 1.0.0.rc3.1"
+ - "~> 1.0.0.rc4.1"
+ - "~> 1.0.0.rc5.1"
+ - ">= 1.0.0.rc6.1"
+---
diff --git a/advisories/_posts/2013-08-02-CVE-2013-4203.md b/advisories/_posts/2013-08-02-CVE-2013-4203.md
index 11e25d4f..e2321c56 100644
--- a/advisories/_posts/2013-08-02-CVE-2013-4203.md
+++ b/advisories/_posts/2013-08-02-CVE-2013-4203.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2013-4203 (rgpg): rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command
- Execution'
-comments: false
-categories:
-- rgpg
-advisory:
- gem: rgpg
- cve: 2013-4203
- osvdb: 95948
- ghsa: jg4m-q6w8-vrjp
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-4203
- title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
- date: 2013-08-02
- description: |
- rgpg Gem for Ruby contains a flaw in the GpgHelper module
- (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
- sanitize user-supplied input before being used in the system() function for
- execution. This may allow a remote attacker to execute arbitrary commands.
- cvss_v2: 7.5
- patched_versions:
- - ">= 0.2.3"
----
+---
+layout: advisory
+title: 'CVE-2013-4203 (rgpg): rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command
+ Execution'
+comments: false
+categories:
+- rgpg
+advisory:
+ gem: rgpg
+ cve: 2013-4203
+ osvdb: 95948
+ ghsa: jg4m-q6w8-vrjp
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-4203
+ title: rgpg Gem for Ruby lib/rgpg/gpg_helper.rb Remote Command Execution
+ date: 2013-08-02
+ description: |
+ rgpg Gem for Ruby contains a flaw in the GpgHelper module
+ (lib/rgpg/gpg_helper.rb). The issue is due to the program failing to properly
+ sanitize user-supplied input before being used in the system() function for
+ execution. This may allow a remote attacker to execute arbitrary commands.
+ cvss_v2: 7.5
+ patched_versions:
+ - ">= 0.2.3"
+---
diff --git a/advisories/_posts/2013-08-02-OSVDB-114435.md b/advisories/_posts/2013-08-02-OSVDB-114435.md
index c7deec48..be1c2606 100644
--- a/advisories/_posts/2013-08-02-OSVDB-114435.md
+++ b/advisories/_posts/2013-08-02-OSVDB-114435.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'OSVDB-114435 (devise): CSRF token fixation attacks in Devise'
-comments: false
-categories:
-- devise
-advisory:
- gem: devise
- osvdb: 114435
- url: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
- title: CSRF token fixation attacks in Devise
- date: 2013-08-02
- description: |
- Devise contains a flaw that allows a remote, user-assisted attacker to
- conduct a CSRF token fixation attack. This issue is triggered as previous
- CSRF tokens are not properly invalidated when a new token is created.
- If an attacker has knowledge of said token, a specially crafted request can
- be made to it, allowing the attacker to conduct CSRF attacks.
- patched_versions:
- - "~> 2.2.5"
- - ">= 3.0.1"
- related:
- url:
- - http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise
- - https://github.com/heartcombo/devise/commit/747751a20f50aa8814dcd3eb9a3648f00ab6a707
- - https://github.com/heartcombo/devise/compare/v3.0.0...v3.0.1
- - https://my.diffend.io/gems/devise/3.0.0/3.0.1
- - https://security.snyk.io/vuln/SNYK-RUBY-DEVISE-20103
----
+---
+layout: advisory
+title: 'OSVDB-114435 (devise): CSRF token fixation attacks in Devise'
+comments: false
+categories:
+- devise
+advisory:
+ gem: devise
+ osvdb: 114435
+ url: http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise/
+ title: CSRF token fixation attacks in Devise
+ date: 2013-08-02
+ description: |
+ Devise contains a flaw that allows a remote, user-assisted attacker to
+ conduct a CSRF token fixation attack. This issue is triggered as previous
+ CSRF tokens are not properly invalidated when a new token is created.
+ If an attacker has knowledge of said token, a specially crafted request can
+ be made to it, allowing the attacker to conduct CSRF attacks.
+ patched_versions:
+ - "~> 2.2.5"
+ - ">= 3.0.1"
+ related:
+ url:
+ - http://blog.plataformatec.com.br/2013/08/csrf-token-fixation-attacks-in-devise
+ - https://github.com/heartcombo/devise/commit/747751a20f50aa8814dcd3eb9a3648f00ab6a707
+ - https://github.com/heartcombo/devise/compare/v3.0.0...v3.0.1
+ - https://my.diffend.io/gems/devise/3.0.0/3.0.1
+ - https://security.snyk.io/vuln/SNYK-RUBY-DEVISE-20103
+---
diff --git a/advisories/_posts/2013-08-03-OSVDB-96425.md b/advisories/_posts/2013-08-03-OSVDB-96425.md
index 4632e2c7..cca910c8 100644
--- a/advisories/_posts/2013-08-03-OSVDB-96425.md
+++ b/advisories/_posts/2013-08-03-OSVDB-96425.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'OSVDB-96425 (redis-namespace): redis-namespace Gem for Ruby contains a flaw
- in the method_missing implementation'
-comments: false
-categories:
-- redis-namespace
-advisory:
- gem: redis-namespace
- osvdb: 96425
- url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
- title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
- date: 2013-08-03
- description: |
- redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
- The issue is triggered when handling exec commands called via send(). This may allow a
- remote attacker to execute arbitrary commands.
- patched_versions:
- - "~> 1.0.4"
- - "~> 1.1.1"
- - "~> 1.2.2"
- - ">= 1.3.1"
- related:
- url:
- - http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
- - https://github.com/resque/redis-namespace/issues/65
- - https://github.com/resque/redis-namespace/commit/6d839515e8a3fdc17b5fb391500fda3f919689d6
- - https://security.snyk.io/vuln/SNYK-RUBY-REDISNAMESPACE-20105
----
+---
+layout: advisory
+title: 'OSVDB-96425 (redis-namespace): redis-namespace Gem for Ruby contains a flaw
+ in the method_missing implementation'
+comments: false
+categories:
+- redis-namespace
+advisory:
+ gem: redis-namespace
+ osvdb: 96425
+ url: http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
+ title: redis-namespace Gem for Ruby contains a flaw in the method_missing implementation
+ date: 2013-08-03
+ description: |
+ redis-namespace Gem for Ruby contains a flaw in the method_missing implementation.
+ The issue is triggered when handling exec commands called via send(). This may allow a
+ remote attacker to execute arbitrary commands.
+ patched_versions:
+ - "~> 1.0.4"
+ - "~> 1.1.1"
+ - "~> 1.2.2"
+ - ">= 1.3.1"
+ related:
+ url:
+ - http://blog.steveklabnik.com/posts/2013-08-03-redis-namespace-1-3-1--security-release
+ - https://github.com/resque/redis-namespace/issues/65
+ - https://github.com/resque/redis-namespace/commit/6d839515e8a3fdc17b5fb391500fda3f919689d6
+ - https://security.snyk.io/vuln/SNYK-RUBY-REDISNAMESPACE-20105
+---
diff --git a/advisories/_posts/2013-08-14-CVE-2013-5647.md b/advisories/_posts/2013-08-14-CVE-2013-5647.md
index 5295bfc6..de3a2ac0 100644
--- a/advisories/_posts/2013-08-14-CVE-2013-5647.md
+++ b/advisories/_posts/2013-08-14-CVE-2013-5647.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2013-5647 (sounder): Sounder Gem for Ruby File Name Handling Arbitrary
- Command Execution'
-comments: false
-categories:
-- sounder
-advisory:
- gem: sounder
- cve: 2013-5647
- osvdb: 96278
- ghsa: rfmf-rx8w-935w
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-5647
- title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
- date: 2013-08-14
- description: |
- Sounder Gem for Ruby contains a flaw that is triggered during the handling
- of file names. This may allow a context-dependent attacker to execute
- arbitrary commands.
- cvss_v2: 7.5
- patched_versions:
- - ">= 1.0.2"
----
+---
+layout: advisory
+title: 'CVE-2013-5647 (sounder): Sounder Gem for Ruby File Name Handling Arbitrary
+ Command Execution'
+comments: false
+categories:
+- sounder
+advisory:
+ gem: sounder
+ cve: 2013-5647
+ osvdb: 96278
+ ghsa: rfmf-rx8w-935w
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-5647
+ title: Sounder Gem for Ruby File Name Handling Arbitrary Command Execution
+ date: 2013-08-14
+ description: |
+ Sounder Gem for Ruby contains a flaw that is triggered during the handling
+ of file names. This may allow a context-dependent attacker to execute
+ arbitrary commands.
+ cvss_v2: 7.5
+ patched_versions:
+ - ">= 1.0.2"
+---
diff --git a/advisories/_posts/2013-09-01-CVE-2013-4318.md b/advisories/_posts/2013-09-01-CVE-2013-4318.md
index 665a268e..a58a4913 100644
--- a/advisories/_posts/2013-09-01-CVE-2013-4318.md
+++ b/advisories/_posts/2013-09-01-CVE-2013-4318.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2013-4318 (features): Features Gem for Ruby /tmp/out.html Local XSS'
-comments: false
-categories:
-- features
-advisory:
- gem: features
- cve: 2013-4318
- osvdb: 96975
- ghsa: 42gq-h7xj-33r4
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-4318
- title: Features Gem for Ruby /tmp/out.html Local XSS
- date: 2013-09-01
- description: |
- Features Gem for Ruby contains a flaw that allows a local cross-site
- scripting (XSS) attack. This flaw exists because the application does not validate
- certain input upon submission to /tmp/out.html. This may allow an attacker to create
- a specially crafted request that would execute arbitrary script code in a user's
- browser within the trust relationship between their browser and the server.
- cvss_v3: 5.4
----
+---
+layout: advisory
+title: 'CVE-2013-4318 (features): Features Gem for Ruby /tmp/out.html Local XSS'
+comments: false
+categories:
+- features
+advisory:
+ gem: features
+ cve: 2013-4318
+ osvdb: 96975
+ ghsa: 42gq-h7xj-33r4
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-4318
+ title: Features Gem for Ruby /tmp/out.html Local XSS
+ date: 2013-09-01
+ description: |
+ Features Gem for Ruby contains a flaw that allows a local cross-site
+ scripting (XSS) attack. This flaw exists because the application does not validate
+ certain input upon submission to /tmp/out.html. This may allow an attacker to create
+ a specially crafted request that would execute arbitrary script code in a user's
+ browser within the trust relationship between their browser and the server.
+ cvss_v3: 5.4
+---
diff --git a/advisories/_posts/2013-09-03-CVE-2013-5671.md b/advisories/_posts/2013-09-03-CVE-2013-5671.md
index d5badd47..3ac879bc 100644
--- a/advisories/_posts/2013-09-03-CVE-2013-5671.md
+++ b/advisories/_posts/2013-09-03-CVE-2013-5671.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2013-5671 (fog-dragonfly): fog-dragonfly Gem for Ruby imagemagickutils.rb
- Remote Command Execution'
-comments: false
-categories:
-- fog-dragonfly
-advisory:
- gem: fog-dragonfly
- cve: 2013-5671
- osvdb: 96798
- ghsa: qrgf-jqqm-x7xv
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-5671
- title: fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution
- date: 2013-09-03
- description: |
- fog-dragonfly Gem for Ruby contains a flaw that is due to the program
- failing to properly sanitize input passed via the imagemagickutils.rb script.
- This may allow a remote attacker to execute arbitrary commands.
-
- This gem has been renamed. Please use "dragonfly" from now on.
- cvss_v2: 7.5
- patched_versions:
- - ">= 0.8.4"
----
+---
+layout: advisory
+title: 'CVE-2013-5671 (fog-dragonfly): fog-dragonfly Gem for Ruby imagemagickutils.rb
+ Remote Command Execution'
+comments: false
+categories:
+- fog-dragonfly
+advisory:
+ gem: fog-dragonfly
+ cve: 2013-5671
+ osvdb: 96798
+ ghsa: qrgf-jqqm-x7xv
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-5671
+ title: fog-dragonfly Gem for Ruby imagemagickutils.rb Remote Command Execution
+ date: 2013-09-03
+ description: |
+ fog-dragonfly Gem for Ruby contains a flaw that is due to the program
+ failing to properly sanitize input passed via the imagemagickutils.rb script.
+ This may allow a remote attacker to execute arbitrary commands.
+
+ This gem has been renamed. Please use "dragonfly" from now on.
+ cvss_v2: 7.5
+ patched_versions:
+ - ">= 0.8.4"
+---
diff --git a/advisories/_posts/2013-09-09-CVE-2013-4287.md b/advisories/_posts/2013-09-09-CVE-2013-4287.md
index 06ac347d..1dca78c8 100644
--- a/advisories/_posts/2013-09-09-CVE-2013-4287.md
+++ b/advisories/_posts/2013-09-09-CVE-2013-4287.md
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2013-4287 (rubygems-update): CVE-2013-4287 rubygems: version regex algorithmic - complexity vulnerability' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2013-4287 - osvdb: 97163 - ghsa: 9j7m-rjqx-48vh - url: http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html - title: 'CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability' - date: 2013-09-09 - description: | - Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN - in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x - before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows - remote attackers to cause a denial of service (CPU consumption) via a crafted gem - version that triggers a large amount of backtracking in a regular expression. - cvss_v2: 4.3 - patched_versions: - - "~> 1.8.23.1" - - "~> 1.8.26" - - "~> 2.0.8" - - ">= 2.1.0" ---- +--- +layout: advisory +title: 'CVE-2013-4287 (rubygems-update): CVE-2013-4287 rubygems: version regex algorithmic + complexity vulnerability' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2013-4287 + osvdb: 97163 + ghsa: 9j7m-rjqx-48vh + url: http://blog.rubygems.org/2013/09/09/CVE-2013-4287.html + title: 'CVE-2013-4287 rubygems: version regex algorithmic complexity vulnerability' + date: 2013-09-09 + description: | + Algorithmic complexity vulnerability in Gem::Version::VERSION_PATTERN + in lib/rubygems/version.rb in RubyGems before 1.8.23.1, 1.8.24 through 1.8.25, 2.0.x + before 2.0.8, and 2.1.x before 2.1.0, as used in Ruby 1.9.0 through 2.0.0p247, allows + remote attackers to cause a denial of service (CPU consumption) via a crafted gem + version that triggers a large amount of backtracking in a regular expression. 
+ cvss_v2: 4.3 + patched_versions: + - "~> 1.8.23.1" + - "~> 1.8.26" + - "~> 2.0.8" + - ">= 2.1.0" +--- diff --git a/advisories/_posts/2013-09-19-CVE-2013-6459.md b/advisories/_posts/2013-09-19-CVE-2013-6459.md index 9aba717e..2873042b 100644 --- a/advisories/_posts/2013-09-19-CVE-2013-6459.md +++ b/advisories/_posts/2013-09-19-CVE-2013-6459.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-6459 (will_paginate): CVE-2013-6459 rubygem-will_paginate: XSS vulnerabilities' -comments: false -categories: -- will_paginate -advisory: - gem: will_paginate - cve: 2013-6459 - osvdb: 101138 - ghsa: 8r6h-7x9g-xmw9 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-6459 - title: 'CVE-2013-6459 rubygem-will_paginate: XSS vulnerabilities' - date: 2013-09-19 - description: | - Cross-site scripting (XSS) vulnerability in the will_paginate gem before - 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via - vectors involving generated pagination links. It was found that ruby will_paginate - is vulnerable to a XSS via malformed input that cause pagination to occur on an - improper boundary. This could allow an attacker with the ability to pass data to - the will_paginate gem to display arbitrary HTML including scripting code within - the web interface. - cvss_v2: 4.3 - patched_versions: - - ">= 3.0.5" ---- +--- +layout: advisory +title: 'CVE-2013-6459 (will_paginate): CVE-2013-6459 rubygem-will_paginate: XSS vulnerabilities' +comments: false +categories: +- will_paginate +advisory: + gem: will_paginate + cve: 2013-6459 + osvdb: 101138 + ghsa: 8r6h-7x9g-xmw9 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-6459 + title: 'CVE-2013-6459 rubygem-will_paginate: XSS vulnerabilities' + date: 2013-09-19 + description: | + Cross-site scripting (XSS) vulnerability in the will_paginate gem before + 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via + vectors involving generated pagination links. It was found that ruby will_paginate + is vulnerable to a XSS via malformed input that cause pagination to occur on an + improper boundary. This could allow an attacker with the ability to pass data to + the will_paginate gem to display arbitrary HTML including scripting code within + the web interface. + cvss_v2: 4.3 + patched_versions: + - ">= 3.0.5" +--- 
diff --git a/advisories/_posts/2013-09-24-CVE-2013-4363.md b/advisories/_posts/2013-09-24-CVE-2013-4363.md index ca1b57cb..c2a988b8 100644 --- a/advisories/_posts/2013-09-24-CVE-2013-4363.md +++ b/advisories/_posts/2013-09-24-CVE-2013-4363.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2013-4363 (rubygems-update): CVE-2013-4363 rubygems: version regex algorithmic - complexity vulnerability, incomplete CVE-2013-4287 fix' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2013-4363 - osvdb: 97163 - ghsa: 9qvm-2vhf-q649 - url: http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html - title: 'CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, - incomplete CVE-2013-4287 fix' - date: 2013-09-24 - description: | - 'Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN - in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x - before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, - allows remote attackers to cause a denial of service (CPU consumption) via a crafted - gem version that triggers a large amount of backtracking in a regular expression. NOTE: - this issue is due to an incomplete fix for CVE-2013-4287.' 
- cvss_v2: 4.3 - patched_versions: - - "~> 1.8.23.2" - - "~> 1.8.27" - - "~> 2.0.10" - - ">= 2.1.5" ---- +--- +layout: advisory +title: 'CVE-2013-4363 (rubygems-update): CVE-2013-4363 rubygems: version regex algorithmic + complexity vulnerability, incomplete CVE-2013-4287 fix' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2013-4363 + osvdb: 97163 + ghsa: 9qvm-2vhf-q649 + url: http://blog.rubygems.org/2013/09/24/CVE-2013-4363.html + title: 'CVE-2013-4363 rubygems: version regex algorithmic complexity vulnerability, + incomplete CVE-2013-4287 fix' + date: 2013-09-24 + description: | + 'Algorithmic complexity vulnerability in Gem::Version::ANCHORED_VERSION_PATTERN + in lib/rubygems/version.rb in RubyGems before 1.8.23.2, 1.8.24 through 1.8.26, 2.0.x + before 2.0.10, and 2.1.x before 2.1.5, as used in Ruby 1.9.0 through 2.0.0p247, + allows remote attackers to cause a denial of service (CPU consumption) via a crafted + gem version that triggers a large amount of backtracking in a regular expression. NOTE: + this issue is due to an incomplete fix for CVE-2013-4287.' + cvss_v2: 4.3 + patched_versions: + - "~> 1.8.23.2" + - "~> 1.8.27" + - "~> 2.0.10" + - ">= 2.1.5" +--- diff --git a/advisories/_posts/2013-10-01-CVE-2013-7463.md b/advisories/_posts/2013-10-01-CVE-2013-7463.md index 099c1ec0..340a7fea 100644 --- a/advisories/_posts/2013-10-01-CVE-2013-7463.md +++ b/advisories/_posts/2013-10-01-CVE-2013-7463.md 
@@ -1,19 +1,19 @@ ---- -layout: advisory -title: 'CVE-2013-7463 (aescrypt): Vulnerability in aescrypt because IV is not randomized' -comments: false -categories: -- aescrypt -advisory: - gem: aescrypt - cve: 2013-7463 - ghsa: 4c4w-3q45-hp9j - url: https://github.com/Gurpartap/aescrypt/issues/4 - title: Vulnerability in aescrypt because IV is not randomized - date: 2013-10-01 - description: | - The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the - AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to - defeat cryptographic protection mechanisms via a chosen plaintext attack. - cvss_v3: 7.5 ---- +--- +layout: advisory +title: 'CVE-2013-7463 (aescrypt): Vulnerability in aescrypt because IV is not randomized' +comments: false +categories: +- aescrypt +advisory: + gem: aescrypt + cve: 2013-7463 + ghsa: 4c4w-3q45-hp9j + url: https://github.com/Gurpartap/aescrypt/issues/4 + title: Vulnerability in aescrypt because IV is not randomized + date: 2013-10-01 + description: | + The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the + AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to + defeat cryptographic protection mechanisms via a chosen plaintext attack. + cvss_v3: 7.5 +--- diff --git a/advisories/_posts/2013-10-08-CVE-2013-4413.md b/advisories/_posts/2013-10-08-CVE-2013-4413.md index 34e204fa..58875ae3 100644 --- a/advisories/_posts/2013-10-08-CVE-2013-4413.md +++ b/advisories/_posts/2013-10-08-CVE-2013-4413.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2013-4413 (wicked): Wicked Gem for Ruby contains a flaw' -comments: false -categories: -- wicked -advisory: - gem: wicked - cve: 2013-4413 - osvdb: 98270 - ghsa: rprj-g6xc-p5gq - url: https://nvd.nist.gov/vuln/detail/CVE-2013-4413 - title: Wicked Gem for Ruby contains a flaw - date: 2013-10-08 - description: | - Wicked Gem for Ruby contains a flaw that is due to the program failing - to properly sanitize input passed via the 'the_step' parameter upon submission to - the render_redirect.rb script. This may allow a remote attacker to gain access to - arbitrary files. - cvss_v2: 5.0 - patched_versions: - - ">= 1.0.1" ---- +--- +layout: advisory +title: 'CVE-2013-4413 (wicked): Wicked Gem for Ruby contains a flaw' +comments: false +categories: +- wicked +advisory: + gem: wicked + cve: 2013-4413 + osvdb: 98270 + ghsa: rprj-g6xc-p5gq + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4413 + title: Wicked Gem for Ruby contains a flaw + date: 2013-10-08 + description: | + Wicked Gem for Ruby contains a flaw that is due to the program failing + to properly sanitize input passed via the 'the_step' parameter upon submission to + the render_redirect.rb script. This may allow a remote attacker to gain access to + arbitrary files. + cvss_v2: 5.0 + patched_versions: + - ">= 1.0.1" +--- diff --git a/advisories/_posts/2013-10-16-CVE-2013-4389.md b/advisories/_posts/2013-10-16-CVE-2013-4389.md index 5f30e922..faf9241f 100644 --- a/advisories/_posts/2013-10-16-CVE-2013-4389.md +++ b/advisories/_posts/2013-10-16-CVE-2013-4389.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-4389 (actionmailer): CVE-2013-4389 rubygem-actionmailer: email address - processing DoS' -comments: false -categories: -- actionmailer -- rails -advisory: - gem: actionmailer - framework: rails - cve: 2013-4389 - osvdb: 98629 - ghsa: rg5m-3fqp-6px8 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-4389 - title: 'CVE-2013-4389 rubygem-actionmailer: email address processing DoS' - date: 2013-10-16 - description: | - Multiple format string vulnerabilities in log_subscriber.rb files in - the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 - allow remote attackers to cause a denial of service via a crafted e-mail address - that is improperly handled during construction of a log message. - cvss_v2: 4.3 - unaffected_versions: - - "~> 2.3.2" - patched_versions: - - ">= 3.2.15" ---- +--- +layout: advisory +title: 'CVE-2013-4389 (actionmailer): CVE-2013-4389 rubygem-actionmailer: email address + processing DoS' +comments: false +categories: +- actionmailer +- rails +advisory: + gem: actionmailer + framework: rails + cve: 2013-4389 + osvdb: 98629 + ghsa: rg5m-3fqp-6px8 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4389 + title: 'CVE-2013-4389 rubygem-actionmailer: email address processing DoS' + date: 2013-10-16 + description: | + Multiple format string vulnerabilities in log_subscriber.rb files in + the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 + allow remote attackers to cause a denial of service via a crafted e-mail address + that is improperly handled during construction of a log message. + cvss_v2: 4.3 + unaffected_versions: + - "~> 2.3.2" + patched_versions: + - ">= 3.2.15" +--- diff --git a/advisories/_posts/2013-10-22-CVE-2013-4457.md b/advisories/_posts/2013-10-22-CVE-2013-4457.md index 54929fc4..f30ac9ba 100644 --- a/advisories/_posts/2013-10-22-CVE-2013-4457.md +++ b/advisories/_posts/2013-10-22-CVE-2013-4457.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2013-4457 (cocaine): Cocaine Gem for Ruby contains a flaw' -comments: false -categories: -- cocaine -advisory: - gem: cocaine - cve: 2013-4457 - osvdb: 98835 - ghsa: c43v-hrmg-56r4 - url: https://nvd.nist.gov/vuln/detail/CVE-2013-4457 - title: Cocaine Gem for Ruby contains a flaw - date: 2013-10-22 - description: | - Cocaine Gem for Ruby contains a flaw that is due to the method of variable - interpolation used by the program. With a specially crafted object, a context-dependent - attacker can execute arbitrary commands. - cvss_v2: 6.8 - unaffected_versions: - - "< 0.4.0" - patched_versions: - - ">= 0.5.3" ---- +--- +layout: advisory +title: 'CVE-2013-4457 (cocaine): Cocaine Gem for Ruby contains a flaw' +comments: false +categories: +- cocaine +advisory: + gem: cocaine + cve: 2013-4457 + osvdb: 98835 + ghsa: c43v-hrmg-56r4 + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4457 + title: Cocaine Gem for Ruby contains a flaw + date: 2013-10-22 + description: | + Cocaine Gem for Ruby contains a flaw that is due to the method of variable + interpolation used by the program. With a specially crafted object, a context-dependent + attacker can execute arbitrary commands. + cvss_v2: 6.8 + unaffected_versions: + - "< 0.4.0" + patched_versions: + - ">= 0.5.3" +--- diff --git a/advisories/_posts/2013-10-29-CVE-2013-4478.md b/advisories/_posts/2013-10-29-CVE-2013-4478.md index a84855cb..1faedc0a 100644 --- a/advisories/_posts/2013-10-29-CVE-2013-4478.md +++ b/advisories/_posts/2013-10-29-CVE-2013-4478.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'CVE-2013-4478 (sup): Sup wrongly handled the filename of attachments' -comments: false -categories: -- sup -advisory: - gem: sup - cve: 2013-4478 - osvdb: 99074 - ghsa: 5f2p-6vjv-2q2m - url: https://web.archive.org/web/20140524012714/http://rubyforge.org/pipermail/sup-talk/2013-August/004993.html - title: Sup wrongly handled the filename of attachments - date: 2013-10-29 - description: | - Sup MUA contains a flaw that is triggered when handling email attachment - content. This may allow a context-dependent attacker to execute arbitrary commands. - cvss_v2: 6.8 - patched_versions: - - "~> 0.13.2.1" - - ">= 0.14.1.1" - related: - cve: - - 2013-4479 - ghsa: - - hh2x-7mf9-78fr - url: - - https://nvd.nist.gov/vuln/detail/CVE-2013-4478 - - https://github.com/sup-heliotrope/sup/blob/develop/History.txt - - https://www.openwall.com/lists/oss-security/2013/10/30/2 - - https://web.archive.org/web/20140524012714/http://rubyforge.org/pipermail/sup-talk/2013-August/004993.html - - https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785 - - https://www.mend.io/vulnerability-database/CVE-2013-4478 - - https://security-tracker.debian.org/tracker/CVE-2013-4478 - - https://lwn.net/Articles/575351 - - https://github.com/advisories/GHSA-5f2p-6vjv-2q2m ---- +--- +layout: advisory +title: 'CVE-2013-4478 (sup): Sup wrongly handled the filename of attachments' +comments: false +categories: +- sup +advisory: + gem: sup + cve: 2013-4478 + osvdb: 99074 + ghsa: 5f2p-6vjv-2q2m + url: https://web.archive.org/web/20140524012714/http://rubyforge.org/pipermail/sup-talk/2013-August/004993.html + title: Sup wrongly handled the filename of attachments + date: 2013-10-29 + description: | + Sup MUA contains a flaw that is triggered when handling email attachment + content. This may allow a context-dependent attacker to execute arbitrary commands. 
+ cvss_v2: 6.8 + patched_versions: + - "~> 0.13.2.1" + - ">= 0.14.1.1" + related: + cve: + - 2013-4479 + ghsa: + - hh2x-7mf9-78fr + url: + - https://nvd.nist.gov/vuln/detail/CVE-2013-4478 + - https://github.com/sup-heliotrope/sup/blob/develop/History.txt + - https://www.openwall.com/lists/oss-security/2013/10/30/2 + - https://web.archive.org/web/20140524012714/http://rubyforge.org/pipermail/sup-talk/2013-August/004993.html + - https://github.com/sup-heliotrope/sup/commit/8b46cdbfc14e07ca07d403aa28b0e7bc1c544785 + - https://www.mend.io/vulnerability-database/CVE-2013-4478 + - https://security-tracker.debian.org/tracker/CVE-2013-4478 + - https://lwn.net/Articles/575351 + - https://github.com/advisories/GHSA-5f2p-6vjv-2q2m +--- diff --git a/advisories/_posts/2013-10-29-CVE-2013-4479.md b/advisories/_posts/2013-10-29-CVE-2013-4479.md index f20cefc5..66370b88 100644 --- a/advisories/_posts/2013-10-29-CVE-2013-4479.md +++ b/advisories/_posts/2013-10-29-CVE-2013-4479.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'CVE-2013-4479 (sup): Sup did not sanitize the content-type of attachments' -comments: false -categories: -- sup -advisory: - gem: sup - cve: 2013-4479 - osvdb: 99074 - ghsa: hh2x-7mf9-78fr - url: https://web.archive.org/web/20140524005344/http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html - title: Sup did not sanitize the content-type of attachments - date: 2013-10-29 - description: | - Sup MUA contains a flaw that is triggered when handling email attachment - content. This may allow a context-dependent attacker to execute arbitrary commands. - cvss_v2: 6.8 - patched_versions: - - "~> 0.13.2.1" - - ">= 0.14.1.1" - related: - cve: - - 2013-4478 - ghsa: - - 5f2p-6vjv-2q2m - url: - - https://nvd.nist.gov/vuln/detail/CVE-2013-4479 - - https://web.archive.org/web/20140524005344/http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html - - https://seclists.org/fulldisclosure/2013/Oct/272 - - https://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt - - https://www.openwall.com/lists/oss-security/2013/10/30/2 - - https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42 - - https://security-tracker.debian.org/tracker/CVE-2013-4479 - - https://lwn.net/Articles/575351 - - https://github.com/advisories/GHSA-hh2x-7mf9-78fr ---- +--- +layout: advisory +title: 'CVE-2013-4479 (sup): Sup did not sanitize the content-type of attachments' +comments: false +categories: +- sup +advisory: + gem: sup + cve: 2013-4479 + osvdb: 99074 + ghsa: hh2x-7mf9-78fr + url: https://web.archive.org/web/20140524005344/http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html + title: Sup did not sanitize the content-type of attachments + date: 2013-10-29 + description: | + Sup MUA contains a flaw that is triggered when handling email attachment + content. This may allow a context-dependent attacker to execute arbitrary commands. 
+ cvss_v2: 6.8 + patched_versions: + - "~> 0.13.2.1" + - ">= 0.14.1.1" + related: + cve: + - 2013-4478 + ghsa: + - 5f2p-6vjv-2q2m + url: + - https://nvd.nist.gov/vuln/detail/CVE-2013-4479 + - https://web.archive.org/web/20140524005344/http://rubyforge.org/pipermail/sup-talk/2013-October/004996.html + - https://seclists.org/fulldisclosure/2013/Oct/272 + - https://seclists.org/fulldisclosure/2013/Oct/att-272/whatsup.txt + - https://www.openwall.com/lists/oss-security/2013/10/30/2 + - https://github.com/sup-heliotrope/sup/commit/ca0302e0c716682d2de22e9136400c704cc93e42 + - https://security-tracker.debian.org/tracker/CVE-2013-4479 + - https://lwn.net/Articles/575351 + - https://github.com/advisories/GHSA-hh2x-7mf9-78fr +--- diff --git a/advisories/_posts/2013-11-04-CVE-2013-4489.md b/advisories/_posts/2013-11-04-CVE-2013-4489.md index ed152222..60bec8c8 100644 --- a/advisories/_posts/2013-11-04-CVE-2013-4489.md +++ b/advisories/_posts/2013-11-04-CVE-2013-4489.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2013-4489 (gitlab-grit): GitLab Grit Gem for Ruby contains a flaw' -comments: false -categories: -- gitlab-grit -advisory: - gem: gitlab-grit - cve: 2013-4489 - osvdb: 99370 - ghsa: 95xq-v4m2-fq3r - url: https://nvd.nist.gov/vuln/detail/CVE-2013-4489 - title: GitLab Grit Gem for Ruby contains a flaw - date: 2013-11-04 - description: | - GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb - script. The issue is triggered when input passed via the code search box is not - properly sanitized, which allows strings to be evaluated by the Bourne shell. This - may allow a remote attacker to execute arbitrary commands. - patched_versions: - - ">= 2.6.1" ---- +--- +layout: advisory +title: 'CVE-2013-4489 (gitlab-grit): GitLab Grit Gem for Ruby contains a flaw' +comments: false +categories: +- gitlab-grit +advisory: + gem: gitlab-grit + cve: 2013-4489 + osvdb: 99370 + ghsa: 95xq-v4m2-fq3r + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4489 + title: GitLab Grit Gem for Ruby contains a flaw + date: 2013-11-04 + description: | + GitLab Grit Gem for Ruby contains a flaw in the app/contexts/search_context.rb + script. The issue is triggered when input passed via the code search box is not + properly sanitized, which allows strings to be evaluated by the Bourne shell. This + may allow a remote attacker to execute arbitrary commands. + patched_versions: + - ">= 2.6.1" +--- diff --git a/advisories/_posts/2013-11-12-CVE-2013-4562.md b/advisories/_posts/2013-11-12-CVE-2013-4562.md index e9bfd096..64e0ed9b 100644 --- a/advisories/_posts/2013-11-12-CVE-2013-4562.md +++ b/advisories/_posts/2013-11-12-CVE-2013-4562.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-4562 (omniauth-facebook): omniauth-facebook Gem for Ruby Unspecified - CSRF' -comments: false -categories: -- omniauth-facebook -advisory: - gem: omniauth-facebook - cve: 2013-4562 - osvdb: 99693 - ghsa: cf36-985g-v73c - url: https://nvd.nist.gov/vuln/detail/CVE-2013-4562 - title: omniauth-facebook Gem for Ruby Unspecified CSRF - date: 2013-11-12 - description: | - omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not - require multiple steps, explicit confirmation, or a unique token when - performing certain sensitive actions. By tricking a user into following - a specially crafted link, a context-dependent attacker can perform a - Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to - perform an unspecified action. - cvss_v2: 6.8 - unaffected_versions: - - "<= 1.4.0" - patched_versions: - - ">= 1.5.0" ---- +--- +layout: advisory +title: 'CVE-2013-4562 (omniauth-facebook): omniauth-facebook Gem for Ruby Unspecified + CSRF' +comments: false +categories: +- omniauth-facebook +advisory: + gem: omniauth-facebook + cve: 2013-4562 + osvdb: 99693 + ghsa: cf36-985g-v73c + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4562 + title: omniauth-facebook Gem for Ruby Unspecified CSRF + date: 2013-11-12 + description: | + omniauth-facebook Gem for Ruby contains a flaw as HTTP requests do not + require multiple steps, explicit confirmation, or a unique token when + performing certain sensitive actions. By tricking a user into following + a specially crafted link, a context-dependent attacker can perform a + Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to + perform an unspecified action. + cvss_v2: 6.8 + unaffected_versions: + - "<= 1.4.0" + patched_versions: + - ">= 1.5.0" +--- diff --git a/advisories/_posts/2013-11-14-CVE-2013-4593.md b/advisories/_posts/2013-11-14-CVE-2013-4593.md index 44e1d4e5..5cb8ff49 100644 --- a/advisories/_posts/2013-11-14-CVE-2013-4593.md 
+++ b/advisories/_posts/2013-11-14-CVE-2013-4593.md @@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2013-4593 (omniauth-facebook): omniauth-facebook Gem for Ruby Insecure - Access Token Handling Authentication Bypass' -comments: false -categories: -- omniauth-facebook -advisory: - gem: omniauth-facebook - cve: 2013-4593 - osvdb: 99888 - ghsa: 33vg-hpx5-pfxg - url: https://nvd.nist.gov/vuln/detail/CVE-2013-4593 - title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication - Bypass - date: 2013-11-14 - description: | - omniauth-facebook Gem for Ruby contains a flaw that is due to the application - supporting passing the access token via the URL. This may allow a remote - attacker to bypass authentication and authenticate as another user. - cvss_v2: 6.8 - cvss_v3: 7.5 - patched_versions: - - ">= 1.5.1" ---- +--- +layout: advisory +title: 'CVE-2013-4593 (omniauth-facebook): omniauth-facebook Gem for Ruby Insecure + Access Token Handling Authentication Bypass' +comments: false +categories: +- omniauth-facebook +advisory: + gem: omniauth-facebook + cve: 2013-4593 + osvdb: 99888 + ghsa: 33vg-hpx5-pfxg + url: https://nvd.nist.gov/vuln/detail/CVE-2013-4593 + title: omniauth-facebook Gem for Ruby Insecure Access Token Handling Authentication + Bypass + date: 2013-11-14 + description: | + omniauth-facebook Gem for Ruby contains a flaw that is due to the application + supporting passing the access token via the URL. This may allow a remote + attacker to bypass authentication and authenticate as another user. + cvss_v2: 6.8 + cvss_v3: 7.5 + patched_versions: + - ">= 1.5.1" +--- diff --git a/advisories/_posts/2013-12-02-CVE-2013-6421.md b/advisories/_posts/2013-12-02-CVE-2013-6421.md index 3a2e11c4..973318e3 100644 --- a/advisories/_posts/2013-12-02-CVE-2013-6421.md +++ b/advisories/_posts/2013-12-02-CVE-2013-6421.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-6421 (sprout): sprout Gem for Ruby archive_unpacker.rb unpack_zip() - Function Multiple Parameter Arbitrary Code Execution' -comments: false -categories: -- sprout -advisory: - gem: sprout - cve: 2013-6421 - osvdb: 100598 - ghsa: 229r-pqp6-8w6g - url: https://nvd.nist.gov/vuln/detail/CVE-2013-6421 - title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter - Arbitrary Code Execution - date: 2013-12-02 - description: | - sprout Gem for Ruby contains a flaw in the unpack_zip() function in - archive_unpacker.rb. The issue is due to the program failing to properly - sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output' - parameters. This may allow a context-dependent attacker to execute arbitrary - code. - cvss_v2: 7.5 - unaffected_versions: - - "< 0.7.246" ---- +--- +layout: advisory +title: 'CVE-2013-6421 (sprout): sprout Gem for Ruby archive_unpacker.rb unpack_zip() + Function Multiple Parameter Arbitrary Code Execution' +comments: false +categories: +- sprout +advisory: + gem: sprout + cve: 2013-6421 + osvdb: 100598 + ghsa: 229r-pqp6-8w6g + url: https://nvd.nist.gov/vuln/detail/CVE-2013-6421 + title: sprout Gem for Ruby archive_unpacker.rb unpack_zip() Function Multiple Parameter + Arbitrary Code Execution + date: 2013-12-02 + description: | + sprout Gem for Ruby contains a flaw in the unpack_zip() function in + archive_unpacker.rb. The issue is due to the program failing to properly + sanitize input passed via the 'zip_file', 'dir', 'zip_name', and 'output' + parameters. This may allow a context-dependent attacker to execute arbitrary + code. + cvss_v2: 7.5 + unaffected_versions: + - "< 0.7.246" +--- diff --git a/advisories/_posts/2013-12-03-CVE-2013-4491.md b/advisories/_posts/2013-12-03-CVE-2013-4491.md index ee41ff4e..6a7bfa4b 100644 --- a/advisories/_posts/2013-12-03-CVE-2013-4491.md +++ b/advisories/_posts/2013-12-03-CVE-2013-4491.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2013-4491 (actionpack): Reflective XSS Vulnerability in Ruby on Rails' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2013-4491 - osvdb: 100528 - ghsa: 699m-mcjm-9cw8 - url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998 - title: Reflective XSS Vulnerability in Ruby on Rails - date: 2013-12-03 - description: | - There is a vulnerability in the internationalization component of Ruby on - Rails. Under certain common configurations an attacker can provide specially - crafted input which will execute a reflective XSS attack. - - The root cause of this issue is a vulnerability in the i18n gem which has - been assigned the identifier CVE-2013-4492. - cvss_v2: 4.3 - patched_versions: - - "~> 3.2.16" - - ">= 4.0.2" ---- +--- +layout: advisory +title: 'CVE-2013-4491 (actionpack): Reflective XSS Vulnerability in Ruby on Rails' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2013-4491 + osvdb: 100528 + ghsa: 699m-mcjm-9cw8 + url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998 + title: Reflective XSS Vulnerability in Ruby on Rails + date: 2013-12-03 + description: | + There is a vulnerability in the internationalization component of Ruby on + Rails. Under certain common configurations an attacker can provide specially + crafted input which will execute a reflective XSS attack. + + The root cause of this issue is a vulnerability in the i18n gem which has + been assigned the identifier CVE-2013-4492. + cvss_v2: 4.3 + patched_versions: + - "~> 3.2.16" + - ">= 4.0.2" +--- diff --git a/advisories/_posts/2013-12-03-CVE-2013-4492.md b/advisories/_posts/2013-12-03-CVE-2013-4492.md index 0e151cda..89fadbf1 100644 --- a/advisories/_posts/2013-12-03-CVE-2013-4492.md +++ b/advisories/_posts/2013-12-03-CVE-2013-4492.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2013-4492 (i18n): i18n missing translation error message XSS' -comments: false -categories: -- i18n -advisory: - gem: i18n - cve: 2013-4492 - osvdb: 100528 - ghsa: r5hc-9xx5-97rw - url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998 - title: i18n missing translation error message XSS - date: 2013-12-03 - description: | - The HTML exception message raised by I18n::MissingTranslation fails - to escape the keys. - cvss_v2: 4.3 - patched_versions: - - "~> 0.5.1" - - ">= 0.6.6" ---- +--- +layout: advisory +title: 'CVE-2013-4492 (i18n): i18n missing translation error message XSS' +comments: false +categories: +- i18n +advisory: + gem: i18n + cve: 2013-4492 + osvdb: 100528 + ghsa: r5hc-9xx5-97rw + url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998 + title: i18n missing translation error message XSS + date: 2013-12-03 + description: | + The HTML exception message raised by I18n::MissingTranslation fails + to escape the keys. + cvss_v2: 4.3 + patched_versions: + - "~> 0.5.1" + - ">= 0.6.6" +--- diff --git a/advisories/_posts/2013-12-03-CVE-2013-6414.md b/advisories/_posts/2013-12-03-CVE-2013-6414.md index 2e544b88..defaba71 100644 --- a/advisories/_posts/2013-12-03-CVE-2013-6414.md +++ b/advisories/_posts/2013-12-03-CVE-2013-6414.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-6414 (actionpack): Denial of Service Vulnerability in Action View' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2013-6414 - osvdb: 100525 - ghsa: mpxf-gcw2-pw5q - url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg - title: Denial of Service Vulnerability in Action View - date: 2013-12-03 - description: | - There is a denial of service vulnerability in the header handling component of - Action View. - cvss_v2: 5.0 - unaffected_versions: - - "~> 2.3.0" - patched_versions: - - "~> 3.2.16" - - ">= 4.0.2" ---- +--- +layout: advisory +title: 'CVE-2013-6414 (actionpack): Denial of Service Vulnerability in Action View' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2013-6414 + osvdb: 100525 + ghsa: mpxf-gcw2-pw5q + url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg + title: Denial of Service Vulnerability in Action View + date: 2013-12-03 + description: | + There is a denial of service vulnerability in the header handling component of + Action View. + cvss_v2: 5.0 + unaffected_versions: + - "~> 2.3.0" + patched_versions: + - "~> 3.2.16" + - ">= 4.0.2" +--- diff --git a/advisories/_posts/2013-12-03-CVE-2013-6415.md b/advisories/_posts/2013-12-03-CVE-2013-6415.md index 70af34f3..c576807f 100644 --- a/advisories/_posts/2013-12-03-CVE-2013-6415.md +++ b/advisories/_posts/2013-12-03-CVE-2013-6415.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2013-6415 (actionpack): XSS Vulnerability in number_to_currency' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2013-6415 - osvdb: 100524 - ghsa: 6h5q-96hp-9jgm - url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0 - title: XSS Vulnerability in number_to_currency - date: 2013-12-03 - description: | - There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile. - The number_to_currency helper allows users to nicely format a numeric value. One - of the parameters to the helper (unit) is not escaped correctly. Applications - which pass user controlled data as the unit parameter are vulnerable to an XSS attack. - cvss_v2: 4.3 - patched_versions: - - "~> 3.2.16" - - ">= 4.0.2" ---- +--- +layout: advisory +title: 'CVE-2013-6415 (actionpack): XSS Vulnerability in number_to_currency' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2013-6415 + osvdb: 100524 + ghsa: 6h5q-96hp-9jgm + url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0 + title: XSS Vulnerability in number_to_currency + date: 2013-12-03 + description: | + There is an XSS vulnerability in the number_to_currency helper in Ruby on Raile. + The number_to_currency helper allows users to nicely format a numeric value. One + of the parameters to the helper (unit) is not escaped correctly. Applications + which pass user controlled data as the unit parameter are vulnerable to an XSS attack. + cvss_v2: 4.3 + patched_versions: + - "~> 3.2.16" + - ">= 4.0.2" +--- diff --git a/advisories/_posts/2013-12-03-CVE-2013-6416.md b/advisories/_posts/2013-12-03-CVE-2013-6416.md index 500dbc00..c2c81d95 100644 --- a/advisories/_posts/2013-12-03-CVE-2013-6416.md +++ b/advisories/_posts/2013-12-03-CVE-2013-6416.md 
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2013-6416 (actionpack): XSS Vulnerability in simple_format helper'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2013-6416
- osvdb: 100526
- ghsa: w37c-q653-qg95
- url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
- title: XSS Vulnerability in simple_format helper
- date: 2013-12-03
- description: |
- There is a vulnerability in the simple_format helper in Ruby on Rails.
- The simple_format helper converts user supplied text into html text
- which is intended to be safe for display. A change made to the
- implementation of this helper means that any user provided HTML
- attributes will not be escaped correctly. As a result of this error,
- applications which pass user-controlled data to be included as html
- attributes will be vulnerable to an XSS attack.
- cvss_v2: 4.3
- unaffected_versions:
- - "~> 2.3.0"
- - "~> 3.1.0"
- - "~> 3.2.0"
- patched_versions:
- - ">= 4.0.2"
----
+---
+layout: advisory
+title: 'CVE-2013-6416 (actionpack): XSS Vulnerability in simple_format helper'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2013-6416
+ osvdb: 100526
+ ghsa: w37c-q653-qg95
+ url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
+ title: XSS Vulnerability in simple_format helper
+ date: 2013-12-03
+ description: |
+ There is a vulnerability in the simple_format helper in Ruby on Rails.
+ The simple_format helper converts user supplied text into html text
+ which is intended to be safe for display. A change made to the
+ implementation of this helper means that any user provided HTML
+ attributes will not be escaped correctly. As a result of this error,
+ applications which pass user-controlled data to be included as html
+ attributes will be vulnerable to an XSS attack.
+ cvss_v2: 4.3
+ unaffected_versions:
+ - "~> 2.3.0"
+ - "~> 3.1.0"
+ - "~> 3.2.0"
+ patched_versions:
+ - ">= 4.0.2"
+---
diff --git a/advisories/_posts/2013-12-03-CVE-2013-6417.md b/advisories/_posts/2013-12-03-CVE-2013-6417.md
index 1bb115ae..e0ee0a45 100644
--- a/advisories/_posts/2013-12-03-CVE-2013-6417.md
+++ b/advisories/_posts/2013-12-03-CVE-2013-6417.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2013-6417 (actionpack): Incomplete fix to CVE-2013-0155 (Unsafe Query
- Generation Risk)'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2013-6417
- osvdb: 100527
- ghsa: wpw7-wxjm-cw8r
- url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
- title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
- date: 2013-12-03
- description: |
- The prior fix to CVE-2013-0155 was incomplete and the use of common
- 3rd party libraries can accidentally circumvent the protection. Due
- to the way that Rack::Request and Rails::Request interact, it is
- possible for a 3rd party or custom rack middleware to parse the
- parameters insecurely and store them in the same key that Rails uses
- for its own parameters. In the event that happens the application
- will receive unsafe parameters and could be vulnerable to the earlier
- vulnerability.
- cvss_v2: 6.4
- patched_versions:
- - "~> 3.2.16"
- - ">= 4.0.2"
----
+---
+layout: advisory
+title: 'CVE-2013-6417 (actionpack): Incomplete fix to CVE-2013-0155 (Unsafe Query
+ Generation Risk)'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2013-6417
+ osvdb: 100527
+ ghsa: wpw7-wxjm-cw8r
+ url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
+ title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
+ date: 2013-12-03
+ description: |
+ The prior fix to CVE-2013-0155 was incomplete and the use of common
+ 3rd party libraries can accidentally circumvent the protection. Due
+ to the way that Rack::Request and Rails::Request interact, it is
+ possible for a 3rd party or custom rack middleware to parse the
+ parameters insecurely and store them in the same key that Rails uses
+ for its own parameters. In the event that happens the application
+ will receive unsafe parameters and could be vulnerable to the earlier
+ vulnerability.
+ cvss_v2: 6.4
+ patched_versions:
+ - "~> 3.2.16"
+ - ">= 4.0.2"
+---
diff --git a/advisories/_posts/2013-12-12-CVE-2013-7086.md b/advisories/_posts/2013-12-12-CVE-2013-7086.md
index ed73180b..d9ad5972 100644
--- a/advisories/_posts/2013-12-12-CVE-2013-7086.md
+++ b/advisories/_posts/2013-12-12-CVE-2013-7086.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2013-7086 (webbynode): Webbynode Gem for Ruby notify.rb growlnotify Message
- Handling Arbitrary Command Execution'
-comments: false
-categories:
-- webbynode
-advisory:
- gem: webbynode
- cve: 2013-7086
- osvdb: 100920
- ghsa: p65m-qr5x-rrqq
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7086
- title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command
- Execution
- date: 2013-12-12
- description: |
- Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
- when handling a specially crafted growlnotify message. This may allow a
- context-dependent attacker to execute arbitrary commands.
- cvss_v2: 7.5
----
+---
+layout: advisory
+title: 'CVE-2013-7086 (webbynode): Webbynode Gem for Ruby notify.rb growlnotify Message
+ Handling Arbitrary Command Execution'
+comments: false
+categories:
+- webbynode
+advisory:
+ gem: webbynode
+ cve: 2013-7086
+ osvdb: 100920
+ ghsa: p65m-qr5x-rrqq
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7086
+ title: Webbynode Gem for Ruby notify.rb growlnotify Message Handling Arbitrary Command
+ Execution
+ date: 2013-12-12
+ description: |
+ Webbynode Gem for Ruby contains a flaw in notify.rb that is triggered
+ when handling a specially crafted growlnotify message. This may allow a
+ context-dependent attacker to execute arbitrary commands.
+ cvss_v2: 7.5
+---
diff --git a/advisories/_posts/2013-12-14-CVE-2013-6460.md b/advisories/_posts/2013-12-14-CVE-2013-6460.md
index 81086b04..c9f7defb 100644
--- a/advisories/_posts/2013-12-14-CVE-2013-6460.md
+++ b/advisories/_posts/2013-12-14-CVE-2013-6460.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2013-6460 (nokogiri): CVE-2013-6460 rubygem-nokogiri: DoS while parsing
- XML documents'
-comments: false
-categories:
-- nokogiri
-- jruby
-advisory:
- gem: nokogiri
- platform: jruby
- cve: 2013-6460
- osvdb: 101179
- ghsa: 62qp-3fxm-9wxf
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-6460
- title: 'CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents'
- date: 2013-12-14
- description: |
- Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing
- XML documents
- cvss_v2: 4.3
- cvss_v3: 6.5
- patched_versions:
- - "~> 1.5.11"
- - ">= 1.6.1"
----
+---
+layout: advisory
+title: 'CVE-2013-6460 (nokogiri): CVE-2013-6460 rubygem-nokogiri: DoS while parsing
+ XML documents'
+comments: false
+categories:
+- nokogiri
+- jruby
+advisory:
+ gem: nokogiri
+ platform: jruby
+ cve: 2013-6460
+ osvdb: 101179
+ ghsa: 62qp-3fxm-9wxf
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-6460
+ title: 'CVE-2013-6460 rubygem-nokogiri: DoS while parsing XML documents'
+ date: 2013-12-14
+ description: |
+ Nokogiri gem 1.5.x has Denial of Service via infinite loop when parsing
+ XML documents
+ cvss_v2: 4.3
+ cvss_v3: 6.5
+ patched_versions:
+ - "~> 1.5.11"
+ - ">= 1.6.1"
+---
diff --git a/advisories/_posts/2013-12-14-CVE-2013-6461.md b/advisories/_posts/2013-12-14-CVE-2013-6461.md
index 07f32e30..da45874f 100644
--- a/advisories/_posts/2013-12-14-CVE-2013-6461.md
+++ b/advisories/_posts/2013-12-14-CVE-2013-6461.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2013-6461 (nokogiri): CVE-2013-6461 rubygem-nokogiri: DoS while parsing
- XML entities'
-comments: false
-categories:
-- nokogiri
-advisory:
- gem: nokogiri
- cve: 2013-6461
- osvdb: 101458
- ghsa: jmhh-w7xp-wg39
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-6461
- title: 'CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities'
- date: 2013-12-14
- description: |
- Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing
- to apply limits
- cvss_v3: 6.5
- patched_versions:
- - "~> 1.5.11"
- - ">= 1.6.1"
----
+---
+layout: advisory
+title: 'CVE-2013-6461 (nokogiri): CVE-2013-6461 rubygem-nokogiri: DoS while parsing
+ XML entities'
+comments: false
+categories:
+- nokogiri
+advisory:
+ gem: nokogiri
+ cve: 2013-6461
+ osvdb: 101458
+ ghsa: jmhh-w7xp-wg39
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-6461
+ title: 'CVE-2013-6461 rubygem-nokogiri: DoS while parsing XML entities'
+ date: 2013-12-14
+ description: |
+ Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing
+ to apply limits
+ cvss_v3: 6.5
+ patched_versions:
+ - "~> 1.5.11"
+ - ">= 1.6.1"
+---
diff --git a/advisories/_posts/2013-12-14-CVE-2013-7111.md b/advisories/_posts/2013-12-14-CVE-2013-7111.md
index 924817b4..129ee101 100644
--- a/advisories/_posts/2013-12-14-CVE-2013-7111.md
+++ b/advisories/_posts/2013-12-14-CVE-2013-7111.md
@@ -1,20 +1,20 @@
----
-layout: advisory
-title: 'CVE-2013-7111 (bio-basespace-sdk): Bio Basespace SDK Gem for Ruby Command
- Line API Key Disclosure'
-comments: false
-categories:
-- bio-basespace-sdk
-advisory:
- gem: bio-basespace-sdk
- cve: 2013-7111
- osvdb: 101031
- ghsa: xwr3-fmgj-mmfr
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7111
- title: Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure
- date: 2013-12-14
- description: |
- Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API
- client code passing the API_KEY to a curl command. This may allow a local attacker
- to gain access to API key information by monitoring the process table.
----
+---
+layout: advisory
+title: 'CVE-2013-7111 (bio-basespace-sdk): Bio Basespace SDK Gem for Ruby Command
+ Line API Key Disclosure'
+comments: false
+categories:
+- bio-basespace-sdk
+advisory:
+ gem: bio-basespace-sdk
+ cve: 2013-7111
+ osvdb: 101031
+ ghsa: xwr3-fmgj-mmfr
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7111
+ title: Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure
+ date: 2013-12-14
+ description: |
+ Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API
+ client code passing the API_KEY to a curl command. This may allow a local attacker
+ to gain access to API key information by monitoring the process table.
+---
diff --git a/advisories/_posts/2013-12-24-CVE-2013-7222.md b/advisories/_posts/2013-12-24-CVE-2013-7222.md
index fd1116f5..fa9ec744 100644
--- a/advisories/_posts/2013-12-24-CVE-2013-7222.md
+++ b/advisories/_posts/2013-12-24-CVE-2013-7222.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2013-7222 (fat_free_crm): Fat Free CRM Gem for Ruby lack of support for
- cycling the Rails session secret'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2013-7222
- osvdb: 101445
- ghsa: g897-cgfc-7q8v
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7222
- title: Fat Free CRM Gem for Ruby lack of support for cycling the Rails session secret
- date: 2013-12-24
- description: |
- Fat Free CRM contains a flaw that is due to the application defining a static
- security session token in config/initialiers/secret_token.rb. If a remote
- attacker has explicit knowledge of this token, they can potentially execute
- arbitrary code.
- cvss_v2: 5.0
- patched_versions:
- - ">= 0.13.0"
- - "~> 0.12.1"
----
+---
+layout: advisory
+title: 'CVE-2013-7222 (fat_free_crm): Fat Free CRM Gem for Ruby lack of support for
+ cycling the Rails session secret'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2013-7222
+ osvdb: 101445
+ ghsa: g897-cgfc-7q8v
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7222
+ title: Fat Free CRM Gem for Ruby lack of support for cycling the Rails session secret
+ date: 2013-12-24
+ description: |
+ Fat Free CRM contains a flaw that is due to the application defining a static
+ security session token in config/initialiers/secret_token.rb. If a remote
+ attacker has explicit knowledge of this token, they can potentially execute
+ arbitrary code.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 0.13.0"
+ - "~> 0.12.1"
+---
diff --git a/advisories/_posts/2013-12-24-CVE-2013-7223.md b/advisories/_posts/2013-12-24-CVE-2013-7223.md
index b7ecdb8a..a4f3dc15 100644
--- a/advisories/_posts/2013-12-24-CVE-2013-7223.md
+++ b/advisories/_posts/2013-12-24-CVE-2013-7223.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2013-7223 (fat_free_crm): Fat Free CRM Gem for Ruby contains multiple
- cross-site request forgery (CSRF) vulnerabilities'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2013-7223
- osvdb: 101446
- ghsa: mcvq-7xjq-46x6
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7223
- title: Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF)
- vulnerabilities
- date: 2013-12-24
- description: |
- Fat Free CRM contains a flaw as the application is missing the protect_from_forgery
- statement, therefore HTTP requests to app/controllers/application_controller.rb
- do not require multiple steps, explicit confirmation, or a unique token when
- performing certain sensitive actions. By tricking a user into following a specially
- crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery
- (CSRF / XSRF) attack causing the victim to perform unspecified actions.
- cvss_v2: 6.8
- patched_versions:
- - ">= 0.13.0"
- - "~> 0.12.1"
----
+---
+layout: advisory
+title: 'CVE-2013-7223 (fat_free_crm): Fat Free CRM Gem for Ruby contains multiple
+ cross-site request forgery (CSRF) vulnerabilities'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2013-7223
+ osvdb: 101446
+ ghsa: mcvq-7xjq-46x6
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7223
+ title: Fat Free CRM Gem for Ruby contains multiple cross-site request forgery (CSRF)
+ vulnerabilities
+ date: 2013-12-24
+ description: |
+ Fat Free CRM contains a flaw as the application is missing the protect_from_forgery
+ statement, therefore HTTP requests to app/controllers/application_controller.rb
+ do not require multiple steps, explicit confirmation, or a unique token when
+ performing certain sensitive actions. By tricking a user into following a specially
+ crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery
+ (CSRF / XSRF) attack causing the victim to perform unspecified actions.
+ cvss_v2: 6.8
+ patched_versions:
+ - ">= 0.13.0"
+ - "~> 0.12.1"
+---
diff --git a/advisories/_posts/2013-12-24-CVE-2013-7224.md b/advisories/_posts/2013-12-24-CVE-2013-7224.md
index 89ae76b6..5d81aded 100644
--- a/advisories/_posts/2013-12-24-CVE-2013-7224.md
+++ b/advisories/_posts/2013-12-24-CVE-2013-7224.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2013-7224 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers
- to obtain sensitive informations'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2013-7224
- osvdb: 101447
- ghsa: 4xq9-vw89-p5cx
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7224
- title: Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive informations
- date: 2013-12-24
- description: |
- Fat Free CRM contains a flaw in user controllers that is triggered as JSON
- requests are rendered with a full JSON object. This may allow a remote
- attacker to gain access to potentially sensitive information e.g. other
- users password hashes.
- cvss_v2: 5.0
- patched_versions:
- - ">= 0.13.0"
- - "~> 0.12.1"
----
+---
+layout: advisory
+title: 'CVE-2013-7224 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers
+ to obtain sensitive informations'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2013-7224
+ osvdb: 101447
+ ghsa: 4xq9-vw89-p5cx
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7224
+ title: Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive informations
+ date: 2013-12-24
+ description: |
+ Fat Free CRM contains a flaw in user controllers that is triggered as JSON
+ requests are rendered with a full JSON object. This may allow a remote
+ attacker to gain access to potentially sensitive information e.g. other
+ users password hashes.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 0.13.0"
+ - "~> 0.12.1"
+---
diff --git a/advisories/_posts/2013-12-24-CVE-2013-7225.md b/advisories/_posts/2013-12-24-CVE-2013-7225.md
index bf963590..0ce2b06e 100644
--- a/advisories/_posts/2013-12-24-CVE-2013-7225.md
+++ b/advisories/_posts/2013-12-24-CVE-2013-7225.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2013-7225 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers
- to inject or manipulate SQL queries'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2013-7225
- osvdb: 101448
- ghsa: 9ggp-5rf4-x7q9
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7225
- title: Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate
- SQL queries
- date: 2013-12-24
- description: |
- Fat Free CRM contains a flaw that may allow carrying out an SQL injection
- attack. The issue is due to the app/controllers/home_controller.rb script
- not properly sanitizing user-supplied input to the 'state' parameter or
- input passed via comments and emails. This may allow a remote attacker to
- inject or manipulate SQL queries in the back-end database, allowing for
- the manipulation or disclosure of arbitrary data.
- cvss_v2: 6.5
- patched_versions:
- - ">= 0.13.0"
- - "~> 0.12.1"
----
+---
+layout: advisory
+title: 'CVE-2013-7225 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers
+ to inject or manipulate SQL queries'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2013-7225
+ osvdb: 101448
+ ghsa: 9ggp-5rf4-x7q9
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7225
+ title: Fat Free CRM Gem for Ruby allows remote attackers to inject or manipulate
+ SQL queries
+ date: 2013-12-24
+ description: |
+ Fat Free CRM contains a flaw that may allow carrying out an SQL injection
+ attack. The issue is due to the app/controllers/home_controller.rb script
+ not properly sanitizing user-supplied input to the 'state' parameter or
+ input passed via comments and emails. This may allow a remote attacker to
+ inject or manipulate SQL queries in the back-end database, allowing for
+ the manipulation or disclosure of arbitrary data.
+ cvss_v2: 6.5
+ patched_versions:
+ - ">= 0.13.0"
+ - "~> 0.12.1"
+---
diff --git a/advisories/_posts/2013-12-24-CVE-2013-7249.md b/advisories/_posts/2013-12-24-CVE-2013-7249.md
index d5e964e6..f1d6aaa9 100644
--- a/advisories/_posts/2013-12-24-CVE-2013-7249.md
+++ b/advisories/_posts/2013-12-24-CVE-2013-7249.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2013-7249 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers
- to obtain sensitive informations'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2013-7249
- osvdb: 101700
- ghsa: f25h-3mj6-4jpg
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-7249
- title: Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive informations
- date: 2013-12-24
- description: |
- Fat Free CRM contains a flaw that is triggered when the attacker sends a
- direct request for XML data. This may allow a remote attacker to gain
- access to potentially sensitive information.
- cvss_v2: 5.0
- patched_versions:
- - ">= 0.13.0"
- - "~> 0.12.1"
----
+---
+layout: advisory
+title: 'CVE-2013-7249 (fat_free_crm): Fat Free CRM Gem for Ruby allows remote attackers
+ to obtain sensitive informations'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2013-7249
+ osvdb: 101700
+ ghsa: f25h-3mj6-4jpg
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-7249
+ title: Fat Free CRM Gem for Ruby allows remote attackers to obtain sensitive informations
+ date: 2013-12-24
+ description: |
+ Fat Free CRM contains a flaw that is triggered when the attacker sends a
+ direct request for XML data. This may allow a remote attacker to gain
+ access to potentially sensitive information.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 0.13.0"
+ - "~> 0.12.1"
+---
diff --git a/advisories/_posts/2013-12-26-CVE-2014-1233.md b/advisories/_posts/2013-12-26-CVE-2014-1233.md
index 8e6278da..b1ae321b 100644
--- a/advisories/_posts/2013-12-26-CVE-2014-1233.md
+++ b/advisories/_posts/2013-12-26-CVE-2014-1233.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2014-1233 (paratrooper-pingdom): paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb
- API Login Credentials Local Disclosure'
-comments: false
-categories:
-- paratrooper-pingdom
-advisory:
- gem: paratrooper-pingdom
- cve: 2014-1233
- osvdb: 101847
- ghsa: fqrr-rrwg-69pv
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-1233
- title: paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials
- Local Disclosure
- date: 2013-12-26
- description: |
- paratrooper-pingdom Gem for Ruby contains a flaw in
- /lib/paratrooper-pingdom.rb. The issue is triggered when the script exposes
- API login credentials, allowing a local attacker to gain access to the API
- key, username, and password for the API login by monitoring the process tree.
- cvss_v2: 2.1
----
+---
+layout: advisory
+title: 'CVE-2014-1233 (paratrooper-pingdom): paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb
+ API Login Credentials Local Disclosure'
+comments: false
+categories:
+- paratrooper-pingdom
+advisory:
+ gem: paratrooper-pingdom
+ cve: 2014-1233
+ osvdb: 101847
+ ghsa: fqrr-rrwg-69pv
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-1233
+ title: paratrooper-pingdom Gem for Ruby /lib/paratrooper-pingdom.rb API Login Credentials
+ Local Disclosure
+ date: 2013-12-26
+ description: |
+ paratrooper-pingdom Gem for Ruby contains a flaw in
+ /lib/paratrooper-pingdom.rb. The issue is triggered when the script exposes
+ API login credentials, allowing a local attacker to gain access to the API
+ key, username, and password for the API login by monitoring the process tree.
+ cvss_v2: 2.1
+---
diff --git a/advisories/_posts/2013-12-31-OSVDB-101577.md b/advisories/_posts/2013-12-31-OSVDB-101577.md
index 8e3e73b1..e37726ad 100644
--- a/advisories/_posts/2013-12-31-OSVDB-101577.md
+++ b/advisories/_posts/2013-12-31-OSVDB-101577.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'OSVDB-101577 (flukso4r): flukso4r Gem for Ruby /lib/flukso/R.rb Arbitrary
- Command Execution'
-comments: false
-categories:
-- flukso4r
-advisory:
- gem: flukso4r
- osvdb: 101577
- url: https://vulners.com/seebug/SSV:61267
- title: flukso4r Gem for Ruby /lib/flukso/R.rb Arbitrary Command Execution
- date: 2013-12-31
- description: |
- flukso4r Gem for Ruby contains a flaw in /lib/flukso/R.rb that is due
- to the application failing to properly validate user-supplied input. This may allow
- a context-dependent attacker to execute arbitrary commands.
- notes: No patched version
- related:
- url:
- - https://security.snyk.io/vuln/SNYK-RUBY-FLUKSO4R-20136
- - https://vulners.com/seebug/SSV:61267
- - http://osvdb.org/show/osvdb/101577
----
+---
+layout: advisory
+title: 'OSVDB-101577 (flukso4r): flukso4r Gem for Ruby /lib/flukso/R.rb Arbitrary
+ Command Execution'
+comments: false
+categories:
+- flukso4r
+advisory:
+ gem: flukso4r
+ osvdb: 101577
+ url: https://vulners.com/seebug/SSV:61267
+ title: flukso4r Gem for Ruby /lib/flukso/R.rb Arbitrary Command Execution
+ date: 2013-12-31
+ description: |
+ flukso4r Gem for Ruby contains a flaw in /lib/flukso/R.rb that is due
+ to the application failing to properly validate user-supplied input. This may allow
+ a context-dependent attacker to execute arbitrary commands.
+ notes: No patched version
+ related:
+ url:
+ - https://security.snyk.io/vuln/SNYK-RUBY-FLUKSO4R-20136
+ - https://vulners.com/seebug/SSV:61267
+ - http://osvdb.org/show/osvdb/101577
+---
diff --git a/advisories/_posts/2014-01-08-CVE-2014-1234.md b/advisories/_posts/2014-01-08-CVE-2014-1234.md
index a08d1314..9bece973 100644
--- a/advisories/_posts/2014-01-08-CVE-2014-1234.md
+++ b/advisories/_posts/2014-01-08-CVE-2014-1234.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2014-1234 (paratrooper-newrelic): Paratrooper-newrelic Gem for Ruby Process
- Listing API Key Local Disclosure'
-comments: false
-categories:
-- paratrooper-newrelic
-advisory:
- gem: paratrooper-newrelic
- cve: 2014-1234
- osvdb: 101839
- ghsa: 959j-5g9v-3fpq
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-1234
- title: Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure
- date: 2014-01-08
- description: |
- Paratrooper-newrelic Gem for Ruby contains a flaw in
- /lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes
- the API key, allowing a local attacker to gain access to it by monitoring the
- process tree.
- cvss_v2: 2.1
----
+---
+layout: advisory
+title: 'CVE-2014-1234 (paratrooper-newrelic): Paratrooper-newrelic Gem for Ruby Process
+ Listing API Key Local Disclosure'
+comments: false
+categories:
+- paratrooper-newrelic
+advisory:
+ gem: paratrooper-newrelic
+ cve: 2014-1234
+ osvdb: 101839
+ ghsa: 959j-5g9v-3fpq
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-1234
+ title: Paratrooper-newrelic Gem for Ruby Process Listing API Key Local Disclosure
+ date: 2014-01-08
+ description: |
+ Paratrooper-newrelic Gem for Ruby contains a flaw in
+ /lib/paratrooper-newrelic.rb. The issue is triggered when the script exposes
+ the API key, allowing a local attacker to gain access to it by monitoring the
+ process tree.
+ cvss_v2: 2.1
+---
diff --git a/advisories/_posts/2014-01-14-CVE-2014-0013.md b/advisories/_posts/2014-01-14-CVE-2014-0013.md
index a7a727c0..bfd4a3f1 100644
--- a/advisories/_posts/2014-01-14-CVE-2014-0013.md
+++ b/advisories/_posts/2014-01-14-CVE-2014-0013.md
@@ -1,42 +1,42 @@
----
-layout: advisory
-title: 'CVE-2014-0013 (ember-source): Ember.js Potential XSS Exploit With User-Supplied
- Data When Binding Primitive Values'
-comments: false
-categories:
-- ember-source
-advisory:
- gem: ember-source
- cve: 2014-0013
- ghsa: 8xm3-gm7c-5fjx
- url: https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4
- title: Ember.js Potential XSS Exploit With User-Supplied Data When Binding Primitive
- Values
- date: 2014-01-14
- description: |
- In general, Ember.js escapes or strips any user-supplied content before
- inserting it in strings that will be sent to innerHTML. However, we have
- identified a vulnerability that could lead to unescaped content being inserted
- into the innerHTML string without being sanitized.
-
- When a primitive value is used as the Handlebars context, that value is not
- properly escaped. An example of this would be using the `{{each}}` helper to
- iterate over an array of user-supplied strings and using `{{this}}` inside the
- block to display each string.
-
- In applications that contain templates whose context is a primitive value and
- use the `{{this}}` keyword to display that value, a specially-crafted payload
- could execute arbitrary JavaScript in the context of the current domain
- ("XSS").
-
- This vulnerability affects applications that contain templates whose context is
- set to a user-supplied primitive value (such as a string or number) and also
- contain the `{{this}}` special Handlebars variable to display the value.
- cvss_v3: 5.4
- patched_versions:
- - "~> 1.0.1"
- - "~> 1.1.3"
- - "~> 1.2.1"
- - "~> 1.3.1"
- - ">= 1.4.0.beta.2"
----
+---
+layout: advisory
+title: 'CVE-2014-0013 (ember-source): Ember.js Potential XSS Exploit With User-Supplied
+ Data When Binding Primitive Values'
+comments: false
+categories:
+- ember-source
+advisory:
+ gem: ember-source
+ cve: 2014-0013
+ ghsa: 8xm3-gm7c-5fjx
+ url: https://groups.google.com/forum/#!topic/ember-security/2kpXXCxISS4
+ title: Ember.js Potential XSS Exploit With User-Supplied Data When Binding Primitive
+ Values
+ date: 2014-01-14
+ description: |
+ In general, Ember.js escapes or strips any user-supplied content before
+ inserting it in strings that will be sent to innerHTML. However, we have
+ identified a vulnerability that could lead to unescaped content being inserted
+ into the innerHTML string without being sanitized.
+
+ When a primitive value is used as the Handlebars context, that value is not
+ properly escaped. An example of this would be using the `{{each}}` helper to
+ iterate over an array of user-supplied strings and using `{{this}}` inside the
+ block to display each string.
+
+ In applications that contain templates whose context is a primitive value and
+ use the `{{this}}` keyword to display that value, a specially-crafted payload
+ could execute arbitrary JavaScript in the context of the current domain
+ ("XSS").
+
+ This vulnerability affects applications that contain templates whose context is
+ set to a user-supplied primitive value (such as a string or number) and also
+ contain the `{{this}}` special Handlebars variable to display the value.
+ cvss_v3: 5.4
+ patched_versions:
+ - "~> 1.0.1"
+ - "~> 1.1.3"
+ - "~> 1.2.1"
+ - "~> 1.3.1"
+ - ">= 1.4.0.beta.2"
+---
diff --git a/advisories/_posts/2014-01-14-CVE-2014-0014.md b/advisories/_posts/2014-01-14-CVE-2014-0014.md
index ea829af0..c090ebae 100644
--- a/advisories/_posts/2014-01-14-CVE-2014-0014.md
+++ b/advisories/_posts/2014-01-14-CVE-2014-0014.md
@@ -1,39 +1,39 @@
----
-layout: advisory
-title: 'CVE-2014-0014 (ember-source): Ember.js Potential XSS Exploit With User-Supplied
- Data When Using {{group}} Helper'
-comments: false
-categories:
-- ember-source
-advisory:
- gem: ember-source
- cve: 2014-0014
- ghsa: rcx6-7jp6-pqf2
- url: https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4
- title: Ember.js Potential XSS Exploit With User-Supplied Data When Using {{group}}
- Helper
- date: 2014-01-14
- description: |
- In general, Ember.js escapes or strips any user-supplied content before
- inserting it in strings that will be sent to innerHTML. However, we have
- identified a vulnerability that could lead to unescaped content being inserted
- into the innerHTML string without being sanitized.
-
- When using the `{{group}}` helper, user supplied content in the template was not
- being sanitized. Though the vulnerability exists in Ember.js proper, it is only
- exposed via the use of an experimental plugin.
-
- In applications that use the `{{group}}` helper, a specially-crafted payload
- could execute arbitrary JavaScript in the context of the current domain
- ("XSS").
-
- This vulnerability only affects applications that use the `{{group}}` helper
- to display user-provided content.
- cvss_v3: 5.4
- patched_versions:
- - "~> 1.0.1"
- - "~> 1.1.3"
- - "~> 1.2.1"
- - "~> 1.3.1"
- - ">= 1.4.0.beta.2"
----
+---
+layout: advisory
+title: 'CVE-2014-0014 (ember-source): Ember.js Potential XSS Exploit With User-Supplied
+ Data When Using {{group}} Helper'
+comments: false
+categories:
+- ember-source
+advisory:
+ gem: ember-source
+ cve: 2014-0014
+ ghsa: rcx6-7jp6-pqf2
+ url: https://groups.google.com/forum/#!topic/ember-security/PSE4RzTi6l4
+ title: Ember.js Potential XSS Exploit With User-Supplied Data When Using {{group}}
+ Helper
+ date: 2014-01-14
+ description: |
+ In general, Ember.js escapes or strips any user-supplied content before
+ inserting it in strings that will be sent to innerHTML. However, we have
+ identified a vulnerability that could lead to unescaped content being inserted
+ into the innerHTML string without being sanitized.
+
+ When using the `{{group}}` helper, user supplied content in the template was not
+ being sanitized. Though the vulnerability exists in Ember.js proper, it is only
+ exposed via the use of an experimental plugin.
+
+ In applications that use the `{{group}}` helper, a specially-crafted payload
+ could execute arbitrary JavaScript in the context of the current domain
+ ("XSS").
+
+ This vulnerability only affects applications that use the `{{group}}` helper
+ to display user-provided content.
+ cvss_v3: 5.4
+ patched_versions:
+ - "~> 1.0.1"
+ - "~> 1.1.3"
+ - "~> 1.2.1"
+ - "~> 1.3.1"
+ - ">= 1.4.0.beta.2"
+---
diff --git a/advisories/_posts/2014-01-14-CVE-2014-1834.md b/advisories/_posts/2014-01-14-CVE-2014-1834.md
index aacf51fa..0be93bc7 100644
--- a/advisories/_posts/2014-01-14-CVE-2014-1834.md
+++ b/advisories/_posts/2014-01-14-CVE-2014-1834.md
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2014-1834 (echor): echor Gem for Ruby backplane.rb perform_request Function - Arbitrary Command Execution' -comments: false -categories: -- echor -advisory: - gem: echor - cve: 2014-1834 - osvdb: 102129 - ghsa: 8936-cgj4-phr2 - url: https://nvd.nist.gov/vuln/detail/CVE-2014-1834 - title: echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command - Execution - date: 2014-01-14 - description: | - Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request - function that is triggered when a semi-colon (;) is injected into a username - or password. This may allow a context-dependent attacker to inject arbitrary - commands if the gem is used in a rails application. - cvss_v3: 7.8 ---- +--- +layout: advisory +title: 'CVE-2014-1834 (echor): echor Gem for Ruby backplane.rb perform_request Function + Arbitrary Command Execution' +comments: false +categories: +- echor +advisory: + gem: echor + cve: 2014-1834 + osvdb: 102129 + ghsa: 8936-cgj4-phr2 + url: https://nvd.nist.gov/vuln/detail/CVE-2014-1834 + title: echor Gem for Ruby backplane.rb perform_request Function Arbitrary Command + Execution + date: 2014-01-14 + description: | + Echor Gem for Ruby contains a flaw in backplane.rb in the perform_request + function that is triggered when a semi-colon (;) is injected into a username + or password. This may allow a context-dependent attacker to inject arbitrary + commands if the gem is used in a rails application. + cvss_v3: 7.8 +--- diff --git a/advisories/_posts/2014-01-14-CVE-2014-1835.md b/advisories/_posts/2014-01-14-CVE-2014-1835.md index 11b31718..1c0524f0 100644 --- a/advisories/_posts/2014-01-14-CVE-2014-1835.md +++ b/advisories/_posts/2014-01-14-CVE-2014-1835.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2014-1835 (echor): echor Gem for Ruby Process Listing Local Plaintext - Credential Disclosure' -comments: false -categories: -- echor -advisory: - gem: echor - cve: 2014-1835 - osvdb: 102130 - ghsa: j4gx-p3x5-m987 - url: https://nvd.nist.gov/vuln/detail/CVE-2014-1835 - title: echor Gem for Ruby Process Listing Local Plaintext Credential Disclosure - date: 2014-01-14 - description: | - echor Gem for Ruby contains a flaw that is due to the program exposing - credential information in the system process listing. This may allow a local - attacker to gain access to plaintext credential information. - cvss_v3: 7.8 ---- +--- +layout: advisory +title: 'CVE-2014-1835 (echor): echor Gem for Ruby Process Listing Local Plaintext + Credential Disclosure' +comments: false +categories: +- echor +advisory: + gem: echor + cve: 2014-1835 + osvdb: 102130 + ghsa: j4gx-p3x5-m987 + url: https://nvd.nist.gov/vuln/detail/CVE-2014-1835 + title: echor Gem for Ruby Process Listing Local Plaintext Credential Disclosure + date: 2014-01-14 + description: | + echor Gem for Ruby contains a flaw that is due to the program exposing + credential information in the system process listing. This may allow a local + attacker to gain access to plaintext credential information. + cvss_v3: 7.8 +--- diff --git a/advisories/_posts/2014-01-28-CVE-2014-1831.md b/advisories/_posts/2014-01-28-CVE-2014-1831.md index f97713df..c0f02ec1 100644 --- a/advisories/_posts/2014-01-28-CVE-2014-1831.md +++ b/advisories/_posts/2014-01-28-CVE-2014-1831.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2014-1831 (passenger): CVE-2014-1831 CVE-2014-1832 rubygem-passenger: - insecure use of temporary files' -comments: false -categories: -- passenger -advisory: - gem: passenger - cve: 2014-1831 - osvdb: 102613 - ghsa: c7j7-p5jq-26ff - url: https://nvd.nist.gov/vuln/detail/CVE-2014-1831 - title: 'CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary - files' - date: 2014-01-28 - description: | - Phusion Passenger before 4.0.37 allows local users to write to certain - files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* - file. - cvss_v2: 2.1 - patched_versions: - - ">= 4.0.37" ---- +--- +layout: advisory +title: 'CVE-2014-1831 (passenger): CVE-2014-1831 CVE-2014-1832 rubygem-passenger: + insecure use of temporary files' +comments: false +categories: +- passenger +advisory: + gem: passenger + cve: 2014-1831 + osvdb: 102613 + ghsa: c7j7-p5jq-26ff + url: https://nvd.nist.gov/vuln/detail/CVE-2014-1831 + title: 'CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary + files' + date: 2014-01-28 + description: | + Phusion Passenger before 4.0.37 allows local users to write to certain + files and directories via a symlink attack on (1) control_process.pid or a (2) generation-* + file. + cvss_v2: 2.1 + patched_versions: + - ">= 4.0.37" +--- diff --git a/advisories/_posts/2014-01-29-CVE-2014-1832.md b/advisories/_posts/2014-01-29-CVE-2014-1832.md index e0ed3b01..269790d7 100644 --- a/advisories/_posts/2014-01-29-CVE-2014-1832.md +++ b/advisories/_posts/2014-01-29-CVE-2014-1832.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2014-1832 (passenger): CVE-2014-1831 CVE-2014-1832 rubygem-passenger: - insecure use of temporary files' -comments: false -categories: -- passenger -advisory: - gem: passenger - cve: 2014-1832 - osvdb: 102613 - ghsa: qw8w-2xcp-xg59 - url: https://nvd.nist.gov/vuln/detail/CVE-2014-1832 - title: 'CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary - files' - date: 2014-01-29 - description: | - 'Phusion Passenger 4.0.37 allows local users to write to certain files - and directories via a symlink attack on (1) control_process.pid or a (2) generation-* - file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.' - cvss_v2: 2.1 - patched_versions: - - ">= 4.0.38" ---- +--- +layout: advisory +title: 'CVE-2014-1832 (passenger): CVE-2014-1831 CVE-2014-1832 rubygem-passenger: + insecure use of temporary files' +comments: false +categories: +- passenger +advisory: + gem: passenger + cve: 2014-1832 + osvdb: 102613 + ghsa: qw8w-2xcp-xg59 + url: https://nvd.nist.gov/vuln/detail/CVE-2014-1832 + title: 'CVE-2014-1831 CVE-2014-1832 rubygem-passenger: insecure use of temporary + files' + date: 2014-01-29 + description: | + 'Phusion Passenger 4.0.37 allows local users to write to certain files + and directories via a symlink attack on (1) control_process.pid or a (2) generation-* + file. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1831.' + cvss_v2: 2.1 + patched_versions: + - ">= 4.0.38" +--- diff --git a/advisories/_posts/2014-01-31-OSVDB-103151.md b/advisories/_posts/2014-01-31-OSVDB-103151.md index 75723c53..34b968f6 100644 --- a/advisories/_posts/2014-01-31-OSVDB-103151.md +++ b/advisories/_posts/2014-01-31-OSVDB-103151.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'OSVDB-103151 (paperclip): Paperclip: Access Restriction Bypass' -comments: false -categories: -- paperclip -advisory: - gem: paperclip - osvdb: 103151 - url: https://security.snyk.io/vuln/SNYK-RUBY-PAPERCLIP-20144 - title: 'Paperclip: Access Restriction Bypass' - date: 2014-01-31 - description: | - Paperclip Gem for Ruby contains a flaw that is due to the application - failing to properly validate the file extension, instead only validating the Content-Type - header during file uploads. This may allow a remote attacker to bypass restrictions - on file types for uploaded files by spoofing the content-type. - patched_versions: - - ">= 4.0.0" - related: - url: - - https://thoughtbot.com/blog/prevent-spoofing-with-paperclip - - https://www.theregister.com/2014/02/09/content_type_spoofing_bug_in_ror_paperclip - - https://security.snyk.io/vuln/SNYK-RUBY-PAPERCLIP-20144 - - http://osvdb.org/show/osvdb/103151 ---- +--- +layout: advisory +title: 'OSVDB-103151 (paperclip): Paperclip: Access Restriction Bypass' +comments: false +categories: +- paperclip +advisory: + gem: paperclip + osvdb: 103151 + url: https://security.snyk.io/vuln/SNYK-RUBY-PAPERCLIP-20144 + title: 'Paperclip: Access Restriction Bypass' + date: 2014-01-31 + description: | + Paperclip Gem for Ruby contains a flaw that is due to the application + failing to properly validate the file extension, instead only validating the Content-Type + header during file uploads. This may allow a remote attacker to bypass restrictions + on file types for uploaded files by spoofing the content-type. + patched_versions: + - ">= 4.0.0" + related: + url: + - https://thoughtbot.com/blog/prevent-spoofing-with-paperclip + - https://www.theregister.com/2014/02/09/content_type_spoofing_bug_in_ror_paperclip + - https://security.snyk.io/vuln/SNYK-RUBY-PAPERCLIP-20144 + - http://osvdb.org/show/osvdb/103151 +--- 
diff --git a/advisories/_posts/2014-02-07-CVE-2014-0046.md b/advisories/_posts/2014-02-07-CVE-2014-0046.md index d4446109..7e393ba7 100644 --- a/advisories/_posts/2014-02-07-CVE-2014-0046.md +++ b/advisories/_posts/2014-02-07-CVE-2014-0046.md 
@@ -1,35 +1,35 @@ ---- -layout: advisory -title: 'CVE-2014-0046 (ember-source): Ember.js XSS Vulnerability With {{link-to}} - Helper in Non-block Form' -comments: false -categories: -- ember-source -advisory: - gem: ember-source - cve: 2014-0046 - ghsa: 4q53-fqhc-cr46 - url: https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ - title: Ember.js XSS Vulnerability With {{link-to}} Helper in Non-block Form - date: 2014-02-07 - description: | - In general, Ember.js escapes or strips any user-supplied content before - inserting it in strings that will be sent to innerHTML. However, a change made - to the implementation of the {{link-to}} helper means that any user-supplied - data bound to the {{link-to}} helper's title attribute will not be escaped - correctly. - - In applications that use the {{link-to}} helper in non-block form and bind - the title attribute to user-supplied content, a specially-crafted payload - could execute arbitrary JavaScript in the context of the current domain - ("XSS"). - - All users running an affected release and binding user-supplied data to the - {{link-to}} helper's title attribute should either upgrade or use one of the - workarounds immediately. - unaffected_versions: - - "< 1.2.0" - patched_versions: - - "~> 1.2.2" - - ">= 1.3.2" ---- +--- +layout: advisory +title: 'CVE-2014-0046 (ember-source): Ember.js XSS Vulnerability With {{link-to}} + Helper in Non-block Form' +comments: false +categories: +- ember-source +advisory: + gem: ember-source + cve: 2014-0046 + ghsa: 4q53-fqhc-cr46 + url: https://groups.google.com/forum/#!topic/ember-security/1h6FRgr8lXQ + title: Ember.js XSS Vulnerability With {{link-to}} Helper in Non-block Form + date: 2014-02-07 + description: | + In general, Ember.js escapes or strips any user-supplied content before + inserting it in strings that will be sent to innerHTML. 
However, a change made + to the implementation of the {{link-to}} helper means that any user-supplied + data bound to the {{link-to}} helper's title attribute will not be escaped + correctly. + + In applications that use the {{link-to}} helper in non-block form and bind + the title attribute to user-supplied content, a specially-crafted payload + could execute arbitrary JavaScript in the context of the current domain + ("XSS"). + + All users running an affected release and binding user-supplied data to the + {{link-to}} helper's title attribute should either upgrade or use one of the + workarounds immediately. + unaffected_versions: + - "< 1.2.0" + patched_versions: + - "~> 1.2.2" + - ">= 1.3.2" +--- diff --git a/advisories/_posts/2014-02-13-CVE-2014-0083.md b/advisories/_posts/2014-02-13-CVE-2014-0083.md index efecb5e9..3867c493 100644 --- a/advisories/_posts/2014-02-13-CVE-2014-0083.md +++ b/advisories/_posts/2014-02-13-CVE-2014-0083.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2014-0083 (net-ldap): CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated - by the net-ldap Ruby gem use a weak salt' -comments: false -categories: -- net-ldap -advisory: - gem: net-ldap - cve: 2014-0083 - osvdb: 106108 - ghsa: qwgm-mxm4-3q2c - url: https://nvd.nist.gov/vuln/detail/CVE-2014-0083 - title: 'CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated by the net-ldap - Ruby gem use a weak salt' - date: 2014-02-13 - description: | - The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA - passwords. - cvss_v2: 1.9 - cvss_v3: 5.5 - patched_versions: - - ">= 0.6.0" ---- +--- +layout: advisory +title: 'CVE-2014-0083 (net-ldap): CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated + by the net-ldap Ruby gem use a weak salt' +comments: false +categories: +- net-ldap +advisory: + gem: net-ldap + cve: 2014-0083 + osvdb: 106108 + ghsa: qwgm-mxm4-3q2c + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0083 + title: 'CVE-2014-0083 rubygem-net-ldap: SSHA passwords generated by the net-ldap + Ruby gem use a weak salt' + date: 2014-02-13 + description: | + The Ruby net-ldap gem before 0.11 uses a weak salt when generating SSHA + passwords. + cvss_v2: 1.9 + cvss_v3: 5.5 + patched_versions: + - ">= 0.6.0" +--- diff --git a/advisories/_posts/2014-02-18-CVE-2014-0080.md b/advisories/_posts/2014-02-18-CVE-2014-0080.md index e4cca673..fc3a6efd 100644 --- a/advisories/_posts/2014-02-18-CVE-2014-0080.md +++ b/advisories/_posts/2014-02-18-CVE-2014-0080.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2014-0080 (activerecord): CVE-2014-0080 rubygem-activerecord: PostgreSQL - array data injection vulnerability' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2014-0080 - osvdb: 103438 - ghsa: hqf9-rc9j-5fmj - url: https://nvd.nist.gov/vuln/detail/CVE-2014-0080 - title: 'CVE-2014-0080 rubygem-activerecord: PostgreSQL array data injection vulnerability' - date: 2014-02-18 - description: | - SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb - in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL - is used, allows remote attackers to execute "add data" SQL commands via vectors - involving \ (backslash) characters that are not properly handled in operations on - array columns. - unaffected_versions: - - "< 3.2.0" - - "~> 3.2.0" - patched_versions: - - "~> 4.0.3" - - ">= 4.1.0.beta2" ---- +--- +layout: advisory +title: 'CVE-2014-0080 (activerecord): CVE-2014-0080 rubygem-activerecord: PostgreSQL + array data injection vulnerability' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2014-0080 + osvdb: 103438 + ghsa: hqf9-rc9j-5fmj + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0080 + title: 'CVE-2014-0080 rubygem-activerecord: PostgreSQL array data injection vulnerability' + date: 2014-02-18 + description: | + SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/cast.rb + in Active Record in Ruby on Rails 4.0.x before 4.0.3, and 4.1.0.beta1, when PostgreSQL + is used, allows remote attackers to execute "add data" SQL commands via vectors + involving \ (backslash) characters that are not properly handled in operations on + array columns. + unaffected_versions: + - "< 3.2.0" + - "~> 3.2.0" + patched_versions: + - "~> 4.0.3" + - ">= 4.1.0.beta2" +--- 
diff --git a/advisories/_posts/2014-02-18-CVE-2014-0081.md b/advisories/_posts/2014-02-18-CVE-2014-0081.md index 8f111831..a3a4c645 100644 --- a/advisories/_posts/2014-02-18-CVE-2014-0081.md +++ b/advisories/_posts/2014-02-18-CVE-2014-0081.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2014-0081 (actionpack): CVE-2014-0081 rubygem-actionpack: number_to_currency, - number_to_percentage and number_to_human XSS vulnerability' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2014-0081 - osvdb: 103439 - ghsa: m46p-ggm5-5j83 - url: https://nvd.nist.gov/vuln/detail/CVE-2014-0081 - title: 'CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage - and number_to_human XSS vulnerability' - date: 2014-02-18 - description: | - Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb - in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 - allow remote attackers to inject arbitrary web script or HTML via the (1) format, - (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, - or (c) number_to_human helper. - cvss_v2: 4.3 - patched_versions: - - "~> 3.2.17" - - "~> 4.0.3" - - ">= 4.1.0.beta2" ---- +--- +layout: advisory +title: 'CVE-2014-0081 (actionpack): CVE-2014-0081 rubygem-actionpack: number_to_currency, + number_to_percentage and number_to_human XSS vulnerability' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2014-0081 + osvdb: 103439 + ghsa: m46p-ggm5-5j83 + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0081 + title: 'CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage + and number_to_human XSS vulnerability' + date: 2014-02-18 + description: | + Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb + in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 + allow remote attackers to inject arbitrary web script or HTML via the (1) format, + (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, 
+ or (c) number_to_human helper. + cvss_v2: 4.3 + patched_versions: + - "~> 3.2.17" + - "~> 4.0.3" + - ">= 4.1.0.beta2" +--- diff --git a/advisories/_posts/2014-02-18-CVE-2014-0082.md b/advisories/_posts/2014-02-18-CVE-2014-0082.md index 9ea3e494..7b5aa8f9 100644 --- a/advisories/_posts/2014-02-18-CVE-2014-0082.md +++ b/advisories/_posts/2014-02-18-CVE-2014-0082.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2014-0082 (actionpack): CVE-2014-0082 rubygem-actionpack: Action View - string handling denial of service' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2014-0082 - osvdb: 103440 - ghsa: 7cgp-c3g7-qvrw - url: https://nvd.nist.gov/vuln/detail/CVE-2014-0082 - title: 'CVE-2014-0082 rubygem-actionpack: Action View string handling denial of - service' - date: 2014-02-18 - description: | - actionpack/lib/action_view/template/text.rb in Action View in Ruby on - Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the - :text option to the render method, which allows remote attackers to cause a denial - of service (memory consumption) by including these strings in headers. - cvss_v2: 5.0 - unaffected_versions: - - ">= 4.0.0" - patched_versions: - - ">= 3.2.17" ---- +--- +layout: advisory +title: 'CVE-2014-0082 (actionpack): CVE-2014-0082 rubygem-actionpack: Action View + string handling denial of service' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2014-0082 + osvdb: 103440 + ghsa: 7cgp-c3g7-qvrw + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0082 + title: 'CVE-2014-0082 rubygem-actionpack: Action View string handling denial of + service' + date: 2014-02-18 + description: | + actionpack/lib/action_view/template/text.rb in Action View in Ruby on + Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the + :text option to the render method, which allows remote attackers to cause a denial + of service (memory consumption) by including these strings in headers. + cvss_v2: 5.0 + unaffected_versions: + - ">= 4.0.0" + patched_versions: + - ">= 3.2.17" +--- diff --git a/advisories/_posts/2014-03-05-CVE-2014-0036.md b/advisories/_posts/2014-03-05-CVE-2014-0036.md index d836d7bb..89df6ad2 100644 --- a/advisories/_posts/2014-03-05-CVE-2014-0036.md 
+++ b/advisories/_posts/2014-03-05-CVE-2014-0036.md @@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2014-0036 (rbovirt): CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client' -comments: false -categories: -- rbovirt -advisory: - gem: rbovirt - cve: 2014-0036 - osvdb: 104080 - ghsa: ww79-8xwv-932x - url: https://nvd.nist.gov/vuln/detail/CVE-2014-0036 - title: 'CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client' - date: 2014-03-05 - description: | - The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with - SSL verification disabled, which allows remote attackers to conduct man-in-the-middle - attacks via unspecified vectors. - cvss_v2: 6.8 - patched_versions: - - ">= 0.0.24" ---- +--- +layout: advisory +title: 'CVE-2014-0036 (rbovirt): CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client' +comments: false +categories: +- rbovirt +advisory: + gem: rbovirt + cve: 2014-0036 + osvdb: 104080 + ghsa: ww79-8xwv-932x + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0036 + title: 'CVE-2014-0036 rubygem-rbovirt: unsafe use of rest-client' + date: 2014-03-05 + description: | + The rbovirt gem before 0.0.24 for Ruby uses the rest-client gem with + SSL verification disabled, which allows remote attackers to conduct man-in-the-middle + attacks via unspecified vectors. + cvss_v2: 6.8 + patched_versions: + - ">= 0.0.24" +--- diff --git a/advisories/_posts/2014-03-10-CVE-2014-2322.md b/advisories/_posts/2014-03-10-CVE-2014-2322.md index 28145d6f..63efafe3 100644 --- a/advisories/_posts/2014-03-10-CVE-2014-2322.md +++ b/advisories/_posts/2014-03-10-CVE-2014-2322.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'CVE-2014-2322 (Arabic-Prawn): Arabic Prawn Gem for Ruby lib/string_utf_support.rb - User Input Handling Remote Command Injection' -comments: false -categories: -- Arabic-Prawn -advisory: - gem: Arabic-Prawn - cve: 2014-2322 - osvdb: 104365 - ghsa: hgmw-x865-hf9x - url: http://www.openwall.com/lists/oss-security/2014/03/10/8 - title: Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote - Command Injection - date: 2014-03-10 - description: | - Arabic Prawn Gem for Ruby contains a flaw in the lib/string_utf_support.rb - file. The issue is due to the program failing to sanitize user input. This may - allow a remote attacker to inject arbitrary commands. - - "lib/string_utf_support.rb" in the Arabic Prawn 0.0.1 gem for Ruby - allows remote attackers to execute arbitrary commands via shell - metacharacters in the (1) downloaded_file or (2) url variable. - cvss_v2: 7.5 - notes: Never patched - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2014-2322 - - http://www.openwall.com/lists/oss-security/2014/03/10/8 - - http://www.openwall.com/lists/oss-security/2014/03/12/6 - - https://web.archive.org/web/20160306235714/http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html - - http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html - - http://www.vapidlabs.com/advisory.php?v=16 - - https://github.com/advisories/GHSA-hgmw-x865-hf9x - - https://rubygems.org/gems/Arabic-Prawn ---- +--- +layout: advisory +title: 'CVE-2014-2322 (Arabic-Prawn): Arabic Prawn Gem for Ruby lib/string_utf_support.rb + User Input Handling Remote Command Injection' +comments: false +categories: +- Arabic-Prawn +advisory: + gem: Arabic-Prawn + cve: 2014-2322 + osvdb: 104365 + ghsa: hgmw-x865-hf9x + url: http://www.openwall.com/lists/oss-security/2014/03/10/8 + title: Arabic Prawn Gem for Ruby lib/string_utf_support.rb User Input Handling Remote + Command Injection + date: 2014-03-10 + description: | + Arabic Prawn Gem 
for Ruby contains a flaw in the lib/string_utf_support.rb + file. The issue is due to the program failing to sanitize user input. This may + allow a remote attacker to inject arbitrary commands. + + "lib/string_utf_support.rb" in the Arabic Prawn 0.0.1 gem for Ruby + allows remote attackers to execute arbitrary commands via shell + metacharacters in the (1) downloaded_file or (2) url variable. + cvss_v2: 7.5 + notes: Never patched + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2014-2322 + - http://www.openwall.com/lists/oss-security/2014/03/10/8 + - http://www.openwall.com/lists/oss-security/2014/03/12/6 + - https://web.archive.org/web/20160306235714/http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html + - http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html + - http://www.vapidlabs.com/advisory.php?v=16 + - https://github.com/advisories/GHSA-hgmw-x865-hf9x + - https://rubygems.org/gems/Arabic-Prawn +--- diff --git a/advisories/_posts/2014-03-13-CVE-2014-0135.md b/advisories/_posts/2014-03-13-CVE-2014-0135.md index 35c2facf..ad846491 100644 --- a/advisories/_posts/2014-03-13-CVE-2014-0135.md +++ b/advisories/_posts/2014-03-13-CVE-2014-0135.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2014-0135 (kafo): CVE-2014-0135 rubygem-kafo: temporary file creation - vulnerability when creating /tmp/default_values.yaml' -comments: false -categories: -- kafo -advisory: - gem: kafo - cve: 2014-0135 - osvdb: 106826 - ghsa: hxvp-655x-xxqv - url: https://nvd.nist.gov/vuln/detail/CVE-2014-0135 - title: 'CVE-2014-0135 rubygem-kafo: temporary file creation vulnerability when creating - /tmp/default_values.yaml' - date: 2014-03-13 - description: | - Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses world-readable - permissions for default_values.yaml, which allows local users to obtain passwords - and other sensitive information by reading the file. - cvss_v2: 1.9 - patched_versions: - - "~> 0.3.17" - - ">= 0.5.2" - related: - url: - - https://github.com/rubysec/ruby-advisory-db/issues/238 - - https://sca.analysiscenter.veracode.com/vulnerability-database/security/world-readable-permissions-as-default/ruby/sid-740/summary ---- +--- +layout: advisory +title: 'CVE-2014-0135 (kafo): CVE-2014-0135 rubygem-kafo: temporary file creation + vulnerability when creating /tmp/default_values.yaml' +comments: false +categories: +- kafo +advisory: + gem: kafo + cve: 2014-0135 + osvdb: 106826 + ghsa: hxvp-655x-xxqv + url: https://nvd.nist.gov/vuln/detail/CVE-2014-0135 + title: 'CVE-2014-0135 rubygem-kafo: temporary file creation vulnerability when creating + /tmp/default_values.yaml' + date: 2014-03-13 + description: | + Kafo before 0.3.17 and 0.4.x before 0.5.2, as used by Foreman, uses world-readable + permissions for default_values.yaml, which allows local users to obtain passwords + and other sensitive information by reading the file. 
+ cvss_v2: 1.9 + patched_versions: + - "~> 0.3.17" + - ">= 0.5.2" + related: + url: + - https://github.com/rubysec/ruby-advisory-db/issues/238 + - https://sca.analysiscenter.veracode.com/vulnerability-database/security/world-readable-permissions-as-default/ruby/sid-740/summary +--- diff --git a/advisories/_posts/2014-03-25-CVE-2014-4920.md b/advisories/_posts/2014-03-25-CVE-2014-4920.md index ea2b278b..9f125da8 100644 --- a/advisories/_posts/2014-03-25-CVE-2014-4920.md +++ b/advisories/_posts/2014-03-25-CVE-2014-4920.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2014-4920 (twitter-bootstrap-rails): Reflective XSS Vulnerability in twitter-bootstrap-rails' -comments: false -categories: -- twitter-bootstrap-rails -- rails -advisory: - gem: twitter-bootstrap-rails - framework: rails - cve: 2014-4920 - osvdb: 109206 - ghsa: vpqv-mqvc-pcx2 - url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter - title: Reflective XSS Vulnerability in twitter-bootstrap-rails - date: 2014-03-25 - description: | - The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a - reflected cross-site scripting (XSS) attack. This flaw exists because the - bootstrap_flash helper method does not validate input when handling flash - messages before returning it to users. This may allow a context-dependent - attacker to create a specially crafted request that would execute arbitrary - script code in a user's browser session within the trust relationship between - their browser and the server. - patched_versions: - - ">= 3.2.0" ---- +--- +layout: advisory +title: 'CVE-2014-4920 (twitter-bootstrap-rails): Reflective XSS Vulnerability in twitter-bootstrap-rails' +comments: false +categories: +- twitter-bootstrap-rails +- rails +advisory: + gem: twitter-bootstrap-rails + framework: rails + cve: 2014-4920 + osvdb: 109206 + ghsa: vpqv-mqvc-pcx2 + url: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter + title: Reflective XSS Vulnerability in twitter-bootstrap-rails + date: 2014-03-25 + description: | + The twitter-bootstrap-rails Gem for Rails contains a flaw that enables a + reflected cross-site scripting (XSS) attack. This flaw exists because the + bootstrap_flash helper method does not validate input when handling flash + messages before returning it to users. 
This may allow a context-dependent + attacker to create a specially crafted request that would execute arbitrary + script code in a user's browser session within the trust relationship between + their browser and the server. + patched_versions: + - ">= 3.2.0" +--- diff --git a/advisories/_posts/2014-03-28-CVE-2014-0156.md b/advisories/_posts/2014-03-28-CVE-2014-0156.md index 06518df3..a4151e79 100644 --- a/advisories/_posts/2014-03-28-CVE-2014-0156.md +++ b/advisories/_posts/2014-03-28-CVE-2014-0156.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2014-0156 (awesome_spawn): OS command injection flaw in awesome_spawn' -comments: false -categories: -- awesome_spawn -advisory: - gem: awesome_spawn - cve: 2014-0156 - ghsa: qpqw-mc85-qvm9 - url: https://github.com/ManageIQ/awesome_spawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff - title: OS command injection flaw in awesome_spawn - date: 2014-03-28 - description: | - Awesome spawn contains OS command injection vulnerability, which allows - execution of additional commands passed to Awesome spawn as arguments, e.g. AwesomeSpawn.run('ls',:params - => {'-l' => ";touch haxored"}). If untrusted input was included in command arguments, - attacker could use this flaw to execute arbitrary command. - cvss_v2: 6.8 - cvss_v3: 9.8 - patched_versions: - - "~> 1.2.0" - - ">= 1.3.0" ---- +--- +layout: advisory +title: 'CVE-2014-0156 (awesome_spawn): OS command injection flaw in awesome_spawn' +comments: false +categories: +- awesome_spawn +advisory: + gem: awesome_spawn + cve: 2014-0156 + ghsa: qpqw-mc85-qvm9 + url: https://github.com/ManageIQ/awesome_spawn/commit/e524f85f1c6e292ef7d117d7818521307ac269ff + title: OS command injection flaw in awesome_spawn + date: 2014-03-28 + description: | + Awesome spawn contains OS command injection vulnerability, which allows + execution of additional commands passed to Awesome spawn as arguments, e.g. AwesomeSpawn.run('ls',:params + => {'-l' => ";touch haxored"}). If untrusted input was included in command arguments, + attacker could use this flaw to execute arbitrary command. + cvss_v2: 6.8 + cvss_v3: 9.8 + patched_versions: + - "~> 1.2.0" + - ">= 1.3.0" +--- diff --git a/advisories/_posts/2014-04-16-CVE-2014-2888.md b/advisories/_posts/2014-04-16-CVE-2014-2888.md index d77100c2..e282f66c 100644 --- a/advisories/_posts/2014-04-16-CVE-2014-2888.md +++ b/advisories/_posts/2014-04-16-CVE-2014-2888.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2014-2888 (sfpagent): sfpagent Gem for Ruby JSON[body] Module Name Remote - Command Execution' -comments: false -categories: -- sfpagent -advisory: - gem: sfpagent - cve: 2014-2888 - osvdb: 105971 - ghsa: vm28-mrm7-fpjq - url: https://nvd.nist.gov/vuln/detail/CVE-2014-2888 - title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution - date: 2014-04-16 - description: | - sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] - input is not properly sanitized when handling module names with shell - metacharacters. This may allow a context-dependent attacker to execute - arbitrary commands. - cvss_v2: 7.5 - patched_versions: - - ">= 0.4.15" ---- +--- +layout: advisory +title: 'CVE-2014-2888 (sfpagent): sfpagent Gem for Ruby JSON[body] Module Name Remote + Command Execution' +comments: false +categories: +- sfpagent +advisory: + gem: sfpagent + cve: 2014-2888 + osvdb: 105971 + ghsa: vm28-mrm7-fpjq + url: https://nvd.nist.gov/vuln/detail/CVE-2014-2888 + title: sfpagent Gem for Ruby JSON[body] Module Name Remote Command Execution + date: 2014-04-16 + description: | + sfpagent Gem for Ruby contains a flaw that is triggered as JSON[body] + input is not properly sanitized when handling module names with shell + metacharacters. This may allow a context-dependent attacker to execute + arbitrary commands. + cvss_v2: 7.5 + patched_versions: + - ">= 0.4.15" +--- diff --git a/advisories/_posts/2014-04-24-OSVDB-106279.md b/advisories/_posts/2014-04-24-OSVDB-106279.md index a399de58..0b668f96 100644 --- a/advisories/_posts/2014-04-24-OSVDB-106279.md +++ b/advisories/_posts/2014-04-24-OSVDB-106279.md 
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-106279 (jruby-sandbox): jruby-sandbox Java Class Importation Sandbox
- Bypass'
-comments: false
-categories:
-- jruby-sandbox
-- jruby
-advisory:
- gem: jruby-sandbox
- platform: jruby
- osvdb: 106279
- url: https://security.snyk.io/vuln/SNYK-RUBY-JRUBYSANDBOX-20156
- title: jruby-sandbox Java Class Importation Sandbox Bypass
- date: 2014-04-24
- description: |
- jruby-sandbox contains a flaw that is triggered when importing Java Classes.
- This may allow a remote attacker to bypass the sandbox for code execution.
- patched_versions:
- - ">= 0.2.3"
- related:
- url:
- - https://www.exploit-db.com/exploits/33028
- - https://security.snyk.io/vuln/SNYK-RUBY-JRUBYSANDBOX-20156
----
+---
+layout: advisory
+title: 'OSVDB-106279 (jruby-sandbox): jruby-sandbox Java Class Importation Sandbox
+ Bypass'
+comments: false
+categories:
+- jruby-sandbox
+- jruby
+advisory:
+ gem: jruby-sandbox
+ platform: jruby
+ osvdb: 106279
+ url: https://security.snyk.io/vuln/SNYK-RUBY-JRUBYSANDBOX-20156
+ title: jruby-sandbox Java Class Importation Sandbox Bypass
+ date: 2014-04-24
+ description: |
+ jruby-sandbox contains a flaw that is triggered when importing Java Classes.
+ This may allow a remote attacker to bypass the sandbox for code execution.
+ patched_versions:
+ - ">= 0.2.3"
+ related:
+ url:
+ - https://www.exploit-db.com/exploits/33028
+ - https://security.snyk.io/vuln/SNYK-RUBY-JRUBYSANDBOX-20156
+---
diff --git a/advisories/_posts/2014-04-30-OSVDB-118481.md b/advisories/_posts/2014-04-30-OSVDB-118481.md
index c8350cec..400e34e4 100644
--- a/advisories/_posts/2014-04-30-OSVDB-118481.md
+++ b/advisories/_posts/2014-04-30-OSVDB-118481.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'OSVDB-118481 (nokogiri): Nokogiri Gem for JRuby XML Document Root Element
- Handling Memory Consumption Remote DoS'
-comments: false
-categories:
-- nokogiri
-- jruby
-advisory:
- gem: nokogiri
- platform: jruby
- osvdb: 118481
- url: https://github.com/sparklemotion/nokogiri/pull/1087
- title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption
- Remote DoS
- date: 2014-04-30
- description: |
- Nokogiri Gem for JRuby contains a flaw that is triggered when
- handling a root element in an XML document. This may allow a
- remote attacker to cause a consumption of memory resources.
- patched_versions:
- - "~> 1.6.2.2"
- - ">= 1.6.3"
- related:
- cve:
- - 2013-6461
- url:
- - https://github.com/sparklemotion/nokogiri/pull/1087
- - https://github.com/sparklemotion/nokogiri/pull/1087/commits/8293bf6fddecb68b688cf025859afde7609f7bff
- - https://github.com/sparklemotion/nokogiri/commit/a098ddfc9990ea79dbc191407d3e83611e5ff1e6
----
+---
+layout: advisory
+title: 'OSVDB-118481 (nokogiri): Nokogiri Gem for JRuby XML Document Root Element
+ Handling Memory Consumption Remote DoS'
+comments: false
+categories:
+- nokogiri
+- jruby
+advisory:
+ gem: nokogiri
+ platform: jruby
+ osvdb: 118481
+ url: https://github.com/sparklemotion/nokogiri/pull/1087
+ title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption
+ Remote DoS
+ date: 2014-04-30
+ description: |
+ Nokogiri Gem for JRuby contains a flaw that is triggered when
+ handling a root element in an XML document. This may allow a
+ remote attacker to cause a consumption of memory resources.
+ patched_versions:
+ - "~> 1.6.2.2"
+ - ">= 1.6.3"
+ related:
+ cve:
+ - 2013-6461
+ url:
+ - https://github.com/sparklemotion/nokogiri/pull/1087
+ - https://github.com/sparklemotion/nokogiri/pull/1087/commits/8293bf6fddecb68b688cf025859afde7609f7bff
+ - https://github.com/sparklemotion/nokogiri/commit/a098ddfc9990ea79dbc191407d3e83611e5ff1e6
+---
diff --git a/advisories/_posts/2014-05-06-CVE-2014-0130.md b/advisories/_posts/2014-05-06-CVE-2014-0130.md
index dfdf62f5..6e628ecc 100644
--- a/advisories/_posts/2014-05-06-CVE-2014-0130.md
+++ b/advisories/_posts/2014-05-06-CVE-2014-0130.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2014-0130 (actionpack): Directory Traversal Vulnerability With Certain
- Route Configurations'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2014-0130
- ghsa: 6x85-j5j2-27jx
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
- title: Directory Traversal Vulnerability With Certain Route Configurations
- date: 2014-05-06
- description: |
- There is a vulnerability in the 'implicit render'
- functionality in Ruby on Rails.The implicit render functionality
- allows controllers to render a template, even if there is no
- explicit action with the corresponding name. This module does not
- perform adequate input sanitization which could allow an attacker to
- use a specially crafted request to retrieve arbitrary files from the
- rails application server.
- cvss_v2: 4.3
- cvss_v3: 7.5
- patched_versions:
- - "~> 3.2.18"
- - "~> 4.0.5"
- - ">= 4.1.1"
----
+---
+layout: advisory
+title: 'CVE-2014-0130 (actionpack): Directory Traversal Vulnerability With Certain
+ Route Configurations'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2014-0130
+ ghsa: 6x85-j5j2-27jx
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o
+ title: Directory Traversal Vulnerability With Certain Route Configurations
+ date: 2014-05-06
+ description: |
+ There is a vulnerability in the 'implicit render'
+ functionality in Ruby on Rails.The implicit render functionality
+ allows controllers to render a template, even if there is no
+ explicit action with the corresponding name. This module does not
+ perform adequate input sanitization which could allow an attacker to
+ use a specially crafted request to retrieve arbitrary files from the
+ rails application server.
+ cvss_v2: 4.3
+ cvss_v3: 7.5
+ patched_versions:
+ - "~> 3.2.18"
+ - "~> 4.0.5"
+ - ">= 4.1.1"
+---
diff --git a/advisories/_posts/2014-06-07-OSVDB-107783.md b/advisories/_posts/2014-06-07-OSVDB-107783.md
index 472d1327..2ab3a422 100644
--- a/advisories/_posts/2014-06-07-OSVDB-107783.md
+++ b/advisories/_posts/2014-06-07-OSVDB-107783.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'OSVDB-107783 (screen_capture): Screen Capture Gem for Ruby screen_capture.rb
- URL Handling Arbitrary Command Execution'
-comments: false
-categories:
-- screen_capture
-advisory:
- gem: screen_capture
- osvdb: 107783
- url: https://github.com/jamster/screen_capture/blob/master/lib/screen_capture.rb
- title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command
- Execution
- date: 2014-06-07
- description: |
- Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that
- is triggered when handling input passed via the URL. This may allow
- a context-dependent attacker to execute arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://github.com/jamster/screen_capture/blob/master/lib/screen_capture.rb
- - http://osvdb.org/show/osvdb/107783
----
+---
+layout: advisory
+title: 'OSVDB-107783 (screen_capture): Screen Capture Gem for Ruby screen_capture.rb
+ URL Handling Arbitrary Command Execution'
+comments: false
+categories:
+- screen_capture
+advisory:
+ gem: screen_capture
+ osvdb: 107783
+ url: https://github.com/jamster/screen_capture/blob/master/lib/screen_capture.rb
+ title: Screen Capture Gem for Ruby screen_capture.rb URL Handling Arbitrary Command
+ Execution
+ date: 2014-06-07
+ description: |
+ Screen Capture Gem for Ruby contains a flaw in screen_capture.rb that
+ is triggered when handling input passed via the URL. This may allow
+ a context-dependent attacker to execute arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://github.com/jamster/screen_capture/blob/master/lib/screen_capture.rb
+ - http://osvdb.org/show/osvdb/107783
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-10075.md b/advisories/_posts/2014-06-30-CVE-2014-10075.md
index 35182194..7a3e7f04 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-10075.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-10075.md
@@ -1,40 +1,40 @@
----
-layout: advisory
-title: 'CVE-2014-10075 (karo): karo Gem for Ruby db.rb Metacharacter Handling Remote
- Command Execution'
-comments: false
-categories:
-- karo
-advisory:
- gem: karo
- cve: 2014-10075
- osvdb: 108573
- ghsa: qfwq-chf4-jvwg
- url: https://github.com/advisories/GHSA-qfwq-chf4-jvwg
- title: karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution
- date: 2014-06-30
- description: |
- The karo gem 2.3.8 for Ruby allows Remote command injection via
- the host field.
-
- karo Gem for Ruby contains a flaw in db.rb that is triggered when handling
- metacharacters. This may allow a remote attacker to execute arbitrary
- commands.
-
- * CWE-77 - Improper Neutralization of Special Elements used
- in a Command ('Command Injection')
-
- * Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss_v2: 7.5
- cvss_v3: 9.8
- notes: Never patched
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2014-10075
- - https://github.com/rahult/karo
- - https://github.com/rahult/karo/blob/master/CHANGELOG.md
- - https://web.archive.org/web/20250421021935/http://www.vapid.dhs.org/advisories/karo-2.3.8.html
- - http://www.vapidlabs.com/advisory.php?v=63
- - https://www.openwall.com/lists/oss-security/2014/07/07/22
- - https://github.com/advisories/GHSA-qfwq-chf4-jvwg
----
+---
+layout: advisory
+title: 'CVE-2014-10075 (karo): karo Gem for Ruby db.rb Metacharacter Handling Remote
+ Command Execution'
+comments: false
+categories:
+- karo
+advisory:
+ gem: karo
+ cve: 2014-10075
+ osvdb: 108573
+ ghsa: qfwq-chf4-jvwg
+ url: https://github.com/advisories/GHSA-qfwq-chf4-jvwg
+ title: karo Gem for Ruby db.rb Metacharacter Handling Remote Command Execution
+ date: 2014-06-30
+ description: |
+ The karo gem 2.3.8 for Ruby allows Remote command injection via
+ the host field.
+
+ karo Gem for Ruby contains a flaw in db.rb that is triggered when handling
+ metacharacters. This may allow a remote attacker to execute arbitrary
+ commands.
+
+ * CWE-77 - Improper Neutralization of Special Elements used
+ in a Command ('Command Injection')
+
+ * Severity: CRITICAL - CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ notes: Never patched
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-10075
+ - https://github.com/rahult/karo
+ - https://github.com/rahult/karo/blob/master/CHANGELOG.md
+ - https://web.archive.org/web/20250421021935/http://www.vapid.dhs.org/advisories/karo-2.3.8.html
+ - http://www.vapidlabs.com/advisory.php?v=63
+ - https://www.openwall.com/lists/oss-security/2014/07/07/22
+ - https://github.com/advisories/GHSA-qfwq-chf4-jvwg
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4991.md b/advisories/_posts/2014-06-30-CVE-2014-4991.md
index 4c296b66..36511de7 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4991.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4991.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2014-4991 (codders-dataset): codders-dataset Gem for Ruby lib/dataset/database/mysql.rb
- and lib/dataset/database/postgresql.rb Process Table Local Plaintext Credential
- Disclosure'
-comments: false
-categories:
-- codders-dataset
-advisory:
- gem: codders-dataset
- cve: 2014-4991
- osvdb: 108582
- ghsa: w9vv-fvw8-j6q3
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4991
- title: codders-dataset Gem for Ruby lib/dataset/database/mysql.rb and lib/dataset/database/postgresql.rb
- Process Table Local Plaintext Credential Disclosure
- date: 2014-06-30
- description: |
- "(1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb
- in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command
- line, which allows local users to obtain sensitive information by listing the process."
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-4991 (codders-dataset): codders-dataset Gem for Ruby lib/dataset/database/mysql.rb
+ and lib/dataset/database/postgresql.rb Process Table Local Plaintext Credential
+ Disclosure'
+comments: false
+categories:
+- codders-dataset
+advisory:
+ gem: codders-dataset
+ cve: 2014-4991
+ osvdb: 108582
+ ghsa: w9vv-fvw8-j6q3
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4991
+ title: codders-dataset Gem for Ruby lib/dataset/database/mysql.rb and lib/dataset/database/postgresql.rb
+ Process Table Local Plaintext Credential Disclosure
+ date: 2014-06-30
+ description: |
+ "(1) lib/dataset/database/mysql.rb and (2) lib/dataset/database/postgresql.rb
+ in the codders-dataset gem 1.3.2.1 for Ruby place credentials on the mysqldump command
+ line, which allows local users to obtain sensitive information by listing the process."
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4992.md b/advisories/_posts/2014-06-30-CVE-2014-4992.md
index cdef48fa..29c1ba58 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4992.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4992.md
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2014-4992 (cap-strap): cap-strap Gem for Ruby Process Table Local Plaintext
- Credential Disclosure'
-comments: false
-categories:
-- cap-strap
-advisory:
- gem: cap-strap
- cve: 2014-4992
- osvdb: 108574
- ghsa: pcm6-g2qp-9gw8
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4992
- title: cap-strap Gem for Ruby Process Table Local Plaintext Credential Disclosure
- date: 2014-06-30
- description: |
- cap-strap Gem for Ruby contains a flaw that is due to the application
- exposing credential information in plaintext in the process table listing. This
- may allow a local attacker to gain access to credential information.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-4992 (cap-strap): cap-strap Gem for Ruby Process Table Local Plaintext
+ Credential Disclosure'
+comments: false
+categories:
+- cap-strap
+advisory:
+ gem: cap-strap
+ cve: 2014-4992
+ osvdb: 108574
+ ghsa: pcm6-g2qp-9gw8
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4992
+ title: cap-strap Gem for Ruby Process Table Local Plaintext Credential Disclosure
+ date: 2014-06-30
+ description: |
+ cap-strap Gem for Ruby contains a flaw that is due to the application
+ exposing credential information in plaintext in the process table listing. This
+ may allow a local attacker to gain access to credential information.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4993.md b/advisories/_posts/2014-06-30-CVE-2014-4993.md
index bfe595e6..d2a51b2a 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4993.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4993.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2014-4993 (backup_checksum): backup_checksum Gem for Ruby /lib/backup/cli/utility.rb
- Process List Local Plaintext Password Disclosure'
-comments: false
-categories:
-- backup_checksum
-advisory:
- gem: backup_checksum
- cve: 2014-4993
- osvdb: 108569
- ghsa: wr5j-q359-6vr2
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4993
- title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Process List Local
- Plaintext Password Disclosure
- date: 2014-06-30
- description: |
- backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
- that is triggered as the program displays password information in plaintext
- in the process list. This may allow a local attacker to gain access to
- password information.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-4993 (backup_checksum): backup_checksum Gem for Ruby /lib/backup/cli/utility.rb
+ Process List Local Plaintext Password Disclosure'
+comments: false
+categories:
+- backup_checksum
+advisory:
+ gem: backup_checksum
+ cve: 2014-4993
+ osvdb: 108569
+ ghsa: wr5j-q359-6vr2
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4993
+ title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Process List Local
+ Plaintext Password Disclosure
+ date: 2014-06-30
+ description: |
+ backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
+ that is triggered as the program displays password information in plaintext
+ in the process list. This may allow a local attacker to gain access to
+ password information.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4994.md b/advisories/_posts/2014-06-30-CVE-2014-4994.md
index c56f29aa..669e7755 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4994.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4994.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2014-4994 (gyazo): gyazo Gem for Ruby client.rb Metacharacter Handling
- Remote Command Execution'
-comments: false
-categories:
-- gyazo
-advisory:
- gem: gyazo
- cve: 2014-4994
- osvdb: 108563
- ghsa: 6x45-86q6-rcmr
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4994
- title: gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
- date: 2014-06-30
- description: |
- gyazo Gem for Ruby contains a flaw in client.rb that is triggered when
- handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
- cvss_v3: 5.5
- patched_versions:
- - ">= 2.0.0"
----
+---
+layout: advisory
+title: 'CVE-2014-4994 (gyazo): gyazo Gem for Ruby client.rb Metacharacter Handling
+ Remote Command Execution'
+comments: false
+categories:
+- gyazo
+advisory:
+ gem: gyazo
+ cve: 2014-4994
+ osvdb: 108563
+ ghsa: 6x45-86q6-rcmr
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4994
+ title: gyazo Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
+ date: 2014-06-30
+ description: |
+ gyazo Gem for Ruby contains a flaw in client.rb that is triggered when
+ handling metacharacters. This may allow a remote attacker to execute arbitrary commands.
+ cvss_v3: 5.5
+ patched_versions:
+ - ">= 2.0.0"
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4995.md b/advisories/_posts/2014-06-30-CVE-2014-4995.md
index b3a71451..67fe9aa2 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4995.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4995.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2014-4995 (VladTheEnterprising): VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host}
- Symlink Multiple Impact'
-comments: false
-categories:
-- VladTheEnterprising
-advisory:
- gem: VladTheEnterprising
- cve: 2014-4995
- osvdb: 108728
- ghsa: 86cf-g34f-7462
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4995
- title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple
- Impact
- date: 2014-06-30
- description: |
- VladTheEnterprising Gem for Ruby contains a flaw as the program creates
- temporary files insecurely. It is possible for a local attacker to use
- a symlink attack against the /tmp/my.cnf.#{target_host} file they can
- overwrite arbitrary files, gain access to the MySQL root password,
- or inject arbitrary commands.
- cvss_v3: 7.0
----
+---
+layout: advisory
+title: 'CVE-2014-4995 (VladTheEnterprising): VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host}
+ Symlink Multiple Impact'
+comments: false
+categories:
+- VladTheEnterprising
+advisory:
+ gem: VladTheEnterprising
+ cve: 2014-4995
+ osvdb: 108728
+ ghsa: 86cf-g34f-7462
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4995
+ title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple
+ Impact
+ date: 2014-06-30
+ description: |
+ VladTheEnterprising Gem for Ruby contains a flaw as the program creates
+ temporary files insecurely. It is possible for a local attacker to use
+ a symlink attack against the /tmp/my.cnf.#{target_host} file they can
+ overwrite arbitrary files, gain access to the MySQL root password,
+ or inject arbitrary commands.
+ cvss_v3: 7.0
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4996.md b/advisories/_posts/2014-06-30-CVE-2014-4996.md
index 26da606d..8d87d05f 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4996.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4996.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2014-4996 (VladTheEnterprising): VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host}
- Symlink Multiple Impact'
-comments: false
-categories:
-- VladTheEnterprising
-advisory:
- gem: VladTheEnterprising
- cve: 2014-4996
- osvdb: 108728
- ghsa: x4vj-279x-qwf2
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4996
- title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple
- Impact
- date: 2014-06-30
- description: |
- VladTheEnterprising Gem for Ruby contains a flaw as the program creates
- temporary files insecurely. It is possible for a local attacker to use
- a symlink attack against the /tmp/my.cnf.#{target_host} file they can
- overwrite arbitrary files, gain access to the MySQL root password,
- or inject arbitrary commands.
- cvss_v3: 5.5
----
+---
+layout: advisory
+title: 'CVE-2014-4996 (VladTheEnterprising): VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host}
+ Symlink Multiple Impact'
+comments: false
+categories:
+- VladTheEnterprising
+advisory:
+ gem: VladTheEnterprising
+ cve: 2014-4996
+ osvdb: 108728
+ ghsa: x4vj-279x-qwf2
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4996
+ title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple
+ Impact
+ date: 2014-06-30
+ description: |
+ VladTheEnterprising Gem for Ruby contains a flaw as the program creates
+ temporary files insecurely. It is possible for a local attacker to use
+ a symlink attack against the /tmp/my.cnf.#{target_host} file they can
+ overwrite arbitrary files, gain access to the MySQL root password,
+ or inject arbitrary commands.
+ cvss_v3: 5.5
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4997.md b/advisories/_posts/2014-06-30-CVE-2014-4997.md
index 061fd41a..ff0433bb 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4997.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4997.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2014-4997 (point-cli): point-cli Gem for Ruby /lib/commands/setup.rb Process
- Table Local Plaintext Credential Disclosure'
-comments: false
-categories:
-- point-cli
-advisory:
- gem: point-cli
- cve: 2014-4997
- osvdb: 108577
- ghsa: mc8m-x6hf-cw2g
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4997
- title: point-cli Gem for Ruby /lib/commands/setup.rb Process Table Local Plaintext
- Credential Disclosure
- date: 2014-06-30
- description: |
- point-cli Gem for Ruby contains a flaw in /lib/commands/setup.rb that
- is due to the application exposing credential information in plaintext in the process
- table. This may allow a local attacker to gain access to credential information.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-4997 (point-cli): point-cli Gem for Ruby /lib/commands/setup.rb Process
+ Table Local Plaintext Credential Disclosure'
+comments: false
+categories:
+- point-cli
+advisory:
+ gem: point-cli
+ cve: 2014-4997
+ osvdb: 108577
+ ghsa: mc8m-x6hf-cw2g
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4997
+ title: point-cli Gem for Ruby /lib/commands/setup.rb Process Table Local Plaintext
+ Credential Disclosure
+ date: 2014-06-30
+ description: |
+ point-cli Gem for Ruby contains a flaw in /lib/commands/setup.rb that
+ is due to the application exposing credential information in plaintext in the process
+ table. This may allow a local attacker to gain access to credential information.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4998.md b/advisories/_posts/2014-06-30-CVE-2014-4998.md
index 10ef1259..2bf22915 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4998.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4998.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2014-4998 (lean-ruport): lean-ruport Gem for Ruby /test/tc_database.rb
- Process Table Local Plaintext MySQL Password Disclosure'
-comments: false
-categories:
-- lean-ruport
-advisory:
- gem: lean-ruport
- cve: 2014-4998
- osvdb: 108581
- ghsa: 5g7f-p7jg-v6mv
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4998
- title: lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext
- MySQL Password Disclosure
- date: 2014-06-30
- description: |
- lean-ruport Gem for Ruby contains a flaw in /test/tc_database.rb that
- is due to the application exposing MySQL password information in plaintext in the
- process table. This may allow a local attacker to gain access to MySQL password
- information.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-4998 (lean-ruport): lean-ruport Gem for Ruby /test/tc_database.rb
+ Process Table Local Plaintext MySQL Password Disclosure'
+comments: false
+categories:
+- lean-ruport
+advisory:
+ gem: lean-ruport
+ cve: 2014-4998
+ osvdb: 108581
+ ghsa: 5g7f-p7jg-v6mv
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4998
+ title: lean-ruport Gem for Ruby /test/tc_database.rb Process Table Local Plaintext
+ MySQL Password Disclosure
+ date: 2014-06-30
+ description: |
+ lean-ruport Gem for Ruby contains a flaw in /test/tc_database.rb that
+ is due to the application exposing MySQL password information in plaintext in the
+ process table. This may allow a local attacker to gain access to MySQL password
+ information.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-4999.md b/advisories/_posts/2014-06-30-CVE-2014-4999.md
index ac217304..292bf5a7 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-4999.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-4999.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2014-4999 (kajam): kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb
- Process List Local Plaintext Password Disclosure'
-comments: false
-categories:
-- kajam
-advisory:
- gem: kajam
- cve: 2014-4999
- osvdb: 108529
- ghsa: 4ph7-5c44-pppv
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-4999
- title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List
- Local Plaintext Password Disclosure
- date: 2014-06-30
- description: |
- kajam Gem for Ruby contains a flaw in
- /dataset/lib/dataset/database/postgresql.rb that is triggered as the program
- exposes the MySQL or PostgreSQL password in the process list. This may allow
- a local attacker to gain access to password information.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-4999 (kajam): kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb
+ Process List Local Plaintext Password Disclosure'
+comments: false
+categories:
+- kajam
+advisory:
+ gem: kajam
+ cve: 2014-4999
+ osvdb: 108529
+ ghsa: 4ph7-5c44-pppv
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-4999
+ title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Process List
+ Local Plaintext Password Disclosure
+ date: 2014-06-30
+ description: |
+ kajam Gem for Ruby contains a flaw in
+ /dataset/lib/dataset/database/postgresql.rb that is triggered as the program
+ exposes the MySQL or PostgreSQL password in the process list. This may allow
+ a local attacker to gain access to password information.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-5000.md b/advisories/_posts/2014-06-30-CVE-2014-5000.md
index 5533867e..169676c1 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-5000.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-5000.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2014-5000 (lawn-login): lawn-login Gem for Ruby /lib/lawn.rb Process Table
- Local Plaintext Password Disclosure'
-comments: false
-categories:
-- lawn-login
-advisory:
- gem: lawn-login
- cve: 2014-5000
- osvdb: 108576
- ghsa: rhgq-vv9x-j4p5
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-5000
- title: lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password
- Disclosure
- date: 2014-06-30
- description: |
- lawn-login Gem for Ruby contains a flaw in /lib/lawn.rb that is due to
- the application exposing password information in plaintext in the process table.
- This may allow a local attacker to gain access to password information.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2014-5000 (lawn-login): lawn-login Gem for Ruby /lib/lawn.rb Process Table
+ Local Plaintext Password Disclosure'
+comments: false
+categories:
+- lawn-login
+advisory:
+ gem: lawn-login
+ cve: 2014-5000
+ osvdb: 108576
+ ghsa: rhgq-vv9x-j4p5
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-5000
+ title: lawn-login Gem for Ruby /lib/lawn.rb Process Table Local Plaintext Password
+ Disclosure
+ date: 2014-06-30
+ description: |
+ lawn-login Gem for Ruby contains a flaw in /lib/lawn.rb that is due to
+ the application exposing password information in plaintext in the process table.
+ This may allow a local attacker to gain access to password information.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-5001.md b/advisories/_posts/2014-06-30-CVE-2014-5001.md
index e7ff5f8b..3c1bbbd4 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-5001.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-5001.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2014-5001 (kcapifony): kcapifony Gem for Ruby /lib/ksymfony1.rb Process
- List Local Plaintext Password Disclosure'
-comments: false
-categories:
-- kcapifony
-advisory:
- gem: kcapifony
- cve: 2014-5001
- osvdb: 108571
- ghsa: 6fcq-3cm2-j3j5
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-5001
- title: kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password
- Disclosure
- date: 2014-06-30
- description: |
- kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered
- as the program displays password information in plaintext in the process list. This
- may allow a local attacker to gain access to password information.
- cvss_v2: 2.1
- cvss_v3: 7.8
- notes: Never patched
- related:
- url:
- - http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html
- - http://www.vapidlabs.com/advisory.php?v=65
----
+---
+layout: advisory
+title: 'CVE-2014-5001 (kcapifony): kcapifony Gem for Ruby /lib/ksymfony1.rb Process
+ List Local Plaintext Password Disclosure'
+comments: false
+categories:
+- kcapifony
+advisory:
+ gem: kcapifony
+ cve: 2014-5001
+ osvdb: 108571
+ ghsa: 6fcq-3cm2-j3j5
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-5001
+ title: kcapifony Gem for Ruby /lib/ksymfony1.rb Process List Local Plaintext Password
+ Disclosure
+ date: 2014-06-30
+ description: |
+ kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that is triggered
+ as the program displays password information in plaintext in the process list. This
+ may allow a local attacker to gain access to password information.
+ cvss_v2: 2.1
+ cvss_v3: 7.8
+ notes: Never patched
+ related:
+ url:
+ - http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html
+ - http://www.vapidlabs.com/advisory.php?v=65
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-5002.md b/advisories/_posts/2014-06-30-CVE-2014-5002.md
index 2835a57a..93445635 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-5002.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-5002.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2014-5002 (lynx): lynx Gem for Ruby command/basic.rb Process Table Local
- Plaintext Password Disclosure'
-comments: false
-categories:
-- lynx
-advisory:
- gem: lynx
- cve: 2014-5002
- osvdb: 108580
- ghsa: 94cq-7ccq-cmcm
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-5002
- title: lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password
- Disclosure
- date: 2014-06-30
- description: |
- lynx Gem for Ruby contains a flaw in command/basic.rb that is due to
- the application exposing password information in plaintext in the process table.
- This may allow a local attacker to gain access to password information.
- cvss_v3: 7.8
- patched_versions:
- - ">= 1.0.0"
----
+---
+layout: advisory
+title: 'CVE-2014-5002 (lynx): lynx Gem for Ruby command/basic.rb Process Table Local
+ Plaintext Password Disclosure'
+comments: false
+categories:
+- lynx
+advisory:
+ gem: lynx
+ cve: 2014-5002
+ osvdb: 108580
+ ghsa: 94cq-7ccq-cmcm
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-5002
+ title: lynx Gem for Ruby command/basic.rb Process Table Local Plaintext Password
+ Disclosure
+ date: 2014-06-30
+ description: |
+ lynx Gem for Ruby contains a flaw in command/basic.rb that is due to
+ the application exposing password information in plaintext in the process table.
+ This may allow a local attacker to gain access to password information.
+ cvss_v3: 7.8
+ patched_versions:
+ - ">= 1.0.0"
+---
diff --git a/advisories/_posts/2014-06-30-CVE-2014-5003.md b/advisories/_posts/2014-06-30-CVE-2014-5003.md
index 2177980d..9fa5c14f 100644
--- a/advisories/_posts/2014-06-30-CVE-2014-5003.md
+++ b/advisories/_posts/2014-06-30-CVE-2014-5003.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2014-5003 (ciborg): ciborg Gem for Ruby default.rb /tmp/perlbrew-installer
- Local Symlink File Overwrite'
-comments: false
-categories:
-- ciborg
-advisory:
- gem: ciborg
- cve: 2014-5003
- osvdb: 108586
- ghsa: g982-9r8g-6qxw
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-5003
- title: ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File
- Overwrite
- date: 2014-06-30
- description: |
- ciborg Gem for Ruby contains a flaw as default.rb creates temporary files
- insecurely. It is possible for a local attacker to use a symlink attack against
- the /tmp/perlbrew-installer file to cause the program to unexpectedly overwrite
- an arbitrary file.
- cvss_v3: 5.5
----
+---
+layout: advisory
+title: 'CVE-2014-5003 (ciborg): ciborg Gem for Ruby default.rb /tmp/perlbrew-installer
+ Local Symlink File Overwrite'
+comments: false
+categories:
+- ciborg
+advisory:
+ gem: ciborg
+ cve: 2014-5003
+ osvdb: 108586
+ ghsa: g982-9r8g-6qxw
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-5003
+ title: ciborg Gem for Ruby default.rb /tmp/perlbrew-installer Local Symlink File
+ Overwrite
+ date: 2014-06-30
+ description: |
+ ciborg Gem for Ruby contains a flaw as default.rb creates temporary files
+ insecurely. It is possible for a local attacker to use a symlink attack against
+ the /tmp/perlbrew-installer file to cause the program to unexpectedly overwrite
+ an arbitrary file.
+ cvss_v3: 5.5
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108530.md b/advisories/_posts/2014-06-30-OSVDB-108530.md
index 720f0594..24d96c71 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108530.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108530.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'OSVDB-108530 (kajam): kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb
- Metacharacter Handling Remote Command Execution'
-comments: false
-categories:
-- kajam
-advisory:
- gem: kajam
- osvdb: 108530
- url: https://security.snyk.io/vuln/SNYK-RUBY-KAJAM-20171
- title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Metacharacter
- Handling Remote Command Execution
- date: 2014-06-30
- description: |
- kajam Gem for Ruby contains a flaw in
- /dataset/lib/dataset/database/postgresql.rb that is triggered
- when handling metacharacters. This may allow a remote attacker
- to execute arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://security.snyk.io/vuln/SNYK-RUBY-KAJAM-20171
- - https://my.diffend.io/gems/kajam/1.0.3.rc2
- - http://osvdb.org/show/osvdb/108530
----
+---
+layout: advisory
+title: 'OSVDB-108530 (kajam): kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb
+ Metacharacter Handling Remote Command Execution'
+comments: false
+categories:
+- kajam
+advisory:
+ gem: kajam
+ osvdb: 108530
+ url: https://security.snyk.io/vuln/SNYK-RUBY-KAJAM-20171
+ title: kajam Gem for Ruby /dataset/lib/dataset/database/postgresql.rb Metacharacter
+ Handling Remote Command Execution
+ date: 2014-06-30
+ description: |
+ kajam Gem for Ruby contains a flaw in
+ /dataset/lib/dataset/database/postgresql.rb that is triggered
+ when handling metacharacters. This may allow a remote attacker
+ to execute arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://security.snyk.io/vuln/SNYK-RUBY-KAJAM-20171
+ - https://my.diffend.io/gems/kajam/1.0.3.rc2
+ - http://osvdb.org/show/osvdb/108530
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108570.md b/advisories/_posts/2014-06-30-OSVDB-108570.md
index e661ba40..1f61d252 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108570.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108570.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'OSVDB-108570 (backup_checksum): backup_checksum Gem for Ruby /lib/backup/cli/utility.rb
- Metacharacter Handling Remote Command Execution'
-comments: false
-categories:
-- backup_checksum
-advisory:
- gem: backup_checksum
- osvdb: 108570
- url: https://www.openwall.com/lists/oss-security/2014/07/07/12
- title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling
- Remote Command Execution
- date: 2014-06-30
- description: |
- backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
- that is triggered when handling metacharacters. This may allow a remote
- attacker to execute arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://www.openwall.com/lists/oss-security/2014/07/07/12
- - https://my.diffend.io/gems/backup_checksum/3.0.23
- - https://github.com/backup/backup
- - http://osvdb.org/show/osvdb/108570
----
+---
+layout: advisory
+title: 'OSVDB-108570 (backup_checksum): backup_checksum Gem for Ruby /lib/backup/cli/utility.rb
+ Metacharacter Handling Remote Command Execution'
+comments: false
+categories:
+- backup_checksum
+advisory:
+ gem: backup_checksum
+ osvdb: 108570
+ url: https://www.openwall.com/lists/oss-security/2014/07/07/12
+ title: backup_checksum Gem for Ruby /lib/backup/cli/utility.rb Metacharacter Handling
+ Remote Command Execution
+ date: 2014-06-30
+ description: |
+ backup_checksum Gem for Ruby contains a flaw in /lib/backup/cli/utility.rb
+ that is triggered when handling metacharacters. This may allow a remote
+ attacker to execute arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://www.openwall.com/lists/oss-security/2014/07/07/12
+ - https://my.diffend.io/gems/backup_checksum/3.0.23
+ - https://github.com/backup/backup
+ - http://osvdb.org/show/osvdb/108570
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108572.md b/advisories/_posts/2014-06-30-OSVDB-108572.md
index 28f231f9..16846db4 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108572.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108572.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'OSVDB-108572 (kcapifony): kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter
- Handling Remote Command Execution'
-comments: false
-categories:
-- kcapifony
-advisory:
- gem: kcapifony
- osvdb: 108572
- url: https://www.mend.io/vulnerability-database/WS-2014-0019
- title: kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter Handling Remote Command
- Execution
- date: 2014-06-30
- description: |
- kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that
- is triggered when handling metacharacters. This may allow a remote
- attacker to execute arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://www.mend.io/vulnerability-database/WS-2014-0019
- - https://github.com/Kunstmaan/kCapifony/blob/master/lib/ksymfony1.rb
- - http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html
- - http://www.vapidlabs.com/advisory.php?v=65
- - http://osvdb.org/show/osvdb/108572
----
+---
+layout: advisory
+title: 'OSVDB-108572 (kcapifony): kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter
+ Handling Remote Command Execution'
+comments: false
+categories:
+- kcapifony
+advisory:
+ gem: kcapifony
+ osvdb: 108572
+ url: https://www.mend.io/vulnerability-database/WS-2014-0019
+ title: kcapifony Gem for Ruby /lib/ksymfony1.rb Metacharacter Handling Remote Command
+ Execution
+ date: 2014-06-30
+ description: |
+ kcapifony Gem for Ruby contains a flaw in /lib/ksymfony1.rb that
+ is triggered when handling metacharacters. This may allow a remote
+ attacker to execute arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://www.mend.io/vulnerability-database/WS-2014-0019
+ - https://github.com/Kunstmaan/kCapifony/blob/master/lib/ksymfony1.rb
+ - http://www.vapid.dhs.org/advisories/kcapifony-2.1.6.html
+ - http://www.vapidlabs.com/advisory.php?v=65
+ - http://osvdb.org/show/osvdb/108572
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108575.md b/advisories/_posts/2014-06-30-OSVDB-108575.md
index 091fb562..8c53f954 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108575.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108575.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'OSVDB-108575 (cap-strap): cap-strap Gem for Ruby Hardcoded Password Crypt
- Hash Salt Weakness'
-comments: false
-categories:
-- cap-strap
-advisory:
- gem: cap-strap
- osvdb: 108575
- url: https://www.openwall.com/lists/oss-security/2014/07/07/9
- title: cap-strap Gem for Ruby Hardcoded Password Crypt Hash Salt Weakness
- date: 2014-06-30
- description: |
- cap-strap Gem for Ruby contains a flaw that is due to the application
- using a hardcoded default 'sa' salt for password encryption. This may
- allow a local attacker to more easily decrypt passwords.
- notes: Never patched
- related:
- url:
- - https://www.openwall.com/lists/oss-security/2014/07/07/9
- - https://github.com/substantial/cap-strap
- - http://www.vapid.dhs.org/advisories/cap-strap-0.1.5.html
- - http://www.vapidlabs.com/advisory.php?v=27
- - http://osvdb.org/show/osvdb/108575
----
+---
+layout: advisory
+title: 'OSVDB-108575 (cap-strap): cap-strap Gem for Ruby Hardcoded Password Crypt
+ Hash Salt Weakness'
+comments: false
+categories:
+- cap-strap
+advisory:
+ gem: cap-strap
+ osvdb: 108575
+ url: https://www.openwall.com/lists/oss-security/2014/07/07/9
+ title: cap-strap Gem for Ruby Hardcoded Password Crypt Hash Salt Weakness
+ date: 2014-06-30
+ description: |
+ cap-strap Gem for Ruby contains a flaw that is due to the application
+ using a hardcoded default 'sa' salt for password encryption. This may
+ allow a local attacker to more easily decrypt passwords.
+ notes: Never patched
+ related:
+ url:
+ - https://www.openwall.com/lists/oss-security/2014/07/07/9
+ - https://github.com/substantial/cap-strap
+ - http://www.vapid.dhs.org/advisories/cap-strap-0.1.5.html
+ - http://www.vapidlabs.com/advisory.php?v=27
+ - http://osvdb.org/show/osvdb/108575
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108579.md b/advisories/_posts/2014-06-30-OSVDB-108579.md
index a89fd571..8388d45f 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108579.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108579.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'OSVDB-108579 (lynx): lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command
- Execution'
-comments: false
-categories:
-- lynx
-advisory:
- gem: lynx
- osvdb: 108579
- url: https://www.openwall.com/lists/oss-security/2014/07/07/23
- title: lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command Execution
- date: 2014-06-30
- description: |
- lynx Gem for Ruby contains a flaw in lib/lynx/pipe/run.rb that
- may allow a remote attacker to execute arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://www.openwall.com/lists/oss-security/2014/07/07/23
- - https://security.snyk.io/vuln/SNYK-RUBY-LYNX-20160
- - https://github.com/panthomakos/lynx/blob/master/lib/lynx/pipe/run.rb
- - http://osvdb.org/show/osvdb/108579
----
+---
+layout: advisory
+title: 'OSVDB-108579 (lynx): lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command
+ Execution'
+comments: false
+categories:
+- lynx
+advisory:
+ gem: lynx
+ osvdb: 108579
+ url: https://www.openwall.com/lists/oss-security/2014/07/07/23
+ title: lynx Gem for Ruby lib/lynx/pipe/run.rb Remote Command Execution
+ date: 2014-06-30
+ description: |
+ lynx Gem for Ruby contains a flaw in lib/lynx/pipe/run.rb that
+ may allow a remote attacker to execute arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://www.openwall.com/lists/oss-security/2014/07/07/23
+ - https://security.snyk.io/vuln/SNYK-RUBY-LYNX-20160
+ - https://github.com/panthomakos/lynx/blob/master/lib/lynx/pipe/run.rb
+ - http://osvdb.org/show/osvdb/108579
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108585.md b/advisories/_posts/2014-06-30-OSVDB-108585.md
index d9de9ee1..8c482081 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108585.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108585.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-108585 (lingq): lingq Gem for Ruby client.rb Metacharacter Handling
- Remote Command Execution'
-comments: false
-categories:
-- lingq
-advisory:
- gem: lingq
- osvdb: 108585
- url: https://www.versioneye.com/Ruby/lingq/0.3.1
- title: lingq Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
- date: 2014-06-30
- description: |
- lingq Gem for Ruby contains a flaw in client.rb that is triggered
- when handling metacharacters. This may allow a remote attacker
- to execute arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://www.versioneye.com/Ruby/lingq/0.3.1
- - http://www.vapid.dhs.org/advisories/lingq-0.3.1.html
- - http://www.vapidlabs.com/advisory.php?v=71
- - http://osvdb.org/show/osvdb/108585
----
+---
+layout: advisory
+title: 'OSVDB-108585 (lingq): lingq Gem for Ruby client.rb Metacharacter Handling
+ Remote Command Execution'
+comments: false
+categories:
+- lingq
+advisory:
+ gem: lingq
+ osvdb: 108585
+ url: https://www.versioneye.com/Ruby/lingq/0.3.1
+ title: lingq Gem for Ruby client.rb Metacharacter Handling Remote Command Execution
+ date: 2014-06-30
+ description: |
+ lingq Gem for Ruby contains a flaw in client.rb that is triggered
+ when handling metacharacters. This may allow a remote attacker
+ to execute arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://www.versioneye.com/Ruby/lingq/0.3.1
+ - http://www.vapid.dhs.org/advisories/lingq-0.3.1.html
+ - http://www.vapidlabs.com/advisory.php?v=71
+ - http://osvdb.org/show/osvdb/108585
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108593.md b/advisories/_posts/2014-06-30-OSVDB-108593.md
index dfd4d873..36ac3daf 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108593.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108593.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'OSVDB-108593 (kompanee-recipes): kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb
- Multiple Variable Handling Remote Command Execution Weakness'
-comments: false
-categories:
-- kompanee-recipes
-advisory:
- gem: kompanee-recipes
- osvdb: 108593
- url: https://www.openwall.com/lists/oss-security/2014/07/07/17
- title: kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb Multiple Variable
- Handling Remote Command Execution Weakness
- date: 2014-06-30
- description: |
- kompanee-recipes Gem for Ruby contains a flaw in
- /lib/kompanee-recipes/heroku.rb that is triggered when handling shell
- metacharacters passed via the 'password', 'user', 'deploy_name', and
- 'application' variables. This may allow a remote attacker to execute
- arbitrary commands.
- notes: Never patched
- related:
- url:
- - https://www.openwall.com/lists/oss-security/2014/07/07/17
- - https://seclists.org/oss-sec/2014/q3/162
- - https://www.mend.io/vulnerability-database/WS-2014-0025
- - https://security.snyk.io/vuln/SNYK-RUBY-KOMPANEERECIPES-20177
- - http://www.vapid.dhs.org/advisories/kompanee-recipes-0.1.4.html
- - http://www.vapidlabs.com/advisory.php?v=67
- - http://osvdb.org/show/osvdb/108593
----
+---
+layout: advisory
+title: 'OSVDB-108593 (kompanee-recipes): kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb
+ Multiple Variable Handling Remote Command Execution Weakness'
+comments: false
+categories:
+- kompanee-recipes
+advisory:
+ gem: kompanee-recipes
+ osvdb: 108593
+ url: https://www.openwall.com/lists/oss-security/2014/07/07/17
+ title: kompanee-recipes Gem for Ruby /lib/kompanee-recipes/heroku.rb Multiple Variable
+ Handling Remote Command Execution Weakness
+ date: 2014-06-30
+ description: |
+ kompanee-recipes Gem for Ruby contains a flaw in
+ /lib/kompanee-recipes/heroku.rb that is triggered when handling shell
+ metacharacters passed via the 'password', 'user', 'deploy_name', and
+ 'application' variables. This may allow a remote attacker to execute
+ arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - https://www.openwall.com/lists/oss-security/2014/07/07/17
+ - https://seclists.org/oss-sec/2014/q3/162
+ - https://www.mend.io/vulnerability-database/WS-2014-0025
+ - https://security.snyk.io/vuln/SNYK-RUBY-KOMPANEERECIPES-20177
+ - http://www.vapid.dhs.org/advisories/kompanee-recipes-0.1.4.html
+ - http://www.vapidlabs.com/advisory.php?v=67
+ - http://osvdb.org/show/osvdb/108593
+---
diff --git a/advisories/_posts/2014-06-30-OSVDB-108594.md b/advisories/_posts/2014-06-30-OSVDB-108594.md
index 44ec6e6a..465bcc76 100644
--- a/advisories/_posts/2014-06-30-OSVDB-108594.md
+++ b/advisories/_posts/2014-06-30-OSVDB-108594.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-108594 (gnms): gnms Gem for Ruby /lib/cmd_parse.rb ip Variable Shell
- Metacharacter Handling Remote Command Injection'
-comments: false
-categories:
-- gnms
-advisory:
- gem: gnms
- osvdb: 108594
- url: http://www.vapidlabs.com/advisories/gnms-2.1.1.html
- title: gnms Gem for Ruby /lib/cmd_parse.rb ip Variable Shell Metacharacter Handling
- Remote Command Injection
- date: 2014-06-30
- description: |
- gnms Gem for Ruby contains a flaw in /lib/cmd_parse.rb that is triggered
- when handling shell metacharacters passed via the 'ip' variable.
- This may allow a remote attacker to inject arbitrary commands.
- notes: Never patched
- related:
- url:
- - http://www.vapidlabs.com/advisories/gnms-2.1.1.html
- - http://www.vapidlabs.com/advisory.php?v=55
- - http://osvdb.org/show/osvdb/108594
----
+---
+layout: advisory
+title: 'OSVDB-108594 (gnms): gnms Gem for Ruby /lib/cmd_parse.rb ip Variable Shell
+ Metacharacter Handling Remote Command Injection'
+comments: false
+categories:
+- gnms
+advisory:
+ gem: gnms
+ osvdb: 108594
+ url: http://www.vapidlabs.com/advisories/gnms-2.1.1.html
+ title: gnms Gem for Ruby /lib/cmd_parse.rb ip Variable Shell Metacharacter Handling
+ Remote Command Injection
+ date: 2014-06-30
+ description: |
+ gnms Gem for Ruby contains a flaw in /lib/cmd_parse.rb that is triggered
+ when handling shell metacharacters passed via the 'ip' variable.
+ This may allow a remote attacker to inject arbitrary commands.
+ notes: Never patched
+ related:
+ url:
+ - http://www.vapidlabs.com/advisories/gnms-2.1.1.html
+ - http://www.vapidlabs.com/advisory.php?v=55
+ - http://osvdb.org/show/osvdb/108594
+---
diff --git a/advisories/_posts/2014-07-02-CVE-2014-3482.md b/advisories/_posts/2014-07-02-CVE-2014-3482.md
index 56e696b4..f9da9962 100644
--- a/advisories/_posts/2014-07-02-CVE-2014-3482.md
+++ b/advisories/_posts/2014-07-02-CVE-2014-3482.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2014-3482 (activerecord): CVE-2014-3482 rubygem-activerecord: SQL injection
- vulnerability in ''bitstring'' quoting'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2014-3482
- osvdb: 108664
- ghsa: mhwp-qhpc-h3jm
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
- title: 'CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in ''bitstring''
- quoting'
- date: 2014-07-02
- description: |
- SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
- in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before
- 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper
- bitstring quoting. It was discovered that Active Record did not properly quote values
- of the bitstring type attributes when using the PostgreSQL database adapter. A remote
- attacker could possibly use this flaw to conduct an SQL injection attack against
- applications using Active Record.
- unaffected_versions:
- - ">= 4.0.0"
- patched_versions:
- - "~> 3.2.19"
----
+---
+layout: advisory
+title: 'CVE-2014-3482 (activerecord): CVE-2014-3482 rubygem-activerecord: SQL injection
+ vulnerability in ''bitstring'' quoting'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2014-3482
+ osvdb: 108664
+ ghsa: mhwp-qhpc-h3jm
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-3482
+ title: 'CVE-2014-3482 rubygem-activerecord: SQL injection vulnerability in ''bitstring''
+ quoting'
+ date: 2014-07-02
+ description: |
+ SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql_adapter.rb
+ in the PostgreSQL adapter for Active Record in Ruby on Rails 2.x and 3.x before
+ 3.2.19 allows remote attackers to execute arbitrary SQL commands by leveraging improper
+ bitstring quoting. It was discovered that Active Record did not properly quote values
+ of the bitstring type attributes when using the PostgreSQL database adapter. A remote
+ attacker could possibly use this flaw to conduct an SQL injection attack against
+ applications using Active Record.
+ unaffected_versions:
+ - ">= 4.0.0"
+ patched_versions:
+ - "~> 3.2.19"
+---
diff --git a/advisories/_posts/2014-07-02-CVE-2014-3483.md b/advisories/_posts/2014-07-02-CVE-2014-3483.md
index 698c457d..ac9d0efa 100644
--- a/advisories/_posts/2014-07-02-CVE-2014-3483.md
+++ b/advisories/_posts/2014-07-02-CVE-2014-3483.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2014-3483 (activerecord): CVE-2014-3483 rubygem-activerecord: SQL injection
- vulnerability in ''range'' quoting'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2014-3483
- osvdb: 108665
- ghsa: r8fh-hq2p-7qhq
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-3483
- title: 'CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in ''range''
- quoting'
- date: 2014-07-02
- description: |
- SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
- in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and
- 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by
- leveraging improper range quoting. It was discovered that Active Record did not
- properly quote values of the range type attributes when using the PostgreSQL database
- adapter. A remote attacker could possibly use this flaw to conduct an SQL injection
- attack against applications using Active Record.
- unaffected_versions:
- - "< 4.0.0"
- patched_versions:
- - "~> 4.0.7"
- - ">= 4.1.3"
----
+---
+layout: advisory
+title: 'CVE-2014-3483 (activerecord): CVE-2014-3483 rubygem-activerecord: SQL injection
+ vulnerability in ''range'' quoting'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2014-3483
+ osvdb: 108665
+ ghsa: r8fh-hq2p-7qhq
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-3483
+ title: 'CVE-2014-3483 rubygem-activerecord: SQL injection vulnerability in ''range''
+ quoting'
+ date: 2014-07-02
+ description: |
+ SQL injection vulnerability in activerecord/lib/active_record/connection_adapters/postgresql/quoting.rb
+ in the PostgreSQL adapter for Active Record in Ruby on Rails 4.x before 4.0.7 and
+ 4.1.x before 4.1.3 allows remote attackers to execute arbitrary SQL commands by
+ leveraging improper range quoting. It was discovered that Active Record did not
+ properly quote values of the range type attributes when using the PostgreSQL database
+ adapter. A remote attacker could possibly use this flaw to conduct an SQL injection
+ attack against applications using Active Record.
+ unaffected_versions:
+ - "< 4.0.0"
+ patched_versions:
+ - "~> 4.0.7"
+ - ">= 4.1.3"
+---
diff --git a/advisories/_posts/2014-07-09-CVE-2014-5004.md b/advisories/_posts/2014-07-09-CVE-2014-5004.md
index 15d6356b..58d4a0ab 100644
--- a/advisories/_posts/2014-07-09-CVE-2014-5004.md
+++ b/advisories/_posts/2014-07-09-CVE-2014-5004.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2014-5004 (brbackup): brbackup Gem for Ruby Process List Local Plaintext
- Password Disclosure'
-comments: false
-categories:
-- brbackup
-advisory:
- gem: brbackup
- cve: 2014-5004
- osvdb: 108901
- ghsa: vqcm-7f7f-r539
- url: http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
- title: brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
- date: 2014-07-09
- description: |
- brbackup Gem for Ruby contains a flaw that is due to the program exposing
- password information in plaintext in the process list. This may allow a
- local attacker to gain access to password information.
- cvss_v2: 2.1
- cvss_v3: 7.8
- notes: Never patched
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2014-5004
- - http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
- - http://www.vapidlabs.com/advisory.php?v=25
- - http://www.openwall.com/lists/oss-security/2014/07/10/6
- - http://www.openwall.com/lists/oss-security/2014/07/17/5
- - http://www.securityfocus.com/bid/68506
- - https://web.archive.org/web/20200229055655/https://www.securityfocus.com/bid/68506/
----
+---
+layout: advisory
+title: 'CVE-2014-5004 (brbackup): brbackup Gem for Ruby Process List Local Plaintext
+ Password Disclosure'
+comments: false
+categories:
+- brbackup
+advisory:
+ gem: brbackup
+ cve: 2014-5004
+ osvdb: 108901
+ ghsa: vqcm-7f7f-r539
+ url: http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
+ title: brbackup Gem for Ruby Process List Local Plaintext Password Disclosure
+ date: 2014-07-09
+ description: |
+ brbackup Gem for Ruby contains a flaw that is due to the program exposing
+ password information in plaintext in the process list. This may allow a
+ local attacker to gain access to password information.
+ cvss_v2: 2.1
+ cvss_v3: 7.8
+ notes: Never patched
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-5004
+ - http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
+ - http://www.vapidlabs.com/advisory.php?v=25
+ - http://www.openwall.com/lists/oss-security/2014/07/10/6
+ - http://www.openwall.com/lists/oss-security/2014/07/17/5
+ - http://www.securityfocus.com/bid/68506
+ - https://web.archive.org/web/20200229055655/https://www.securityfocus.com/bid/68506/
+---
diff --git a/advisories/_posts/2014-07-09-OSVDB-108899.md b/advisories/_posts/2014-07-09-OSVDB-108899.md
index 2eb2060b..df605a6f 100644
--- a/advisories/_posts/2014-07-09-OSVDB-108899.md
+++ b/advisories/_posts/2014-07-09-OSVDB-108899.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'OSVDB-108899 (brbackup): brbackup Gem for Ruby /lib/brbackup.rb name Parameter
- SQL Injection'
-comments: false
-categories:
-- brbackup
-advisory:
- gem: brbackup
- osvdb: 108899
- url: https://www.openwall.com/lists/oss-security/2014/07/10/6
- title: brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
- date: 2014-07-09
- description: |
- brbackup Gem for Ruby contains a flaw that may allow carrying out an SQL
- injection attack. The issue is due to the /lib/brbackup.rb script not
- properly sanitizing user-supplied input to the 'name' parameter. This may
- allow a remote attacker to inject or manipulate SQL queries in the back-end
- database, allowing for the manipulation or disclosure of arbitrary data.
- notes: Never patched
- related:
- url:
- - https://www.openwall.com/lists/oss-security/2014/07/10/6
- - https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
- - https://github.com/tongueroo/brbackup/blob/master/lib/brbackup.rb
- - http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
- - http://www.vapidlabs.com/advisory.php?v=25
- - http://osvdb.org/show/osvdb/108899
----
+---
+layout: advisory
+title: 'OSVDB-108899 (brbackup): brbackup Gem for Ruby /lib/brbackup.rb name Parameter
+ SQL Injection'
+comments: false
+categories:
+- brbackup
+advisory:
+ gem: brbackup
+ osvdb: 108899
+ url: https://www.openwall.com/lists/oss-security/2014/07/10/6
+ title: brbackup Gem for Ruby /lib/brbackup.rb name Parameter SQL Injection
+ date: 2014-07-09
+ description: |
+ brbackup Gem for Ruby contains a flaw that may allow carrying out an SQL
+ injection attack. The issue is due to the /lib/brbackup.rb script not
+ properly sanitizing user-supplied input to the 'name' parameter. This may
+ allow a remote attacker to inject or manipulate SQL queries in the back-end
+ database, allowing for the manipulation or disclosure of arbitrary data.
+ notes: Never patched
+ related:
+ url:
+ - https://www.openwall.com/lists/oss-security/2014/07/10/6
+ - https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
+ - https://github.com/tongueroo/brbackup/blob/master/lib/brbackup.rb
+ - http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
+ - http://www.vapidlabs.com/advisory.php?v=25
+ - http://osvdb.org/show/osvdb/108899
+---
diff --git a/advisories/_posts/2014-07-09-OSVDB-108900.md b/advisories/_posts/2014-07-09-OSVDB-108900.md
index abb5a05c..9a92cfea 100644
--- a/advisories/_posts/2014-07-09-OSVDB-108900.md
+++ b/advisories/_posts/2014-07-09-OSVDB-108900.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'OSVDB-108900 (brbackup): brbackup Gem for Ruby dbuser Variable Shell Metacharacter
- Injection Remote Command Execution'
-comments: false
-categories:
-- brbackup
-advisory:
- gem: brbackup
- osvdb: 108900
- url: https://www.openwall.com/lists/oss-security/2014/07/10/6
- title: brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote
- Command Execution
- date: 2014-07-09
- description: |
- brbackup Gem for Ruby contains a flaw that is triggered as input passed
- via the 'dbuser' variable is not properly sanitized. This may allow a
- remote attacker to inject shell metacharacters and execute arbitrary
- commands.
- notes: Never patched
- related:
- url:
- - https://www.openwall.com/lists/oss-security/2014/07/10/6
- - https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
- - http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
- - http://www.vapidlabs.com/advisory.php?v=25
- - http://osvdb.org/show/osvdb/108900
----
+---
+layout: advisory
+title: 'OSVDB-108900 (brbackup): brbackup Gem for Ruby dbuser Variable Shell Metacharacter
+ Injection Remote Command Execution'
+comments: false
+categories:
+- brbackup
+advisory:
+ gem: brbackup
+ osvdb: 108900
+ url: https://www.openwall.com/lists/oss-security/2014/07/10/6
+ title: brbackup Gem for Ruby dbuser Variable Shell Metacharacter Injection Remote
+ Command Execution
+ date: 2014-07-09
+ description: |
+ brbackup Gem for Ruby contains a flaw that is triggered as input passed
+ via the 'dbuser' variable is not properly sanitized. This may allow a
+ remote attacker to inject shell metacharacters and execute arbitrary
+ commands.
+ notes: Never patched
+ related:
+ url:
+ - https://www.openwall.com/lists/oss-security/2014/07/10/6
+ - https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
+ - http://www.vapid.dhs.org/advisories/brbackup-0.1.1.html
+ - http://www.vapidlabs.com/advisory.php?v=25
+ - http://osvdb.org/show/osvdb/108900
+---
diff --git a/advisories/_posts/2014-08-13-CVE-2013-0334.md b/advisories/_posts/2014-08-13-CVE-2013-0334.md
index 6fc45283..11d86d58 100644
--- a/advisories/_posts/2014-08-13-CVE-2013-0334.md
+++ b/advisories/_posts/2014-08-13-CVE-2013-0334.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2013-0334 (bundler): CVE-2013-0334 rubygem-bundler: ''bundle install''
- may install a gem from a source other than expected'
-comments: false
-categories:
-- bundler
-advisory:
- gem: bundler
- cve: 2013-0334
- osvdb: 110004
- ghsa: 49jx-9cmc-xjxm
- url: https://nvd.nist.gov/vuln/detail/CVE-2013-0334
- title: 'CVE-2013-0334 rubygem-bundler: ''bundle install'' may install a gem from
- a source other than expected'
- date: 2014-08-13
- description: |
- Bundler before 1.7, when multiple top-level source lines are used, allows
- remote attackers to install arbitrary gems by creating a gem with the same name
- as another gem in a different source. A flaw was found in the way Bundler handled
- gems available from multiple sources. An attacker with access to one of the sources
- could create a malicious gem with the same name, which they could then use to trick
- a user into installing, potentially resulting in execution of code from the attacker-supplied
- malicious gem.
- cvss_v2: 5.0
- patched_versions:
- - ">= 1.7.0"
----
+---
+layout: advisory
+title: 'CVE-2013-0334 (bundler): CVE-2013-0334 rubygem-bundler: ''bundle install''
+ may install a gem from a source other than expected'
+comments: false
+categories:
+- bundler
+advisory:
+ gem: bundler
+ cve: 2013-0334
+ osvdb: 110004
+ ghsa: 49jx-9cmc-xjxm
+ url: https://nvd.nist.gov/vuln/detail/CVE-2013-0334
+ title: 'CVE-2013-0334 rubygem-bundler: ''bundle install'' may install a gem from
+ a source other than expected'
+ date: 2014-08-13
+ description: |
+ Bundler before 1.7, when multiple top-level source lines are used, allows
+ remote attackers to install arbitrary gems by creating a gem with the same name
+ as another gem in a different source. A flaw was found in the way Bundler handled
+ gems available from multiple sources. An attacker with access to one of the sources
+ could create a malicious gem with the same name, which they could then use to trick
+ a user into installing, potentially resulting in execution of code from the attacker-supplied
+ malicious gem.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 1.7.0"
+---
diff --git a/advisories/_posts/2014-08-18-CVE-2014-3514.md b/advisories/_posts/2014-08-18-CVE-2014-3514.md
index 2d6defdb..ff3dc5d5 100644
--- a/advisories/_posts/2014-08-18-CVE-2014-3514.md
+++ b/advisories/_posts/2014-08-18-CVE-2014-3514.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2014-3514 (activerecord): Data Injection Vulnerability in Active Record'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2014-3514
- ghsa: 9rf5-jm6f-2fmm
- url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
- title: Data Injection Vulnerability in Active Record
- date: 2014-08-18
- description: |
- The create_with functionality in Active Record was implemented incorrectly
- and completely bypasses the strong parameters protection. Applications which pass
- user-controlled values to create_with could allow attackers to set arbitrary attributes
- on models.
- cvss_v2: 8.7
- unaffected_versions:
- - "< 4.0.0"
- patched_versions:
- - "~> 4.0.9"
- - ">= 4.1.5"
----
+---
+layout: advisory
+title: 'CVE-2014-3514 (activerecord): Data Injection Vulnerability in Active Record'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2014-3514
+ ghsa: 9rf5-jm6f-2fmm
+ url: https://groups.google.com/forum/#!msg/rubyonrails-security/M4chq5Sb540/CC1Fh0Y_NWwJ
+ title: Data Injection Vulnerability in Active Record
+ date: 2014-08-18
+ description: |
+ The create_with functionality in Active Record was implemented incorrectly
+ and completely bypasses the strong parameters protection. Applications which pass
+ user-controlled values to create_with could allow attackers to set arbitrary attributes
+ on models.
+ cvss_v2: 8.7
+ unaffected_versions:
+ - "< 4.0.0"
+ patched_versions:
+ - "~> 4.0.9"
+ - ">= 4.1.5"
+---
diff --git a/advisories/_posts/2014-08-22-CVE-2014-5441.md b/advisories/_posts/2014-08-22-CVE-2014-5441.md
index a3f6befc..f9b3a6d5 100644
--- a/advisories/_posts/2014-08-22-CVE-2014-5441.md
+++ b/advisories/_posts/2014-08-22-CVE-2014-5441.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2014-5441 (fat_free_crm): Fat Free CRM Gem contains a javascript cross-site
- scripting (XSS) vulnerability'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2014-5441
- osvdb: 110420
- ghsa: wcfx-3m6v-4frg
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-5441
- title: Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability
- date: 2014-08-22
- description: |
- Fat Free CRM Gem contains a javascript cross-site scripting (XSS)
- vulnerability. When a user is created/updated using a specifically
- crafted username, first name or last name, it is possible for
- arbitrary javascript to be executed on all Fat Free CRM pages.
- This code would be executed for all logged in users.
- cvss_v2: 4.3
- unaffected_versions:
- - "<= 0.11.0"
- patched_versions:
- - ">= 0.13.3"
----
+---
+layout: advisory
+title: 'CVE-2014-5441 (fat_free_crm): Fat Free CRM Gem contains a javascript cross-site
+ scripting (XSS) vulnerability'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2014-5441
+ osvdb: 110420
+ ghsa: wcfx-3m6v-4frg
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-5441
+ title: Fat Free CRM Gem contains a javascript cross-site scripting (XSS) vulnerability
+ date: 2014-08-22
+ description: |
+ Fat Free CRM Gem contains a javascript cross-site scripting (XSS)
+ vulnerability. When a user is created/updated using a specifically
+ crafted username, first name or last name, it is possible for
+ arbitrary javascript to be executed on all Fat Free CRM pages.
+ This code would be executed for all logged in users.
+ cvss_v2: 4.3
+ unaffected_versions:
+ - "<= 0.11.0"
+ patched_versions:
+ - ">= 0.13.3"
+---
diff --git a/advisories/_posts/2014-08-25-OSVDB-110439.md b/advisories/_posts/2014-08-25-OSVDB-110439.md
index a2150f26..2d71b57f 100644
--- a/advisories/_posts/2014-08-25-OSVDB-110439.md
+++ b/advisories/_posts/2014-08-25-OSVDB-110439.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'OSVDB-110439 (dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing
- Remote Command Execution'
-comments: false
-categories:
-- dragonfly
-advisory:
- gem: dragonfly
- osvdb: 110439
- url: https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193
- title: Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution
- date: 2014-08-25
- description: |
- Dragonfly Gem for Ruby contains a flaw in Uploading & Processing
- that is due to the gem failing to restrict arbitrary commands to
- imagemagicks convert. This may allow a remote attacker to gain
- read/write access to the filesystem and execute arbitrary commands.
- patched_versions:
- - ">= 1.0.7"
- related:
- url:
- - https://github.com/markevans/dragonfly/compare/v1.0.6...v1.0.7
- - https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193
- - https://www.mend.io/vulnerability-database/WS-2014-0016
- - http://osvdb.org/show/osvdb/110439
----
+---
+layout: advisory
+title: 'OSVDB-110439 (dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing
+ Remote Command Execution'
+comments: false
+categories:
+- dragonfly
+advisory:
+ gem: dragonfly
+ osvdb: 110439
+ url: https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193
+ title: Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution
+ date: 2014-08-25
+ description: |
+ Dragonfly Gem for Ruby contains a flaw in Uploading & Processing
+ that is due to the gem failing to restrict arbitrary commands to
+ imagemagicks convert. This may allow a remote attacker to gain
+ read/write access to the filesystem and execute arbitrary commands.
+ patched_versions:
+ - ">= 1.0.7"
+ related:
+ url:
+ - https://github.com/markevans/dragonfly/compare/v1.0.6...v1.0.7
+ - https://security.snyk.io/vuln/SNYK-RUBY-DRAGONFLY-20193
+ - https://www.mend.io/vulnerability-database/WS-2014-0016
+ - http://osvdb.org/show/osvdb/110439
+---
diff --git a/advisories/_posts/2014-09-04-OSVDB-110796.md b/advisories/_posts/2014-09-04-OSVDB-110796.md
index f7391656..8fc075f6 100644
--- a/advisories/_posts/2014-09-04-OSVDB-110796.md
+++ b/advisories/_posts/2014-09-04-OSVDB-110796.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'OSVDB-110796 (flavour_saver): FlavourSaver handlebars helper remote code execution.'
-comments: false
-categories:
-- flavour_saver
-advisory:
- gem: flavour_saver
- osvdb: 110796
- url: https://security.snyk.io/vuln/SNYK-RUBY-FLAVOURSAVER-5457859
- title: FlavourSaver handlebars helper remote code execution.
- date: 2014-09-04
- description: |
- FlavourSaver contains a flaw in helper method dispatch where it uses
- Kernel::send to call helpers without checking that they are defined
- within the template context first. This allows expressions such as
- {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
- patched_versions:
- - ">= 0.3.3"
- related:
- url:
- - https://github.com/FlavourSaver/FlavourSaver/compare/v0.3.2...v0.3.3
- - https://github.com/FlavourSaver/FlavourSaver/commit/04a8ff444a9a9668a75b01b20b4974d398087a64
- - https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
- - https://github.com/slowmistio/dawnscanner-analysis-security-scanner-for-ruby-/blob/master/Roadmap.md
- - https://security.snyk.io/vuln/SNYK-RUBY-FLAVOURSAVER-5457859
- - http://osvdb.org/show/osvdb/110796
----
+---
+layout: advisory
+title: 'OSVDB-110796 (flavour_saver): FlavourSaver handlebars helper remote code execution.'
+comments: false
+categories:
+- flavour_saver
+advisory:
+ gem: flavour_saver
+ osvdb: 110796
+ url: https://security.snyk.io/vuln/SNYK-RUBY-FLAVOURSAVER-5457859
+ title: FlavourSaver handlebars helper remote code execution.
+ date: 2014-09-04
+ description: |
+ FlavourSaver contains a flaw in helper method dispatch where it uses
+ Kernel::send to call helpers without checking that they are defined
+ within the template context first. This allows expressions such as
+ {{system "ls"}} or {{eval "puts 1 + 1"}} to be executed.
+ patched_versions:
+ - ">= 0.3.3"
+ related:
+ url:
+ - https://github.com/FlavourSaver/FlavourSaver/compare/v0.3.2...v0.3.3
+ - https://github.com/FlavourSaver/FlavourSaver/commit/04a8ff444a9a9668a75b01b20b4974d398087a64
+ - https://raw.githubusercontent.com/codesake/codesake-dawn/master/Roadmap.md
+ - https://github.com/slowmistio/dawnscanner-analysis-security-scanner-for-ruby-/blob/master/Roadmap.md
+ - https://security.snyk.io/vuln/SNYK-RUBY-FLAVOURSAVER-5457859
+ - http://osvdb.org/show/osvdb/110796
+---
diff --git a/advisories/_posts/2014-09-25-OSVDB-112683.md b/advisories/_posts/2014-09-25-OSVDB-112683.md
index 0ed84a22..7cc310c9 100644
--- a/advisories/_posts/2014-09-25-OSVDB-112683.md
+++ b/advisories/_posts/2014-09-25-OSVDB-112683.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'OSVDB-112683 (as): as Gem for Ruby Process List Local Plaintext Credentials
- Disclosure'
-comments: false
-categories:
-- as
-advisory:
- gem: as
- osvdb: 112683
- url: https://security.snyk.io/vuln/SNYK-RUBY-AS-20195
- title: as Gem for Ruby Process List Local Plaintext Credentials Disclosure
- date: 2014-09-25
- description: |
- as Gem for Ruby contains a flaw that is due to the program displaying
- credential information in plaintext in the process list. This may
- allow a local attacker to gain access to credential information.
- notes: Never patched
- related:
- url:
- - https://security.snyk.io/vuln/SNYK-RUBY-AS-20195
- - http://www.vapid.dhs.org/advisories/as-v1.0.html
- - http://www.vapidlabs.com/advisory.php?v=17
- - http://osvdb.org/show/osvdb/112683
----
+---
+layout: advisory
+title: 'OSVDB-112683 (as): as Gem for Ruby Process List Local Plaintext Credentials
+ Disclosure'
+comments: false
+categories:
+- as
+advisory:
+ gem: as
+ osvdb: 112683
+ url: https://security.snyk.io/vuln/SNYK-RUBY-AS-20195
+ title: as Gem for Ruby Process List Local Plaintext Credentials Disclosure
+ date: 2014-09-25
+ description: |
+ as Gem for Ruby contains a flaw that is due to the program displaying
+ credential information in plaintext in the process list. This may
+ allow a local attacker to gain access to credential information.
+ notes: Never patched
+ related:
+ url:
+ - https://security.snyk.io/vuln/SNYK-RUBY-AS-20195
+ - http://www.vapid.dhs.org/advisories/as-v1.0.html
+ - http://www.vapidlabs.com/advisory.php?v=17
+ - http://osvdb.org/show/osvdb/112683
+---
diff --git a/advisories/_posts/2014-09-27-CVE-2014-10077.md b/advisories/_posts/2014-09-27-CVE-2014-10077.md
index fc5b48d6..a3c825d7 100644
--- a/advisories/_posts/2014-09-27-CVE-2014-10077.md
+++ b/advisories/_posts/2014-09-27-CVE-2014-10077.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2014-10077 (i18n): i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice()
- Function Hash Handling DoS'
-comments: false
-categories:
-- i18n
-advisory:
- gem: i18n
- cve: 2014-10077
- ghsa: 34hf-g744-jw64
- url: https://github.com/svenfuchs/i18n/pull/289
- title: i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling
- DoS
- date: 2014-09-27
- description: |
- i18n Gem for Ruby contains a flaw in the Hash#slice() function in
- lib/i18n/core_ext/hash.rb that is triggered when calling a hash when
- :some_key is in keep_keys but not in the hash. This may allow an attacker
- to cause the program to crash.
- cvss_v3: 7.5
- patched_versions:
- - ">= 0.8.0"
- related:
- osvdb:
- - 121500
----
+---
+layout: advisory
+title: 'CVE-2014-10077 (i18n): i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice()
+ Function Hash Handling DoS'
+comments: false
+categories:
+- i18n
+advisory:
+ gem: i18n
+ cve: 2014-10077
+ ghsa: 34hf-g744-jw64
+ url: https://github.com/svenfuchs/i18n/pull/289
+ title: i18n Gem for Ruby lib/i18n/core_ext/hash.rb Hash#slice() Function Hash Handling
+ DoS
+ date: 2014-09-27
+ description: |
+ i18n Gem for Ruby contains a flaw in the Hash#slice() function in
+ lib/i18n/core_ext/hash.rb that is triggered when calling a hash when
+ :some_key is in keep_keys but not in the hash. This may allow an attacker
+ to cause the program to crash.
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 0.8.0"
+ related:
+ osvdb:
+ - 121500
+---
diff --git a/advisories/_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md b/advisories/_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md
index 6ecba118..95400efe 100644
--- a/advisories/_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md
+++ b/advisories/_posts/2014-09-29-GHSA-mpwp-4h2m-765c.md
@@ -1,35 +1,35 @@
----
-layout: advisory
-title: 'GHSA-mpwp-4h2m-765c (activejob): Active Job - Object injection security vulnerability
- if Global IDs'
-comments: false
-categories:
-- activejob
-- rails
-advisory:
- gem: activejob
- framework: rails
- ghsa: mpwp-4h2m-765c
- osvdb: 112347
- url: https://github.com/advisories/GHSA-mpwp-4h2m-765c
- title: Active Job - Object injection security vulnerability if Global IDs
- date: 2014-09-29
- description: |
- Active Job vulnerability: An Active Job bug allowed String
- arguments to be deserialized as if they were Global IDs, an
- object injection security vulnerability.
-
- * In release post: "Active Job vulnerability:
- We also fixed an Active Job bug that allowed String
- arguments to be deserialized as if they were Global IDs,
- an object injection security vulnerability.
- patched_versions:
- - ">= 4.2.0.beta2"
- related:
- url:
- - https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
- - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
- - https://advisories.gitlab.com/pkg/gem/activejob/GHSA-mpwp-4h2m-765c
- - https://github.com/advisories/GHSA-mpwp-4h2m-765c
- notes: "- No CVE or CVSS values.\n"
----
+---
+layout: advisory
+title: 'GHSA-mpwp-4h2m-765c (activejob): Active Job - Object injection security vulnerability
+ if Global IDs'
+comments: false
+categories:
+- activejob
+- rails
+advisory:
+ gem: activejob
+ framework: rails
+ ghsa: mpwp-4h2m-765c
+ osvdb: 112347
+ url: https://github.com/advisories/GHSA-mpwp-4h2m-765c
+ title: Active Job - Object injection security vulnerability if Global IDs
+ date: 2014-09-29
+ description: |
+ Active Job vulnerability: An Active Job bug allowed String
+ arguments to be deserialized as if they were Global IDs, an
+ object injection security vulnerability.
+
+ * In release post: "Active Job vulnerability:
+ We also fixed an Active Job bug that allowed String
+ arguments to be deserialized as if they were Global IDs,
+ an object injection security vulnerability.
+ patched_versions:
+ - ">= 4.2.0.beta2"
+ related:
+ url:
+ - https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
+ - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
+ - https://advisories.gitlab.com/pkg/gem/activejob/GHSA-mpwp-4h2m-765c
+ - https://github.com/advisories/GHSA-mpwp-4h2m-765c
+ notes: "- No CVE or CVSS values.\n"
+---
diff --git a/advisories/_posts/2014-09-29-OSVDB-112346.md b/advisories/_posts/2014-09-29-OSVDB-112346.md
index f00bca7a..e142f215 100644
--- a/advisories/_posts/2014-09-29-OSVDB-112346.md
+++ b/advisories/_posts/2014-09-29-OSVDB-112346.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'OSVDB-112346 (web-console): Web Console Gem for Ruby contains an unspecified
- flaw'
-comments: false
-categories:
-- web-console
-advisory:
- gem: web-console
- osvdb: 112346
- url: https://my.diffend.io/gems/web-console/versions/2.0.0.beta3
- title: Web Console Gem for Ruby contains an unspecified flaw
- date: 2014-09-29
- description: |
- The Web Console Gem for Ruby on Rails contains an unspecified
- flaw that may allow an attacker to have an unspecified impact.
- No further details have been provided by the vendor.
- patched_versions:
- - ">= 2.0.0.beta4"
- related:
- url:
- - https://github.com/rails/web-console/compare/v2.0.0.beta3...v2.0.0.beta4
- - https://my.diffend.io/gems/web-console/versions/2.0.0.beta3
- - https://github.com/slowmistio/dawnscanner-analysis-security-scanner-for-ruby-/blob/master/Roadmap.md
- - http://www.osvdb.org/show/osvdb/112346
----
+---
+layout: advisory
+title: 'OSVDB-112346 (web-console): Web Console Gem for Ruby contains an unspecified
+ flaw'
+comments: false
+categories:
+- web-console
+advisory:
+ gem: web-console
+ osvdb: 112346
+ url: https://my.diffend.io/gems/web-console/versions/2.0.0.beta3
+ title: Web Console Gem for Ruby contains an unspecified flaw
+ date: 2014-09-29
+ description: |
+ The Web Console Gem for Ruby on Rails contains an unspecified
+ flaw that may allow an attacker to have an unspecified impact.
+ No further details have been provided by the vendor.
+ patched_versions:
+ - ">= 2.0.0.beta4"
+ related:
+ url:
+ - https://github.com/rails/web-console/compare/v2.0.0.beta3...v2.0.0.beta4
+ - https://my.diffend.io/gems/web-console/versions/2.0.0.beta3
+ - https://github.com/slowmistio/dawnscanner-analysis-security-scanner-for-ruby-/blob/master/Roadmap.md
+ - http://www.osvdb.org/show/osvdb/112346
+---
diff --git a/advisories/_posts/2014-10-13-OSVDB-126330.md b/advisories/_posts/2014-10-13-OSVDB-126330.md
index 4e35f50f..f76c651f 100644
--- a/advisories/_posts/2014-10-13-OSVDB-126330.md
+++ b/advisories/_posts/2014-10-13-OSVDB-126330.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'OSVDB-126330 (sidekiq-pro): Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb
- Description Element XSS'
-comments: false
-categories:
-- sidekiq-pro
-advisory:
- gem: sidekiq-pro
- osvdb: 126330
- url: https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20197
- title: Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS
- date: 2014-10-13
- description: 'XSS via batch description in Sidekiq::Web
-
- '
- patched_versions:
- - ">= 1.9.1"
- related:
- url:
- - https://github.com/mperham/sidekiq/commit/99b12fb50fe244c5a317f03f1bed9b333ec56ebe
- - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20197
----
+---
+layout: advisory
+title: 'OSVDB-126330 (sidekiq-pro): Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb
+ Description Element XSS'
+comments: false
+categories:
+- sidekiq-pro
+advisory:
+ gem: sidekiq-pro
+ osvdb: 126330
+ url: https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20197
+ title: Sidekiq Pro Gem for Ruby web/views/batch{,es}.erb Description Element XSS
+ date: 2014-10-13
+ description: 'XSS via batch description in Sidekiq::Web
+
+ '
+ patched_versions:
+ - ">= 1.9.1"
+ related:
+ url:
+ - https://github.com/mperham/sidekiq/commit/99b12fb50fe244c5a317f03f1bed9b333ec56ebe
+ - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20197
+---
diff --git a/advisories/_posts/2014-10-30-CVE-2014-7818.md b/advisories/_posts/2014-10-30-CVE-2014-7818.md
index d9d1dec7..cc66c7c2 100644
--- a/advisories/_posts/2014-10-30-CVE-2014-7818.md
+++ b/advisories/_posts/2014-10-30-CVE-2014-7818.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'CVE-2014-7818 (actionpack): Arbitrary file existence disclosure in Action
- Pack'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2014-7818
- ghsa: 29gr-w57f-rpfw
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
- title: Arbitrary file existence disclosure in Action Pack
- date: 2014-10-30
- description: |
- Specially crafted requests can be used to determine whether a file exists on
- the filesystem that is outside the Rails application's root directory. The
- files will not be served, but attackers can determine whether or not the file
- exists.
- cvss_v2: 4.3
- unaffected_versions:
- - "< 3.0.0"
- patched_versions:
- - "~> 3.2.20"
- - "~> 4.0.11"
- - "~> 4.1.7"
- - ">= 4.2.0.beta3"
----
+---
+layout: advisory
+title: 'CVE-2014-7818 (actionpack): Arbitrary file existence disclosure in Action
+ Pack'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2014-7818
+ ghsa: 29gr-w57f-rpfw
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
+ title: Arbitrary file existence disclosure in Action Pack
+ date: 2014-10-30
+ description: |
+ Specially crafted requests can be used to determine whether a file exists on
+ the filesystem that is outside the Rails application's root directory. The
+ files will not be served, but attackers can determine whether or not the file
+ exists.
+ cvss_v2: 4.3
+ unaffected_versions:
+ - "< 3.0.0"
+ patched_versions:
+ - "~> 3.2.20"
+ - "~> 4.0.11"
+ - "~> 4.1.7"
+ - ">= 4.2.0.beta3"
+---
diff --git a/advisories/_posts/2014-10-30-CVE-2014-7819.md b/advisories/_posts/2014-10-30-CVE-2014-7819.md
index 90083454..aa5cd19f 100644
--- a/advisories/_posts/2014-10-30-CVE-2014-7819.md
+++ b/advisories/_posts/2014-10-30-CVE-2014-7819.md
@@ -1,39 +1,39 @@
----
-layout: advisory
-title: 'CVE-2014-7819 (sprockets): CVE-2014-7819 rubygem-sprockets: arbitrary file
- existence disclosure'
-comments: false
-categories:
-- sprockets
-advisory:
- gem: sprockets
- cve: 2014-7819
- osvdb: 113965
- ghsa: 33pp-3763-mrfp
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
- title: 'CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure'
- date: 2014-10-30
- description: |
- Multiple directory traversal vulnerabilities in server.rb in Sprockets
- before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x
- before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3,
- 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3,
- and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow
- remote attackers to determine the existence of files outside the application root
- via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
- cvss_v2: 5.0
- patched_versions:
- - "~> 2.0.5"
- - "~> 2.1.4"
- - "~> 2.2.3"
- - "~> 2.3.3"
- - "~> 2.4.6"
- - "~> 2.5.1"
- - "~> 2.7.1"
- - "~> 2.8.3"
- - "~> 2.9.4"
- - "~> 2.10.2"
- - "~> 2.11.3"
- - "~> 2.12.3"
- - ">= 3.0.0.beta.3"
----
+---
+layout: advisory
+title: 'CVE-2014-7819 (sprockets): CVE-2014-7819 rubygem-sprockets: arbitrary file
+ existence disclosure'
+comments: false
+categories:
+- sprockets
+advisory:
+ gem: sprockets
+ cve: 2014-7819
+ osvdb: 113965
+ ghsa: 33pp-3763-mrfp
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/doAVp0YaTqY
+ title: 'CVE-2014-7819 rubygem-sprockets: arbitrary file existence disclosure'
+ date: 2014-10-30
+ description: |
+ Multiple directory traversal vulnerabilities in server.rb in Sprockets
+ before 2.0.5, 2.1.x before 2.1.4, 2.2.x before 2.2.3, 2.3.x before 2.3.3, 2.4.x
+ before 2.4.6, 2.5.x before 2.5.1, 2.6.x and 2.7.x before 2.7.1, 2.8.x before 2.8.3,
+ 2.9.x before 2.9.4, 2.10.x before 2.10.2, 2.11.x before 2.11.3, 2.12.x before 2.12.3,
+ and 3.x before 3.0.0.beta.3, as distributed with Ruby on Rails 3.x and 4.x, allow
+ remote attackers to determine the existence of files outside the application root
+ via a ../ (dot dot slash) sequence with (1) double slashes or (2) URL encoding.
+ cvss_v2: 5.0
+ patched_versions:
+ - "~> 2.0.5"
+ - "~> 2.1.4"
+ - "~> 2.2.3"
+ - "~> 2.3.3"
+ - "~> 2.4.6"
+ - "~> 2.5.1"
+ - "~> 2.7.1"
+ - "~> 2.8.3"
+ - "~> 2.9.4"
+ - "~> 2.10.2"
+ - "~> 2.11.3"
+ - "~> 2.12.3"
+ - ">= 3.0.0.beta.3"
+---
diff --git a/advisories/_posts/2014-11-17-CVE-2014-7829.md b/advisories/_posts/2014-11-17-CVE-2014-7829.md
index eef47bf2..4f099051 100644
--- a/advisories/_posts/2014-11-17-CVE-2014-7829.md
+++ b/advisories/_posts/2014-11-17-CVE-2014-7829.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2014-7829 (actionpack): Arbitrary file existence disclosure in Action
- Pack'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2014-7829
- ghsa: h56m-vwxc-3qpw
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
- title: Arbitrary file existence disclosure in Action Pack
- date: 2014-11-17
- description: |
- Specially crafted requests can be used to determine whether a file exists on
- the filesystem that is outside the Rails application's root directory. The
- files will not be served, but attackers can determine whether or not the file
- exists. This vulnerability is very similar to CVE-2014-7818, but the
- specially crafted string is slightly different.
- cvss_v2: 5.0
- unaffected_versions:
- - "< 3.0.0"
- patched_versions:
- - "~> 3.2.21"
- - "~> 4.0.11.1"
- - "~> 4.0.12"
- - "~> 4.1.7.1"
- - ">= 4.1.8"
----
+---
+layout: advisory
+title: 'CVE-2014-7829 (actionpack): Arbitrary file existence disclosure in Action
+ Pack'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2014-7829
+ ghsa: h56m-vwxc-3qpw
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/rMTQy4oRCGk
+ title: Arbitrary file existence disclosure in Action Pack
+ date: 2014-11-17
+ description: |
+ Specially crafted requests can be used to determine whether a file exists on
+ the filesystem that is outside the Rails application's root directory. The
+ files will not be served, but attackers can determine whether or not the file
+ exists. This vulnerability is very similar to CVE-2014-7818, but the
+ specially crafted string is slightly different.
+ cvss_v2: 5.0
+ unaffected_versions:
+ - "< 3.0.0"
+ patched_versions:
+ - "~> 3.2.21"
+ - "~> 4.0.11.1"
+ - "~> 4.0.12"
+ - "~> 4.1.7.1"
+ - ">= 4.1.8"
+---
diff --git a/advisories/_posts/2014-12-04-CVE-2014-9489.md b/advisories/_posts/2014-12-04-CVE-2014-9489.md
index d53cde8b..60e27e84 100644
--- a/advisories/_posts/2014-12-04-CVE-2014-9489.md
+++ b/advisories/_posts/2014-12-04-CVE-2014-9489.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2014-9489 (gollum-grit_adapter): gollum-grit_adapter Search Functionality
- Allows Arbitrary Command Execution'
-comments: false
-categories:
-- gollum-grit_adapter
-advisory:
- gem: gollum-grit_adapter
- cve: 2014-9489
- url: https://github.com/gollum/gollum/issues/913
- title: gollum-grit_adapter Search Functionality Allows Arbitrary Command Execution
- date: 2014-12-04
- description: |
- The gollum-grit_adapter gem contains a flaw that can allow arbitrary
- command execution.
-
- Grit implements its search functionality by shelling out to `git grep`. In
- turn, `git grep` takes a `-O` or `--open-files-in-pages` option that will
- pipe the results of `grep` to an arbitrary process. By failing to properly
- sanitize user input search parameters, an attacker can thus perform command
- execution.
-
- Note that the grep result must find the string 'master' (or
- whatever is the default branch that gollum uses) in any of the wiki's
- documents for this to succeed.
- patched_versions:
- - ">= 0.1.1"
----
+---
+layout: advisory
+title: 'CVE-2014-9489 (gollum-grit_adapter): gollum-grit_adapter Search Functionality
+ Allows Arbitrary Command Execution'
+comments: false
+categories:
+- gollum-grit_adapter
+advisory:
+ gem: gollum-grit_adapter
+ cve: 2014-9489
+ url: https://github.com/gollum/gollum/issues/913
+ title: gollum-grit_adapter Search Functionality Allows Arbitrary Command Execution
+ date: 2014-12-04
+ description: |
+ The gollum-grit_adapter gem contains a flaw that can allow arbitrary
+ command execution.
+
+ Grit implements its search functionality by shelling out to `git grep`. In
+ turn, `git grep` takes a `-O` or `--open-files-in-pages` option that will
+ pipe the results of `grep` to an arbitrary process. By failing to properly
+ sanitize user input search parameters, an attacker can thus perform command
+ execution.
+
+ Note that the grep result must find the string 'master' (or
+ whatever is the default branch that gollum uses) in any of the wiki's
+ documents for this to succeed.
+ patched_versions:
+ - ">= 0.1.1"
+---
diff --git a/advisories/_posts/2014-12-08-CVE-2014-9490.md b/advisories/_posts/2014-12-08-CVE-2014-9490.md
index 36484168..dc25857a 100644
--- a/advisories/_posts/2014-12-08-CVE-2014-9490.md
+++ b/advisories/_posts/2014-12-08-CVE-2014-9490.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2014-9490 (sentry-raven): sentry-raven Gem for Ruby contains a flaw that
- can result in a denial of service'
-comments: false
-categories:
-- sentry-raven
-advisory:
- gem: sentry-raven
- cve: 2014-9490
- osvdb: 115654
- ghsa: c9c5-9fpr-m882
- url: https://nvd.nist.gov/vuln/detail/CVE-2014-9490
- title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of
- service
- date: 2014-12-08
- description: |
- Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that
- is triggered when large numeric values are stored as an exponent or in scientific
- notation. With a specially crafted request, an attacker can cause the software to
- consume excessive resources resulting in a denial of service.
- cvss_v2: 5.0
- patched_versions:
- - ">= 0.12.2"
----
+---
+layout: advisory
+title: 'CVE-2014-9490 (sentry-raven): sentry-raven Gem for Ruby contains a flaw that
+ can result in a denial of service'
+comments: false
+categories:
+- sentry-raven
+advisory:
+ gem: sentry-raven
+ cve: 2014-9490
+ osvdb: 115654
+ ghsa: c9c5-9fpr-m882
+ url: https://nvd.nist.gov/vuln/detail/CVE-2014-9490
+ title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of
+ service
+ date: 2014-12-08
+ description: |
+ Sentry raven-ruby contains a flaw in the lib/raven/okjson.rb script that
+ is triggered when large numeric values are stored as an exponent or in scientific
+ notation. With a specially crafted request, an attacker can cause the software to
+ consume excessive resources resulting in a denial of service.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 0.12.2"
+---
diff --git a/advisories/_posts/2014-12-18-CVE-2014-8144.md b/advisories/_posts/2014-12-18-CVE-2014-8144.md
index dc4046be..9088b927 100644
--- a/advisories/_posts/2014-12-18-CVE-2014-8144.md
+++ b/advisories/_posts/2014-12-18-CVE-2014-8144.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability
- in doorkeeper 1.4.0 and earlier.'
-comments: false
-categories:
-- doorkeeper
-advisory:
- gem: doorkeeper
- cve: 2014-8144
- osvdb: 116010
- ghsa: 685w-vc84-wxcx
- url: https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw
- title: Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.
- date: 2014-12-18
- description: |
- Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
- and earlier allows remote attackers to hijack the user's OAuth
- autorization code. This vulnerability has been assigned the CVE
- identifier CVE-2014-8144.
-
- Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
- on the Internet can then read a user's authorization code with
- arbitrary scope from any Doorkeeper-compatible Rails app you are
- logged in.
- cvss_v2: 6.8
- patched_versions:
- - "~> 1.4.1"
- - ">= 2.0.0"
----
+---
+layout: advisory
+title: 'CVE-2014-8144 (doorkeeper): Cross-site request forgery (CSRF) vulnerability
+ in doorkeeper 1.4.0 and earlier.'
+comments: false
+categories:
+- doorkeeper
+advisory:
+ gem: doorkeeper
+ cve: 2014-8144
+ osvdb: 116010
+ ghsa: 685w-vc84-wxcx
+ url: https://groups.google.com/forum/#!topic/ruby-security-ann/5_VqJtNc8jw
+ title: Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0 and earlier.
+ date: 2014-12-18
+ description: |
+ Cross-site request forgery (CSRF) vulnerability in doorkeeper 1.4.0
+ and earlier allows remote attackers to hijack the user's OAuth
+ autorization code. This vulnerability has been assigned the CVE
+ identifier CVE-2014-8144.
+
+ Doorkeeper's endpoints didn't have CSRF protection. Any HTML document
+ on the Internet can then read a user's authorization code with
+ arbitrary scope from any Doorkeeper-compatible Rails app you are
+ logged in.
+ cvss_v2: 6.8
+ patched_versions:
+ - "~> 1.4.1"
+ - ">= 2.0.0"
+---
diff --git a/advisories/_posts/2015-02-03-OSVDB-117903.md b/advisories/_posts/2015-02-03-OSVDB-117903.md
index b558a121..837d9004 100644
--- a/advisories/_posts/2015-02-03-OSVDB-117903.md
+++ b/advisories/_posts/2015-02-03-OSVDB-117903.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'OSVDB-117903 (ruby-saml): Ruby-Saml Gem is vulnerable to arbitrary code execution'
-comments: false
-categories:
-- ruby-saml
-advisory:
- gem: ruby-saml
- osvdb: 117903
- url: https://advisories.dxw.com/advisories/publicly-exploitable-command-injection-in-ruby-saml-0-7-2-library-can-root-the-host
- title: Ruby-Saml Gem is vulnerable to arbitrary code execution
- date: 2015-02-03
- description: |
- ruby-saml contains a flaw that is triggered as the URI value of a
- SAML response is not properly sanitized through a prepared statement.
- This may allow a remote attacker to execute arbitrary shell commands
- on the host machine.
- patched_versions:
- - ">= 0.8.2"
- related:
- url:
- - https://advisories.dxw.com/advisories/publicly-exploitable-command-injection-in-ruby-saml-0-7-2-library-can-root-the-host
- - https://seclists.org/oss-sec/2015/q3/282
- - https://github.com/SAML-Toolkits/ruby-saml/pull/225#issuecomment-120084288
- - https://github.com/SAML-Toolkits/ruby-saml/commit/1b4e3dd6d2d44efa629144b2180842456bfb2a0f#diff-661b9d9743a3ff77661f224c6191165cL242
- - https://www.mend.io/vulnerability-database/WS-2015-0040
- - http://www.osvdb.org/show/osvdb/117903
----
+---
+layout: advisory
+title: 'OSVDB-117903 (ruby-saml): Ruby-Saml Gem is vulnerable to arbitrary code execution'
+comments: false
+categories:
+- ruby-saml
+advisory:
+ gem: ruby-saml
+ osvdb: 117903
+ url: https://advisories.dxw.com/advisories/publicly-exploitable-command-injection-in-ruby-saml-0-7-2-library-can-root-the-host
+ title: Ruby-Saml Gem is vulnerable to arbitrary code execution
+ date: 2015-02-03
+ description: |
+ ruby-saml contains a flaw that is triggered as the URI value of a
+ SAML response is not properly sanitized through a prepared statement.
+ This may allow a remote attacker to execute arbitrary shell commands
+ on the host machine.
+ patched_versions:
+ - ">= 0.8.2"
+ related:
+ url:
+ - https://advisories.dxw.com/advisories/publicly-exploitable-command-injection-in-ruby-saml-0-7-2-library-can-root-the-host
+ - https://seclists.org/oss-sec/2015/q3/282
+ - https://github.com/SAML-Toolkits/ruby-saml/pull/225#issuecomment-120084288
+ - https://github.com/SAML-Toolkits/ruby-saml/commit/1b4e3dd6d2d44efa629144b2180842456bfb2a0f#diff-661b9d9743a3ff77661f224c6191165cL242
+ - https://www.mend.io/vulnerability-database/WS-2015-0040
+ - http://www.osvdb.org/show/osvdb/117903
+---
diff --git a/advisories/_posts/2015-02-10-CVE-2015-1426.md b/advisories/_posts/2015-02-10-CVE-2015-1426.md
index 37c53c74..c08d9b8e 100644
--- a/advisories/_posts/2015-02-10-CVE-2015-1426.md
+++ b/advisories/_posts/2015-02-10-CVE-2015-1426.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2015-1426 (facter): Puppet Labs Facter allows local users to obtains sensitive
- Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.'
-comments: false
-categories:
-- facter
-advisory:
- gem: facter
- cve: 2015-1426
- ghsa: j436-h7hm-rx46
- url: https://www.puppet.com/security/cve/cve-2015-1426-potential-sensitive-information-leakage-facters-amazon-ec2-metadata
- title: Puppet Labs Facter allows local users to obtains sensitive Amazon EC2 IAM
- instance metadata by reading a fact for an Amazon EC2 node.
- date: 2015-02-10
- description: |
- Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to
- obtains sensitive Amazon EC2 IAM instance metadata by reading
- a fact for an Amazon EC2 node.
- cvss_v2: 2.1
- cvss_v3: 1.3
- unaffected_versions:
- - "< 1.6.0"
- patched_versions:
- - ">= 2.4.1"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2015-1426
- - https://www.puppet.com/security/cve/cve-2015-1426-potential-sensitive-information-leakage-facters-amazon-ec2-metadata
- - https://sca.analysiscenter.veracode.com/vulnerability-database/security/disclosure-amazon-ec2-iam-instance/ruby/sid-1508/summary
- - https://srcclr.com/security/disclosure-amazon-ec2-iam-instance/ruby/s-1508
- - https://github.com/rubysec/ruby-advisory-db/issues/238
- - https://github.com/advisories/GHSA-j436-h7hm-rx46
----
+---
+layout: advisory
+title: 'CVE-2015-1426 (facter): Puppet Labs Facter allows local users to obtains sensitive
+ Amazon EC2 IAM instance metadata by reading a fact for an Amazon EC2 node.'
+comments: false
+categories:
+- facter
+advisory:
+ gem: facter
+ cve: 2015-1426
+ ghsa: j436-h7hm-rx46
+ url: https://www.puppet.com/security/cve/cve-2015-1426-potential-sensitive-information-leakage-facters-amazon-ec2-metadata
+ title: Puppet Labs Facter allows local users to obtains sensitive Amazon EC2 IAM
+ instance metadata by reading a fact for an Amazon EC2 node.
+ date: 2015-02-10
+ description: |
+ Puppet Labs Facter 1.6.0 through 2.4.0 allows local users to
+ obtains sensitive Amazon EC2 IAM instance metadata by reading
+ a fact for an Amazon EC2 node.
+ cvss_v2: 2.1
+ cvss_v3: 1.3
+ unaffected_versions:
+ - "< 1.6.0"
+ patched_versions:
+ - ">= 2.4.1"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-1426
+ - https://www.puppet.com/security/cve/cve-2015-1426-potential-sensitive-information-leakage-facters-amazon-ec2-metadata
+ - https://sca.analysiscenter.veracode.com/vulnerability-database/security/disclosure-amazon-ec2-iam-instance/ruby/sid-1508/summary
+ - https://srcclr.com/security/disclosure-amazon-ec2-iam-instance/ruby/s-1508
+ - https://github.com/rubysec/ruby-advisory-db/issues/238
+ - https://github.com/advisories/GHSA-j436-h7hm-rx46
+---
diff --git a/advisories/_posts/2015-02-10-OSVDB-118830.md b/advisories/_posts/2015-02-10-OSVDB-118830.md
index 43d1945f..37420667 100644
--- a/advisories/_posts/2015-02-10-OSVDB-118830.md
+++ b/advisories/_posts/2015-02-10-OSVDB-118830.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'OSVDB-118830 (doorkeeper): Doorkeeper Gem for Ruby stores sensitive information
- in production logs'
-comments: false
-categories:
-- doorkeeper
-advisory:
- gem: doorkeeper
- osvdb: 118830
- url: https://www.versioneye.com/Ruby/doorkeeper/2.1.1
- title: Doorkeeper Gem for Ruby stores sensitive information in production logs
- date: 2015-02-10
- description: |
- Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb.
- The issue is due to the program storing sensitive information in
- production logs. This may allow a local attacker to gain access to
- sensitive information.
- patched_versions:
- - "~> 1.4.2"
- - ">= 2.1.2"
- related:
- url:
- - https://www.versioneye.com/Ruby/doorkeeper/2.1.1
- - https://github.com/doorkeeper-gem/doorkeeper/commit/d6bca5f32b741b8cee83a4aeb818338b919181fe
- - https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/engine.rb
- - https://github.com/doorkeeper-gem/doorkeeper/issues/576
- - https://github.com/rubysec/ruby-advisory-db/pull/128
- - https://my.diffend.io/gems/doorkeeper/versions/0.3.0
- - https://security.snyk.io/vuln/SNYK-RUBY-DOORKEEPER-20206
- - https://www.mend.io/vulnerability-database/WS-2015-0039
- - http://www.osvdb.org/show/osvdb/118830
- notes: 'Issue #576 backported to 1.4.x on March 2, 2015.'
----
+---
+layout: advisory
+title: 'OSVDB-118830 (doorkeeper): Doorkeeper Gem for Ruby stores sensitive information
+ in production logs'
+comments: false
+categories:
+- doorkeeper
+advisory:
+ gem: doorkeeper
+ osvdb: 118830
+ url: https://www.versioneye.com/Ruby/doorkeeper/2.1.1
+ title: Doorkeeper Gem for Ruby stores sensitive information in production logs
+ date: 2015-02-10
+ description: |
+ Doorkeeper Gem for Ruby contains a flaw in lib/doorkeeper/engine.rb.
+ The issue is due to the program storing sensitive information in
+ production logs. This may allow a local attacker to gain access to
+ sensitive information.
+ patched_versions:
+ - "~> 1.4.2"
+ - ">= 2.1.2"
+ related:
+ url:
+ - https://www.versioneye.com/Ruby/doorkeeper/2.1.1
+ - https://github.com/doorkeeper-gem/doorkeeper/commit/d6bca5f32b741b8cee83a4aeb818338b919181fe
+ - https://github.com/doorkeeper-gem/doorkeeper/blob/main/lib/doorkeeper/engine.rb
+ - https://github.com/doorkeeper-gem/doorkeeper/issues/576
+ - https://github.com/rubysec/ruby-advisory-db/pull/128
+ - https://my.diffend.io/gems/doorkeeper/versions/0.3.0
+ - https://security.snyk.io/vuln/SNYK-RUBY-DOORKEEPER-20206
+ - https://www.mend.io/vulnerability-database/WS-2015-0039
+ - http://www.osvdb.org/show/osvdb/118830
+ notes: 'Issue #576 backported to 1.4.x on March 2, 2015.'
+---
diff --git a/advisories/_posts/2015-02-16-CVE-2015-1585.md b/advisories/_posts/2015-02-16-CVE-2015-1585.md
index 563972f4..b94069fe 100644
--- a/advisories/_posts/2015-02-16-CVE-2015-1585.md
+++ b/advisories/_posts/2015-02-16-CVE-2015-1585.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2015-1585 (fat_free_crm): Fat Free CRM Gem being vulnerable to CSRF-type
- attacks'
-comments: false
-categories:
-- fat_free_crm
-advisory:
- gem: fat_free_crm
- cve: 2015-1585
- osvdb: 118465
- ghsa: wx7c-8j35-mpg8
- url: https://nvd.nist.gov/vuln/detail/CVE-2015-1585
- title: Fat Free CRM Gem being vulnerable to CSRF-type attacks
- date: 2015-02-16
- description: |
- Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require
- multiple steps, explicit confirmation, or a unique token when performing
- certain sensitive actions. By tricking a user into following a specially
- crafted link, a context-dependent attacker can perform a Cross-Site Request
- Forgery (CSRF / XSRF) attack causing the victim to creating administrative
- users.
- cvss_v2: 6.8
- patched_versions:
- - ">= 0.13.6"
----
+---
+layout: advisory
+title: 'CVE-2015-1585 (fat_free_crm): Fat Free CRM Gem being vulnerable to CSRF-type
+ attacks'
+comments: false
+categories:
+- fat_free_crm
+advisory:
+ gem: fat_free_crm
+ cve: 2015-1585
+ osvdb: 118465
+ ghsa: wx7c-8j35-mpg8
+ url: https://nvd.nist.gov/vuln/detail/CVE-2015-1585
+ title: Fat Free CRM Gem being vulnerable to CSRF-type attacks
+ date: 2015-02-16
+ description: |
+ Fat Free CRM contains a flaw as HTTP requests to /admin/users do not require
+ multiple steps, explicit confirmation, or a unique token when performing
+ certain sensitive actions. By tricking a user into following a specially
+ crafted link, a context-dependent attacker can perform a Cross-Site Request
+ Forgery (CSRF / XSRF) attack causing the victim to creating administrative
+ users.
+ cvss_v2: 6.8
+ patched_versions:
+ - ">= 0.13.6"
+---
diff --git a/advisories/_posts/2015-02-17-CVE-2015-2179.md b/advisories/_posts/2015-02-17-CVE-2015-2179.md
index ae71115c..07ce0420 100644
--- a/advisories/_posts/2015-02-17-CVE-2015-2179.md
+++ b/advisories/_posts/2015-02-17-CVE-2015-2179.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2015-2179 (xaviershay-dm-rails): xaviershay-dm-rails Gem for Ruby exposes
- sensitive information via the process table'
-comments: false
-categories:
-- xaviershay-dm-rails
-advisory:
- gem: xaviershay-dm-rails
- cve: 2015-2179
- osvdb: 118579
- ghsa: 88p8-4vv5-82j7
- url: https://nvd.nist.gov/vuln/detail/CVE-2015-2179
- title: xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process
- table
- date: 2015-02-17
- description: |
- xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
- in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
- due to the function exposing sensitive information via the process table.
- This may allow a local attack to gain access to MySQL credential information.
- cvss_v3: 5.5
----
+---
+layout: advisory
+title: 'CVE-2015-2179 (xaviershay-dm-rails): xaviershay-dm-rails Gem for Ruby exposes
+ sensitive information via the process table'
+comments: false
+categories:
+- xaviershay-dm-rails
+advisory:
+ gem: xaviershay-dm-rails
+ cve: 2015-2179
+ osvdb: 118579
+ ghsa: 88p8-4vv5-82j7
+ url: https://nvd.nist.gov/vuln/detail/CVE-2015-2179
+ title: xaviershay-dm-rails Gem for Ruby exposes sensitive information via the process
+ table
+ date: 2015-02-17
+ description: |
+ xaviershay-dm-rails Gem for Ruby contains a flaw in the execute() function
+ in /datamapper/dm-rails/blob/master/lib/dm-rails/storage.rb. The issue is
+ due to the function exposing sensitive information via the process table.
+ This may allow a local attack to gain access to MySQL credential information.
+ cvss_v3: 5.5
+---
diff --git a/advisories/_posts/2015-03-05-OSVDB-119205.md b/advisories/_posts/2015-03-05-OSVDB-119205.md
index de99b1e3..184183d8 100644
--- a/advisories/_posts/2015-03-05-OSVDB-119205.md
+++ b/advisories/_posts/2015-03-05-OSVDB-119205.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'OSVDB-119205 (spree): Spree API Information Disclosure CSRF'
-comments: false
-categories:
-- spree
-advisory:
- gem: spree
- osvdb: 119205
- url: https://web.archive.org/web/20150920092934/https://spreecommerce.com/blog/security-updates-2015-3-3
- title: Spree API Information Disclosure CSRF
- date: 2015-03-05
- description: |
- Spree contains a flaw in the API as HTTP requests do not require
- multiple steps, explicit confirmation, or a unique token when
- performing certain sensitive actions. By tricking a user into
- following a specially crafted link, a context-dependent attacker
- can perform a Cross-Site Request Forgery (CSRF / XSRF) attack
- causing the victim to disclose potentially sensitive information
- to attackers.
- patched_versions:
- - "~> 2.2.10"
- - "~> 2.3.8"
- - "~> 2.4.5"
- - ">= 3.0.0.rc4"
- related:
- url:
- - https://web.archive.org/web/20150920092934/https://spreecommerce.com/blog/security-updates-2015-3-3
- - https://seclists.org/oss-sec/2015/q3/275
- - https://github.com/spree/spree/commit/bfb5f907219d6f8f879ca940882befe89b58a1a4
- - https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20360
- - https://github.com/rubysec/bundler-audit/issues/106
----
+---
+layout: advisory
+title: 'OSVDB-119205 (spree): Spree API Information Disclosure CSRF'
+comments: false
+categories:
+- spree
+advisory:
+ gem: spree
+ osvdb: 119205
+ url: https://web.archive.org/web/20150920092934/https://spreecommerce.com/blog/security-updates-2015-3-3
+ title: Spree API Information Disclosure CSRF
+ date: 2015-03-05
+ description: |
+ Spree contains a flaw in the API as HTTP requests do not require
+ multiple steps, explicit confirmation, or a unique token when
+ performing certain sensitive actions. By tricking a user into
+ following a specially crafted link, a context-dependent attacker
+ can perform a Cross-Site Request Forgery (CSRF / XSRF) attack
+ causing the victim to disclose potentially sensitive information
+ to attackers.
+ patched_versions:
+ - "~> 2.2.10"
+ - "~> 2.3.8"
+ - "~> 2.4.5"
+ - ">= 3.0.0.rc4"
+ related:
+ url:
+ - https://web.archive.org/web/20150920092934/https://spreecommerce.com/blog/security-updates-2015-3-3
+ - https://seclists.org/oss-sec/2015/q3/275
+ - https://github.com/spree/spree/commit/bfb5f907219d6f8f879ca940882befe89b58a1a4
+ - https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20360
+ - https://github.com/rubysec/bundler-audit/issues/106
+---
diff --git a/advisories/_posts/2015-03-24-CVE-2015-1820.md b/advisories/_posts/2015-03-24-CVE-2015-1820.md
index 65eed0d2..c22750bc 100644
--- a/advisories/_posts/2015-03-24-CVE-2015-1820.md
+++ b/advisories/_posts/2015-03-24-CVE-2015-1820.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2015-1820 (rest-client): CVE-2015-1820 rubygem-rest-client: session fixation
- vulnerability Set-Cookie headers present in an HTTP 30x redirection responses'
-comments: false
-categories:
-- rest-client
-advisory:
- gem: rest-client
- cve: 2015-1820
- osvdb: 119878
- ghsa: 3fhf-6939-qg8p
- url: https://github.com/rest-client/rest-client/issues/369
- title: 'CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie
- headers present in an HTTP 30x redirection responses'
- date: 2015-03-24
- description: |
- REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers
- to conduct session fixation attacks or obtain sensitive cookie information by leveraging
- passage of cookies set in a response to a redirect.
- cvss_v3: 9.8
- unaffected_versions:
- - "<= 1.6.0"
- patched_versions:
- - ">= 1.8.0"
----
+---
+layout: advisory
+title: 'CVE-2015-1820 (rest-client): CVE-2015-1820 rubygem-rest-client: session fixation
+ vulnerability Set-Cookie headers present in an HTTP 30x redirection responses'
+comments: false
+categories:
+- rest-client
+advisory:
+ gem: rest-client
+ cve: 2015-1820
+ osvdb: 119878
+ ghsa: 3fhf-6939-qg8p
+ url: https://github.com/rest-client/rest-client/issues/369
+ title: 'CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie
+ headers present in an HTTP 30x redirection responses'
+ date: 2015-03-24
+ description: |
+ REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers
+ to conduct session fixation attacks or obtain sensitive cookie information by leveraging
+ passage of cookies set in a response to a redirect.
+ cvss_v3: 9.8
+ unaffected_versions:
+ - "<= 1.6.0"
+ patched_versions:
+ - ">= 1.8.0"
+---
diff --git a/advisories/_posts/2015-03-24-CVE-2015-1828.md b/advisories/_posts/2015-03-24-CVE-2015-1828.md
index 434e1e25..950e7e00 100644
--- a/advisories/_posts/2015-03-24-CVE-2015-1828.md
+++ b/advisories/_posts/2015-03-24-CVE-2015-1828.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2015-1828 (http): HTTPS MitM vulnerability in http.rb'
-comments: false
-categories:
-- http
-advisory:
- gem: http
- cve: 2015-1828
- osvdb: 119927
- ghsa: 6wpv-cj6x-v3jw
- url: https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU
- title: HTTPS MitM vulnerability in http.rb
- date: 2015-03-24
- description: |
- http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.
- Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.
- cvss_v2: 5.0
- cvss_v3: 5.9
- patched_versions:
- - ">= 0.7.3"
- - "~> 0.6.4"
----
+---
+layout: advisory
+title: 'CVE-2015-1828 (http): HTTPS MitM vulnerability in http.rb'
+comments: false
+categories:
+- http
+advisory:
+ gem: http
+ cve: 2015-1828
+ osvdb: 119927
+ ghsa: 6wpv-cj6x-v3jw
+ url: https://groups.google.com/forum/#!topic/httprb/jkb4oxwZjkU
+ title: HTTPS MitM vulnerability in http.rb
+ date: 2015-03-24
+ description: |
+ http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification.
+ Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.
+ cvss_v2: 5.0
+ cvss_v3: 5.9
+ patched_versions:
+ - ">= 0.7.3"
+ - "~> 0.6.4"
+---
diff --git a/advisories/_posts/2015-04-07-OSVDB-120415.md b/advisories/_posts/2015-04-07-OSVDB-120415.md
index d66d2522..1d3c3625 100644
--- a/advisories/_posts/2015-04-07-OSVDB-120415.md
+++ b/advisories/_posts/2015-04-07-OSVDB-120415.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'OSVDB-120415 (redcarpet): redcarpet Gem for Ruby markdown.c parse_inline()
- Function XSS'
-comments: false
-categories:
-- redcarpet
-advisory:
- gem: redcarpet
- osvdb: 120415
- url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
- title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
- date: 2015-04-07
- description: |
- redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
- (XSS) attack. This flaw exists because the parse_inline() function in
- markdown.c does not validate input before returning it to users. This may
- allow a remote attacker to create a specially crafted request that would
- execute arbitrary script code in a user's browser session within the trust
- relationship between their browser and the server.
- patched_versions:
- - ">= 3.2.3"
- related:
- url:
- - https://github.com/vmg/redcarpet/releases/tag/v3.2.3
- - http://danlec.com/blog/bug-in-sundown-and-redcarpet
- - https://hackerone.com/reports/46916
- - https://github.com/vmg/redcarpet/blob/master/ext/redcarpet/markdown.c
- - https://github.com/Homebrew/brew.sh/issues/75
- - https://git.revreso.de/gigadoc2/diaspora/-/tags/v0.4.1.3
- - https://www.rapid7.com/db/vulnerabilities/freebsd-vid-c368155a-fa83-11e4-bc58-001e67150279
- - https://www.mend.io/vulnerability-database/WS-2015-0038
----
+---
+layout: advisory
+title: 'OSVDB-120415 (redcarpet): redcarpet Gem for Ruby markdown.c parse_inline()
+ Function XSS'
+comments: false
+categories:
+- redcarpet
+advisory:
+ gem: redcarpet
+ osvdb: 120415
+ url: http://danlec.com/blog/bug-in-sundown-and-redcarpet
+ title: redcarpet Gem for Ruby markdown.c parse_inline() Function XSS
+ date: 2015-04-07
+ description: |
+ redcarpet Gem for Ruby contains a flaw that allows a cross-site scripting
+ (XSS) attack. This flaw exists because the parse_inline() function in
+ markdown.c does not validate input before returning it to users. This may
+ allow a remote attacker to create a specially crafted request that would
+ execute arbitrary script code in a user's browser session within the trust
+ relationship between their browser and the server.
+ patched_versions:
+ - ">= 3.2.3"
+ related:
+ url:
+ - https://github.com/vmg/redcarpet/releases/tag/v3.2.3
+ - http://danlec.com/blog/bug-in-sundown-and-redcarpet
+ - https://hackerone.com/reports/46916
+ - https://github.com/vmg/redcarpet/blob/master/ext/redcarpet/markdown.c
+ - https://github.com/Homebrew/brew.sh/issues/75
+ - https://git.revreso.de/gigadoc2/diaspora/-/tags/v0.4.1.3
+ - https://www.rapid7.com/db/vulnerabilities/freebsd-vid-c368155a-fa83-11e4-bc58-001e67150279
+ - https://www.mend.io/vulnerability-database/WS-2015-0038
+---
diff --git a/advisories/_posts/2015-04-14-CVE-2015-1819.md b/advisories/_posts/2015-04-14-CVE-2015-1819.md
index 6a6740a7..77ed9446 100644
--- a/advisories/_posts/2015-04-14-CVE-2015-1819.md
+++ b/advisories/_posts/2015-04-14-CVE-2015-1819.md
@@ -1,61 +1,61 @@
----
-layout: advisory
-title: 'CVE-2015-1819 (nokogiri): Nokogiri gem contains several vulnerabilities in
- libxml2 and libxslt'
-comments: false
-categories:
-- nokogiri
-advisory:
- gem: nokogiri
- cve: 2015-1819
- ghsa: q7wx-62r7-j2x7
- url: https://github.com/sparklemotion/nokogiri/issues/1374
- title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
- date: 2015-04-14
- description: |
- Several vulnerabilities were discovered in the libxml2 and libxslt libraries
- that the Nokogiri gem depends on.
-
- CVE-2015-1819
- A denial of service flaw was found in the way libxml2 parsed XML
- documents. This flaw could cause an application that uses libxml2 to use an
- excessive amount of memory.
-
- CVE-2015-7941
- libxml2 does not properly stop parsing invalid input, which allows
- context-dependent attackers to cause a denial of service (out-of-bounds read
- and libxml2 crash) via crafted specially XML data.
-
- CVE-2015-7942
- The xmlParseConditionalSections function in parser.c in libxml2
- does not properly skip intermediary entities when it stops parsing invalid
- input, which allows context-dependent attackers to cause a denial of service
- (out-of-bounds read and crash) via crafted XML data.
-
- CVE-2015-7995
- The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
- check whether the parent node is an element, which allows attackers to cause
- a denial of service using a specially crafted XML document.
-
- CVE-2015-8035
- The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
- properly detect compression errors, which allows context-dependent attackers
- to cause a denial of service (process hang) via crafted XML data.
-
- Another vulnerability was discoverd in libxml2 that could cause parsing
- of unclosed comments to result in "conditional jump or move depends on
- uninitialized value(s)" and unsafe memory access. This issue does not have a
- CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.
- patched_versions:
- - "~> 1.6.6.4"
- - ">= 1.6.7.rc4"
- related:
- cve:
- - 2015-7941
- - 2015-7942
- - 2015-7995
- - 2015-8035
- url:
- - https://github.com/sparklemotion/nokogiri/pull/1376
- - https://github.com/sparklemotion/nokogiri/commit/8f3de6d88d0da11fb62a45daa61b85ce71b4af59
----
+---
+layout: advisory
+title: 'CVE-2015-1819 (nokogiri): Nokogiri gem contains several vulnerabilities in
+ libxml2 and libxslt'
+comments: false
+categories:
+- nokogiri
+advisory:
+ gem: nokogiri
+ cve: 2015-1819
+ ghsa: q7wx-62r7-j2x7
+ url: https://github.com/sparklemotion/nokogiri/issues/1374
+ title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
+ date: 2015-04-14
+ description: |
+ Several vulnerabilities were discovered in the libxml2 and libxslt libraries
+ that the Nokogiri gem depends on.
+
+ CVE-2015-1819
+ A denial of service flaw was found in the way libxml2 parsed XML
+ documents. This flaw could cause an application that uses libxml2 to use an
+ excessive amount of memory.
+
+ CVE-2015-7941
+ libxml2 does not properly stop parsing invalid input, which allows
+ context-dependent attackers to cause a denial of service (out-of-bounds read
+ and libxml2 crash) via crafted specially XML data.
+
+ CVE-2015-7942
+ The xmlParseConditionalSections function in parser.c in libxml2
+ does not properly skip intermediary entities when it stops parsing invalid
+ input, which allows context-dependent attackers to cause a denial of service
+ (out-of-bounds read and crash) via crafted XML data.
+
+ CVE-2015-7995
+ The xsltStylePreCompute function in preproc.c in libxslt 1.1.28 does not
+ check whether the parent node is an element, which allows attackers to cause
+ a denial of service using a specially crafted XML document.
+
+ CVE-2015-8035
+ The xz_decomp function in xzlib.c in libxml2 2.9.1 does not
+ properly detect compression errors, which allows context-dependent attackers
+ to cause a denial of service (process hang) via crafted XML data.
+
+ Another vulnerability was discoverd in libxml2 that could cause parsing
+ of unclosed comments to result in "conditional jump or move depends on
+ uninitialized value(s)" and unsafe memory access. This issue does not have a
+ CVE assigned yet. See related URLs for details. Patched in v1.6.7.rc4.
+ patched_versions:
+ - "~> 1.6.6.4"
+ - ">= 1.6.7.rc4"
+ related:
+ cve:
+ - 2015-7941
+ - 2015-7942
+ - 2015-7995
+ - 2015-8035
+ url:
+ - https://github.com/sparklemotion/nokogiri/pull/1376
+ - https://github.com/sparklemotion/nokogiri/commit/8f3de6d88d0da11fb62a45daa61b85ce71b4af59
+---
diff --git a/advisories/_posts/2015-04-14-CVE-2015-1866.md b/advisories/_posts/2015-04-14-CVE-2015-1866.md
index bc01e298..a6c81762 100644
--- a/advisories/_posts/2015-04-14-CVE-2015-1866.md
+++ b/advisories/_posts/2015-04-14-CVE-2015-1866.md
@@ -1,36 +1,36 @@
----
-layout: advisory
-title: 'CVE-2015-1866 (ember-source): Ember.js XSS Vulnerability With {{view "select"}}
- Options'
-comments: false
-categories:
-- ember-source
-advisory:
- gem: ember-source
- cve: 2015-1866
- ghsa: mp78-r56v-45qc
- url: https://groups.google.com/forum/#!topic/ember-security/nbntfs2EbRU
- title: Ember.js XSS Vulnerability With {{view "select"}} Options
- date: 2015-04-14
- description: |
- In general, Ember.js escapes or strips any user-supplied content before
- inserting it in strings that will be sent to innerHTML. However, a
- change made to the implementation of the select view means that any
- user-supplied data bound to an option's label will not be escaped
- correctly.
-
- In applications that use Ember's select view and pass user-supplied
- content to the label, a specially-crafted payload could execute
- arbitrary JavaScript in the context of the current domain ("XSS").
-
- All users running an affected release and binding user-supplied data to
- the select options should either upgrade or use one of the workarounds
- immediately.
- cvss_v3: 6.1
- unaffected_versions:
- - "< 1.10.0"
- patched_versions:
- - "~> 1.10.1"
- - "~> 1.11.2"
- - ">= 1.12.0"
----
+---
+layout: advisory
+title: 'CVE-2015-1866 (ember-source): Ember.js XSS Vulnerability With {{view "select"}}
+ Options'
+comments: false
+categories:
+- ember-source
+advisory:
+ gem: ember-source
+ cve: 2015-1866
+ ghsa: mp78-r56v-45qc
+ url: https://groups.google.com/forum/#!topic/ember-security/nbntfs2EbRU
+ title: Ember.js XSS Vulnerability With {{view "select"}} Options
+ date: 2015-04-14
+ description: |
+ In general, Ember.js escapes or strips any user-supplied content before
+ inserting it in strings that will be sent to innerHTML. However, a
+ change made to the implementation of the select view means that any
+ user-supplied data bound to an option's label will not be escaped
+ correctly.
+
+ In applications that use Ember's select view and pass user-supplied
+ content to the label, a specially-crafted payload could execute
+ arbitrary JavaScript in the context of the current domain ("XSS").
+
+ All users running an affected release and binding user-supplied data to
+ the select options should either upgrade or use one of the workarounds
+ immediately.
+ cvss_v3: 6.1
+ unaffected_versions:
+ - "< 1.10.0"
+ patched_versions:
+ - "~> 1.10.1"
+ - "~> 1.11.2"
+ - ">= 1.12.0"
+---
diff --git a/advisories/_posts/2015-04-15-OSVDB-120857.md b/advisories/_posts/2015-04-15-OSVDB-120857.md
index 32ed8450..617acbf2 100644
--- a/advisories/_posts/2015-04-15-OSVDB-120857.md
+++ b/advisories/_posts/2015-04-15-OSVDB-120857.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'OSVDB-120857 (refile): refile Gem for Ruby contains a remote code execution
- vulnerability'
-comments: false
-categories:
-- refile
-advisory:
- gem: refile
- osvdb: 120857
- url: https://groups.google.com/g/ruby-security-ann/c/VIfMO2LvzNs
- title: refile Gem for Ruby contains a remote code execution vulnerability
- date: 2015-04-15
- description: |
- refile Gem for Ruby contains a flaw that is triggered when input is not
- sanitized when handling the 'remote_image_url' field in a form, where
- 'image' is the name of the attachment. This may allow a remote attacker
- to execute arbitrary shell commands.
- unaffected_versions:
- - "< 0.5.0"
- patched_versions:
- - ">= 0.5.4"
- related:
- url:
- - https://groups.google.com/g/ruby-security-ann/c/VIfMO2LvzNs
----
+---
+layout: advisory
+title: 'OSVDB-120857 (refile): refile Gem for Ruby contains a remote code execution
+ vulnerability'
+comments: false
+categories:
+- refile
+advisory:
+ gem: refile
+ osvdb: 120857
+ url: https://groups.google.com/g/ruby-security-ann/c/VIfMO2LvzNs
+ title: refile Gem for Ruby contains a remote code execution vulnerability
+ date: 2015-04-15
+ description: |
+ refile Gem for Ruby contains a flaw that is triggered when input is not
+ sanitized when handling the 'remote_image_url' field in a form, where
+ 'image' is the name of the attachment. This may allow a remote attacker
+ to execute arbitrary shell commands.
+ unaffected_versions:
+ - "< 0.5.0"
+ patched_versions:
+ - ">= 0.5.4"
+ related:
+ url:
+ - https://groups.google.com/g/ruby-security-ann/c/VIfMO2LvzNs
+---
diff --git a/advisories/_posts/2015-04-21-OSVDB-125678.md b/advisories/_posts/2015-04-21-OSVDB-125678.md
index 5ea6dbd9..48826926 100644
--- a/advisories/_posts/2015-04-21-OSVDB-125678.md
+++ b/advisories/_posts/2015-04-21-OSVDB-125678.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'OSVDB-125678 (sidekiq): Sidekiq Gem for Ruby web/views/queue.erb msg.display_class
- Element XSS'
-comments: false
-categories:
-- sidekiq
-advisory:
- gem: sidekiq
- osvdb: 125678
- url: https://seclists.org/oss-sec/2015/q3/267
- title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
- date: 2015-04-21
- description: 'XSS via job arguments display class in Sidekiq::Web
-
- '
- patched_versions:
- - ">= 3.4.0"
- related:
- url:
- - https://seclists.org/oss-sec/2015/q3/267
- - https://github.com/mperham/sidekiq/pull/2309
- - https://github.com/sidekiq/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
----
+---
+layout: advisory
+title: 'OSVDB-125678 (sidekiq): Sidekiq Gem for Ruby web/views/queue.erb msg.display_class
+ Element XSS'
+comments: false
+categories:
+- sidekiq
+advisory:
+ gem: sidekiq
+ osvdb: 125678
+ url: https://seclists.org/oss-sec/2015/q3/267
+ title: Sidekiq Gem for Ruby web/views/queue.erb msg.display_class Element XSS
+ date: 2015-04-21
+ description: 'XSS via job arguments display class in Sidekiq::Web
+
+ '
+ patched_versions:
+ - ">= 3.4.0"
+ related:
+ url:
+ - https://seclists.org/oss-sec/2015/q3/267
+ - https://github.com/mperham/sidekiq/pull/2309
+ - https://github.com/sidekiq/sidekiq/commit/54766f336620ca0ce3b0b87a7a56382496e64b61
+---
diff --git a/advisories/_posts/2015-04-29-CVE-2015-20108.md b/advisories/_posts/2015-04-29-CVE-2015-20108.md
index 31709554..26312a8e 100644
--- a/advisories/_posts/2015-04-29-CVE-2015-20108.md
+++ b/advisories/_posts/2015-04-29-CVE-2015-20108.md
@@ -1,35 +1,35 @@
----
-layout: advisory
-title: 'CVE-2015-20108 (ruby-saml): ruby-saml gem is vulnerable to XPath injection'
-comments: false
-categories:
-- ruby-saml
-advisory:
- gem: ruby-saml
- osvdb: 124991
- cve: 2015-20108
- ghsa: r364-2pj4-pf7f
- url: https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
- title: ruby-saml gem is vulnerable to XPath injection
- date: 2015-04-29
- description: |
- xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby
- allows XPath injection and code execution because prepared
- statements are not used.
-
- The lack of prepared statements allows for possibly command
- injection, leading to arbitrary code execution.
- cvss_v2: 6.7
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.0.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2015-20108
- - https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0
- - https://github.com/SAML-Toolkits/ruby-saml/pull/225
- - https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
- - https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
- - https://www.mend.io/vulnerability-database/WS-2015-0036
- - https://github.com/advisories/GHSA-r364-2pj4-pf7f
----
+---
+layout: advisory
+title: 'CVE-2015-20108 (ruby-saml): ruby-saml gem is vulnerable to XPath injection'
+comments: false
+categories:
+- ruby-saml
+advisory:
+ gem: ruby-saml
+ osvdb: 124991
+ cve: 2015-20108
+ ghsa: r364-2pj4-pf7f
+ url: https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
+ title: ruby-saml gem is vulnerable to XPath injection
+ date: 2015-04-29
+ description: |
+ xml_security.rb in the ruby-saml gem before 1.0.0 for Ruby
+ allows XPath injection and code execution because prepared
+ statements are not used.
+
+ The lack of prepared statements allows for possibly command
+ injection, leading to arbitrary code execution.
+ cvss_v2: 6.7
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.0.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-20108
+ - https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0
+ - https://github.com/SAML-Toolkits/ruby-saml/pull/225
+ - https://github.com/SAML-Toolkits/ruby-saml/commit/9853651b96b99653ea8627d757d46bfe62ab6448
+ - https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20217
+ - https://www.mend.io/vulnerability-database/WS-2015-0036
+ - https://github.com/advisories/GHSA-r364-2pj4-pf7f
+---
diff --git a/advisories/_posts/2015-04-29-CVE-2015-3448.md b/advisories/_posts/2015-04-29-CVE-2015-3448.md
index 5b964047..abfdee0d 100644
--- a/advisories/_posts/2015-04-29-CVE-2015-3448.md
+++ b/advisories/_posts/2015-04-29-CVE-2015-3448.md
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2015-3448 (rest-client): rest-client ruby gem logs sensitive information'
-comments: false
-categories:
-- rest-client
-advisory:
- gem: rest-client
- cve: 2015-3448
- ghsa: mx9f-w8qq-q5jf
- url: https://github.com/rest-client/rest-client/issues/349
- title: rest-client ruby gem logs sensitive information
- date: 2015-04-29
- description: |
- REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and
- passwords, which allows local users to obtain sensitive information by reading the
- log.
- cvss_v2: 2.1
- patched_versions:
- - ">= 1.7.3"
----
+---
+layout: advisory
+title: 'CVE-2015-3448 (rest-client): rest-client ruby gem logs sensitive information'
+comments: false
+categories:
+- rest-client
+advisory:
+ gem: rest-client
+ cve: 2015-3448
+ ghsa: mx9f-w8qq-q5jf
+ url: https://github.com/rest-client/rest-client/issues/349
+ title: rest-client ruby gem logs sensitive information
+ date: 2015-04-29
+ description: |
+ REST client for Ruby (aka rest-client) before 1.7.3 logs usernames and
+ passwords, which allows local users to obtain sensitive information by reading the
+ log.
+ cvss_v2: 2.1
+ patched_versions:
+ - ">= 1.7.3"
+---
diff --git a/advisories/_posts/2015-05-05-CVE-2015-3649.md b/advisories/_posts/2015-05-05-CVE-2015-3649.md
index 27bc76df..a24df4cf 100644
--- a/advisories/_posts/2015-05-05-CVE-2015-3649.md
+++ b/advisories/_posts/2015-05-05-CVE-2015-3649.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2015-3649 (open-uri-cached): open-uri-cached Gem for Ruby Unsafe Temporary
- File Creation Local Privilege Escalation'
-comments: false
-categories:
-- open-uri-cached
-advisory:
- gem: open-uri-cached
- cve: 2015-3649
- osvdb: 121701
- ghsa: 7m2w-9gw7-c3xp
- url: http://seclists.org/oss-sec/2015/q2/373
- title: open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege
- Escalation
- date: 2015-05-05
- description: |
- open-uri-cached Gem for Ruby contains a flaw that is due to the
- program creating temporary files in a predictable, unsafe manner when using
- YAML. This may allow a local attacker to gain elevated privileges.
- cvss_v3: 7.8
----
+---
+layout: advisory
+title: 'CVE-2015-3649 (open-uri-cached): open-uri-cached Gem for Ruby Unsafe Temporary
+ File Creation Local Privilege Escalation'
+comments: false
+categories:
+- open-uri-cached
+advisory:
+ gem: open-uri-cached
+ cve: 2015-3649
+ osvdb: 121701
+ ghsa: 7m2w-9gw7-c3xp
+ url: http://seclists.org/oss-sec/2015/q2/373
+ title: open-uri-cached Gem for Ruby Unsafe Temporary File Creation Local Privilege
+ Escalation
+ date: 2015-05-05
+ description: |
+ open-uri-cached Gem for Ruby contains a flaw that is due to the
+ program creating temporary files in a predictable, unsafe manner when using
+ YAML. This may allow a local attacker to gain elevated privileges.
+ cvss_v3: 7.8
+---
diff --git a/advisories/_posts/2015-05-11-OSVDB-126329.md b/advisories/_posts/2015-05-11-OSVDB-126329.md
index ccbddb1e..ce06c6c3 100644
--- a/advisories/_posts/2015-05-11-OSVDB-126329.md
+++ b/advisories/_posts/2015-05-11-OSVDB-126329.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'OSVDB-126329 (sidekiq-pro): Sidekiq Pro Gem for Ruby web/views/batch.erb Class
- and ErrorMessage Elements Reflected XSS'
-comments: false
-categories:
-- sidekiq-pro
-advisory:
- gem: sidekiq-pro
- osvdb: 126329
- url: https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#202
- title: Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements
- Reflected XSS
- date: 2015-05-11
- description: 'XSS via batch failure error_class and error_message in Sidekiq::Web
-
- '
- patched_versions:
- - ">= 2.0.2"
- related:
- url:
- - https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#202
- - https://github.com/mperham/sidekiq/commit/a695ff347ae50f641dfc35189131b232ea0aa1db
- - https://github.com/sidekiq/sidekiq/issues/2467
- - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20219
----
+---
+layout: advisory
+title: 'OSVDB-126329 (sidekiq-pro): Sidekiq Pro Gem for Ruby web/views/batch.erb Class
+ and ErrorMessage Elements Reflected XSS'
+comments: false
+categories:
+- sidekiq-pro
+advisory:
+ gem: sidekiq-pro
+ osvdb: 126329
+ url: https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#202
+ title: Sidekiq Pro Gem for Ruby web/views/batch.erb Class and ErrorMessage Elements
+ Reflected XSS
+ date: 2015-05-11
+ description: 'XSS via batch failure error_class and error_message in Sidekiq::Web
+
+ '
+ patched_versions:
+ - ">= 2.0.2"
+ related:
+ url:
+ - https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#202
+ - https://github.com/mperham/sidekiq/commit/a695ff347ae50f641dfc35189131b232ea0aa1db
+ - https://github.com/sidekiq/sidekiq/issues/2467
+ - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20219
+---
diff --git a/advisories/_posts/2015-05-14-CVE-2015-3900.md b/advisories/_posts/2015-05-14-CVE-2015-3900.md
index 740257db..07fb8187 100644
--- a/advisories/_posts/2015-05-14-CVE-2015-3900.md
+++ b/advisories/_posts/2015-05-14-CVE-2015-3900.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2015-3900 (rubygems-update): CVE-2015-3900 rubygems: DNS hijacking vulnerability
- in api_endpoint()'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2015-3900
- osvdb: 122162
- ghsa: wp3j-rvfp-624h
- url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
- title: 'CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()'
- date: 2015-05-14
- description: |
- RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7
- does not validate the hostname when fetching gems or making API requests, which
- allows remote attackers to redirect requests to arbitrary domains via a crafted
- DNS SRV record, aka a "DNS hijack attack." A flaw was found in a way rubygems verified
- the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle
- attacker could use this flaw to force a client to download content from an untrusted
- domain.
- cvss_v2: 5.0
- patched_versions:
- - "~> 2.0.16"
- - "~> 2.2.4"
- - ">= 2.4.7"
----
+---
+layout: advisory
+title: 'CVE-2015-3900 (rubygems-update): CVE-2015-3900 rubygems: DNS hijacking vulnerability
+ in api_endpoint()'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2015-3900
+ osvdb: 122162
+ ghsa: wp3j-rvfp-624h
+ url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
+ title: 'CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()'
+ date: 2015-05-14
+ description: |
+ RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before 2.4.7
+ does not validate the hostname when fetching gems or making API requests, which
+ allows remote attackers to redirect requests to arbitrary domains via a crafted
+ DNS SRV record, aka a "DNS hijack attack." A flaw was found in a way rubygems verified
+ the API endpoint hostname retrieved through a DNS SRV record. A man-in-the-middle
+ attacker could use this flaw to force a client to download content from an untrusted
+ domain.
+ cvss_v2: 5.0
+ patched_versions:
+ - "~> 2.0.16"
+ - "~> 2.2.4"
+ - ">= 2.4.7"
+---
diff --git a/advisories/_posts/2015-05-25-CVE-2015-9284.md b/advisories/_posts/2015-05-25-CVE-2015-9284.md
index a406d8b6..ccdb0ddf 100644
--- a/advisories/_posts/2015-05-25-CVE-2015-9284.md
+++ b/advisories/_posts/2015-05-25-CVE-2015-9284.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'CVE-2015-9284 (omniauth): CSRF vulnerability in OmniAuth''s request phase'
-comments: false
-categories:
-- omniauth
-advisory:
- gem: omniauth
- cve: 2015-9284
- ghsa: ww4x-rwq6-qpgf
- url: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
- title: CSRF vulnerability in OmniAuth's request phase
- date: 2015-05-25
- description: |
- The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
- Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
- accounts to be connected without user intent, user interaction, or feedback to
- the user. This permits a secondary account to be able to sign into the web
- application as the primary account.
-
- In order to mitigate this vulnerability, Rails users should consider using the
- `omniauth-rails_csrf_protection` gem.
-
- More info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
- cvss_v2: 6.8
- cvss_v3: 8.8
- patched_versions:
- - ">= 2.0.0"
- related:
- url:
- - https://github.com/omniauth/omniauth/pull/809
- - https://github.com/cookpad/omniauth-rails_csrf_protection
----
+---
+layout: advisory
+title: 'CVE-2015-9284 (omniauth): CSRF vulnerability in OmniAuth''s request phase'
+comments: false
+categories:
+- omniauth
+advisory:
+ gem: omniauth
+ cve: 2015-9284
+ ghsa: ww4x-rwq6-qpgf
+ url: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+ title: CSRF vulnerability in OmniAuth's request phase
+ date: 2015-05-25
+ description: |
+ The request phase of the OmniAuth Ruby gem is vulnerable to Cross-Site
+ Request Forgery (CSRF) when used as part of the Ruby on Rails framework, allowing
+ accounts to be connected without user intent, user interaction, or feedback to
+ the user. This permits a secondary account to be able to sign into the web
+ application as the primary account.
+
+ In order to mitigate this vulnerability, Rails users should consider using the
+ `omniauth-rails_csrf_protection` gem.
+
+ More info is available here: https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284
+ cvss_v2: 6.8
+ cvss_v3: 8.8
+ patched_versions:
+ - ">= 2.0.0"
+ related:
+ url:
+ - https://github.com/omniauth/omniauth/pull/809
+ - https://github.com/cookpad/omniauth-rails_csrf_protection
+---
diff --git a/advisories/_posts/2015-06-04-CVE-2015-4410.md b/advisories/_posts/2015-06-04-CVE-2015-4410.md
index e5e0634c..58e10a1d 100644
--- a/advisories/_posts/2015-06-04-CVE-2015-4410.md
+++ b/advisories/_posts/2015-06-04-CVE-2015-4410.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2015-4410 (moped): Data Injection Vulnerability in moped Rubygem'
-comments: false
-categories:
-- moped
-advisory:
- gem: moped
- cve: 2015-4410
- ghsa: f93j-hmcr-jcwh
- url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
- title: Data Injection Vulnerability in moped Rubygem
- date: 2015-06-04
- description: |
- A flaw in the ObjectId validation regular expression can enable attackers
- to inject arbitrary information into a given BSON object.
- cvss_v3: 7.5
- patched_versions:
- - "~> 1.5.3"
- - ">= 2.0.5"
- related:
- url:
- - https://github.com/mongoid/moped/compare/e5fc928bcb5b7b89d171e31e31483be4185971b9...32cba17ad7d3da326778b4d8cd4b52e75bca9d40
- - https://github.com/mongoid/moped/commit/276fbfd23c5ffb65e6bd18d564c8b6878c2498ac
----
+---
+layout: advisory
+title: 'CVE-2015-4410 (moped): Data Injection Vulnerability in moped Rubygem'
+comments: false
+categories:
+- moped
+advisory:
+ gem: moped
+ cve: 2015-4410
+ ghsa: f93j-hmcr-jcwh
+ url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
+ title: Data Injection Vulnerability in moped Rubygem
+ date: 2015-06-04
+ description: |
+ A flaw in the ObjectId validation regular expression can enable attackers
+ to inject arbitrary information into a given BSON object.
+ cvss_v3: 7.5
+ patched_versions:
+ - "~> 1.5.3"
+ - ">= 2.0.5"
+ related:
+ url:
+ - https://github.com/mongoid/moped/compare/e5fc928bcb5b7b89d171e31e31483be4185971b9...32cba17ad7d3da326778b4d8cd4b52e75bca9d40
+ - https://github.com/mongoid/moped/commit/276fbfd23c5ffb65e6bd18d564c8b6878c2498ac
+---
diff --git a/advisories/_posts/2015-06-04-CVE-2015-4412.md b/advisories/_posts/2015-06-04-CVE-2015-4412.md
index 101cfc72..be7327f0 100644
--- a/advisories/_posts/2015-06-04-CVE-2015-4412.md
+++ b/advisories/_posts/2015-06-04-CVE-2015-4412.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2015-4412 (bson): Data Injection Vulnerability in bson Rubygem'
-comments: false
-categories:
-- bson
-advisory:
- gem: bson
- cve: 2015-4412
- ghsa: h6rj-8r3c-9gpj
- url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
- title: Data Injection Vulnerability in bson Rubygem
- date: 2015-06-04
- description: |
- A flaw in the ObjectId validation regular expression can enable attackers
- to inject arbitrary information into a given BSON object.
- cvss_v3: 9.8
- patched_versions:
- - "~> 1.12.3"
- - ">= 3.0.4"
- related:
- url:
- - https://github.com/mongodb/mongo-ruby-driver/compare/6ae981167759d5819ba3d41e374e5b2af5b79077~1...9859a3ab9773a8a883eb8438b665a921cc991c71
- - https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7
----
+---
+layout: advisory
+title: 'CVE-2015-4412 (bson): Data Injection Vulnerability in bson Rubygem'
+comments: false
+categories:
+- bson
+advisory:
+ gem: bson
+ cve: 2015-4412
+ ghsa: h6rj-8r3c-9gpj
+ url: http://sakurity.com/blog/2015/06/04/mongo_ruby_regexp.html
+ title: Data Injection Vulnerability in bson Rubygem
+ date: 2015-06-04
+ description: |
+ A flaw in the ObjectId validation regular expression can enable attackers
+ to inject arbitrary information into a given BSON object.
+ cvss_v3: 9.8
+ patched_versions:
+ - "~> 1.12.3"
+ - ">= 3.0.4"
+ related:
+ url:
+ - https://github.com/mongodb/mongo-ruby-driver/compare/6ae981167759d5819ba3d41e374e5b2af5b79077~1...9859a3ab9773a8a883eb8438b665a921cc991c71
+ - https://github.com/mongodb/bson-ruby/compare/7446d7c6764dfda8dc4480ce16d5c023e74be5ca...28f34978a85b689a4480b4d343389bf4886522e7
+---
diff --git a/advisories/_posts/2015-06-04-OSVDB-125676.md b/advisories/_posts/2015-06-04-OSVDB-125676.md
index 29b71507..bae99436 100644
--- a/advisories/_posts/2015-06-04-OSVDB-125676.md
+++ b/advisories/_posts/2015-06-04-OSVDB-125676.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'OSVDB-125676 (sidekiq): Sidekiq Gem for Ruby web/views/queue.erb Element Reflected
- XSS'
-comments: false
-categories:
-- sidekiq
-advisory:
- gem: sidekiq
- osvdb: 125676
- url: https://seclists.org/oss-sec/2015/q3/267
- title: Sidekiq Gem for Ruby web/views/queue.erb Element Reflected XSS
- date: 2015-06-04
- description: |
- Sidekiq Gem for Ruby web/views/queue.erb [CurrentMessagesInQueue,
- AreYouSureDeleteQueue] Element Reflected XSS
- patched_versions:
- - ">= 3.4.0"
- related:
- osvdb:
- - 125677
- url:
- - https://seclists.org/oss-sec/2015/q3/267
- - https://github.com/mperham/sidekiq/issues/2330
- - https://github.com/sidekiq/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
- - https://github.com/rubysec/ruby-advisory-db/pull/196
- - https://github.com/rubysec/ruby-advisory-db/commit/19a8fc075a6cc0702f978219c88d97c666fecdbd
----
+---
+layout: advisory
+title: 'OSVDB-125676 (sidekiq): Sidekiq Gem for Ruby web/views/queue.erb Element Reflected
+ XSS'
+comments: false
+categories:
+- sidekiq
+advisory:
+ gem: sidekiq
+ osvdb: 125676
+ url: https://seclists.org/oss-sec/2015/q3/267
+ title: Sidekiq Gem for Ruby web/views/queue.erb Element Reflected XSS
+ date: 2015-06-04
+ description: |
+ Sidekiq Gem for Ruby web/views/queue.erb [CurrentMessagesInQueue,
+ AreYouSureDeleteQueue] Element Reflected XSS
+ patched_versions:
+ - ">= 3.4.0"
+ related:
+ osvdb:
+ - 125677
+ url:
+ - https://seclists.org/oss-sec/2015/q3/267
+ - https://github.com/mperham/sidekiq/issues/2330
+ - https://github.com/sidekiq/sidekiq/commit/2178d66b6686fbf4430223c34c184a64c9906828
+ - https://github.com/rubysec/ruby-advisory-db/pull/196
+ - https://github.com/rubysec/ruby-advisory-db/commit/19a8fc075a6cc0702f978219c88d97c666fecdbd
+---
diff --git a/advisories/_posts/2015-06-05-CVE-2015-2963.md b/advisories/_posts/2015-06-05-CVE-2015-2963.md
index ffd44c4b..7efc1a79 100644
--- a/advisories/_posts/2015-06-05-CVE-2015-2963.md
+++ b/advisories/_posts/2015-06-05-CVE-2015-2963.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2015-2963 (paperclip): Paperclip Gem for Ruby vulnerable to content type
- spoofing'
-comments: false
-categories:
-- paperclip
-advisory:
- gem: paperclip
- cve: 2015-2963
- ghsa: 6jvm-3j5h-79f6
- url: https://robots.thoughtbot.com/paperclip-security-release
- title: Paperclip Gem for Ruby vulnerable to content type spoofing
- date: 2015-06-05
- description: |
- There is an issue where if an HTML file is uploaded with a .html
- extension, but the content type is listed as being `image/jpeg`, this
- will bypass a validation checking for images. But it will also pass the
- spoof check, because a file named .html and containing actual HTML
- passes the spoof check.
- cvss_v2: 4.3
- patched_versions:
- - ">= 4.2.2"
----
+---
+layout: advisory
+title: 'CVE-2015-2963 (paperclip): Paperclip Gem for Ruby vulnerable to content type
+ spoofing'
+comments: false
+categories:
+- paperclip
+advisory:
+ gem: paperclip
+ cve: 2015-2963
+ ghsa: 6jvm-3j5h-79f6
+ url: https://robots.thoughtbot.com/paperclip-security-release
+ title: Paperclip Gem for Ruby vulnerable to content type spoofing
+ date: 2015-06-05
+ description: |
+ There is an issue where if an HTML file is uploaded with a .html
+ extension, but the content type is listed as being `image/jpeg`, this
+ will bypass a validation checking for images. But it will also pass the
+ spoof check, because a file named .html and containing actual HTML
+ passes the spoof check.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 4.2.2"
+---
diff --git a/advisories/_posts/2015-06-08-CVE-2015-4020.md b/advisories/_posts/2015-06-08-CVE-2015-4020.md
index f383325c..3348cb5b 100644
--- a/advisories/_posts/2015-06-08-CVE-2015-4020.md
+++ b/advisories/_posts/2015-06-08-CVE-2015-4020.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2015-4020 (rubygems-update): RubyGems remote_fetcher.rb api_endpoint()
- Function Missing SRV Record Hostname Validation Request Hijacking'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2015-4020
- ghsa: qv62-xfj6-32xm
- url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
- title: RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname
- Validation Request Hijacking
- date: 2015-06-08
- description: |
- RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
- that is triggered when handling hostnames in SRV records. With a specially
- crafted response, a context-dependent attacker may conduct DNS hijacking
- attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,
- which allowed redirection to an arbitrary gem server in any security domain.
- cvss_v2: 5.0
- patched_versions:
- - "~> 2.0.17"
- - "~> 2.2.5"
- - ">= 2.4.8"
----
+---
+layout: advisory
+title: 'CVE-2015-4020 (rubygems-update): RubyGems remote_fetcher.rb api_endpoint()
+ Function Missing SRV Record Hostname Validation Request Hijacking'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2015-4020
+ ghsa: qv62-xfj6-32xm
+ url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-009/?fid=6478
+ title: RubyGems remote_fetcher.rb api_endpoint() Function Missing SRV Record Hostname
+ Validation Request Hijacking
+ date: 2015-06-08
+ description: |
+ RubyGems contains a flaw in the api_endpoint() function in remote_fetcher.rb
+ that is triggered when handling hostnames in SRV records. With a specially
+ crafted response, a context-dependent attacker may conduct DNS hijacking
+ attacks. This vulnerability is due to an incomplete fix for CVE-2015-3900,
+ which allowed redirection to an arbitrary gem server in any security domain.
+ cvss_v2: 5.0
+ patched_versions:
+ - "~> 2.0.17"
+ - "~> 2.2.5"
+ - ">= 2.4.8"
+---
diff --git a/advisories/_posts/2015-06-16-CVE-2015-1840.md b/advisories/_posts/2015-06-16-CVE-2015-1840.md
index 28cb4603..fbd07dd2 100644
--- a/advisories/_posts/2015-06-16-CVE-2015-1840.md
+++ b/advisories/_posts/2015-06-16-CVE-2015-1840.md
@@ -1,43 +1,43 @@
----
-layout: advisory
-title: 'CVE-2015-1840 (jquery-ujs): CSRF Vulnerability in jquery-ujs'
-comments: false
-categories:
-- jquery-ujs
-advisory:
- gem: jquery-ujs
- cve: 2015-1840
- ghsa: 4whc-pp4x-9pf3
- url: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
- title: CSRF Vulnerability in jquery-ujs
- date: 2015-06-16
- description: |
- In the scenario where an attacker might be able to control the href attribute
- of an anchor tag or the action attribute of a form tag that will trigger a
- POST action, the attacker can set the href or action to
- " https://attacker.com" (note the leading space) that will be passed to
- JQuery, who will see this as a same origin request, and send the user's CSRF
- token to the attacker domain.
-
- To work around this problem, change code that allows users to control the
- href attribute of an anchor tag or the action attribute of a form tag to
- filter the user parameters.
-
- For example, code like this:
-
- link_to params
-
- to code like this:
-
- link_to filtered_params
-
- def filtered_params
- \# Filter just the parameters that you trust
- end
-
- See also:
- - http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/
- cvss_v2: 5.0
- patched_versions:
- - ">= 1.0.4"
----
+---
+layout: advisory
+title: 'CVE-2015-1840 (jquery-ujs): CSRF Vulnerability in jquery-ujs'
+comments: false
+categories:
+- jquery-ujs
+advisory:
+ gem: jquery-ujs
+ cve: 2015-1840
+ ghsa: 4whc-pp4x-9pf3
+ url: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
+ title: CSRF Vulnerability in jquery-ujs
+ date: 2015-06-16
+ description: |
+ In the scenario where an attacker might be able to control the href attribute
+ of an anchor tag or the action attribute of a form tag that will trigger a
+ POST action, the attacker can set the href or action to
+ " https://attacker.com" (note the leading space) that will be passed to
+ JQuery, who will see this as a same origin request, and send the user's CSRF
+ token to the attacker domain.
+
+ To work around this problem, change code that allows users to control the
+ href attribute of an anchor tag or the action attribute of a form tag to
+ filter the user parameters.
+
+ For example, code like this:
+
+ link_to params
+
+ to code like this:
+
+ link_to filtered_params
+
+ def filtered_params
+ \# Filter just the parameters that you trust
+ end
+
+ See also:
+ - http://blog.honeybadger.io/understanding-the-rails-jquery-csrf-vulnerability-cve-2015-1840/
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 1.0.4"
+---
diff --git a/advisories/_posts/2015-06-16-CVE-2015-3224.md b/advisories/_posts/2015-06-16-CVE-2015-3224.md
index 1a719657..8c7fe385 100644
--- a/advisories/_posts/2015-06-16-CVE-2015-3224.md
+++ b/advisories/_posts/2015-06-16-CVE-2015-3224.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2015-3224 (web-console): IP whitelist bypass in Web Console'
-comments: false
-categories:
-- web-console
-advisory:
- gem: web-console
- cve: 2015-3224
- ghsa: 67j6-xv27-w6ww
- url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
- title: IP whitelist bypass in Web Console
- date: 2015-06-16
- description: |
- Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).
-
- Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.
-
- All affected users should either upgrade or use one of the work arounds immediately.
-
- To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
- patched_versions:
- - ">= 2.1.3"
----
+---
+layout: advisory
+title: 'CVE-2015-3224 (web-console): IP whitelist bypass in Web Console'
+comments: false
+categories:
+- web-console
+advisory:
+ gem: web-console
+ cve: 2015-3224
+ ghsa: 67j6-xv27-w6ww
+ url: https://groups.google.com/forum/#!topic/ruby-security-ann/lzmz9_ijUFw
+ title: IP whitelist bypass in Web Console
+ date: 2015-06-16
+ description: |
+ Specially crafted remote requests can spoof their origin, bypassing the IP whitelist, in any environment where Web Console is enabled (development and test, by default).
+
+ Users whose application is only accessible from localhost (as is the default behaviour in Rails 4.2) are not affected, unless a local proxy is involved.
+
+ All affected users should either upgrade or use one of the work arounds immediately.
+
+ To work around this issue, turn off web-console in all environments, by removing/commenting it from the application's Gemfile.
+ patched_versions:
+ - ">= 2.1.3"
+---
diff --git a/advisories/_posts/2015-06-16-CVE-2015-3225.md b/advisories/_posts/2015-06-16-CVE-2015-3225.md
index 217bba83..74063412 100644
--- a/advisories/_posts/2015-06-16-CVE-2015-3225.md
+++ b/advisories/_posts/2015-06-16-CVE-2015-3225.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2015-3225 (rack): Potential Denial of Service Vulnerability in Rack'
-comments: false
-categories:
-- rack
-advisory:
- gem: rack
- cve: 2015-3225
- ghsa: rgr4-9jh5-j4j6
- url: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
- title: Potential Denial of Service Vulnerability in Rack
- date: 2015-06-16
- description: |
- Carefully crafted requests can cause a `SystemStackError` and potentially
- cause a denial of service attack.
-
- All users running an affected release should upgrade.
- patched_versions:
- - ">= 1.6.2"
- - "~> 1.5.4"
- - "~> 1.4.6"
----
+---
+layout: advisory
+title: 'CVE-2015-3225 (rack): Potential Denial of Service Vulnerability in Rack'
+comments: false
+categories:
+- rack
+advisory:
+ gem: rack
+ cve: 2015-3225
+ ghsa: rgr4-9jh5-j4j6
+ url: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
+ title: Potential Denial of Service Vulnerability in Rack
+ date: 2015-06-16
+ description: |
+ Carefully crafted requests can cause a `SystemStackError` and potentially
+ cause a denial of service attack.
+
+ All users running an affected release should upgrade.
+ patched_versions:
+ - ">= 1.6.2"
+ - "~> 1.5.4"
+ - "~> 1.4.6"
+---
diff --git a/advisories/_posts/2015-06-16-CVE-2015-3226.md b/advisories/_posts/2015-06-16-CVE-2015-3226.md
index 9074ed63..21d256e9 100644
--- a/advisories/_posts/2015-06-16-CVE-2015-3226.md
+++ b/advisories/_posts/2015-06-16-CVE-2015-3226.md
@@ -1,58 +1,58 @@ ---- -layout: advisory -title: 'CVE-2015-3226 (activesupport): XSS Vulnerability in ActiveSupport::JSON.encode' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2015-3226 - ghsa: vxvp-4xwc-jpp6 - url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU - title: XSS Vulnerability in ActiveSupport::JSON.encode - date: 2015-06-16 - description: | - When a `Hash` containing user-controlled data is encode as JSON (either through - `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate - escaping that matches the guarantee implied by the `escape_html_entities_in_json` - option (which is enabled by default). If this resulting JSON string is subsequently - inserted directly into an HTML page, the page will be vulnerable to XSS attacks. - - For example, the following code snippet is vulnerable to this attack: - - <%= javascript_tag "var data = #{user_supplied_data.to_json};" %> - - Similarly, the following is also vulnerable: - - - - All applications that renders JSON-encoded strings that contains user-controlled - data in their views should either upgrade to one of the FIXED versions or use - the suggested workaround immediately. 
- - Workarounds - ----------- - To work around this problem add an initializer with the following code: - - module ActiveSupport - module JSON - module Encoding - private - class EscapedString - def to_s - self - end - end - end - end - end - unaffected_versions: - - "< 4.1.0" - patched_versions: - - ">= 4.2.2" - - "~> 4.1.11" ---- +--- +layout: advisory +title: 'CVE-2015-3226 (activesupport): XSS Vulnerability in ActiveSupport::JSON.encode' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2015-3226 + ghsa: vxvp-4xwc-jpp6 + url: https://groups.google.com/forum/#!topic/ruby-security-ann/7VlB_pck3hU + title: XSS Vulnerability in ActiveSupport::JSON.encode + date: 2015-06-16 + description: | + When a `Hash` containing user-controlled data is encode as JSON (either through + `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate + escaping that matches the guarantee implied by the `escape_html_entities_in_json` + option (which is enabled by default). If this resulting JSON string is subsequently + inserted directly into an HTML page, the page will be vulnerable to XSS attacks. + + For example, the following code snippet is vulnerable to this attack: + + <%= javascript_tag "var data = #{user_supplied_data.to_json};" %> + + Similarly, the following is also vulnerable: + + + + All applications that renders JSON-encoded strings that contains user-controlled + data in their views should either upgrade to one of the FIXED versions or use + the suggested workaround immediately. + + Workarounds + ----------- + To work around this problem add an initializer with the following code: + + module ActiveSupport + module JSON + module Encoding + private + class EscapedString + def to_s + self + end + end + end + end + end + unaffected_versions: + - "< 4.1.0" + patched_versions: + - ">= 4.2.2" + - "~> 4.1.11" +--- 
diff --git a/advisories/_posts/2015-06-16-CVE-2015-3227.md b/advisories/_posts/2015-06-16-CVE-2015-3227.md index c49fdcc4..501aa833 100644 --- a/advisories/_posts/2015-06-16-CVE-2015-3227.md +++ b/advisories/_posts/2015-06-16-CVE-2015-3227.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2015-3227 (activesupport): Possible Denial of Service attack in Active - Support' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2015-3227 - ghsa: j96r-xvjq-r9pg - url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk - title: Possible Denial of Service attack in Active Support - date: 2015-06-16 - description: | - Specially crafted XML documents can cause applications to raise a - `SystemStackError` and potentially cause a denial of service attack. This - only impacts applications using REXML or JDOM as their XML processor. Other - XML processors that Rails supports are not impacted. - - All users running an affected release should either upgrade or use one of the work arounds immediately. - - Workarounds - ----------- - Use an XML parser that is not impacted by this problem, such as Nokogiri or - LibXML. You can change the processor like this: - - ActiveSupport::XmlMini.backend = 'Nokogiri' - - If you cannot change XML parsers, then adjust - `RUBY_THREAD_MACHINE_STACK_SIZE`. - patched_versions: - - ">= 4.2.2" - - "~> 4.1.11" - - "~> 3.2.22" ---- +--- +layout: advisory +title: 'CVE-2015-3227 (activesupport): Possible Denial of Service attack in Active + Support' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2015-3227 + ghsa: j96r-xvjq-r9pg + url: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk + title: Possible Denial of Service attack in Active Support + date: 2015-06-16 + description: | + Specially crafted XML documents can cause applications to raise a + `SystemStackError` and potentially cause a denial of service attack. This + only impacts applications using REXML or JDOM as their XML processor. Other + XML processors that Rails supports are not impacted. 
+ + All users running an affected release should either upgrade or use one of the work arounds immediately. + + Workarounds + ----------- + Use an XML parser that is not impacted by this problem, such as Nokogiri or + LibXML. You can change the processor like this: + + ActiveSupport::XmlMini.backend = 'Nokogiri' + + If you cannot change XML parsers, then adjust + `RUBY_THREAD_MACHINE_STACK_SIZE`. + patched_versions: + - ">= 4.2.2" + - "~> 4.1.11" + - "~> 3.2.22" +--- diff --git a/advisories/_posts/2015-06-16-CVE-2015-4619.md b/advisories/_posts/2015-06-16-CVE-2015-4619.md index 8b3fe482..21d5b265 100644 --- a/advisories/_posts/2015-06-16-CVE-2015-4619.md +++ b/advisories/_posts/2015-06-16-CVE-2015-4619.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2015-4619 (spina): Cross-site request forgery (CSRF) vulnerability in - Spina gem' -comments: false -categories: -- spina -advisory: - gem: spina - cve: 2015-4619 - ghsa: 2hxv-mx8x-mcj9 - url: http://www.openwall.com/lists/oss-security/2015/06/16/11 - title: Cross-site request forgery (CSRF) vulnerability in Spina gem - date: 2015-06-16 - description: | - "`Spina::ApplicationController` actions didn't have CSRF protection. - This causes a CSRF vulnerability across the entire engine which includes administrative - functionality such as creating users, changing passwords, and media management." - cvss_v3: 8.8 - patched_versions: - - ">= 0.6.29" - related: - url: - - https://sca.analysiscenter.veracode.com/vulnerability-database/security/cross-site-request-forgery-csrf/ruby/sid-1686/summary - - https://github.com/rubysec/ruby-advisory-db/issues/238 ---- +--- +layout: advisory +title: 'CVE-2015-4619 (spina): Cross-site request forgery (CSRF) vulnerability in + Spina gem' +comments: false +categories: +- spina +advisory: + gem: spina + cve: 2015-4619 + ghsa: 2hxv-mx8x-mcj9 + url: http://www.openwall.com/lists/oss-security/2015/06/16/11 + title: Cross-site request forgery (CSRF) vulnerability in Spina gem + date: 2015-06-16 + description: | + "`Spina::ApplicationController` actions didn't have CSRF protection. + This causes a CSRF vulnerability across the entire engine which includes administrative + functionality such as creating users, changing passwords, and media management." + cvss_v3: 8.8 + patched_versions: + - ">= 0.6.29" + related: + url: + - https://sca.analysiscenter.veracode.com/vulnerability-database/security/cross-site-request-forgery-csrf/ruby/sid-1686/summary + - https://github.com/rubysec/ruby-advisory-db/issues/238 +--- diff --git a/advisories/_posts/2015-06-22-CVE-2015-5147.md b/advisories/_posts/2015-06-22-CVE-2015-5147.md index 14de4e1a..c96a2806 100644 
--- a/advisories/_posts/2015-06-22-CVE-2015-5147.md +++ b/advisories/_posts/2015-06-22-CVE-2015-5147.md @@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2015-5147 (redcarpet): redcarpet Gem for Ruby html.c header_anchor() Function - Stack Overflow' -comments: false -categories: -- redcarpet -advisory: - gem: redcarpet - cve: 2015-5147 - osvdb: 123859 - ghsa: 7322-9mx6-5j2m - url: http://seclists.org/oss-sec/2015/q2/818 - title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow - date: 2015-06-22 - description: | - redcarpet Gem for Ruby contains a flaw that allows a stack overflow. - This flaw exists because the header_anchor() function in html.c uses - variable length arrays (VLA) without any range checking. This may - allow a remote attacker to execute arbitrary code. - cvss_v2: 7.5 - unaffected_versions: - - "< 3.3.0" - patched_versions: - - ">= 3.3.2" ---- +--- +layout: advisory +title: 'CVE-2015-5147 (redcarpet): redcarpet Gem for Ruby html.c header_anchor() Function + Stack Overflow' +comments: false +categories: +- redcarpet +advisory: + gem: redcarpet + cve: 2015-5147 + osvdb: 123859 + ghsa: 7322-9mx6-5j2m + url: http://seclists.org/oss-sec/2015/q2/818 + title: redcarpet Gem for Ruby html.c header_anchor() Function Stack Overflow + date: 2015-06-22 + description: | + redcarpet Gem for Ruby contains a flaw that allows a stack overflow. + This flaw exists because the header_anchor() function in html.c uses + variable length arrays (VLA) without any range checking. This may + allow a remote attacker to execute arbitrary code. + cvss_v2: 7.5 + unaffected_versions: + - "< 3.3.0" + patched_versions: + - ">= 3.3.2" +--- diff --git a/advisories/_posts/2015-06-30-OSVDB-124383.md b/advisories/_posts/2015-06-30-OSVDB-124383.md index 46d0cfc9..df22d66e 100644 --- a/advisories/_posts/2015-06-30-OSVDB-124383.md +++ b/advisories/_posts/2015-06-30-OSVDB-124383.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'OSVDB-124383 (ruby-saml): Ruby-Saml Gem is vulnerable to entity expansion - attacks' -comments: false -categories: -- ruby-saml -advisory: - gem: ruby-saml - osvdb: 124383 - url: https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0 - title: Ruby-Saml Gem is vulnerable to entity expansion attacks - date: 2015-06-30 - description: 'ruby-saml before 1.0.0 is vulnerable to entity expansion attacks. - - ' - cvss_v2: 3.9 - patched_versions: - - ">= 1.0.0" - related: - url: - - https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0 - - https://github.com/SAML-Toolkits/ruby-saml/pull/247 - - https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20232 - - https://github.com/onelogin/ruby-saml/pull/247 ---- +--- +layout: advisory +title: 'OSVDB-124383 (ruby-saml): Ruby-Saml Gem is vulnerable to entity expansion + attacks' +comments: false +categories: +- ruby-saml +advisory: + gem: ruby-saml + osvdb: 124383 + url: https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0 + title: Ruby-Saml Gem is vulnerable to entity expansion attacks + date: 2015-06-30 + description: 'ruby-saml before 1.0.0 is vulnerable to entity expansion attacks. + + ' + cvss_v2: 3.9 + patched_versions: + - ">= 1.0.0" + related: + url: + - https://github.com/SAML-Toolkits/ruby-saml/releases/tag/v1.0.0 + - https://github.com/SAML-Toolkits/ruby-saml/pull/247 + - https://security.snyk.io/vuln/SNYK-RUBY-RUBYSAML-20232 + - https://github.com/onelogin/ruby-saml/pull/247 +--- diff --git a/advisories/_posts/2015-07-06-OSVDB-125675.md b/advisories/_posts/2015-07-06-OSVDB-125675.md index 5f025de6..99358cfe 100644 --- a/advisories/_posts/2015-07-06-OSVDB-125675.md +++ b/advisories/_posts/2015-07-06-OSVDB-125675.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'OSVDB-125675 (sidekiq): Sidekiq Gem for Ruby Multiple Unspecified CSRF' -comments: false -categories: -- sidekiq -advisory: - gem: sidekiq - osvdb: 125675 - url: https://seclists.org/oss-sec/2015/q3/267 - title: Sidekiq Gem for Ruby Multiple Unspecified CSRF - date: 2015-07-06 - description: 'Sidekiq::Web lacks CSRF protection - - ' - patched_versions: - - ">= 3.4.2" - related: - url: - - https://seclists.org/oss-sec/2015/q3/267 - - https://github.com/mperham/sidekiq/pull/2422 - - https://github.com/sidekiq/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad - - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-20233 ---- +--- +layout: advisory +title: 'OSVDB-125675 (sidekiq): Sidekiq Gem for Ruby Multiple Unspecified CSRF' +comments: false +categories: +- sidekiq +advisory: + gem: sidekiq + osvdb: 125675 + url: https://seclists.org/oss-sec/2015/q3/267 + title: Sidekiq Gem for Ruby Multiple Unspecified CSRF + date: 2015-07-06 + description: 'Sidekiq::Web lacks CSRF protection + + ' + patched_versions: + - ">= 3.4.2" + related: + url: + - https://seclists.org/oss-sec/2015/q3/267 + - https://github.com/mperham/sidekiq/pull/2422 + - https://github.com/sidekiq/sidekiq/commit/cf3c43b2410c4573e05ac119494e41115f4140ad + - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQ-20233 +--- diff --git a/advisories/_posts/2015-07-13-CVE-2017-11173.md b/advisories/_posts/2015-07-13-CVE-2017-11173.md index 2e30997e..237d8eac 100644 --- a/advisories/_posts/2015-07-13-CVE-2017-11173.md +++ b/advisories/_posts/2015-07-13-CVE-2017-11173.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2017-11173 (rack-cors): rack-cors Gem Missing Anchor permits unauthorized - CORS requests' -comments: false -categories: -- rack-cors -advisory: - gem: rack-cors - cve: 2017-11173 - ghsa: 2j9c-9vmv-7m39 - url: https://github.com/cyu/rack-cors/issues/86 - title: rack-cors Gem Missing Anchor permits unauthorized CORS requests - date: 2015-07-13 - description: | - Missing anchor in generated regex for rack-cors before 0.4.1 - allows a malicious third-party site to perform CORS requests. - If the configuration were intended to allow only the trusted - example.com domain name and not the malicious example.net domain name, - then example.com.example.net (as well as example.com-example.net) would - be inadvertently allowed. - cvss_v2: 6.8 - cvss_v3: 8.8 - patched_versions: - - ">= 0.4.1" - related: - url: - - https://github.com/cyu/rack-cors/issues/86 - - http://seclists.org/fulldisclosure/2017/Jul/22 ---- +--- +layout: advisory +title: 'CVE-2017-11173 (rack-cors): rack-cors Gem Missing Anchor permits unauthorized + CORS requests' +comments: false +categories: +- rack-cors +advisory: + gem: rack-cors + cve: 2017-11173 + ghsa: 2j9c-9vmv-7m39 + url: https://github.com/cyu/rack-cors/issues/86 + title: rack-cors Gem Missing Anchor permits unauthorized CORS requests + date: 2015-07-13 + description: | + Missing anchor in generated regex for rack-cors before 0.4.1 + allows a malicious third-party site to perform CORS requests. + If the configuration were intended to allow only the trusted + example.com domain name and not the malicious example.net domain name, + then example.com.example.net (as well as example.com-example.net) would + be inadvertently allowed. + cvss_v2: 6.8 + cvss_v3: 8.8 + patched_versions: + - ">= 0.4.1" + related: + url: + - https://github.com/cyu/rack-cors/issues/86 + - http://seclists.org/fulldisclosure/2017/Jul/22 +--- 
diff --git a/advisories/_posts/2015-07-17-OSVDB-126331.md b/advisories/_posts/2015-07-17-OSVDB-126331.md index 2546d521..5736324a 100644 --- a/advisories/_posts/2015-07-17-OSVDB-126331.md +++ b/advisories/_posts/2015-07-17-OSVDB-126331.md @@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'OSVDB-126331 (sidekiq-pro): Sidekiq Pro Gem for Ruby CSRF in Job Filtering' -comments: false -categories: -- sidekiq-pro -advisory: - gem: sidekiq-pro - osvdb: 126331 - url: https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#206-193 - title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering - date: 2015-07-17 - description: | - Sidekiq::Web job filtering lacks CSRF protection. - This issue is related to OSVDB-125675. - patched_versions: - - "~> 1.9.3" - - ">= 2.0.6" - related: - osvdb: - - 125675 - url: - - https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#206-193 - - https://github.com/sidekiq/sidekiq/issues/2442 - - https://github.com/sidekiq/sidekiq/issues/2467 - - https://github.com/rubysec/ruby-advisory-db/pull/201 - - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20234 ---- +--- +layout: advisory +title: 'OSVDB-126331 (sidekiq-pro): Sidekiq Pro Gem for Ruby CSRF in Job Filtering' +comments: false +categories: +- sidekiq-pro +advisory: + gem: sidekiq-pro + osvdb: 126331 + url: https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#206-193 + title: Sidekiq Pro Gem for Ruby CSRF in Job Filtering + date: 2015-07-17 + description: | + Sidekiq::Web job filtering lacks CSRF protection. + This issue is related to OSVDB-125675. + patched_versions: + - "~> 1.9.3" + - ">= 2.0.6" + related: + osvdb: + - 125675 + url: + - https://github.com/sidekiq/sidekiq/blob/main/Pro-Changes.md#206-193 + - https://github.com/sidekiq/sidekiq/issues/2442 + - https://github.com/sidekiq/sidekiq/issues/2467 + - https://github.com/rubysec/ruby-advisory-db/pull/201 + - https://security.snyk.io/vuln/SNYK-RUBY-SIDEKIQPRO-20234 +--- 
diff --git a/advisories/_posts/2015-07-20-OSVDB-125701.md b/advisories/_posts/2015-07-20-OSVDB-125701.md index 8884d8a4..e84658de 100644 --- a/advisories/_posts/2015-07-20-OSVDB-125701.md +++ b/advisories/_posts/2015-07-20-OSVDB-125701.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'OSVDB-125701 (spree): Spree RABL templates rendering allows Arbitrary Code - Execution and File Disclosure' -comments: false -categories: -- spree -advisory: - gem: spree - osvdb: 125701 - url: https://web.archive.org/web/20160331140223/https://spreecommerce.com/blog/security-updates-2015-7-20 - title: Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure - date: 2015-07-20 - description: | - Spree contains a flaw where the rendering of arbitrary RABL templates - allows for execution arbitrary files on the host system, as well as - disclosing the existence of files on the system. - patched_versions: - - "~> 2.2.12" - - "~> 2.3.11" - - "~> 2.4.8" - - ">= 3.0.2" - related: - url: - - https://web.archive.org/web/20160331140223/https://spreecommerce.com/blog/security-updates-2015-7-20 - - https://github.com/rubysec/bundler-audit/issues/106 ---- +--- +layout: advisory +title: 'OSVDB-125701 (spree): Spree RABL templates rendering allows Arbitrary Code + Execution and File Disclosure' +comments: false +categories: +- spree +advisory: + gem: spree + osvdb: 125701 + url: https://web.archive.org/web/20160331140223/https://spreecommerce.com/blog/security-updates-2015-7-20 + title: Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure + date: 2015-07-20 + description: | + Spree contains a flaw where the rendering of arbitrary RABL templates + allows for execution arbitrary files on the host system, as well as + disclosing the existence of files on the system. + patched_versions: + - "~> 2.2.12" + - "~> 2.3.11" + - "~> 2.4.8" + - ">= 3.0.2" + related: + url: + - https://web.archive.org/web/20160331140223/https://spreecommerce.com/blog/security-updates-2015-7-20 + - https://github.com/rubysec/bundler-audit/issues/106 +--- diff --git a/advisories/_posts/2015-07-21-CVE-2015-5378.md b/advisories/_posts/2015-07-21-CVE-2015-5378.md index dbb93642..cff67a86 100644 
--- a/advisories/_posts/2015-07-21-CVE-2015-5378.md +++ b/advisories/_posts/2015-07-21-CVE-2015-5378.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2015-5378 (logstash-core): Logstash: SSL/TLS FREAK Attack' -comments: false -categories: -- logstash-core -advisory: - gem: logstash-core - cve: 2015-5378 - ghsa: g6rc-3fpq-w2gr - url: https://packetstormsecurity.com/files/132800/Logstash-1.5.2-SSL-TLS-FREAK.html - title: 'Logstash: SSL/TLS FREAK Attack' - date: 2015-07-21 - description: | - Logstash: SSL/TLS FREAK Attack: Logstash 1.5.x before 1.5.3 and - 1.4.x before 1.4.4 allows remote attackers to read communications - between Logstash Forwarder agent and Logstash server. - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - "~> 1.4.4" - - ">= 1.5.3" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2015-5378 - - https://packetstormsecurity.com/files/132800/Logstash-1.5.2-SSL-TLS-FREAK.html - - https://sca.analysiscenter.veracode.com/vulnerability-database/security/factoring-attack-rsa-export-keys-freak/ruby/sid-1745/summary - - https://github.com/rubysec/ruby-advisory-db/issues/238 - - https://www.elastic.co/community/security - - https://github.com/advisories/GHSA-g6rc-3fpq-w2gr - - https://web.archive.org/web/20181211080524/http://www.securityfocus.com/bid/76015 ---- +--- +layout: advisory +title: 'CVE-2015-5378 (logstash-core): Logstash: SSL/TLS FREAK Attack' +comments: false +categories: +- logstash-core +advisory: + gem: logstash-core + cve: 2015-5378 + ghsa: g6rc-3fpq-w2gr + url: https://packetstormsecurity.com/files/132800/Logstash-1.5.2-SSL-TLS-FREAK.html + title: 'Logstash: SSL/TLS FREAK Attack' + date: 2015-07-21 + description: | + Logstash: SSL/TLS FREAK Attack: Logstash 1.5.x before 1.5.3 and + 1.4.x before 1.4.4 allows remote attackers to read communications + between Logstash Forwarder agent and Logstash server. 
+ cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - "~> 1.4.4" + - ">= 1.5.3" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2015-5378 + - https://packetstormsecurity.com/files/132800/Logstash-1.5.2-SSL-TLS-FREAK.html + - https://sca.analysiscenter.veracode.com/vulnerability-database/security/factoring-attack-rsa-export-keys-freak/ruby/sid-1745/summary + - https://github.com/rubysec/ruby-advisory-db/issues/238 + - https://www.elastic.co/community/security + - https://github.com/advisories/GHSA-g6rc-3fpq-w2gr + - https://web.archive.org/web/20181211080524/http://www.securityfocus.com/bid/76015 +--- diff --git a/advisories/_posts/2015-07-21-CVE-2015-8857.md b/advisories/_posts/2015-07-21-CVE-2015-8857.md index ea14f5d0..f671925b 100644 --- a/advisories/_posts/2015-07-21-CVE-2015-8857.md +++ b/advisories/_posts/2015-07-21-CVE-2015-8857.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2015-8857 (uglifier): uglifier incorrectly handles non-boolean comparisons - during minification' -comments: false -categories: -- uglifier -advisory: - gem: uglifier - cve: 2015-8857 - osvdb: 126747 - ghsa: 34r7-q49f-h37c - url: https://github.com/mishoo/UglifyJS2/issues/751 - title: uglifier incorrectly handles non-boolean comparisons during minification - date: 2015-07-21 - description: | - The upstream library for the Ruby uglifier gem, UglifyJS, is - affected by a vulnerability that allows a specially crafted - Javascript file to have altered functionality after minification. - - This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated - to allow potentially malicious code to be hidden within secure code, - and activated by the minification process. - - For more information, consult: - * https://zyan.scripts.mit.edu/blog/backdooring-js - - * CWE: 254 - 7PK - Security Features - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 2.7.2" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2015-8857 - - https://github.com/mishoo/UglifyJS/issues/751 - - https://blog.azuki.vip/backdooring-js - - https://www.openwall.com/lists/oss-security/2016/04/20/11 - - https://github.com/advisories/GHSA-34r7-q49f-h37c ---- +--- +layout: advisory +title: 'CVE-2015-8857 (uglifier): uglifier incorrectly handles non-boolean comparisons + during minification' +comments: false +categories: +- uglifier +advisory: + gem: uglifier + cve: 2015-8857 + osvdb: 126747 + ghsa: 34r7-q49f-h37c + url: https://github.com/mishoo/UglifyJS2/issues/751 + title: uglifier incorrectly handles non-boolean comparisons during minification + date: 2015-07-21 + description: | + The upstream library for the Ruby uglifier gem, UglifyJS, is + affected by a vulnerability that allows a specially crafted + Javascript file to have altered functionality after minification. 
+ + This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated + to allow potentially malicious code to be hidden within secure code, + and activated by the minification process. + + For more information, consult: + * https://zyan.scripts.mit.edu/blog/backdooring-js + + * CWE: 254 - 7PK - Security Features + cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 2.7.2" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2015-8857 + - https://github.com/mishoo/UglifyJS/issues/751 + - https://blog.azuki.vip/backdooring-js + - https://www.openwall.com/lists/oss-security/2016/04/20/11 + - https://github.com/advisories/GHSA-34r7-q49f-h37c +--- diff --git a/advisories/_posts/2015-07-28-OSVDB-125699.md b/advisories/_posts/2015-07-28-OSVDB-125699.md index f72cad19..d655ce3b 100644 --- a/advisories/_posts/2015-07-28-OSVDB-125699.md +++ b/advisories/_posts/2015-07-28-OSVDB-125699.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code - Execution and File Disclosure' -comments: false -categories: -- spree -advisory: - gem: spree - osvdb: 125699 - url: https://web.archive.org/web/20160331133641/spreecommerce.com/blog/security-updates-2015-7-28 - title: Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure - date: 2015-07-28 - description: | - Spree contains a flaw where the rendering of arbitrary RABL templates - allows for execution arbitrary files on the host system, as well as - disclosing the existence of files on the system. - This is a different issue than OSVDB-125701. - patched_versions: - - "~> 2.2.13" - - "~> 2.3.12" - - "~> 2.4.9" - - ">= 3.0.3" - related: - osvdb: - - 125701 - url: - - https://github.com/rubysec/bundler-audit/issues/106 - - https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20237 ---- +--- +layout: advisory +title: 'OSVDB-125699 (spree): Spree RABL templates rendering allows Arbitrary Code + Execution and File Disclosure' +comments: false +categories: +- spree +advisory: + gem: spree + osvdb: 125699 + url: https://web.archive.org/web/20160331133641/spreecommerce.com/blog/security-updates-2015-7-28 + title: Spree RABL templates rendering allows Arbitrary Code Execution and File Disclosure + date: 2015-07-28 + description: | + Spree contains a flaw where the rendering of arbitrary RABL templates + allows for execution arbitrary files on the host system, as well as + disclosing the existence of files on the system. + This is a different issue than OSVDB-125701. + patched_versions: + - "~> 2.2.13" + - "~> 2.3.12" + - "~> 2.4.9" + - ">= 3.0.3" + related: + osvdb: + - 125701 + url: + - https://github.com/rubysec/bundler-audit/issues/106 + - https://security.snyk.io/vuln/SNYK-RUBY-SPREE-20237 +--- 
diff --git a/advisories/_posts/2015-08-20-CVE-2015-5619.md b/advisories/_posts/2015-08-20-CVE-2015-5619.md index 183a649d..39d20b7d 100644 --- a/advisories/_posts/2015-08-20-CVE-2015-5619.md +++ b/advisories/_posts/2015-08-20-CVE-2015-5619.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2015-5619 (logstash-core): Logstash: Man-In-The Middle attack' -comments: false -categories: -- logstash-core -advisory: - gem: logstash-core - cve: 2015-5619 - ghsa: 68pf-743m-hv2w - url: https://www.elastic.co/blog/logstash-1-5-4-and-1-4-5-released - title: 'Logstash: Man-In-The Middle attack' - date: 2015-08-20 - description: | - Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack - output or the Logstash forwarder does not validate SSL/TLS certificates - from the Logstash server, which might allow attackers to obtain - sensitive information via a man-in-the-middle attack. - cvss_v2: 4.3 - cvss_v3: 5.9 - patched_versions: - - "~> 1.4.5" - - ">= 1.5.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2015-5619 - - https://www.elastic.co/blog/logstash-1-5-4-and-1-4-5-released - - https://www.elastic.co/community/security - - https://packetstormsecurity.com/files/133269/Logstash-1.5.3-Man-In-The-Middle.html - - https://sca.analysiscenter.veracode.com/vulnerability-database/security/man-middle-mitm-attacks/ruby/sid-1798/summary - - https://github.com/advisories/GHSA-68pf-743m-hv2w ---- +--- +layout: advisory +title: 'CVE-2015-5619 (logstash-core): Logstash: Man-In-The Middle attack' +comments: false +categories: +- logstash-core +advisory: + gem: logstash-core + cve: 2015-5619 + ghsa: 68pf-743m-hv2w + url: https://www.elastic.co/blog/logstash-1-5-4-and-1-4-5-released + title: 'Logstash: Man-In-The Middle attack' + date: 2015-08-20 + description: | + Logstash 1.4.x before 1.4.5 and 1.5.x before 1.5.4 with Lumberjack + output or the Logstash forwarder does not validate SSL/TLS certificates + from the Logstash server, which might allow attackers to obtain + sensitive information via a man-in-the-middle attack. 
+ cvss_v2: 4.3 + cvss_v3: 5.9 + patched_versions: + - "~> 1.4.5" + - ">= 1.5.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2015-5619 + - https://www.elastic.co/blog/logstash-1-5-4-and-1-4-5-released + - https://www.elastic.co/community/security + - https://packetstormsecurity.com/files/133269/Logstash-1.5.3-Man-In-The-Middle.html + - https://sca.analysiscenter.veracode.com/vulnerability-database/security/man-middle-mitm-attacks/ruby/sid-1798/summary + - https://github.com/advisories/GHSA-68pf-743m-hv2w +--- diff --git a/advisories/_posts/2015-08-24-OSVDB-131671.md b/advisories/_posts/2015-08-24-OSVDB-131671.md index b645be2b..df6d6a17 100644 --- a/advisories/_posts/2015-08-24-OSVDB-131671.md +++ b/advisories/_posts/2015-08-24-OSVDB-131671.md 
@@ -1,34 +1,34 @@ ---- -layout: advisory -title: 'OSVDB-131671 (handlebars-source): handlebars.js - quoteless attributes in - templates can lead to XSS' -comments: false -categories: -- handlebars-source -advisory: - gem: handlebars-source - osvdb: 131671 - url: https://security.snyk.io/vuln/SNYK-RUBY-HANDLEBARSSOURCE-20238 - title: handlebars.js - quoteless attributes in templates can lead to XSS - date: 2015-08-24 - description: | - The upstream 'handlebars' node.js module was found to not properly - escape equals (=) signs, leading to possible content injection - via attributes in templates. - - Example: - * Template: - * Input: { 'foo' : 'test.com onload=alert(1)'} - * Rendered result: - patched_versions: - - ">= 4.0.0" - related: - ghsa: - - 9prh-257w-9277 - url: - - https://github.com/handlebars-lang/handlebars.js - - https://github.com/handlebars-lang/handlebars.js/compare/v3.0.8...v4.0.0 - - https://security.snyk.io/vuln/SNYK-RUBY-HANDLEBARSSOURCE-20238 - - https://github.com/rubysec/bundler-audit/issues/185 - - https://www.veracode.com/blog/research/handlebarsjs-vulnerability-impact-study ---- +--- +layout: advisory +title: 'OSVDB-131671 (handlebars-source): handlebars.js - quoteless attributes in + templates can lead to XSS' +comments: false +categories: +- handlebars-source +advisory: + gem: handlebars-source + osvdb: 131671 + url: https://security.snyk.io/vuln/SNYK-RUBY-HANDLEBARSSOURCE-20238 + title: handlebars.js - quoteless attributes in templates can lead to XSS + date: 2015-08-24 + description: | + The upstream 'handlebars' node.js module was found to not properly + escape equals (=) signs, leading to possible content injection + via attributes in templates. 
+ + Example: + * Template: + * Input: { 'foo' : 'test.com onload=alert(1)'} + * Rendered result: + patched_versions: + - ">= 4.0.0" + related: + ghsa: + - 9prh-257w-9277 + url: + - https://github.com/handlebars-lang/handlebars.js + - https://github.com/handlebars-lang/handlebars.js/compare/v3.0.8...v4.0.0 + - https://security.snyk.io/vuln/SNYK-RUBY-HANDLEBARSSOURCE-20238 + - https://github.com/rubysec/bundler-audit/issues/185 + - https://www.veracode.com/blog/research/handlebarsjs-vulnerability-impact-study +--- diff --git a/advisories/_posts/2015-09-17-CVE-2015-7225.md b/advisories/_posts/2015-09-17-CVE-2015-7225.md index 7eac9687..6e54dc9f 100644 --- a/advisories/_posts/2015-09-17-CVE-2015-7225.md +++ b/advisories/_posts/2015-09-17-CVE-2015-7225.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2015-7225 (devise-two-factor): devise-two-factor 1.1.0 and earlier vulnerable - to replay attacks' -comments: false -categories: -- devise-two-factor -advisory: - gem: devise-two-factor - cve: 2015-7225 - ghsa: x489-jjwm-52g7 - url: http://www.openwall.com/lists/oss-security/2015/09/06/2 - title: devise-two-factor 1.1.0 and earlier vulnerable to replay attacks - date: 2015-09-17 - description: | - A OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local - attackers to shoulder-surf a user's TOTP verification code and use it to - login after the user has authenticated. - - By not "burning" a previously used TOTP, devise-two-factor allows a narrow - window of opportunity (aka the timestep period) where an attacker can re-use a - verification code. - - Should an attacker possess a given user's authentication - credentials, this flaw effectively defeats two-factor authentication for the - duration of the timestep. - cvss_v3: 5.3 - patched_versions: - - ">= 2.0.0" ---- +--- +layout: advisory +title: 'CVE-2015-7225 (devise-two-factor): devise-two-factor 1.1.0 and earlier vulnerable + to replay attacks' +comments: false +categories: +- devise-two-factor +advisory: + gem: devise-two-factor + cve: 2015-7225 + ghsa: x489-jjwm-52g7 + url: http://www.openwall.com/lists/oss-security/2015/09/06/2 + title: devise-two-factor 1.1.0 and earlier vulnerable to replay attacks + date: 2015-09-17 + description: | + A OTP replay vulnerability in devise-two-factor 1.1.0 and earlier allows local + attackers to shoulder-surf a user's TOTP verification code and use it to + login after the user has authenticated. + + By not "burning" a previously used TOTP, devise-two-factor allows a narrow + window of opportunity (aka the timestep period) where an attacker can re-use a + verification code. 
+ + Should an attacker possess a given user's authentication + credentials, this flaw effectively defeats two-factor authentication for the + duration of the timestep. + cvss_v3: 5.3 + patched_versions: + - ">= 2.0.0" +--- diff --git a/advisories/_posts/2015-09-20-CVE-2015-7314.md b/advisories/_posts/2015-09-20-CVE-2015-7314.md index 0f373ec0..290883af 100644 --- a/advisories/_posts/2015-09-20-CVE-2015-7314.md +++ b/advisories/_posts/2015-09-20-CVE-2015-7314.md @@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2015-7314 (gollum): gollum Upload File Functionality Permits Arbitrary - File Access' -comments: false -categories: -- gollum -advisory: - gem: gollum - cve: 2015-7314 - osvdb: 127779 - ghsa: m2q3-53fq-7h66 - url: https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1 - title: gollum Upload File Functionality Permits Arbitrary File Access - date: 2015-09-20 - description: | - The gollum gem contains a flaw in its upload file functionality that can - allow arbitrary file access. This occurs due to a lack of type checking - when handling temporary files during the upload process. - patched_versions: - - ">= 4.0.1" ---- +--- +layout: advisory +title: 'CVE-2015-7314 (gollum): gollum Upload File Functionality Permits Arbitrary + File Access' +comments: false +categories: +- gollum +advisory: + gem: gollum + cve: 2015-7314 + osvdb: 127779 + ghsa: m2q3-53fq-7h66 + url: https://github.com/gollum/gollum/commit/ce68a88293ce3b18c261312392ad33a88bb69ea1 + title: gollum Upload File Functionality Permits Arbitrary File Access + date: 2015-09-20 + description: | + The gollum gem contains a flaw in its upload file functionality that can + allow arbitrary file access. This occurs due to a lack of type checking + when handling temporary files during the upload process. + patched_versions: + - ">= 4.0.1" +--- 
diff --git a/advisories/_posts/2015-10-24-CVE-2017-1000042.md b/advisories/_posts/2015-10-24-CVE-2017-1000042.md index d58a7ae3..bc8caf24 100644 --- a/advisories/_posts/2015-10-24-CVE-2017-1000042.md +++ b/advisories/_posts/2015-10-24-CVE-2017-1000042.md 
@@ -1,44 +1,44 @@ ---- -layout: advisory -title: 'CVE-2017-1000042 (mapbox-rails): mapbox-rails Content Injection via TileJSON - attribute' -comments: false -categories: -- mapbox-rails -advisory: - gem: mapbox-rails - cve: 2017-1000042 - osvdb: 129854 - ghsa: qr28-7j6p-9hmv - url: https://nvd.nist.gov/vuln/detail/CVE-2017-1000042 - title: mapbox-rails Content Injection via TileJSON attribute - date: 2015-10-24 - description: | - Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 are vulnerable - to a cross-site-scripting attack in certain uncommon usage scenarios. - - If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON - content from a non-Mapbox URL, it is possible for a malicious user with - control over the TileJSON content to inject script content into the - "attribution" value of the TileJSON which will be executed in the context of - the page using Mapbox.js. - - Such usage is uncommon. The following usage scenarios are not vulnerable: - - * only trusted TileJSON content is loaded - * TileJSON content comes only from mapbox.com URLs - * a Mapbox map ID is supplied, rather than a TileJSON URL - - * CWE: 79 - Improper Neutralization of Input During Web Page Generation (XSS) - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - "~> 1.6.5" - - ">= 2.1.7" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2017-1000042 - - https://nodesecurity.io/advisories/49 - - https://hackerone.com/reports/54327 - - https://github.com/advisories/GHSA-qr28-7j6p-9hmv ---- +--- +layout: advisory +title: 'CVE-2017-1000042 (mapbox-rails): mapbox-rails Content Injection via TileJSON + attribute' +comments: false +categories: +- mapbox-rails +advisory: + gem: mapbox-rails + cve: 2017-1000042 + osvdb: 129854 + ghsa: qr28-7j6p-9hmv + url: https://nvd.nist.gov/vuln/detail/CVE-2017-1000042 + title: mapbox-rails Content Injection via TileJSON attribute + date: 2015-10-24 + description: | + Mapbox.js versions 1.x prior to 1.6.5 and 2.x prior to 2.1.7 
are vulnerable + to a cross-site-scripting attack in certain uncommon usage scenarios. + + If you use L.mapbox.map or L.mapbox.tileLayer to load untrusted TileJSON + content from a non-Mapbox URL, it is possible for a malicious user with + control over the TileJSON content to inject script content into the + "attribution" value of the TileJSON which will be executed in the context of + the page using Mapbox.js. + + Such usage is uncommon. The following usage scenarios are not vulnerable: + + * only trusted TileJSON content is loaded + * TileJSON content comes only from mapbox.com URLs + * a Mapbox map ID is supplied, rather than a TileJSON URL + + * CWE: 79 - Improper Neutralization of Input During Web Page Generation (XSS) + cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - "~> 1.6.5" + - ">= 2.1.7" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2017-1000042 + - https://nodesecurity.io/advisories/49 + - https://hackerone.com/reports/54327 + - https://github.com/advisories/GHSA-qr28-7j6p-9hmv +--- diff --git a/advisories/_posts/2015-11-17-OSVDB-131671.md b/advisories/_posts/2015-11-17-OSVDB-131671.md index 83e0ee63..c6ad1fe2 100644 --- a/advisories/_posts/2015-11-17-OSVDB-131671.md +++ b/advisories/_posts/2015-11-17-OSVDB-131671.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'OSVDB-131671 (mustache-js-rails): mustache.js - quoteless attributes in templates - can lead to XSS' -comments: false -categories: -- mustache-js-rails -advisory: - gem: mustache-js-rails - osvdb: 131671 - url: https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242 - title: mustache.js - quoteless attributes in templates can lead to XSS - date: 2015-11-17 - description: | - The upstream 'mustache.js' node.js module was found to not properly - escape backtick (`) and equals (=) characters, leading to possible - content injection via attributes in templates. - - Example: - * Template: - * Input: { 'foo' : 'test.com onload=alert(1)'} - * Rendered result: - patched_versions: - - ">= 2.0.3" - related: - ghsa: - - w3w8-37jv-2c58 - url: - - https://github.com/janl/mustache.js/pull/530 - - https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242 - - https://www.veracode.com/blog/research/handlebarsjs-vulnerability-impact-study ---- +--- +layout: advisory +title: 'OSVDB-131671 (mustache-js-rails): mustache.js - quoteless attributes in templates + can lead to XSS' +comments: false +categories: +- mustache-js-rails +advisory: + gem: mustache-js-rails + osvdb: 131671 + url: https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242 + title: mustache.js - quoteless attributes in templates can lead to XSS + date: 2015-11-17 + description: | + The upstream 'mustache.js' node.js module was found to not properly + escape backtick (`) and equals (=) characters, leading to possible + content injection via attributes in templates. + + Example: + * Template: + * Input: { 'foo' : 'test.com onload=alert(1)'} + * Rendered result: + patched_versions: + - ">= 2.0.3" + related: + ghsa: + - w3w8-37jv-2c58 + url: + - https://github.com/janl/mustache.js/pull/530 + - https://security.snyk.io/vuln/SNYK-RUBY-MUSTACHEJSRAILS-20242 + - https://www.veracode.com/blog/research/handlebarsjs-vulnerability-impact-study +--- 
diff --git a/advisories/_posts/2015-11-23-CVE-2015-7519.md b/advisories/_posts/2015-11-23-CVE-2015-7519.md index 2b901de0..997f4cbd 100644 --- a/advisories/_posts/2015-11-23-CVE-2015-7519.md +++ b/advisories/_posts/2015-11-23-CVE-2015-7519.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2015-7519 (passenger): Phusion Passenger Server allows to overwrite headers - in some cases' -comments: false -categories: -- passenger -advisory: - gem: passenger - cve: 2015-7519 - ghsa: fxwv-953p-7qpf - url: https://blog.phusion.nl/2015/12/07/cve-2015-7519/ - title: Phusion Passenger Server allows to overwrite headers in some cases - date: 2015-11-23 - description: | - It is possible in some cases, for clients to overwrite headers set by - the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired - format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired - format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES - whereby the difference between characters like '-' and '_' is lost. - cvss_v3: 3.7 - patched_versions: - - "~> 4.0.60" - - ">= 5.0.22" ---- +--- +layout: advisory +title: 'CVE-2015-7519 (passenger): Phusion Passenger Server allows to overwrite headers + in some cases' +comments: false +categories: +- passenger +advisory: + gem: passenger + cve: 2015-7519 + ghsa: fxwv-953p-7qpf + url: https://blog.phusion.nl/2015/12/07/cve-2015-7519/ + title: Phusion Passenger Server allows to overwrite headers in some cases + date: 2015-11-23 + description: | + It is possible in some cases, for clients to overwrite headers set by + the server, resulting in a medium level security issue. Passenger 5 uses an SCGI-inspired + format to pass headers to Ruby/Python applications, while Passenger 4 uses an SCGI-inspired + format to pass headers to all applications. This implies a conversion to UPPER_CASE_WITH_UNDERSCORES + whereby the difference between characters like '-' and '_' is lost. + cvss_v3: 3.7 + patched_versions: + - "~> 4.0.60" + - ">= 5.0.22" +--- diff --git a/advisories/_posts/2015-12-09-CVE-2015-9097.md b/advisories/_posts/2015-12-09-CVE-2015-9097.md index bfd90de8..b8c77b9e 100644 
--- a/advisories/_posts/2015-12-09-CVE-2015-9097.md +++ b/advisories/_posts/2015-12-09-CVE-2015-9097.md @@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2015-9097 (mail): CVE-2015-9097 rubygem-mail: SMTP injection via recipient - email addresses' -comments: false -categories: -- mail -advisory: - gem: mail - cve: 2015-9097 - osvdb: 131677 - ghsa: q86f-fmqf-qrf6 - url: https://hackerone.com/reports/137631 - title: 'CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses' - date: 2015-12-09 - description: | - The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is - vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM - command, as demonstrated by CRLF sequences immediately before and after a DATA substring. - cvss_v3: 6.1 - patched_versions: - - ">= 2.5.5" - related: - url: - - http://www.mbsd.jp/Whitepaper/smtpi.pdf - - https://github.com/mikel/mail/pull/1097 ---- +--- +layout: advisory +title: 'CVE-2015-9097 (mail): CVE-2015-9097 rubygem-mail: SMTP injection via recipient + email addresses' +comments: false +categories: +- mail +advisory: + gem: mail + cve: 2015-9097 + osvdb: 131677 + ghsa: q86f-fmqf-qrf6 + url: https://hackerone.com/reports/137631 + title: 'CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses' + date: 2015-12-09 + description: | + The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is + vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM + command, as demonstrated by CRLF sequences immediately before and after a DATA substring. + cvss_v3: 6.1 + patched_versions: + - ">= 2.5.5" + related: + url: + - http://www.mbsd.jp/Whitepaper/smtpi.pdf + - https://github.com/mikel/mail/pull/1097 +--- diff --git a/advisories/_posts/2015-12-11-CVE-2015-8968.md b/advisories/_posts/2015-12-11-CVE-2015-8968.md index 466e1b36..1de5f033 100644 --- a/advisories/_posts/2015-12-11-CVE-2015-8968.md 
+++ b/advisories/_posts/2015-12-11-CVE-2015-8968.md 
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2015-8968 (git-fastclone): git-fastclone permits arbitrary shell command - execution from .gitmodules' -comments: false -categories: -- git-fastclone -advisory: - gem: git-fastclone - cve: 2015-8968 - ghsa: 8gg6-3r63-25m8 - url: https://hackerone.com/reports/104465 - title: git-fastclone permits arbitrary shell command execution from .gitmodules - date: 2015-12-11 - description: | - Git allows executing arbitrary shell commands using git-remote-ext via a - remote URLs. Normally git never requests URLs that the user doesn't - specifically request, so this is not a serious security concern. However, - submodules did allow the remote repository to specify what URL to clone - from. - - If an attacker can instruct a user to run a recursive clone from a - repository they control, they can get a client to run an arbitrary shell - command. Alternately, if an attacker can MITM an unencrypted git clone, - they could exploit this. The ext command will be run if the repository is - recursively cloned or if submodules are updated. This attack works when - cloning both local and remote repositories. - cvss_v3: 8.8 - patched_versions: - - ">= 1.0.1" ---- +--- +layout: advisory +title: 'CVE-2015-8968 (git-fastclone): git-fastclone permits arbitrary shell command + execution from .gitmodules' +comments: false +categories: +- git-fastclone +advisory: + gem: git-fastclone + cve: 2015-8968 + ghsa: 8gg6-3r63-25m8 + url: https://hackerone.com/reports/104465 + title: git-fastclone permits arbitrary shell command execution from .gitmodules + date: 2015-12-11 + description: | + Git allows executing arbitrary shell commands using git-remote-ext via a + remote URLs. Normally git never requests URLs that the user doesn't + specifically request, so this is not a serious security concern. However, + submodules did allow the remote repository to specify what URL to clone + from. 
+ + If an attacker can instruct a user to run a recursive clone from a + repository they control, they can get a client to run an arbitrary shell + command. Alternately, if an attacker can MITM an unencrypted git clone, + they could exploit this. The ext command will be run if the repository is + recursively cloned or if submodules are updated. This attack works when + cloning both local and remote repositories. + cvss_v3: 8.8 + patched_versions: + - ">= 1.0.1" +--- diff --git a/advisories/_posts/2015-12-15-CVE-2015-5312.md b/advisories/_posts/2015-12-15-CVE-2015-5312.md index 00ae60ce..6c626170 100644 --- a/advisories/_posts/2015-12-15-CVE-2015-5312.md +++ b/advisories/_posts/2015-12-15-CVE-2015-5312.md 
@@ -1,96 +1,96 @@ ---- -layout: advisory -title: 'CVE-2015-5312 (nokogiri): Nokogiri gem contains several vulnerabilities in - libxml2' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2015-5312 - ghsa: xjqg-9jvg-fgx2 - url: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s - title: Nokogiri gem contains several vulnerabilities in libxml2 - date: 2015-12-15 - description: | - Nokogiri version 1.6.7.1 has been released, pulling in several upstream - patches to the vendored libxml2 to address the following CVEs: - - CVE-2015-5312 - CVSS v2 Base Score: 7.1 (HIGH) - The xmlStringLenDecodeEntities function in parser.c in libxml2 - before 2.9.3 does not properly prevent entity expansion, which - allows context-dependent attackers to cause a denial of - service (CPU consumption) via crafted XML data, a different - vulnerability than CVE-2014-3660. - - CVE-2015-7497 - CVSS v2 Base Score: 5.0 (MEDIUM) - Heap-based buffer overflow in the xmlDictComputeFastQKey - function in dict.c in libxml2 before 2.9.3 allows - context-dependent attackers to cause a denial of service via - unspecified vectors. - - CVE-2015-7498 - CVSS v2 Base Score: 5.0 (MEDIUM) - Heap-based buffer overflow in the xmlParseXmlDecl function in - parser.c in libxml2 before 2.9.3 allows context-dependent - attackers to cause a denial of service via unspecified vectors - related to extracting errors after an encoding conversion - failure. - - CVE-2015-7499 - CVSS v2 Base Score: 5.0 (MEDIUM) - Heap-based buffer overflow in the xmlGROW function in parser.c - in libxml2 before 2.9.3 allows context-dependent attackers to - obtain sensitive process memory information via unspecified - vectors. 
- - CVE-2015-7500 - CVSS v2 Base Score: 5.0 (MEDIUM) - The xmlParseMisc function in parser.c in libxml2 before 2.9.3 - allows context-dependent attackers to cause a denial of - service (out-of-bounds heap read) via unspecified vectors - related to incorrect entities boundaries and start tags. - - CVE-2015-8241 - CVSS v2 Base Score: 6.4 (MEDIUM) - The xmlNextChar function in libxml2 2.9.2 does not properly - check the state, which allows context-dependent attackers to - cause a denial of service (heap-based buffer over-read and - application crash) or obtain sensitive information via crafted - XML data. - - CVE-2015-8242 - CVSS v2 Base Score: 5.8 (MEDIUM) - The xmlSAX2TextNode function in SAX2.c in the push interface in - the HTML parser in libxml2 before 2.9.3 allows - context-dependent attackers to cause a denial of - service (stack-based buffer over-read and application crash) or - obtain sensitive information via crafted XML data. - - CVE-2015-8317 - CVSS v2 Base Score: 5.0 (MEDIUM) - The xmlParseXMLDecl function in parser.c in libxml2 before - 2.9.3 allows context-dependent attackers to obtain sensitive - information via an (1) unterminated encoding value or (2) - incomplete XML declaration in XML data, which triggers an - out-of-bounds heap read. 
- cvss_v2: 7.1 - unaffected_versions: - - "< 1.6.0" - patched_versions: - - ">= 1.6.7.1" - related: - cve: - - 2015-7497 - - 2015-7498 - - 2015-7499 - - 2015-7500 - - 2015-8241 - - 2015-8242 - - 2015-8317 - url: - - https://github.com/sparklemotion/nokogiri/pull/1378 - - https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5 ---- +--- +layout: advisory +title: 'CVE-2015-5312 (nokogiri): Nokogiri gem contains several vulnerabilities in + libxml2' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2015-5312 + ghsa: xjqg-9jvg-fgx2 + url: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s + title: Nokogiri gem contains several vulnerabilities in libxml2 + date: 2015-12-15 + description: | + Nokogiri version 1.6.7.1 has been released, pulling in several upstream + patches to the vendored libxml2 to address the following CVEs: + + CVE-2015-5312 + CVSS v2 Base Score: 7.1 (HIGH) + The xmlStringLenDecodeEntities function in parser.c in libxml2 + before 2.9.3 does not properly prevent entity expansion, which + allows context-dependent attackers to cause a denial of + service (CPU consumption) via crafted XML data, a different + vulnerability than CVE-2014-3660. + + CVE-2015-7497 + CVSS v2 Base Score: 5.0 (MEDIUM) + Heap-based buffer overflow in the xmlDictComputeFastQKey + function in dict.c in libxml2 before 2.9.3 allows + context-dependent attackers to cause a denial of service via + unspecified vectors. + + CVE-2015-7498 + CVSS v2 Base Score: 5.0 (MEDIUM) + Heap-based buffer overflow in the xmlParseXmlDecl function in + parser.c in libxml2 before 2.9.3 allows context-dependent + attackers to cause a denial of service via unspecified vectors + related to extracting errors after an encoding conversion + failure. 
+ + CVE-2015-7499 + CVSS v2 Base Score: 5.0 (MEDIUM) + Heap-based buffer overflow in the xmlGROW function in parser.c + in libxml2 before 2.9.3 allows context-dependent attackers to + obtain sensitive process memory information via unspecified + vectors. + + CVE-2015-7500 + CVSS v2 Base Score: 5.0 (MEDIUM) + The xmlParseMisc function in parser.c in libxml2 before 2.9.3 + allows context-dependent attackers to cause a denial of + service (out-of-bounds heap read) via unspecified vectors + related to incorrect entities boundaries and start tags. + + CVE-2015-8241 + CVSS v2 Base Score: 6.4 (MEDIUM) + The xmlNextChar function in libxml2 2.9.2 does not properly + check the state, which allows context-dependent attackers to + cause a denial of service (heap-based buffer over-read and + application crash) or obtain sensitive information via crafted + XML data. + + CVE-2015-8242 + CVSS v2 Base Score: 5.8 (MEDIUM) + The xmlSAX2TextNode function in SAX2.c in the push interface in + the HTML parser in libxml2 before 2.9.3 allows + context-dependent attackers to cause a denial of + service (stack-based buffer over-read and application crash) or + obtain sensitive information via crafted XML data. + + CVE-2015-8317 + CVSS v2 Base Score: 5.0 (MEDIUM) + The xmlParseXMLDecl function in parser.c in libxml2 before + 2.9.3 allows context-dependent attackers to obtain sensitive + information via an (1) unterminated encoding value or (2) + incomplete XML declaration in XML data, which triggers an + out-of-bounds heap read. + cvss_v2: 7.1 + unaffected_versions: + - "< 1.6.0" + patched_versions: + - ">= 1.6.7.1" + related: + cve: + - 2015-7497 + - 2015-7498 + - 2015-7499 + - 2015-7500 + - 2015-8241 + - 2015-8242 + - 2015-8317 + url: + - https://github.com/sparklemotion/nokogiri/pull/1378 + - https://github.com/sparklemotion/nokogiri/commit/4205af1a2a546f79d1b48df2ad8b27299c0099c5 +--- 
diff --git a/advisories/_posts/2015-12-15-CVE-2015-8969.md b/advisories/_posts/2015-12-15-CVE-2015-8969.md index 11e19900..4b70e992 100644 --- a/advisories/_posts/2015-12-15-CVE-2015-8969.md +++ b/advisories/_posts/2015-12-15-CVE-2015-8969.md @@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2015-8969 (git-fastclone): git-fastclone Shell Metacharacter Injection - Arbitrary Command Execution' -comments: false -categories: -- git-fastclone -advisory: - gem: git-fastclone - cve: 2015-8969 - ghsa: mf6w-45cf-qhmp - url: https://hackerone.com/reports/105190 - title: git-fastclone Shell Metacharacter Injection Arbitrary Command Execution - date: 2015-12-15 - description: | - git-fastclone before 1.0.5 passes user modifiable strings directly to a shell - command. An attacker can execute malicious commands by modifying the strings - that are passed as arguments to "cd " and "git clone " commands in the - library. - cvss_v3: 9.8 - patched_versions: - - ">= 1.0.5" ---- +--- +layout: advisory +title: 'CVE-2015-8969 (git-fastclone): git-fastclone Shell Metacharacter Injection + Arbitrary Command Execution' +comments: false +categories: +- git-fastclone +advisory: + gem: git-fastclone + cve: 2015-8969 + ghsa: mf6w-45cf-qhmp + url: https://hackerone.com/reports/105190 + title: git-fastclone Shell Metacharacter Injection Arbitrary Command Execution + date: 2015-12-15 + description: | + git-fastclone before 1.0.5 passes user modifiable strings directly to a shell + command. An attacker can execute malicious commands by modifying the strings + that are passed as arguments to "cd " and "git clone " commands in the + library. + cvss_v3: 9.8 + patched_versions: + - ">= 1.0.5" +--- diff --git a/advisories/_posts/2015-12-18-OSVDB-132234.md b/advisories/_posts/2015-12-18-OSVDB-132234.md index e1ee2e85..8e9ec149 100644 --- a/advisories/_posts/2015-12-18-OSVDB-132234.md +++ b/advisories/_posts/2015-12-18-OSVDB-132234.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'OSVDB-132234 (rack-attack): rack-attack Gem for Ruby missing normalization - before request path processing' -comments: false -categories: -- rack-attack -advisory: - gem: rack-attack - osvdb: 132234 - url: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 - title: rack-attack Gem for Ruby missing normalization before request path processing - date: 2015-12-18 - description: | - When using rack-attack with a rails app, developers expect the request - path to be normalized. In particular, trailing slashes are stripped so - a request path "/login/" becomes "/login" by the time you're in - ActionController. - - Since Rack::Attack runs before ActionDispatch, the request path is not - yet normalized. This can cause throttles and blacklists to not work as - expected. - - E.g., a throttle: - - `throttle('logins', ...) {|req| req.path == "/login" }` - - would not match a request to '/login/', though Rails would route - '/login/' to the same '/login' action. - patched_versions: - - ">= 4.3.1" - related: - url: - - https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 - - https://github.com/rack/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977 - - https://security.snyk.io/vuln/SNYK-RUBY-RACKATTACK-20246 - - https://github.com/rack/rack-attack/blob/main/CHANGELOG.md ---- +--- +layout: advisory +title: 'OSVDB-132234 (rack-attack): rack-attack Gem for Ruby missing normalization + before request path processing' +comments: false +categories: +- rack-attack +advisory: + gem: rack-attack + osvdb: 132234 + url: https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 + title: rack-attack Gem for Ruby missing normalization before request path processing + date: 2015-12-18 + description: | + When using rack-attack with a rails app, developers expect the request + path to be normalized. 
In particular, trailing slashes are stripped so + a request path "/login/" becomes "/login" by the time you're in + ActionController. + + Since Rack::Attack runs before ActionDispatch, the request path is not + yet normalized. This can cause throttles and blacklists to not work as + expected. + + E.g., a throttle: + + `throttle('logins', ...) {|req| req.path == "/login" }` + + would not match a request to '/login/', though Rails would route + '/login/' to the same '/login' action. + patched_versions: + - ">= 4.3.1" + related: + url: + - https://github.com/kickstarter/rack-attack/releases/tag/v4.3.1 + - https://github.com/rack/rack-attack/commit/76c2e3143099d938883ae5654527b47e9e6a8977 + - https://security.snyk.io/vuln/SNYK-RUBY-RACKATTACK-20246 + - https://github.com/rack/rack-attack/blob/main/CHANGELOG.md +--- diff --git a/advisories/_posts/2016-01-04-CVE-2015-7541.md b/advisories/_posts/2016-01-04-CVE-2015-7541.md index e2290ad2..1388a3f5 100644 --- a/advisories/_posts/2016-01-04-CVE-2015-7541.md +++ b/advisories/_posts/2016-01-04-CVE-2015-7541.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2015-7541 (colorscore): colorscore Gem for Ruby lib/colorscore/histogram.rb - Arbitrary Command Injection' -comments: false -categories: -- colorscore -advisory: - gem: colorscore - cve: 2015-7541 - osvdb: 132516 - ghsa: 73qw-ww62-m54x - url: http://seclists.org/oss-sec/2016/q1/17 - title: colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection - date: 2016-01-04 - description: | - The contents of the `image_path`, `colors`, and `depth` variables generated - from possibly user-supplied input are passed directly to the shell via - `convert ...`. - - If a user supplies a value that includes shell metacharacters such as ';', an - attacker may be able to execute shell commands on the remote system as the - user id of the Ruby process. - - To resolve this issue, the aforementioned variables (especially `image_path`) - must be sanitized for shell metacharacters. - cvss_v3: 10.0 - patched_versions: - - ">= 0.0.5" ---- +--- +layout: advisory +title: 'CVE-2015-7541 (colorscore): colorscore Gem for Ruby lib/colorscore/histogram.rb + Arbitrary Command Injection' +comments: false +categories: +- colorscore +advisory: + gem: colorscore + cve: 2015-7541 + osvdb: 132516 + ghsa: 73qw-ww62-m54x + url: http://seclists.org/oss-sec/2016/q1/17 + title: colorscore Gem for Ruby lib/colorscore/histogram.rb Arbitrary Command Injection + date: 2016-01-04 + description: | + The contents of the `image_path`, `colors`, and `depth` variables generated + from possibly user-supplied input are passed directly to the shell via + `convert ...`. + + If a user supplies a value that includes shell metacharacters such as ';', an + attacker may be able to execute shell commands on the remote system as the + user id of the Ruby process. + + To resolve this issue, the aforementioned variables (especially `image_path`) + must be sanitized for shell metacharacters. + cvss_v3: 10.0 + patched_versions: + - ">= 0.0.5" +--- 
diff --git a/advisories/_posts/2016-01-08-OSVDB-132800.md b/advisories/_posts/2016-01-08-OSVDB-132800.md index 3c84d5b6..e45e9720 100644 --- a/advisories/_posts/2016-01-08-OSVDB-132800.md +++ b/advisories/_posts/2016-01-08-OSVDB-132800.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'OSVDB-132800 (auto_select2): auto_select2 Gem for Ruby allows arbitrary search - execution' -comments: false -categories: -- auto_select2 -advisory: - gem: auto_select2 - osvdb: 132800 - url: https://www.openwall.com/lists/oss-security/2016/01/11/2 - title: auto_select2 Gem for Ruby allows arbitrary search execution - date: 2016-01-08 - description: | - auto_select2 Gem for Ruby contains a flaw that is triggered - when handling the 'params[:default_class_name]' option. This - allows users to search any object of all given ActiveRecord classes. - patched_versions: - - ">= 0.5.0" - related: - url: - - https://www.openwall.com/lists/oss-security/2016/01/11/2 - - https://github.com/Loriowar/auto_select2/issues/4 - - https://github.com/bkocherov/auto_select2/commit/c283ba5b2ad828c3b7414565ae66cd0d86f5a5df - - https://github.com/rubysec/ruby-advisory-db/issues/224 - - https://github.com/rubysec/ruby-advisory-db/pull/227 - - https://github.com/Tab10id/auto_awesomplete/issues/2 ---- +--- +layout: advisory +title: 'OSVDB-132800 (auto_select2): auto_select2 Gem for Ruby allows arbitrary search + execution' +comments: false +categories: +- auto_select2 +advisory: + gem: auto_select2 + osvdb: 132800 + url: https://www.openwall.com/lists/oss-security/2016/01/11/2 + title: auto_select2 Gem for Ruby allows arbitrary search execution + date: 2016-01-08 + description: | + auto_select2 Gem for Ruby contains a flaw that is triggered + when handling the 'params[:default_class_name]' option. This + allows users to search any object of all given ActiveRecord classes. 
+ patched_versions: + - ">= 0.5.0" + related: + url: + - https://www.openwall.com/lists/oss-security/2016/01/11/2 + - https://github.com/Loriowar/auto_select2/issues/4 + - https://github.com/bkocherov/auto_select2/commit/c283ba5b2ad828c3b7414565ae66cd0d86f5a5df + - https://github.com/rubysec/ruby-advisory-db/issues/224 + - https://github.com/rubysec/ruby-advisory-db/pull/227 + - https://github.com/Tab10id/auto_awesomplete/issues/2 +--- diff --git a/advisories/_posts/2016-01-12-CVE-2017-1000043.md b/advisories/_posts/2016-01-12-CVE-2017-1000043.md index 79c4e866..d2d07a6c 100644 --- a/advisories/_posts/2016-01-12-CVE-2017-1000043.md +++ b/advisories/_posts/2016-01-12-CVE-2017-1000043.md 
@@ -1,43 +1,43 @@ ---- -layout: advisory -title: 'CVE-2017-1000043 (mapbox-rails): mapbox-rails Content Injection via TileJSON - Name' -comments: false -categories: -- mapbox-rails -advisory: - gem: mapbox-rails - cve: 2017-1000043 - osvdb: 132871 - ghsa: q69p-5h74-w36f - url: https://nvd.nist.gov/vuln/detail/CVE-2017-1000043 - title: mapbox-rails Content Injection via TileJSON Name - date: 2016-01-12 - description: | - Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable - to a cross-site-scripting attack in certain uncommon usage scenarios. - - If you use L.mapbox.map and L.mapbox.shareControl it is possible for a - malicious user with control over the TileJSON content to inject script - content into the name value of the TileJSON. After clicking on the share - control, the malicious code will execute in the context of the page using - Mapbox.js. - - Such usage is uncommon. L.mapbox.shareControl is not automatically added to - Mapbox.js maps and must be explicitly added. 
The following usage scenarios - are not vulnerable: - - * the map does not use a share control (L.mapbox.sharecontrol) - * only trusted TileJSON content is loaded - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - "~> 1.6.6" - - ">= 2.2.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2017-1000043 - - https://nodesecurity.io/advisories/74 - - https://hackerone.com/reports/99245 - - https://github.com/advisories/GHSA-q69p-5h74-w36f ---- +--- +layout: advisory +title: 'CVE-2017-1000043 (mapbox-rails): mapbox-rails Content Injection via TileJSON + Name' +comments: false +categories: +- mapbox-rails +advisory: + gem: mapbox-rails + cve: 2017-1000043 + osvdb: 132871 + ghsa: q69p-5h74-w36f + url: https://nvd.nist.gov/vuln/detail/CVE-2017-1000043 + title: mapbox-rails Content Injection via TileJSON Name + date: 2016-01-12 + description: | + Mapbox.js versions 1.x prior to 1.6.6 and 2.x prior to 2.2.4 are vulnerable + to a cross-site-scripting attack in certain uncommon usage scenarios. + + If you use L.mapbox.map and L.mapbox.shareControl it is possible for a + malicious user with control over the TileJSON content to inject script + content into the name value of the TileJSON. After clicking on the share + control, the malicious code will execute in the context of the page using + Mapbox.js. + + Such usage is uncommon. L.mapbox.shareControl is not automatically added to + Mapbox.js maps and must be explicitly added. The following usage scenarios + are not vulnerable: + + * the map does not use a share control (L.mapbox.sharecontrol) + * only trusted TileJSON content is loaded + cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - "~> 1.6.6" + - ">= 2.2.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2017-1000043 + - https://nodesecurity.io/advisories/74 + - https://hackerone.com/reports/99245 + - https://github.com/advisories/GHSA-q69p-5h74-w36f +--- 
diff --git a/advisories/_posts/2016-01-14-CVE-2015-7565.md b/advisories/_posts/2016-01-14-CVE-2015-7565.md
index 6d48a0ce..3b7283e8 100644
--- a/advisories/_posts/2016-01-14-CVE-2015-7565.md
+++ b/advisories/_posts/2016-01-14-CVE-2015-7565.md
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2015-7565 (ember-source): Ember.js XSS Vulnerability with User-Supplied - JSON' -comments: false -categories: -- ember-source -advisory: - gem: ember-source - cve: 2015-7565 - ghsa: m3q7-rj8g-m457 - url: https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY - title: Ember.js XSS Vulnerability with User-Supplied JSON - date: 2016-01-14 - description: | - By default, Ember will escape any values in Handlebars templates that - use double curlies (`{{value}}`). Developers can specifically opt out of - this escaping behavior by passing an instance of `SafeString` rather - than a raw string, which tells Ember that it should not escape the - string because the developer has taken responsibility for escapement. - - It is possible for an attacker to create a specially-crafted payload - that causes a non-sanitized string to be treated as a `SafeString`, and - thus bypass Ember's normal escaping behavior. This could allow an - attacker to execute arbitrary JavaScript in the context of the current - domain ("XSS"). - - All users running an affected release should either upgrade or use of - the workarounds immediately. - cvss_v3: 6.1 - unaffected_versions: - - "< 1.8.0" - patched_versions: - - "~> 1.11.4" - - "~> 1.12.2" - - "~> 1.13.12" - - "~> 2.0.3" - - "~> 2.1.2" - - ">= 2.2.1" ---- +--- +layout: advisory +title: 'CVE-2015-7565 (ember-source): Ember.js XSS Vulnerability with User-Supplied + JSON' +comments: false +categories: +- ember-source +advisory: + gem: ember-source + cve: 2015-7565 + ghsa: m3q7-rj8g-m457 + url: https://groups.google.com/forum/#!topic/ember-security/OfyQkoSuppY + title: Ember.js XSS Vulnerability with User-Supplied JSON + date: 2016-01-14 + description: | + By default, Ember will escape any values in Handlebars templates that + use double curlies (`{{value}}`). 
Developers can specifically opt out of + this escaping behavior by passing an instance of `SafeString` rather + than a raw string, which tells Ember that it should not escape the + string because the developer has taken responsibility for escapement. + + It is possible for an attacker to create a specially-crafted payload + that causes a non-sanitized string to be treated as a `SafeString`, and + thus bypass Ember's normal escaping behavior. This could allow an + attacker to execute arbitrary JavaScript in the context of the current + domain ("XSS"). + + All users running an affected release should either upgrade or use of + the workarounds immediately. + cvss_v3: 6.1 + unaffected_versions: + - "< 1.8.0" + patched_versions: + - "~> 1.11.4" + - "~> 1.12.2" + - "~> 1.13.12" + - "~> 2.0.3" + - "~> 2.1.2" + - ">= 2.2.1" +--- diff --git a/advisories/_posts/2016-01-18-CVE-2015-8314.md b/advisories/_posts/2016-01-18-CVE-2015-8314.md index 28d5c359..7c2970b0 100644 --- a/advisories/_posts/2016-01-18-CVE-2015-8314.md +++ b/advisories/_posts/2016-01-18-CVE-2015-8314.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2015-8314 (devise): Devise Gem for Ruby Unauthorized Access Using Remember - Me Cookie' -comments: false -categories: -- devise -advisory: - gem: devise - cve: 2015-8314 - ghsa: 746g-3gfp-hfhw - url: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/ - title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie - date: 2016-01-18 - description: | - Devise version before 3.5.4 uses cookies to implement a "Remember me" - functionality. However, it generates the same cookie for all devices. If an - attacker manages to steal a remember me cookie and the user does not change - the password frequently, the cookie can be used to gain access to the - application indefinitely. - cvss_v3: 7.5 - patched_versions: - - ">= 3.5.4" ---- +--- +layout: advisory +title: 'CVE-2015-8314 (devise): Devise Gem for Ruby Unauthorized Access Using Remember + Me Cookie' +comments: false +categories: +- devise +advisory: + gem: devise + cve: 2015-8314 + ghsa: 746g-3gfp-hfhw + url: http://blog.plataformatec.com.br/2016/01/improve-remember-me-cookie-expiration-in-devise/ + title: Devise Gem for Ruby Unauthorized Access Using Remember Me Cookie + date: 2016-01-18 + description: | + Devise version before 3.5.4 uses cookies to implement a "Remember me" + functionality. However, it generates the same cookie for all devices. If an + attacker manages to steal a remember me cookie and the user does not change + the password frequently, the cookie can be used to gain access to the + application indefinitely. + cvss_v3: 7.5 + patched_versions: + - ">= 3.5.4" +--- diff --git a/advisories/_posts/2016-01-19-CVE-2015-7499.md b/advisories/_posts/2016-01-19-CVE-2015-7499.md index bc060a2b..c051eede 100644 --- a/advisories/_posts/2016-01-19-CVE-2015-7499.md +++ b/advisories/_posts/2016-01-19-CVE-2015-7499.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2015-7499 (nokogiri): Nokogiri gem contains a heap-based buffer overflow - vulnerability in libxml2' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2015-7499 - ghsa: jxjr-5h69-qw3w - url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM - title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 - date: 2016-01-19 - description: | - Nokogiri version 1.6.7.2 has been released, pulling in several upstream - patches to the vendored libxml2 to address the following CVE: - - CVE-2015-7499 - CVSS v2 Base Score: 5.0 (MEDIUM) - - Heap-based buffer overflow in the xmlGROW function in parser.c - in libxml2 before 2.9.3 allows context-dependent attackers to - obtain sensitive process memory information via unspecified - vectors. - - libxml2 could be made to crash if it opened a specially crafted - file. It was discovered that libxml2 incorrectly handled certain - malformed documents. If a user or automated system were tricked - into opening a specially crafted document, an attacker could - possibly cause libxml2 to crash, resulting in a denial of service. 
- cvss_v2: 5.0 - unaffected_versions: - - "< 1.6.0" - patched_versions: - - ">= 1.6.7.2" - related: - url: - - https://github.com/sparklemotion/nokogiri/commit/9eb540e7c905924a42757bf0a34c2c00707d536c ---- +--- +layout: advisory +title: 'CVE-2015-7499 (nokogiri): Nokogiri gem contains a heap-based buffer overflow + vulnerability in libxml2' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2015-7499 + ghsa: jxjr-5h69-qw3w + url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM + title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2 + date: 2016-01-19 + description: | + Nokogiri version 1.6.7.2 has been released, pulling in several upstream + patches to the vendored libxml2 to address the following CVE: + + CVE-2015-7499 + CVSS v2 Base Score: 5.0 (MEDIUM) + + Heap-based buffer overflow in the xmlGROW function in parser.c + in libxml2 before 2.9.3 allows context-dependent attackers to + obtain sensitive process memory information via unspecified + vectors. + + libxml2 could be made to crash if it opened a specially crafted + file. It was discovered that libxml2 incorrectly handled certain + malformed documents. If a user or automated system were tricked + into opening a specially crafted document, an attacker could + possibly cause libxml2 to crash, resulting in a denial of service. + cvss_v2: 5.0 + unaffected_versions: + - "< 1.6.0" + patched_versions: + - ">= 1.6.7.2" + related: + url: + - https://github.com/sparklemotion/nokogiri/commit/9eb540e7c905924a42757bf0a34c2c00707d536c +--- diff --git a/advisories/_posts/2016-01-25-CVE-2015-7576.md b/advisories/_posts/2016-01-25-CVE-2015-7576.md index 92d721f5..f6ac98f2 100644 --- a/advisories/_posts/2016-01-25-CVE-2015-7576.md +++ b/advisories/_posts/2016-01-25-CVE-2015-7576.md 
@@ -1,125 +1,125 @@ ---- -layout: advisory -title: 'CVE-2015-7576 (actionpack): Timing attack vulnerability in basic authentication - in Action Controller.' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2015-7576 - ghsa: p692-7mm3-3fxg - url: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k - title: Timing attack vulnerability in basic authentication in Action Controller. - date: 2016-01-25 - description: | - There is a timing attack vulnerability in the basic authentication support - in Action Controller. This vulnerability has been assigned the CVE - identifier CVE-2015-7576. - - Versions Affected: All. - Not affected: None. - Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 - - Impact - ------ - Due to the way that Action Controller compares user names and passwords in - basic authentication authorization code, it is possible for an attacker to - analyze the time taken by a response and intuit the password. - - For example, this string comparison: - - "foo" == "bar" - - is possibly faster than this comparison: - - "foo" == "fo1" - - Attackers can use this information to attempt to guess the username and - password used in the basic authentication system. - - You can tell you application is vulnerable to this attack by looking for - `http_basic_authenticate_with` method calls in your application. - - All users running an affected release should either upgrade or use one of - the workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. 
- - Workarounds - ----------- - If you can't upgrade, please use the following monkey patch in an initializer - that is loaded before your application: - - ``` - $ cat config/initializers/basic_auth_fix.rb - module ActiveSupport - module SecurityUtils - def secure_compare(a, b) - return false unless a.bytesize == b.bytesize - - l = a.unpack "C#{a.bytesize}" - - res = 0 - b.each_byte { |byte| res |= byte ^ l.shift } - res == 0 - end - module_function :secure_compare - - def variable_size_secure_compare(a, b) - secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) - end - module_function :variable_size_secure_compare - end - end - - module ActionController - class Base - def self.http_basic_authenticate_with(options = {}) - before_action(options.except(:name, :password, :realm)) do - authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| - # This comparison uses & so that it doesn't short circuit and - # uses `variable_size_secure_compare` so that length information - # isn't leaked. - ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & - ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) - end - end - end - end - end - ``` - - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 4-1-basic_auth.patch - Patch for 4.1 series - * 4-2-basic_auth.patch - Patch for 4.2 series - * 5-0-basic_auth.patch - Patch for 5.0 series - - Please note that only the 4.1.x and 4.2.x series are supported at present. Users - of earlier unsupported releases are advised to upgrade as soon as possible as we - cannot guarantee the continued availability of security fixes for unsupported - releases. - - Credits - ------- - - Thank you to Daniel Waterworth for reporting the problem and working with us to - fix it. 
- cvss_v2: 4.3 - cvss_v3: 3.7 - patched_versions: - - ">= 5.0.0.beta1.1" - - "~> 4.2.5, >= 4.2.5.1" - - "~> 4.1.14, >= 4.1.14.1" - - "~> 3.2.22.1" ---- +--- +layout: advisory +title: 'CVE-2015-7576 (actionpack): Timing attack vulnerability in basic authentication + in Action Controller.' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2015-7576 + ghsa: p692-7mm3-3fxg + url: https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k + title: Timing attack vulnerability in basic authentication in Action Controller. + date: 2016-01-25 + description: | + There is a timing attack vulnerability in the basic authentication support + in Action Controller. This vulnerability has been assigned the CVE + identifier CVE-2015-7576. + + Versions Affected: All. + Not affected: None. + Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 + + Impact + ------ + Due to the way that Action Controller compares user names and passwords in + basic authentication authorization code, it is possible for an attacker to + analyze the time taken by a response and intuit the password. + + For example, this string comparison: + + "foo" == "bar" + + is possibly faster than this comparison: + + "foo" == "fo1" + + Attackers can use this information to attempt to guess the username and + password used in the basic authentication system. + + You can tell you application is vulnerable to this attack by looking for + `http_basic_authenticate_with` method calls in your application. + + All users running an affected release should either upgrade or use one of + the workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. 
+ + Workarounds + ----------- + If you can't upgrade, please use the following monkey patch in an initializer + that is loaded before your application: + + ``` + $ cat config/initializers/basic_auth_fix.rb + module ActiveSupport + module SecurityUtils + def secure_compare(a, b) + return false unless a.bytesize == b.bytesize + + l = a.unpack "C#{a.bytesize}" + + res = 0 + b.each_byte { |byte| res |= byte ^ l.shift } + res == 0 + end + module_function :secure_compare + + def variable_size_secure_compare(a, b) + secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) + end + module_function :variable_size_secure_compare + end + end + + module ActionController + class Base + def self.http_basic_authenticate_with(options = {}) + before_action(options.except(:name, :password, :realm)) do + authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| + # This comparison uses & so that it doesn't short circuit and + # uses `variable_size_secure_compare` so that length information + # isn't leaked. + ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & + ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) + end + end + end + end + end + ``` + + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. + + * 4-1-basic_auth.patch - Patch for 4.1 series + * 4-2-basic_auth.patch - Patch for 4.2 series + * 5-0-basic_auth.patch - Patch for 5.0 series + + Please note that only the 4.1.x and 4.2.x series are supported at present. Users + of earlier unsupported releases are advised to upgrade as soon as possible as we + cannot guarantee the continued availability of security fixes for unsupported + releases. + + Credits + ------- + + Thank you to Daniel Waterworth for reporting the problem and working with us to + fix it. 
+ cvss_v2: 4.3 + cvss_v3: 3.7 + patched_versions: + - ">= 5.0.0.beta1.1" + - "~> 4.2.5, >= 4.2.5.1" + - "~> 4.1.14, >= 4.1.14.1" + - "~> 3.2.22.1" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2015-7577.md b/advisories/_posts/2016-01-25-CVE-2015-7577.md index 00f79707..48b02d9c 100644 --- a/advisories/_posts/2016-01-25-CVE-2015-7577.md +++ b/advisories/_posts/2016-01-25-CVE-2015-7577.md 
@@ -1,115 +1,115 @@ ---- -layout: advisory -title: 'CVE-2015-7577 (activerecord): Nested attributes rejection proc bypass in Active - Record' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2015-7577 - ghsa: xrr6-3pc4-m447 - url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g - title: Nested attributes rejection proc bypass in Active Record - date: 2016-01-25 - description: | - There is a vulnerability in how the nested attributes feature in Active Record - handles updates in combination with destroy flags when destroying records is - disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577. - - Versions Affected: 3.1.0 and newer - Not affected: 3.0.x and older - Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 - - Impact - ------ - When using the nested attributes feature in Active Record you can prevent the - destruction of associated records by passing the `allow_destroy: false` option - to the `accepts_nested_attributes_for` method. However due to a change in the - commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from - being called because it assumes that the record will be destroyed anyway. - - However this isn't true if `:allow_destroy` is false so this leads to changes - that would have been rejected being applied to the record. Attackers could use - this do things like set attributes to invalid values and to clear all of the - attributes amongst other things. The severity will be dependent on how the - application has used this feature. - - All users running an affected release should either upgrade or use one of - the workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. 
- - Workarounds - ----------- - If you can't upgrade, please use the following monkey patch in an initializer - that is loaded before your application: - - ``` - $ cat config/initializers/nested_attributes_bypass_fix.rb - module ActiveRecord - module NestedAttributes - private - - def reject_new_record?(association_name, attributes) - will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes) - end - - def call_reject_if(association_name, attributes) - return false if will_be_destroyed?(association_name, attributes) - - case callback = self.nested_attributes_options[association_name][:reject_if] - when Symbol - method(callback).arity == 0 ? send(callback) : send(callback, attributes) - when Proc - callback.call(attributes) - end - end - - def will_be_destroyed?(association_name, attributes) - allow_destroy?(association_name) && has_destroy_flag?(attributes) - end - - def allow_destroy?(association_name) - self.nested_attributes_options[association_name][:allow_destroy] - end - end - end - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series - * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series - * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series - * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series - - Please note that only the 4.1.x and 4.2.x series are supported at present. Users - of earlier unsupported releases are advised to upgrade as soon as possible as we - cannot guarantee the continued availability of security fixes for unsupported - releases. - - Credits - ------- - Thank you to Justin Coyne for reporting the problem and working with us to fix it. 
- - [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325 - cvss_v2: 5.0 - cvss_v3: 5.3 - unaffected_versions: - - "~> 3.0.0" - - "< 3.0.0" - patched_versions: - - ">= 5.0.0.beta1.1" - - "~> 4.2.5, >= 4.2.5.1" - - "~> 4.1.14, >= 4.1.14.1" - - "~> 3.2.22.1" ---- +--- +layout: advisory +title: 'CVE-2015-7577 (activerecord): Nested attributes rejection proc bypass in Active + Record' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2015-7577 + ghsa: xrr6-3pc4-m447 + url: https://groups.google.com/forum/#!topic/rubyonrails-security/cawsWcQ6c8g + title: Nested attributes rejection proc bypass in Active Record + date: 2016-01-25 + description: | + There is a vulnerability in how the nested attributes feature in Active Record + handles updates in combination with destroy flags when destroying records is + disabled. This vulnerability has been assigned the CVE identifier CVE-2015-7577. + + Versions Affected: 3.1.0 and newer + Not affected: 3.0.x and older + Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 + + Impact + ------ + When using the nested attributes feature in Active Record you can prevent the + destruction of associated records by passing the `allow_destroy: false` option + to the `accepts_nested_attributes_for` method. However due to a change in the + commit [a9b4b5d][1] the `_destroy` flag prevents the `:reject_if` proc from + being called because it assumes that the record will be destroyed anyway. + + However this isn't true if `:allow_destroy` is false so this leads to changes + that would have been rejected being applied to the record. Attackers could use + this do things like set attributes to invalid values and to clear all of the + attributes amongst other things. The severity will be dependent on how the + application has used this feature. + + All users running an affected release should either upgrade or use one of + the workarounds immediately. 
+ + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + If you can't upgrade, please use the following monkey patch in an initializer + that is loaded before your application: + + ``` + $ cat config/initializers/nested_attributes_bypass_fix.rb + module ActiveRecord + module NestedAttributes + private + + def reject_new_record?(association_name, attributes) + will_be_destroyed?(association_name, attributes) || call_reject_if(association_name, attributes) + end + + def call_reject_if(association_name, attributes) + return false if will_be_destroyed?(association_name, attributes) + + case callback = self.nested_attributes_options[association_name][:reject_if] + when Symbol + method(callback).arity == 0 ? send(callback) : send(callback, attributes) + when Proc + callback.call(attributes) + end + end + + def will_be_destroyed?(association_name, attributes) + allow_destroy?(association_name) && has_destroy_flag?(attributes) + end + + def allow_destroy?(association_name) + self.nested_attributes_options[association_name][:allow_destroy] + end + end + end + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. + + * 3-2-nested-attributes-reject-if-bypass.patch - Patch for 3.2 series + * 4-1-nested-attributes-reject-if-bypass.patch - Patch for 4.1 series + * 4-2-nested-attributes-reject-if-bypass.patch - Patch for 4.2 series + * 5-0-nested-attributes-reject-if-bypass.patch - Patch for 5.0 series + + Please note that only the 4.1.x and 4.2.x series are supported at present. Users + of earlier unsupported releases are advised to upgrade as soon as possible as we + cannot guarantee the continued availability of security fixes for unsupported + releases. + + Credits + ------- + Thank you to Justin Coyne for reporting the problem and working with us to fix it. 
+ + [1]: https://github.com/rails/rails/commit/a9b4b5da7c216e4464eeb9dbd0a39ea258d64325 + cvss_v2: 5.0 + cvss_v3: 5.3 + unaffected_versions: + - "~> 3.0.0" + - "< 3.0.0" + patched_versions: + - ">= 5.0.0.beta1.1" + - "~> 4.2.5, >= 4.2.5.1" + - "~> 4.1.14, >= 4.1.14.1" + - "~> 3.2.22.1" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2015-7578.md b/advisories/_posts/2016-01-25-CVE-2015-7578.md index f0888eaf..bd12c8f9 100644 --- a/advisories/_posts/2016-01-25-CVE-2015-7578.md +++ b/advisories/_posts/2016-01-25-CVE-2015-7578.md 
@@ -1,53 +1,53 @@ ---- -layout: advisory -title: 'CVE-2015-7578 (rails-html-sanitizer): Possible XSS vulnerability in rails-html-sanitizer' -comments: false -categories: -- rails-html-sanitizer -advisory: - gem: rails-html-sanitizer - cve: 2015-7578 - ghsa: 59c7-4xj2-hgvw - url: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI - title: Possible XSS vulnerability in rails-html-sanitizer - date: 2016-01-25 - description: | - There is a possible XSS vulnerability in rails-html-sanitizer. This - vulnerability has been assigned the CVE identifier CVE-2015-7578. - - Versions Affected: All. - Not affected: None. - Fixed Versions: 1.0.3 - - Impact - ------ - There is a possible XSS vulnerability in rails-html-sanitizer. Certain - attributes are not removed from tags when they are sanitized, and these - attributes can lead to an XSS attack on target applications. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - There are no feasible workarounds for this issue. - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 1-0-sanitize_data_attributes.patch - Patch for 1.0 series - - Credits - ------- - Thanks to Ben Murphy and Marien for reporting this. 
- cvss_v3: 6.1 - patched_versions: - - ">= 1.0.3" ---- +--- +layout: advisory +title: 'CVE-2015-7578 (rails-html-sanitizer): Possible XSS vulnerability in rails-html-sanitizer' +comments: false +categories: +- rails-html-sanitizer +advisory: + gem: rails-html-sanitizer + cve: 2015-7578 + ghsa: 59c7-4xj2-hgvw + url: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI + title: Possible XSS vulnerability in rails-html-sanitizer + date: 2016-01-25 + description: | + There is a possible XSS vulnerability in rails-html-sanitizer. This + vulnerability has been assigned the CVE identifier CVE-2015-7578. + + Versions Affected: All. + Not affected: None. + Fixed Versions: 1.0.3 + + Impact + ------ + There is a possible XSS vulnerability in rails-html-sanitizer. Certain + attributes are not removed from tags when they are sanitized, and these + attributes can lead to an XSS attack on target applications. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + There are no feasible workarounds for this issue. + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. + + * 1-0-sanitize_data_attributes.patch - Patch for 1.0 series + + Credits + ------- + Thanks to Ben Murphy and Marien for reporting this. + cvss_v3: 6.1 + patched_versions: + - ">= 1.0.3" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2015-7579.md b/advisories/_posts/2016-01-25-CVE-2015-7579.md index bb5e2904..4bb3a925 100644 --- a/advisories/_posts/2016-01-25-CVE-2015-7579.md +++ b/advisories/_posts/2016-01-25-CVE-2015-7579.md 
@@ -1,80 +1,80 @@ ---- -layout: advisory -title: 'CVE-2015-7579 (rails-html-sanitizer): XSS vulnerability in rails-html-sanitizer' -comments: false -categories: -- rails-html-sanitizer -advisory: - gem: rails-html-sanitizer - cve: 2015-7579 - ghsa: r9c2-cr39-c8g6 - url: https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc - title: XSS vulnerability in rails-html-sanitizer - date: 2016-01-25 - description: | - There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`. - This vulnerability has been assigned the CVE identifier CVE-2015-7579. - - Versions Affected: 1.0.2 - Not affected: 1.0.0, 1.0.1 - Fixed Versions: 1.0.3 - - Impact - ------ - Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker - passes an already escaped HTML entity to the input of Action View's `strip_tags` - these entities will be unescaped what may cause a XSS attack if used in combination - with `raw` or `html_safe`. - - For example: - - strip_tags("<script>alert('XSS')</script>") - - Would generate: - - - - After the fix it will generate: - - <script>alert('XSS')</script> - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - If you can't upgrade, please use the following monkey patch in an initializer - that is loaded before your application: - - ``` - $ cat config/initializers/strip_tags_fix.rb - class ActionView::Base - def strip_tags(html) - self.class.full_sanitizer.sanitize(html) - end - end - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches - for the two supported release series. They are in git-am format and consist - of a single changeset. 
- - * Do-not-unescape-already-escaped-HTML-entities.patch - - Credits - ------- - Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for - reporting the problem and working with us to fix it. - cvss_v3: 6.1 - unaffected_versions: - - "~> 1.0.0" - - "~> 1.0.1" - patched_versions: - - ">= 1.0.3" ---- +--- +layout: advisory +title: 'CVE-2015-7579 (rails-html-sanitizer): XSS vulnerability in rails-html-sanitizer' +comments: false +categories: +- rails-html-sanitizer +advisory: + gem: rails-html-sanitizer + cve: 2015-7579 + ghsa: r9c2-cr39-c8g6 + url: https://groups.google.com/forum/#!topic/rubyonrails-security/OU9ugTZcbjc + title: XSS vulnerability in rails-html-sanitizer + date: 2016-01-25 + description: | + There is a XSS vulnerability in `Rails::Html::FullSanitizer` used by Action View's `strip_tags`. + This vulnerability has been assigned the CVE identifier CVE-2015-7579. + + Versions Affected: 1.0.2 + Not affected: 1.0.0, 1.0.1 + Fixed Versions: 1.0.3 + + Impact + ------ + Due to the way that `Rails::Html::FullSanitizer` is implemented, if an attacker + passes an already escaped HTML entity to the input of Action View's `strip_tags` + these entities will be unescaped what may cause a XSS attack if used in combination + with `raw` or `html_safe`. + + For example: + + strip_tags("<script>alert('XSS')</script>") + + Would generate: + + + + After the fix it will generate: + + <script>alert('XSS')</script> + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. 
+ + Workarounds + ----------- + If you can't upgrade, please use the following monkey patch in an initializer + that is loaded before your application: + + ``` + $ cat config/initializers/strip_tags_fix.rb + class ActionView::Base + def strip_tags(html) + self.class.full_sanitizer.sanitize(html) + end + end + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches + for the two supported release series. They are in git-am format and consist + of a single changeset. + + * Do-not-unescape-already-escaped-HTML-entities.patch + + Credits + ------- + Thank you to Arthur Neves from GitHub and Spyros Livathinos from Zendesk for + reporting the problem and working with us to fix it. + cvss_v3: 6.1 + unaffected_versions: + - "~> 1.0.0" + - "~> 1.0.1" + patched_versions: + - ">= 1.0.3" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2015-7580.md b/advisories/_posts/2016-01-25-CVE-2015-7580.md index d2f58836..5cb8ac2d 100644 --- a/advisories/_posts/2016-01-25-CVE-2015-7580.md +++ b/advisories/_posts/2016-01-25-CVE-2015-7580.md 
@@ -1,76 +1,76 @@ ---- -layout: advisory -title: 'CVE-2015-7580 (rails-html-sanitizer): Possible XSS vulnerability in rails-html-sanitizer' -comments: false -categories: -- rails-html-sanitizer -advisory: - gem: rails-html-sanitizer - cve: 2015-7580 - ghsa: ghqm-pgxj-37gq - url: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI - title: Possible XSS vulnerability in rails-html-sanitizer - date: 2016-01-25 - description: | - There is a possible XSS vulnerability in the white list sanitizer in the - rails-html-sanitizer gem. This vulnerability has been assigned the CVE - identifier CVE-2015-7580. - - Versions Affected: All. - Not affected: None. - Fixed Versions: v1.0.3 - - Impact - ------ - Carefully crafted strings can cause user input to bypass the sanitization in - the white list sanitizer which will can lead to an XSS attack. - - Vulnerable code will look something like this: - - <%= sanitize user_input, tags: %w(em) %> - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - Putting the following monkey patch in an initializer can help to mitigate the - issue: - - ``` - class Rails::Html::PermitScrubber - alias :old_scrub :scrub - alias :old_skip_node? :skip_node? - - def scrub(node) - if node.cdata? - text = node.document.create_text_node node.text - node.replace text - return CONTINUE - end - old_scrub node - end - - def skip_node?(node); node.text?; end - end - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series - - Credits - ------- - Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue. 
- cvss_v3: 6.1 - patched_versions: - - ">= 1.0.3" ---- +--- +layout: advisory +title: 'CVE-2015-7580 (rails-html-sanitizer): Possible XSS vulnerability in rails-html-sanitizer' +comments: false +categories: +- rails-html-sanitizer +advisory: + gem: rails-html-sanitizer + cve: 2015-7580 + ghsa: ghqm-pgxj-37gq + url: https://groups.google.com/forum/#!topic/rubyonrails-security/uh--W4TDwmI + title: Possible XSS vulnerability in rails-html-sanitizer + date: 2016-01-25 + description: | + There is a possible XSS vulnerability in the white list sanitizer in the + rails-html-sanitizer gem. This vulnerability has been assigned the CVE + identifier CVE-2015-7580. + + Versions Affected: All. + Not affected: None. + Fixed Versions: v1.0.3 + + Impact + ------ + Carefully crafted strings can cause user input to bypass the sanitization in + the white list sanitizer which will can lead to an XSS attack. + + Vulnerable code will look something like this: + + <%= sanitize user_input, tags: %w(em) %> + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + Putting the following monkey patch in an initializer can help to mitigate the + issue: + + ``` + class Rails::Html::PermitScrubber + alias :old_scrub :scrub + alias :old_skip_node? :skip_node? + + def scrub(node) + if node.cdata? + text = node.document.create_text_node node.text + node.replace text + return CONTINUE + end + old_scrub node + end + + def skip_node?(node); node.text?; end + end + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. + + * 1-0-whitelist_sanitizer_xss.patch - Patch for 1.0 series + + Credits + ------- + Thanks to Arnaud Germis, Nate Clark, and John Colvin for reporting this issue. 
+ cvss_v3: 6.1 + patched_versions: + - ">= 1.0.3" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2015-7581.md b/advisories/_posts/2016-01-25-CVE-2015-7581.md index af761bd4..814e81c3 100644 --- a/advisories/_posts/2016-01-25-CVE-2015-7581.md +++ b/advisories/_posts/2016-01-25-CVE-2015-7581.md 
@@ -1,62 +1,62 @@ ---- -layout: advisory -title: 'CVE-2015-7581 (actionpack): Object leak vulnerability for wildcard controller - routes in Action Pack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2015-7581 - ghsa: 9h6g-gp95-x3q5 - url: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE - title: Object leak vulnerability for wildcard controller routes in Action Pack - date: 2016-01-25 - description: | - There is an object leak vulnerability for wildcard controllers in Action Pack. - This vulnerability has been assigned the CVE identifier CVE-2015-7581. - - Versions Affected: >= 4.0.0 and < 5.0.0.beta1 - Not affected: < 4.0.0, 5.0.0.beta1 and newer - Fixed Versions: 4.2.5.1, 4.1.14.1 - - Impact - ------ - Users that have a route that contains the string ":controller" are susceptible - to objects being leaked globally which can lead to unbounded memory growth. - To identify if your application is vulnerable, look for routes that contain - ":controller". - - Internally, Action Pack keeps a map of "url controller name" to "controller - class name". This map is cached globally, and is populated even if the - controller class doesn't actually exist. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - There are no feasible workarounds for this issue. - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. - - * 4-1-wildcard_route.patch - Patch for 4.1 series - * 4-2-wildcard_route.patch - Patch for 4.2 series - - Please note that only the 4.1.x and 4.2.x series are supported at present. 
Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. - cvss_v3: 7.5 - unaffected_versions: - - "< 4.0.0" - - ">= 5.0.0.beta1" - patched_versions: - - "~> 4.2.5, >= 4.2.5.1" - - "~> 4.1.14, >= 4.1.14.1" ---- +--- +layout: advisory +title: 'CVE-2015-7581 (actionpack): Object leak vulnerability for wildcard controller + routes in Action Pack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2015-7581 + ghsa: 9h6g-gp95-x3q5 + url: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE + title: Object leak vulnerability for wildcard controller routes in Action Pack + date: 2016-01-25 + description: | + There is an object leak vulnerability for wildcard controllers in Action Pack. + This vulnerability has been assigned the CVE identifier CVE-2015-7581. + + Versions Affected: >= 4.0.0 and < 5.0.0.beta1 + Not affected: < 4.0.0, 5.0.0.beta1 and newer + Fixed Versions: 4.2.5.1, 4.1.14.1 + + Impact + ------ + Users that have a route that contains the string ":controller" are susceptible + to objects being leaked globally which can lead to unbounded memory growth. + To identify if your application is vulnerable, look for routes that contain + ":controller". + + Internally, Action Pack keeps a map of "url controller name" to "controller + class name". This map is cached globally, and is populated even if the + controller class doesn't actually exist. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + There are no feasible workarounds for this issue. + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. 
They are in git-am format and consist of a single changeset. + + * 4-1-wildcard_route.patch - Patch for 4.1 series + * 4-2-wildcard_route.patch - Patch for 4.2 series + + Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. + cvss_v3: 7.5 + unaffected_versions: + - "< 4.0.0" + - ">= 5.0.0.beta1" + patched_versions: + - "~> 4.2.5, >= 4.2.5.1" + - "~> 4.1.14, >= 4.1.14.1" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2016-0751.md b/advisories/_posts/2016-01-25-CVE-2016-0751.md index b5dc1c85..428e67fb 100644 --- a/advisories/_posts/2016-01-25-CVE-2016-0751.md +++ b/advisories/_posts/2016-01-25-CVE-2016-0751.md 
@@ -1,80 +1,80 @@ ---- -layout: advisory -title: 'CVE-2016-0751 (actionpack): Possible Object Leak and Denial of Service attack - in Action Pack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2016-0751 - ghsa: ffpv-c4hm-3x6v - url: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc - title: Possible Object Leak and Denial of Service attack in Action Pack - date: 2016-01-25 - description: | - There is a possible object leak which can lead to a denial of service - vulnerability in Action Pack. This vulnerability has been - assigned the CVE identifier CVE-2016-0751. - - Versions Affected: All. - Not affected: None. - Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 - - Impact - ------ - A carefully crafted accept header can cause a global cache of mime types to - grow indefinitely which can lead to a possible denial of service attack in - Action Pack. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - This attack can be mitigated by a proxy that only allows known mime types in - the Accept header. - - Placing the following code in an initializer will also mitigate the issue: - - ```ruby - require 'action_dispatch/http/mime_type' - - Mime.const_set :LOOKUP, Hash.new { |h,k| - Mime::Type.new(k) unless k.blank? - } - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 5-0-mime_types_leak.patch - Patch for 5.0 series - * 4-2-mime_types_leak.patch - Patch for 4.2 series - * 4-1-mime_types_leak.patch - Patch for 4.1 series - * 3-2-mime_types_leak.patch - Patch for 3.2 series - - Please note that only the 4.1.x and 4.2.x series are supported at present. 
Users - of earlier unsupported releases are advised to upgrade as soon as possible as we - cannot guarantee the continued availability of security fixes for unsupported - releases. - - Credits - ------- - Aaron Patterson <3<3 - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 5.0.0.beta1.1" - - "~> 4.2.5, >= 4.2.5.1" - - "~> 4.1.14, >= 4.1.14.1" - - "~> 3.2.22.1" ---- +--- +layout: advisory +title: 'CVE-2016-0751 (actionpack): Possible Object Leak and Denial of Service attack + in Action Pack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2016-0751 + ghsa: ffpv-c4hm-3x6v + url: https://groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc + title: Possible Object Leak and Denial of Service attack in Action Pack + date: 2016-01-25 + description: | + There is a possible object leak which can lead to a denial of service + vulnerability in Action Pack. This vulnerability has been + assigned the CVE identifier CVE-2016-0751. + + Versions Affected: All. + Not affected: None. + Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 + + Impact + ------ + A carefully crafted accept header can cause a global cache of mime types to + grow indefinitely which can lead to a possible denial of service attack in + Action Pack. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + This attack can be mitigated by a proxy that only allows known mime types in + the Accept header. + + Placing the following code in an initializer will also mitigate the issue: + + ```ruby + require 'action_dispatch/http/mime_type' + + Mime.const_set :LOOKUP, Hash.new { |h,k| + Mime::Type.new(k) unless k.blank? 
+ } + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. + + * 5-0-mime_types_leak.patch - Patch for 5.0 series + * 4-2-mime_types_leak.patch - Patch for 4.2 series + * 4-1-mime_types_leak.patch - Patch for 4.1 series + * 3-2-mime_types_leak.patch - Patch for 3.2 series + + Please note that only the 4.1.x and 4.2.x series are supported at present. Users + of earlier unsupported releases are advised to upgrade as soon as possible as we + cannot guarantee the continued availability of security fixes for unsupported + releases. + + Credits + ------- + Aaron Patterson <3<3 + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 5.0.0.beta1.1" + - "~> 4.2.5, >= 4.2.5.1" + - "~> 4.1.14, >= 4.1.14.1" + - "~> 3.2.22.1" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2016-0752.md b/advisories/_posts/2016-01-25-CVE-2016-0752.md index af91697e..26d22e14 100644 --- a/advisories/_posts/2016-01-25-CVE-2016-0752.md +++ b/advisories/_posts/2016-01-25-CVE-2016-0752.md 
@@ -1,101 +1,101 @@ ---- -layout: advisory -title: 'CVE-2016-0752 (actionview): Possible Information Leak Vulnerability in Action - View' -comments: false -categories: -- actionview -- rails -advisory: - gem: actionview - framework: rails - cve: 2016-0752 - ghsa: xrr4-p6fq-hjg7 - url: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00 - title: Possible Information Leak Vulnerability in Action View - date: 2016-01-25 - description: | - There is a possible directory traversal and information leak vulnerability in - Action View. This vulnerability has been assigned the CVE identifier - CVE-2016-0752. - - Versions Affected: All. - Not affected: None. - Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 - - Impact - ------ - Applications that pass unverified user input to the `render` method in a - controller may be vulnerable to an information leak vulnerability. - - Impacted code will look something like this: - - ```ruby - def index - render params[:id] - end - ``` - - Carefully crafted requests can cause the above code to render files from - unexpected places like outside the application's view directory, and can - possibly escalate this to a remote code execution attack. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - A workaround to this issue is to not pass arbitrary user input to the `render` - method. Instead, verify that data before passing it to the `render` method. 
- - For example, change this: - - ```ruby - def index - render params[:id] - end - ``` - - To this: - - ```ruby - def index - render verify_template(params[:id]) - end - - private - def verify_template(name) - # add verification logic particular to your application here - end - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 3-2-render_data_leak.patch - Patch for 3.2 series - * 4-1-render_data_leak.patch - Patch for 4.1 series - * 4-2-render_data_leak.patch - Patch for 4.2 series - * 5-0-render_data_leak.patch - Patch for 5.0 series - - Please note that only the 4.1.x and 4.2.x series are supported at present. Users - of earlier unsupported releases are advised to upgrade as soon as possible as we - cannot guarantee the continued availability of security fixes for unsupported - releases. - - Credits - ------- - Thanks John Poulin for reporting this! - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 5.0.0.beta1.1" - - "~> 4.2.5, >= 4.2.5.1" - - "~> 4.1.14, >= 4.1.14.1" ---- +--- +layout: advisory +title: 'CVE-2016-0752 (actionview): Possible Information Leak Vulnerability in Action + View' +comments: false +categories: +- actionview +- rails +advisory: + gem: actionview + framework: rails + cve: 2016-0752 + ghsa: xrr4-p6fq-hjg7 + url: https://groups.google.com/forum/#!topic/rubyonrails-security/335P1DcLG00 + title: Possible Information Leak Vulnerability in Action View + date: 2016-01-25 + description: | + There is a possible directory traversal and information leak vulnerability in + Action View. This vulnerability has been assigned the CVE identifier + CVE-2016-0752. + + Versions Affected: All. + Not affected: None. 
+ Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 + + Impact + ------ + Applications that pass unverified user input to the `render` method in a + controller may be vulnerable to an information leak vulnerability. + + Impacted code will look something like this: + + ```ruby + def index + render params[:id] + end + ``` + + Carefully crafted requests can cause the above code to render files from + unexpected places like outside the application's view directory, and can + possibly escalate this to a remote code execution attack. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + A workaround to this issue is to not pass arbitrary user input to the `render` + method. Instead, verify that data before passing it to the `render` method. + + For example, change this: + + ```ruby + def index + render params[:id] + end + ``` + + To this: + + ```ruby + def index + render verify_template(params[:id]) + end + + private + def verify_template(name) + # add verification logic particular to your application here + end + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. + + * 3-2-render_data_leak.patch - Patch for 3.2 series + * 4-1-render_data_leak.patch - Patch for 4.1 series + * 4-2-render_data_leak.patch - Patch for 4.2 series + * 5-0-render_data_leak.patch - Patch for 5.0 series + + Please note that only the 4.1.x and 4.2.x series are supported at present. Users + of earlier unsupported releases are advised to upgrade as soon as possible as we + cannot guarantee the continued availability of security fixes for unsupported + releases. + + Credits + ------- + Thanks John Poulin for reporting this! 
+ cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 5.0.0.beta1.1" + - "~> 4.2.5, >= 4.2.5.1" + - "~> 4.1.14, >= 4.1.14.1" +--- diff --git a/advisories/_posts/2016-01-25-CVE-2016-0753.md b/advisories/_posts/2016-01-25-CVE-2016-0753.md index b66c0c44..545f703a 100644 --- a/advisories/_posts/2016-01-25-CVE-2016-0753.md +++ b/advisories/_posts/2016-01-25-CVE-2016-0753.md 
@@ -1,100 +1,100 @@ ---- -layout: advisory -title: 'CVE-2016-0753 (activemodel): Possible Input Validation Circumvention in Active - Model' -comments: false -categories: -- activemodel -- rails -advisory: - gem: activemodel - framework: rails - cve: 2016-0753 - ghsa: 543v-gj2c-r3ch - url: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ - title: Possible Input Validation Circumvention in Active Model - date: 2016-01-25 - description: | - There is a possible input validation circumvention vulnerability in Active - Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. - - Versions Affected: 4.1.0 and newer - Not affected: 4.0.13 and older - Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1 - - Impact - ------ - Code that uses Active Model based models (including Active Record models) and - does not validate user input before passing it to the model can be subject to - an attack where specially crafted input will cause the model to skip - validations. - - Vulnerable code will look something like this: - - ```ruby - SomeModel.new(unverified_user_input) - ``` - - Rails users using Strong Parameters are generally not impacted by this issue - as they are encouraged to whitelist parameters and must specifically opt-out - of input verification using the `permit!` method to allow mass assignment. - - For example, a vulnerable Rails application will have code that looks like - this: - - ```ruby - def create - params.permit! # allow all parameters - @user = User.new params[:users] - end - ``` - - Active Model and Active Record objects are not equipped to handle arbitrary - user input. It is up to the application to verify input before passing it to - Active Model models. Rails users already have Strong Parameters in place to - handle white listing, but applications using Active Model and Active Record - outside of a Rails environment may be impacted. 
- - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - There are several workarounds depending on the application. Inside a Rails - application, stop using `permit!`. Outside a Rails application, either use - Hash#slice to select the parameters you need, or integrate Strong Parameters - with your application. - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches for - the two supported release series. They are in git-am format and consist of a - single changeset. - - * 4-1-validation_skip.patch - Patch for 4.1 series - * 4-2-validation_skip.patch - Patch for 4.2 series - * 5-0-validation_skip.patch - Patch for 5.0 series - - Please note that only the 4.1.x and 4.2.x series are supported at present. Users - of earlier unsupported releases are advised to upgrade as soon as possible as we - cannot guarantee the continued availability of security fixes for unsupported - releases. - - Credits - ------- - Thanks to: - - [John Backus](https://github.com/backus) from BlockScore for reporting this! - cvss_v2: 5.0 - cvss_v3: 5.3 - unaffected_versions: - - "<= 4.0.13" - patched_versions: - - ">= 5.0.0.beta1.1" - - "~> 4.2.5, >= 4.2.5.1" - - "~> 4.1.14, >= 4.1.14.1" ---- +--- +layout: advisory +title: 'CVE-2016-0753 (activemodel): Possible Input Validation Circumvention in Active + Model' +comments: false +categories: +- activemodel +- rails +advisory: + gem: activemodel + framework: rails + cve: 2016-0753 + ghsa: 543v-gj2c-r3ch + url: https://groups.google.com/forum/#!topic/rubyonrails-security/6jQVC1geukQ + title: Possible Input Validation Circumvention in Active Model + date: 2016-01-25 + description: | + There is a possible input validation circumvention vulnerability in Active + Model. This vulnerability has been assigned the CVE identifier CVE-2016-0753. 
+ + Versions Affected: 4.1.0 and newer + Not affected: 4.0.13 and older + Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1 + + Impact + ------ + Code that uses Active Model based models (including Active Record models) and + does not validate user input before passing it to the model can be subject to + an attack where specially crafted input will cause the model to skip + validations. + + Vulnerable code will look something like this: + + ```ruby + SomeModel.new(unverified_user_input) + ``` + + Rails users using Strong Parameters are generally not impacted by this issue + as they are encouraged to whitelist parameters and must specifically opt-out + of input verification using the `permit!` method to allow mass assignment. + + For example, a vulnerable Rails application will have code that looks like + this: + + ```ruby + def create + params.permit! # allow all parameters + @user = User.new params[:users] + end + ``` + + Active Model and Active Record objects are not equipped to handle arbitrary + user input. It is up to the application to verify input before passing it to + Active Model models. Rails users already have Strong Parameters in place to + handle white listing, but applications using Active Model and Active Record + outside of a Rails environment may be impacted. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + There are several workarounds depending on the application. Inside a Rails + application, stop using `permit!`. Outside a Rails application, either use + Hash#slice to select the parameters you need, or integrate Strong Parameters + with your application. + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a + single changeset. 
+ + * 4-1-validation_skip.patch - Patch for 4.1 series + * 4-2-validation_skip.patch - Patch for 4.2 series + * 5-0-validation_skip.patch - Patch for 5.0 series + + Please note that only the 4.1.x and 4.2.x series are supported at present. Users + of earlier unsupported releases are advised to upgrade as soon as possible as we + cannot guarantee the continued availability of security fixes for unsupported + releases. + + Credits + ------- + Thanks to: + + [John Backus](https://github.com/backus) from BlockScore for reporting this! + cvss_v2: 5.0 + cvss_v3: 5.3 + unaffected_versions: + - "<= 4.0.13" + patched_versions: + - ">= 5.0.0.beta1.1" + - "~> 4.2.5, >= 4.2.5.1" + - "~> 4.1.14, >= 4.1.14.1" +--- diff --git a/advisories/_posts/2016-02-29-CVE-2016-2097.md b/advisories/_posts/2016-02-29-CVE-2016-2097.md index 0141f134..242f0b38 100644 --- a/advisories/_posts/2016-02-29-CVE-2016-2097.md +++ b/advisories/_posts/2016-02-29-CVE-2016-2097.md 
@@ -1,95 +1,95 @@ ---- -layout: advisory -title: 'CVE-2016-2097 (actionview): Possible Information Leak Vulnerability in Action - View' -comments: false -categories: -- actionview -- rails -advisory: - gem: actionview - framework: rails - cve: 2016-2097 - ghsa: vx9j-46rh-fqr8 - url: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4 - title: Possible Information Leak Vulnerability in Action View - date: 2016-02-29 - description: |2 - - There is a possible directory traversal and information leak vulnerability - in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 - patch was not covering all the scenarios. This vulnerability has been - assigned the CVE identifier CVE-2016-2097. - - Versions Affected: 3.2.x, 4.0.x, 4.1.x - Not affected: 4.2+ - Fixed Versions: 3.2.22.2, 4.1.14.2 - - Impact - ------ - Applications that pass unverified user input to the `render` method in a - controller may be vulnerable to an information leak vulnerability. - - Impacted code will look something like this: - - ```ruby - def index - render params[:id] - end - ``` - - Carefully crafted requests can cause the above code to render files from - unexpected places like outside the application's view directory, and can - possibly escalate this to a remote code execution attack. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - A workaround to this issue is to not pass arbitrary user input to the `render` - method. Instead, verify that data before passing it to the `render` method. 
- - For example, change this: - - ```ruby - def index - render params[:id] - end - ``` - - To this: - - ```ruby - def index - render verify_template(params[:id]) - end - - private - def verify_template(name) - # add verification logic particular to your application here - end - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided patches - for it. It is in git-am format and consist of a single changeset. - - * 3-2-render_data_leak_2.patch - Patch for 3.2 series - * 4-1-render_data_leak_2.patch - Patch for 4.1 series - - Credits - ------- - Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this - and working with us in the patch! - cvss_v3: 5.3 - unaffected_versions: - - ">= 4.2.0" - patched_versions: - - "~> 4.1.14, >= 4.1.14.2" ---- +--- +layout: advisory +title: 'CVE-2016-2097 (actionview): Possible Information Leak Vulnerability in Action + View' +comments: false +categories: +- actionview +- rails +advisory: + gem: actionview + framework: rails + cve: 2016-2097 + ghsa: vx9j-46rh-fqr8 + url: https://groups.google.com/forum/#!topic/rubyonrails-security/ddY6HgqB2z4 + title: Possible Information Leak Vulnerability in Action View + date: 2016-02-29 + description: |2 + + There is a possible directory traversal and information leak vulnerability + in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 + patch was not covering all the scenarios. This vulnerability has been + assigned the CVE identifier CVE-2016-2097. + + Versions Affected: 3.2.x, 4.0.x, 4.1.x + Not affected: 4.2+ + Fixed Versions: 3.2.22.2, 4.1.14.2 + + Impact + ------ + Applications that pass unverified user input to the `render` method in a + controller may be vulnerable to an information leak vulnerability. 
+ + Impacted code will look something like this: + + ```ruby + def index + render params[:id] + end + ``` + + Carefully crafted requests can cause the above code to render files from + unexpected places like outside the application's view directory, and can + possibly escalate this to a remote code execution attack. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + A workaround to this issue is to not pass arbitrary user input to the `render` + method. Instead, verify that data before passing it to the `render` method. + + For example, change this: + + ```ruby + def index + render params[:id] + end + ``` + + To this: + + ```ruby + def index + render verify_template(params[:id]) + end + + private + def verify_template(name) + # add verification logic particular to your application here + end + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided patches + for it. It is in git-am format and consist of a single changeset. + + * 3-2-render_data_leak_2.patch - Patch for 3.2 series + * 4-1-render_data_leak_2.patch - Patch for 4.1 series + + Credits + ------- + Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this + and working with us in the patch! + cvss_v3: 5.3 + unaffected_versions: + - ">= 4.2.0" + patched_versions: + - "~> 4.1.14, >= 4.1.14.2" +--- diff --git a/advisories/_posts/2016-02-29-CVE-2016-2098.md b/advisories/_posts/2016-02-29-CVE-2016-2098.md index 7c18c910..346d982e 100644 --- a/advisories/_posts/2016-02-29-CVE-2016-2098.md +++ b/advisories/_posts/2016-02-29-CVE-2016-2098.md 
@@ -1,96 +1,96 @@ ---- -layout: advisory -title: 'CVE-2016-2098 (actionpack): Possible remote code execution vulnerability in - Action Pack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2016-2098 - ghsa: 78rc-8c29-p45g - url: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q - title: Possible remote code execution vulnerability in Action Pack - date: 2016-02-29 - description: | - There is a possible remote code execution vulnerability in Action Pack. - This vulnerability has been assigned the CVE identifier CVE-2016-2098. - - Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x - Not affected: 5.0+ - Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2 - - Impact - ------ - Applications that pass unverified user input to the `render` method in a - controller or a view may be vulnerable to a code injection. - - Impacted code will look like this: - - ```ruby - class TestController < ApplicationController - def show - render params[:id] - end - end - ``` - - An attacker could use the request parameters to coerce the above example - to execute arbitrary ruby code. - - All users running an affected release should either upgrade or use one of - the workarounds immediately. - - Releases - -------- - The FIXED releases are available at the normal locations. - - Workarounds - ----------- - A workaround to this issue is to not pass arbitrary user input to the `render` - method. Instead, verify that data before passing it to the `render` method. - - For example, change this: - - ```ruby - def index - render params[:id] - end - ``` - - To this: - - ```ruby - def index - render verify_template(params[:id]) - end - - private - def verify_template(name) - # add verification logic particular to your application here - end - ``` - - Patches - ------- - To aid users who aren't able to upgrade immediately we have provided a - patch for it. It is in git-am format and consist of a single changeset. 
- - * 3-2-secure_inline_with_params.patch - Patch for 3.2 series - * 4-1-secure_inline_with_params.patch - Patch for 4.1 series - * 4-2-secure_inline_with_params.patch - Patch for 4.2 series - - Credits - ------- - Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for - reporting this! - cvss_v3: 7.3 - unaffected_versions: - - ">= 5.0.0.beta1" - patched_versions: - - "~> 3.2.22.2" - - "~> 4.2.5, >= 4.2.5.2" - - "~> 4.1.14, >= 4.1.14.2" ---- +--- +layout: advisory +title: 'CVE-2016-2098 (actionpack): Possible remote code execution vulnerability in + Action Pack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2016-2098 + ghsa: 78rc-8c29-p45g + url: https://groups.google.com/forum/#!topic/rubyonrails-security/ly-IH-fxr_Q + title: Possible remote code execution vulnerability in Action Pack + date: 2016-02-29 + description: | + There is a possible remote code execution vulnerability in Action Pack. + This vulnerability has been assigned the CVE identifier CVE-2016-2098. + + Versions Affected: 3.2.x, 4.0.x, 4.1.x, 4.2.x + Not affected: 5.0+ + Fixed Versions: 3.2.22.2, 4.1.14.2, 4.2.5.2 + + Impact + ------ + Applications that pass unverified user input to the `render` method in a + controller or a view may be vulnerable to a code injection. + + Impacted code will look like this: + + ```ruby + class TestController < ApplicationController + def show + render params[:id] + end + end + ``` + + An attacker could use the request parameters to coerce the above example + to execute arbitrary ruby code. + + All users running an affected release should either upgrade or use one of + the workarounds immediately. + + Releases + -------- + The FIXED releases are available at the normal locations. + + Workarounds + ----------- + A workaround to this issue is to not pass arbitrary user input to the `render` + method. Instead, verify that data before passing it to the `render` method. 
+ + For example, change this: + + ```ruby + def index + render params[:id] + end + ``` + + To this: + + ```ruby + def index + render verify_template(params[:id]) + end + + private + def verify_template(name) + # add verification logic particular to your application here + end + ``` + + Patches + ------- + To aid users who aren't able to upgrade immediately we have provided a + patch for it. It is in git-am format and consist of a single changeset. + + * 3-2-secure_inline_with_params.patch - Patch for 3.2 series + * 4-1-secure_inline_with_params.patch - Patch for 4.1 series + * 4-2-secure_inline_with_params.patch - Patch for 4.2 series + + Credits + ------- + Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for + reporting this! + cvss_v3: 7.3 + unaffected_versions: + - ">= 5.0.0.beta1" + patched_versions: + - "~> 3.2.22.2" + - "~> 4.2.5, >= 4.2.5.2" + - "~> 4.1.14, >= 4.1.14.2" +--- diff --git a/advisories/_posts/2016-04-01-CVE-2016-3098.md b/advisories/_posts/2016-04-01-CVE-2016-3098.md index 46ba3ff5..cbf2d0ca 100644 --- a/advisories/_posts/2016-04-01-CVE-2016-3098.md +++ b/advisories/_posts/2016-04-01-CVE-2016-3098.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2016-3098 (administrate): Cross-site request forgery (CSRF) vulnerability - in administrate gem' -comments: false -categories: -- administrate -advisory: - gem: administrate - cve: 2016-3098 - ghsa: cc8c-26rj-v2vx - url: http://seclists.org/oss-sec/2016/q2/0 - title: Cross-site request forgery (CSRF) vulnerability in administrate gem - date: 2016-04-01 - description: | - "`Administrate::ApplicationController` actions didn't have CSRF protection. - Remote attackers can hijack user's sessions and use any functionality that administrate - exposes on their behalf." - cvss_v3: 5.4 - patched_versions: - - ">= 0.1.5" ---- +--- +layout: advisory +title: 'CVE-2016-3098 (administrate): Cross-site request forgery (CSRF) vulnerability + in administrate gem' +comments: false +categories: +- administrate +advisory: + gem: administrate + cve: 2016-3098 + ghsa: cc8c-26rj-v2vx + url: http://seclists.org/oss-sec/2016/q2/0 + title: Cross-site request forgery (CSRF) vulnerability in administrate gem + date: 2016-04-01 + description: | + "`Administrate::ApplicationController` actions didn't have CSRF protection. + Remote attackers can hijack user's sessions and use any functionality that administrate + exposes on their behalf." + cvss_v3: 5.4 + patched_versions: + - ">= 0.1.5" +--- diff --git a/advisories/_posts/2016-04-13-CVE-2016-10193.md b/advisories/_posts/2016-04-13-CVE-2016-10193.md index 26e97227..2027b93e 100644 --- a/advisories/_posts/2016-04-13-CVE-2016-10193.md +++ b/advisories/_posts/2016-04-13-CVE-2016-10193.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2016-10193 (espeak-ruby): espeak-ruby Gem for Ruby Arbitrary Command Execution' -comments: false -categories: -- espeak-ruby -advisory: - gem: espeak-ruby - cve: 2016-10193 - ghsa: 4jm3-pfpf-h54p - url: https://github.com/dejan/espeak-ruby/issues/7 - title: espeak-ruby Gem for Ruby Arbitrary Command Execution - date: 2016-04-13 - description: | - espeak-ruby passes user modifiable strings directly to a shell - command. An attacker can execute malicious commands by modifying - the strings that are passed as arguments to the speak, save, bytes - and bytes_wav methods in the lib/espeak/speech.rb library. - cvss_v3: 9.8 - patched_versions: - - ">= 1.0.3" ---- +--- +layout: advisory +title: 'CVE-2016-10193 (espeak-ruby): espeak-ruby Gem for Ruby Arbitrary Command Execution' +comments: false +categories: +- espeak-ruby +advisory: + gem: espeak-ruby + cve: 2016-10193 + ghsa: 4jm3-pfpf-h54p + url: https://github.com/dejan/espeak-ruby/issues/7 + title: espeak-ruby Gem for Ruby Arbitrary Command Execution + date: 2016-04-13 + description: | + espeak-ruby passes user modifiable strings directly to a shell + command. An attacker can execute malicious commands by modifying + the strings that are passed as arguments to the speak, save, bytes + and bytes_wav methods in the lib/espeak/speech.rb library. + cvss_v3: 9.8 + patched_versions: + - ">= 1.0.3" +--- diff --git a/advisories/_posts/2016-04-20-CVE-2016-3693.md b/advisories/_posts/2016-04-20-CVE-2016-3693.md index 684997a5..7a7a9e09 100644 --- a/advisories/_posts/2016-04-20-CVE-2016-3693.md +++ b/advisories/_posts/2016-04-20-CVE-2016-3693.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2016-3693 (safemode): Safemode Gem for Ruby is vulnerable to information - disclosure' -comments: false -categories: -- safemode -advisory: - gem: safemode - cve: 2016-3693 - ghsa: c92m-rrrc-q5wf - url: http://seclists.org/oss-sec/2016/q2/119 - title: Safemode Gem for Ruby is vulnerable to information disclosure - date: 2016-04-20 - description: | - Safemode is initialised with an optional 'delegate' object. - If the delegated object is a Rails controller, 'inspect' could - be called which then exposes all informations about the App, - including routes, secret tokens, caches and so on. - cvss_v3: 8.1 - patched_versions: - - ">= 1.2.4" ---- +--- +layout: advisory +title: 'CVE-2016-3693 (safemode): Safemode Gem for Ruby is vulnerable to information + disclosure' +comments: false +categories: +- safemode +advisory: + gem: safemode + cve: 2016-3693 + ghsa: c92m-rrrc-q5wf + url: http://seclists.org/oss-sec/2016/q2/119 + title: Safemode Gem for Ruby is vulnerable to information disclosure + date: 2016-04-20 + description: | + Safemode is initialised with an optional 'delegate' object. + If the delegated object is a Rails controller, 'inspect' could + be called which then exposes all informations about the App, + including routes, secret tokens, caches and so on. + cvss_v3: 8.1 + patched_versions: + - ">= 1.2.4" +--- diff --git a/advisories/_posts/2016-04-23-CVE-2016-10194.md b/advisories/_posts/2016-04-23-CVE-2016-10194.md index 890858bc..46b820bd 100644 --- a/advisories/_posts/2016-04-23-CVE-2016-10194.md +++ b/advisories/_posts/2016-04-23-CVE-2016-10194.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2016-10194 (festivaltts4r): festivaltts4r Gem for Ruby Arbitrary Command - Execution' -comments: false -categories: -- festivaltts4r -advisory: - gem: festivaltts4r - cve: 2016-10194 - ghsa: f7f4-5w9j-23p2 - url: https://github.com/spejman/festivaltts4r/issues/1 - title: festivaltts4r Gem for Ruby Arbitrary Command Execution - date: 2016-04-23 - description: | - festivaltts4r passes user modifiable strings directly to a shell - command. An attacker can execute malicious commands by modifying - the strings that are passed as arguments to the to_speech and - and to_mp3 methods in lib/festivaltts4r/festival4r.rb library. - cvss_v3: 9.8 ---- +--- +layout: advisory +title: 'CVE-2016-10194 (festivaltts4r): festivaltts4r Gem for Ruby Arbitrary Command + Execution' +comments: false +categories: +- festivaltts4r +advisory: + gem: festivaltts4r + cve: 2016-10194 + ghsa: f7f4-5w9j-23p2 + url: https://github.com/spejman/festivaltts4r/issues/1 + title: festivaltts4r Gem for Ruby Arbitrary Command Execution + date: 2016-04-23 + description: | + festivaltts4r passes user modifiable strings directly to a shell + command. An attacker can execute malicious commands by modifying + the strings that are passed as arguments to the to_speech and + and to_mp3 methods in lib/festivaltts4r/festival4r.rb library. + cvss_v3: 9.8 +--- diff --git a/advisories/_posts/2016-04-26-CVE-2016-2785.md b/advisories/_posts/2016-04-26-CVE-2016-2785.md index 6ed3254a..8b9747f6 100644 --- a/advisories/_posts/2016-04-26-CVE-2016-2785.md +++ b/advisories/_posts/2016-04-26-CVE-2016-2785.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2016-2785 (puppet): Puppet Improper Access Control' -comments: false -categories: -- puppet -advisory: - gem: puppet - cve: 2016-2785 - ghsa: pqj5-7r86-64fv - url: https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding - title: Puppet Improper Access Control - date: 2016-04-26 - description: | - Puppet Server before 2.3.2 and - Ruby puppetmaster in Puppet 4.x before 4.4.2 and in - Puppet Agent before 1.4.2 - might allow remote attackers to bypass intended auth.conf - access restrictions by leveraging incorrect URL decoding. - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 4.4.2" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2016-2785 - - https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding - - https://github.com/puppetlabs/puppet/pull/4921 - - https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 - - https://security.gentoo.org/glsa/201606-02 - - https://github.com/advisories/GHSA-pqj5-7r86-64fv ---- +--- +layout: advisory +title: 'CVE-2016-2785 (puppet): Puppet Improper Access Control' +comments: false +categories: +- puppet +advisory: + gem: puppet + cve: 2016-2785 + ghsa: pqj5-7r86-64fv + url: https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding + title: Puppet Improper Access Control + date: 2016-04-26 + description: | + Puppet Server before 2.3.2 and + Ruby puppetmaster in Puppet 4.x before 4.4.2 and in + Puppet Agent before 1.4.2 + might allow remote attackers to bypass intended auth.conf + access restrictions by leveraging incorrect URL decoding. 
+ cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 4.4.2" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2016-2785 + - https://www.puppet.com/security/cve/cve-2016-2785-incorrect-url-decoding + - https://github.com/puppetlabs/puppet/pull/4921 + - https://github.com/puppetlabs/puppet/pull/4921/commits/8d2ce797db265720f0a20d1d46ee2757b4e4f6b2 + - https://security.gentoo.org/glsa/201606-02 + - https://github.com/advisories/GHSA-pqj5-7r86-64fv +--- diff --git a/advisories/_posts/2016-05-18-CVE-2016-4442.md b/advisories/_posts/2016-05-18-CVE-2016-4442.md index bb5be4ac..fec1c4c7 100644 --- a/advisories/_posts/2016-05-18-CVE-2016-4442.md +++ b/advisories/_posts/2016-05-18-CVE-2016-4442.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2016-4442 (rack-mini-profiler): rack-mini-profiler may disclose information - to unauthorized users' -comments: false -categories: -- rack-mini-profiler -advisory: - gem: rack-mini-profiler - cve: 2016-4442 - ghsa: j5hj-fhc9-g24m - url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c - title: rack-mini-profiler may disclose information to unauthorized users - date: 2016-05-18 - description: | - Carefully crafted requests can expose information about strings and objects - allocated during the request for unauthorised users. - cvss_v3: 5.3 - patched_versions: - - ">= 0.10.1" - related: - url: - - http://seclists.org/oss-sec/2016/q2/516 ---- +--- +layout: advisory +title: 'CVE-2016-4442 (rack-mini-profiler): rack-mini-profiler may disclose information + to unauthorized users' +comments: false +categories: +- rack-mini-profiler +advisory: + gem: rack-mini-profiler + cve: 2016-4442 + ghsa: j5hj-fhc9-g24m + url: https://github.com/MiniProfiler/rack-mini-profiler/commit/4273771d65f1a7411e3ef5843329308d0e2d257c + title: rack-mini-profiler may disclose information to unauthorized users + date: 2016-05-18 + description: | + Carefully crafted requests can expose information about strings and objects + allocated during the request for unauthorised users. + cvss_v3: 5.3 + patched_versions: + - ">= 0.10.1" + related: + url: + - http://seclists.org/oss-sec/2016/q2/516 +--- diff --git a/advisories/_posts/2016-06-07-CVE-2015-8806.md b/advisories/_posts/2016-06-07-CVE-2015-8806.md index 38bbde5d..25ea15da 100644 --- a/advisories/_posts/2016-06-07-CVE-2015-8806.md +++ b/advisories/_posts/2016-06-07-CVE-2015-8806.md 
@@ -1,50 +1,50 @@ ---- -layout: advisory -title: 'CVE-2015-8806 (nokogiri): Denial of service or RCE from libxml2 and libxslt' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2015-8806 - ghsa: 7hp2-xwpj-95jq - url: https://github.com/sparklemotion/nokogiri/issues/1473 - title: Denial of service or RCE from libxml2 and libxslt - date: 2016-06-07 - description: | - Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, - which are libraries Nokogiri depends on. It was discovered that libxml2 and - libxslt incorrectly handled certain malformed documents, which can allow - malicious users to cause issues ranging from denial of service to remote code - execution attacks. - - For more information, the Ubuntu Security Notice is a good start: - http://www.ubuntu.com/usn/usn-2994-1/ - cvss_v3: 7.5 - unaffected_versions: - - "< 1.6.0" - patched_versions: - - ">= 1.6.8" - related: - cve: - - 2016-1762 - - 2016-1833 - - 2016-1834 - - 2016-1835 - - 2016-1836 - - 2016-1837 - - 2016-1838 - - 2016-1839 - - 2016-1840 - - 2016-2073 - - 2016-3627 - - 2016-3705 - - 2016-4447 - - 2016-4449 - - 2016-4483 - url: - - https://github.com/sparklemotion/nokogiri/issues/1473 - - https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028 - - https://mail.gnome.org/archives/xml/2016-May/msg00023.html - - http://www.ubuntu.com/usn/usn-2994-1/ ---- +--- +layout: advisory +title: 'CVE-2015-8806 (nokogiri): Denial of service or RCE from libxml2 and libxslt' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2015-8806 + ghsa: 7hp2-xwpj-95jq + url: https://github.com/sparklemotion/nokogiri/issues/1473 + title: Denial of service or RCE from libxml2 and libxslt + date: 2016-06-07 + description: | + Nokogiri is affected by series of vulnerabilities in libxml2 and libxslt, + which are libraries Nokogiri depends on. 
It was discovered that libxml2 and + libxslt incorrectly handled certain malformed documents, which can allow + malicious users to cause issues ranging from denial of service to remote code + execution attacks. + + For more information, the Ubuntu Security Notice is a good start: + http://www.ubuntu.com/usn/usn-2994-1/ + cvss_v3: 7.5 + unaffected_versions: + - "< 1.6.0" + patched_versions: + - ">= 1.6.8" + related: + cve: + - 2016-1762 + - 2016-1833 + - 2016-1834 + - 2016-1835 + - 2016-1836 + - 2016-1837 + - 2016-1838 + - 2016-1839 + - 2016-1840 + - 2016-2073 + - 2016-3627 + - 2016-3705 + - 2016-4447 + - 2016-4449 + - 2016-4483 + url: + - https://github.com/sparklemotion/nokogiri/issues/1473 + - https://github.com/sparklemotion/nokogiri/commit/03d402212707bd5dfa0a21b7de5e91a7f9d90028 + - https://mail.gnome.org/archives/xml/2016-May/msg00023.html + - http://www.ubuntu.com/usn/usn-2994-1/ +--- diff --git a/advisories/_posts/2016-06-16-CVE-2016-10362.md b/advisories/_posts/2016-06-16-CVE-2016-10362.md index 54dc2068..204f0b5a 100644 --- a/advisories/_posts/2016-06-16-CVE-2016-10362.md +++ b/advisories/_posts/2016-06-16-CVE-2016-10362.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2016-10362 (logstash-core): Logstash Logs Sensitive Information' -comments: false -categories: -- logstash-core -advisory: - gem: logstash-core - cve: 2016-10362 - ghsa: 3gg4-6hqg-2vjx - url: https://web.archive.org/web/20210730201452/http://www.securityfocus.com/bid/99154 - title: Logstash Logs Sensitive Information - date: 2016-06-16 - description: | - Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating - connections after sniffing, would log to file HTTP basic auth credentials. - cvss_v2: 4.0 - cvss_v3: 6.5 - patched_versions: - - ">= 5.0.1" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2016-10362 - - https://web.archive.org/web/20210730201452/http://www.securityfocus.com/bid/99154 - - https://www.opencve.io/cve/CVE-2016-10362 - - https://www.elastic.co/community/security - - https://github.com/advisories/GHSA-3gg4-6hqg-2vjx ---- +--- +layout: advisory +title: 'CVE-2016-10362 (logstash-core): Logstash Logs Sensitive Information' +comments: false +categories: +- logstash-core +advisory: + gem: logstash-core + cve: 2016-10362 + ghsa: 3gg4-6hqg-2vjx + url: https://web.archive.org/web/20210730201452/http://www.securityfocus.com/bid/99154 + title: Logstash Logs Sensitive Information + date: 2016-06-16 + description: | + Prior to Logstash version 5.0.1, Elasticsearch Output plugin when updating + connections after sniffing, would log to file HTTP basic auth credentials. + cvss_v2: 4.0 + cvss_v3: 6.5 + patched_versions: + - ">= 5.0.1" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2016-10362 + - https://web.archive.org/web/20210730201452/http://www.securityfocus.com/bid/99154 + - https://www.opencve.io/cve/CVE-2016-10362 + - https://www.elastic.co/community/security + - https://github.com/advisories/GHSA-3gg4-6hqg-2vjx +--- diff --git a/advisories/_posts/2016-06-24-CVE-2016-5697.md b/advisories/_posts/2016-06-24-CVE-2016-5697.md index 87cdc216..eb655f2a 100644 
--- a/advisories/_posts/2016-06-24-CVE-2016-5697.md +++ b/advisories/_posts/2016-06-24-CVE-2016-5697.md @@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2016-5697 (ruby-saml): XML signature wrapping attack' -comments: false -categories: -- ruby-saml -advisory: - gem: ruby-saml - cve: 2016-5697 - ghsa: 36p7-xjw8-h6f2 - url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995 - title: XML signature wrapping attack - date: 2016-06-24 - description: | - ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack - in the specific scenario where there was a signature that referenced at the same time - 2 elements (but past the scheme validator process since 1 of the element was inside - the encrypted assertion). - - ruby-saml users must update to 1.3.0, which implements 3 extra validations to - mitigate this kind of attack. - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 1.3.0" ---- +--- +layout: advisory +title: 'CVE-2016-5697 (ruby-saml): XML signature wrapping attack' +comments: false +categories: +- ruby-saml +advisory: + gem: ruby-saml + cve: 2016-5697 + ghsa: 36p7-xjw8-h6f2 + url: https://github.com/onelogin/ruby-saml/commit/a571f52171e6bfd87db59822d1d9e8c38fb3b995 + title: XML signature wrapping attack + date: 2016-06-24 + description: | + ruby-saml prior to version 1.3.0 is vulnerable to an XML signature wrapping attack + in the specific scenario where there was a signature that referenced at the same time + 2 elements (but past the scheme validator process since 1 of the element was inside + the encrypted assertion). + + ruby-saml users must update to 1.3.0, which implements 3 extra validations to + mitigate this kind of attack. + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 1.3.0" +--- diff --git a/advisories/_posts/2016-07-27-CVE-2016-10735.md b/advisories/_posts/2016-07-27-CVE-2016-10735.md index 5fd4d1e0..5c54de84 100644 --- a/advisories/_posts/2016-07-27-CVE-2016-10735.md 
+++ b/advisories/_posts/2016-07-27-CVE-2016-10735.md @@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2016-10735 (bootstrap): XSS vulnerability via data-target in bootstrap' -comments: false -categories: -- bootstrap -advisory: - gem: bootstrap - cve: 2016-10735 - ghsa: 4p24-vmcr-4gqj - url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ - title: XSS vulnerability via data-target in bootstrap - date: 2016-07-27 - description: | - In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, - XSS is possible in the data-target attribute. - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 4.0.0-beta.2" - related: - url: - - https://github.com/twbs/bootstrap/issues/20184 ---- +--- +layout: advisory +title: 'CVE-2016-10735 (bootstrap): XSS vulnerability via data-target in bootstrap' +comments: false +categories: +- bootstrap +advisory: + gem: bootstrap + cve: 2016-10735 + ghsa: 4p24-vmcr-4gqj + url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ + title: XSS vulnerability via data-target in bootstrap + date: 2016-07-27 + description: | + In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, + XSS is possible in the data-target attribute. + cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - ">= 4.0.0-beta.2" + related: + url: + - https://github.com/twbs/bootstrap/issues/20184 +--- diff --git a/advisories/_posts/2016-08-11-CVE-2016-6316.md b/advisories/_posts/2016-08-11-CVE-2016-6316.md index e43fffc0..03b08d68 100644 --- a/advisories/_posts/2016-08-11-CVE-2016-6316.md +++ b/advisories/_posts/2016-08-11-CVE-2016-6316.md 
@@ -1,61 +1,61 @@ ---- -layout: advisory -title: 'CVE-2016-6316 (actionview): Possible XSS Vulnerability in Action View' -comments: false -categories: -- actionview -- rails -advisory: - gem: actionview - framework: rails - cve: 2016-6316 - ghsa: pc3m-v286-2jwj - url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk - title: Possible XSS Vulnerability in Action View - date: 2016-08-11 - description: | - There is a possible XSS vulnerability in Action View. Text declared as "HTML - safe" will not have quotes escaped when used as attribute values in tag - helpers. - - Impact - ------ - - Text declared as "HTML safe" when passed as an attribute value to a tag helper - will not have quotes escaped which can lead to an XSS attack. Impacted code - looks something like this: - - ```ruby - content_tag(:div, "hi", title: user_input.html_safe) - ``` - - Some helpers like the `sanitize` helper will automatically mark strings as - "HTML safe", so impacted code could also look something like this: - - ```ruby - content_tag(:div, "hi", title: sanitize(user_input)) - ``` - - All users running an affected release should either upgrade or use one of the - workarounds immediately. 
- - Workarounds - ----------- - You can work around this issue by either *not* marking arbitrary user input as - safe, or by manually escaping quotes like this: - - ```ruby - def escape_quotes(value) - value.gsub(/"/, '"'.freeze) - end - - content_tag(:div, "hi", title: escape_quotes(sanitize(user_input))) - ``` - cvss_v3: 6.1 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - "~> 4.2.7.1" - - "~> 4.2.8" - - ">= 5.0.0.1" ---- +--- +layout: advisory +title: 'CVE-2016-6316 (actionview): Possible XSS Vulnerability in Action View' +comments: false +categories: +- actionview +- rails +advisory: + gem: actionview + framework: rails + cve: 2016-6316 + ghsa: pc3m-v286-2jwj + url: https://groups.google.com/forum/#!topic/rubyonrails-security/I-VWr034ouk + title: Possible XSS Vulnerability in Action View + date: 2016-08-11 + description: | + There is a possible XSS vulnerability in Action View. Text declared as "HTML + safe" will not have quotes escaped when used as attribute values in tag + helpers. + + Impact + ------ + + Text declared as "HTML safe" when passed as an attribute value to a tag helper + will not have quotes escaped which can lead to an XSS attack. Impacted code + looks something like this: + + ```ruby + content_tag(:div, "hi", title: user_input.html_safe) + ``` + + Some helpers like the `sanitize` helper will automatically mark strings as + "HTML safe", so impacted code could also look something like this: + + ```ruby + content_tag(:div, "hi", title: sanitize(user_input)) + ``` + + All users running an affected release should either upgrade or use one of the + workarounds immediately. 
+ + Workarounds + ----------- + You can work around this issue by either *not* marking arbitrary user input as + safe, or by manually escaping quotes like this: + + ```ruby + def escape_quotes(value) + value.gsub(/"/, '"'.freeze) + end + + content_tag(:div, "hi", title: escape_quotes(sanitize(user_input))) + ``` + cvss_v3: 6.1 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - "~> 4.2.7.1" + - "~> 4.2.8" + - ">= 5.0.0.1" +--- diff --git a/advisories/_posts/2016-08-11-CVE-2016-6317.md b/advisories/_posts/2016-08-11-CVE-2016-6317.md index 07217f25..c25440d2 100644 --- a/advisories/_posts/2016-08-11-CVE-2016-6317.md +++ b/advisories/_posts/2016-08-11-CVE-2016-6317.md 
@@ -1,79 +1,79 @@
----
-layout: advisory
-title: 'CVE-2016-6317 (activerecord): Unsafe Query Generation Risk in Active Record'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2016-6317
- ghsa: pr3r-4wrp-r2pv
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
- title: Unsafe Query Generation Risk in Active Record
- date: 2016-08-11
- description: |
- There is a vulnerability when Active Record is used in conjunction with JSON
- parameter parsing. This vulnerability is similar to CVE-2012-2660,
- CVE-2012-2694 and CVE-2013-0155.
-
- Impact
- ------
-
- Due to the way Active Record interprets parameters in combination with the way
- that JSON parameters are parsed, it is possible for an attacker to issue
- unexpected database queries with "IS NULL" or empty where clauses. This issue
- does *not* let an attacker insert arbitrary values into an SQL query, however
- they can cause the query to check for NULL or eliminate a WHERE clause when
- most users wouldn't expect it.
-
- For example, a system has password reset with token functionality:
-
- ```ruby
- unless params[:token].nil?
- user = User.find_by_token(params[:token])
- user.reset_password!
- end
- ```
-
- An attacker can craft a request such that `params[:token]` will return
- `[nil]`. The `[nil]` value will bypass the test for nil, but will still add
- an "IN ('xyz', NULL)" clause to the SQL query.
-
- Similarly, an attacker can craft a request such that `params[:token]` will
- return an empty hash. An empty hash will eliminate the WHERE clause of the
- query, but can bypass the `nil?` check.
-
- Note that this impacts not only dynamic finders (`find_by_*`) but also
- relations (`User.where(:name => params[:name])`).
-
- All users running an affected release should either upgrade or use one of the
- work arounds immediately. All users running an affected release should upgrade
- immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
- CVE-2012-2694, and CVE-2013-0155. Even if you upgraded to address those
- issues, you must take action again.
-
- If this chance in behavior impacts your application, you can manually decode
- the original values from the request like so:
-
- `ActiveSupport::JSON.decode(request.body)`
-
- Workarounds
- -----------
- This problem can be mitigated by casting the parameter to a string before
- passing it to Active Record. For example:
-
- ```ruby
- unless params[:token].nil? || params[:token].to_s.empty?
- user = User.find_by_token(params[:token].to_s)
- user.reset_password!
- end
- ```
- cvss_v3: 7.5
- unaffected_versions:
- - "< 4.2.0"
- - ">= 5.0.0"
- patched_versions:
- - ">= 4.2.7.1"
----
+---
+layout: advisory
+title: 'CVE-2016-6317 (activerecord): Unsafe Query Generation Risk in Active Record'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2016-6317
+ ghsa: pr3r-4wrp-r2pv
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/rgO20zYW33s
+ title: Unsafe Query Generation Risk in Active Record
+ date: 2016-08-11
+ description: |
+ There is a vulnerability when Active Record is used in conjunction with JSON
+ parameter parsing. This vulnerability is similar to CVE-2012-2660,
+ CVE-2012-2694 and CVE-2013-0155.
+
+ Impact
+ ------
+
+ Due to the way Active Record interprets parameters in combination with the way
+ that JSON parameters are parsed, it is possible for an attacker to issue
+ unexpected database queries with "IS NULL" or empty where clauses. This issue
+ does *not* let an attacker insert arbitrary values into an SQL query, however
+ they can cause the query to check for NULL or eliminate a WHERE clause when
+ most users wouldn't expect it.
+
+ For example, a system has password reset with token functionality:
+
+ ```ruby
+ unless params[:token].nil?
+ user = User.find_by_token(params[:token])
+ user.reset_password!
+ end
+ ```
+
+ An attacker can craft a request such that `params[:token]` will return
+ `[nil]`. The `[nil]` value will bypass the test for nil, but will still add
+ an "IN ('xyz', NULL)" clause to the SQL query.
+
+ Similarly, an attacker can craft a request such that `params[:token]` will
+ return an empty hash. An empty hash will eliminate the WHERE clause of the
+ query, but can bypass the `nil?` check.
+
+ Note that this impacts not only dynamic finders (`find_by_*`) but also
+ relations (`User.where(:name => params[:name])`).
+
+ All users running an affected release should either upgrade or use one of the
+ work arounds immediately. All users running an affected release should upgrade
+ immediately. Please note, this vulnerability is a variant of CVE-2012-2660,
+ CVE-2012-2694, and CVE-2013-0155. Even if you upgraded to address those
+ issues, you must take action again.
+
+ If this chance in behavior impacts your application, you can manually decode
+ the original values from the request like so:
+
+ `ActiveSupport::JSON.decode(request.body)`
+
+ Workarounds
+ -----------
+ This problem can be mitigated by casting the parameter to a string before
+ passing it to Active Record. For example:
+
+ ```ruby
+ unless params[:token].nil? || params[:token].to_s.empty?
+ user = User.find_by_token(params[:token].to_s)
+ user.reset_password!
+ end
+ ```
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 4.2.0"
+ - ">= 5.0.0"
+ patched_versions:
+ - ">= 4.2.7.1"
+---
diff --git a/advisories/_posts/2016-08-18-CVE-2016-6582.md b/advisories/_posts/2016-08-18-CVE-2016-6582.md
index f64fbef6..3ae59aa3 100644
--- a/advisories/_posts/2016-08-18-CVE-2016-6582.md
+++ b/advisories/_posts/2016-08-18-CVE-2016-6582.md
@@ -1,48 +1,48 @@
----
-layout: advisory
-title: 'CVE-2016-6582 (doorkeeper): Doorkeeper gem does not revoke tokens & uses wrong
- auth/auth method'
-comments: false
-categories:
-- doorkeeper
-advisory:
- gem: doorkeeper
- cve: 2016-6582
- ghsa: 3m6r-39p3-jq25
- url: http://www.openwall.com/lists/oss-security/2016/08/19/2
- title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
- date: 2016-08-18
- description: |
- Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
- following ways:
-
- 1. Public clients making valid, unauthenticated calls to revoke a token
- would not have their token revoked
- 2. Requests were not properly authenticating the *client credentials* but
- were, instead, looking at the access token in a second location
- 3. Because of 2, the requests were also not authorizing confidential
- clients' ability to revoke a given token. It should only revoke tokens
- that belong to it.
-
- The security implication is: OAuth 2.0 clients who "log out" a user expect
- to have the corresponding access & refresh tokens revoked, preventing an
- attacker who may have already hijacked the session from continuing to
- impersonate the victim. Because of the bug described above, this is not the
- case. As far as OWASP is concerned, this counts as broken authentication
- design.
-
- MITRE has assigned CVE-2016-6582 due to the security issues raised. An
- attacker, thanks to 1, can replay a hijacked session after a victim logs
- out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
- compromised confidential client could "grief" other clients by revoking
- their tokens (albeit this is an exceptionally narrow attack with little
- value).
- cvss_v3: 9.1
- unaffected_versions:
- - "< 1.2.0"
- patched_versions:
- - ">= 4.2.0"
- related:
- url:
- - https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53
----
+---
+layout: advisory
+title: 'CVE-2016-6582 (doorkeeper): Doorkeeper gem does not revoke tokens & uses wrong
+ auth/auth method'
+comments: false
+categories:
+- doorkeeper
+advisory:
+ gem: doorkeeper
+ cve: 2016-6582
+ ghsa: 3m6r-39p3-jq25
+ url: http://www.openwall.com/lists/oss-security/2016/08/19/2
+ title: Doorkeeper gem does not revoke tokens & uses wrong auth/auth method
+ date: 2016-08-18
+ description: |
+ Doorkeeper failed to implement OAuth 2.0 Token Revocation (RFC 7009) in the
+ following ways:
+
+ 1. Public clients making valid, unauthenticated calls to revoke a token
+ would not have their token revoked
+ 2. Requests were not properly authenticating the *client credentials* but
+ were, instead, looking at the access token in a second location
+ 3. Because of 2, the requests were also not authorizing confidential
+ clients' ability to revoke a given token. It should only revoke tokens
+ that belong to it.
+
+ The security implication is: OAuth 2.0 clients who "log out" a user expect
+ to have the corresponding access & refresh tokens revoked, preventing an
+ attacker who may have already hijacked the session from continuing to
+ impersonate the victim. Because of the bug described above, this is not the
+ case. As far as OWASP is concerned, this counts as broken authentication
+ design.
+
+ MITRE has assigned CVE-2016-6582 due to the security issues raised. An
+ attacker, thanks to 1, can replay a hijacked session after a victim logs
+ out/revokes their token. Additionally, thanks to 2 & 3, an attacker via a
+ compromised confidential client could "grief" other clients by revoking
+ their tokens (albeit this is an exceptionally narrow attack with little
+ value).
+ cvss_v3: 9.1
+ unaffected_versions:
+ - "< 1.2.0"
+ patched_versions:
+ - ">= 4.2.0"
+ related:
+ url:
+ - https://github.com/doorkeeper-gem/doorkeeper/commit/fb938051777a3c9cb071e96fc66458f8f615bd53
+---
diff --git a/advisories/_posts/2016-08-22-CVE-2016-10173.md b/advisories/_posts/2016-08-22-CVE-2016-10173.md
index af9e6980..39c42279 100644
--- a/advisories/_posts/2016-08-22-CVE-2016-10173.md
+++ b/advisories/_posts/2016-08-22-CVE-2016-10173.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2016-10173 (minitar): Minitar Directory Traversal Vulnerability'
-comments: false
-categories:
-- minitar
-advisory:
- gem: minitar
- cve: 2016-10173
- ghsa: h5g2-38x9-4gv3
- url: https://github.com/halostatue/minitar/issues/16
- title: Minitar Directory Traversal Vulnerability
- date: 2016-08-22
- description: |
- Minitar allows attackers to overwrite arbitrary files during archive
- extraction via a .. (dot dot) in an extracted filename. Analogous
- vulnerabilities for unzip and tar:
- https://www.cvedetails.com/cve/CVE-2001-1268/ and
- http://www.cvedetails.com/cve/CVE-2001-1267/
-
- Credit: ecneladis
- cvss_v3: 7.5
- patched_versions:
- - ">= 0.6.0"
- related:
- url:
- - https://github.com/halostatue/minitar/issues/16
- - https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4
----
+---
+layout: advisory
+title: 'CVE-2016-10173 (minitar): Minitar Directory Traversal Vulnerability'
+comments: false
+categories:
+- minitar
+advisory:
+ gem: minitar
+ cve: 2016-10173
+ ghsa: h5g2-38x9-4gv3
+ url: https://github.com/halostatue/minitar/issues/16
+ title: Minitar Directory Traversal Vulnerability
+ date: 2016-08-22
+ description: |
+ Minitar allows attackers to overwrite arbitrary files during archive
+ extraction via a .. (dot dot) in an extracted filename. Analogous
+ vulnerabilities for unzip and tar:
+ https://www.cvedetails.com/cve/CVE-2001-1268/ and
+ http://www.cvedetails.com/cve/CVE-2001-1267/
+
+ Credit: ecneladis
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 0.6.0"
+ related:
+ url:
+ - https://github.com/halostatue/minitar/issues/16
+ - https://github.com/halostatue/minitar/commit/e25205ecbb6277ae8a3df1e6a306d7ed4458b6e4
+---
diff --git a/advisories/_posts/2016-08-27-CVE-2016-7103.md b/advisories/_posts/2016-08-27-CVE-2016-7103.md
index fe8d2632..a44e4399 100644
--- a/advisories/_posts/2016-08-27-CVE-2016-7103.md
+++ b/advisories/_posts/2016-08-27-CVE-2016-7103.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2016-7103 (jquery-ui-rails): XSS Vulnerability on closeText option of
- Dialog jQuery UI'
-comments: false
-categories:
-- jquery-ui-rails
-- rails
-advisory:
- gem: jquery-ui-rails
- framework: rails
- cve: 2016-7103
- ghsa: hpcf-8vf9-q4gj
- url: https://github.com/jquery/api.jqueryui.com/issues/281
- title: XSS Vulnerability on closeText option of Dialog jQuery UI
- date: 2016-08-27
- description: |
- Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might
- allow remote attackers to inject arbitrary web script or HTML via the
- closeText parameter of the dialog function.
- cvss_v2: 4.3
- cvss_v3: 6.1
- patched_versions:
- - ">= 6.0.0"
- related:
- url:
- - https://github.com/jquery/jquery-ui/pull/1635
- - https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/History.md#600
----
+---
+layout: advisory
+title: 'CVE-2016-7103 (jquery-ui-rails): XSS Vulnerability on closeText option of
+ Dialog jQuery UI'
+comments: false
+categories:
+- jquery-ui-rails
+- rails
+advisory:
+ gem: jquery-ui-rails
+ framework: rails
+ cve: 2016-7103
+ ghsa: hpcf-8vf9-q4gj
+ url: https://github.com/jquery/api.jqueryui.com/issues/281
+ title: XSS Vulnerability on closeText option of Dialog jQuery UI
+ date: 2016-08-27
+ description: |
+ Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might
+ allow remote attackers to inject arbitrary web script or HTML via the
+ closeText parameter of the dialog function.
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 6.0.0"
+ related:
+ url:
+ - https://github.com/jquery/jquery-ui/pull/1635
+ - https://github.com/jquery-ui-rails/jquery-ui-rails/blob/master/History.md#600
+---
diff --git a/advisories/_posts/2016-10-06-CVE-2016-7954.md b/advisories/_posts/2016-10-06-CVE-2016-7954.md
index 7631a636..792752dd 100644
--- a/advisories/_posts/2016-10-06-CVE-2016-7954.md
+++ b/advisories/_posts/2016-10-06-CVE-2016-7954.md
@@ -1,48 +1,48 @@
----
-layout: advisory
-title: 'CVE-2016-7954 (bundler): Allows an attacker to inject arbitrary code into
- your application via any secondary Gem source declared in your Gemfile'
-comments: false
-categories:
-- bundler
-advisory:
- gem: bundler
- cve: 2016-7954
- ghsa: jvgm-pfqv-887x
- url: https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
- title: Allows an attacker to inject arbitrary code into your application via any
- secondary Gem source declared in your Gemfile
- date: 2016-10-06
- description: |
- Bundler 1.x might allow remote attackers to inject arbitrary Ruby
- code into an application by leveraging a Gem name collision on a
- secondary source.
-
- Please note that this vulnerability only applies for Ruby
- projects using Bundler < 2.0 with Gemfiles having 2 or more
- "source" lines.
-
- In other words, if the user's Gemfile does not use multiple
- sources, this vulnerability can be ignored.
- cvss_v2: 7.5
- cvss_v3: 9.8
- patched_versions:
- - ">= 2.0.0"
- related:
- cve:
- - 2013-0334
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2016-7954
- - https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
- - https://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
- - https://github.com/advisories/GHSA-jvgm-pfqv-887x
- - https://seclists.org/oss-sec/2016/q4/25
- - https://seclists.org/oss-sec/2016/q4/18
- - https://seclists.org/oss-sec/2016/q4/20
- - https://github.com/rubygems/bundler/pull/3696
- - https://github.com/rubygems/bundler/issues/3671
- - https://github.com/rubygems/bundler/issues/5274
- - https://github.com/rubygems/bundler/issues/5051
- - https://github.com/rubygems/bundler/issues/5062
- notes: 'NOTE: This might overlap CVE-2013-0334.; GHSA is unreviewed'
----
+---
+layout: advisory
+title: 'CVE-2016-7954 (bundler): Allows an attacker to inject arbitrary code into
+ your application via any secondary Gem source declared in your Gemfile'
+comments: false
+categories:
+- bundler
+advisory:
+ gem: bundler
+ cve: 2016-7954
+ ghsa: jvgm-pfqv-887x
+ url: https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
+ title: Allows an attacker to inject arbitrary code into your application via any
+ secondary Gem source declared in your Gemfile
+ date: 2016-10-06
+ description: |
+ Bundler 1.x might allow remote attackers to inject arbitrary Ruby
+ code into an application by leveraging a Gem name collision on a
+ secondary source.
+
+ Please note that this vulnerability only applies for Ruby
+ projects using Bundler < 2.0 with Gemfiles having 2 or more
+ "source" lines.
+
+ In other words, if the user's Gemfile does not use multiple
+ sources, this vulnerability can be ignored.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 2.0.0"
+ related:
+ cve:
+ - 2013-0334
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2016-7954
+ - https://collectiveidea.com/blog/archives/2016/10/06/bundlers-multiple-source-security-vulnerability
+ - https://bundler.io/blog/2014/08/14/bundler-may-install-gems-from-a-different-source-than-expected-cve-2013-0334.html
+ - https://github.com/advisories/GHSA-jvgm-pfqv-887x
+ - https://seclists.org/oss-sec/2016/q4/25
+ - https://seclists.org/oss-sec/2016/q4/18
+ - https://seclists.org/oss-sec/2016/q4/20
+ - https://github.com/rubygems/bundler/pull/3696
+ - https://github.com/rubygems/bundler/issues/3671
+ - https://github.com/rubygems/bundler/issues/5274
+ - https://github.com/rubygems/bundler/issues/5051
+ - https://github.com/rubygems/bundler/issues/5062
+ notes: 'NOTE: This might overlap CVE-2013-0334.; GHSA is unreviewed'
+---
diff --git a/advisories/_posts/2016-11-09-CVE-2016-10345.md b/advisories/_posts/2016-11-09-CVE-2016-10345.md
index c98024d9..49272984 100644
--- a/advisories/_posts/2016-11-09-CVE-2016-10345.md
+++ b/advisories/_posts/2016-11-09-CVE-2016-10345.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2016-10345 (passenger): Predictable tmp File Path Vulnerability in Phusion
- Passenger'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2016-10345
- ghsa: cqxw-3p7v-p9gr
- url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
- title: Predictable tmp File Path Vulnerability in Phusion Passenger
- date: 2016-11-09
- description: |
- In Phusion Passenger before 5.1.0, a known /tmp filename was used during
- passenger-install-nginx-module execution, which could allow local attackers to gain
- the privileges of the passenger user.
- cvss_v2: 4.6
- cvss_v3: 7.8
- patched_versions:
- - ">= 5.1.0"
----
+---
+layout: advisory
+title: 'CVE-2016-10345 (passenger): Predictable tmp File Path Vulnerability in Phusion
+ Passenger'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2016-10345
+ ghsa: cqxw-3p7v-p9gr
+ url: https://blog.phusion.nl/2017/01/10/passenger-5-1-1/
+ title: Predictable tmp File Path Vulnerability in Phusion Passenger
+ date: 2016-11-09
+ description: |
+ In Phusion Passenger before 5.1.0, a known /tmp filename was used during
+ passenger-install-nginx-module execution, which could allow local attackers to gain
+ the privileges of the passenger user.
+ cvss_v2: 4.6
+ cvss_v3: 7.8
+ patched_versions:
+ - ">= 5.1.0"
+---
diff --git a/advisories/_posts/2016-12-21-CVE-2016-10522.md b/advisories/_posts/2016-12-21-CVE-2016-10522.md
index 09905dc7..153c2ef9 100644
--- a/advisories/_posts/2016-12-21-CVE-2016-10522.md
+++ b/advisories/_posts/2016-12-21-CVE-2016-10522.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2016-10522 (rails_admin): CSRF vulnerability in rails_admin'
-comments: false
-categories:
-- rails_admin
-advisory:
- gem: rails_admin
- cve: 2016-10522
- ghsa: pxqr-8v54-m2hj
- url: https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/
- title: CSRF vulnerability in rails_admin
- date: 2016-12-21
- description: |
- The rails_admin gem is vulnerable to cross-site request forgery (CSRF) attacks.
- Due to a bug, non-GET methods were not validating CSRF tokens and, as a result,
- an attacker could hypothetically gain access to the application administrative
- endpoints exposed by the gem.
- cvss_v2: 5.5
- cvss_v3: 8.8
- unaffected_versions:
- - "< 1.0.0"
- patched_versions:
- - ">= 1.1.1"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2016-10522
- - https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173
- - https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a
- - https://advisories.gitlab.com/pkg/gem/rails_admin/SRCCLR-SID-3173
- - https://github.com/advisories/GHSA-pxqr-8v54-m2hj
----
+---
+layout: advisory
+title: 'CVE-2016-10522 (rails_admin): CSRF vulnerability in rails_admin'
+comments: false
+categories:
+- rails_admin
+advisory:
+ gem: rails_admin
+ cve: 2016-10522
+ ghsa: pxqr-8v54-m2hj
+ url: https://www.sourceclear.com/blog/Rails_admin-Vulnerability-Disclosure/
+ title: CSRF vulnerability in rails_admin
+ date: 2016-12-21
+ description: |
+ The rails_admin gem is vulnerable to cross-site request forgery (CSRF) attacks.
+ Due to a bug, non-GET methods were not validating CSRF tokens and, as a result,
+ an attacker could hypothetically gain access to the application administrative
+ endpoints exposed by the gem.
+ cvss_v2: 5.5
+ cvss_v3: 8.8
+ unaffected_versions:
+ - "< 1.0.0"
+ patched_versions:
+ - ">= 1.1.1"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2016-10522
+ - https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173
+ - https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a
+ - https://advisories.gitlab.com/pkg/gem/rails_admin/SRCCLR-SID-3173
+ - https://github.com/advisories/GHSA-pxqr-8v54-m2hj
+---
diff --git a/advisories/_posts/2017-01-11-CVE-2017-18076.md b/advisories/_posts/2017-01-11-CVE-2017-18076.md
index ac1e64a5..b88d73fc 100644
--- a/advisories/_posts/2017-01-11-CVE-2017-18076.md
+++ b/advisories/_posts/2017-01-11-CVE-2017-18076.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2017-18076 (omniauth): omniauth leaks authenticity token in callback params'
-comments: false
-categories:
-- omniauth
-advisory:
- gem: omniauth
- cve: 2017-18076
- ghsa: 9pr6-grf4-x2fr
- url: https://github.com/omniauth/omniauth/pull/867
- title: omniauth leaks authenticity token in callback params
- date: 2017-01-11
- description: |
- In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value
- is improperly protected because POST (in addition to GET) parameters are stored
- in the session and become available in the environment of the callback phase.
- cvss_v2: 6.8
- cvss_v3: 7.5
- patched_versions:
- - ">= 1.3.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2017-18076
----
+---
+layout: advisory
+title: 'CVE-2017-18076 (omniauth): omniauth leaks authenticity token in callback params'
+comments: false
+categories:
+- omniauth
+advisory:
+ gem: omniauth
+ cve: 2017-18076
+ ghsa: 9pr6-grf4-x2fr
+ url: https://github.com/omniauth/omniauth/pull/867
+ title: omniauth leaks authenticity token in callback params
+ date: 2017-01-11
+ description: |
+ In strategy.rb in OmniAuth before 1.3.2, the authenticity_token value
+ is improperly protected because POST (in addition to GET) parameters are stored
+ in the session and become available in the environment of the callback phase.
+ cvss_v2: 6.8
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 1.3.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-18076
+---
diff --git a/advisories/_posts/2017-02-27-CVE-2017-5946.md b/advisories/_posts/2017-02-27-CVE-2017-5946.md
index db6c5451..1951b8b2 100644
--- a/advisories/_posts/2017-02-27-CVE-2017-5946.md
+++ b/advisories/_posts/2017-02-27-CVE-2017-5946.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2017-5946 (rubyzip): Directory traversal vulnerability in rubyzip'
-comments: false
-categories:
-- rubyzip
-advisory:
- gem: rubyzip
- cve: 2017-5946
- ghsa: gcqq-w6gr-h9j9
- url: https://github.com/rubyzip/rubyzip/issues/315
- title: Directory traversal vulnerability in rubyzip
- date: 2017-02-27
- description: |
- The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
- directory traversal vulnerability. If a site allows uploading of .zip files,
- an attacker can upload a malicious file that uses "../" pathname substrings to
- write arbitrary files to the filesystem.
- cvss_v2: 7.5
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.2.1"
----
+---
+layout: advisory
+title: 'CVE-2017-5946 (rubyzip): Directory traversal vulnerability in rubyzip'
+comments: false
+categories:
+- rubyzip
+advisory:
+ gem: rubyzip
+ cve: 2017-5946
+ ghsa: gcqq-w6gr-h9j9
+ url: https://github.com/rubyzip/rubyzip/issues/315
+ title: Directory traversal vulnerability in rubyzip
+ date: 2017-02-27
+ description: |
+ The Zip::File component in the rubyzip gem before 1.2.1 for Ruby has a
+ directory traversal vulnerability. If a site allows uploading of .zip files,
+ an attacker can upload a malicious file that uses "../" pathname substrings to
+ write arbitrary files to the filesystem.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.2.1"
+---
diff --git a/advisories/_posts/2017-03-11-CVE-2016-4658.md b/advisories/_posts/2017-03-11-CVE-2016-4658.md
index 9166ac2e..034d7be2 100644
--- a/advisories/_posts/2017-03-11-CVE-2016-4658.md
+++ b/advisories/_posts/2017-03-11-CVE-2016-4658.md
@@ -1,40 +1,40 @@
----
-layout: advisory
-title: 'CVE-2016-4658 (nokogiri): Nokogiri gem contains several vulnerabilities in
- libxml2 and libxslt'
-comments: false
-categories:
-- nokogiri
-advisory:
- gem: nokogiri
- cve: 2016-4658
- ghsa: fr52-4hqw-p27f
- url: https://github.com/sparklemotion/nokogiri/issues/1615
- title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
- date: 2017-03-11
- description: |
- Nokogiri version 1.7.1 has been released, pulling in several upstream
- patches to the vendored libxml2 to address the following CVEs:
-
- CVE-2016-4658
- CVSS v3 Base Score: 9.8 (Critical)
- libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
- watchOS before 3 allows remote attackers to execute arbitrary code or cause
- a denial of service (memory corruption) via a crafted XML document.
-
- CVE-2016-5131
- CVSS v3 Base Score: 8.8 (HIGH)
- Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
- Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
- service or possibly have unspecified other impact via vectors related to
- the XPointer range-to function.
- cvss_v2: 10.0
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.7.1"
- related:
- cve:
- - 2016-5131
- url:
- - https://github.com/sparklemotion/nokogiri/issues/1615
----
+---
+layout: advisory
+title: 'CVE-2016-4658 (nokogiri): Nokogiri gem contains several vulnerabilities in
+ libxml2 and libxslt'
+comments: false
+categories:
+- nokogiri
+advisory:
+ gem: nokogiri
+ cve: 2016-4658
+ ghsa: fr52-4hqw-p27f
+ url: https://github.com/sparklemotion/nokogiri/issues/1615
+ title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
+ date: 2017-03-11
+ description: |
+ Nokogiri version 1.7.1 has been released, pulling in several upstream
+ patches to the vendored libxml2 to address the following CVEs:
+
+ CVE-2016-4658
+ CVSS v3 Base Score: 9.8 (Critical)
+ libxml2 in Apple iOS before 10, OS X before 10.12, tvOS before 10, and
+ watchOS before 3 allows remote attackers to execute arbitrary code or cause
+ a denial of service (memory corruption) via a crafted XML document.
+
+ CVE-2016-5131
+ CVSS v3 Base Score: 8.8 (HIGH)
+ Use-after-free vulnerability in libxml2 through 2.9.4, as used in Google
+ Chrome before 52.0.2743.82, allows remote attackers to cause a denial of
+ service or possibly have unspecified other impact via vectors related to
+ the XPointer range-to function.
+ cvss_v2: 10.0
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.7.1"
+ related:
+ cve:
+ - 2016-5131
+ url:
+ - https://github.com/sparklemotion/nokogiri/issues/1615
+---
diff --git a/advisories/_posts/2017-04-05-CVE-2017-7540.md b/advisories/_posts/2017-04-05-CVE-2017-7540.md
index c2c82602..c6f52d5c 100644
--- a/advisories/_posts/2017-04-05-CVE-2017-7540.md
+++ b/advisories/_posts/2017-04-05-CVE-2017-7540.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2017-7540 (safemode): Safemode Gem for Ruby is vulnerable to bypassing
- safe mode limitations'
-comments: false
-categories:
-- safemode
-advisory:
- gem: safemode
- cve: 2017-7540
- ghsa: 5vx5-9q73-wgp4
- url: https://nvd.nist.gov/vuln/detail/CVE-2017-7540
- title: Safemode Gem for Ruby is vulnerable to bypassing safe mode limitations
- date: 2017-04-05
- description: |
- Safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable
- to bypassing safe mode limitations via special Ruby syntax. This can
- lead to deletion of objects for which the user does not have delete
- permissions or possibly to privilege escalation.
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.3.3"
- related:
- url:
- - https://github.com/svenfuchs/safemode/pull/23
----
+---
+layout: advisory
+title: 'CVE-2017-7540 (safemode): Safemode Gem for Ruby is vulnerable to bypassing
+ safe mode limitations'
+comments: false
+categories:
+- safemode
+advisory:
+ gem: safemode
+ cve: 2017-7540
+ ghsa: 5vx5-9q73-wgp4
+ url: https://nvd.nist.gov/vuln/detail/CVE-2017-7540
+ title: Safemode Gem for Ruby is vulnerable to bypassing safe mode limitations
+ date: 2017-04-05
+ description: |
+ Safemode, as used in Foreman, versions 1.3.2 and earlier are vulnerable
+ to bypassing safe mode limitations via special Ruby syntax. This can
+ lead to deletion of objects for which the user does not have delete
+ permissions or possibly to privilege escalation.
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.3.3"
+ related:
+ url:
+ - https://github.com/svenfuchs/safemode/pull/23
+---
diff --git a/advisories/_posts/2017-05-01-CVE-2017-8418.md b/advisories/_posts/2017-05-01-CVE-2017-8418.md
index 0b8ba913..b0282fab 100644
--- a/advisories/_posts/2017-05-01-CVE-2017-8418.md
+++ b/advisories/_posts/2017-05-01-CVE-2017-8418.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2017-8418 (rubocop): RuboCop gem Insecure use of /tmp'
-comments: false
-categories:
-- rubocop
-advisory:
- gem: rubocop
- cve: 2017-8418
- ghsa: wmjf-jpjj-9f3j
- url: https://github.com/bbatsov/rubocop/issues/4336
- title: RuboCop gem Insecure use of /tmp
- date: 2017-05-01
- description: |
- RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local
- users to exploit this to tamper with cache files belonging to other users.
- cvss_v2: 2.1
- cvss_v3: 3.3
- patched_versions:
- - ">= 0.49.0"
- related:
- url:
- - http://www.openwall.com/lists/oss-security/2017/05/01/14
----
+---
+layout: advisory
+title: 'CVE-2017-8418 (rubocop): RuboCop gem Insecure use of /tmp'
+comments: false
+categories:
+- rubocop
+advisory:
+ gem: rubocop
+ cve: 2017-8418
+ ghsa: wmjf-jpjj-9f3j
+ url: https://github.com/bbatsov/rubocop/issues/4336
+ title: RuboCop gem Insecure use of /tmp
+ date: 2017-05-01
+ description: |
+ RuboCop 0.48.1 and earlier does not use /tmp in safe way, allowing local
+ users to exploit this to tamper with cache files belonging to other users.
+ cvss_v2: 2.1
+ cvss_v3: 3.3
+ patched_versions:
+ - ">= 0.49.0"
+ related:
+ url:
+ - http://www.openwall.com/lists/oss-security/2017/05/01/14
+---
diff --git a/advisories/_posts/2017-05-08-CVE-2017-1002201.md b/advisories/_posts/2017-05-08-CVE-2017-1002201.md
index 0259694b..b1251687 100644
--- a/advisories/_posts/2017-05-08-CVE-2017-1002201.md
+++ b/advisories/_posts/2017-05-08-CVE-2017-1002201.md
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2017-1002201 (haml): haml failure to escape single quotes'
-comments: false
-categories:
-- haml
-advisory:
- gem: haml
- cve: 2017-1002201
- ghsa: r53w-g4xm-3gc6
- url: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
- title: haml failure to escape single quotes
- date: 2017-05-08
- description: |
- In haml versions prior to version 5.0.0.beta.2, when using user input to
- perform tasks on the server, characters like < > " ' must be escaped properly.
- In this case, the ' character was missed. An attacker can manipulate the input
- to introduce additional attributes, potentially executing code.
- cvss_v2: 4.3
- cvss_v3: 6.1
- patched_versions:
- - ">= 5.0.0.beta.2"
- related:
- url:
- - https://snyk.io/vuln/SNYK-RUBY-HAML-20362
----
+---
+layout: advisory
+title: 'CVE-2017-1002201 (haml): haml failure to escape single quotes'
+comments: false
+categories:
+- haml
+advisory:
+ gem: haml
+ cve: 2017-1002201
+ ghsa: r53w-g4xm-3gc6
+ url: https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
+ title: haml failure to escape single quotes
+ date: 2017-05-08
+ description: |
+ In haml versions prior to version 5.0.0.beta.2, when using user input to
+ perform tasks on the server, characters like < > " ' must be escaped properly.
+ In this case, the ' character was missed. An attacker can manipulate the input
+ to introduce additional attributes, potentially executing code.
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 5.0.0.beta.2"
+ related:
+ url:
+ - https://snyk.io/vuln/SNYK-RUBY-HAML-20362
+---
diff --git a/advisories/_posts/2017-05-09-CVE-2017-5029.md b/advisories/_posts/2017-05-09-CVE-2017-5029.md
index 4436c5c1..c5a0fba3 100644
--- a/advisories/_posts/2017-05-09-CVE-2017-5029.md
+++ b/advisories/_posts/2017-05-09-CVE-2017-5029.md
@@ -1,53 +1,53 @@ ---- -layout: advisory -title: 'CVE-2017-5029 (nokogiri): Nokogiri gem contains two upstream vulnerabilities - in libxslt 1.1.29' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2017-5029 - ghsa: pf6m-fxpq-fg8v - url: https://github.com/sparklemotion/nokogiri/issues/1634 - title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 - date: 2017-05-09 - description: | - nokogiri version 1.7.2 has been released. - - This is a security update based on 1.7.1, addressing two upstream - libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical - and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat. - - These patches only apply when using Nokogiri's vendored libxslt - package. If you're using your distro's system libraries, there's no - need to upgrade from 1.7.0.1 or 1.7.1 at this time. - - Full details are available at the github issue linked to in the - changelog below. - - ----- - - # 1.7.2 / 2017-05-09 - - ## Security Notes - - [MRI] Upstream libxslt patches are applied to the vendored libxslt - 1.1.29 which address CVE-2017-5029 and CVE-2016-4738. 
- - For more information: - - * https://github.com/sparklemotion/nokogiri/issues/1634 - * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html - * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html - cvss_v3: 8.8 - patched_versions: - - ">= 1.7.2" - related: - cve: - - 2016-4738 - - 2017-5029 - url: - - http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html - - http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html ---- +--- +layout: advisory +title: 'CVE-2017-5029 (nokogiri): Nokogiri gem contains two upstream vulnerabilities + in libxslt 1.1.29' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2017-5029 + ghsa: pf6m-fxpq-fg8v + url: https://github.com/sparklemotion/nokogiri/issues/1634 + title: Nokogiri gem contains two upstream vulnerabilities in libxslt 1.1.29 + date: 2017-05-09 + description: | + nokogiri version 1.7.2 has been released. + + This is a security update based on 1.7.1, addressing two upstream + libxslt 1.1.29 vulnerabilities classified as "Medium" by Canonical + and given a CVSS3 score of "6.5 Medium" and "8.8 High" by RedHat. + + These patches only apply when using Nokogiri's vendored libxslt + package. If you're using your distro's system libraries, there's no + need to upgrade from 1.7.0.1 or 1.7.1 at this time. + + Full details are available at the github issue linked to in the + changelog below. + + ----- + + # 1.7.2 / 2017-05-09 + + ## Security Notes + + [MRI] Upstream libxslt patches are applied to the vendored libxslt + 1.1.29 which address CVE-2017-5029 and CVE-2016-4738. 
+ + For more information: + + * https://github.com/sparklemotion/nokogiri/issues/1634 + * http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html + * http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html + cvss_v3: 8.8 + patched_versions: + - ">= 1.7.2" + related: + cve: + - 2016-4738 + - 2017-5029 + url: + - http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-5029.html + - http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4738.html +--- diff --git a/advisories/_posts/2017-06-16-CVE-2016-1000221.md b/advisories/_posts/2017-06-16-CVE-2016-1000221.md index a010caa6..4ad4f70e 100644 --- a/advisories/_posts/2017-06-16-CVE-2016-1000221.md +++ b/advisories/_posts/2017-06-16-CVE-2016-1000221.md 
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2016-1000221 (logstash-core): Logstash Logs Sensitive Information' -comments: false -categories: -- logstash-core -advisory: - gem: logstash-core - cve: 2016-1000221 - ghsa: vcmm-ppqx-95ch - url: https://web.archive.org/web/20210124065200/http://www.securityfocus.com/bid/99126 - title: Logstash Logs Sensitive Information - date: 2017-06-16 - description: | - Logstash prior to version 2.3.4, Elasticsearch Output plugin would log - to file HTTP authorization headers which could contain sensitive information. - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 2.3.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2016-1000221 - - https://web.archive.org/web/20210124065200/http://www.securityfocus.com/bid/99126 - - https://security-tracker.debian.org/tracker/CVE-2016-1000221 - - http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.108361 - - https://www.scaprepo.com/control.jsp?command=relation&relationId=CVE-2016-1000221&search=CVE-2016-1000221 - - https://cve.reconshell.com/cve/CVE-2016-1000221 - - https://www.elastic.co/community/security - - https://github.com/advisories/GHSA-vcmm-ppqx-95ch ---- +--- +layout: advisory +title: 'CVE-2016-1000221 (logstash-core): Logstash Logs Sensitive Information' +comments: false +categories: +- logstash-core +advisory: + gem: logstash-core + cve: 2016-1000221 + ghsa: vcmm-ppqx-95ch + url: https://web.archive.org/web/20210124065200/http://www.securityfocus.com/bid/99126 + title: Logstash Logs Sensitive Information + date: 2017-06-16 + description: | + Logstash prior to version 2.3.4, Elasticsearch Output plugin would log + to file HTTP authorization headers which could contain sensitive information. 
+ cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 2.3.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2016-1000221 + - https://web.archive.org/web/20210124065200/http://www.securityfocus.com/bid/99126 + - https://security-tracker.debian.org/tracker/CVE-2016-1000221 + - http://www.securityspace.com/smysecure/catid.html?id=1.3.6.1.4.1.25623.1.0.108361 + - https://www.scaprepo.com/control.jsp?command=relation&relationId=CVE-2016-1000221&search=CVE-2016-1000221 + - https://cve.reconshell.com/cve/CVE-2016-1000221 + - https://www.elastic.co/community/security + - https://github.com/advisories/GHSA-vcmm-ppqx-95ch +--- diff --git a/advisories/_posts/2017-07-11-CVE-2017-16833.md b/advisories/_posts/2017-07-11-CVE-2017-16833.md index c262b58a..b291784f 100644 --- a/advisories/_posts/2017-07-11-CVE-2017-16833.md +++ b/advisories/_posts/2017-07-11-CVE-2017-16833.md 
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2017-16833 (gemirro): Stored XSS in "gemirro" via injection in Gemspec - "homepage" value' -comments: false -categories: -- gemirro -advisory: - gem: gemirro - cve: 2017-16833 - ghsa: x7p2-x2j6-mwhr - url: https://github.com/PierreRambaud/gemirro/commit/9659f9b7ce15a723da8e361bd41b9203b19c97de - title: Stored XSS in "gemirro" via injection in Gemspec "homepage" value - date: 2017-07-11 - description: | - Stored cross-site scripting (XSS) vulnerability in Gemirro allows - attackers to inject arbitrary web script via a crafted JavaScript URL - in the "homepage" value of a ".gemspec" file. - - A ".gemspec" file must be created with a JavaScript URL in the homepage - value. This can be used to build a gem for upload to the Gemirro server, - in order to achieve stored XSS via the author name hyperlink. - cvss_v3: 6.1 - patched_versions: - - ">= 0.15.0" - related: - url: - - https://github.com/PierreRambaud/gemirro/commit/8acfb9ce9774128d535e2795d583242bb86d6ea8 - - https://github.com/PierreRambaud/gemirro/commit/8fa709b121b7e18fceda308917d0fb68dc1479c3 - - https://rubygems.org/gems/gemirro/versions/0.15.0 ---- +--- +layout: advisory +title: 'CVE-2017-16833 (gemirro): Stored XSS in "gemirro" via injection in Gemspec + "homepage" value' +comments: false +categories: +- gemirro +advisory: + gem: gemirro + cve: 2017-16833 + ghsa: x7p2-x2j6-mwhr + url: https://github.com/PierreRambaud/gemirro/commit/9659f9b7ce15a723da8e361bd41b9203b19c97de + title: Stored XSS in "gemirro" via injection in Gemspec "homepage" value + date: 2017-07-11 + description: | + Stored cross-site scripting (XSS) vulnerability in Gemirro allows + attackers to inject arbitrary web script via a crafted JavaScript URL + in the "homepage" value of a ".gemspec" file. + + A ".gemspec" file must be created with a JavaScript URL in the homepage + value. 
This can be used to build a gem for upload to the Gemirro server, + in order to achieve stored XSS via the author name hyperlink. + cvss_v3: 6.1 + patched_versions: + - ">= 0.15.0" + related: + url: + - https://github.com/PierreRambaud/gemirro/commit/8acfb9ce9774128d535e2795d583242bb86d6ea8 + - https://github.com/PierreRambaud/gemirro/commit/8fa709b121b7e18fceda308917d0fb68dc1479c3 + - https://rubygems.org/gems/gemirro/versions/0.15.0 +--- diff --git a/advisories/_posts/2017-08-29-CVE-2017-0899.md b/advisories/_posts/2017-08-29-CVE-2017-0899.md index 75fe062f..33bcbcf3 100644 --- a/advisories/_posts/2017-08-29-CVE-2017-0899.md +++ b/advisories/_posts/2017-08-29-CVE-2017-0899.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2017-0899 (rubygems-update): RubyGems ANSI escape sequence vulnerability' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2017-0899 - ghsa: 7gcp-2gmq-w3xh - url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html - title: RubyGems ANSI escape sequence vulnerability - date: 2017-08-29 - description: | - RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem - specifications that include terminal escape characters. Printing the gem - specification would execute terminal escape sequences. - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 2.4.5.3" - - ">= 2.5.2.1" - - ">= 2.6.13" ---- +--- +layout: advisory +title: 'CVE-2017-0899 (rubygems-update): RubyGems ANSI escape sequence vulnerability' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2017-0899 + ghsa: 7gcp-2gmq-w3xh + url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html + title: RubyGems ANSI escape sequence vulnerability + date: 2017-08-29 + description: | + RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem + specifications that include terminal escape characters. Printing the gem + specification would execute terminal escape sequences. + cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 2.4.5.3" + - ">= 2.5.2.1" + - ">= 2.6.13" +--- diff --git a/advisories/_posts/2017-08-29-CVE-2017-0900.md b/advisories/_posts/2017-08-29-CVE-2017-0900.md index 49d93b13..4075f345 100644 --- a/advisories/_posts/2017-08-29-CVE-2017-0900.md +++ b/advisories/_posts/2017-08-29-CVE-2017-0900.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2017-0900 (rubygems-update): RubyGems DoS vulnerability in the query command' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2017-0900 - ghsa: p7f2-rr42-m9xm - url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html - title: RubyGems DoS vulnerability in the query command - date: 2017-08-29 - description: | - RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem - specifications to cause a denial of service attack against RubyGems clients - who have issued a `query` command. - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 2.4.5.3" - - ">= 2.5.2.1" - - ">= 2.6.13" ---- +--- +layout: advisory +title: 'CVE-2017-0900 (rubygems-update): RubyGems DoS vulnerability in the query command' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2017-0900 + ghsa: p7f2-rr42-m9xm + url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html + title: RubyGems DoS vulnerability in the query command + date: 2017-08-29 + description: | + RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem + specifications to cause a denial of service attack against RubyGems clients + who have issued a `query` command. + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 2.4.5.3" + - ">= 2.5.2.1" + - ">= 2.6.13" +--- diff --git a/advisories/_posts/2017-08-29-CVE-2017-0901.md b/advisories/_posts/2017-08-29-CVE-2017-0901.md index 50b661bf..0a75566a 100644 --- a/advisories/_posts/2017-08-29-CVE-2017-0901.md +++ b/advisories/_posts/2017-08-29-CVE-2017-0901.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2017-0901 (rubygems-update): RubyGems vulnerability in the gem installer - that allowed a malicious gem to overwrite arbitrary files' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2017-0901 - ghsa: pm9x-4392-2c2p - url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html - title: RubyGems vulnerability in the gem installer that allowed a malicious gem - to overwrite arbitrary files - date: 2017-08-29 - description: | - RubyGems version 2.6.12 and earlier fails to validate specification names, - allowing a maliciously crafted gem to potentially overwrite any file on the - filesystem. - cvss_v2: 6.4 - cvss_v3: 7.5 - patched_versions: - - ">= 2.4.5.3" - - ">= 2.5.2.1" - - ">= 2.6.13" ---- +--- +layout: advisory +title: 'CVE-2017-0901 (rubygems-update): RubyGems vulnerability in the gem installer + that allowed a malicious gem to overwrite arbitrary files' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2017-0901 + ghsa: pm9x-4392-2c2p + url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html + title: RubyGems vulnerability in the gem installer that allowed a malicious gem + to overwrite arbitrary files + date: 2017-08-29 + description: | + RubyGems version 2.6.12 and earlier fails to validate specification names, + allowing a maliciously crafted gem to potentially overwrite any file on the + filesystem. + cvss_v2: 6.4 + cvss_v3: 7.5 + patched_versions: + - ">= 2.4.5.3" + - ">= 2.5.2.1" + - ">= 2.6.13" +--- diff --git a/advisories/_posts/2017-08-29-CVE-2017-0902.md b/advisories/_posts/2017-08-29-CVE-2017-0902.md index fb55f641..39c24245 100644 --- a/advisories/_posts/2017-08-29-CVE-2017-0902.md +++ b/advisories/_posts/2017-08-29-CVE-2017-0902.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2017-0902 (rubygems-update): RubyGems DNS request hijacking vulnerability' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2017-0902 - ghsa: 73w7-6w9g-gc8w - url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html - title: RubyGems DNS request hijacking vulnerability - date: 2017-08-29 - description: | - RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking - vulnerability that allows a MITM attacker to force the RubyGems client to - down load and install gems from a server that the attacker controls. - cvss_v2: 6.8 - cvss_v3: 8.1 - patched_versions: - - ">= 2.4.5.3" - - ">= 2.5.2.1" - - ">= 2.6.13" ---- +--- +layout: advisory +title: 'CVE-2017-0902 (rubygems-update): RubyGems DNS request hijacking vulnerability' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2017-0902 + ghsa: 73w7-6w9g-gc8w + url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html + title: RubyGems DNS request hijacking vulnerability + date: 2017-08-29 + description: | + RubyGems version 2.6.12 and earlier is vulnerable to a DNS hijacking + vulnerability that allows a MITM attacker to force the RubyGems client to + down load and install gems from a server that the attacker controls. + cvss_v2: 6.8 + cvss_v3: 8.1 + patched_versions: + - ">= 2.4.5.3" + - ">= 2.5.2.1" + - ">= 2.6.13" +--- diff --git a/advisories/_posts/2017-09-19-CVE-2017-9050.md b/advisories/_posts/2017-09-19-CVE-2017-9050.md index 1246f8b8..03c9aa62 100644 --- a/advisories/_posts/2017-09-19-CVE-2017-9050.md +++ b/advisories/_posts/2017-09-19-CVE-2017-9050.md 
@@ -1,69 +1,69 @@ ---- -layout: advisory -title: 'CVE-2017-9050 (nokogiri): Nokogiri gem, via libxml, is affected by DoS and - RCE vulnerabilities' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2017-9050 - ghsa: 8c56-cpmw-89x7 - url: https://github.com/sparklemotion/nokogiri/issues/1673 - title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities - date: 2017-09-19 - description: | - The version of libxml2 packaged with Nokogiri contains several - vulnerabilities. Nokogiri has mitigated these issues by upgrading to - libxml 2.9.5. - - It was discovered that a type confusion error existed in libxml2. An - attacker could use this to specially construct XML data that - could cause a denial of service or possibly execute arbitrary - code. (CVE-2017-0663) - - It was discovered that libxml2 did not properly validate parsed entity - references. An attacker could use this to specially construct XML - data that could expose sensitive information. (CVE-2017-7375) - - It was discovered that a buffer overflow existed in libxml2 when - handling HTTP redirects. An attacker could use this to specially - construct XML data that could cause a denial of service or possibly - execute arbitrary code. (CVE-2017-7376) - - Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in - libxml2 when handling elements. An attacker could use this to specially - construct XML data that could cause a denial of service or possibly - execute arbitrary code. (CVE-2017-9047) - - Marcel Böhme and Van-Thuan Pham discovered a buffer overread - in libxml2 when handling elements. An attacker could use this - to specially construct XML data that could cause a denial of - service. (CVE-2017-9048) - - Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads - in libxml2 when handling parameter-entity references. An attacker - could use these to specially construct XML data that could cause a - denial of service. 
(CVE-2017-9049, CVE-2017-9050) - cvss_v3: 7.5 - patched_versions: - - ">= 1.8.1" - related: - cve: - - 2017-0663 - - 2017-7375 - - 2017-7376 - - 2017-9047 - - 2017-9048 - - 2017-9049 - - 2017-9050 - url: - - https://usn.ubuntu.com/usn/usn-3424-1/ - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html - - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html ---- +--- +layout: advisory +title: 'CVE-2017-9050 (nokogiri): Nokogiri gem, via libxml, is affected by DoS and + RCE vulnerabilities' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2017-9050 + ghsa: 8c56-cpmw-89x7 + url: https://github.com/sparklemotion/nokogiri/issues/1673 + title: Nokogiri gem, via libxml, is affected by DoS and RCE vulnerabilities + date: 2017-09-19 + description: | + The version of libxml2 packaged with Nokogiri contains several + vulnerabilities. Nokogiri has mitigated these issues by upgrading to + libxml 2.9.5. + + It was discovered that a type confusion error existed in libxml2. An + attacker could use this to specially construct XML data that + could cause a denial of service or possibly execute arbitrary + code. (CVE-2017-0663) + + It was discovered that libxml2 did not properly validate parsed entity + references. An attacker could use this to specially construct XML + data that could expose sensitive information. (CVE-2017-7375) + + It was discovered that a buffer overflow existed in libxml2 when + handling HTTP redirects. 
An attacker could use this to specially + construct XML data that could cause a denial of service or possibly + execute arbitrary code. (CVE-2017-7376) + + Marcel Böhme and Van-Thuan Pham discovered a buffer overflow in + libxml2 when handling elements. An attacker could use this to specially + construct XML data that could cause a denial of service or possibly + execute arbitrary code. (CVE-2017-9047) + + Marcel Böhme and Van-Thuan Pham discovered a buffer overread + in libxml2 when handling elements. An attacker could use this + to specially construct XML data that could cause a denial of + service. (CVE-2017-9048) + + Marcel Böhme and Van-Thuan Pham discovered multiple buffer overreads + in libxml2 when handling parameter-entity references. An attacker + could use these to specially construct XML data that could cause a + denial of service. (CVE-2017-9049, CVE-2017-9050) + cvss_v3: 7.5 + patched_versions: + - ">= 1.8.1" + related: + cve: + - 2017-0663 + - 2017-7375 + - 2017-7376 + - 2017-9047 + - 2017-9048 + - 2017-9049 + - 2017-9050 + url: + - https://usn.ubuntu.com/usn/usn-3424-1/ + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-0663.html + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7375.html + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7376.html + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9047.html + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9048.html + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9049.html + - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-9050.html +--- diff --git a/advisories/_posts/2017-10-09-CVE-2017-0903.md b/advisories/_posts/2017-10-09-CVE-2017-0903.md index 5e28f9fd..1ed85f06 100644 --- a/advisories/_posts/2017-10-09-CVE-2017-0903.md +++ b/advisories/_posts/2017-10-09-CVE-2017-0903.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2017-0903 (rubygems-update): Unsafe Object Deserialization Vulnerability - in RubyGems' -comments: false -categories: -- rubygems-update -- rubygems -advisory: - gem: rubygems-update - library: rubygems - cve: 2017-0903 - ghsa: mqwr-4qf2-2hcv - url: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html - title: Unsafe Object Deserialization Vulnerability in RubyGems - date: 2017-10-09 - description: | - There is a possible unsafe object deserialization vulnerability in RubyGems. - It is possible for YAML deserialization of gem specifications to bypass class - white lists. Specially crafted serialized objects can possibly be used to - escalate to remote code execution. - cvss_v2: 7.5 - cvss_v3: 9.8 - unaffected_versions: - - "< 2.0.0" - patched_versions: - - ">= 2.6.14" ---- +--- +layout: advisory +title: 'CVE-2017-0903 (rubygems-update): Unsafe Object Deserialization Vulnerability + in RubyGems' +comments: false +categories: +- rubygems-update +- rubygems +advisory: + gem: rubygems-update + library: rubygems + cve: 2017-0903 + ghsa: mqwr-4qf2-2hcv + url: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html + title: Unsafe Object Deserialization Vulnerability in RubyGems + date: 2017-10-09 + description: | + There is a possible unsafe object deserialization vulnerability in RubyGems. + It is possible for YAML deserialization of gem specifications to bypass class + white lists. Specially crafted serialized objects can possibly be used to + escalate to remote code execution. + cvss_v2: 7.5 + cvss_v3: 9.8 + unaffected_versions: + - "< 2.0.0" + patched_versions: + - ">= 2.6.14" +--- diff --git a/advisories/_posts/2017-10-24-CVE-2006-4111.md b/advisories/_posts/2017-10-24-CVE-2006-4111.md index b890be2f..18a32c41 100644 --- a/advisories/_posts/2017-10-24-CVE-2006-4111.md +++ b/advisories/_posts/2017-10-24-CVE-2006-4111.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2006-4111 (rails): High severity vulnerability that affects rails' -comments: false -categories: -- rails -advisory: - gem: rails - cve: 2006-4111 - ghsa: rvpq-5xqx-pfpp - url: https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md - title: High severity vulnerability that affects rails - date: 2017-10-24 - description: | - Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code - with "severe" or "serious" impact via a File Upload request with an HTTP header - that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. - cvss_v2: 7.5 - unaffected_versions: - - "< 1.1.0" - patched_versions: - - ">= 1.1.6" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2006-4111 - - https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md - - https://blog.evanweaver.com/2006/08/12/anatomy-of-an-attack-against-1-1-4 - - https://rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure - - http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits - - https://github.com/advisories/GHSA-rvpq-5xqx-pfpp - - http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml ---- +--- +layout: advisory +title: 'CVE-2006-4111 (rails): High severity vulnerability that affects rails' +comments: false +categories: +- rails +advisory: + gem: rails + cve: 2006-4111 + ghsa: rvpq-5xqx-pfpp + url: https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md + title: High severity vulnerability that affects rails + date: 2017-10-24 + description: | + Ruby on Rails before 1.1.5 allows remote attackers to execute Ruby code + with "severe" or "serious" impact via a File Upload request with an HTTP header + that modifies the LOAD_PATH variable, a different vulnerability than CVE-2006-4112. 
+ cvss_v2: 7.5 + unaffected_versions: + - "< 1.1.0" + patched_versions: + - ">= 1.1.6" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2006-4111 + - https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md + - https://blog.evanweaver.com/2006/08/12/anatomy-of-an-attack-against-1-1-4 + - https://rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure + - http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits + - https://github.com/advisories/GHSA-rvpq-5xqx-pfpp + - http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml +--- diff --git a/advisories/_posts/2017-10-24-CVE-2006-4112.md b/advisories/_posts/2017-10-24-CVE-2006-4112.md index 7d6364bb..405b8426 100644 --- a/advisories/_posts/2017-10-24-CVE-2006-4112.md +++ b/advisories/_posts/2017-10-24-CVE-2006-4112.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2006-4112 (rails): High severity vulnerability that affects rails.' -comments: false -categories: -- rails -- rails -advisory: - gem: rails - framework: rails - cve: 2006-4112 - ghsa: 9wrq-xvmp-xjc8 - url: https://exchange.xforce.ibmcloud.com/vulnerabilities/28364 - title: High severity vulnerability that affects rails. - date: 2017-10-24 - description: | - Unspecified vulnerability in the "dependency resolution mechanism" in - Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby - code via a URL that is not properly handled in the routing code, which leads to - a denial of service (application hang) or "data loss," a different vulnerability - than CVE-2006-4111. - cvss_v2: 7.5 - unaffected_versions: - - "< 1.1.0" - patched_versions: - - ">= 1.1.6" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2006-4112 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/28364 - - https://github.com/advisories/GHSA-9wrq-xvmp-xjc8 - - http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure - - https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md - - https://blog.evanweaver.com/2006/08/12/anatomy-of-an-attack-against-1-1-4 - - http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits - - http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml - - http://www.kb.cert.org/vuls/id/699540 ---- +--- +layout: advisory +title: 'CVE-2006-4112 (rails): High severity vulnerability that affects rails.' +comments: false +categories: +- rails +- rails +advisory: + gem: rails + framework: rails + cve: 2006-4112 + ghsa: 9wrq-xvmp-xjc8 + url: https://exchange.xforce.ibmcloud.com/vulnerabilities/28364 + title: High severity vulnerability that affects rails. 
+ date: 2017-10-24 + description: | + Unspecified vulnerability in the "dependency resolution mechanism" in + Ruby on Rails 1.1.0 through 1.1.5 allows remote attackers to execute arbitrary Ruby + code via a URL that is not properly handled in the routing code, which leads to + a denial of service (application hang) or "data loss," a different vulnerability + than CVE-2006-4111. + cvss_v2: 7.5 + unaffected_versions: + - "< 1.1.0" + patched_versions: + - ">= 1.1.6" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2006-4112 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/28364 + - https://github.com/advisories/GHSA-9wrq-xvmp-xjc8 + - http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure + - https://github.com/presidentbeef/rails-security-history/blob/master/vulnerabilities.md + - https://blog.evanweaver.com/2006/08/12/anatomy-of-an-attack-against-1-1-4 + - http://weblog.rubyonrails.org/2006/8/9/rails-1-1-5-mandatory-security-patch-and-other-tidbits + - http://www.gentoo.org/security/en/glsa/glsa-200608-20.xml + - http://www.kb.cert.org/vuls/id/699540 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2007-3227.md b/advisories/_posts/2017-10-24-CVE-2007-3227.md index 24c0b233..9097deb8 100644 --- a/advisories/_posts/2017-10-24-CVE-2007-3227.md +++ b/advisories/_posts/2017-10-24-CVE-2007-3227.md 
@@ -1,33 +1,33 @@ ---- -layout: advisory -title: 'CVE-2007-3227 (rails): Moderate severity vulnerability that affects rails' -comments: false -categories: -- rails -- rails -advisory: - gem: rails - framework: rails - cve: 2007-3227 - ghsa: gm25-fpmr-43fj - osvdb: 36378 - url: http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release - title: Moderate severity vulnerability that affects rails - date: 2017-10-24 - description: | - Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) - function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary - web script via the input values. - cvss_v2: 4.3 - patched_versions: - - ">= 1.2.5" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2007-3227 - - http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release - - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release - - https://github.com/advisories/GHSA-gm25-fpmr-43fj - - http://bugs.gentoo.org/show_bug.cgi?id=195315 - - http://osvdb.org/36378 - - http://security.gentoo.org/glsa/glsa-200711-17.xml ---- +--- +layout: advisory +title: 'CVE-2007-3227 (rails): Moderate severity vulnerability that affects rails' +comments: false +categories: +- rails +- rails +advisory: + gem: rails + framework: rails + cve: 2007-3227 + ghsa: gm25-fpmr-43fj + osvdb: 36378 + url: http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release + title: Moderate severity vulnerability that affects rails + date: 2017-10-24 + description: | + Cross-site scripting (XSS) vulnerability in the to_json (ActiveRecord::Base#to_json) + function in Ruby on Rails before edge 9606 allows remote attackers to inject arbitrary + web script via the input values. 
+ cvss_v2: 4.3 + patched_versions: + - ">= 1.2.5" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2007-3227 + - http://weblog.rubyonrails.org/2007/10/12/rails-1-2-5-maintenance-release + - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release + - https://github.com/advisories/GHSA-gm25-fpmr-43fj + - http://bugs.gentoo.org/show_bug.cgi?id=195315 + - http://osvdb.org/36378 + - http://security.gentoo.org/glsa/glsa-200711-17.xml +--- diff --git a/advisories/_posts/2017-10-24-CVE-2007-5379.md b/advisories/_posts/2017-10-24-CVE-2007-5379.md index 759983d5..4fa90cb2 100644 --- a/advisories/_posts/2017-10-24-CVE-2007-5379.md +++ b/advisories/_posts/2017-10-24-CVE-2007-5379.md 
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2007-5379 (rails): Moderate severity vulnerability that affects rails'
-comments: false
-categories:
-- rails
-- rails
-advisory:
- gem: rails
- framework: rails
- cve: 2007-5379
- osvdb: 40717
- ghsa: fjfg-q662-gm6j
- url: http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- title: Moderate severity vulnerability that affects rails
- date: 2017-10-24
- description: |
- Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers
- and ActiveResource servers to determine the existence of arbitrary files and read
- arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple
- (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim)
- .purple/accounts.xml file.
- cvss_v2: 5.0
- patched_versions:
- - ">= 1.2.5"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2007-5379
- - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- - https://github.com/advisories/GHSA-fjfg-q662-gm6j
- - http://bugs.gentoo.org/show_bug.cgi?id=195315
- - http://osvdb.org/40717
- - http://security.gentoo.org/glsa/glsa-200711-17.xml
----
+---
+layout: advisory
+title: 'CVE-2007-5379 (rails): Moderate severity vulnerability that affects rails'
+comments: false
+categories:
+- rails
+- rails
+advisory:
+ gem: rails
+ framework: rails
+ cve: 2007-5379
+ osvdb: 40717
+ ghsa: fjfg-q662-gm6j
+ url: http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+ title: Moderate severity vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers
+ and ActiveResource servers to determine the existence of arbitrary files and read
+ arbitrary XML files via the Hash.from_xml (Hash#from_xml) method, which uses XmlSimple
+ (XML::Simple) unsafely, as demonstrated by reading passwords from the Pidgin (Gaim)
+ .purple/accounts.xml file.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 1.2.5"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2007-5379
+ - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+ - https://github.com/advisories/GHSA-fjfg-q662-gm6j
+ - http://bugs.gentoo.org/show_bug.cgi?id=195315
+ - http://osvdb.org/40717
+ - http://security.gentoo.org/glsa/glsa-200711-17.xml
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2007-5380.md b/advisories/_posts/2017-10-24-CVE-2007-5380.md
index 71e75f99..d4c7d9f7 100644
--- a/advisories/_posts/2017-10-24-CVE-2007-5380.md
+++ b/advisories/_posts/2017-10-24-CVE-2007-5380.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'CVE-2007-5380 (rails): Moderate severity vulnerability that affects rails'
-comments: false
-categories:
-- rails
-- rails
-advisory:
- gem: rails
- framework: rails
- cve: 2007-5380
- ghsa: jwhv-rgqc-fqj5
- url: http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- title: Moderate severity vulnerability that affects rails
- date: 2017-10-24
- description: |
- Session fixation vulnerability in Rails before 1.2.4, as used for Ruby
- on Rails, allows remote attackers to hijack web sessions via unspecified vectors
- related to "URL-based sessions."
- cvss_v2: 6.8
- patched_versions:
- - ">= 1.2.4"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2007-5380
- - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
- - https://github.com/advisories/GHSA-jwhv-rgqc-fqj5
- - http://bugs.gentoo.org/show_bug.cgi?id=195315
- - http://security.gentoo.org/glsa/glsa-200711-17.xml
----
+---
+layout: advisory
+title: 'CVE-2007-5380 (rails): Moderate severity vulnerability that affects rails'
+comments: false
+categories:
+- rails
+- rails
+advisory:
+ gem: rails
+ framework: rails
+ cve: 2007-5380
+ ghsa: jwhv-rgqc-fqj5
+ url: http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+ title: Moderate severity vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ Session fixation vulnerability in Rails before 1.2.4, as used for Ruby
+ on Rails, allows remote attackers to hijack web sessions via unspecified vectors
+ related to "URL-based sessions."
+ cvss_v2: 6.8
+ patched_versions:
+ - ">= 1.2.4"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2007-5380
+ - http://weblog.rubyonrails.org/2007/10/5/rails-1-2-4-maintenance-release
+ - https://github.com/advisories/GHSA-jwhv-rgqc-fqj5
+ - http://bugs.gentoo.org/show_bug.cgi?id=195315
+ - http://security.gentoo.org/glsa/glsa-200711-17.xml
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2007-6077.md b/advisories/_posts/2017-10-24-CVE-2007-6077.md
index 1a365f75..3f73f254 100644
--- a/advisories/_posts/2017-10-24-CVE-2007-6077.md
+++ b/advisories/_posts/2017-10-24-CVE-2007-6077.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2007-6077 (rails): Moderate severity vulnerability that affects rails'
-comments: false
-categories:
-- rails
-- rails
-advisory:
- gem: rails
- framework: rails
- cve: 2007-6077
- ghsa: p4c6-77gc-694x
- url: https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
- title: Moderate severity vulnerability that affects rails
- date: 2017-10-24
- description: |
- The session fixation protection mechanism in cgi_process.rb in
- Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only
- attribute from the DEFAULT_SESSION_OPTIONS constant, which
- effectively causes cookie_only to be applied only to the first
- instantiation of CgiRequest, which allows remote attackers to
- conduct session fixation attacks.
-
- NOTE: this is due to an incomplete fix for CVE-2007-5380.
- cvss_v2: 6.8
- patched_versions:
- - ">= 1.2.6"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2007-6077
- - http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
- - https://github.com/advisories/GHSA-p4c6-77gc-694x
- - https://ubuntu.com/security/CVE-2007-6077
----
+---
+layout: advisory
+title: 'CVE-2007-6077 (rails): Moderate severity vulnerability that affects rails'
+comments: false
+categories:
+- rails
+- rails
+advisory:
+ gem: rails
+ framework: rails
+ cve: 2007-6077
+ ghsa: p4c6-77gc-694x
+ url: https://rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
+ title: Moderate severity vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ The session fixation protection mechanism in cgi_process.rb in
+ Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only
+ attribute from the DEFAULT_SESSION_OPTIONS constant, which
+ effectively causes cookie_only to be applied only to the first
+ instantiation of CgiRequest, which allows remote attackers to
+ conduct session fixation attacks.
+
+ NOTE: this is due to an incomplete fix for CVE-2007-5380.
+ cvss_v2: 6.8
+ patched_versions:
+ - ">= 1.2.6"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2007-6077
+ - http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
+ - https://github.com/advisories/GHSA-p4c6-77gc-694x
+ - https://ubuntu.com/security/CVE-2007-6077
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2008-4094.md b/advisories/_posts/2017-10-24-CVE-2008-4094.md
index c143b5cf..502338c1 100644
--- a/advisories/_posts/2017-10-24-CVE-2008-4094.md
+++ b/advisories/_posts/2017-10-24-CVE-2008-4094.md
@@ -1,38 +1,38 @@
----
-layout: advisory
-title: 'CVE-2008-4094 (activerecord): High severity vulnerability that affects rails'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2008-4094
- ghsa: xf96-32q2-9rw2
- url: http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
- title: High severity vulnerability that affects rails
- date: 2017-10-24
- description: |
- Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1
- allow remote attackers to execute arbitrary SQL commands via the
- (1) :limit and (2) :offset parameters, related to ActiveRecord,
- ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
- cvss_v2: 7.5
- patched_versions:
- - "~> 2.0.0"
- - ">= 2.1.1"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2008-4094
- - http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
- - https://rubyonrails.org/2008/10/23/rails-2-1-2-security-other-fixes
- - https://github.com/rails/rails/commit/213f31513e4cb640fa3ed45f387f221401023646
- - https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
- - https://github.com/advisories/GHSA-xf96-32q2-9rw2
- - http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- - http://rails.lighthouseapp.com/projects/8994/tickets/288
- - http://rails.lighthouseapp.com/projects/8994/tickets/964
- - http://www.openwall.com/lists/oss-security/2008/09/13/2
- - http://www.openwall.com/lists/oss-security/2008/09/16/1
----
+---
+layout: advisory
+title: 'CVE-2008-4094 (activerecord): High severity vulnerability that affects rails'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2008-4094
+ ghsa: xf96-32q2-9rw2
+ url: http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
+ title: High severity vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ Multiple SQL injection vulnerabilities in Ruby on Rails before 2.1.1
+ allow remote attackers to execute arbitrary SQL commands via the
+ (1) :limit and (2) :offset parameters, related to ActiveRecord,
+ ActiveSupport, ActiveResource, ActionPack, and ActionMailer.
+ cvss_v2: 7.5
+ patched_versions:
+ - "~> 2.0.0"
+ - ">= 2.1.1"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2008-4094
+ - http://www.rorsecurity.info/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter
+ - https://rubyonrails.org/2008/10/23/rails-2-1-2-security-other-fixes
+ - https://github.com/rails/rails/commit/213f31513e4cb640fa3ed45f387f221401023646
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/45109
+ - https://github.com/advisories/GHSA-xf96-32q2-9rw2
+ - http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
+ - http://rails.lighthouseapp.com/projects/8994/tickets/288
+ - http://rails.lighthouseapp.com/projects/8994/tickets/964
+ - http://www.openwall.com/lists/oss-security/2008/09/13/2
+ - http://www.openwall.com/lists/oss-security/2008/09/16/1
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2008-5189.md b/advisories/_posts/2017-10-24-CVE-2008-5189.md
index c532c9fd..c3aac3f8 100644
--- a/advisories/_posts/2017-10-24-CVE-2008-5189.md
+++ b/advisories/_posts/2017-10-24-CVE-2008-5189.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2008-5189 (rails): Moderate severity vulnerability that affects rails'
-comments: false
-categories:
-- rails
-- rails
-advisory:
- gem: rails
- framework: rails
- cve: 2008-5189
- ghsa: jmgf-p46x-982h
- url: http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
- title: Moderate severity vulnerability that affects rails
- date: 2017-10-24
- description: |
- CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote
- attackers to inject arbitrary HTTP headers and conduct HTTP response
- splitting attacks via a crafted URL to the redirect_to function.
- cvss_v2: 5.0
- patched_versions:
- - ">= 2.0.5"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2008-5189
- - http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
- - http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
- - http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
- - http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
- - https://github.com/advisories/GHSA-jmgf-p46x-982h
----
+---
+layout: advisory
+title: 'CVE-2008-5189 (rails): Moderate severity vulnerability that affects rails'
+comments: false
+categories:
+- rails
+- rails
+advisory:
+ gem: rails
+ framework: rails
+ cve: 2008-5189
+ ghsa: jmgf-p46x-982h
+ url: http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
+ title: Moderate severity vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote
+ attackers to inject arbitrary HTTP headers and conduct HTTP response
+ splitting attacks via a crafted URL to the redirect_to function.
+ cvss_v2: 5.0
+ patched_versions:
+ - ">= 2.0.5"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2008-5189
+ - http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing
+ - http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d
+ - http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk
+ - http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html
+ - https://github.com/advisories/GHSA-jmgf-p46x-982h
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2008-7248.md b/advisories/_posts/2017-10-24-CVE-2008-7248.md
index 94ee6c1c..b494888f 100644
--- a/advisories/_posts/2017-10-24-CVE-2008-7248.md
+++ b/advisories/_posts/2017-10-24-CVE-2008-7248.md
@@ -1,45 +1,45 @@
----
-layout: advisory
-title: 'CVE-2008-7248 (actionpack): Improper Input Validation in rails'
-comments: false
-categories:
-- actionpack
-- rails
-advisory:
- gem: actionpack
- framework: rails
- cve: 2008-7248
- ghsa: 8fqx-7pv4-3jwm
- url: https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- title: Improper Input Validation in rails
- date: 2017-10-24
- description: |
- Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
- tokens for requests with certain content types, which allows remote
- attackers to bypass cross-site request forgery (CSRF) protection
- for requests to applications that rely on this protection, as
- demonstrated using text/plain.
- cvss_v2: 6.8
- unaffected_versions:
- - "< 2.1.0"
- patched_versions:
- - "~> 2.1.3"
- - ">= 2.2.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2008-7248
- - https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
- - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
- - https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
- - https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
- - https://access.redhat.com/security/cve/CVE-2008-7248
- - https://bugzilla.redhat.com/show_bug.cgi?id=544329
- - https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
- - https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- - https://www.openwall.com/lists/oss-security/2009/11/28/1
- - https://www.openwall.com/lists/oss-security/2009/12/02/2
- - http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
- - http://github.com/rails/rails/commit/f1ad8b48aae3ee26613b3e77bc0056e120096846
- - https://rubygems.org/gems/rails/versions/2.1.2
- - https://rubygems.org/gems/rails/versions/2.1.2
----
+---
+layout: advisory
+title: 'CVE-2008-7248 (actionpack): Improper Input Validation in rails'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+ gem: actionpack
+ framework: rails
+ cve: 2008-7248
+ ghsa: 8fqx-7pv4-3jwm
+ url: https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
+ title: Improper Input Validation in rails
+ date: 2017-10-24
+ description: |
+ Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify
+ tokens for requests with certain content types, which allows remote
+ attackers to bypass cross-site request forgery (CSRF) protection
+ for requests to applications that rely on this protection, as
+ demonstrated using text/plain.
+ cvss_v2: 6.8
+ unaffected_versions:
+ - "< 2.1.0"
+ patched_versions:
+ - "~> 2.1.3"
+ - ">= 2.2.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2008-7248
+ - https://weblog.rubyonrails.org/2008/11/18/potential-circumvention-of-csrf-protection-in-rails-2-1
+ - https://groups.google.com/group/rubyonrails-security/browse_thread/thread/d741ee286e36e301?hl=en
+ - https://www.rorsecurity.info/journal/2008/11/19/circumvent-rails-csrf-protection.html
+ - https://github.com/advisories/GHSA-8fqx-7pv4-3jwm
+ - https://access.redhat.com/security/cve/CVE-2008-7248
+ - https://bugzilla.redhat.com/show_bug.cgi?id=544329
+ - https://pseudo-flaw.net/content/web-browsers/form-data-encoding-roundup/
+ - https://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
+ - https://www.openwall.com/lists/oss-security/2009/11/28/1
+ - https://www.openwall.com/lists/oss-security/2009/12/02/2
+ - http://github.com/rails/rails/commit/099a98e9b7108dae3e0f78b207e0a7dc5913bd1a
+ - http://github.com/rails/rails/commit/f1ad8b48aae3ee26613b3e77bc0056e120096846
+ - https://rubygems.org/gems/rails/versions/2.1.2
+ - https://rubygems.org/gems/rails/versions/2.1.2
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2009-3009.md b/advisories/_posts/2017-10-24-CVE-2009-3009.md
index 727d7c50..1df6743f 100644
--- a/advisories/_posts/2017-10-24-CVE-2009-3009.md
+++ b/advisories/_posts/2017-10-24-CVE-2009-3009.md
@@ -1,42 +1,42 @@
----
-layout: advisory
-title: 'CVE-2009-3009 (activesupport): Moderate severity XSS vulnerability that affects
- rails'
-comments: false
-categories:
-- activesupport
-- rails
-advisory:
- gem: activesupport
- framework: rails
- cve: 2009-3009
- osvdb: 57666
- ghsa: 8qrh-h9m2-5fvf
- url: http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
- title: Moderate severity XSS vulnerability that affects rails
- date: 2017-10-24
- description: |
- Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before
- 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary
- web script or HTML by placing malformed Unicode strings into a form helper.
-
- 9/4/2009 url mentions patches for 2.0, 2.1, 2.2, and 2.3 series.
- unaffected_versions:
- - "< 2.0.0"
- patched_versions:
- - "~> 2.2.3"
- - ">= 2.3.4"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2009-3009
- - http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
- - https://groups.google.com/g/rubyonrails-security/c/SKs_SiwWGQ8/m/tNHhlHfNV38J
- - http://www.osvdb.org/57666
- - https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
- - https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
- - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
- - https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- - http://support.apple.com/kb/HT4077
- - https://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- - http://www.debian.org/security/2009/dsa-1887
----
+---
+layout: advisory
+title: 'CVE-2009-3009 (activesupport): Moderate severity XSS vulnerability that affects
+ rails'
+comments: false
+categories:
+- activesupport
+- rails
+advisory:
+ gem: activesupport
+ framework: rails
+ cve: 2009-3009
+ osvdb: 57666
+ ghsa: 8qrh-h9m2-5fvf
+ url: http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
+ title: Moderate severity XSS vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before
+ 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject arbitrary
+ web script or HTML by placing malformed Unicode strings into a form helper.
+
+ 9/4/2009 url mentions patches for 2.0, 2.1, 2.2, and 2.3 series.
+ unaffected_versions:
+ - "< 2.0.0"
+ patched_versions:
+ - "~> 2.2.3"
+ - ">= 2.3.4"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-3009
+ - http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on-rails
+ - https://groups.google.com/g/rubyonrails-security/c/SKs_SiwWGQ8/m/tNHhlHfNV38J
+ - http://www.osvdb.org/57666
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/53036
+ - https://github.com/advisories/GHSA-8qrh-h9m2-5fvf
+ - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=545063
+ - https://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
+ - http://support.apple.com/kb/HT4077
+ - https://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
+ - http://www.debian.org/security/2009/dsa-1887
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2009-3086.md b/advisories/_posts/2017-10-24-CVE-2009-3086.md
index 0efbb894..c00eeb28 100644
--- a/advisories/_posts/2017-10-24-CVE-2009-3086.md
+++ b/advisories/_posts/2017-10-24-CVE-2009-3086.md
@@ -1,43 +1,43 @@
----
-layout: advisory
-title: 'CVE-2009-3086 (activesupport): actionpack and activesupport vulnerable to
- information leaks'
-comments: false
-categories:
-- activesupport
-- rails
-advisory:
- gem: activesupport
- framework: rails
- cve: 2009-3086
- ghsa: fg9w-g6m4-557j
- url: http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
- title: actionpack and activesupport vulnerable to information leaks
- date: 2017-10-24
- description: |
- A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
- before 2.3.4, leaks information about the complexity of message-digest
- signature verification in the cookie store, which might allow remote
- attackers to forge a digest via multiple attempts.
- cvss_v2: 5.0
- unaffected_versions:
- - "< 2.1.0"
- patched_versions:
- - "~> 2.2.3"
- - ">= 2.3.4"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2009-3086
- - http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
- - https://github.com/advisories/GHSA-fg9w-g6m4-557j
- - http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- - http://www.debian.org/security/2011/dsa-2260
- - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml
- - https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
- - https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
- - https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686
- - https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544
- - https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600
- - https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427
- - https://github.com/advisories/GHSA-fg9w-g6m4-557j
----
+---
+layout: advisory
+title: 'CVE-2009-3086 (activesupport): actionpack and activesupport vulnerable to
+ information leaks'
+comments: false
+categories:
+- activesupport
+- rails
+advisory:
+ gem: activesupport
+ framework: rails
+ cve: 2009-3086
+ ghsa: fg9w-g6m4-557j
+ url: http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
+ title: actionpack and activesupport vulnerable to information leaks
+ date: 2017-10-24
+ description: |
+ A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x
+ before 2.3.4, leaks information about the complexity of message-digest
+ signature verification in the cookie store, which might allow remote
+ attackers to forge a digest via multiple attempts.
+ cvss_v2: 5.0
+ unaffected_versions:
+ - "< 2.1.0"
+ patched_versions:
+ - "~> 2.2.3"
+ - ">= 2.3.4"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-3086
+ - http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
+ - https://github.com/advisories/GHSA-fg9w-g6m4-557j
+ - http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
+ - http://www.debian.org/security/2011/dsa-2260
+ - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2009-3086.yml
+ - https://github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
+ - https://github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978
+ - https://github.com/rails/rails/commit/d460c9a25560f43e7c3789abadf7b455053eb686
+ - https://web.archive.org/web/20090906010200/http://www.vupen.com/english/advisories/2009/2544
+ - https://web.archive.org/web/20090907001716/http://secunia.com/advisories/36600
+ - https://web.archive.org/web/20200229150042/http://www.securityfocus.com/bid/37427
+ - https://github.com/advisories/GHSA-fg9w-g6m4-557j
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2009-3287.md b/advisories/_posts/2017-10-24-CVE-2009-3287.md
index 96917897..0d2c70d4 100644
--- a/advisories/_posts/2017-10-24-CVE-2009-3287.md
+++ b/advisories/_posts/2017-10-24-CVE-2009-3287.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2009-3287 (thin): High severity vulnerability that affects thin'
-comments: false
-categories:
-- thin
-advisory:
- gem: thin
- cve: 2009-3287
- ghsa: j24p-r6wx-r79w
- url: http://github.com/macournoyer/thin/blob/master/CHANGELOG
- title: High severity vulnerability that affects thin
- date: 2017-10-24
- description: |
- lib/thin/connection.rb in Thin web server before 1.2.4 relies on the
- X-Forwarded-For header to determine the IP address of the client,
- which allows remote attackers to spoof the IP address and hide
- activities via a modified X-Forwarded-For header.
- cvss_v2: 7.5
- patched_versions:
- - ">= 1.2.4"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2009-3287
- - http://github.com/macournoyer/thin/blob/master/CHANGELOG
- - http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a
- - https://github.com/advisories/GHSA-j24p-r6wx-r79w
- - http://www.openwall.com/lists/oss-security/2009/09/12/1
----
+---
+layout: advisory
+title: 'CVE-2009-3287 (thin): High severity vulnerability that affects thin'
+comments: false
+categories:
+- thin
+advisory:
+ gem: thin
+ cve: 2009-3287
+ ghsa: j24p-r6wx-r79w
+ url: http://github.com/macournoyer/thin/blob/master/CHANGELOG
+ title: High severity vulnerability that affects thin
+ date: 2017-10-24
+ description: |
+ lib/thin/connection.rb in Thin web server before 1.2.4 relies on the
+ X-Forwarded-For header to determine the IP address of the client,
+ which allows remote attackers to spoof the IP address and hide
+ activities via a modified X-Forwarded-For header.
+ cvss_v2: 7.5
+ patched_versions:
+ - ">= 1.2.4"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-3287
+ - http://github.com/macournoyer/thin/blob/master/CHANGELOG
+ - http://github.com/macournoyer/thin/commit/7bd027914c5ffd36bb408ef47dc749de3b6e063a
+ - https://github.com/advisories/GHSA-j24p-r6wx-r79w
+ - http://www.openwall.com/lists/oss-security/2009/09/12/1
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2009-4214.md b/advisories/_posts/2017-10-24-CVE-2009-4214.md
index 95552320..f96bed04 100644
--- a/advisories/_posts/2017-10-24-CVE-2009-4214.md
+++ b/advisories/_posts/2017-10-24-CVE-2009-4214.md
@@ -1,40 +1,40 @@
----
-layout: advisory
-title: 'CVE-2009-4214 (rails): Moderate severity XSS vulnerability that affects rails'
-comments: false
-categories:
-- rails
-- rails
-advisory:
- gem: rails
- framework: rails
- cve: 2009-4214
- ghsa: 9p3v-wf2w-v29c
- url: http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
- title: Moderate severity XSS vulnerability that affects rails
- date: 2017-10-24
- description: |
- Cross-site scripting (XSS) vulnerability in the strip_tags function
- in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
- attackers to inject arbitrary web script or HTML via vectors involving
- non-printing ASCII characters,related to HTML::Tokenizer and
- actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
- cvss_v2: 4.3
- patched_versions:
- - "~> 2.2.2"
- - ">= 2.3.5"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2009-4214
- - http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
- - https://groups.google.com/g/rubyonrails-security/c/TU9x8q70wKs
- - http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
- - https://github.com/advisories/GHSA-9p3v-wf2w-v29c
- - http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- - http://support.apple.com/kb/HT4077
- - http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.htm
- - http://www.debian.org/security/2011/dsa-2260
- - http://www.debian.org/security/2011/dsa-2301
- - http://www.openwall.com/lists/oss-security/2009/11/27/2
- - http://www.openwall.com/lists/oss-security/2009/12/08/3
----
+---
+layout: advisory
+title: 'CVE-2009-4214 (rails): Moderate severity XSS vulnerability that affects rails'
+comments: false
+categories:
+- rails
+- rails
+advisory:
+ gem: rails
+ framework: rails
+ cve: 2009-4214
+ ghsa: 9p3v-wf2w-v29c
+ url: http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
+ title: Moderate severity XSS vulnerability that affects rails
+ date: 2017-10-24
+ description: |
+ Cross-site scripting (XSS) vulnerability in the strip_tags function
+ in Ruby on Rails before 2.2.s, and 2.3.x before 2.3.5, allows remote
+ attackers to inject arbitrary web script or HTML via vectors involving
+ non-printing ASCII characters,related to HTML::Tokenizer and
+ actionpack/lib/action_controller/vendor/html-scanner/html/node.rb.
+ cvss_v2: 4.3
+ patched_versions:
+ - "~> 2.2.2"
+ - ">= 2.3.5"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-4214
+ - http://weblog.rubyonrails.org/2009/11/30/ruby-on-rails-2-3-5-released
+ - https://groups.google.com/g/rubyonrails-security/c/TU9x8q70wKs
+ - http://github.com/rails/rails/commit/bfe032858077bb2946abe25e95e485ba6da86bd5
+ - https://github.com/advisories/GHSA-9p3v-wf2w-v29c
+ - http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
+ - http://support.apple.com/kb/HT4077
+ - http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.htm
+ - http://www.debian.org/security/2011/dsa-2260
+ - http://www.debian.org/security/2011/dsa-2301
+ - http://www.openwall.com/lists/oss-security/2009/11/27/2
+ - http://www.openwall.com/lists/oss-security/2009/12/08/3
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2009-4492.md b/advisories/_posts/2017-10-24-CVE-2009-4492.md
index 4e0638de..4bbc1313 100644
--- a/advisories/_posts/2017-10-24-CVE-2009-4492.md
+++ b/advisories/_posts/2017-10-24-CVE-2009-4492.md
@@ -1,36 +1,36 @@ ---- -layout: advisory -title: 'CVE-2009-4492 (webrick): WEBrick Improper Input Validation vulnerability' -comments: false -categories: -- webrick -advisory: - gem: webrick - cve: 2009-4492 - ghsa: 6mq2-37j5-w6r6 - url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6 - title: WEBrick Improper Input Validation vulnerability - date: 2017-10-24 - description: | - WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel - 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file - without sanitizing non-printable characters, which might allow remote attackers - to modify a window's title, or possibly execute arbitrary commands or overwrite - files, via an HTTP request containing an escape sequence for a terminal emulator. - cvss_v2: 7.5 - patched_versions: - - ">= 1.4.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2009-4492 - - https://github.com/advisories/GHSA-6mq2-37j5-w6r6 - - http://www.redhat.com/support/errata/RHSA-2011-0908.html - - http://www.redhat.com/support/errata/RHSA-2011-0909.html - - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection - - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt - - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089 - - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949 - - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429 - - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded - - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710 ---- +--- +layout: advisory +title: 'CVE-2009-4492 (webrick): WEBrick Improper Input Validation vulnerability' +comments: false +categories: +- webrick +advisory: + gem: webrick + cve: 2009-4492 + ghsa: 6mq2-37j5-w6r6 + url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6 + title: WEBrick Improper Input 
Validation vulnerability + date: 2017-10-24 + description: | + WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel + 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file + without sanitizing non-printable characters, which might allow remote attackers + to modify a window's title, or possibly execute arbitrary commands or overwrite + files, via an HTTP request containing an escape sequence for a terminal emulator. + cvss_v2: 7.5 + patched_versions: + - ">= 1.4.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2009-4492 + - https://github.com/advisories/GHSA-6mq2-37j5-w6r6 + - http://www.redhat.com/support/errata/RHSA-2011-0908.html + - http://www.redhat.com/support/errata/RHSA-2011-0909.html + - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection + - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt + - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089 + - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949 + - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429 + - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded + - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2010-3933.md b/advisories/_posts/2017-10-24-CVE-2010-3933.md index 8efe13cb..c6035ec6 100644 --- a/advisories/_posts/2017-10-24-CVE-2010-3933.md +++ b/advisories/_posts/2017-10-24-CVE-2010-3933.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'CVE-2010-3933 (activerecord): Security Vulnerability in Nested Attributes - code in Ruby On Rails 2.3.9 and 3.0.0' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2010-3933 - ghsa: gjxw-5w2q-7grf - url: http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0 - title: Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and - 3.0.0 - date: 2017-10-24 - description: | - Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested - attributes, which allows remote attackers to modify arbitrary - records by changing the names of parameters for form inputs. - - Patches are available for 2.3 and 3.0 series. - cvss_v2: 6.4 - unaffected_versions: - - "< 2.3.9" - patched_versions: - - "~> 2.3.9" - - ">= 3.0.1" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2010-3933 - - http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0 - - https://github.com/advisories/GHSA-gjxw-5w2q-7grf - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930 - - https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624 ---- +--- +layout: advisory +title: 'CVE-2010-3933 (activerecord): Security Vulnerability in Nested Attributes + code in Ruby On Rails 2.3.9 and 3.0.0' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2010-3933 + ghsa: gjxw-5w2q-7grf + url: http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0 + title: Security Vulnerability in Nested Attributes code in Ruby On Rails 2.3.9 and + 3.0.0 + date: 2017-10-24 + description: | + Ruby on Rails 2.3.9 and 3.0.0 does not properly handle nested + attributes, which allows remote attackers to 
modify arbitrary + records by changing the names of parameters for form inputs. + + Patches are available for 2.3 and 3.0 series. + cvss_v2: 6.4 + unaffected_versions: + - "< 2.3.9" + patched_versions: + - "~> 2.3.9" + - ">= 3.0.1" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2010-3933 + - http://weblog.rubyonrails.org/2010/10/15/security-vulnerability-in-nested-attributes-code-in-ruby-on-rails-2-3-9-and-3-0-0 + - https://github.com/advisories/GHSA-gjxw-5w2q-7grf + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/41930 + - https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1024624 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2010-5312.md b/advisories/_posts/2017-10-24-CVE-2010-5312.md index b31a0cb9..f1466800 100644 --- a/advisories/_posts/2017-10-24-CVE-2010-5312.md +++ b/advisories/_posts/2017-10-24-CVE-2010-5312.md 
@@ -1,51 +1,51 @@ ---- -layout: advisory -title: 'CVE-2010-5312 (jquery-ui-rails): Cross-site Scripting in jquery-ui' -comments: false -categories: -- jquery-ui-rails -advisory: - gem: jquery-ui-rails - cve: 2010-5312 - ghsa: wcm2-9c89-wmfm - url: https://nvd.nist.gov/vuln/detail/CVE-2010-5312 - title: Cross-site Scripting in jquery-ui - date: 2017-10-24 - description: | - Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in - the Dialog widget in jQuery UI before 1.10.0 allows remote attackers - to inject arbitrary web script or HTML via the title option. - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 4.0.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2010-5312 - - https://github.com/jquery-ui-rails/jquery-ui-rails/commit/61a8e3f50796118e9f49fbd224b67d4065b40c50 - - http://bugs.jqueryui.com/ticket/6016 - - https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3 - - https://security.netapp.com/advisory/ntap-20190416-0007 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/98696 - - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f - - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442 - - http://rhn.redhat.com/errata/RHSA-2015-0442.html - - http://rhn.redhat.com/errata/RHSA-2015-1462.html - - http://seclists.org/oss-sec/2014/q4/613 - - http://seclists.org/oss-sec/2014/q4/616 - - http://www.debian.org/security/2015/dsa-3249 - - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc - - https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html - - https://www.drupal.org/sa-core-2022-002 - - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f - - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442 - - 
https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc - - https://lists.fedoraproject.org/archives/list/package-announce - - https://lists.fedoraproject.org/archives/list/package-announce - - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ - - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ - - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html - - https://web.archive.org/web/20150316023043/http://www.securityfocus.com/bid/71106 - - https://web.archive.org/web/20170316161850/http://www.securitytracker.com/id/1037035 - - https://github.com/advisories/GHSA-wcm2-9c89-wmfm ---- +--- +layout: advisory +title: 'CVE-2010-5312 (jquery-ui-rails): Cross-site Scripting in jquery-ui' +comments: false +categories: +- jquery-ui-rails +advisory: + gem: jquery-ui-rails + cve: 2010-5312 + ghsa: wcm2-9c89-wmfm + url: https://nvd.nist.gov/vuln/detail/CVE-2010-5312 + title: Cross-site Scripting in jquery-ui + date: 2017-10-24 + description: | + Cross-site scripting (XSS) vulnerability in jquery.ui.dialog.js in + the Dialog widget in jQuery UI before 1.10.0 allows remote attackers + to inject arbitrary web script or HTML via the title option. 
+ cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - ">= 4.0.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2010-5312 + - https://github.com/jquery-ui-rails/jquery-ui-rails/commit/61a8e3f50796118e9f49fbd224b67d4065b40c50 + - http://bugs.jqueryui.com/ticket/6016 + - https://github.com/jquery/jquery-ui/commit/7e9060c109b928769a664dbcc2c17bd21231b6f3 + - https://security.netapp.com/advisory/ntap-20190416-0007 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/98696 + - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f + - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442 + - http://rhn.redhat.com/errata/RHSA-2015-0442.html + - http://rhn.redhat.com/errata/RHSA-2015-1462.html + - http://seclists.org/oss-sec/2014/q4/613 + - http://seclists.org/oss-sec/2014/q4/616 + - http://www.debian.org/security/2015/dsa-3249 + - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc + - https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html + - https://www.drupal.org/sa-core-2022-002 + - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f + - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442 + - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc + - https://lists.fedoraproject.org/archives/list/package-announce + - https://lists.fedoraproject.org/archives/list/package-announce + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/ + - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/ + - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html + - 
https://web.archive.org/web/20150316023043/http://www.securityfocus.com/bid/71106 + - https://web.archive.org/web/20170316161850/http://www.securitytracker.com/id/1037035 + - https://github.com/advisories/GHSA-wcm2-9c89-wmfm +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-0446.md b/advisories/_posts/2017-10-24-CVE-2011-0446.md index 12ef97b1..df41a334 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-0446.md +++ b/advisories/_posts/2017-10-24-CVE-2011-0446.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2011-0446 (actionview): XSS vulnerabilities in the mail_to helper in rails/actionview' -comments: false -categories: -- actionview -- rails -advisory: - gem: actionview - framework: rails - cve: 2011-0446 - ghsa: 75w6-p6mg-vh8j - url: https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ - title: XSS vulnerabilities in the mail_to helper in rails/actionview - date: 2017-10-24 - description: | - Multiple cross-site scripting (XSS) vulnerabilities in the mail_to - helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when - javascript encoding is used, allow remote attackers to inject - arbitrary web script or HTML via a crafted (1) name or (2) email value. - cvss_v2: 4.3 - patched_versions: - - "~> 2.3.11" - - ">= 3.0.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-0446 - - https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ - - https://github.com/advisories/GHSA-75w6-p6mg-vh8j - - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html - - http://www.debian.org/security/2011/dsa-2247 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666 - - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1025064 - - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/46291 ---- +--- +layout: advisory +title: 'CVE-2011-0446 (actionview): XSS vulnerabilities in the mail_to helper in rails/actionview' +comments: false +categories: +- actionview +- rails +advisory: + gem: actionview + framework: rails + cve: 2011-0446 + ghsa: 75w6-p6mg-vh8j + url: 
https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ + title: XSS vulnerabilities in the mail_to helper in rails/actionview + date: 2017-10-24 + description: | + Multiple cross-site scripting (XSS) vulnerabilities in the mail_to + helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when + javascript encoding is used, allow remote attackers to inject + arbitrary web script or HTML via a crafted (1) name or (2) email value. + cvss_v2: 4.3 + patched_versions: + - "~> 2.3.11" + - ">= 3.0.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-0446 + - https://groups.google.com/g/rubyonrails-security/c/8CpI7egxX4E/m/SmtqtyOKWzYJ + - https://github.com/advisories/GHSA-75w6-p6mg-vh8j + - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html + - http://www.debian.org/security/2011/dsa-2247 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666 + - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1025064 + - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/46291 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-0447.md b/advisories/_posts/2017-10-24-CVE-2011-0447.md index 22018235..9096cd21 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-0447.md +++ b/advisories/_posts/2017-10-24-CVE-2011-0447.md 
@@ -1,45 +1,45 @@ ---- -layout: advisory -title: 'CVE-2011-0447 (actionpack): CSRF Protection Bypass in Ruby on Rails' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2011-0447 - ghsa: 24fg-p96v-hxh8 - url: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails - title: CSRF Protection Bypass in Ruby on Rails - date: 2017-10-24 - description: | - Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and - 3.x before 3.0.4, does not properly validate HTTP requests that - contain an X-Requested-With header, which makes it easier for - remote attackers to conduct cross-site request forgery (CSRF) - attacks via forged (1) AJAX or (2) API requests that leverage - "combinations of browser plugins and HTTP redirects," - a related issue to CVE-2011-0696. - cvss_v2: 6.8 - unaffected_versions: - - "< 2.1.0" - patched_versions: - - "~> 2.3.11" - - ">= 3.0.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-0447 - - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails - - https://groups.google.com/g/rubyonrails-security/c/LZWjzCPgNmU/m/HBgNjGahLsIJ - - https://github.com/advisories/GHSA-24fg-p96v-hxh8 - - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html - - https://bugzilla.redhat.com/show_bug.cgi?id=677631 - - http://www.debian.org/security/2011/dsa-2247 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666 - - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/46291 - - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1025060 ---- +--- +layout: advisory +title: 'CVE-2011-0447 (actionpack): 
CSRF Protection Bypass in Ruby on Rails' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2011-0447 + ghsa: 24fg-p96v-hxh8 + url: http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails + title: CSRF Protection Bypass in Ruby on Rails + date: 2017-10-24 + description: | + Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and + 3.x before 3.0.4, does not properly validate HTTP requests that + contain an X-Requested-With header, which makes it easier for + remote attackers to conduct cross-site request forgery (CSRF) + attacks via forged (1) AJAX or (2) API requests that leverage + "combinations of browser plugins and HTTP redirects," + a related issue to CVE-2011-0696. + cvss_v2: 6.8 + unaffected_versions: + - "< 2.1.0" + patched_versions: + - "~> 2.3.11" + - ">= 3.0.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-0447 + - http://weblog.rubyonrails.org/2011/2/8/csrf-protection-bypass-in-ruby-on-rails + - https://groups.google.com/g/rubyonrails-security/c/LZWjzCPgNmU/m/HBgNjGahLsIJ + - https://github.com/advisories/GHSA-24fg-p96v-hxh8 + - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055074.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-March/055088.html + - https://bugzilla.redhat.com/show_bug.cgi?id=677631 + - http://www.debian.org/security/2011/dsa-2247 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43274 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43666 + - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/46291 + - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1025060 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-0448.md b/advisories/_posts/2017-10-24-CVE-2011-0448.md index b833860f..667953ec 100644 
--- a/advisories/_posts/2017-10-24-CVE-2011-0448.md +++ b/advisories/_posts/2017-10-24-CVE-2011-0448.md 
@@ -1,36 +1,36 @@ ---- -layout: advisory -title: 'CVE-2011-0448 (activerecord): Potential SQL Injection with limit in rails/activerecord' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2011-0448 - ghsa: jmm9-2p29-vh2w - url: http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 - title: Potential SQL Injection with limit in rails/activerecord - date: 2017-10-24 - description: | - Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to - the limit function specify integer values, which makes it easier - for remote attackers to conduct SQL injection attacks via a - non-numeric argument. - cvss_v2: 7.5 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - "~> 2.3.11" - - "> 3.0.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-0448 - - http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 - - https://groups.google.com/g/rubyonrails-security/c/tliQLPa_Tu0/m/rUCt9kyGGU4J - - https://github.com/advisories/GHSA-jmm9-2p29-vh2w - - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43278 - - https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1025063 ---- +--- +layout: advisory +title: 'CVE-2011-0448 (activerecord): Potential SQL Injection with limit in rails/activerecord' +comments: false +categories: +- activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2011-0448 + ghsa: jmm9-2p29-vh2w + url: http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 + title: Potential SQL Injection with limit in rails/activerecord + date: 2017-10-24 + description: | + Ruby on Rails 3.0.x before 3.0.4 does not ensure that arguments to + the limit function specify integer values, which makes it easier + for remote attackers to conduct SQL injection attacks via a + non-numeric argument. 
+ cvss_v2: 7.5 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - "~> 2.3.11" + - "> 3.0.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-0448 + - http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 + - https://groups.google.com/g/rubyonrails-security/c/tliQLPa_Tu0/m/rUCt9kyGGU4J + - https://github.com/advisories/GHSA-jmm9-2p29-vh2w + - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43278 + - https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1025063 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-0449.md b/advisories/_posts/2017-10-24-CVE-2011-0449.md index 8b87ed39..dfe0d66e 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-0449.md +++ b/advisories/_posts/2017-10-24-CVE-2011-0449.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2011-0449 (actionpack): Filter Problems on Case-Insensitive Filesystems - in rails/actionpack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2011-0449 - ghsa: 4ww3-3rxj-8v6q - url: http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 - title: Filter Problems on Case-Insensitive Filesystems in rails/actionpack - date: 2017-10-24 - description: | - actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x - before 3.0.4, when a case-insensitive filesystem is used, does not - properly implement filters associated with the list of available - templates, which allows remote attackers to bypass intended access - restrictions via an action name that uses an unintended case for - alphabetic characters. - cvss_v2: 7.5 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - ">= 3.0.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-0449 - - http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 - - https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b - - https://groups.google.com/g/rubyonrails-security/c/Ni8fvBdhszY/m/T1vfhC5bNAQJ - - https://github.com/advisories/GHSA-4ww3-3rxj-8v6q - - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html - - https://bugzilla.redhat.com/show_bug.cgi?id=679351 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43278 - - https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1025061 ---- +--- +layout: advisory +title: 'CVE-2011-0449 (actionpack): Filter Problems on Case-Insensitive Filesystems + in rails/actionpack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2011-0449 + ghsa: 4ww3-3rxj-8v6q + url: http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 + title: Filter Problems on 
Case-Insensitive Filesystems in rails/actionpack + date: 2017-10-24 + description: | + actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x + before 3.0.4, when a case-insensitive filesystem is used, does not + properly implement filters associated with the list of available + templates, which allows remote attackers to bypass intended access + restrictions via an action name that uses an unintended case for + alphabetic characters. + cvss_v2: 7.5 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - ">= 3.0.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-0449 + - http://weblog.rubyonrails.org/2011/2/8/new-releases-2-3-11-and-3-0-4 + - https://github.com/rails/rails/commit/6f80224057803f85b3f448936aae89e742452c3b + - https://groups.google.com/g/rubyonrails-security/c/Ni8fvBdhszY/m/T1vfhC5bNAQJ + - https://github.com/advisories/GHSA-4ww3-3rxj-8v6q + - http://lists.fedoraproject.org/pipermail/package-announce/2011-April/057650.html + - https://bugzilla.redhat.com/show_bug.cgi?id=679351 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/43278 + - https://web.archive.org/web/20201208053819/http://securitytracker.com/id?1025061 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-2197.md b/advisories/_posts/2017-10-24-CVE-2011-2197.md index 9384d329..03823e42 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-2197.md +++ b/advisories/_posts/2017-10-24-CVE-2011-2197.md 
@@ -1,41 +1,41 @@ ---- -layout: advisory -title: 'CVE-2011-2197 (activesupport): Potential XSS Vulnerability in Ruby on Rails - Applications' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2011-2197 - ghsa: v9v4-7jp6-8c73 - url: http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications - title: Potential XSS Vulnerability in Ruby on Rails Applications - date: 2017-10-24 - description: | - The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x - before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does - not properly handle mutation of safe buffers, which makes it easier - for remote attackers to conduct XSS attacks via crafted strings to an - application that uses a problematic string method, as demonstrated - by the sub method. - cvss_v2: 4.3 - patched_versions: - - "~> 2.3.12" - - ">= 3.0.8" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-2197 - - http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications - - https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd - - https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da - - https://groups.google.com/g/rubyonrails-security/c/LlFuesyWxPs/m/1OBxRA1gO2YJ - - https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f - - https://github.com/advisories/GHSA-v9v4-7jp6-8c73 - - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html - - http://openwall.com/lists/oss-security/2011/06/09/2 - - http://openwall.com/lists/oss-security/2011/06/13/9 ---- +--- +layout: advisory +title: 'CVE-2011-2197 (activesupport): Potential XSS Vulnerability in Ruby on Rails + Applications' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2011-2197 + 
ghsa: v9v4-7jp6-8c73 + url: http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications + title: Potential XSS Vulnerability in Ruby on Rails Applications + date: 2017-10-24 + description: | + The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x + before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does + not properly handle mutation of safe buffers, which makes it easier + for remote attackers to conduct XSS attacks via crafted strings to an + application that uses a problematic string method, as demonstrated + by the sub method. + cvss_v2: 4.3 + patched_versions: + - "~> 2.3.12" + - ">= 3.0.8" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-2197 + - http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications + - https://github.com/rails/rails/commit/53a2c0baf2b128dd4808eca313256f6f4bb8c4cd + - https://github.com/rails/rails/commit/ed3796434af6069ced6a641293cf88eef3b284da + - https://groups.google.com/g/rubyonrails-security/c/LlFuesyWxPs/m/1OBxRA1gO2YJ + - https://gist.github.com/NZKoz/b2ceb626fc2bcdfe497f + - https://github.com/advisories/GHSA-v9v4-7jp6-8c73 + - http://lists.fedoraproject.org/pipermail/package-announce/2011-July/062514.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-June/062090.html + - http://openwall.com/lists/oss-security/2011/06/09/2 + - http://openwall.com/lists/oss-security/2011/06/13/9 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-2929.md b/advisories/_posts/2017-10-24-CVE-2011-2929.md index a46d8bee..ee02dd75 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-2929.md +++ b/advisories/_posts/2017-10-24-CVE-2011-2929.md 
@@ -1,47 +1,47 @@ ---- -layout: advisory -title: 'CVE-2011-2929 (actionpack): Filter Skipping Vulnerability in Ruby on Rails - 3.0/actionpack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2011-2929 - ghsa: r7q2-5gqg-6c7q - url: https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - title: Filter Skipping Vulnerability in Ruby on Rails 3.0/actionpack - date: 2017-10-24 - description: | - The template selection functionality in - actionpack/lib/action_view/template/resolver.rb in Ruby on Rails - 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly - handle glob characters, which allows remote attackers to render - arbitrary views via a crafted URL, related to a - "filter skipping vulnerability." - cvss_v2: 5.0 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - "~> 3.0.10" - - "~> 3.1.0.rc6" - - ">= 3.1.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-2929 - - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - - https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 - - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY/m/Ya9-T266u8sJ - - https://bugzilla.redhat.com/show_bug.cgi?id=731432 - - https://github.com/advisories/GHSA-r7q2-5gqg-6c7q - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html - - http://www.openwall.com/lists/oss-security/2011/08/17/1 - - http://www.openwall.com/lists/oss-security/2011/08/19/11 - - http://www.openwall.com/lists/oss-security/2011/08/20/1 - - http://www.openwall.com/lists/oss-security/2011/08/22/13 - - http://www.openwall.com/lists/oss-security/2011/08/22/14 - - http://www.openwall.com/lists/oss-security/2011/08/22/5 ---- +--- +layout: advisory +title: 'CVE-2011-2929 (actionpack): Filter Skipping Vulnerability in Ruby on Rails + 3.0/actionpack' +comments: false 
+categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2011-2929 + ghsa: r7q2-5gqg-6c7q + url: https://rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + title: Filter Skipping Vulnerability in Ruby on Rails 3.0/actionpack + date: 2017-10-24 + description: | + The template selection functionality in + actionpack/lib/action_view/template/resolver.rb in Ruby on Rails + 3.0.x before 3.0.10 and 3.1.x before 3.1.0.rc6 does not properly + handle glob characters, which allows remote attackers to render + arbitrary views via a crafted URL, related to a + "filter skipping vulnerability." + cvss_v2: 5.0 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - "~> 3.0.10" + - "~> 3.1.0.rc6" + - ">= 3.1.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-2929 + - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + - https://github.com/rails/rails/commit/5f94b93279f6d0682fafb237c301302c107a9552 + - https://groups.google.com/g/rubyonrails-security/c/NCCsca7TEtY/m/Ya9-T266u8sJ + - https://bugzilla.redhat.com/show_bug.cgi?id=731432 + - https://github.com/advisories/GHSA-r7q2-5gqg-6c7q + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html + - http://www.openwall.com/lists/oss-security/2011/08/17/1 + - http://www.openwall.com/lists/oss-security/2011/08/19/11 + - http://www.openwall.com/lists/oss-security/2011/08/20/1 + - http://www.openwall.com/lists/oss-security/2011/08/22/13 + - http://www.openwall.com/lists/oss-security/2011/08/22/14 + - http://www.openwall.com/lists/oss-security/2011/08/22/5 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-2930.md b/advisories/_posts/2017-10-24-CVE-2011-2930.md index 4268137e..699cd3ac 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-2930.md +++ b/advisories/_posts/2017-10-24-CVE-2011-2930.md 
@@ -1,45 +1,45 @@ ---- -layout: advisory -title: 'CVE-2011-2930 (activerecord): SQL Injection Vulnerability in quote_table_name - in rails/activerecord' -comments: false -categories: -- activerecord -- rails -advisory: - gem: activerecord - framework: rails - cve: 2011-2930 - ghsa: h6w6-xmqv-7q78 - url: http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - title: SQL Injection Vulnerability in quote_table_name in rails/activerecord - date: 2017-10-24 - description: | - Multiple SQL injection vulnerabilities in the - quote_table_name method in the ActiveRecord adapters in - activerecord/lib/active_record/connection_adapters in Ruby on Rails - before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow - remote attackers to execute arbitrary SQL commands via a crafted column name. - cvss_v2: 7.5 - patched_versions: - - "~> 2.3.13" - - "~> 3.0.10" - - "~> 3.1.0.rc5" - - ">= 3.1.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-2930 - - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - - https://groups.google.com/g/rubyonrails-security/c/ah5HN0S8OJs/m/MN35sDZdqLEJ - - https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 - - https://github.com/advisories/GHSA-h6w6-xmqv-7q78 - - https://bugzilla.redhat.com/show_bug.cgi?id=731438 - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html - - http://www.debian.org/security/2011/dsa-2301 - - http://www.openwall.com/lists/oss-security/2011/08/17/1 - - http://www.openwall.com/lists/oss-security/2011/08/19/11 - - http://www.openwall.com/lists/oss-security/2011/08/20/1 - - http://www.openwall.com/lists/oss-security/2011/08/22/13 - - http://www.openwall.com/lists/oss-security/2011/08/22/14 - - http://www.openwall.com/lists/oss-security/2011/08/22/5 ---- +--- +layout: advisory +title: 'CVE-2011-2930 (activerecord): SQL Injection Vulnerability in quote_table_name + in rails/activerecord' +comments: false +categories: +- 
activerecord +- rails +advisory: + gem: activerecord + framework: rails + cve: 2011-2930 + ghsa: h6w6-xmqv-7q78 + url: http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + title: SQL Injection Vulnerability in quote_table_name in rails/activerecord + date: 2017-10-24 + description: | + Multiple SQL injection vulnerabilities in the + quote_table_name method in the ActiveRecord adapters in + activerecord/lib/active_record/connection_adapters in Ruby on Rails + before 2.3.13, 3.0.x before 3.0.10, and 3.1.x before 3.1.0.rc5 allow + remote attackers to execute arbitrary SQL commands via a crafted column name. + cvss_v2: 7.5 + patched_versions: + - "~> 2.3.13" + - "~> 3.0.10" + - "~> 3.1.0.rc5" + - ">= 3.1.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-2930 + - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + - https://groups.google.com/g/rubyonrails-security/c/ah5HN0S8OJs/m/MN35sDZdqLEJ + - https://github.com/rails/rails/commit/8a39f411dc3c806422785b1f4d5c7c9d58e4bf85 + - https://github.com/advisories/GHSA-h6w6-xmqv-7q78 + - https://bugzilla.redhat.com/show_bug.cgi?id=731438 + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html + - http://www.debian.org/security/2011/dsa-2301 + - http://www.openwall.com/lists/oss-security/2011/08/17/1 + - http://www.openwall.com/lists/oss-security/2011/08/19/11 + - http://www.openwall.com/lists/oss-security/2011/08/20/1 + - http://www.openwall.com/lists/oss-security/2011/08/22/13 + - http://www.openwall.com/lists/oss-security/2011/08/22/14 + - http://www.openwall.com/lists/oss-security/2011/08/22/5 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-2931.md b/advisories/_posts/2017-10-24-CVE-2011-2931.md index 2ee20b81..8ff31483 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-2931.md +++ b/advisories/_posts/2017-10-24-CVE-2011-2931.md 
@@ -1,48 +1,48 @@ ---- -layout: advisory -title: 'CVE-2011-2931 (actionpack): XSS Vulnerability in strip_tags helper in rails/actionpack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2011-2931 - ghsa: v5jg-558j-q67c - url: http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - title: XSS Vulnerability in strip_tags helper in rails/actionpack - date: 2017-10-24 - description: | - Cross-site scripting (XSS) vulnerability in the strip_tags helper - in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb - in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x - before 3.1.0.rc5 allows remote attackers to inject arbitrary web - script or HTML via a tag with an invalid name. - cvss_v2: 4.3 - unaffected_versions: - - "< 2.0.0" - - "< 3.0.0" - patched_versions: - - "~> 2.3.13" - - ">= 3.0.10" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-2931 - - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - - https://groups.google.com/g/rubyonrails-security/c/K5EwdJt06hI - - https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a - - https://bugzilla.redhat.com/show_bug.cgi?id=731436 - - https://github.com/advisories/GHSA-v5jg-558j-q67c - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html - - http://www.debian.org/security/2011/dsa-2301 - - http://www.openwall.com/lists/oss-security/2011/08/17/1 - - http://www.openwall.com/lists/oss-security/2011/08/19/11 - - http://www.openwall.com/lists/oss-security/2011/08/20/1 - - http://www.openwall.com/lists/oss-security/2011/08/22/13 - - http://www.openwall.com/lists/oss-security/2011/08/22/14 - - http://www.openwall.com/lists/oss-security/2011/08/22/5 - - 
https://web.archive.org/web/20111225083933/http://secunia.com/advisories/45921 ---- +--- +layout: advisory +title: 'CVE-2011-2931 (actionpack): XSS Vulnerability in strip_tags helper in rails/actionpack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2011-2931 + ghsa: v5jg-558j-q67c + url: http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + title: XSS Vulnerability in strip_tags helper in rails/actionpack + date: 2017-10-24 + description: | + Cross-site scripting (XSS) vulnerability in the strip_tags helper + in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb + in Ruby on Rails before 2.3.13, 3.0.x before 3.0.10, and 3.1.x + before 3.1.0.rc5 allows remote attackers to inject arbitrary web + script or HTML via a tag with an invalid name. + cvss_v2: 4.3 + unaffected_versions: + - "< 2.0.0" + - "< 3.0.0" + patched_versions: + - "~> 2.3.13" + - ">= 3.0.10" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-2931 + - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + - https://groups.google.com/g/rubyonrails-security/c/K5EwdJt06hI + - https://github.com/rails/rails/commit/586a944ddd4d03e66dea1093306147594748037a + - https://bugzilla.redhat.com/show_bug.cgi?id=731436 + - https://github.com/advisories/GHSA-v5jg-558j-q67c + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065109.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065137.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html + - http://www.debian.org/security/2011/dsa-2301 + - http://www.openwall.com/lists/oss-security/2011/08/17/1 + - http://www.openwall.com/lists/oss-security/2011/08/19/11 + - http://www.openwall.com/lists/oss-security/2011/08/20/1 + - http://www.openwall.com/lists/oss-security/2011/08/22/13 + - http://www.openwall.com/lists/oss-security/2011/08/22/14 + - 
http://www.openwall.com/lists/oss-security/2011/08/22/5 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/45921 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-2932.md b/advisories/_posts/2017-10-24-CVE-2011-2932.md index a7a58e18..e323e677 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-2932.md +++ b/advisories/_posts/2017-10-24-CVE-2011-2932.md 
@@ -1,47 +1,47 @@ ---- -layout: advisory -title: 'CVE-2011-2932 (activesupport): UTF-8 escaping vulnerability in rails/activesupport' -comments: false -categories: -- activesupport -- rails -advisory: - gem: activesupport - framework: rails - cve: 2011-2932 - ghsa: 9fh3-vh3h-q4g3 - url: http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - title: UTF-8 escaping vulnerability in rails/activesupport - date: 2017-10-24 - description: | - Cross-site scripting (XSS) vulnerability in - activesupport/lib/active_support/core_ext/string/output_safety.rb - in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and - 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary - web script or HTML via a malformed Unicode string, related to - a "UTF-8 escaping vulnerability." - cvss_v2: 4.3 - patched_versions: - - "~> 2.3.13" - - "~> 3.0.10" - - "~> 3.1.0.rc5" - - ">= 3.1.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-2932 - - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 - - https://groups.google.com/g/rubyonrails-security/c/Vr_7WSOrEZU/m/IZ_bc5d00vEJ - - https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd - - https://bugzilla.redhat.com/show_bug.cgi?id=731435 - - https://github.com/advisories/GHSA-9fh3-vh3h-q4g3 - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html - - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html - - http://www.openwall.com/lists/oss-security/2011/08/17/1 - - http://www.openwall.com/lists/oss-security/2011/08/19/11 - - http://www.openwall.com/lists/oss-security/2011/08/20/1 - - http://www.openwall.com/lists/oss-security/2011/08/22/13 - - http://www.openwall.com/lists/oss-security/2011/08/22/14 - - http://www.openwall.com/lists/oss-security/2011/08/22/5 - - 
https://web.archive.org/web/20111225083933/http://secunia.com/advisories/45917 ---- +--- +layout: advisory +title: 'CVE-2011-2932 (activesupport): UTF-8 escaping vulnerability in rails/activesupport' +comments: false +categories: +- activesupport +- rails +advisory: + gem: activesupport + framework: rails + cve: 2011-2932 + ghsa: 9fh3-vh3h-q4g3 + url: http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + title: UTF-8 escaping vulnerability in rails/activesupport + date: 2017-10-24 + description: | + Cross-site scripting (XSS) vulnerability in + activesupport/lib/active_support/core_ext/string/output_safety.rb + in Ruby on Rails 2.x before 2.3.13, 3.0.x before 3.0.10, and + 3.1.x before 3.1.0.rc5 allows remote attackers to inject arbitrary + web script or HTML via a malformed Unicode string, related to + a "UTF-8 escaping vulnerability." + cvss_v2: 4.3 + patched_versions: + - "~> 2.3.13" + - "~> 3.0.10" + - "~> 3.1.0.rc5" + - ">= 3.1.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-2932 + - http://weblog.rubyonrails.org/2011/8/16/ann-rails-3-1-0-rc6 + - https://groups.google.com/g/rubyonrails-security/c/Vr_7WSOrEZU/m/IZ_bc5d00vEJ + - https://github.com/rails/rails/commit/bfc432574d0b141fd7fe759edfe9b6771dd306bd + - https://bugzilla.redhat.com/show_bug.cgi?id=731435 + - https://github.com/advisories/GHSA-9fh3-vh3h-q4g3 + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065114.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065189.html + - http://lists.fedoraproject.org/pipermail/package-announce/2011-September/065212.html + - http://www.openwall.com/lists/oss-security/2011/08/17/1 + - http://www.openwall.com/lists/oss-security/2011/08/19/11 + - http://www.openwall.com/lists/oss-security/2011/08/20/1 + - http://www.openwall.com/lists/oss-security/2011/08/22/13 + - http://www.openwall.com/lists/oss-security/2011/08/22/14 + - http://www.openwall.com/lists/oss-security/2011/08/22/5 + - 
https://web.archive.org/web/20111225083933/http://secunia.com/advisories/45917 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-3187.md b/advisories/_posts/2017-10-24-CVE-2011-3187.md index 181657f8..beb3a834 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-3187.md +++ b/advisories/_posts/2017-10-24-CVE-2011-3187.md 
@@ -1,41 +1,41 @@ ---- -layout: advisory -title: 'CVE-2011-3187 (actionpack): Ruby on rails 3.0.5 Remote_IP.rb Input Validation - in rails/actionpack' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2011-3187 - ghsa: 3vfw-7rcp-3xgm - url: http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html - title: Ruby on rails 3.0.5 Remote_IP.rb Input Validation in rails/actionpack - date: 2017-10-24 - description: | - The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb - in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header - in requests from IP addresses on a Class C network, which might allow - remote attackers to inject arbitrary text into log files or bypass - intended address parsing via a crafted header. - cvss_v2: 4.3 - unaffected_versions: - - "< 2.3.0" - patched_versions: - - ">= 2.3.13" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-3187 - - http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html - - https://github.com/advisories/GHSA-3vfw-7rcp-3xgm - - https://www.rapid7.com/db/vulnerabilities/ruby_on_rails-cve-2011-3187 - - http://www.openwall.com/lists/oss-security/2011/08/17/1 - - http://www.openwall.com/lists/oss-security/2011/08/19/11 - - http://www.openwall.com/lists/oss-security/2011/08/20/1 - - http://www.openwall.com/lists/oss-security/2011/08/22/13 - - http://www.openwall.com/lists/oss-security/2011/08/22/14 - - http://www.openwall.com/lists/oss-security/2011/08/22/5 - - https://web.archive.org/web/20111209181000/http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html ---- +--- +layout: advisory +title: 'CVE-2011-3187 (actionpack): Ruby on rails 3.0.5 Remote_IP.rb Input Validation + in rails/actionpack' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2011-3187 + ghsa: 3vfw-7rcp-3xgm + url: 
http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html + title: Ruby on rails 3.0.5 Remote_IP.rb Input Validation in rails/actionpack + date: 2017-10-24 + description: | + The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb + in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For header + in requests from IP addresses on a Class C network, which might allow + remote attackers to inject arbitrary text into log files or bypass + intended address parsing via a crafted header. + cvss_v2: 4.3 + unaffected_versions: + - "< 2.3.0" + patched_versions: + - ">= 2.3.13" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-3187 + - http://webservsec.blogspot.com/2011/02/ruby-on-rails-vulnerability.html + - https://github.com/advisories/GHSA-3vfw-7rcp-3xgm + - https://www.rapid7.com/db/vulnerabilities/ruby_on_rails-cve-2011-3187 + - http://www.openwall.com/lists/oss-security/2011/08/17/1 + - http://www.openwall.com/lists/oss-security/2011/08/19/11 + - http://www.openwall.com/lists/oss-security/2011/08/20/1 + - http://www.openwall.com/lists/oss-security/2011/08/22/13 + - http://www.openwall.com/lists/oss-security/2011/08/22/14 + - http://www.openwall.com/lists/oss-security/2011/08/22/5 + - https://web.archive.org/web/20111209181000/http://archives.neohapsis.com/archives/fulldisclosure/2011-02/0337.html +--- diff --git a/advisories/_posts/2017-10-24-CVE-2011-4319.md b/advisories/_posts/2017-10-24-CVE-2011-4319.md index 9381c5fb..83d6cb86 100644 --- a/advisories/_posts/2017-10-24-CVE-2011-4319.md +++ b/advisories/_posts/2017-10-24-CVE-2011-4319.md 
@@ -1,51 +1,51 @@ ---- -layout: advisory -title: 'CVE-2011-4319 (actionpack): Cross-site Scripting vulnerability in i18n translations - helper method' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2011-4319 - osvdb: 77199 - ghsa: xxr8-833v-c7wc - url: http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released - title: Cross-site Scripting vulnerability in i18n translations helper method - date: 2017-10-24 - description: | - A cross-site scripting (XSS) flaw was found in the way the 'translate' helper - method of the Ruby on Rails performed HTML escaping of interpolated user - input, when interpolation in combination with HTML-safe translations were - used. A remote attacker could use this flaw to execute arbitrary HTML or web - script by providing a specially-crafted input to Ruby on Rails application, - using the ActionPack module and its 'translate' helper method without explicit - (application specific) sanitization of user provided input. - - Cross-site scripting (XSS) vulnerability in the i18n translations helper - method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, - and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote - attackers to inject arbitrary web script or HTML via vectors related - to a translations string whose name ends with an "html" substring. 
- cvss_v2: 4.3 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - "~> 3.0.11" - - ">= 3.1.2" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2011-4319 - - http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released - - http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released - - https://groups.google.com/g/rubyonrails-security/c/K2HXD7c8fMU - - https://groups.google.com/g/rubyonrails-security/c/K2HXD7c8fMU/m/gt22xPskXMYJ - - https://github.com/advisories/GHSA-xxr8-833v-c7wc - - http://osvdb.org/77199 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/71364 - - http://openwall.com/lists/oss-security/2011/11/18/8 - - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/50722 - - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1026342 ---- +--- +layout: advisory +title: 'CVE-2011-4319 (actionpack): Cross-site Scripting vulnerability in i18n translations + helper method' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2011-4319 + osvdb: 77199 + ghsa: xxr8-833v-c7wc + url: http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released + title: Cross-site Scripting vulnerability in i18n translations helper method + date: 2017-10-24 + description: | + A cross-site scripting (XSS) flaw was found in the way the 'translate' helper + method of the Ruby on Rails performed HTML escaping of interpolated user + input, when interpolation in combination with HTML-safe translations were + used. A remote attacker could use this flaw to execute arbitrary HTML or web + script by providing a specially-crafted input to Ruby on Rails application, + using the ActionPack module and its 'translate' helper method without explicit + (application specific) sanitization of user provided input. 
+ + Cross-site scripting (XSS) vulnerability in the i18n translations helper + method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before 3.1.2, + and the rails_xss plugin in Ruby on Rails 2.3.x, allows remote + attackers to inject arbitrary web script or HTML via vectors related + to a translations string whose name ends with an "html" substring. + cvss_v2: 4.3 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - "~> 3.0.11" + - ">= 3.1.2" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2011-4319 + - http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released + - http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released + - https://groups.google.com/g/rubyonrails-security/c/K2HXD7c8fMU + - https://groups.google.com/g/rubyonrails-security/c/K2HXD7c8fMU/m/gt22xPskXMYJ + - https://github.com/advisories/GHSA-xxr8-833v-c7wc + - http://osvdb.org/77199 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/71364 + - http://openwall.com/lists/oss-security/2011/11/18/8 + - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/50722 + - https://web.archive.org/web/20201208053819/http://www.securitytracker.com/id?1026342 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2012-1989.md b/advisories/_posts/2017-10-24-CVE-2012-1989.md index 5b190523..215df469 100644 --- a/advisories/_posts/2017-10-24-CVE-2012-1989.md +++ b/advisories/_posts/2017-10-24-CVE-2012-1989.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2012-1989 (puppet): Arbitrary File Write Access in Puppet' -comments: false -categories: -- puppet -advisory: - gem: puppet - cve: 2012-1989 - ghsa: c5qq-g673-5p49 - url: https://www.puppet.com/security/cve/cve-2012-1989-arbitrary-file-write-access - title: Arbitrary File Write Access in Puppet - date: 2017-10-24 - description: | - telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise - (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users - to overwrite arbitrary files via a symlink attack on the - NET::Telnet connection log (/tmp/out.log). - cvss_v2: 3.6 - unaffected_versions: - - "< 2.7.1" - patched_versions: - - "~> 2.5.1" - - ">= 2.7.13" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2012-1989 - - https://www.puppet.com/security/cve/cve-2012-1989-arbitrary-file-write-access - - https://github.com/advisories/GHSA-c5qq-g673-5p49 - - https://exchange.xforce.ibmcloud.com/vulnerabilities/74797 - - https://security.gentoo.org/glsa/201208-02 - - http://ubuntu.com/usn/usn-1419-1 - - http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html - - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/52975 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/49136 - - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/48748 - - https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743 ---- +--- +layout: advisory +title: 'CVE-2012-1989 (puppet): Arbitrary File Write Access in Puppet' +comments: false +categories: +- puppet +advisory: + gem: puppet + cve: 2012-1989 + ghsa: c5qq-g673-5p49 + url: https://www.puppet.com/security/cve/cve-2012-1989-arbitrary-file-write-access + title: Arbitrary File Write Access in Puppet + date: 2017-10-24 + description: | + telnet.rb in Puppet 2.7.x before 2.7.13 and Puppet Enterprise + (PE) 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows local users + to overwrite 
arbitrary files via a symlink attack on the + NET::Telnet connection log (/tmp/out.log). + cvss_v2: 3.6 + unaffected_versions: + - "< 2.7.1" + patched_versions: + - "~> 2.5.1" + - ">= 2.7.13" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2012-1989 + - https://www.puppet.com/security/cve/cve-2012-1989-arbitrary-file-write-access + - https://github.com/advisories/GHSA-c5qq-g673-5p49 + - https://exchange.xforce.ibmcloud.com/vulnerabilities/74797 + - https://security.gentoo.org/glsa/201208-02 + - http://ubuntu.com/usn/usn-1419-1 + - http://lists.opensuse.org/opensuse-updates/2012-05/msg00012.html + - https://web.archive.org/web/20210121211512/http://www.securityfocus.com/bid/52975 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/49136 + - https://web.archive.org/web/20111225083933/http://secunia.com/advisories/48748 + - https://web.archive.org/web/20121025194938/http://secunia.com/advisories/48743 +--- diff --git a/advisories/_posts/2017-10-24-CVE-2012-2660.md b/advisories/_posts/2017-10-24-CVE-2012-2660.md index 2163ab44..38fedba7 100644 --- a/advisories/_posts/2017-10-24-CVE-2012-2660.md +++ b/advisories/_posts/2017-10-24-CVE-2012-2660.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2012-2660 (actionpack): Unsafe Query Generation Risk in Ruby on Rails' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2012-2660 - ghsa: hgpp-pp89-4fgf - url: https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ - title: Unsafe Query Generation Risk in Ruby on Rails - date: 2017-10-24 - description: | - actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails - before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not - properly consider differences in parameter handling between the - Active Record component and the Rack interface, which allows remote - attackers to bypass intended database-query restrictions and perform - NULL checks via a crafted request, as demonstrated by certain - "[nil]" values, a related issue to CVE-2012-2694. - cvss_v2: 6.4 - patched_versions: - - "~> 3.0.13" - - "~> 3.1.5" - - ">= 3.2.4" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2012-2660 - - https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ - - https://github.com/advisories/GHSA-hgpp-pp89-4fgf - - http://rhn.redhat.com/errata/RHSA-2013-0154.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html - - http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html ---- +--- +layout: advisory +title: 'CVE-2012-2660 (actionpack): Unsafe Query Generation Risk in Ruby on Rails' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2012-2660 + ghsa: hgpp-pp89-4fgf + url: https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ + title: Unsafe Query Generation Risk 
in Ruby on Rails + date: 2017-10-24 + description: | + actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails + before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not + properly consider differences in parameter handling between the + Active Record component and the Rack interface, which allows remote + attackers to bypass intended database-query restrictions and perform + NULL checks via a crafted request, as demonstrated by certain + "[nil]" values, a related issue to CVE-2012-2694. + cvss_v2: 6.4 + patched_versions: + - "~> 3.0.13" + - "~> 3.1.5" + - ">= 3.2.4" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2012-2660 + - https://groups.google.com/g/rubyonrails-security/c/8SA-M3as7A8/m/Mr9fi9X4kNgJ + - https://github.com/advisories/GHSA-hgpp-pp89-4fgf + - http://rhn.redhat.com/errata/RHSA-2013-0154.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html + - http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html +--- diff --git a/advisories/_posts/2017-10-24-CVE-2012-2694.md b/advisories/_posts/2017-10-24-CVE-2012-2694.md index 2b1fab04..db4c1453 100644 --- a/advisories/_posts/2017-10-24-CVE-2012-2694.md +++ b/advisories/_posts/2017-10-24-CVE-2012-2694.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2012-2694 (actionpack): Unsafe Query Generation Risk in Ruby on Rails' -comments: false -categories: -- actionpack -- rails -advisory: - gem: actionpack - framework: rails - cve: 2012-2694 - ghsa: q34c-48gc-m9g8 - url: https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ - title: Unsafe Query Generation Risk in Ruby on Rails - date: 2017-10-24 - description: | - actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails - before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not - properly consider differences in parameter handling between the - Active Record component and the Rack interface, which allows remote - attackers to bypass intended database-query restrictions and perform - NULL checks via a crafted request, as demonstrated by certain - "['xyz', nil]" values, a related issue to CVE-2012-2660. - cvss_v2: 4.3 - patched_versions: - - "~> 3.0.14" - - "~> 3.1.6" - - ">= 3.2.6" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2012-2694 - - https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ - - https://github.com/advisories/GHSA-q34c-48gc-m9g8 - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html - - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html - - http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html - - http://rhn.redhat.com/errata/RHSA-2013-0154.html ---- +--- +layout: advisory +title: 'CVE-2012-2694 (actionpack): Unsafe Query Generation Risk in Ruby on Rails' +comments: false +categories: +- actionpack +- rails +advisory: + gem: actionpack + framework: rails + cve: 2012-2694 + ghsa: q34c-48gc-m9g8 + url: https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ + title: Unsafe Query 
Generation Risk in Ruby on Rails + date: 2017-10-24 + description: | + actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails + before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not + properly consider differences in parameter handling between the + Active Record component and the Rack interface, which allows remote + attackers to bypass intended database-query restrictions and perform + NULL checks via a crafted request, as demonstrated by certain + "['xyz', nil]" values, a related issue to CVE-2012-2660. + cvss_v2: 4.3 + patched_versions: + - "~> 3.0.14" + - "~> 3.1.6" + - ">= 3.2.6" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2012-2694 + - https://groups.google.com/g/rubyonrails-security/c/jILZ34tAHF4/m/7x0hLH-o0-IJ + - https://github.com/advisories/GHSA-q34c-48gc-m9g8 + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html + - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00017.html + - http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html + - http://rhn.redhat.com/errata/RHSA-2013-0154.html +--- diff --git a/advisories/_posts/2017-10-24-CVE-2012-2695.md b/advisories/_posts/2017-10-24-CVE-2012-2695.md index e5445cd4..e3d10fa0 100644 --- a/advisories/_posts/2017-10-24-CVE-2012-2695.md +++ b/advisories/_posts/2017-10-24-CVE-2012-2695.md 
@@ -1,38 +1,38 @@
----
-layout: advisory
-title: 'CVE-2012-2695 (activerecord): SQL Injection Vulnerability in Ruby on Rails'
-comments: false
-categories:
-- activerecord
-- rails
-advisory:
- gem: activerecord
- framework: rails
- cve: 2012-2695
- ghsa: 76wq-xw4h-f8wj
- url: https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J
- title: SQL Injection Vulnerability in Ruby on Rails
- date: 2017-10-24
- description: |
- The Active Record component in Ruby on Rails before 3.0.14, 3.1.x
- before 3.1.6, and 3.2.x before 3.2.6 does not properly implement
- the passing of request data to a where method in an ActiveRecord
- class, which allows remote attackers to conduct certain SQL
- injection attacks via nested query parameters that leverage
- improper handling of nested hashes, a related issue to CVE-2012-2661.
- cvss_v2: 7.5
- patched_versions:
- - "~> 3.0.14"
- - "~> 3.1.6"
- - ">= 3.2.6"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2012-2695
- - https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J
- - https://github.com/advisories/GHSA-76wq-xw4h-f8wj
- - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html
- - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
- - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
- - http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
- - http://rhn.redhat.com/errata/RHSA-2013-0154.html
----
+---
+layout: advisory
+title: 'CVE-2012-2695 (activerecord): SQL Injection Vulnerability in Ruby on Rails'
+comments: false
+categories:
+- activerecord
+- rails
+advisory:
+ gem: activerecord
+ framework: rails
+ cve: 2012-2695
+ ghsa: 76wq-xw4h-f8wj
+ url: https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J
+ title: SQL Injection Vulnerability in Ruby on Rails
+ date: 2017-10-24
+ description: |
+ The Active Record component in Ruby on Rails before 3.0.14, 3.1.x
+ before 3.1.6, and 3.2.x before 3.2.6 does not properly implement
+ the passing of request data to a where method in an ActiveRecord
+ class, which allows remote attackers to conduct certain SQL
+ injection attacks via nested query parameters that leverage
+ improper handling of nested hashes, a related issue to CVE-2012-2661.
+ cvss_v2: 7.5
+ patched_versions:
+ - "~> 3.0.14"
+ - "~> 3.1.6"
+ - ">= 3.2.6"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-2695
+ - https://groups.google.com/g/rubyonrails-security/c/l4L0TEVAz1k/m/Vr84sD9B464J
+ - https://github.com/advisories/GHSA-76wq-xw4h-f8wj
+ - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html
+ - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html
+ - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html
+ - http://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html
+ - http://rhn.redhat.com/errata/RHSA-2013-0154.html
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2012-3408.md b/advisories/_posts/2017-10-24-CVE-2012-3408.md
index b16e0efa..be4e6725 100644
--- a/advisories/_posts/2017-10-24-CVE-2012-3408.md
+++ b/advisories/_posts/2017-10-24-CVE-2012-3408.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'CVE-2012-3408 (puppet): Agent Imprersonation in Puppet'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2012-3408
- ghsa: vxf6-w9mp-95hm
- url: https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation
- title: Agent Imprersonation in Puppet
- date: 2017-10-24
- description: |
- lib/puppet/network/authstore.rb in Puppet before 2.7.18, and
- Puppet Enterprise before 2.5.2, supports use of IP addresses in
- certnames without warning of potential risks, which might allow
- remote attackers to spoof an agent by acquiring a previously
- used IP address.
- cvss_v2: 2.6
- patched_versions:
- - ">= 2.7.18"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2012-3408
- - https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation
- - https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd
- - https://github.com/advisories/GHSA-vxf6-w9mp-95hm
- - https://bugzilla.redhat.com/show_bug.cgi?id=839166
----
+---
+layout: advisory
+title: 'CVE-2012-3408 (puppet): Agent Imprersonation in Puppet'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2012-3408
+ ghsa: vxf6-w9mp-95hm
+ url: https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation
+ title: Agent Imprersonation in Puppet
+ date: 2017-10-24
+ description: |
+ lib/puppet/network/authstore.rb in Puppet before 2.7.18, and
+ Puppet Enterprise before 2.5.2, supports use of IP addresses in
+ certnames without warning of potential risks, which might allow
+ remote attackers to spoof an agent by acquiring a previously
+ used IP address.
+ cvss_v2: 2.6
+ patched_versions:
+ - ">= 2.7.18"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-3408
+ - https://www.puppet.com/security/cve/cve-2012-3408-agent-impersonation
+ - https://github.com/puppetlabs/puppet/commit/ab9150baa1b738467a33b01df1d90e076253fbbd
+ - https://github.com/advisories/GHSA-vxf6-w9mp-95hm
+ - https://bugzilla.redhat.com/show_bug.cgi?id=839166
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2012-3865.md b/advisories/_posts/2017-10-24-CVE-2012-3865.md
index 3e3bb8e9..99ade029 100644
--- a/advisories/_posts/2017-10-24-CVE-2012-3865.md
+++ b/advisories/_posts/2017-10-24-CVE-2012-3865.md
@@ -1,35 +1,35 @@
----
-layout: advisory
-title: 'CVE-2012-3865 (puppet): Arbitrary file delete/D.O.S on Puppet Master'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2012-3865
- ghsa: g89m-3wjw-h857
- url: https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master
- title: Arbitrary file delete/D.O.S on Puppet Master
- date: 2017-10-24
- description: |
- Directory traversal vulnerability in lib/puppet/reports/store.rb
- in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet
- Enterprise before 2.5.2, when Delete is enabled in auth.conf,
- allows remote authenticated users to delete arbitrary files on
- the puppet master server via a .. (dot dot) in a node name.
- cvss_v2: 3.5
- patched_versions:
- - "~> 2.6.17"
- - ">= 2.7.18"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2012-3865
- - https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master
- - https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f
- - https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6
- - https://github.com/advisories/GHSA-g89m-3wjw-h857
- - https://bugzilla.redhat.com/show_bug.cgi?id=839131
- - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
- - http://www.debian.org/security/2012/dsa-2511
- - http://www.ubuntu.com/usn/USN-1506-1
----
+---
+layout: advisory
+title: 'CVE-2012-3865 (puppet): Arbitrary file delete/D.O.S on Puppet Master'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2012-3865
+ ghsa: g89m-3wjw-h857
+ url: https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master
+ title: Arbitrary file delete/D.O.S on Puppet Master
+ date: 2017-10-24
+ description: |
+ Directory traversal vulnerability in lib/puppet/reports/store.rb
+ in Puppet before 2.6.17 and 2.7.x before 2.7.18, and Puppet
+ Enterprise before 2.5.2, when Delete is enabled in auth.conf,
+ allows remote authenticated users to delete arbitrary files on
+ the puppet master server via a .. (dot dot) in a node name.
+ cvss_v2: 3.5
+ patched_versions:
+ - "~> 2.6.17"
+ - ">= 2.7.18"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-3865
+ - https://www.puppet.com/security/cve/overview-cve-2012-3865-arbitrary-file-delete/dos-puppet-master
+ - https://github.com/puppetlabs/puppet/commit/554eefc55f57ed2b76e5ee04d8f194d36f6ee67f
+ - https://github.com/puppetlabs/puppet/commit/d80478208d79a3e6d6cb1fbc525e24817fe8c4c6
+ - https://github.com/advisories/GHSA-g89m-3wjw-h857
+ - https://bugzilla.redhat.com/show_bug.cgi?id=839131
+ - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
+ - http://www.debian.org/security/2012/dsa-2511
+ - http://www.ubuntu.com/usn/USN-1506-1
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2012-3866.md b/advisories/_posts/2017-10-24-CVE-2012-3866.md
index edd2ac58..05d0713e 100644
--- a/advisories/_posts/2017-10-24-CVE-2012-3866.md
+++ b/advisories/_posts/2017-10-24-CVE-2012-3866.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'CVE-2012-3866 (puppet): last_run_report.yaml is world readable'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2012-3866
- ghsa: 8jxj-9r5f-w3m2
- url: https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable
- title: last_run_report.yaml is world readable
- date: 2017-10-24
- description: |
- lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet
- Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml,
- which allows local users to obtain sensitive configuration information
- by leveraging access to the puppet master server to read this file.
- unaffected_versions:
- - "< 2.7.0"
- patched_versions:
- - ">= 2.7.18"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2012-3866
- - https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable
- - https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f
- - https://github.com/advisories/GHSA-8jxj-9r5f-w3m2
- - https://bugzilla.redhat.com/show_bug.cgi?id=839135
- - http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
- - http://www.debian.org/security/2012/dsa-2511
- - http://www.ubuntu.com/usn/USN-1506-1
----
+---
+layout: advisory
+title: 'CVE-2012-3866 (puppet): last_run_report.yaml is world readable'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2012-3866
+ ghsa: 8jxj-9r5f-w3m2
+ url: https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable
+ title: last_run_report.yaml is world readable
+ date: 2017-10-24
+ description: |
+ lib/puppet/defaults.rb in Puppet 2.7.x before 2.7.18, and Puppet
+ Enterprise before 2.5.2, uses 0644 permissions for last_run_report.yaml,
+ which allows local users to obtain sensitive configuration information
+ by leveraging access to the puppet master server to read this file.
+ unaffected_versions:
+ - "< 2.7.0"
+ patched_versions:
+ - ">= 2.7.18"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-3866
+ - https://www.puppet.com/security/cve/cve-2012-3866-lastrunreportyaml-world-readable
+ - https://github.com/puppetlabs/puppet/commit/fd44bf5e6d0d360f6a493d663b653c121fa83c3f
+ - https://github.com/advisories/GHSA-8jxj-9r5f-w3m2
+ - https://bugzilla.redhat.com/show_bug.cgi?id=839135
+ - http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
+ - http://www.debian.org/security/2012/dsa-2511
+ - http://www.ubuntu.com/usn/USN-1506-1
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2012-3867.md b/advisories/_posts/2017-10-24-CVE-2012-3867.md
index 6fecc12f..666b45ce 100644
--- a/advisories/_posts/2017-10-24-CVE-2012-3867.md
+++ b/advisories/_posts/2017-10-24-CVE-2012-3867.md
@@ -1,37 +1,37 @@
----
-layout: advisory
-title: 'CVE-2012-3867 (puppet): Insufficient input validation'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2012-3867
- ghsa: q44r-f2hm-v76v
- url: https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation
- title: Insufficient input validation
- date: 2017-10-24
- description: |
- lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and
- 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not
- properly restrict the characters in the Common Name field of a
- Certificate Signing Request (CSR), which makes it easier for
- user-assisted remote attackers to trick administrators into
- signing a crafted agent certificate via ANSI control sequences.
- cvss_v2: 4.3
- patched_versions:
- - "~> 2.6.17"
- - ">= 2.7.18"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2012-3867
- - https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation
- - https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640
- - https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50
- - https://github.com/advisories/GHSA-q44r-f2hm-v76v
- - https://bugzilla.redhat.com/show_bug.cgi?id=839158
- - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
- - http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
- - http://www.debian.org/security/2012/dsa-2511
- - http://www.ubuntu.com/usn/USN-1506-1
----
+---
+layout: advisory
+title: 'CVE-2012-3867 (puppet): Insufficient input validation'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2012-3867
+ ghsa: q44r-f2hm-v76v
+ url: https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation
+ title: Insufficient input validation
+ date: 2017-10-24
+ description: |
+ lib/puppet/ssl/certificate_authority.rb in Puppet before 2.6.17 and
+ 2.7.x before 2.7.18, and Puppet Enterprise before 2.5.2, does not
+ properly restrict the characters in the Common Name field of a
+ Certificate Signing Request (CSR), which makes it easier for
+ user-assisted remote attackers to trick administrators into
+ signing a crafted agent certificate via ANSI control sequences.
+ cvss_v2: 4.3
+ patched_versions:
+ - "~> 2.6.17"
+ - ">= 2.7.18"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-3867
+ - https://www.puppet.com/security/cve/cve-2012-3867-insufficient-input-validation
+ - https://github.com/puppetlabs/puppet/commit/dfedaa5fa841ccf335245a748b347b7c7c236640
+ - https://github.com/puppetlabs/puppet/commit/f3419620b42080dad3b0be14470b20a972f13c50
+ - https://github.com/advisories/GHSA-q44r-f2hm-v76v
+ - https://bugzilla.redhat.com/show_bug.cgi?id=839158
+ - http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00006.html
+ - http://lists.opensuse.org/opensuse-updates/2012-07/msg00036.html
+ - http://www.debian.org/security/2012/dsa-2511
+ - http://www.ubuntu.com/usn/USN-1506-1
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2012-6662.md b/advisories/_posts/2017-10-24-CVE-2012-6662.md
index a0d94223..a1e5e65b 100644
--- a/advisories/_posts/2017-10-24-CVE-2012-6662.md
+++ b/advisories/_posts/2017-10-24-CVE-2012-6662.md
@@ -1,40 +1,40 @@
----
-layout: advisory
-title: 'CVE-2012-6662 (jquery-ui-rails): Moderate severity vulnerability that affects
- jquery-ui'
-comments: false
-categories:
-- jquery-ui-rails
-advisory:
- gem: jquery-ui-rails
- cve: 2012-6662
- ghsa: qqxp-xp9v-vvx6
- url: https://nvd.nist.gov/vuln/detail/CVE-2012-6662
- title: Moderate severity vulnerability that affects jquery-ui
- date: 2017-10-24
- description: |
- Cross-site scripting (XSS) vulnerability in the default content option
- in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before
- 1.10.0 allows remote attackers to inject arbitrary web script or
- HTML via the title attribute, which is not properly handled in the
- autocomplete combo box demo.
- cvss_v2: 4.3
- patched_versions:
- - ">= 4.0.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2012-6662
- - https://github.com/jquery-ui-rails/jquery-ui-rails/commit/61a8e3f50796118e9f49fbd224b67d4065b40c50
- - https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
- - https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e
- - http://bugs.jqueryui.com/ticket/8859
- - http://bugs.jqueryui.com/ticket/8861
- - https://github.com/jquery/jquery/issues/2432
- - https://exchange.xforce.ibmcloud.com/vulnerabilities/98697
- - http://rhn.redhat.com/errata/RHSA-2015-0442.html
- - http://rhn.redhat.com/errata/RHSA-2015-1462.html
- - http://seclists.org/oss-sec/2014/q4/613
- - http://seclists.org/oss-sec/2014/q4/616
- - http://www.securityfocus.com/bid/71107
- - https://github.com/advisories/GHSA-qqxp-xp9v-vvx6
----
+---
+layout: advisory
+title: 'CVE-2012-6662 (jquery-ui-rails): Moderate severity vulnerability that affects
+ jquery-ui'
+comments: false
+categories:
+- jquery-ui-rails
+advisory:
+ gem: jquery-ui-rails
+ cve: 2012-6662
+ ghsa: qqxp-xp9v-vvx6
+ url: https://nvd.nist.gov/vuln/detail/CVE-2012-6662
+ title: Moderate severity vulnerability that affects jquery-ui
+ date: 2017-10-24
+ description: |
+ Cross-site scripting (XSS) vulnerability in the default content option
+ in jquery.ui.tooltip.js in the Tooltip widget in jQuery UI before
+ 1.10.0 allows remote attackers to inject arbitrary web script or
+ HTML via the title attribute, which is not properly handled in the
+ autocomplete combo box demo.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 4.0.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-6662
+ - https://github.com/jquery-ui-rails/jquery-ui-rails/commit/61a8e3f50796118e9f49fbd224b67d4065b40c50
+ - https://github.com/jquery/jquery-ui/commit/f2854408cce7e4b7fc6bf8676761904af9c96bde
+ - https://github.com/jquery/jquery-ui/commit/5fee6fd5000072ff32f2d65b6451f39af9e0e39e
+ - http://bugs.jqueryui.com/ticket/8859
+ - http://bugs.jqueryui.com/ticket/8861
+ - https://github.com/jquery/jquery/issues/2432
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/98697
+ - http://rhn.redhat.com/errata/RHSA-2015-0442.html
+ - http://rhn.redhat.com/errata/RHSA-2015-1462.html
+ - http://seclists.org/oss-sec/2014/q4/613
+ - http://seclists.org/oss-sec/2014/q4/616
+ - http://www.securityfocus.com/bid/71107
+ - https://github.com/advisories/GHSA-qqxp-xp9v-vvx6
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2013-1655.md b/advisories/_posts/2017-10-24-CVE-2013-1655.md
index dc4acf7c..4b687407 100644
--- a/advisories/_posts/2017-10-24-CVE-2013-1655.md
+++ b/advisories/_posts/2017-10-24-CVE-2013-1655.md
@@ -1,35 +1,35 @@
----
-layout: advisory
-title: 'CVE-2013-1655 (puppet): Unauthenticated Remote Code Execution Vulnerability'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2013-1655
- ghsa: 574q-fxfj-wv6h
- url: https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
- title: Unauthenticated Remote Code Execution Vulnerability
- date: 2017-10-24
- description: |
- Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running
- Ruby 1.9.3 or later, allows remote attackers to execute arbitrary
- code via vectors related to "serialized attributes."
- cvss_v2: 7.5
- unaffected_versions:
- - "< 2.7.0"
- patched_versions:
- - "~> 2.7.21"
- - ">= 3.1.1"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2013-1655
- - https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
- - https://github.com/advisories/GHSA-574q-fxfj-wv6h
- - http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
- - http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
- - http://ubuntu.com/usn/usn-1759-1
- - http://www.debian.org/security/2013/dsa-2643
- - https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-1655
- - https://web.archive.org/web/20210509162357/https://www.securityfocus.com/bid/46291
----
+---
+layout: advisory
+title: 'CVE-2013-1655 (puppet): Unauthenticated Remote Code Execution Vulnerability'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2013-1655
+ ghsa: 574q-fxfj-wv6h
+ url: https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
+ title: Unauthenticated Remote Code Execution Vulnerability
+ date: 2017-10-24
+ description: |
+ Puppet 2.7.x before 2.7.21 and 3.1.x before 3.1.1, when running
+ Ruby 1.9.3 or later, allows remote attackers to execute arbitrary
+ code via vectors related to "serialized attributes."
+ cvss_v2: 7.5
+ unaffected_versions:
+ - "< 2.7.0"
+ patched_versions:
+ - "~> 2.7.21"
+ - ">= 3.1.1"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-1655
+ - https://www.puppet.com/security/cve/cve-2013-1655-unauthenticated-remote-code-execution-vulnerability
+ - https://github.com/advisories/GHSA-574q-fxfj-wv6h
+ - http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00004.html
+ - http://lists.opensuse.org/opensuse-updates/2013-04/msg00056.html
+ - http://ubuntu.com/usn/usn-1759-1
+ - http://www.debian.org/security/2013/dsa-2643
+ - https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2013-1655
+ - https://web.archive.org/web/20210509162357/https://www.securityfocus.com/bid/46291
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2013-1812.md b/advisories/_posts/2017-10-24-CVE-2013-1812.md
index d51fd7ec..3b5077ee 100644
--- a/advisories/_posts/2017-10-24-CVE-2013-1812.md
+++ b/advisories/_posts/2017-10-24-CVE-2013-1812.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'CVE-2013-1812 (ruby-openid): Vulnerable to XIE DoS attacks'
-comments: false
-categories:
-- ruby-openid
-advisory:
- gem: ruby-openid
- cve: 2013-1812
- ghsa: 6c8p-qphv-668v
- url: https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
- title: Vulnerable to XIE DoS attacks
- date: 2017-10-24
- description: |
- The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID
- providers to cause a denial of service (CPU consumption) via
- (1) a large XRDS document or
- (2) an XML Entity Expansion (XEE) attack.
- cvss_v2: 4.3
- patched_versions:
- - ">= 2.2.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2013-1812
- - https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
- - https://github.com/openid/ruby-openid/pull/43
- - https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
- - https://github.com/advisories/GHSA-6c8p-qphv-668v
- - https://bugzilla.redhat.com/show_bug.cgi?id=918134
- - http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html
- - http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html
- - http://www.openwall.com/lists/oss-security/2013/03/03/8
----
+---
+layout: advisory
+title: 'CVE-2013-1812 (ruby-openid): Vulnerable to XIE DoS attacks'
+comments: false
+categories:
+- ruby-openid
+advisory:
+ gem: ruby-openid
+ cve: 2013-1812
+ ghsa: 6c8p-qphv-668v
+ url: https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
+ title: Vulnerable to XIE DoS attacks
+ date: 2017-10-24
+ description: |
+ The ruby-openid gem before 2.2.2 for Ruby allows remote OpenID
+ providers to cause a denial of service (CPU consumption) via
+ (1) a large XRDS document or
+ (2) an XML Entity Expansion (XEE) attack.
+ cvss_v2: 4.3
+ patched_versions:
+ - ">= 2.2.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-1812
+ - https://github.com/openid/ruby-openid/blob/master/CHANGELOG.md
+ - https://github.com/openid/ruby-openid/pull/43
+ - https://github.com/openid/ruby-openid/commit/a3693cef06049563f5b4e4824f4d3211288508ed
+ - https://github.com/advisories/GHSA-6c8p-qphv-668v
+ - https://bugzilla.redhat.com/show_bug.cgi?id=918134
+ - http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120204.html
+ - http://lists.fedoraproject.org/pipermail/package-announce/2013-November/120361.html
+ - http://www.openwall.com/lists/oss-security/2013/03/03/8
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2013-3567.md b/advisories/_posts/2017-10-24-CVE-2013-3567.md
index 49cc4db1..57933519 100644
--- a/advisories/_posts/2017-10-24-CVE-2013-3567.md
+++ b/advisories/_posts/2017-10-24-CVE-2013-3567.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2013-3567 (puppet): Unauthenticated Remote Code Execution Vulnerability'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2013-3567
- ghsa: f7p5-w2cr-7cp7
- url: https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
- title: Unauthenticated Remote Code Execution Vulnerability
- date: 2017-10-24
- description: |
- Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet
- Enterprise before 2.8.2, deserializes untrusted YAML, which allows
- remote attackers to instantiate arbitrary Ruby classes and execute
- arbitrary code via a crafted REST API call.
- cvss_v2: 7.5
- patched_versions:
- - "~> 2.7.22"
- - ">= 3.2.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2013-3567
- - https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
- - https://github.com/advisories/GHSA-f7p5-w2cr-7cp7
- - http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
- - http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
- - http://rhn.redhat.com/errata/RHSA-2013-1283.html
- - http://rhn.redhat.com/errata/RHSA-2013-1284.html
- - http://www.debian.org/security/2013/dsa-2715
- - http://www.ubuntu.com/usn/USN-1886-1
----
+---
+layout: advisory
+title: 'CVE-2013-3567 (puppet): Unauthenticated Remote Code Execution Vulnerability'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2013-3567
+ ghsa: f7p5-w2cr-7cp7
+ url: https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
+ title: Unauthenticated Remote Code Execution Vulnerability
+ date: 2017-10-24
+ description: |
+ Puppet 2.7.x before 2.7.22 and 3.2.x before 3.2.2, and Puppet
+ Enterprise before 2.8.2, deserializes untrusted YAML, which allows
+ remote attackers to instantiate arbitrary Ruby classes and execute
+ arbitrary code via a crafted REST API call.
+ cvss_v2: 7.5
+ patched_versions:
+ - "~> 2.7.22"
+ - ">= 3.2.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-3567
+ - https://www.puppet.com/security/cve/cve-2013-3567-unauthenticated-remote-code-execution-vulnerability
+ - https://github.com/advisories/GHSA-f7p5-w2cr-7cp7
+ - http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00002.html
+ - http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00019.html
+ - http://rhn.redhat.com/errata/RHSA-2013-1283.html
+ - http://rhn.redhat.com/errata/RHSA-2013-1284.html
+ - http://www.debian.org/security/2013/dsa-2715
+ - http://www.ubuntu.com/usn/USN-1886-1
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2013-4761.md b/advisories/_posts/2017-10-24-CVE-2013-4761.md
index 5f2677cc..d894f248 100644
--- a/advisories/_posts/2017-10-24-CVE-2013-4761.md
+++ b/advisories/_posts/2017-10-24-CVE-2013-4761.md
@@ -1,38 +1,38 @@
----
-layout: advisory
-title: 'CVE-2013-4761 (puppet): Puppet `resource_type` Remote Code Execution Vulnerability'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2013-4761
- ghsa: cj43-9h3w-v976
- url: https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability
- title: Puppet `resource_type` Remote Code Execution Vulnerability
- date: 2017-10-24
- description: |
- Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and
- 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before
- 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute
- arbitrary Ruby programs from the master via the resource_type
- service.
-
- NOTE: this vulnerability can only be exploited using unspecified
- "local file system access" to the Puppet Master.
- cvss_v2: 5.1
- unaffected_versions:
- - "< 2.7.0"
- patched_versions:
- - "~> 2.7.23"
- - ">= 3.2.4"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2013-4761
- - https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability
- - https://github.com/advisories/GHSA-cj43-9h3w-v976
- - http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html
- - http://rhn.redhat.com/errata/RHSA-2013-1283.html
- - http://rhn.redhat.com/errata/RHSA-2013-1284.html
- - http://www.debian.org/security/2013/dsa-2761
----
+---
+layout: advisory
+title: 'CVE-2013-4761 (puppet): Puppet `resource_type` Remote Code Execution Vulnerability'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2013-4761
+ ghsa: cj43-9h3w-v976
+ url: https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability
+ title: Puppet `resource_type` Remote Code Execution Vulnerability
+ date: 2017-10-24
+ description: |
+ Unspecified vulnerability in Puppet 2.7.x before 2.7.23 and
+ 3.2.x before 3.2.4, and Puppet Enterprise 2.8.x before
+ 2.8.3 and 3.0.x before 3.0.1, allows remote attackers to execute
+ arbitrary Ruby programs from the master via the resource_type
+ service.
+
+ NOTE: this vulnerability can only be exploited using unspecified
+ "local file system access" to the Puppet Master.
+ cvss_v2: 5.1
+ unaffected_versions:
+ - "< 2.7.0"
+ patched_versions:
+ - "~> 2.7.23"
+ - ">= 3.2.4"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2013-4761
+ - https://www.puppet.com/security/cve/cve-2013-4761-resourcetype-remote-code-execution-vulnerability
+ - https://github.com/advisories/GHSA-cj43-9h3w-v976
+ - http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00009.html
+ - http://rhn.redhat.com/errata/RHSA-2013-1283.html
+ - http://rhn.redhat.com/errata/RHSA-2013-1284.html
+ - http://www.debian.org/security/2013/dsa-2761
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2014-0081.md b/advisories/_posts/2017-10-24-CVE-2014-0081.md
index cbdc5159..55bc4b2b 100644
--- a/advisories/_posts/2017-10-24-CVE-2014-0081.md
+++ b/advisories/_posts/2017-10-24-CVE-2014-0081.md
@@ -1,38 +1,38 @@
----
-layout: advisory
-title: 'CVE-2014-0081 (rails): Rails vulnerable to Cross-site Scripting'
-comments: false
-categories:
-- rails
-advisory:
- gem: rails
- cve: 2014-0081
- ghsa: m46p-ggm5-5j83
- url: https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
- title: Rails vulnerable to Cross-site Scripting
- date: 2017-10-24
- description: |
- Multiple cross-site scripting (XSS) vulnerabilities in
- "actionview/lib/action_view/helpers/number_helper.rb"
- in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2
- allow remote attackers to inject arbitrary web script or HTML via the
- (1) format, (2) negative_format, or (3) units parameter to the
- (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
- cvss_v2: 4.3
- patched_versions:
- - "~> 3.2.17"
- - "~> 4.0.3"
- - "~> 4.1.0.beta2"
- - ">= 4.1.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2014-0081
- - http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
- - http://openwall.com/lists/oss-security/2014/02/18/8
- - http://rhn.redhat.com/errata/RHSA-2014-0215.html
- - http://rhn.redhat.com/errata/RHSA-2014-0306.html
- - https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
- - https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
- - https://github.com/advisories/GHSA-m46p-ggm5-5j83
- - https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
----
+---
+layout: advisory
+title: 'CVE-2014-0081 (rails): Rails vulnerable to Cross-site Scripting'
+comments: false
+categories:
+- rails
+advisory:
+ gem: rails
+ cve: 2014-0081
+ ghsa: m46p-ggm5-5j83
+ url: https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
+ title: Rails vulnerable to Cross-site Scripting
+ date: 2017-10-24
+ description: |
+ Multiple cross-site scripting (XSS) vulnerabilities in
+ "actionview/lib/action_view/helpers/number_helper.rb"
+ in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2
+ allow remote attackers to inject arbitrary web script or HTML via the
+ (1) format, (2) negative_format, or (3) units parameter to the
+ (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper.
+ cvss_v2: 4.3
+ patched_versions:
+ - "~> 3.2.17"
+ - "~> 4.0.3"
+ - "~> 4.1.0.beta2"
+ - ">= 4.1.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-0081
+ - http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
+ - http://openwall.com/lists/oss-security/2014/02/18/8
+ - http://rhn.redhat.com/errata/RHSA-2014-0215.html
+ - http://rhn.redhat.com/errata/RHSA-2014-0306.html
+ - https://web.archive.org/web/20140911141416/http://www.securitytracker.com/id/1029782
+ - https://web.archive.org/web/20170307202606/http://www.securityfocus.com/bid/65647
+ - https://github.com/advisories/GHSA-m46p-ggm5-5j83
+ - https://github.com/rails/rails/commit/08d0a11a3f62718d601d39e617c834759cf59bbb
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2014-3248.md b/advisories/_posts/2017-10-24-CVE-2014-3248.md
index 0c790ee0..e34bfdcb 100644
--- a/advisories/_posts/2017-10-24-CVE-2014-3248.md
+++ b/advisories/_posts/2017-10-24-CVE-2014-3248.md
@@ -1,39 +1,39 @@
----
-layout: advisory
-title: 'CVE-2014-3248 (puppet): Moderate severity vulnerability that affects facter,
- hiera, mcollective-client, and puppet'
-comments: false
-categories:
-- puppet
-advisory:
- gem: puppet
- cve: 2014-3248
- ghsa: 92v7-pq4h-58j5
- url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
- title: Moderate severity vulnerability that affects facter, hiera, mcollective-client,
- and puppet
- date: 2017-10-24
- description: |
- Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
- Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
- before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
- allows local users to gain privileges via a Trojan horse file in the current working
- directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
- Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
- or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
- in puppet/confine.
- patched_versions:
- - "~> 2.7.26"
- - ">= 3.6.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
- - https://github.com/advisories/GHSA-92v7-pq4h-58j5
- - http://puppetlabs.com/security/cve/cve-2014-3248
- - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
- - http://secunia.com/advisories/59197
- - http://secunia.com/advisories/59200
- - http://www.securityfocus.com/bid/68035
- - https://github.com/rubysec/ruby-advisory-db/issues/238
- - https://sca.analysiscenter.veracode.com/vulnerability-database/security/elevation-privileges-untrusted-search/ruby/sid-1586/summary
----
+---
+layout: advisory
+title: 'CVE-2014-3248 (puppet): Moderate severity vulnerability that affects facter,
+ hiera, mcollective-client, and puppet'
+comments: false
+categories:
+- puppet
+advisory:
+ gem: puppet
+ cve: 2014-3248
+ ghsa: 92v7-pq4h-58j5
+ url: https://github.com/advisories/GHSA-92v7-pq4h-58j5
+ title: Moderate severity vulnerability that affects facter, hiera, mcollective-client,
+ and puppet
+ date: 2017-10-24
+ description: |
+ Untrusted search path vulnerability in Puppet Enterprise 2.8 before 2.8.7,
+ Puppet before 2.7.26 and 3.x before 3.6.2, Facter 1.6.x and 2.x before 2.0.2, Hiera
+ before 1.3.4, and Mcollective before 2.5.2, when running with Ruby 1.9.1 or earlier,
+ allows local users to gain privileges via a Trojan horse file in the current working
+ directory, as demonstrated using (1) rubygems/defaults/operating_system.rb, (2)
+ Win32API.rb, (3) Win32API.so, (4) safe_yaml.rb, (5) safe_yaml/deep.rb, or (6) safe_yaml/deep.so;
+ or (7) operatingsystem.rb, (8) operatingsystem.so, (9) osfamily.rb, or (10) osfamily.so
+ in puppet/confine.
+ patched_versions:
+ - "~> 2.7.26"
+ - ">= 3.6.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-3248
+ - https://github.com/advisories/GHSA-92v7-pq4h-58j5
+ - http://puppetlabs.com/security/cve/cve-2014-3248
+ - http://rowediness.com/2014/06/13/cve-2014-3248-a-little-problem-with-puppet/
+ - http://secunia.com/advisories/59197
+ - http://secunia.com/advisories/59200
+ - http://www.securityfocus.com/bid/68035
+ - https://github.com/rubysec/ruby-advisory-db/issues/238
+ - https://sca.analysiscenter.veracode.com/vulnerability-database/security/elevation-privileges-untrusted-search/ruby/sid-1586/summary
+---
diff --git a/advisories/_posts/2017-10-24-CVE-2016-7798.md b/advisories/_posts/2017-10-24-CVE-2016-7798.md
index 9e486411..0ca99efe 100644
--- a/advisories/_posts/2017-10-24-CVE-2016-7798.md
+++ b/advisories/_posts/2017-10-24-CVE-2016-7798.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2016-7798 (openssl): Incorrect handling of initialization vector in the
- GCM mode in OpenSSL'
-comments: false
-categories:
-- openssl
-advisory:
- gem: openssl
- cve: 2016-7798
- ghsa: 6h88-qjpv-p32m
- url: https://github.com/ruby/openssl/issues/49
- title: Incorrect handling of initialization vector in the GCM mode in OpenSSL
- date: 2017-10-24
- description: |
- The openssl gem for Ruby uses the same initialization vector (IV) in
- GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for
- context-dependent attackers to bypass the encryption protection mechanism.
- cvss_v2: 5.0
- cvss_v3: 7.5
- patched_versions:
- - ">= 2.0.0"
----
+---
+layout: advisory
+title: 'CVE-2016-7798 (openssl): Incorrect handling of initialization vector in the
+ GCM mode in OpenSSL'
+comments: false
+categories:
+- openssl
+advisory:
+ gem: openssl
+ cve: 2016-7798
+ ghsa: 6h88-qjpv-p32m
+ url: https://github.com/ruby/openssl/issues/49
+ title: Incorrect handling of initialization vector in the GCM mode in OpenSSL
+ date: 2017-10-24
+ description: |
+ The openssl gem for Ruby uses the same initialization vector (IV) in
+ GCM Mode (aes-*-gcm) when the IV is set before the key, which makes it easier for
+ context-dependent attackers to bypass the encryption protection mechanism.
+ cvss_v2: 5.0
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 2.0.0"
+---
diff --git a/advisories/_posts/2017-10-27-CVE-2017-15928.md b/advisories/_posts/2017-10-27-CVE-2017-15928.md
index 4813a1a5..eb410846 100644
--- a/advisories/_posts/2017-10-27-CVE-2017-15928.md
+++ b/advisories/_posts/2017-10-27-CVE-2017-15928.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2017-15928 (ox): ox ruby gem segmentation fault via parse_obj'
-comments: false
-categories:
-- ox
-advisory:
- gem: ox
- cve: 2017-15928
- ghsa: pjj4-w39g-pw54
- url: https://github.com/ohler55/ox/issues/194
- title: ox ruby gem segmentation fault via parse_obj
- date: 2017-10-27
- description: |
- In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
- fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated
- "Ox should handle the error more gracefully" but has not confirmed a security implication.
- cvss_v2: 5.0
- cvss_v3: 7.5
- patched_versions:
- - ">= 2.8.1"
----
+---
+layout: advisory
+title: 'CVE-2017-15928 (ox): ox ruby gem segmentation fault via parse_obj'
+comments: false
+categories:
+- ox
+advisory:
+ gem: ox
+ cve: 2017-15928
+ ghsa: pjj4-w39g-pw54
+ url: https://github.com/ohler55/ox/issues/194
+ title: ox ruby gem segmentation fault via parse_obj
+ date: 2017-10-27
+ description: |
+ In the Ox gem 2.8.0 for Ruby, the process crashes with a segmentation
+ fault when a crafted input is supplied to parse_obj. NOTE: the vendor has stated
+ "Ox should handle the error more gracefully" but has not confirmed a security implication.
+ cvss_v2: 5.0
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 2.8.1"
+---
diff --git a/advisories/_posts/2017-10-29-CVE-2017-16229.md b/advisories/_posts/2017-10-29-CVE-2017-16229.md
index 68f21a81..c29165de 100644
--- a/advisories/_posts/2017-10-29-CVE-2017-16229.md
+++ b/advisories/_posts/2017-10-29-CVE-2017-16229.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2017-16229 (ox): ox ruby gem stack overflow in sax_parse'
-comments: false
-categories:
-- ox
-advisory:
- gem: ox
- cve: 2017-16229
- ghsa: wfwm-chj7-w59r
- url: https://github.com/ohler55/ox/issues/195
- title: ox ruby gem stack overflow in sax_parse
- date: 2017-10-29
- description: |
- In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based
- buffer over-read in the read_from_str function in sax_buf.c when a crafted input
- is supplied to sax_parse.
- cvss_v2: 4.3
- cvss_v3: 5.5
- patched_versions:
- - ">= 2.8.2"
----
+---
+layout: advisory
+title: 'CVE-2017-16229 (ox): ox ruby gem stack overflow in sax_parse'
+comments: false
+categories:
+- ox
+advisory:
+ gem: ox
+ cve: 2017-16229
+ ghsa: wfwm-chj7-w59r
+ url: https://github.com/ohler55/ox/issues/195
+ title: ox ruby gem stack overflow in sax_parse
+ date: 2017-10-29
+ description: |
+ In the Ox gem 2.8.1 for Ruby, the process crashes with a stack-based
+ buffer over-read in the read_from_str function in sax_buf.c when a crafted input
+ is supplied to sax_parse.
+ cvss_v2: 4.3
+ cvss_v3: 5.5
+ patched_versions:
+ - ">= 2.8.2"
+---
diff --git a/advisories/_posts/2017-11-03-CVE-2017-16516.md b/advisories/_posts/2017-11-03-CVE-2017-16516.md
index 1dd97686..d9c76f35 100644
--- a/advisories/_posts/2017-11-03-CVE-2017-16516.md
+++ b/advisories/_posts/2017-11-03-CVE-2017-16516.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2017-16516 (yajl-ruby): Flaw in yajl-ruby gem may cause a DoS'
-comments: false
-categories:
-- yajl-ruby
-advisory:
- gem: yajl-ruby
- cve: 2017-16516
- ghsa: wwh7-4jw9-33x6
- url: https://nvd.nist.gov/vuln/detail/CVE-2017-16516
- title: Flaw in yajl-ruby gem may cause a DoS
- date: 2017-11-03
- description: |
- In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to
- Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the
- yajl_string_decode function in yajl_encode.c. This results in the whole ruby
- process terminating and potentially a denial of service.
- cvss_v3: 7.5
- patched_versions:
- - ">= 1.3.1"
- related:
- url:
- - https://github.com/brianmario/yajl-ruby/issues/176
----
+---
+layout: advisory
+title: 'CVE-2017-16516 (yajl-ruby): Flaw in yajl-ruby gem may cause a DoS'
+comments: false
+categories:
+- yajl-ruby
+advisory:
+ gem: yajl-ruby
+ cve: 2017-16516
+ ghsa: wwh7-4jw9-33x6
+ url: https://nvd.nist.gov/vuln/detail/CVE-2017-16516
+ title: Flaw in yajl-ruby gem may cause a DoS
+ date: 2017-11-03
+ description: |
+ In the yajl-ruby gem 1.3.0 for Ruby, when a crafted JSON file is supplied to
+ Yajl::Parser.new.parse, the whole ruby process crashes with a SIGABRT in the
+ yajl_string_decode function in yajl_encode.c. This results in the whole ruby
+ process terminating and potentially a denial of service.
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 1.3.1"
+ related:
+ url:
+ - https://github.com/brianmario/yajl-ruby/issues/176
+---
diff --git a/advisories/_posts/2017-11-07-CVE-2017-0904.md b/advisories/_posts/2017-11-07-CVE-2017-0904.md
index accb7d96..2399b52c 100644
--- a/advisories/_posts/2017-11-07-CVE-2017-0904.md
+++ b/advisories/_posts/2017-11-07-CVE-2017-0904.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2017-0904 (private_address_check): private_address_check Ruby Gem Resolv.getaddresses
- Server-Side Request Forgery'
-comments: false
-categories:
-- private_address_check
-advisory:
- gem: private_address_check
- cve: 2017-0904
- ghsa: hxhj-hp9m-qwc4
- url: https://github.com/jtdowney/private_address_check/issues/1
- title: private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery
- date: 2017-11-07
- description: |
- The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's
- Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security
- measures, such as when used to blacklist private network addresses to prevent server-side
- request forgery.
- cvss_v2: 6.8
- cvss_v3: 8.1
- patched_versions:
- - ">= 0.4.0"
----
+---
+layout: advisory
+title: 'CVE-2017-0904 (private_address_check): private_address_check Ruby Gem Resolv.getaddresses
+ Server-Side Request Forgery'
+comments: false
+categories:
+- private_address_check
+advisory:
+ gem: private_address_check
+ cve: 2017-0904
+ ghsa: hxhj-hp9m-qwc4
+ url: https://github.com/jtdowney/private_address_check/issues/1
+ title: private_address_check Ruby Gem Resolv.getaddresses Server-Side Request Forgery
+ date: 2017-11-07
+ description: |
+ The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's
+ Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security
+ measures, such as when used to blacklist private network addresses to prevent server-side
+ request forgery.
+ cvss_v2: 6.8
+ cvss_v3: 8.1
+ patched_versions:
+ - ">= 0.4.0"
+---
diff --git a/advisories/_posts/2017-11-09-CVE-2017-0905.md b/advisories/_posts/2017-11-09-CVE-2017-0905.md
index ccd5f5a2..dad92ba0 100644
--- a/advisories/_posts/2017-11-09-CVE-2017-0905.md
+++ b/advisories/_posts/2017-11-09-CVE-2017-0905.md
@@ -1,38 +1,38 @@
----
-layout: advisory
-title: 'CVE-2017-0905 (recurly): SSRF vulnerability in Recurly gem''s Resource#find.'
-comments: false
-categories:
-- recurly
-advisory:
- gem: recurly
- cve: 2017-0905
- ghsa: x27v-x225-gq8g
- url: https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be
- title: SSRF vulnerability in Recurly gem's Resource#find.
- date: 2017-11-09
- description: |
- If you are using the #find method on any of the classes that are derived from
- the Resource class and you are passing user input into that method, a
- malicious user can force the http client to reach out to a server under their
- control. This can lead to leakage of your private API key.
-
- Because of the severity of impact, we are recommending that all users upgrade
- to a patched version. We have provided a non-breaking patch for every 2.X
- version of the client.
- cvss_v3: 9.8
- patched_versions:
- - "~> 2.0.13"
- - "~> 2.1.11"
- - "~> 2.2.5"
- - "~> 2.3.10"
- - "~> 2.4.11"
- - "~> 2.5.3"
- - "~> 2.6.3"
- - "~> 2.7.8"
- - "~> 2.8.2"
- - "~> 2.9.2"
- - "~> 2.10.4"
- - "~> 2.11.3"
- - ">= 2.12.0"
----
+---
+layout: advisory
+title: 'CVE-2017-0905 (recurly): SSRF vulnerability in Recurly gem''s Resource#find.'
+comments: false
+categories:
+- recurly
+advisory:
+ gem: recurly
+ cve: 2017-0905
+ ghsa: x27v-x225-gq8g
+ url: https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be
+ title: SSRF vulnerability in Recurly gem's Resource#find.
+ date: 2017-11-09
+ description: |
+ If you are using the #find method on any of the classes that are derived from
+ the Resource class and you are passing user input into that method, a
+ malicious user can force the http client to reach out to a server under their
+ control. This can lead to leakage of your private API key.
+
+ Because of the severity of impact, we are recommending that all users upgrade
+ to a patched version. We have provided a non-breaking patch for every 2.X
+ version of the client.
+ cvss_v3: 9.8
+ patched_versions:
+ - "~> 2.0.13"
+ - "~> 2.1.11"
+ - "~> 2.2.5"
+ - "~> 2.3.10"
+ - "~> 2.4.11"
+ - "~> 2.5.3"
+ - "~> 2.6.3"
+ - "~> 2.7.8"
+ - "~> 2.8.2"
+ - "~> 2.9.2"
+ - "~> 2.10.4"
+ - "~> 2.11.3"
+ - ">= 2.12.0"
+---
diff --git a/advisories/_posts/2017-11-09-CVE-2017-0909.md b/advisories/_posts/2017-11-09-CVE-2017-0909.md
index 4d1a18df..74b3acff 100644
--- a/advisories/_posts/2017-11-09-CVE-2017-0909.md
+++ b/advisories/_posts/2017-11-09-CVE-2017-0909.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2017-0909 (private_address_check): private_address_check Ruby Gem Blacklist
- Bypass privilege escalation'
-comments: false
-categories:
-- private_address_check
-advisory:
- gem: private_address_check
- cve: 2017-0909
- ghsa: 3v3c-r5v2-68ph
- url: https://github.com/jtdowney/private_address_check/pull/3
- title: private_address_check Ruby Gem Blacklist Bypass privilege escalation
- date: 2017-11-09
- description: |
- The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete
- blacklist of common private/local network addresses used to prevent server-side request forgery.
- cvss_v2: 7.5
- cvss_v3: 9.8
- patched_versions:
- - ">= 0.4.1"
----
+---
+layout: advisory
+title: 'CVE-2017-0909 (private_address_check): private_address_check Ruby Gem Blacklist
+ Bypass privilege escalation'
+comments: false
+categories:
+- private_address_check
+advisory:
+ gem: private_address_check
+ cve: 2017-0909
+ ghsa: 3v3c-r5v2-68ph
+ url: https://github.com/jtdowney/private_address_check/pull/3
+ title: private_address_check Ruby Gem Blacklist Bypass privilege escalation
+ date: 2017-11-09
+ description: |
+ The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete
+ blacklist of common private/local network addresses used to prevent server-side request forgery.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 0.4.1"
+---
diff --git a/advisories/_posts/2017-11-10-CVE-2017-16792.md b/advisories/_posts/2017-11-10-CVE-2017-16792.md
index f7bb8449..1f2f9254 100644
--- a/advisories/_posts/2017-11-10-CVE-2017-16792.md
+++ b/advisories/_posts/2017-11-10-CVE-2017-16792.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'CVE-2017-16792 (geminabox): Stored XSS in "geminabox" via injection in Gemspec
- "homepage" value'
-comments: false
-categories:
-- geminabox
-advisory:
- gem: geminabox
- cve: 2017-16792
- ghsa: 653m-r33x-39ff
- url: https://github.com/geminabox/geminabox/blob/master/CHANGELOG.md#01310-2017-11-13
- title: Stored XSS in "geminabox" via injection in Gemspec "homepage" value
- date: 2017-11-10
- description: |
- Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem
- in a Box) allows attackers to inject arbitrary web script via a crafted
- JavaScript URL in the "homepage" value of a ".gemspec" file.
-
- A ".gemspec" file must be created with a JavaScript URL in the homepage
- value. This can be used to build a gem for upload to the Geminabox server,
- in order to achieve stored XSS via the gem hyperlink.
- cvss_v3: 6.1
- patched_versions:
- - ">= 0.13.10"
- related:
- url:
- - https://github.com/geminabox/geminabox/commit/f8429a9e364658459add170e4ebc7a5d3b4759e7
- - https://github.com/geminabox/geminabox/commit/e7e0b16147677e9029f0b55eff6bc6dda52398d4
----
+---
+layout: advisory
+title: 'CVE-2017-16792 (geminabox): Stored XSS in "geminabox" via injection in Gemspec
+ "homepage" value'
+comments: false
+categories:
+- geminabox
+advisory:
+ gem: geminabox
+ cve: 2017-16792
+ ghsa: 653m-r33x-39ff
+ url: https://github.com/geminabox/geminabox/blob/master/CHANGELOG.md#01310-2017-11-13
+ title: Stored XSS in "geminabox" via injection in Gemspec "homepage" value
+ date: 2017-11-10
+ description: |
+ Stored cross-site scripting (XSS) vulnerability in "geminabox" (Gem
+ in a Box) allows attackers to inject arbitrary web script via a crafted
+ JavaScript URL in the "homepage" value of a ".gemspec" file.
+
+ A ".gemspec" file must be created with a JavaScript URL in the homepage
+ value. This can be used to build a gem for upload to the Geminabox server,
+ in order to achieve stored XSS via the gem hyperlink.
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 0.13.10"
+ related:
+ url:
+ - https://github.com/geminabox/geminabox/commit/f8429a9e364658459add170e4ebc7a5d3b4759e7
+ - https://github.com/geminabox/geminabox/commit/e7e0b16147677e9029f0b55eff6bc6dda52398d4
+---
diff --git a/advisories/_posts/2017-11-15-CVE-2017-7475.md b/advisories/_posts/2017-11-15-CVE-2017-7475.md
index 16ccd90e..1955a5a0 100644
--- a/advisories/_posts/2017-11-15-CVE-2017-7475.md
+++ b/advisories/_posts/2017-11-15-CVE-2017-7475.md
@@ -1,20 +1,20 @@
----
-layout: advisory
-title: 'CVE-2017-7475 (cairo): cairo NULL pointer dereference'
-comments: false
-categories:
-- cairo
-advisory:
- gem: cairo
- cve: 2017-7475
- ghsa: 5v3f-73gv-x7x5
- url: https://bugs.freedesktop.org/show_bug.cgi?id=100763
- date: 2017-11-15
- title: cairo NULL pointer dereference
- description: |
- Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related
- to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
- cvss_v3: 5.5
- patched_versions:
- - ">= 1.15.5"
----
+---
+layout: advisory
+title: 'CVE-2017-7475 (cairo): cairo NULL pointer dereference'
+comments: false
+categories:
+- cairo
+advisory:
+ gem: cairo
+ cve: 2017-7475
+ ghsa: 5v3f-73gv-x7x5
+ url: https://bugs.freedesktop.org/show_bug.cgi?id=100763
+ date: 2017-11-15
+ title: cairo NULL pointer dereference
+ description: |
+ Cairo version 1.15.4 is vulnerable to a NULL pointer dereference related
+ to the FT_Load_Glyph and FT_Render_Glyph resulting in an application crash.
+ cvss_v3: 5.5
+ patched_versions:
+ - ">= 1.15.5"
+---
diff --git a/advisories/_posts/2017-11-16-CVE-2014-9489.md b/advisories/_posts/2017-11-16-CVE-2014-9489.md
index a0358288..34e460b6 100644
--- a/advisories/_posts/2017-11-16-CVE-2014-9489.md
+++ b/advisories/_posts/2017-11-16-CVE-2014-9489.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'CVE-2014-9489 (gollum): gollum and gollum-lib allow remote authenticated users
- to execute arbitrary code'
-comments: false
-categories:
-- gollum
-advisory:
- gem: gollum
- cve: 2014-9489
- ghsa: q97v-764g-r2rp
- url: https://github.com/gollum/gollum/issues/913
- title: gollum and gollum-lib allow remote authenticated users to execute arbitrary
- code
- date: 2017-11-16
- description: |
- The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and
- the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string `master`
- is in any of the wiki documents, allows remote authenticated users to execute arbitrary
- code via the `-O` or `--open-files-in-pager` flags.
- cvss_v2: 6.5
- cvss_v3: 8.8
- patched_versions:
- - ">= 3.1.1"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2014-9489
- - https://github.com/gollum/gollum/issues/913
- - https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7
- - http://www.openwall.com/lists/oss-security/2015/01/03/19
- - https://web.archive.org/web/20200229041306/http://www.securityfocus.com/bid/71499
- - https://github.com/advisories/GHSA-q97v-764g-r2rp
----
+---
+layout: advisory
+title: 'CVE-2014-9489 (gollum): gollum and gollum-lib allow remote authenticated users
+ to execute arbitrary code'
+comments: false
+categories:
+- gollum
+advisory:
+ gem: gollum
+ cve: 2014-9489
+ ghsa: q97v-764g-r2rp
+ url: https://github.com/gollum/gollum/issues/913
+ title: gollum and gollum-lib allow remote authenticated users to execute arbitrary
+ code
+ date: 2017-11-16
+ description: |
+ The gollum-grit_adapter Ruby gem dependency in gollum before 3.1.1 and
+ the gollum-lib gem dependency in gollum-lib before 4.0.1 when the string `master`
+ is in any of the wiki documents, allows remote authenticated users to execute arbitrary
+ code via the `-O` or `--open-files-in-pager` flags.
+ cvss_v2: 6.5
+ cvss_v3: 8.8
+ patched_versions:
+ - ">= 3.1.1"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-9489
+ - https://github.com/gollum/gollum/issues/913
+ - https://github.com/gollum/grit_adapter/commit/4520d973c81fecfebbeacd2ef2f1849d763951c7
+ - http://www.openwall.com/lists/oss-security/2015/01/03/19
+ - https://web.archive.org/web/20200229041306/http://www.securityfocus.com/bid/71499
+ - https://github.com/advisories/GHSA-q97v-764g-r2rp
+---
diff --git a/advisories/_posts/2017-11-16-CVE-2017-1000248.md b/advisories/_posts/2017-11-16-CVE-2017-1000248.md
index 8c4e487a..dcd9805c 100644
--- a/advisories/_posts/2017-11-16-CVE-2017-1000248.md
+++ b/advisories/_posts/2017-11-16-CVE-2017-1000248.md
@@ -1,20 +1,20 @@
----
-layout: advisory
-title: 'CVE-2017-1000248 (redis-store): Unsafe objects can be loaded from Redis'
-comments: false
-categories:
-- redis-store
-advisory:
- gem: redis-store
- cve: 2017-1000248
- ghsa: 2w67-526p-gm73
- url: https://github.com/redis-store/redis-store/commit/ce13252c26fcc40ed4935c9abfeb0ee0761e5704
- title: Unsafe objects can be loaded from Redis
- date: 2017-11-16
- description: |
- Redis-store <=v1.3.0 allows unsafe objects to be loaded from Redis via the
- use of the Marshal serializer.
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.4.0"
----
+---
+layout: advisory
+title: 'CVE-2017-1000248 (redis-store): Unsafe objects can be loaded from Redis'
+comments: false
+categories:
+- redis-store
+advisory:
+ gem: redis-store
+ cve: 2017-1000248
+ ghsa: 2w67-526p-gm73
+ url: https://github.com/redis-store/redis-store/commit/ce13252c26fcc40ed4935c9abfeb0ee0761e5704
+ title: Unsafe objects can be loaded from Redis
+ date: 2017-11-16
+ description: |
+ Redis-store <=v1.3.0 allows unsafe objects to be loaded from Redis via the
+ use of the Marshal serializer.
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.4.0"
+---
diff --git a/advisories/_posts/2017-11-28-CVE-2017-17042.md b/advisories/_posts/2017-11-28-CVE-2017-17042.md
index e9481d4a..cd50e4fc 100644
--- a/advisories/_posts/2017-11-28-CVE-2017-17042.md
+++ b/advisories/_posts/2017-11-28-CVE-2017-17042.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2017-17042 (yard): Potential arbitrary file read vulnerability in yard
- server'
-comments: false
-categories:
-- yard
-advisory:
- gem: yard
- cve: 2017-17042
- ghsa: gj4p-3wh3-2rmf
- url: https://nvd.nist.gov/vuln/detail/CVE-2017-17042
- title: Potential arbitrary file read vulnerability in yard server
- date: 2017-11-28
- description: |
- lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
- relative paths with an initial ../ sequence, which allows attackers to conduct
- directory traversal attacks and read arbitrary files.
- cvss_v2: 5.0
- cvss_v3: 7.5
- patched_versions:
- - ">= 0.9.11"
----
+---
+layout: advisory
+title: 'CVE-2017-17042 (yard): Potential arbitrary file read vulnerability in yard
+ server'
+comments: false
+categories:
+- yard
+advisory:
+ gem: yard
+ cve: 2017-17042
+ ghsa: gj4p-3wh3-2rmf
+ url: https://nvd.nist.gov/vuln/detail/CVE-2017-17042
+ title: Potential arbitrary file read vulnerability in yard server
+ date: 2017-11-28
+ description: |
+ lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block
+ relative paths with an initial ../ sequence, which allows attackers to conduct
+ directory traversal attacks and read arbitrary files.
+ cvss_v2: 5.0
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 0.9.11"
+---
diff --git a/advisories/_posts/2017-12-17-CVE-2017-17718.md b/advisories/_posts/2017-12-17-CVE-2017-17718.md
index 6a9e0f01..49cccee4 100644
--- a/advisories/_posts/2017-12-17-CVE-2017-17718.md
+++ b/advisories/_posts/2017-12-17-CVE-2017-17718.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2017-17718 (net-ldap): No validation of hostname certificate in net-ldap'
-comments: false
-categories:
-- net-ldap
-advisory:
- gem: net-ldap
- cve: 2017-17718
- ghsa: m7p8-9w66-9frm
- url: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
- title: No validation of hostname certificate in net-ldap
- date: 2017-12-17
- description: |
- The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL
- Certificate Validation. The LDAP server's certificate was not verified
- to match the host it was supposed to be connecting to.
- cvss_v3: 5.9
- patched_versions:
- - ">= 0.16.0"
- related:
- url:
- - https://github.com/ruby-ldap/ruby-net-ldap/pull/279
- - https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd
----
+---
+layout: advisory
+title: 'CVE-2017-17718 (net-ldap): No validation of hostname certificate in net-ldap'
+comments: false
+categories:
+- net-ldap
+advisory:
+ gem: net-ldap
+ cve: 2017-17718
+ ghsa: m7p8-9w66-9frm
+ url: https://github.com/ruby-ldap/ruby-net-ldap/issues/258
+ title: No validation of hostname certificate in net-ldap
+ date: 2017-12-17
+ description: |
+ The Net::LDAP (aka net-ldap) gem before 0.16.0 for Ruby has Missing SSL
+ Certificate Validation. The LDAP server's certificate was not verified
+ to match the host it was supposed to be connecting to.
+ cvss_v3: 5.9
+ patched_versions:
+ - ">= 0.16.0"
+ related:
+ url:
+ - https://github.com/ruby-ldap/ruby-net-ldap/pull/279
+ - https://github.com/ruby-ldap/ruby-net-ldap/commit/e4c46a223a19feda78393a793711353aa1febdcd
+---
diff --git a/advisories/_posts/2018-01-04-CVE-2018-5216.md b/advisories/_posts/2018-01-04-CVE-2018-5216.md
index a4e24423..d718d997 100644
--- a/advisories/_posts/2018-01-04-CVE-2018-5216.md
+++ b/advisories/_posts/2018-01-04-CVE-2018-5216.md
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2018-5216 (radiant): Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content
- cross site scripting'
-comments: false
-categories:
-- radiant
-advisory:
- gem: radiant
- cve: 2018-5216
- ghsa: mvw8-v767-qhjm
- url: https://github.com/imsebao/404team/blob/master/radiantcms.md
- title: Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content cross site
- scripting
- date: 2018-01-04
- description: |
- Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content
- parameter to an admin/pages/*/edit resource.
- cvss_v2: 3.5
- cvss_v3: 5.4
----
+---
+layout: advisory
+title: 'CVE-2018-5216 (radiant): Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content
+ cross site scripting'
+comments: false
+categories:
+- radiant
+advisory:
+ gem: radiant
+ cve: 2018-5216
+ ghsa: mvw8-v767-qhjm
+ url: https://github.com/imsebao/404team/blob/master/radiantcms.md
+ title: Radiant CMS 1.1.4 Markdown admin/pages/*/edit part_body_content cross site
+ scripting
+ date: 2018-01-04
+ description: |
+ Radiant CMS 1.1.4 has XSS via crafted Markdown input in the part_body_content
+ parameter to an admin/pages/*/edit resource.
+ cvss_v2: 3.5
+ cvss_v3: 5.4
+---
diff --git a/advisories/_posts/2018-01-09-CVE-2018-7212.md b/advisories/_posts/2018-01-09-CVE-2018-7212.md
index 6e4227f1..05e96204 100644
--- a/advisories/_posts/2018-01-09-CVE-2018-7212.md
+++ b/advisories/_posts/2018-01-09-CVE-2018-7212.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2018-7212 (sinatra): sinatra ruby gem path traversal via backslash characters
- on Windows'
-comments: false
-categories:
-- sinatra
-advisory:
- gem: sinatra
- cve: 2018-7212
- ghsa: h29f-7f56-j8wh
- url: https://github.com/sinatra/sinatra/pull/1379
- title: sinatra ruby gem path traversal via backslash characters on Windows
- date: 2018-01-09
- description: |
- An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb
- in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash
- characters.
- cvss_v2: 5.0
- cvss_v3: 5.3
- unaffected_versions:
- - "< 2.0.0"
- patched_versions:
- - ">= 2.0.1"
----
+---
+layout: advisory
+title: 'CVE-2018-7212 (sinatra): sinatra ruby gem path traversal via backslash characters
+ on Windows'
+comments: false
+categories:
+- sinatra
+advisory:
+ gem: sinatra
+ cve: 2018-7212
+ ghsa: h29f-7f56-j8wh
+ url: https://github.com/sinatra/sinatra/pull/1379
+ title: sinatra ruby gem path traversal via backslash characters on Windows
+ date: 2018-01-09
+ description: |
+ An issue was discovered in rack-protection/lib/rack/protection/path_traversal.rb
+ in Sinatra 2.x before 2.0.1 on Windows. Path traversal is possible via backslash
+ characters.
+ cvss_v2: 5.0
+ cvss_v3: 5.3
+ unaffected_versions:
+ - "< 2.0.0"
+ patched_versions:
+ - ">= 2.0.1"
+---
diff --git a/advisories/_posts/2018-01-10-CVE-2017-12097.md b/advisories/_posts/2018-01-10-CVE-2017-12097.md
index ffba802f..0bc2982b 100644
--- a/advisories/_posts/2018-01-10-CVE-2017-12097.md
+++ b/advisories/_posts/2018-01-10-CVE-2017-12097.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2017-12097 (delayed_job_web): delayed_job_web ruby gem XSS vulnerability
- via `queues` parameter'
-comments: false
-categories:
-- delayed_job_web
-advisory:
- gem: delayed_job_web
- cve: 2017-12097
- ghsa: w7q9-xr2x-wh7x
- url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0449
- title: delayed_job_web ruby gem XSS vulnerability via `queues` parameter
- date: 2018-01-10
- description: |
- An exploitable cross site scripting (XSS) vulnerability exists in the
- filter functionality of the delayed_job_web ruby gem. A specially crafted
- URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary
- javascript on the victim's browser. An attacker can phish an authenticated user
- to trigger this vulnerability.
- cvss_v3: 6.1
- patched_versions:
- - ">= 1.4.2"
----
+---
+layout: advisory
+title: 'CVE-2017-12097 (delayed_job_web): delayed_job_web ruby gem XSS vulnerability
+ via `queues` parameter'
+comments: false
+categories:
+- delayed_job_web
+advisory:
+ gem: delayed_job_web
+ cve: 2017-12097
+ ghsa: w7q9-xr2x-wh7x
+ url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0449
+ title: delayed_job_web ruby gem XSS vulnerability via `queues` parameter
+ date: 2018-01-10
+ description: |
+ An exploitable cross site scripting (XSS) vulnerability exists in the
+ filter functionality of the delayed_job_web ruby gem. A specially crafted
+ URL can cause an XSS flaw resulting in an attacker being able to execute arbitrary
+ javascript on the victim's browser. An attacker can phish an authenticated user
+ to trigger this vulnerability.
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 1.4.2"
+---
diff --git a/advisories/_posts/2018-01-10-CVE-2017-12098.md b/advisories/_posts/2018-01-10-CVE-2017-12098.md
index f904a7c1..10fc9a74 100644
--- a/advisories/_posts/2018-01-10-CVE-2017-12098.md
+++ b/advisories/_posts/2018-01-10-CVE-2017-12098.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2017-12098 (rails_admin): rails_admin ruby gem XSS vulnerability'
-comments: false
-categories:
-- rails_admin
-advisory:
- gem: rails_admin
- cve: 2017-12098
- ghsa: pxr8-w3jq-rcwj
- url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
- title: rails_admin ruby gem XSS vulnerability
- date: 2018-01-10
- description: |
- An exploitable cross site scripting (XSS) vulnerability exists in the
- add filter functionality of the rails_admin rails gem version 1.2.0. A specially
- crafted URL can cause an XSS flaw resulting in an attacker being able to execute
- arbitrary javascript on the victim's browser. An attacker can phish an authenticated
- user to trigger this vulnerability.
- cvss_v2: 4.3
- cvss_v3: 6.1
- patched_versions:
- - ">= 1.3.0"
- related:
- url:
- - https://github.com/sferik/rails_admin/issues/2985
----
+---
+layout: advisory
+title: 'CVE-2017-12098 (rails_admin): rails_admin ruby gem XSS vulnerability'
+comments: false
+categories:
+- rails_admin
+advisory:
+ gem: rails_admin
+ cve: 2017-12098
+ ghsa: pxr8-w3jq-rcwj
+ url: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0450
+ title: rails_admin ruby gem XSS vulnerability
+ date: 2018-01-10
+ description: |
+ An exploitable cross site scripting (XSS) vulnerability exists in the
+ add filter functionality of the rails_admin rails gem version 1.2.0. A specially
+ crafted URL can cause an XSS flaw resulting in an attacker being able to execute
+ arbitrary javascript on the victim's browser. An attacker can phish an authenticated
+ user to trigger this vulnerability.
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 1.3.0"
+ related:
+ url:
+ - https://github.com/sferik/rails_admin/issues/2985
+---
diff --git a/advisories/_posts/2018-01-18-CVE-2016-10707.md b/advisories/_posts/2018-01-18-CVE-2016-10707.md
index 9904def7..d75da2bc 100644
--- a/advisories/_posts/2018-01-18-CVE-2016-10707.md
+++ b/advisories/_posts/2018-01-18-CVE-2016-10707.md 
@@ -1,41 +1,41 @@
----
-layout: advisory
-title: 'CVE-2016-10707 (jquery-rails): Denial of Service in jquery'
-comments: false
-categories:
-- jquery-rails
-- rails
-advisory:
- gem: jquery-rails
- framework: rails
- cve: 2016-10707
- ghsa: mhpp-875w-9cpv
- url: https://nvd.nist.gov/vuln/detail/CVE-2016-10707
- title: Denial of Service in jquery
- date: 2018-01-18
- description: |
- Affected versions of `jquery` use a lowercasing logic on attribute
- names. When given a boolean attribute with a name that contains
- uppercase characters, `jquery` enters into an infinite recursion
- loop, exceeding the call stack limit, and resulting in a denial
- of service condition.
-
- ## Recommendation
-
- Update to version 3.0.0 or later.
- cvss_v2: 5.0
- cvss_v3: 7.5
- unaffected_versions:
- - "< 3.0.0-rc.1"
- patched_versions:
- - ">= 3.0.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2016-10707
- - https://github.com/advisories/GHSA-mhpp-875w-9cpv
- - https://github.com/jquery/jquery/issues/3133
- - https://github.com/jquery/jquery/issues/3133#issuecomment-358978489
- - https://www.npmjs.com/advisories/330
- - https://github.com/jquery/jquery/pull/3134
- - https://snyk.io/vuln/npm:jquery:20160529
----
+---
+layout: advisory
+title: 'CVE-2016-10707 (jquery-rails): Denial of Service in jquery'
+comments: false
+categories:
+- jquery-rails
+- rails
+advisory:
+ gem: jquery-rails
+ framework: rails
+ cve: 2016-10707
+ ghsa: mhpp-875w-9cpv
+ url: https://nvd.nist.gov/vuln/detail/CVE-2016-10707
+ title: Denial of Service in jquery
+ date: 2018-01-18
+ description: |
+ Affected versions of `jquery` use a lowercasing logic on attribute
+ names. When given a boolean attribute with a name that contains
+ uppercase characters, `jquery` enters into an infinite recursion
+ loop, exceeding the call stack limit, and resulting in a denial
+ of service condition.
+
+ ## Recommendation
+
+ Update to version 3.0.0 or later.
+ cvss_v2: 5.0
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 3.0.0-rc.1"
+ patched_versions:
+ - ">= 3.0.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2016-10707
+ - https://github.com/advisories/GHSA-mhpp-875w-9cpv
+ - https://github.com/jquery/jquery/issues/3133
+ - https://github.com/jquery/jquery/issues/3133#issuecomment-358978489
+ - https://www.npmjs.com/advisories/330
+ - https://github.com/jquery/jquery/pull/3134
+ - https://snyk.io/vuln/npm:jquery:20160529
+---
diff --git a/advisories/_posts/2018-01-22-CVE-2015-9251.md b/advisories/_posts/2018-01-22-CVE-2015-9251.md
index 69c964f1..89031969 100644
--- a/advisories/_posts/2018-01-22-CVE-2015-9251.md
+++ b/advisories/_posts/2018-01-22-CVE-2015-9251.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2015-9251 (jquery-rails): Cross-Site Scripting (XSS) in jquery'
-comments: false
-categories:
-- jquery-rails
-- rails
-advisory:
- gem: jquery-rails
- framework: rails
- cve: 2015-9251
- ghsa: rmxg-73gg-4p98
- url: https://github.com/rails/jquery-rails/releases/tag/v4.2.0
- title: Cross-Site Scripting (XSS) in jquery
- date: 2018-01-22
- description: |
- Affected versions of `jquery` interpret `text/javascript` responses
- from cross-origin ajax requests, and automatically execute the
- contents in `jQuery.globalEval`, even when the ajax request
- doesn't contain the `dataType` option.
- cvss_v2: 6.1
- cvss_v3: 6.1
- patched_versions:
- - ">= 4.2.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2015-9251
- - https://github.com/rails/jquery-rails/releases/tag/v4.2.0
- - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420
- - https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377
- - https://github.com/advisories/GHSA-rmxg-73gg-4p98
----
+---
+layout: advisory
+title: 'CVE-2015-9251 (jquery-rails): Cross-Site Scripting (XSS) in jquery'
+comments: false
+categories:
+- jquery-rails
+- rails
+advisory:
+ gem: jquery-rails
+ framework: rails
+ cve: 2015-9251
+ ghsa: rmxg-73gg-4p98
+ url: https://github.com/rails/jquery-rails/releases/tag/v4.2.0
+ title: Cross-Site Scripting (XSS) in jquery
+ date: 2018-01-22
+ description: |
+ Affected versions of `jquery` interpret `text/javascript` responses
+ from cross-origin ajax requests, and automatically execute the
+ contents in `jQuery.globalEval`, even when the ajax request
+ doesn't contain the `dataType` option.
+ cvss_v2: 6.1
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 4.2.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2015-9251
+ - https://github.com/rails/jquery-rails/releases/tag/v4.2.0
+ - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#420
+ - https://github.com/rails/jquery-rails/blob/v4.2.0/vendor/assets/javascripts/jquery3.js#L9377
+ - https://github.com/advisories/GHSA-rmxg-73gg-4p98
+---
diff --git a/advisories/_posts/2018-01-23-CVE-2017-0889.md b/advisories/_posts/2018-01-23-CVE-2017-0889.md
index c6bb39f9..6ddec908 100644
--- a/advisories/_posts/2018-01-23-CVE-2017-0889.md
+++ b/advisories/_posts/2018-01-23-CVE-2017-0889.md
@@ -1,33 +1,33 @@
----
-layout: advisory
-title: 'CVE-2017-0889 (paperclip): Paperclip ruby gem suffers from a Server-Side Request
- Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter
- class.'
-comments: false
-categories:
-- paperclip
-advisory:
- gem: paperclip
- cve: 2017-0889
- ghsa: 5jcf-c5rg-rmm8
- url: https://github.com/thoughtbot/paperclip/pull/2435
- title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
- in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
- date: 2018-01-23
- description: |
- Paperclip gem provides multiple ways a file can be uploaded to a web server.
- The vulnerability affects two of Paperclip’s IO adapters that accept URLs as
- attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
- used, Paperclip acts as a proxy and downloads the file from the website URI
- that is passed in. The library does not perform any validation to protect
- against Server Side Request Forgery (SSRF) exploits by default. This may allow
- a remote attacker to access information about internal network resources.
- cvss_v2: 7.5
- cvss_v3: 9.8
- patched_versions:
- - ">= 5.2.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
- - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4
----
+---
+layout: advisory
+title: 'CVE-2017-0889 (paperclip): Paperclip ruby gem suffers from a Server-Side Request
+ Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter
+ class.'
+comments: false
+categories:
+- paperclip
+advisory:
+ gem: paperclip
+ cve: 2017-0889
+ ghsa: 5jcf-c5rg-rmm8
+ url: https://github.com/thoughtbot/paperclip/pull/2435
+ title: Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
+ in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
+ date: 2018-01-23
+ description: |
+ Paperclip gem provides multiple ways a file can be uploaded to a web server.
+ The vulnerability affects two of Paperclip’s IO adapters that accept URLs as
+ attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
+ used, Paperclip acts as a proxy and downloads the file from the website URI
+ that is passed in. The library does not perform any validation to protect
+ against Server Side Request Forgery (SSRF) exploits by default. This may allow
+ a remote attacker to access information about internal network resources.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 5.2.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
+ - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4
+---
diff --git a/advisories/_posts/2018-01-29-CVE-2017-15412.md b/advisories/_posts/2018-01-29-CVE-2017-15412.md
index 89225cbe..a9099c7e 100644
--- a/advisories/_posts/2018-01-29-CVE-2017-15412.md
+++ b/advisories/_posts/2018-01-29-CVE-2017-15412.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2017-15412 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities'
-comments: false
-categories:
-- nokogiri
-advisory:
- gem: nokogiri
- cve: 2017-15412
- ghsa: r58r-74gx-6wx3
- url: https://github.com/sparklemotion/nokogiri/issues/1714
- title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
- date: 2018-01-29
- description: |
- The version of libxml2 packaged with Nokogiri contains a
- vulnerability. Nokogiri has mitigated these issue by upgrading to
- libxml 2.9.6.
-
- It was discovered that libxml2 incorrecty handled certain files. An attacker
- could use this issue with specially constructed XML data to cause libxml2 to
- consume resources, leading to a denial of service.
- cvss_v3: 8.8
- patched_versions:
- - ">= 1.8.2"
- related:
- cve:
- - 2017-18258
- url:
- - https://usn.ubuntu.com/usn/usn-3513-1/
- - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15412.html
----
+---
+layout: advisory
+title: 'CVE-2017-15412 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities'
+comments: false
+categories:
+- nokogiri
+advisory:
+ gem: nokogiri
+ cve: 2017-15412
+ ghsa: r58r-74gx-6wx3
+ url: https://github.com/sparklemotion/nokogiri/issues/1714
+ title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
+ date: 2018-01-29
+ description: |
+ The version of libxml2 packaged with Nokogiri contains a
+ vulnerability. Nokogiri has mitigated these issue by upgrading to
+ libxml 2.9.6.
+
+ It was discovered that libxml2 incorrecty handled certain files. An attacker
+ could use this issue with specially constructed XML data to cause libxml2 to
+ consume resources, leading to a denial of service.
+ cvss_v3: 8.8
+ patched_versions:
+ - ">= 1.8.2"
+ related:
+ cve:
+ - 2017-18258
+ url:
+ - https://usn.ubuntu.com/usn/usn-3513-1/
+ - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-15412.html
+---
diff --git a/advisories/_posts/2018-01-29-CVE-2017-16932.md b/advisories/_posts/2018-01-29-CVE-2017-16932.md
index dc965339..10985921 100644
--- a/advisories/_posts/2018-01-29-CVE-2017-16932.md
+++ b/advisories/_posts/2018-01-29-CVE-2017-16932.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2017-16932 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities'
-comments: false
-categories:
-- nokogiri
-advisory:
- gem: nokogiri
- cve: 2017-16932
- ghsa: x2fm-93ww-ggvx
- url: https://github.com/sparklemotion/nokogiri/issues/1714
- title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
- date: 2018-01-29
- description: |
- The version of libxml2 packaged with Nokogiri contains a
- vulnerability. Nokogiri has mitigated these issue by upgrading to
- libxml 2.9.5.
-
- Wei Lei discovered that libxml2 incorrecty handled certain parameter
- entities. An attacker could use this issue with specially constructed XML
- data to cause libxml2 to consume resources, leading to a denial of service.
- cvss_v3: 7.5
- patched_versions:
- - ">= 1.8.1"
- related:
- url:
- - https://usn.ubuntu.com/usn/usn-3504-1/
- - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html
----
+---
+layout: advisory
+title: 'CVE-2017-16932 (nokogiri): Nokogiri gem, via libxml, is affected by DoS vulnerabilities'
+comments: false
+categories:
+- nokogiri
+advisory:
+ gem: nokogiri
+ cve: 2017-16932
+ ghsa: x2fm-93ww-ggvx
+ url: https://github.com/sparklemotion/nokogiri/issues/1714
+ title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
+ date: 2018-01-29
+ description: |
+ The version of libxml2 packaged with Nokogiri contains a
+ vulnerability. Nokogiri has mitigated these issue by upgrading to
+ libxml 2.9.5.
+
+ Wei Lei discovered that libxml2 incorrecty handled certain parameter
+ entities. An attacker could use this issue with specially constructed XML
+ data to cause libxml2 to consume resources, leading to a denial of service.
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 1.8.1"
+ related:
+ url:
+ - https://usn.ubuntu.com/usn/usn-3504-1/
+ - https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-16932.html
+---
diff --git a/advisories/_posts/2018-02-18-CVE-2018-7212.md b/advisories/_posts/2018-02-18-CVE-2018-7212.md
index 2eb44330..fb0c9485 100644
--- a/advisories/_posts/2018-02-18-CVE-2018-7212.md
+++ b/advisories/_posts/2018-02-18-CVE-2018-7212.md
@@ -1,20 +1,20 @@
----
-layout: advisory
-title: 'CVE-2018-7212 (rack-protection): Path traversal is possible via backslash
- characters on Windows.'
-comments: false
-categories:
-- rack-protection
-advisory:
- gem: rack-protection
- cve: 2018-7212
- url: https://github.com/sinatra/sinatra/pull/1379
- title: Path traversal is possible via backslash characters on Windows.
- date: 2018-02-18
- description: |
- An issue was discovered in rack-protection 2.x before 2.0.1 on Windows. Path traversal
- is possible via backslash characters.
- patched_versions:
- - ">= 2.0.1"
- - "~> 1.5.4"
----
+---
+layout: advisory
+title: 'CVE-2018-7212 (rack-protection): Path traversal is possible via backslash
+ characters on Windows.'
+comments: false
+categories:
+- rack-protection
+advisory:
+ gem: rack-protection
+ cve: 2018-7212
+ url: https://github.com/sinatra/sinatra/pull/1379
+ title: Path traversal is possible via backslash characters on Windows.
+ date: 2018-02-18
+ description: |
+ An issue was discovered in rack-protection 2.x before 2.0.1 on Windows. Path traversal
+ is possible via backslash characters.
+ patched_versions:
+ - ">= 2.0.1"
+ - "~> 1.5.4"
+---
diff --git a/advisories/_posts/2018-02-19-CVE-2018-7261.md b/advisories/_posts/2018-02-19-CVE-2018-7261.md
index 5e4297af..b5f5d1a3 100644
--- a/advisories/_posts/2018-02-19-CVE-2018-7261.md
+++ b/advisories/_posts/2018-02-19-CVE-2018-7261.md
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2018-7261 (radiant): Multiple persistent XSS vulnerabilities in Radiant
- CMS'
-comments: false
-categories:
-- radiant
-advisory:
- gem: radiant
- cve: 2018-7261
- ghsa: gp82-xr77-88f4
- url: https://github.com/radiant/radiant/issues/412
- title: Multiple persistent XSS vulnerabilities in Radiant CMS
- date: 2018-02-19
- description: |
- There are multiple Persistent XSS vulnerabilities in Radiant CMS.
- They affect Personal Preferences (Name and Username) and Configuration (Site Title,
- Dev Site Domain, Page Parts, and Page Fields).
- cvss_v2: 3.5
- cvss_v3: 5.4
----
+---
+layout: advisory
+title: 'CVE-2018-7261 (radiant): Multiple persistent XSS vulnerabilities in Radiant
+ CMS'
+comments: false
+categories:
+- radiant
+advisory:
+ gem: radiant
+ cve: 2018-7261
+ ghsa: gp82-xr77-88f4
+ url: https://github.com/radiant/radiant/issues/412
+ title: Multiple persistent XSS vulnerabilities in Radiant CMS
+ date: 2018-02-19
+ description: |
+ There are multiple Persistent XSS vulnerabilities in Radiant CMS.
+ They affect Personal Preferences (Name and Username) and Configuration (Site Title,
+ Dev Site Domain, Page Parts, and Page Fields).
+ cvss_v2: 3.5
+ cvss_v3: 5.4
+---
diff --git a/advisories/_posts/2018-02-21-CVE-2018-1000088.md b/advisories/_posts/2018-02-21-CVE-2018-1000088.md
index 2e832cfa..a7bad6ac 100644
--- a/advisories/_posts/2018-02-21-CVE-2018-1000088.md
+++ b/advisories/_posts/2018-02-21-CVE-2018-1000088.md
@@ -1,42 +1,42 @@
----
-layout: advisory
-title: 'CVE-2018-1000088 (doorkeeper): Doorkeeper gem has stored XSS on authorization
- consent view'
-comments: false
-categories:
-- doorkeeper
-advisory:
- gem: doorkeeper
- cve: 2018-1000088
- ghsa: hwhh-2fwm-cfgw
- url: https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/
- title: Doorkeeper gem has stored XSS on authorization consent view
- date: 2018-02-21
- description: |
- Stored XSS on the OAuth Client's name will cause users being prompted for
- consent via the "implicit" grant type to execute the XSS payload.
-
- The XSS attack could gain access to the user's active session, resulting in
- account compromise.
-
- Any user is susceptible if they click the authorization link for the
- malicious OAuth client. Because of how the links work, a user cannot tell if
- a link is malicious or not without first visiting the page with the XSS
- payload.
-
- If 3rd parties are allowed to create OAuth clients in the app using
- Doorkeeper, upgrade to the patched versions immediately.
-
- Additionally there is stored XSS in the native_redirect_uri form element.
-
- DWF has assigned CVE-2018-1000088.
- cvss_v3: 7.6
- unaffected_versions:
- - "< 2.1.0"
- patched_versions:
- - ">= 4.2.6"
- related:
- url:
- - https://github.com/doorkeeper-gem/doorkeeper/issues/969
- - https://github.com/doorkeeper-gem/doorkeeper/issues/970
----
+---
+layout: advisory
+title: 'CVE-2018-1000088 (doorkeeper): Doorkeeper gem has stored XSS on authorization
+ consent view'
+comments: false
+categories:
+- doorkeeper
+advisory:
+ gem: doorkeeper
+ cve: 2018-1000088
+ ghsa: hwhh-2fwm-cfgw
+ url: https://blog.justinbull.ca/cve-2018-1000088-stored-xss-in-doorkeeper/
+ title: Doorkeeper gem has stored XSS on authorization consent view
+ date: 2018-02-21
+ description: |
+ Stored XSS on the OAuth Client's name will cause users being prompted for
+ consent via the "implicit" grant type to execute the XSS payload.
+
+ The XSS attack could gain access to the user's active session, resulting in
+ account compromise.
+
+ Any user is susceptible if they click the authorization link for the
+ malicious OAuth client. Because of how the links work, a user cannot tell if
+ a link is malicious or not without first visiting the page with the XSS
+ payload.
+
+ If 3rd parties are allowed to create OAuth clients in the app using
+ Doorkeeper, upgrade to the patched versions immediately.
+
+ Additionally there is stored XSS in the native_redirect_uri form element.
+
+ DWF has assigned CVE-2018-1000088.
+ cvss_v3: 7.6
+ unaffected_versions:
+ - "< 2.1.0"
+ patched_versions:
+ - ">= 4.2.6"
+ related:
+ url:
+ - https://github.com/doorkeeper-gem/doorkeeper/issues/969
+ - https://github.com/doorkeeper-gem/doorkeeper/issues/970
+---
diff --git a/advisories/_posts/2018-02-27-CVE-2017-11428.md b/advisories/_posts/2018-02-27-CVE-2017-11428.md
index 37935acb..1014a96c 100644
--- a/advisories/_posts/2018-02-27-CVE-2017-11428.md
+++ b/advisories/_posts/2018-02-27-CVE-2017-11428.md
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2017-11428 (ruby-saml): Authentication bypass via incorrect XML canonicalization
- and DOM traversal'
-comments: false
-categories:
-- ruby-saml
-advisory:
- gem: ruby-saml
- cve: 2017-11428
- ghsa: x2fr-v8wf-8wwv
- url: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f
- title: Authentication bypass via incorrect XML canonicalization and DOM traversal
- date: 2018-02-27
- description: |
- ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect
- XML canonicalization and DOM traversal. Specifically, there are inconsistencies in
- handling of comments within XML nodes, resulting in incorrect parsing of the inner text
- of XML nodes such that any inner text after the comment is lost prior to
- cryptographically signing the SAML message. Text after the comment therefore has no
- impact on the signature on the SAML message.
-
- A remote attacker can modify SAML content for a SAML service provider without
- invalidating the cryptographic signature, which may allow attackers to bypass
- primary authentication for the affected SAML service provider.
- cvss_v2: 6.3
- cvss_v3: 7.7
- patched_versions:
- - ">= 1.7.0"
- related:
- url:
- - https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
- - https://www.kb.cert.org/vuls/id/475445
----
+---
+layout: advisory
+title: 'CVE-2017-11428 (ruby-saml): Authentication bypass via incorrect XML canonicalization
+ and DOM traversal'
+comments: false
+categories:
+- ruby-saml
+advisory:
+ gem: ruby-saml
+ cve: 2017-11428
+ ghsa: x2fr-v8wf-8wwv
+ url: https://github.com/onelogin/ruby-saml/commit/048a544730930f86e46804387a6b6fad50d8176f
+ title: Authentication bypass via incorrect XML canonicalization and DOM traversal
+ date: 2018-02-27
+ description: |
+ ruby-saml prior to version 1.7.0 is vulnerable to an authentication bypass via incorrect
+ XML canonicalization and DOM traversal.
Specifically, there are inconsistencies in
+ handling of comments within XML nodes, resulting in incorrect parsing of the inner text
+ of XML nodes such that any inner text after the comment is lost prior to
+ cryptographically signing the SAML message. Text after the comment therefore has no
+ impact on the signature on the SAML message.
+
+ A remote attacker can modify SAML content for a SAML service provider without
+ invalidating the cryptographic signature, which may allow attackers to bypass
+ primary authentication for the affected SAML service provider.
+ cvss_v2: 6.3
+ cvss_v3: 7.7
+ patched_versions:
+ - ">= 1.7.0"
+ related:
+ url:
+ - https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+ - https://www.kb.cert.org/vuls/id/475445
+---
diff --git a/advisories/_posts/2018-02-27-CVE-2017-11430.md b/advisories/_posts/2018-02-27-CVE-2017-11430.md
index 1eb53609..1520c3cc 100644
--- a/advisories/_posts/2018-02-27-CVE-2017-11430.md
+++ b/advisories/_posts/2018-02-27-CVE-2017-11430.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2017-11430 (omniauth-saml): omniauth-saml authentication bypass via incorrect
- XML canonicalization and DOM traversal'
-comments: false
-categories:
-- omniauth-saml
-advisory:
- gem: omniauth-saml
- cve: 2017-11430
- ghsa: 94hm-8q65-rmxm
- url: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
- title: omniauth-saml authentication bypass via incorrect XML canonicalization and
- DOM traversal
- date: 2018-02-27
- description: |
- OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the
- results of XML DOM traversal and canonicalization APIs in such a way that an attacker
- may be able to manipulate the SAML data without invalidating the cryptographic signature,
- allowing the attack to potentially bypass authentication to SAML service providers.
- cvss_v2: 7.5
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.10.0"
----
+---
+layout: advisory
+title: 'CVE-2017-11430 (omniauth-saml): omniauth-saml authentication bypass via incorrect
+ XML canonicalization and DOM traversal'
+comments: false
+categories:
+- omniauth-saml
+advisory:
+ gem: omniauth-saml
+ cve: 2017-11430
+ ghsa: 94hm-8q65-rmxm
+ url: https://duo.com/blog/duo-finds-saml-vulnerabilities-affecting-multiple-implementations
+ title: omniauth-saml authentication bypass via incorrect XML canonicalization and
+ DOM traversal
+ date: 2018-02-27
+ description: |
+ OmniAuth OmnitAuth-SAML 1.9.0 and earlier may incorrectly utilize the
+ results of XML DOM traversal and canonicalization APIs in such a way that an attacker
+ may be able to manipulate the SAML data without invalidating the cryptographic signature,
+ allowing the attack to potentially bypass authentication to SAML service providers.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.10.0"
+---
diff --git a/advisories/_posts/2018-03-07-CVE-2018-1000119.md b/advisories/_posts/2018-03-07-CVE-2018-1000119.md
index c19c8d59..bc937db8 100644
--- a/advisories/_posts/2018-03-07-CVE-2018-1000119.md
+++ b/advisories/_posts/2018-03-07-CVE-2018-1000119.md
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2018-1000119 (rack-protection): rack-protection gem timing attack vulnerability
- when validating CSRF token'
-comments: false
-categories:
-- rack-protection
-advisory:
- gem: rack-protection
- cve: 2018-1000119
- ghsa: 688c-3x49-6rqj
- url: https://github.com/sinatra/rack-protection/pull/98
- title: rack-protection gem timing attack vulnerability when validating CSRF token
- date: 2018-03-07
- description: |
- Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains
- a timing attack vulnerability in the CSRF token checking that can result in signatures
- can be exposed. This attack appear to be exploitable via network connectivity to
- the ruby application.
- cvss_v2: 4.3
- cvss_v3: 5.9
- patched_versions:
- - "~> 1.5.5"
- - ">= 2.0.0"
----
+---
+layout: advisory
+title: 'CVE-2018-1000119 (rack-protection): rack-protection gem timing attack vulnerability
+ when validating CSRF token'
+comments: false
+categories:
+- rack-protection
+advisory:
+ gem: rack-protection
+ cve: 2018-1000119
+ ghsa: 688c-3x49-6rqj
+ url: https://github.com/sinatra/rack-protection/pull/98
+ title: rack-protection gem timing attack vulnerability when validating CSRF token
+ date: 2018-03-07
+ description: |
+ Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains
+ a timing attack vulnerability in the CSRF token checking that can result in signatures
+ can be exposed. This attack appear to be exploitable via network connectivity to
+ the ruby application.
+ cvss_v2: 4.3
+ cvss_v3: 5.9
+ patched_versions:
+ - "~> 1.5.5"
+ - ">= 2.0.0"
+---
diff --git a/advisories/_posts/2018-03-16-CVE-2018-8048.md b/advisories/_posts/2018-03-16-CVE-2018-8048.md
index f6ddebcc..a214fa9a 100644
--- a/advisories/_posts/2018-03-16-CVE-2018-8048.md
+++ b/advisories/_posts/2018-03-16-CVE-2018-8048.md
@@ -1,20 +1,20 @@
----
-layout: advisory
-title: 'CVE-2018-8048 (loofah): Loofah XSS Vulnerability'
-comments: false
-categories:
-- loofah
-advisory:
- gem: loofah
- cve: 2018-8048
- ghsa: x7rv-cr6v-4vm4
- url: https://github.com/flavorjones/loofah/issues/144
- title: Loofah XSS Vulnerability
- date: 2018-03-16
- description: |
- Loofah allows non-whitelisted attributes to be present in sanitized
- output when input with specially-crafted HTML fragments.
- cvss_v3: 6.1
- patched_versions:
- - ">= 2.2.1"
----
+---
+layout: advisory
+title: 'CVE-2018-8048 (loofah): Loofah XSS Vulnerability'
+comments: false
+categories:
+- loofah
+advisory:
+ gem: loofah
+ cve: 2018-8048
+ ghsa: x7rv-cr6v-4vm4
+ url: https://github.com/flavorjones/loofah/issues/144
+ title: Loofah XSS Vulnerability
+ date: 2018-03-16
+ description: |
+ Loofah allows non-whitelisted attributes to be present in sanitized
+ output when input with specially-crafted HTML fragments.
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 2.2.1"
+---
diff --git a/advisories/_posts/2018-03-19-CVE-2018-3740.md b/advisories/_posts/2018-03-19-CVE-2018-3740.md
index 07591c69..e4364eea 100644
--- a/advisories/_posts/2018-03-19-CVE-2018-3740.md
+++ b/advisories/_posts/2018-03-19-CVE-2018-3740.md
@@ -1,31 +1,31 @@
----
-layout: advisory
-title: 'CVE-2018-3740 (sanitize): HTML injection/XSS in Sanitize'
-comments: false
-categories:
-- sanitize
-advisory:
- gem: sanitize
- cve: 2018-3740
- ghsa: 7f42-p84j-f58p
- url: https://github.com/rgrove/sanitize/issues/176
- title: HTML injection/XSS in Sanitize
- date: 2018-03-19
- description: |
- When Sanitize gem is used in combination with libxml2 >= 2.9.2,
- a specially crafted HTML fragment can cause libxml2 to generate
- improperly escaped output, allowing non-whitelisted attributes to be
- used on whitelisted elements.
-
- This can allow HTML and JavaScript injection, which could result in XSS
- if Sanitize's output is served to browsers.
- cvss_v3: 7.5
- unaffected_versions:
- - "< 1.1.0"
- patched_versions:
- - "~> 2.1.1"
- - ">= 4.6.3"
- related:
- url:
- - https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
----
+---
+layout: advisory
+title: 'CVE-2018-3740 (sanitize): HTML injection/XSS in Sanitize'
+comments: false
+categories:
+- sanitize
+advisory:
+ gem: sanitize
+ cve: 2018-3740
+ ghsa: 7f42-p84j-f58p
+ url: https://github.com/rgrove/sanitize/issues/176
+ title: HTML injection/XSS in Sanitize
+ date: 2018-03-19
+ description: |
+ When Sanitize gem is used in combination with libxml2 >= 2.9.2,
+ a specially crafted HTML fragment can cause libxml2 to generate
+ improperly escaped output, allowing non-whitelisted attributes to be
+ used on whitelisted elements.
+
+ This can allow HTML and JavaScript injection, which could result in XSS
+ if Sanitize's output is served to browsers.
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 1.1.0"
+ patched_versions:
+ - "~> 2.1.1"
+ - ">= 4.6.3"
+ related:
+ url:
+ - https://github.com/rgrove/sanitize/commit/01629a162e448a83d901456d0ba8b65f3b03d46e
+---
diff --git a/advisories/_posts/2018-03-22-CVE-2018-3741.md b/advisories/_posts/2018-03-22-CVE-2018-3741.md
index bd36967a..92279c90 100644
--- a/advisories/_posts/2018-03-22-CVE-2018-3741.md
+++ b/advisories/_posts/2018-03-22-CVE-2018-3741.md
@@ -1,29 +1,29 @@
----
-layout: advisory
-title: 'CVE-2018-3741 (rails-html-sanitizer): XSS vulnerability in rails-html-sanitizer'
-comments: false
-categories:
-- rails-html-sanitizer
-advisory:
- gem: rails-html-sanitizer
- cve: 2018-3741
- ghsa: px3r-jm9g-c8w8
- url: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
- title: XSS vulnerability in rails-html-sanitizer
- date: 2018-03-22
- description: |
- There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows
- non-whitelisted attributes to be present in sanitized output when input with
- specially-crafted HTML fragments, and these attributes can lead to an XSS attack
- on target applications.
-
- This issue is similar to CVE-2018-8048 in Loofah.
- cvss_v3: 6.1
- patched_versions:
- - ">= 1.0.4"
- related:
- cve:
- - 2018-8048
- url:
- - https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae
----
+---
+layout: advisory
+title: 'CVE-2018-3741 (rails-html-sanitizer): XSS vulnerability in rails-html-sanitizer'
+comments: false
+categories:
+- rails-html-sanitizer
+advisory:
+ gem: rails-html-sanitizer
+ cve: 2018-3741
+ ghsa: px3r-jm9g-c8w8
+ url: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
+ title: XSS vulnerability in rails-html-sanitizer
+ date: 2018-03-22
+ description: |
+ There is a possible XSS vulnerability in rails-html-sanitizer. The gem allows
+ non-whitelisted attributes to be present in sanitized output when input with
+ specially-crafted HTML fragments, and these attributes can lead to an XSS attack
+ on target applications.
+
+ This issue is similar to CVE-2018-8048 in Loofah.
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 1.0.4"
+ related:
+ cve:
+ - 2018-8048
+ url:
+ - https://github.com/rails/rails-html-sanitizer/commit/f3ba1a839a35f2ba7f941c15e239a1cb379d56ae
+---
diff --git a/advisories/_posts/2018-03-29-CVE-2018-8048.md b/advisories/_posts/2018-03-29-CVE-2018-8048.md
index 4df63a99..3060218b 100644
--- a/advisories/_posts/2018-03-29-CVE-2018-8048.md
+++ b/advisories/_posts/2018-03-29-CVE-2018-8048.md
@@ -1,45 +1,45 @@ ---- -layout: advisory -title: 'CVE-2018-8048 (nokogiri): Revert libxml2 behavior in Nokogiri gem that could - cause XSS' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2018-8048 - ghsa: x7rv-cr6v-4vm4 - url: https://github.com/sparklemotion/nokogiri/pull/1746 - title: Revert libxml2 behavior in Nokogiri gem that could cause XSS - date: 2018-03-29 - description: | - [MRI] Behavior in libxml2 has been reverted which caused - CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and - CVE-2018-3741 (rails-html-sanitizer gem). The commit in question is - here: - - https://github.com/GNOME/libxml2/commit/960f0e2 - - and more information is available about this commit and its impact - here: - - https://github.com/flavorjones/loofah/issues/144 - - This release simply reverts the libxml2 commit in question to protect - users of Nokogiri's vendored libraries from similar vulnerabilities. - - If you're offended by what happened here, I'd kindly ask that you - comment on the upstream bug report here: - - https://bugzilla.gnome.org/show_bug.cgi?id=769760 - cvss_v3: 6.1 - patched_versions: - - ">= 1.8.3" - related: - cve: - - 2018-3740 - - 2018-3741 - url: - - https://github.com/GNOME/libxml2/commit/960f0e2 - - https://bugzilla.gnome.org/show_bug.cgi?id=769760 ---- +--- +layout: advisory +title: 'CVE-2018-8048 (nokogiri): Revert libxml2 behavior in Nokogiri gem that could + cause XSS' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2018-8048 + ghsa: x7rv-cr6v-4vm4 + url: https://github.com/sparklemotion/nokogiri/pull/1746 + title: Revert libxml2 behavior in Nokogiri gem that could cause XSS + date: 2018-03-29 + description: | + [MRI] Behavior in libxml2 has been reverted which caused + CVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and + CVE-2018-3741 (rails-html-sanitizer gem). 
The commit in question is + here: + + https://github.com/GNOME/libxml2/commit/960f0e2 + + and more information is available about this commit and its impact + here: + + https://github.com/flavorjones/loofah/issues/144 + + This release simply reverts the libxml2 commit in question to protect + users of Nokogiri's vendored libraries from similar vulnerabilities. + + If you're offended by what happened here, I'd kindly ask that you + comment on the upstream bug report here: + + https://bugzilla.gnome.org/show_bug.cgi?id=769760 + cvss_v3: 6.1 + patched_versions: + - ">= 1.8.3" + related: + cve: + - 2018-3740 + - 2018-3741 + url: + - https://github.com/GNOME/libxml2/commit/960f0e2 + - https://bugzilla.gnome.org/show_bug.cgi?id=769760 +--- diff --git a/advisories/_posts/2018-04-13-CVE-2017-18258.md b/advisories/_posts/2018-04-13-CVE-2017-18258.md index 6d02e071..feb21c0b 100644 --- a/advisories/_posts/2018-04-13-CVE-2017-18258.md +++ b/advisories/_posts/2018-04-13-CVE-2017-18258.md 
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2017-18258 (nokogiri): Moderate severity vulnerability that affects nokogiri' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2017-18258 - ghsa: 882p-jqgm-f45g - url: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb - title: Moderate severity vulnerability that affects nokogiri - date: 2018-04-13 - description: | - The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial - of service (memory consumption) via a crafted LZMA file, because the decoder functionality does - not restrict memory usage to what is required for a legitimate file. - - References: - - https://nvd.nist.gov/vuln/detail/CVE-2017-18258 - - https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb - - https://github.com/advisories/GHSA-882p-jqgm-f45g - - https://kc.mcafee.com/corporate/index?page=content&id=SB10284 - - https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html - - https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html - - https://security.netapp.com/advisory/ntap-20190719-0001/ - - https://usn.ubuntu.com/3739-1/ - cvss_v3: 6.5 - patched_versions: - - ">= 1.8.2" ---- +--- +layout: advisory +title: 'CVE-2017-18258 (nokogiri): Moderate severity vulnerability that affects nokogiri' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2017-18258 + ghsa: 882p-jqgm-f45g + url: https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb + title: Moderate severity vulnerability that affects nokogiri + date: 2018-04-13 + description: | + The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial + of service (memory consumption) via a crafted LZMA file, because the decoder functionality does + not restrict memory usage to what is required for a legitimate file. 
+ + References: + - https://nvd.nist.gov/vuln/detail/CVE-2017-18258 + - https://git.gnome.org/browse/libxml2/commit/?id=e2a9122b8dde53d320750451e9907a7dcb2ca8bb + - https://github.com/advisories/GHSA-882p-jqgm-f45g + - https://kc.mcafee.com/corporate/index?page=content&id=SB10284 + - https://lists.debian.org/debian-lts-announce/2018/09/msg00035.html + - https://lists.debian.org/debian-lts-announce/2020/09/msg00009.html + - https://security.netapp.com/advisory/ntap-20190719-0001/ + - https://usn.ubuntu.com/3739-1/ + cvss_v3: 6.5 + patched_versions: + - ">= 1.8.2" +--- diff --git a/advisories/_posts/2018-04-23-CVE-2019-3881.md b/advisories/_posts/2018-04-23-CVE-2019-3881.md index 0afee844..1b4b1a0a 100644 --- a/advisories/_posts/2018-04-23-CVE-2019-3881.md +++ b/advisories/_posts/2018-04-23-CVE-2019-3881.md 
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2019-3881 (bundler): Insecure path handling in Bundler'
-comments: false
-categories:
-- bundler
-advisory:
- gem: bundler
- cve: 2019-3881
- ghsa: g98m-96g9-wfjq
- url: https://github.com/advisories/GHSA-g98m-96g9-wfjq
- date: 2018-04-23
- title: Insecure path handling in Bundler
- description: |
- Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with
- insecure permissions as a storage location for gems, if locations under the user's
- home directory are not available. If Bundler is used in a scenario where the user
- does not have a writable home directory, an attacker could place malicious code
- in this directory that would be later loaded and executed.
- cvss_v3: 7.0
- patched_versions:
- - ">= 2.1.0"
- unaffected_versions:
- - "< 1.14.0"
----
+---
+layout: advisory
+title: 'CVE-2019-3881 (bundler): Insecure path handling in Bundler'
+comments: false
+categories:
+- bundler
+advisory:
+ gem: bundler
+ cve: 2019-3881
+ ghsa: g98m-96g9-wfjq
+ url: https://github.com/advisories/GHSA-g98m-96g9-wfjq
+ date: 2018-04-23
+ title: Insecure path handling in Bundler
+ description: |
+ Bundler prior to 2.1.0 uses a predictable path in /tmp/, created with
+ insecure permissions as a storage location for gems, if locations under the user's
+ home directory are not available. If Bundler is used in a scenario where the user
+ does not have a writable home directory, an attacker could place malicious code
+ in this directory that would be later loaded and executed.
+ cvss_v3: 7.0
+ patched_versions:
+ - ">= 2.1.0"
+ unaffected_versions:
+ - "< 1.14.0"
+---
diff --git a/advisories/_posts/2018-04-30-CVE-2018-1000539.md b/advisories/_posts/2018-04-30-CVE-2018-1000539.md
index 2963786c..be12f95a 100644
--- a/advisories/_posts/2018-04-30-CVE-2018-1000539.md
+++ b/advisories/_posts/2018-04-30-CVE-2018-1000539.md
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2018-1000539 (json-jwt): Auth tag forgery vulnerability with AES-GCM encrypted - JWT' -comments: false -categories: -- json-jwt -advisory: - gem: json-jwt - cve: 2018-1000539 - ghsa: mj4x-wcxf-hm8x - url: https://github.com/nov/json-jwt/pull/62 - title: Auth tag forgery vulnerability with AES-GCM encrypted JWT - date: 2018-04-30 - description: | - Ruby's OpenSSL bindings do not check the length of the supplied - authentication tag when decrypting an authenticated encryption mode - such as AES-GCM, leaving this up to the authors of a gem/app to - implement for properly validating the message. - - json-jwt was not checking for the authentication tag length, meaning - that with a one byte tag the JWT would be considered not tampered - with. This means that with an average of 128 (max 256) attempts an - attacker can forge a valid signature. - cvss_v3: 5.3 - unaffected_versions: - - "< 0.5.1" - patched_versions: - - ">= 1.9.4" ---- +--- +layout: advisory +title: 'CVE-2018-1000539 (json-jwt): Auth tag forgery vulnerability with AES-GCM encrypted + JWT' +comments: false +categories: +- json-jwt +advisory: + gem: json-jwt + cve: 2018-1000539 + ghsa: mj4x-wcxf-hm8x + url: https://github.com/nov/json-jwt/pull/62 + title: Auth tag forgery vulnerability with AES-GCM encrypted JWT + date: 2018-04-30 + description: | + Ruby's OpenSSL bindings do not check the length of the supplied + authentication tag when decrypting an authenticated encryption mode + such as AES-GCM, leaving this up to the authors of a gem/app to + implement for properly validating the message. + + json-jwt was not checking for the authentication tag length, meaning + that with a one byte tag the JWT would be considered not tampered + with. This means that with an average of 128 (max 256) attempts an + attacker can forge a valid signature. + cvss_v3: 5.3 + unaffected_versions: + - "< 0.5.1" + patched_versions: + - ">= 1.9.4" +--- 
diff --git a/advisories/_posts/2018-05-03-CVE-2018-3759.md b/advisories/_posts/2018-05-03-CVE-2018-3759.md
index 1ce10f1a..967e200d 100644
--- a/advisories/_posts/2018-05-03-CVE-2018-3759.md
+++ b/advisories/_posts/2018-05-03-CVE-2018-3759.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2018-3759 (private_address_check): private_address_check Ruby Gem Time-of-check
- Time-of-use race condition'
-comments: false
-categories:
-- private_address_check
-advisory:
- gem: private_address_check
- cve: 2018-3759
- ghsa: 2xvj-j3qh-x8c3
- url: https://github.com/jtdowney/private_address_check/commit/4068228187db87fea7577f7020099399772bb147
- title: private_address_check Ruby Gem Time-of-check Time-of-use race condition
- date: 2018-05-03
- description: |
- private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU)
- race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0
- can trigger this case where the initial resolution is a public address by the subsequent
- resolution is a private address.
- patched_versions:
- - ">= 0.5.0"
----
+---
+layout: advisory
+title: 'CVE-2018-3759 (private_address_check): private_address_check Ruby Gem Time-of-check
+ Time-of-use race condition'
+comments: false
+categories:
+- private_address_check
+advisory:
+ gem: private_address_check
+ cve: 2018-3759
+ ghsa: 2xvj-j3qh-x8c3
+ url: https://github.com/jtdowney/private_address_check/commit/4068228187db87fea7577f7020099399772bb147
+ title: private_address_check Ruby Gem Time-of-check Time-of-use race condition
+ date: 2018-05-03
+ description: |
+ private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU)
+ race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0
+ can trigger this case where the initial resolution is a public address by the subsequent
+ resolution is a private address.
+ patched_versions:
+ - ">= 0.5.0"
+---
diff --git a/advisories/_posts/2018-05-23-CVE-2018-3769.md b/advisories/_posts/2018-05-23-CVE-2018-3769.md index 5ee46117..443bf1cf 100644 --- a/advisories/_posts/2018-05-23-CVE-2018-3769.md +++ b/advisories/_posts/2018-05-23-CVE-2018-3769.md @@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2018-3769 (grape): ruby-grape Gem has XSS via "format" parameter' -comments: false -categories: -- grape -advisory: - gem: grape - cve: 2018-3769 - ghsa: f599-5m7p-hcpf - url: https://github.com/ruby-grape/grape/issues/1762 - title: ruby-grape Gem has XSS via "format" parameter - date: 2018-05-23 - description: | - When request on API contains the "format" parameter in GET, the input - value of this parameter is rendered as the web-server responds with - text/html header. - - Example: - http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E - cvss_v3: 6.1 - patched_versions: - - ">= 1.1.0" - related: - url: - - https://github.com/ruby-grape/grape/pull/1763 - - https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af ---- +--- +layout: advisory +title: 'CVE-2018-3769 (grape): ruby-grape Gem has XSS via "format" parameter' +comments: false +categories: +- grape +advisory: + gem: grape + cve: 2018-3769 + ghsa: f599-5m7p-hcpf + url: https://github.com/ruby-grape/grape/issues/1762 + title: ruby-grape Gem has XSS via "format" parameter + date: 2018-05-23 + description: | + When request on API contains the "format" parameter in GET, the input + value of this parameter is rendered as the web-server responds with + text/html header. + + Example: + http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E + cvss_v3: 6.1 + patched_versions: + - ">= 1.1.0" + related: + url: + - https://github.com/ruby-grape/grape/pull/1763 + - https://github.com/ruby-grape/grape/commit/6876b71efc7b03f7ce1be3f075eaa4e7e6de19af +--- 
diff --git a/advisories/_posts/2018-05-31-CVE-2018-11627.md b/advisories/_posts/2018-05-31-CVE-2018-11627.md
index fbddb16f..770bfed8 100644
--- a/advisories/_posts/2018-05-31-CVE-2018-11627.md
+++ b/advisories/_posts/2018-05-31-CVE-2018-11627.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2018-11627 (sinatra): XSS via the 400 Bad Request page'
-comments: false
-categories:
-- sinatra
-advisory:
- gem: sinatra
- cve: 2018-11627
- ghsa: mq35-wqvf-r23c
- url: https://github.com/sinatra/sinatra/issues/1428
- title: XSS via the 400 Bad Request page
- date: 2018-05-31
- description: |
- Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs
- upon a params parser exception.
- cvss_v3: 6.1
- unaffected_versions:
- - "< 2.0.0.beta1"
- - "= 2.0.0-alpha"
- patched_versions:
- - ">= 2.0.2"
----
+---
+layout: advisory
+title: 'CVE-2018-11627 (sinatra): XSS via the 400 Bad Request page'
+comments: false
+categories:
+- sinatra
+advisory:
+ gem: sinatra
+ cve: 2018-11627
+ ghsa: mq35-wqvf-r23c
+ url: https://github.com/sinatra/sinatra/issues/1428
+ title: XSS via the 400 Bad Request page
+ date: 2018-05-31
+ description: |
+ Sinatra before 2.0.2 has XSS via the 400 Bad Request page that occurs
+ upon a params parser exception.
+ cvss_v3: 6.1
+ unaffected_versions:
+ - "< 2.0.0.beta1"
+ - "= 2.0.0-alpha"
+ patched_versions:
+ - ">= 2.0.2"
+---
diff --git a/advisories/_posts/2018-06-12-CVE-2018-12026.md b/advisories/_posts/2018-06-12-CVE-2018-12026.md
index aa6a5027..954dbfc7 100644
--- a/advisories/_posts/2018-06-12-CVE-2018-12026.md
+++ b/advisories/_posts/2018-06-12-CVE-2018-12026.md
@@ -1,30 +1,30 @@
----
-layout: advisory
-title: 'CVE-2018-12026 (passenger): SpawningKit exploits'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2018-12026
- ghsa: 7cv3-gvmc-8mq5
- url: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
- title: SpawningKit exploits
- date: 2018-06-12
- description: |
- During the spawning of a malicious Passenger-managed application, SpawningKit
- in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace
- key files or directories in the spawning communication directory with
- symlinks. This then could result in arbitrary reads and writes, which in turn
- can result in information disclosure and privilege escalation.
- cvss_v2: 7.5
- cvss_v3: 9.8
- unaffected_versions:
- - "< 5.3.0"
- patched_versions:
- - ">= 5.3.2"
- related:
- cve:
- - 2018-12027
- - 2018-12028
----
+---
+layout: advisory
+title: 'CVE-2018-12026 (passenger): SpawningKit exploits'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2018-12026
+ ghsa: 7cv3-gvmc-8mq5
+ url: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/
+ title: SpawningKit exploits
+ date: 2018-06-12
+ description: |
+ During the spawning of a malicious Passenger-managed application, SpawningKit
+ in Phusion Passenger 5.3.x before 5.3.2 allows such applications to replace
+ key files or directories in the spawning communication directory with
+ symlinks. This then could result in arbitrary reads and writes, which in turn
+ can result in information disclosure and privilege escalation.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ unaffected_versions:
+ - "< 5.3.0"
+ patched_versions:
+ - ">= 5.3.2"
+ related:
+ cve:
+ - 2018-12027
+ - 2018-12028
+---
diff --git a/advisories/_posts/2018-06-12-CVE-2018-12027.md b/advisories/_posts/2018-06-12-CVE-2018-12027.md
index 5b444dfb..fd27e23e 100644
--- a/advisories/_posts/2018-06-12-CVE-2018-12027.md
+++ b/advisories/_posts/2018-06-12-CVE-2018-12027.md 
@@ -1,34 +1,34 @@
----
-layout: advisory
-title: 'CVE-2018-12027 (passenger): Insecure Permissions in Phusion Passenger'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2018-12027
- ghsa: whfx-877c-5p28
- url: https://blog.phusion.nl/passenger-5-3-2
- title: Insecure Permissions in Phusion Passenger
- date: 2018-06-12
- description: |
- "An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger
- 5.3.x before 5.3.2 causes information disclosure in the following situation: given
- a Passenger-spawned application process that reports that it listens on a certain
- Unix domain socket, if any of the parent directories of said socket are writable
- by a normal user that is not the application''s user, then that non-application
- user can swap that directory with something else, resulting in traffic being redirected
- to a non-application user''s process through an alternative Unix domain socket."
- cvss_v2: 6.5
- cvss_v3: 8.8
- unaffected_versions:
- - "< 5.3.0"
- patched_versions:
- - ">= 5.3.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2018-12027
- - https://blog.phusion.nl/passenger-5-3-2
- - https://security.gentoo.org/glsa/201807-02
- - https://github.com/advisories/GHSA-whfx-877c-5p28
----
+---
+layout: advisory
+title: 'CVE-2018-12027 (passenger): Insecure Permissions in Phusion Passenger'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2018-12027
+ ghsa: whfx-877c-5p28
+ url: https://blog.phusion.nl/passenger-5-3-2
+ title: Insecure Permissions in Phusion Passenger
+ date: 2018-06-12
+ description: |
+ "An Insecure Permissions vulnerability in SpawningKit in Phusion Passenger
+ 5.3.x before 5.3.2 causes information disclosure in the following situation: given
+ a Passenger-spawned application process that reports that it listens on a certain
+ Unix domain socket, if any of the parent directories of said socket are writable
+ by a normal user that is not the application''s user, then that non-application
+ user can swap that directory with something else, resulting in traffic being redirected
+ to a non-application user''s process through an alternative Unix domain socket."
+ cvss_v2: 6.5
+ cvss_v3: 8.8
+ unaffected_versions:
+ - "< 5.3.0"
+ patched_versions:
+ - ">= 5.3.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-12027
+ - https://blog.phusion.nl/passenger-5-3-2
+ - https://security.gentoo.org/glsa/201807-02
+ - https://github.com/advisories/GHSA-whfx-877c-5p28
+---
diff --git a/advisories/_posts/2018-06-12-CVE-2018-12028.md b/advisories/_posts/2018-06-12-CVE-2018-12028.md
index 8279d0d9..6ab14a83 100644
--- a/advisories/_posts/2018-06-12-CVE-2018-12028.md
+++ b/advisories/_posts/2018-06-12-CVE-2018-12028.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2018-12028 (passenger): Incorrect Access Control in Phusion Passenger'
-comments: false
-categories:
-- passenger
-advisory:
- gem: passenger
- cve: 2018-12028
- ghsa: jjhj-8gx7-x836
- url: https://blog.phusion.nl/passenger-5-3-2
- title: Incorrect Access Control in Phusion Passenger
- date: 2018-06-12
- description: |
- An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger
- 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning
- a child process, to report an arbitrary different PID back to Passenger's process
- manager. If the malicious application then generates an error, it would cause Passenger's
- process manager to kill said reported arbitrary PID.
- cvss_v2: 6.8
- cvss_v3: 7.8
- unaffected_versions:
- - "< 5.3.0"
- patched_versions:
- - ">= 5.3.2"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2018-12028
- - https://blog.phusion.nl/passenger-5-3-2
- - https://security.gentoo.org/glsa/201807-02
- - https://github.com/advisories/GHSA-jjhj-8gx7-x836
----
+---
+layout: advisory
+title: 'CVE-2018-12028 (passenger): Incorrect Access Control in Phusion Passenger'
+comments: false
+categories:
+- passenger
+advisory:
+ gem: passenger
+ cve: 2018-12028
+ ghsa: jjhj-8gx7-x836
+ url: https://blog.phusion.nl/passenger-5-3-2
+ title: Incorrect Access Control in Phusion Passenger
+ date: 2018-06-12
+ description: |
+ An Incorrect Access Control vulnerability in SpawningKit in Phusion Passenger
+ 5.3.x before 5.3.2 allows a Passenger-managed malicious application, upon spawning
+ a child process, to report an arbitrary different PID back to Passenger's process
+ manager. If the malicious application then generates an error, it would cause Passenger's
+ process manager to kill said reported arbitrary PID.
+ cvss_v2: 6.8
+ cvss_v3: 7.8
+ unaffected_versions:
+ - "< 5.3.0"
+ patched_versions:
+ - ">= 5.3.2"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-12028
+ - https://blog.phusion.nl/passenger-5-3-2
+ - https://security.gentoo.org/glsa/201807-02
+ - https://github.com/advisories/GHSA-jjhj-8gx7-x836
+---
diff --git a/advisories/_posts/2018-06-12-CVE-2018-12029.md b/advisories/_posts/2018-06-12-CVE-2018-12029.md
index 7d9a3223..4823e587 100644
--- a/advisories/_posts/2018-06-12-CVE-2018-12029.md
+++ b/advisories/_posts/2018-06-12-CVE-2018-12029.md
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2018-12029 (passenger): CHMOD race vulnerability' -comments: false -categories: -- passenger -advisory: - gem: passenger - cve: 2018-12029 - ghsa: jjcj-fgfm-9g9r - url: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ - title: CHMOD race vulnerability - date: 2018-06-12 - description: | - The file system access race condition allows for local privilege escalation - and affects the Nginx module for Passenger versions 5.3.1, all the way back - to 3.0.0 (the chown command entered the code in 2010). - - The vulnerability was exploitable only when running a non-standard - `passenger_instance_registry_dir`, via a race condition where after a file - was created, there was a window in which it could be replaced with a symlink - before it was chowned via the path and not the file descriptor. - - If the symlink target was to a file which would be executed by root such as - root's crontab file, then privilege escalation was possible. - cvss_v2: 4.4 - cvss_v3: 7.0 - unaffected_versions: - - "< 3.0.0" - patched_versions: - - ">= 5.3.2" ---- +--- +layout: advisory +title: 'CVE-2018-12029 (passenger): CHMOD race vulnerability' +comments: false +categories: +- passenger +advisory: + gem: passenger + cve: 2018-12029 + ghsa: jjcj-fgfm-9g9r + url: https://blog.phusion.nl/2018/06/12/passenger-5-3-2-various-security-fixes/ + title: CHMOD race vulnerability + date: 2018-06-12 + description: | + The file system access race condition allows for local privilege escalation + and affects the Nginx module for Passenger versions 5.3.1, all the way back + to 3.0.0 (the chown command entered the code in 2010). + + The vulnerability was exploitable only when running a non-standard + `passenger_instance_registry_dir`, via a race condition where after a file + was created, there was a window in which it could be replaced with a symlink + before it was chowned via the path and not the file descriptor. 
+ + If the symlink target was to a file which would be executed by root such as + root's crontab file, then privilege escalation was possible. + cvss_v2: 4.4 + cvss_v3: 7.0 + unaffected_versions: + - "< 3.0.0" + patched_versions: + - ">= 5.3.2" +--- diff --git a/advisories/_posts/2018-06-14-CVE-2018-1000544.md b/advisories/_posts/2018-06-14-CVE-2018-1000544.md index 1a71543a..4835e833 100644 --- a/advisories/_posts/2018-06-14-CVE-2018-1000544.md +++ b/advisories/_posts/2018-06-14-CVE-2018-1000544.md 
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2018-1000544 (rubyzip): Directory Traversal in rubyzip'
-comments: false
-categories:
-- rubyzip
-advisory:
- gem: rubyzip
- cve: 2018-1000544
- ghsa: vqcq-mrmw-mcmg
- url: https://github.com/rubyzip/rubyzip/issues/369
- title: Directory Traversal in rubyzip
- date: 2018-06-14
- description: |
- rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
- in Zip::File component that can result in write arbitrary files to the filesystem.
- If a site allows uploading of .zip files, an attacker can upload a malicious file
- which contains symlinks or files with absolute pathnames "../" to write arbitrary
- files to the filesystem.
- cvss_v3: 9.8
- patched_versions:
- - ">= 1.2.2"
- related:
- cve:
- - 2017-5946
- url:
- - https://security-tracker.debian.org/tracker/CVE-2018-1000544
----
+---
+layout: advisory
+title: 'CVE-2018-1000544 (rubyzip): Directory Traversal in rubyzip'
+comments: false
+categories:
+- rubyzip
+advisory:
+ gem: rubyzip
+ cve: 2018-1000544
+ ghsa: vqcq-mrmw-mcmg
+ url: https://github.com/rubyzip/rubyzip/issues/369
+ title: Directory Traversal in rubyzip
+ date: 2018-06-14
+ description: |
+ rubyzip version 1.2.1 and earlier contains a Directory Traversal vulnerability
+ in Zip::File component that can result in write arbitrary files to the filesystem.
+ If a site allows uploading of .zip files, an attacker can upload a malicious file
+ which contains symlinks or files with absolute pathnames "../" to write arbitrary
+ files to the filesystem.
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 1.2.2"
+ related:
+ cve:
+ - 2017-5946
+ url:
+ - https://security-tracker.debian.org/tracker/CVE-2018-1000544
+---
diff --git a/advisories/_posts/2018-06-19-CVE-2018-3760.md b/advisories/_posts/2018-06-19-CVE-2018-3760.md
index 107ddb51..034acee0 100644
--- a/advisories/_posts/2018-06-19-CVE-2018-3760.md
+++ b/advisories/_posts/2018-06-19-CVE-2018-3760.md
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2018-3760 (sprockets): Path Traversal in Sprockets' -comments: false -categories: -- sprockets -advisory: - gem: sprockets - cve: 2018-3760 - ghsa: pr3h-jjhj-573x - url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k - title: Path Traversal in Sprockets - date: 2018-06-19 - description: | - Specially crafted requests can be used to access files that exist on - the filesystem that is outside an application's root directory, when the - Sprockets server is used in production. - - All users running an affected release should either upgrade or use one of the work arounds immediately. - - Workaround: - In Rails applications, work around this issue, set `config.assets.compile = false` and - `config.public_file_server.enabled = true` in an initializer and precompile the assets. - - This work around will not be possible in all hosting environments and upgrading is advised. - cvss_v3: 7.5 - patched_versions: - - ">= 2.12.5, < 3.0.0" - - ">= 3.7.2, < 4.0.0" - - ">= 4.0.0.beta8" ---- +--- +layout: advisory +title: 'CVE-2018-3760 (sprockets): Path Traversal in Sprockets' +comments: false +categories: +- sprockets +advisory: + gem: sprockets + cve: 2018-3760 + ghsa: pr3h-jjhj-573x + url: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k + title: Path Traversal in Sprockets + date: 2018-06-19 + description: | + Specially crafted requests can be used to access files that exist on + the filesystem that is outside an application's root directory, when the + Sprockets server is used in production. + + All users running an affected release should either upgrade or use one of the work arounds immediately. + + Workaround: + In Rails applications, work around this issue, set `config.assets.compile = false` and + `config.public_file_server.enabled = true` in an initializer and precompile the assets. + + This work around will not be possible in all hosting environments and upgrading is advised. 
+ cvss_v3: 7.5 + patched_versions: + - ">= 2.12.5, < 3.0.0" + - ">= 3.7.2, < 4.0.0" + - ">= 4.0.0.beta8" +--- diff --git a/advisories/_posts/2018-06-22-CVE-2018-1000201.md b/advisories/_posts/2018-06-22-CVE-2018-1000201.md index 49073c63..f5062f5b 100644 --- a/advisories/_posts/2018-06-22-CVE-2018-1000201.md +++ b/advisories/_posts/2018-06-22-CVE-2018-1000201.md 
@@ -1,26 +1,26 @@
----
-layout: advisory
-title: 'CVE-2018-1000201 (ffi): ruby-ffi DDL loading issue on Windows OS'
-comments: false
-categories:
-- ffi
-advisory:
- gem: ffi
- cve: 2018-1000201
- ghsa: 2gw2-8q9w-cw8p
- url: https://github.com/ffi/ffi/releases/tag/1.9.24
- title: ruby-ffi DDL loading issue on Windows OS
- date: 2018-06-22
- description: |
- ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be
- hijacked on Windows OS, when a Symbol is used as DLL name instead of a String
- This vulnerability appears to have been fixed in v1.9.24 and later.
- cvss_v2: 6.8
- cvss_v3: 7.8
- patched_versions:
- - ">= 1.9.24"
- related:
- url:
- - https://github.com/ffi/ffi/commit/09e0c6076466b4383da7fa4e13f714311109945a
- - https://github.com/ffi/ffi/commit/e0fe486df0e117ed67b0282b6ada04b7214ca05c
----
+---
+layout: advisory
+title: 'CVE-2018-1000201 (ffi): ruby-ffi DDL loading issue on Windows OS'
+comments: false
+categories:
+- ffi
+advisory:
+ gem: ffi
+ cve: 2018-1000201
+ ghsa: 2gw2-8q9w-cw8p
+ url: https://github.com/ffi/ffi/releases/tag/1.9.24
+ title: ruby-ffi DDL loading issue on Windows OS
+ date: 2018-06-22
+ description: |
+ ruby-ffi version 1.9.23 and earlier has a DLL loading issue which can be
+ hijacked on Windows OS, when a Symbol is used as DLL name instead of a String
+ This vulnerability appears to have been fixed in v1.9.24 and later.
+ cvss_v2: 6.8
+ cvss_v3: 7.8
+ patched_versions:
+ - ">= 1.9.24"
+ related:
+ url:
+ - https://github.com/ffi/ffi/commit/09e0c6076466b4383da7fa4e13f714311109945a
+ - https://github.com/ffi/ffi/commit/e0fe486df0e117ed67b0282b6ada04b7214ca05c
+---
diff --git a/advisories/_posts/2018-07-03-CVE-2018-14040.md b/advisories/_posts/2018-07-03-CVE-2018-14040.md
index 8b21fe0a..0847941d 100644
--- a/advisories/_posts/2018-07-03-CVE-2018-14040.md
+++ b/advisories/_posts/2018-07-03-CVE-2018-14040.md
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2018-14040 (bootstrap): XSS vulnerabilities via data-parent, data-target, - data-container in bootstrap' -comments: false -categories: -- bootstrap -advisory: - gem: bootstrap - cve: 2018-14040 - ghsa: 3wqf-4x89-9g79 - url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ - title: XSS vulnerabilities via data-parent, data-target, data-container in bootstrap - date: 2018-07-03 - description: | - In Bootstrap before 4.1.2, XSS is possible in collapse data-parent - attribute (CVE-2018-14040), data-target property of scrollspy - (CVE-2018-14041), data-container property of tooltip (CVE-2018-14042) - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 4.1.2" - related: - cve: - - 2018-14041 - - 2018-14042 - url: - - https://nvd.nist.gov/vuln/detail/cve-2018-14040 - - https://github.com/twbs/bootstrap/issues/26423 - - https://github.com/twbs/bootstrap/pull/26630 - - https://github.com/advisories/GHSA-3wqf-4x89-9g79 ---- +--- +layout: advisory +title: 'CVE-2018-14040 (bootstrap): XSS vulnerabilities via data-parent, data-target, + data-container in bootstrap' +comments: false +categories: +- bootstrap +advisory: + gem: bootstrap + cve: 2018-14040 + ghsa: 3wqf-4x89-9g79 + url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ + title: XSS vulnerabilities via data-parent, data-target, data-container in bootstrap + date: 2018-07-03 + description: | + In Bootstrap before 4.1.2, XSS is possible in collapse data-parent + attribute (CVE-2018-14040), data-target property of scrollspy + (CVE-2018-14041), data-container property of tooltip (CVE-2018-14042) + cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - ">= 4.1.2" + related: + cve: + - 2018-14041 + - 2018-14042 + url: + - https://nvd.nist.gov/vuln/detail/cve-2018-14040 + - https://github.com/twbs/bootstrap/issues/26423 + - https://github.com/twbs/bootstrap/pull/26630 + - https://github.com/advisories/GHSA-3wqf-4x89-9g79 +--- 
diff --git a/advisories/_posts/2018-07-11-CVE-2018-1000211.md b/advisories/_posts/2018-07-11-CVE-2018-1000211.md index a8303dcd..06fbaa27 100644 --- a/advisories/_posts/2018-07-11-CVE-2018-1000211.md +++ b/advisories/_posts/2018-07-11-CVE-2018-1000211.md 
@@ -1,44 +1,44 @@ ---- -layout: advisory -title: 'CVE-2018-1000211 (doorkeeper): Doorkeeper gem does not revoke token for public - clients' -comments: false -categories: -- doorkeeper -advisory: - gem: doorkeeper - cve: 2018-1000211 - ghsa: 694m-jhr9-pf77 - url: https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/ - title: Doorkeeper gem does not revoke token for public clients - date: 2018-07-11 - description: | - Any OAuth application that uses public/non-confidential authentication when - interacting with Doorkeeper is unable to revoke its tokens when calling the - revocation endpoint. - - A bug in the token revocation API would cause it to attempt to authenticate - the public OAuth client as if it was a confidential app. Because of this, the - token is never revoked. - - The impact of this is the access or refresh token is not revoked, leaking - access to protected resources for the remainder of that token's lifetime. - - If Doorkeeper is used to facilitate public OAuth apps and leverage token - revocation functionality, upgrade to the patched versions immediately. - - Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes. - - DWF has assigned CVE-2018-1000211. 
- cvss_v3: 7.5 - unaffected_versions: - - "< 4.2.0" - patched_versions: - - ">= 4.4.0" - - ">= 5.0.0.rc2" - related: - url: - - https://github.com/doorkeeper-gem/doorkeeper/issues/891 - - https://github.com/doorkeeper-gem/doorkeeper/pull/1119 - - https://github.com/doorkeeper-gem/doorkeeper/pull/1120 ---- +--- +layout: advisory +title: 'CVE-2018-1000211 (doorkeeper): Doorkeeper gem does not revoke token for public + clients' +comments: false +categories: +- doorkeeper +advisory: + gem: doorkeeper + cve: 2018-1000211 + ghsa: 694m-jhr9-pf77 + url: https://blog.justinbull.ca/cve-2018-1000211-public-apps-cant-revoke-tokens-in-doorkeeper/ + title: Doorkeeper gem does not revoke token for public clients + date: 2018-07-11 + description: | + Any OAuth application that uses public/non-confidential authentication when + interacting with Doorkeeper is unable to revoke its tokens when calling the + revocation endpoint. + + A bug in the token revocation API would cause it to attempt to authenticate + the public OAuth client as if it was a confidential app. Because of this, the + token is never revoked. + + The impact of this is the access or refresh token is not revoked, leaking + access to protected resources for the remainder of that token's lifetime. + + If Doorkeeper is used to facilitate public OAuth apps and leverage token + revocation functionality, upgrade to the patched versions immediately. + + Credit to Roberto Ostinelli for discovery, Justin Bull for the fixes. + + DWF has assigned CVE-2018-1000211. + cvss_v3: 7.5 + unaffected_versions: + - "< 4.2.0" + patched_versions: + - ">= 4.4.0" + - ">= 5.0.0.rc2" + related: + url: + - https://github.com/doorkeeper-gem/doorkeeper/issues/891 + - https://github.com/doorkeeper-gem/doorkeeper/pull/1119 + - https://github.com/doorkeeper-gem/doorkeeper/pull/1120 +--- diff --git a/advisories/_posts/2018-07-26-CVE-2018-3721.md b/advisories/_posts/2018-07-26-CVE-2018-3721.md index f039a799..53de670e 100644 
--- a/advisories/_posts/2018-07-26-CVE-2018-3721.md +++ b/advisories/_posts/2018-07-26-CVE-2018-3721.md 
@@ -1,39 +1,39 @@ ---- -layout: advisory -title: 'CVE-2018-3721 (lodash-rails): Prototype Pollution in lodash' -comments: false -categories: -- lodash-rails -advisory: - gem: lodash-rails - cve: 2018-3721 - ghsa: fvqr-27wr-82fm - url: https://github.com/advisories/GHSA-fvqr-27wr-82fm - title: Prototype Pollution in lodash - date: 2018-07-26 - description: | - Versions of `lodash` before 4.17.5 are vulnerable to - prototype pollution. - - The vulnerable functions are 'defaultsDeep', 'merge', and - 'mergeWith' which allow a malicious user to modify the - prototype of `Object` via `__proto__` causing the addition - or modification of an existing property that will exist - on all objects. - - ## Recommendation - - Update to version 4.17.5 or later." - cvss_v2: 4.0 - cvss_v3: 6.5 - patched_versions: - - ">= 4.17.5" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-3721 - - https://hackerone.com/reports/310443 - - https://www.npmjs.com/advisories/577 - - https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a - - https://security.netapp.com/advisory/ntap-20190919-0004 - - https://github.com/advisories/GHSA-fvqr-27wr-82fm ---- +--- +layout: advisory +title: 'CVE-2018-3721 (lodash-rails): Prototype Pollution in lodash' +comments: false +categories: +- lodash-rails +advisory: + gem: lodash-rails + cve: 2018-3721 + ghsa: fvqr-27wr-82fm + url: https://github.com/advisories/GHSA-fvqr-27wr-82fm + title: Prototype Pollution in lodash + date: 2018-07-26 + description: | + Versions of `lodash` before 4.17.5 are vulnerable to + prototype pollution. + + The vulnerable functions are 'defaultsDeep', 'merge', and + 'mergeWith' which allow a malicious user to modify the + prototype of `Object` via `__proto__` causing the addition + or modification of an existing property that will exist + on all objects. + + ## Recommendation + + Update to version 4.17.5 or later." 
+ cvss_v2: 4.0 + cvss_v3: 6.5 + patched_versions: + - ">= 4.17.5" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-3721 + - https://hackerone.com/reports/310443 + - https://www.npmjs.com/advisories/577 + - https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a + - https://security.netapp.com/advisory/ntap-20190919-0004 + - https://github.com/advisories/GHSA-fvqr-27wr-82fm +--- diff --git a/advisories/_posts/2018-07-27-CVE-2018-3777.md b/advisories/_posts/2018-07-27-CVE-2018-3777.md index faa9e084..b8fd8ff6 100644 --- a/advisories/_posts/2018-07-27-CVE-2018-3777.md +++ b/advisories/_posts/2018-07-27-CVE-2018-3777.md 
@@ -1,45 +1,45 @@ ---- -layout: advisory -title: 'CVE-2018-3777 (restforce): Insufficient URI encoding in restforce' -comments: false -categories: -- restforce -advisory: - gem: restforce - cve: 2018-3777 - ghsa: 534w-937m-v7x3 - url: https://github.com/restforce/restforce/pull/392 - title: Insufficient URI encoding in restforce - date: 2018-07-27 - description: | - A flaw in how restforce constructs URL's may allow an attacker to inject - additional parameters into Salesforce API requests. - - Impact - ------ - This flaw is only exploitable in applications that pass user input directly - to restforce's select, find, describe, update, upsert, and destroy methods. - Vulnerable code might look like: - - ```ruby - client.select('SomeSalesForceObject', params[:some-id], - ...) - ``` - - In such an application, attackers could pass `0016000000MRatd/describe` - as a request parameter, causing the server to make a request to a different - endpoint than the server is designed to handle. Since the Salesforce REST - API supports overriding HTTP methods via a request parameter, an attacker - could also cause the client's `select()` method to modify data, by passing - `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`. - - Workarounds - ------ - If possible, applications should track salesforce IDs internally, rather than - passing user-supplied IDs to salesforce. Such practice mitigates this - vulnerability, and in general is desirable for ensuring strong access control. 
- cvss_v3: 9.8 - patched_versions: - - "~> 2.5.4" - - ">= 3.0.0" ---- +--- +layout: advisory +title: 'CVE-2018-3777 (restforce): Insufficient URI encoding in restforce' +comments: false +categories: +- restforce +advisory: + gem: restforce + cve: 2018-3777 + ghsa: 534w-937m-v7x3 + url: https://github.com/restforce/restforce/pull/392 + title: Insufficient URI encoding in restforce + date: 2018-07-27 + description: | + A flaw in how restforce constructs URL's may allow an attacker to inject + additional parameters into Salesforce API requests. + + Impact + ------ + This flaw is only exploitable in applications that pass user input directly + to restforce's select, find, describe, update, upsert, and destroy methods. + Vulnerable code might look like: + + ```ruby + client.select('SomeSalesForceObject', params[:some-id], + ...) + ``` + + In such an application, attackers could pass `0016000000MRatd/describe` + as a request parameter, causing the server to make a request to a different + endpoint than the server is designed to handle. Since the Salesforce REST + API supports overriding HTTP methods via a request parameter, an attacker + could also cause the client's `select()` method to modify data, by passing + `0016000000MRatd/?_HttpMethod=PATCH&other-query-params=...`. + + Workarounds + ------ + If possible, applications should track salesforce IDs internally, rather than + passing user-supplied IDs to salesforce. Such practice mitigates this + vulnerability, and in general is desirable for ensuring strong access control. + cvss_v3: 9.8 + patched_versions: + - "~> 2.5.4" + - ">= 3.0.0" +--- diff --git a/advisories/_posts/2018-08-09-CVE-2018-3779.md b/advisories/_posts/2018-08-09-CVE-2018-3779.md index b71dbc05..09ba9a30 100644 --- a/advisories/_posts/2018-08-09-CVE-2018-3779.md +++ b/advisories/_posts/2018-08-09-CVE-2018-3779.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2018-3779 (active-support): Malicious ruby gem - active-support' -comments: false -categories: -- active-support -advisory: - gem: active-support - cve: 2018-3779 - ghsa: 2j55-pcw5-x4h2 - url: https://hackerone.com/reports/392311 - title: Malicious ruby gem - active-support - date: 2018-08-09 - description: | - The gem duplicates official `activesupport` (no hyphen) code, but adds a - compiled extension. The extension attempts to resolve a base64 encoded - domain, downloads a payload, and executes. - - Replace this gem with the official `activesupport` gem. - related: - url: - - https://github.com/rubygems/rubygems.org/pull/1762 ---- +--- +layout: advisory +title: 'CVE-2018-3779 (active-support): Malicious ruby gem - active-support' +comments: false +categories: +- active-support +advisory: + gem: active-support + cve: 2018-3779 + ghsa: 2j55-pcw5-x4h2 + url: https://hackerone.com/reports/392311 + title: Malicious ruby gem - active-support + date: 2018-08-09 + description: | + The gem duplicates official `activesupport` (no hyphen) code, but adds a + compiled extension. The extension attempts to resolve a base64 encoded + domain, downloads a payload, and executes. + + Replace this gem with the official `activesupport` gem. + related: + url: + - https://github.com/rubygems/rubygems.org/pull/1762 +--- diff --git a/advisories/_posts/2018-09-13-CVE-2018-14041.md b/advisories/_posts/2018-09-13-CVE-2018-14041.md index 3672be6d..12a4d491 100644 --- a/advisories/_posts/2018-09-13-CVE-2018-14041.md +++ b/advisories/_posts/2018-09-13-CVE-2018-14041.md 
@@ -1,35 +1,35 @@ ---- -layout: advisory -title: 'CVE-2018-14041 (bootstrap): Bootstrap vulnerable to Cross-Site Scripting (XSS)' -comments: false -categories: -- bootstrap -advisory: - gem: bootstrap - cve: 2018-14041 - ghsa: pj7m-g53m-7638 - url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2 - title: Bootstrap vulnerable to Cross-Site Scripting (XSS) - date: 2018-09-13 - description: | - In Bootstrap before 4.1.2, XSS is possible in the collapse - data-parent attribute. - cvss_v3: 6.1 - patched_versions: - - ">= 4.1.2" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-14041 - - https://github.com/twbs/bootstrap/issues/26625 - - https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2 - - https://github.com/twbs/bootstrap/issues/26423 - - https://github.com/twbs/bootstrap/issues/26628 - - https://github.com/twbs/bootstrap/pull/26630 - - https://github.com/twbs/bootstrap/commit/149096016f70fd815540d62c0989fd99cdc809e0 - - https://github.com/twbs/bootstrap/blob/v3.4.1/js/collapse.js#L140 - - https://lists.debian.org/debian-lts-announce/2018/08/msg00027.html - - https://seclists.org/bugtraq/2019/May/18 - - https://www.oracle.com/security-alerts/cpuApr2021.html - - https://www.tenable.com/security/tns-2021-14 - - https://github.com/advisories/GHSA-pj7m-g53m-7638 ---- +--- +layout: advisory +title: 'CVE-2018-14041 (bootstrap): Bootstrap vulnerable to Cross-Site Scripting (XSS)' +comments: false +categories: +- bootstrap +advisory: + gem: bootstrap + cve: 2018-14041 + ghsa: pj7m-g53m-7638 + url: https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2 + title: Bootstrap vulnerable to Cross-Site Scripting (XSS) + date: 2018-09-13 + description: | + In Bootstrap before 4.1.2, XSS is possible in the collapse + data-parent attribute. 
+ cvss_v3: 6.1 + patched_versions: + - ">= 4.1.2" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-14041 + - https://github.com/twbs/bootstrap/issues/26625 + - https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2 + - https://github.com/twbs/bootstrap/issues/26423 + - https://github.com/twbs/bootstrap/issues/26628 + - https://github.com/twbs/bootstrap/pull/26630 + - https://github.com/twbs/bootstrap/commit/149096016f70fd815540d62c0989fd99cdc809e0 + - https://github.com/twbs/bootstrap/blob/v3.4.1/js/collapse.js#L140 + - https://lists.debian.org/debian-lts-announce/2018/08/msg00027.html + - https://seclists.org/bugtraq/2019/May/18 + - https://www.oracle.com/security-alerts/cpuApr2021.html + - https://www.tenable.com/security/tns-2021-14 + - https://github.com/advisories/GHSA-pj7m-g53m-7638 +--- diff --git a/advisories/_posts/2018-09-13-CVE-2018-14042.md b/advisories/_posts/2018-09-13-CVE-2018-14042.md index 63035f16..c328257f 100644 --- a/advisories/_posts/2018-09-13-CVE-2018-14042.md +++ b/advisories/_posts/2018-09-13-CVE-2018-14042.md 
@@ -1,45 +1,45 @@ ---- -layout: advisory -title: 'CVE-2018-14042 (bootstrap): Bootstrap Cross-site Scripting vulnerability' -comments: false -categories: -- bootstrap -advisory: - gem: bootstrap - cve: 2018-14042 - ghsa: 7mvr-5x2g-wfc8 - url: https://github.com/twbs/bootstrap/issues/26423 - title: Bootstrap Cross-site Scripting vulnerability - date: 2018-09-13 - description: | - In Bootstrap before 4.1.2, XSS is possible in the data-container property - of tooltip. This is similar to CVE-2018-14041. - cvss_v3: 6.1 - patched_versions: - - ">= 4.1.2" - related: - cve: - - 2018-14041 - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-14042 - - https://github.com/twbs/bootstrap/issues/26423 - - https://github.com/twbs/bootstrap/issues/26628 - - https://github.com/twbs/bootstrap/pull/26630 - - https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ - - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@ - - https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@ - - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@ - - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@ - - https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@ - - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@ - - https://seclists.org/bugtraq/2019/May/18 - - https://www.oracle.com/security-alerts/cpuApr2021.html - - http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html - - http://seclists.org/fulldisclosure/2019/May/10 - - http://seclists.org/fulldisclosure/2019/May/11 - - http://seclists.org/fulldisclosure/2019/May/13 - - https://github.com/advisories/GHSA-7mvr-5x2g-wfc8 - - https://github.com/twbs/bootstrap/issues/26428 - - https://github.com/twbs/bootstrap/commit/2d90d369bbc2bd2647620246c55cec8c4705e3d0 - - 
https://www.tenable.com/security/tns-2021-14 ---- +--- +layout: advisory +title: 'CVE-2018-14042 (bootstrap): Bootstrap Cross-site Scripting vulnerability' +comments: false +categories: +- bootstrap +advisory: + gem: bootstrap + cve: 2018-14042 + ghsa: 7mvr-5x2g-wfc8 + url: https://github.com/twbs/bootstrap/issues/26423 + title: Bootstrap Cross-site Scripting vulnerability + date: 2018-09-13 + description: | + In Bootstrap before 4.1.2, XSS is possible in the data-container property + of tooltip. This is similar to CVE-2018-14041. + cvss_v3: 6.1 + patched_versions: + - ">= 4.1.2" + related: + cve: + - 2018-14041 + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-14042 + - https://github.com/twbs/bootstrap/issues/26423 + - https://github.com/twbs/bootstrap/issues/26628 + - https://github.com/twbs/bootstrap/pull/26630 + - https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2/ + - https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@ + - https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@ + - https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@ + - https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@ + - https://lists.apache.org/thread.html/r3dc0cac8d856bca02bd6997355d7ff83027dcfc82f8646a29b89b714@ + - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@ + - https://seclists.org/bugtraq/2019/May/18 + - https://www.oracle.com/security-alerts/cpuApr2021.html + - http://packetstormsecurity.com/files/156743/OctoberCMS-Insecure-Dependencies.html + - http://seclists.org/fulldisclosure/2019/May/10 + - http://seclists.org/fulldisclosure/2019/May/11 + - http://seclists.org/fulldisclosure/2019/May/13 + - https://github.com/advisories/GHSA-7mvr-5x2g-wfc8 + - https://github.com/twbs/bootstrap/issues/26428 + - 
https://github.com/twbs/bootstrap/commit/2d90d369bbc2bd2647620246c55cec8c4705e3d0 + - https://www.tenable.com/security/tns-2021-14 +--- diff --git a/advisories/_posts/2018-09-14-CVE-2018-14643.md b/advisories/_posts/2018-09-14-CVE-2018-14643.md index 7c4da9b8..2346d8e7 100644 --- a/advisories/_posts/2018-09-14-CVE-2018-14643.md +++ b/advisories/_posts/2018-09-14-CVE-2018-14643.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2018-14643 (smart_proxy_dynflow): smart_proxy_dynflow gem authentication - bypass in Foreman remote execution feature' -comments: false -categories: -- smart_proxy_dynflow -advisory: - gem: smart_proxy_dynflow - cve: 2018-14643 - ghsa: gx5g-xcxj-cx2w - url: https://github.com/theforeman/smart_proxy_dynflow/pull/54 - title: smart_proxy_dynflow gem authentication bypass in Foreman remote execution - feature - date: 2018-09-14 - description: | - An authentication bypass flaw was found in the smart_proxy_dynflow component - used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary - commands on machines managed by vulnerable Foreman instances, in a highly privileged - context. - cvss_v2: 10.0 - cvss_v3: 9.8 - patched_versions: - - "~> 0.1.11" - - ">= 0.2.1" ---- +--- +layout: advisory +title: 'CVE-2018-14643 (smart_proxy_dynflow): smart_proxy_dynflow gem authentication + bypass in Foreman remote execution feature' +comments: false +categories: +- smart_proxy_dynflow +advisory: + gem: smart_proxy_dynflow + cve: 2018-14643 + ghsa: gx5g-xcxj-cx2w + url: https://github.com/theforeman/smart_proxy_dynflow/pull/54 + title: smart_proxy_dynflow gem authentication bypass in Foreman remote execution + feature + date: 2018-09-14 + description: | + An authentication bypass flaw was found in the smart_proxy_dynflow component + used by Foreman. A malicious attacker can use this flaw to remotely execute arbitrary + commands on machines managed by vulnerable Foreman instances, in a highly privileged + context. + cvss_v2: 10.0 + cvss_v3: 9.8 + patched_versions: + - "~> 0.1.11" + - ">= 0.2.1" +--- diff --git a/advisories/_posts/2018-09-28-CVE-2018-17567.md b/advisories/_posts/2018-09-28-CVE-2018-17567.md index fdb79f14..50dacaa1 100644 --- a/advisories/_posts/2018-09-28-CVE-2018-17567.md +++ b/advisories/_posts/2018-09-28-CVE-2018-17567.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2018-17567 (jekyll): Jekyll _config.yml privilege escalation' -comments: false -categories: -- jekyll -advisory: - gem: jekyll - cve: 2018-17567 - ghsa: 4xjh-m3qx-49wc - url: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/ - title: Jekyll _config.yml privilege escalation - date: 2018-09-28 - description: | - Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows - attackers to access arbitrary files by specifying a symlink in the "include" key - in the "_config.yml" file. - cvss_v3: 7.5 - patched_versions: - - "~> 3.6.3" - - "~> 3.7.4" - - ">= 3.8.4" ---- +--- +layout: advisory +title: 'CVE-2018-17567 (jekyll): Jekyll _config.yml privilege escalation' +comments: false +categories: +- jekyll +advisory: + gem: jekyll + cve: 2018-17567 + ghsa: 4xjh-m3qx-49wc + url: https://jekyllrb.com/news/2018/09/19/security-fixes-for-3-6-3-7-3-8/ + title: Jekyll _config.yml privilege escalation + date: 2018-09-28 + description: | + Jekyll through 3.6.2, 3.7.x through 3.7.3, and 3.8.x through 3.8.3 allows + attackers to access arbitrary files by specifying a symlink in the "include" key + in the "_config.yml" file. + cvss_v3: 7.5 + patched_versions: + - "~> 3.6.3" + - "~> 3.7.4" + - ">= 3.8.4" +--- diff --git a/advisories/_posts/2018-10-04-CVE-2018-14404.md b/advisories/_posts/2018-10-04-CVE-2018-14404.md index 4ff20be4..acd6ca80 100644 --- a/advisories/_posts/2018-10-04-CVE-2018-14404.md +++ b/advisories/_posts/2018-10-04-CVE-2018-14404.md 
@@ -1,78 +1,78 @@ ---- -layout: advisory -title: 'CVE-2018-14404 (nokogiri): Nokogiri gem, via libxml2, is affected by multiple - vulnerabilities' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2018-14404 - ghsa: 6qvp-r6r3-9p7h - url: https://github.com/sparklemotion/nokogiri/issues/1785 - title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities - date: 2018-10-04 - description: | - Nokogiri 1.8.5 has been released. - - This is a security and bugfix release. It addresses two CVEs in upstream - libxml2 rated as "medium" by Red Hat, for which details are below. - - If you're using your distro's system libraries, rather than Nokogiri's - vendored libraries, there's no security need to upgrade at this time, - though you may want to check with your distro whether they've patched this - (Canonical has patched Ubuntu packages). Note that these patches are not - yet (as of 2018-10-04) in an upstream release of libxml2. - - Full details about the security update are available in Github Issue #1785. - [#1785]: https://github.com/sparklemotion/nokogiri/issues/1785 - - ----- - - [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 - and CVE-2018-14567. Full details are available in #1785. Note that these - patches are not yet (as of 2018-10-04) in an upstream release of libxml2. - - ----- - - CVE-2018-14404 - - Permalink: - - https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html - - Description: - - A NULL pointer dereference vulnerability exists in the - xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when - parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR - case. 
Applications processing untrusted XSL format inputs with the use of - the libxml2 library may be vulnerable to a denial of service attack due - to a crash of the application - - Canonical rates this vulnerability as "Priority: Medium" - - ----- - - CVE-2018-14567 - - Permalink: - - https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html - - Description: - - infinite loop in LZMA decompression - - Canonical rates this vulnerability as "Priority: Medium" - cvss_v3: 7.5 - patched_versions: - - ">= 1.8.5" - related: - cve: - - 2018-14567 - url: - - https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ - - https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594 - - https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74 ---- +--- +layout: advisory +title: 'CVE-2018-14404 (nokogiri): Nokogiri gem, via libxml2, is affected by multiple + vulnerabilities' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2018-14404 + ghsa: 6qvp-r6r3-9p7h + url: https://github.com/sparklemotion/nokogiri/issues/1785 + title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities + date: 2018-10-04 + description: | + Nokogiri 1.8.5 has been released. + + This is a security and bugfix release. It addresses two CVEs in upstream + libxml2 rated as "medium" by Red Hat, for which details are below. + + If you're using your distro's system libraries, rather than Nokogiri's + vendored libraries, there's no security need to upgrade at this time, + though you may want to check with your distro whether they've patched this + (Canonical has patched Ubuntu packages). Note that these patches are not + yet (as of 2018-10-04) in an upstream release of libxml2. + + Full details about the security update are available in Github Issue #1785. 
+ [#1785]: https://github.com/sparklemotion/nokogiri/issues/1785 + + ----- + + [MRI] Pulled in upstream patches from libxml2 that address CVE-2018-14404 + and CVE-2018-14567. Full details are available in #1785. Note that these + patches are not yet (as of 2018-10-04) in an upstream release of libxml2. + + ----- + + CVE-2018-14404 + + Permalink: + + https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14404.html + + Description: + + A NULL pointer dereference vulnerability exists in the + xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when + parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR + case. Applications processing untrusted XSL format inputs with the use of + the libxml2 library may be vulnerable to a denial of service attack due + to a crash of the application + + Canonical rates this vulnerability as "Priority: Medium" + + ----- + + CVE-2018-14567 + + Permalink: + + https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-14567.html + + Description: + + infinite loop in LZMA decompression + + Canonical rates this vulnerability as "Priority: Medium" + cvss_v3: 7.5 + patched_versions: + - ">= 1.8.5" + related: + cve: + - 2018-14567 + url: + - https://groups.google.com/forum/#!msg/ruby-security-ann/uVrmO2HjqQw/Fw3ocLI0BQAJ + - https://gitlab.gnome.org/GNOME/libxml2/commit/a436374994c47b12d5de1b8b1d191a098fa23594 + - https://gitlab.gnome.org/GNOME/libxml2/commit/2240fbf5912054af025fb6e01e26375100275e74 +--- diff --git a/advisories/_posts/2018-10-17-CVE-2018-16395.md b/advisories/_posts/2018-10-17-CVE-2018-16395.md index 5b6d452e..f94fb10c 100644 --- a/advisories/_posts/2018-10-17-CVE-2018-16395.md +++ b/advisories/_posts/2018-10-17-CVE-2018-16395.md 
@@ -1,50 +1,50 @@ ---- -layout: advisory -title: 'CVE-2018-16395 (openssl): Incorrect value comparison in Ruby openssl' -comments: false -categories: -- openssl -advisory: - gem: openssl - cve: 2018-16395 - ghsa: mmrq-6999-72v8 - url: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/ - title: Incorrect value comparison in Ruby openssl - date: 2018-10-17 - description: | - An issue was discovered in the OpenSSL library in Ruby when two OpenSSL::X509::Name - objects are compared using ==, depending on the ordering, non-equal objects may - return true. When the first argument is one character longer than the second, or - the second argument contains a character that is one less than a character in the - same position of the first argument, the result of == will be true. This could be - leveraged to create an illegitimate certificate that may be accepted as legitimate - and then used in signing or encryption operations. - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 2.1.2" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-16395 - - https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/ - - https://hackerone.com/reports/387250 - - https://access.redhat.com/errata/RHSA-2018:3729 - - https://access.redhat.com/errata/RHSA-2018:3730 - - https://access.redhat.com/errata/RHSA-2018:3731 - - https://access.redhat.com/errata/RHSA-2018:3738 - - https://access.redhat.com/errata/RHSA-2019:1948 - - https://access.redhat.com/errata/RHSA-2019:2565 - - https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html - - https://security.netapp.com/advisory/ntap-20190221-0002/ - - https://usn.ubuntu.com/3808-1/ - - https://www.debian.org/security/2018/dsa-4332 - - https://www.oracle.com/security-alerts/cpujan2020.html - - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/ - - 
https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/ - - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/ - - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/ - - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html - - http://www.securitytracker.com/id/1042105 - - https://github.com/ruby/openssl/commit/f653cfa43f0f20e8c440122ea982382b6228e7f5 - - https://github.com/advisories/GHSA-mmrq-6999-72v8 ---- +--- +layout: advisory +title: 'CVE-2018-16395 (openssl): Incorrect value comparison in Ruby openssl' +comments: false +categories: +- openssl +advisory: + gem: openssl + cve: 2018-16395 + ghsa: mmrq-6999-72v8 + url: https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/ + title: Incorrect value comparison in Ruby openssl + date: 2018-10-17 + description: | + An issue was discovered in the OpenSSL library in Ruby when two OpenSSL::X509::Name + objects are compared using ==, depending on the ordering, non-equal objects may + return true. When the first argument is one character longer than the second, or + the second argument contains a character that is one less than a character in the + same position of the first argument, the result of == will be true. This could be + leveraged to create an illegitimate certificate that may be accepted as legitimate + and then used in signing or encryption operations. 
+ cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 2.1.2" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-16395 + - https://www.ruby-lang.org/en/news/2018/10/17/openssl-x509-name-equality-check-does-not-work-correctly-cve-2018-16395/ + - https://hackerone.com/reports/387250 + - https://access.redhat.com/errata/RHSA-2018:3729 + - https://access.redhat.com/errata/RHSA-2018:3730 + - https://access.redhat.com/errata/RHSA-2018:3731 + - https://access.redhat.com/errata/RHSA-2018:3738 + - https://access.redhat.com/errata/RHSA-2019:1948 + - https://access.redhat.com/errata/RHSA-2019:2565 + - https://lists.debian.org/debian-lts-announce/2018/10/msg00020.html + - https://security.netapp.com/advisory/ntap-20190221-0002/ + - https://usn.ubuntu.com/3808-1/ + - https://www.debian.org/security/2018/dsa-4332 + - https://www.oracle.com/security-alerts/cpujan2020.html + - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-3-8-released/ + - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-4-5-released/ + - https://www.ruby-lang.org/en/news/2018/10/17/ruby-2-5-2-released/ + - https://www.ruby-lang.org/en/news/2018/11/06/ruby-2-6-0-preview3-released/ + - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html + - http://www.securitytracker.com/id/1042105 + - https://github.com/ruby/openssl/commit/f653cfa43f0f20e8c440122ea982382b6228e7f5 + - https://github.com/advisories/GHSA-mmrq-6999-72v8 +--- diff --git a/advisories/_posts/2018-10-19-CVE-2018-18476.md b/advisories/_posts/2018-10-19-CVE-2018-18476.md index 2b5e4170..0e4ce83a 100644 --- a/advisories/_posts/2018-10-19-CVE-2018-18476.md +++ b/advisories/_posts/2018-10-19-CVE-2018-18476.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2018-18476 (mysql-binuuid-rails): mysql-binuuid-rails allows SQL Injection - by removing default string escaping' -comments: false -categories: -- mysql-binuuid-rails -advisory: - gem: mysql-binuuid-rails - cve: 2018-18476 - ghsa: 6j63-35hj-vmcg - url: https://gist.github.com/viraptor/881276ea61e8d56bac6e28454c79f1e6 - title: mysql-binuuid-rails allows SQL Injection by removing default string escaping - date: 2018-10-19 - description: | - mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes - default string escaping for affected database columns. ActiveRecord does not - explicitly escape the Binary data type (Type::Binary::Data) for mysql. - mysql-binuuid-rails uses a data type that is derived from the base Binary - type, except, it doesn’t convert the value to hex. Instead, it assumes the - string value provided is a valid hex string and doesn’t do any checks on it. - cvss_v3: 9.8 - patched_versions: - - ">= 1.1.1" - related: - url: - - https://github.com/nedap/mysql-binuuid-rails/pull/18 ---- +--- +layout: advisory +title: 'CVE-2018-18476 (mysql-binuuid-rails): mysql-binuuid-rails allows SQL Injection + by removing default string escaping' +comments: false +categories: +- mysql-binuuid-rails +advisory: + gem: mysql-binuuid-rails + cve: 2018-18476 + ghsa: 6j63-35hj-vmcg + url: https://gist.github.com/viraptor/881276ea61e8d56bac6e28454c79f1e6 + title: mysql-binuuid-rails allows SQL Injection by removing default string escaping + date: 2018-10-19 + description: | + mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes + default string escaping for affected database columns. ActiveRecord does not + explicitly escape the Binary data type (Type::Binary::Data) for mysql. + mysql-binuuid-rails uses a data type that is derived from the base Binary + type, except, it doesn’t convert the value to hex. 
Instead, it assumes the + string value provided is a valid hex string and doesn’t do any checks on it. + cvss_v3: 9.8 + patched_versions: + - ">= 1.1.1" + related: + url: + - https://github.com/nedap/mysql-binuuid-rails/pull/18 +--- diff --git a/advisories/_posts/2018-10-27-CVE-2018-1000842.md b/advisories/_posts/2018-10-27-CVE-2018-1000842.md index 22b30788..2435d6dd 100644 --- a/advisories/_posts/2018-10-27-CVE-2018-1000842.md +++ b/advisories/_posts/2018-10-27-CVE-2018-1000842.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2018-1000842 (fat_free_crm): fat_free_crm gem XSS vulnerability via query - parameter' -comments: false -categories: -- fat_free_crm -advisory: - gem: fat_free_crm - cve: 2018-1000842 - ghsa: j5rj-g695-342r - url: https://github.com/fatfreecrm/fat_free_crm/wiki/XSS-Vulnerability-%282018-10-27%29 - title: fat_free_crm gem XSS vulnerability via query parameter - date: 2018-10-27 - description: | - FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 - <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit - 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. - This attack appear to be exploitable via Content with Javascript payload will be - executed on end user browsers when they visit the page. This vulnerability appears - to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2. - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 0.18.1" - - "~> 0.17.3" - - "~> 0.16.4" - - "~> 0.15.2" - - "~> 0.14.2" ---- +--- +layout: advisory +title: 'CVE-2018-1000842 (fat_free_crm): fat_free_crm gem XSS vulnerability via query + parameter' +comments: false +categories: +- fat_free_crm +advisory: + gem: fat_free_crm + cve: 2018-1000842 + ghsa: j5rj-g695-342r + url: https://github.com/fatfreecrm/fat_free_crm/wiki/XSS-Vulnerability-%282018-10-27%29 + title: fat_free_crm gem XSS vulnerability via query parameter + date: 2018-10-27 + description: | + FatFreeCRM version <=0.14.1, >=0.15.0 <=0.15.1, >=0.16.0 <=0.16.3, >=0.17.0 + <=0.17.2, ==0.18.0 contains a Cross Site Scripting (XSS) vulnerability in commit + 6d60bc8ed010c4eda05d6645c64849f415f68d65 that can result in Javascript execution. + This attack appear to be exploitable via Content with Javascript payload will be + executed on end user browsers when they visit the page. This vulnerability appears + to have been fixed in 0.18.1, 0.17.3, 0.16.4, 0.15.2, 0.14.2. 
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 0.18.1"
+ - "~> 0.17.3"
+ - "~> 0.16.4"
+ - "~> 0.15.2"
+ - "~> 0.14.2"
+---
diff --git a/advisories/_posts/2018-10-30-CVE-2018-16468.md b/advisories/_posts/2018-10-30-CVE-2018-16468.md
index 948eb62d..611d94a8 100644
--- a/advisories/_posts/2018-10-30-CVE-2018-16468.md
+++ b/advisories/_posts/2018-10-30-CVE-2018-16468.md
@@ -1,23 +1,23 @@
----
-layout: advisory
-title: 'CVE-2018-16468 (loofah): Loofah XSS Vulnerability'
-comments: false
-categories:
-- loofah
-advisory:
- gem: loofah
- cve: 2018-16468
- ghsa: g4xq-jx4w-4cjv
- url: https://github.com/flavorjones/loofah/issues/154
- title: Loofah XSS Vulnerability
- date: 2018-10-30
- description: |
- In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in
- sanitized output when a crafted SVG element is republished.
- cvss_v3: 6.4
- patched_versions:
- - ">= 2.2.3"
- related:
- url:
- - https://hackerone.com/reports/429267
----
+---
+layout: advisory
+title: 'CVE-2018-16468 (loofah): Loofah XSS Vulnerability'
+comments: false
+categories:
+- loofah
+advisory:
+ gem: loofah
+ cve: 2018-16468
+ ghsa: g4xq-jx4w-4cjv
+ url: https://github.com/flavorjones/loofah/issues/154
+ title: Loofah XSS Vulnerability
+ date: 2018-10-30
+ description: |
+ In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in
+ sanitized output when a crafted SVG element is republished.
+ cvss_v3: 6.4
+ patched_versions:
+ - ">= 2.2.3"
+ related:
+ url:
+ - https://hackerone.com/reports/429267
+---
diff --git a/advisories/_posts/2018-11-05-CVE-2018-16470.md b/advisories/_posts/2018-11-05-CVE-2018-16470.md
index 185b1c23..91c2f127 100644
--- a/advisories/_posts/2018-11-05-CVE-2018-16470.md
+++ b/advisories/_posts/2018-11-05-CVE-2018-16470.md
@@ -1,62 +1,62 @@ ---- -layout: advisory -title: 'CVE-2018-16470 (rack): Possible DoS vulnerability in Rack' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2018-16470 - ghsa: hg78-4f6x-99wq - url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk - title: Possible DoS vulnerability in Rack - date: 2018-11-05 - description: | - There is a possible DoS vulnerability in the multipart parser in Rack. This - vulnerability has been assigned the CVE identifier CVE-2018-16470. - - Versions Affected: 2.0.4, 2.0.5 - Not affected: <= 2.0.3 - Fixed Versions: 2.0.6 - - Impact - ------ - There is a possible DoS vulnerability in the multipart parser in Rack. - Carefully crafted requests can cause the multipart parser to enter a - pathological state, causing the parser to use CPU resources disproportionate to - the request size. - - Impacted code can look something like this: - - ``` - Rack::Request.new(env).params - ``` - - But any code that uses the multi-part parser may be vulnerable. - - Rack users that have manually adjusted the buffer size in the multipart parser - may be vulnerable as well. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The 2.0.6 release is available at the normal locations. 
- - Workarounds - ----------- - To work around this issue, the following code can be used: - - ``` - require "rack/multipart/parser" - - Rack::Multipart::Parser.send :remove_const, :BUFSIZE - Rack::Multipart::Parser.const_set :BUFSIZE, 16384 - ``` - cvss_v3: 7.5 - unaffected_versions: - - "<= 2.0.3" - patched_versions: - - ">= 2.0.6" ---- +--- +layout: advisory +title: 'CVE-2018-16470 (rack): Possible DoS vulnerability in Rack' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2018-16470 + ghsa: hg78-4f6x-99wq + url: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk + title: Possible DoS vulnerability in Rack + date: 2018-11-05 + description: | + There is a possible DoS vulnerability in the multipart parser in Rack. This + vulnerability has been assigned the CVE identifier CVE-2018-16470. + + Versions Affected: 2.0.4, 2.0.5 + Not affected: <= 2.0.3 + Fixed Versions: 2.0.6 + + Impact + ------ + There is a possible DoS vulnerability in the multipart parser in Rack. + Carefully crafted requests can cause the multipart parser to enter a + pathological state, causing the parser to use CPU resources disproportionate to + the request size. + + Impacted code can look something like this: + + ``` + Rack::Request.new(env).params + ``` + + But any code that uses the multi-part parser may be vulnerable. + + Rack users that have manually adjusted the buffer size in the multipart parser + may be vulnerable as well. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The 2.0.6 release is available at the normal locations. + + Workarounds + ----------- + To work around this issue, the following code can be used: + + ``` + require "rack/multipart/parser" + + Rack::Multipart::Parser.send :remove_const, :BUFSIZE + Rack::Multipart::Parser.const_set :BUFSIZE, 16384 + ``` + cvss_v3: 7.5 + unaffected_versions: + - "<= 2.0.3" + patched_versions: + - ">= 2.0.6" +--- 
diff --git a/advisories/_posts/2018-11-05-CVE-2018-16471.md b/advisories/_posts/2018-11-05-CVE-2018-16471.md index 1adb3471..7a64185d 100644 --- a/advisories/_posts/2018-11-05-CVE-2018-16471.md +++ b/advisories/_posts/2018-11-05-CVE-2018-16471.md 
@@ -1,87 +1,87 @@ ---- -layout: advisory -title: 'CVE-2018-16471 (rack): Possible XSS vulnerability in Rack' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2018-16471 - ghsa: 5r2p-j47h-mhpg - url: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o - title: Possible XSS vulnerability in Rack - date: 2018-11-05 - description: | - There is a possible vulnerability in Rack. This vulnerability has been - assigned the CVE identifier CVE-2018-16471. - - Versions Affected: All. - Not affected: None. - Fixed Versions: 2.0.6, 1.6.11 - - Impact - ------ - There is a possible XSS vulnerability in Rack. Carefully crafted requests can - impact the data returned by the `scheme` method on `Rack::Request`. - Applications that expect the scheme to be limited to "http" or "https" and do - not escape the return value could be vulnerable to an XSS attack. - - Vulnerable code looks something like this: - - ``` - <%= request.scheme.html_safe %> - ``` - - Note that applications using the normal escaping mechanisms provided by Rails - may not impacted, but applications that bypass the escaping mechanisms, or do - not use them may be vulnerable. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - - Releases - -------- - The 2.0.6 and 1.6.11 releases are available at the normal locations. 
- - Workarounds - ----------- - The following monkey patch can be applied to work around this issue: - - ``` - require "rack" - require "rack/request" - - class Rack::Request - SCHEME_WHITELIST = %w(https http).freeze - - def scheme - if get_header(Rack::HTTPS) == 'on' - 'https' - elsif get_header(HTTP_X_FORWARDED_SSL) == 'on' - 'https' - elsif forwarded_scheme - forwarded_scheme - else - get_header(Rack::RACK_URL_SCHEME) - end - end - - def forwarded_scheme - scheme_headers = [ - get_header(HTTP_X_FORWARDED_SCHEME), - get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0] - ] - - scheme_headers.each do |header| - return header if SCHEME_WHITELIST.include?(header) - end - - nil - end - end - ``` - cvss_v3: 6.1 - patched_versions: - - "~> 1.6.11" - - ">= 2.0.6" ---- +--- +layout: advisory +title: 'CVE-2018-16471 (rack): Possible XSS vulnerability in Rack' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2018-16471 + ghsa: 5r2p-j47h-mhpg + url: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o + title: Possible XSS vulnerability in Rack + date: 2018-11-05 + description: | + There is a possible vulnerability in Rack. This vulnerability has been + assigned the CVE identifier CVE-2018-16471. + + Versions Affected: All. + Not affected: None. + Fixed Versions: 2.0.6, 1.6.11 + + Impact + ------ + There is a possible XSS vulnerability in Rack. Carefully crafted requests can + impact the data returned by the `scheme` method on `Rack::Request`. + Applications that expect the scheme to be limited to "http" or "https" and do + not escape the return value could be vulnerable to an XSS attack. + + Vulnerable code looks something like this: + + ``` + <%= request.scheme.html_safe %> + ``` + + Note that applications using the normal escaping mechanisms provided by Rails + may not impacted, but applications that bypass the escaping mechanisms, or do + not use them may be vulnerable. 
+ + All users running an affected release should either upgrade or use one of the + workarounds immediately. + + Releases + -------- + The 2.0.6 and 1.6.11 releases are available at the normal locations. + + Workarounds + ----------- + The following monkey patch can be applied to work around this issue: + + ``` + require "rack" + require "rack/request" + + class Rack::Request + SCHEME_WHITELIST = %w(https http).freeze + + def scheme + if get_header(Rack::HTTPS) == 'on' + 'https' + elsif get_header(HTTP_X_FORWARDED_SSL) == 'on' + 'https' + elsif forwarded_scheme + forwarded_scheme + else + get_header(Rack::RACK_URL_SCHEME) + end + end + + def forwarded_scheme + scheme_headers = [ + get_header(HTTP_X_FORWARDED_SCHEME), + get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0] + ] + + scheme_headers.each do |header| + return header if SCHEME_WHITELIST.include?(header) + end + + nil + end + end + ``` + cvss_v3: 6.1 + patched_versions: + - "~> 1.6.11" + - ">= 2.0.6" +--- diff --git a/advisories/_posts/2018-11-09-CVE-2018-1000855.md b/advisories/_posts/2018-11-09-CVE-2018-1000855.md index 3a4253c3..aa0c8cd2 100644 --- a/advisories/_posts/2018-11-09-CVE-2018-1000855.md +++ b/advisories/_posts/2018-11-09-CVE-2018-1000855.md 
@@ -1,25 +1,25 @@
----
-layout: advisory
-title: 'CVE-2018-1000855 (easymon): Reflected XSS in Firefox in check endpoint'
-comments: false
-categories:
-- easymon
-advisory:
- gem: easymon
- cve: 2018-1000855
- ghsa: c289-47qf-rvrr
- url: https://github.com/basecamp/easymon/issues/26
- title: Reflected XSS in Firefox in check endpoint
- date: 2018-11-09
- description: |
- When passing an invalid check name as parameter to the endpoint where
- the easymon routes are mounted, a 406 response with a body that contains the invalid
- check name unescaped is returned. Malicious JavaScript can be injected into that
- invalid name and have it executed in Firefox
- cvss_v3: 6.1
- patched_versions:
- - ">= 1.4.1"
- related:
- url:
- - https://github.com/basecamp/easymon/pull/25
----
+---
+layout: advisory
+title: 'CVE-2018-1000855 (easymon): Reflected XSS in Firefox in check endpoint'
+comments: false
+categories:
+- easymon
+advisory:
+ gem: easymon
+ cve: 2018-1000855
+ ghsa: c289-47qf-rvrr
+ url: https://github.com/basecamp/easymon/issues/26
+ title: Reflected XSS in Firefox in check endpoint
+ date: 2018-11-09
+ description: |
+ When passing an invalid check name as parameter to the endpoint where
+ the easymon routes are mounted, a 406 response with a body that contains the invalid
+ check name unescaped is returned. Malicious JavaScript can be injected into that
+ invalid name and have it executed in Firefox
+ cvss_v3: 6.1
+ patched_versions:
+ - ">= 1.4.1"
+ related:
+ url:
+ - https://github.com/basecamp/easymon/pull/25
+---
diff --git a/advisories/_posts/2018-11-27-CVE-2018-16476.md b/advisories/_posts/2018-11-27-CVE-2018-16476.md
index 55a163fb..0f470dc2 100644
--- a/advisories/_posts/2018-11-27-CVE-2018-16476.md
+++ b/advisories/_posts/2018-11-27-CVE-2018-16476.md
@@ -1,45 +1,45 @@ ---- -layout: advisory -title: 'CVE-2018-16476 (activejob): Broken Access Control vulnerability in Active - Job' -comments: false -categories: -- activejob -- rails -advisory: - gem: activejob - framework: rails - cve: 2018-16476 - ghsa: q2qw-rmrh-vv42 - url: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw - title: Broken Access Control vulnerability in Active Job - date: 2018-11-27 - description: | - There is a vulnerability in Active Job. This vulnerability has been - assigned the CVE identifier CVE-2018-16476. - - Versions Affected: >= 4.2.0 - Not affected: < 4.2.0 - Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 - - Impact - ------ - Carefully crafted user input can cause Active Job to deserialize it using GlobalId - and allow an attacker to have access to information that they should not have. - - Vulnerable code will look something like this: - - MyJob.perform_later(user_input) - - All users running an affected release should either upgrade or use one of the - workarounds immediately. - cvss_v3: 7.5 - unaffected_versions: - - "< 4.2.0" - patched_versions: - - "~> 4.2.11" - - "~> 5.0.7.1" - - "~> 5.1.6.1" - - "~> 5.1.7" - - ">= 5.2.1.1" ---- +--- +layout: advisory +title: 'CVE-2018-16476 (activejob): Broken Access Control vulnerability in Active + Job' +comments: false +categories: +- activejob +- rails +advisory: + gem: activejob + framework: rails + cve: 2018-16476 + ghsa: q2qw-rmrh-vv42 + url: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw + title: Broken Access Control vulnerability in Active Job + date: 2018-11-27 + description: | + There is a vulnerability in Active Job. This vulnerability has been + assigned the CVE identifier CVE-2018-16476. 
+ + Versions Affected: >= 4.2.0 + Not affected: < 4.2.0 + Fixed Versions: 4.2.11, 5.0.7.1, 5.1.6.1, 5.2.1.1 + + Impact + ------ + Carefully crafted user input can cause Active Job to deserialize it using GlobalId + and allow an attacker to have access to information that they should not have. + + Vulnerable code will look something like this: + + MyJob.perform_later(user_input) + + All users running an affected release should either upgrade or use one of the + workarounds immediately. + cvss_v3: 7.5 + unaffected_versions: + - "< 4.2.0" + patched_versions: + - "~> 4.2.11" + - "~> 5.0.7.1" + - "~> 5.1.6.1" + - "~> 5.1.7" + - ">= 5.2.1.1" +--- diff --git a/advisories/_posts/2018-11-27-CVE-2018-16477.md b/advisories/_posts/2018-11-27-CVE-2018-16477.md index 72f859a5..fcfded2c 100644 --- a/advisories/_posts/2018-11-27-CVE-2018-16477.md +++ b/advisories/_posts/2018-11-27-CVE-2018-16477.md 
@@ -1,50 +1,50 @@ ---- -layout: advisory -title: 'CVE-2018-16477 (activestorage): Bypass vulnerability in Active Storage' -comments: false -categories: -- activestorage -- rails -advisory: - gem: activestorage - framework: rails - cve: 2018-16477 - ghsa: 7rr7-rcjw-56vj - url: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg - title: Bypass vulnerability in Active Storage - date: 2018-11-27 - description: | - There is a vulnerability in Active Storage. This vulnerability has been - assigned the CVE identifier CVE-2018-16477. - - Versions Affected: >= 5.2.0 - Not affected: < 5.2.0 - Fixed Versions: 5.2.1.1 - - Impact - ------ - Signed download URLs generated by `ActiveStorage` for Google Cloud Storage - service and Disk service include `content-disposition` and `content-type` - parameters that an attacker can modify. This can be used to upload specially - crafted HTML files and have them served and executed inline. Combined with - other techniques such as cookie bombing and specially crafted AppCache manifests, - an attacker can gain access to private signed URLs within a specific storage path. - - Vulnerable apps are those using either GCS or the Disk service in production. - Other storage services such as S3 or Azure aren't affected. - - All users running an affected release should either upgrade or use one of the - workarounds immediately. 
For those using GCS, it's also recommended to run the - following to update existing blobs: - - ``` - ActiveStorage::Blob.find_each do |blob| - blob.send :update_service_metadata - end - ``` - cvss_v3: 6.5 - unaffected_versions: - - "< 5.2.0" - patched_versions: - - ">= 5.2.1.1" ---- +--- +layout: advisory +title: 'CVE-2018-16477 (activestorage): Bypass vulnerability in Active Storage' +comments: false +categories: +- activestorage +- rails +advisory: + gem: activestorage + framework: rails + cve: 2018-16477 + ghsa: 7rr7-rcjw-56vj + url: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg + title: Bypass vulnerability in Active Storage + date: 2018-11-27 + description: | + There is a vulnerability in Active Storage. This vulnerability has been + assigned the CVE identifier CVE-2018-16477. + + Versions Affected: >= 5.2.0 + Not affected: < 5.2.0 + Fixed Versions: 5.2.1.1 + + Impact + ------ + Signed download URLs generated by `ActiveStorage` for Google Cloud Storage + service and Disk service include `content-disposition` and `content-type` + parameters that an attacker can modify. This can be used to upload specially + crafted HTML files and have them served and executed inline. Combined with + other techniques such as cookie bombing and specially crafted AppCache manifests, + an attacker can gain access to private signed URLs within a specific storage path. + + Vulnerable apps are those using either GCS or the Disk service in production. + Other storage services such as S3 or Azure aren't affected. + + All users running an affected release should either upgrade or use one of the + workarounds immediately. For those using GCS, it's also recommended to run the + following to update existing blobs: + + ``` + ActiveStorage::Blob.find_each do |blob| + blob.send :update_service_metadata + end + ``` + cvss_v3: 6.5 + unaffected_versions: + - "< 5.2.0" + patched_versions: + - ">= 5.2.1.1" +--- 
diff --git a/advisories/_posts/2019-01-17-CVE-2018-20676.md b/advisories/_posts/2019-01-17-CVE-2018-20676.md index b123a970..7351745d 100644 --- a/advisories/_posts/2019-01-17-CVE-2018-20676.md +++ b/advisories/_posts/2019-01-17-CVE-2018-20676.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2018-20676 (bootstrap): XSS vulnerability that affects bootstrap' -comments: false -categories: -- bootstrap -advisory: - gem: bootstrap - cve: 2018-20676 - ghsa: 3mgp-fx93-9xv5 - url: https://github.com/advisories/GHSA-3mgp-fx93-9xv5 - title: XSS vulnerability that affects bootstrap - date: 2019-01-17 - description: | - In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport - attribute. - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 3.4.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-20676 - - https://github.com/twbs/bootstrap/issues/27044 - - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 - - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628 - - https://github.com/twbs/bootstrap/pull/27047 - - https://access.redhat.com/errata/RHBA-2019:1076 - - https://access.redhat.com/errata/RHBA-2019:1570 - - https://access.redhat.com/errata/RHSA-2019:1456 - - https://access.redhat.com/errata/RHSA-2019:3023 - - https://access.redhat.com/errata/RHSA-2020:0132 - - https://access.redhat.com/errata/RHSA-2020:0133 - - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@ - - https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d - - https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 - - https://github.com/advisories/GHSA-3mgp-fx93-9xv5 ---- +--- +layout: advisory +title: 'CVE-2018-20676 (bootstrap): XSS vulnerability that affects bootstrap' +comments: false +categories: +- bootstrap +advisory: + gem: bootstrap + cve: 2018-20676 + ghsa: 3mgp-fx93-9xv5 + url: https://github.com/advisories/GHSA-3mgp-fx93-9xv5 + title: XSS vulnerability that affects bootstrap + date: 2019-01-17 + description: | + In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport + attribute. 
+ cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - ">= 3.4.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-20676 + - https://github.com/twbs/bootstrap/issues/27044 + - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 + - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628 + - https://github.com/twbs/bootstrap/pull/27047 + - https://access.redhat.com/errata/RHBA-2019:1076 + - https://access.redhat.com/errata/RHBA-2019:1570 + - https://access.redhat.com/errata/RHSA-2019:1456 + - https://access.redhat.com/errata/RHSA-2019:3023 + - https://access.redhat.com/errata/RHSA-2020:0132 + - https://access.redhat.com/errata/RHSA-2020:0133 + - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@ + - https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d + - https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 + - https://github.com/advisories/GHSA-3mgp-fx93-9xv5 +--- diff --git a/advisories/_posts/2019-01-17-CVE-2018-20677.md b/advisories/_posts/2019-01-17-CVE-2018-20677.md index 31ed69fb..8ffd69bb 100644 --- a/advisories/_posts/2019-01-17-CVE-2018-20677.md +++ b/advisories/_posts/2019-01-17-CVE-2018-20677.md 
@@ -1,39 +1,39 @@ ---- -layout: advisory -title: 'CVE-2018-20677 (bootstrap): bootstrap Cross-site Scripting vulnerability' -comments: false -categories: -- bootstrap -advisory: - gem: bootstrap - cve: 2018-20677 - ghsa: ph58-4vrj-w6hr - url: https://github.com/advisories/GHSA-ph58-4vrj-w6hr - title: bootstrap Cross-site Scripting vulnerability - date: 2019-01-17 - description: | - In Bootstrap before 3.4.0, XSS is possible in the affix - configuration target property. - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 3.4.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-20677 - - https://github.com/twbs/bootstrap/issues/27045 - - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 - - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628 - - https://github.com/twbs/bootstrap/pull/27047 - - https://access.redhat.com/errata/RHBA-2019:1076 - - https://access.redhat.com/errata/RHBA-2019:1570 - - https://access.redhat.com/errata/RHSA-2019:1456 - - https://access.redhat.com/errata/RHSA-2019:3023 - - https://access.redhat.com/errata/RHSA-2020:0132 - - https://access.redhat.com/errata/RHSA-2020:0133 - - https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@ - - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@ - - https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d - - https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 - - https://github.com/advisories/GHSA-ph58-4vrj-w6hr ---- +--- +layout: advisory +title: 'CVE-2018-20677 (bootstrap): bootstrap Cross-site Scripting vulnerability' +comments: false +categories: +- bootstrap +advisory: + gem: bootstrap + cve: 2018-20677 + ghsa: ph58-4vrj-w6hr + url: https://github.com/advisories/GHSA-ph58-4vrj-w6hr + title: bootstrap Cross-site Scripting vulnerability + date: 2019-01-17 + description: | + In Bootstrap before 3.4.0, XSS is possible in the affix + 
configuration target property. + cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - ">= 3.4.0" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-20677 + - https://github.com/twbs/bootstrap/issues/27045 + - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452140906 + - https://github.com/twbs/bootstrap/issues/27915#issuecomment-452196628 + - https://github.com/twbs/bootstrap/pull/27047 + - https://access.redhat.com/errata/RHBA-2019:1076 + - https://access.redhat.com/errata/RHBA-2019:1570 + - https://access.redhat.com/errata/RHSA-2019:1456 + - https://access.redhat.com/errata/RHSA-2019:3023 + - https://access.redhat.com/errata/RHSA-2020:0132 + - https://access.redhat.com/errata/RHSA-2020:0133 + - https://lists.apache.org/thread.html/52e0e6b5df827ee7f1e68f7cc3babe61af3b2160f5d74a85469b7b0e@ + - https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@ + - https://github.com/twbs/bootstrap/commit/2a5ba23ce8f041f3548317acc992ed8a736b609d + - https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0 + - https://github.com/advisories/GHSA-ph58-4vrj-w6hr +--- diff --git a/advisories/_posts/2019-02-07-CVE-2018-16487.md b/advisories/_posts/2019-02-07-CVE-2018-16487.md index 62af7df2..d28882e0 100644 --- a/advisories/_posts/2019-02-07-CVE-2018-16487.md +++ b/advisories/_posts/2019-02-07-CVE-2018-16487.md 
@@ -1,39 +1,39 @@ ---- -layout: advisory -title: 'CVE-2018-16487 (lodash-rails): Prototype Pollution in lodash' -comments: false -categories: -- lodash-rails -advisory: - gem: lodash-rails - cve: 2018-16487 - ghsa: 4xc9-xhrj-v574 - url: https://github.com/advisories/GHSA-4xc9-xhrj-v574 - title: Prototype Pollution in lodash - date: 2019-02-07 - description: | - Versions of `lodash` before 4.17.11 are vulnerable to - prototype pollution. - - The vulnerable functions are 'defaultsDeep', 'merge', and - 'mergeWith' which allow a malicious user to modify the - prototype of `Object` via `{constructor: {prototype: - {...}}}` causing the addition or modification of an existing - property that will exist on all objects. - - ## Recommendation - - Update to version 4.17.11 or later. - cvss_v2: 6.8 - cvss_v3: 5.6 - patched_versions: - - ">= 4.17.11" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2018-16487 - - https://hackerone.com/reports/380873 - - https://www.npmjs.com/advisories/782 - - https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad - - https://security.netapp.com/advisory/ntap-20190919-0004 - - https://github.com/advisories/GHSA-4xc9-xhrj-v574 ---- +--- +layout: advisory +title: 'CVE-2018-16487 (lodash-rails): Prototype Pollution in lodash' +comments: false +categories: +- lodash-rails +advisory: + gem: lodash-rails + cve: 2018-16487 + ghsa: 4xc9-xhrj-v574 + url: https://github.com/advisories/GHSA-4xc9-xhrj-v574 + title: Prototype Pollution in lodash + date: 2019-02-07 + description: | + Versions of `lodash` before 4.17.11 are vulnerable to + prototype pollution. + + The vulnerable functions are 'defaultsDeep', 'merge', and + 'mergeWith' which allow a malicious user to modify the + prototype of `Object` via `{constructor: {prototype: + {...}}}` causing the addition or modification of an existing + property that will exist on all objects. + + ## Recommendation + + Update to version 4.17.11 or later. 
+ cvss_v2: 6.8
+ cvss_v3: 5.6
+ patched_versions:
+ - ">= 4.17.11"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-16487
+ - https://hackerone.com/reports/380873
+ - https://www.npmjs.com/advisories/782
+ - https://github.com/lodash/lodash/commit/90e6199a161b6445b01454517b40ef65ebecd2ad
+ - https://security.netapp.com/advisory/ntap-20190919-0004
+ - https://github.com/advisories/GHSA-4xc9-xhrj-v574
+---
diff --git a/advisories/_posts/2019-02-07-CVE-2019-5421.md b/advisories/_posts/2019-02-07-CVE-2019-5421.md
index 2892d15f..ac1dc3d7 100644
--- a/advisories/_posts/2019-02-07-CVE-2019-5421.md
+++ b/advisories/_posts/2019-02-07-CVE-2019-5421.md
@@ -1,24 +1,24 @@
----
-layout: advisory
-title: 'CVE-2019-5421 (devise): Devise Gem for Ruby Time-of-check Time-of-use race
- condition with lockable module'
-comments: false
-categories:
-- devise
-advisory:
- gem: devise
- cve: 2019-5421
- ghsa: 73rf-6mrf-759q
- url: https://github.com/plataformatec/devise/issues/4981
- title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable
- module
- date: 2019-02-07
- description: |
- Devise ruby gem before 4.6.0 when the `lockable` module is used is vulnerable to a
- time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts`
- within the `Devise::Models::Lockable` class not being concurrency safe.
- cvss_v2: 7.5
- cvss_v3: 9.8
- patched_versions:
- - ">= 4.6.0"
----
+---
+layout: advisory
+title: 'CVE-2019-5421 (devise): Devise Gem for Ruby Time-of-check Time-of-use race
+ condition with lockable module'
+comments: false
+categories:
+- devise
+advisory:
+ gem: devise
+ cve: 2019-5421
+ ghsa: 73rf-6mrf-759q
+ url: https://github.com/plataformatec/devise/issues/4981
+ title: Devise Gem for Ruby Time-of-check Time-of-use race condition with lockable
+ module
+ date: 2019-02-07
+ description: |
+ Devise ruby gem before 4.6.0 when the `lockable` module is used is vulnerable to a
+ time-of-check time-of-use (TOCTOU) race condition due to `increment_failed_attempts`
+ within the `Devise::Models::Lockable` class not being concurrency safe.
+ cvss_v2: 7.5
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 4.6.0"
+---
diff --git a/advisories/_posts/2019-02-15-CVE-2019-8331.md b/advisories/_posts/2019-02-15-CVE-2019-8331.md
index fa65218d..23622fae 100644
--- a/advisories/_posts/2019-02-15-CVE-2019-8331.md
+++ b/advisories/_posts/2019-02-15-CVE-2019-8331.md
@@ -1,35 +1,35 @@
----
-layout: advisory
-title: 'CVE-2019-8331 (twitter-bootstrap-rails): twitter-bootstrap-rails vulnerable
- to Cross-Site Scripting (XSS)'
-comments: false
-categories:
-- twitter-bootstrap-rails
-advisory:
- gem: twitter-bootstrap-rails
- cve: 2019-8331
- ghsa: 9v3m-8fp8-mj99
- url: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
- title: twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
- date: 2019-02-15
- description: |
- The seyhunak/twitter-bootstrap-rails gem includes a vendored version of
- the Bootstrap JavaScript library.
-
- In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
- in the tooltip or popover data-template attribute.
-
- The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6.
- All versions of Bootstrap before v 3.4.1 are affected by this vulnerability.
- All versions of this gem are affected.
-
- # Workarounds
- Until this gem is updated to use Bootstrap v3.4.1, users can replace it
- with the official Twitter-maintained gems, `bootstrap-sass` (version 3.4.1)
- or `bootstrap` (bootstrap 4 and 5).
- cvss_v2: 4.3
- cvss_v3: 6.1
- related:
- url:
- - https://github.com/twbs/bootstrap-sass/releases/tag/v3.4.1
----
+---
+layout: advisory
+title: 'CVE-2019-8331 (twitter-bootstrap-rails): twitter-bootstrap-rails vulnerable
+ to Cross-Site Scripting (XSS)'
+comments: false
+categories:
+- twitter-bootstrap-rails
+advisory:
+ gem: twitter-bootstrap-rails
+ cve: 2019-8331
+ ghsa: 9v3m-8fp8-mj99
+ url: https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/
+ title: twitter-bootstrap-rails vulnerable to Cross-Site Scripting (XSS)
+ date: 2019-02-15
+ description: |
+ The seyhunak/twitter-bootstrap-rails gem includes a vendored version of
+ the Bootstrap JavaScript library.
+
+ In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible
+ in the tooltip or popover data-template attribute.
+
+ The most recent version of this gem, 5.0.0, includes Bootstrap v 3.3.6.
+ All versions of Bootstrap before v 3.4.1 are affected by this vulnerability.
+ All versions of this gem are affected.
+
+ # Workarounds
+ Until this gem is updated to use Bootstrap v3.4.1, users can replace it
+ with the official Twitter-maintained gems, `bootstrap-sass` (version 3.4.1)
+ or `bootstrap` (bootstrap 4 and 5).
+ cvss_v2: 4.3
+ cvss_v3: 6.1
+ related:
+ url:
+ - https://github.com/twbs/bootstrap-sass/releases/tag/v3.4.1
+---
diff --git a/advisories/_posts/2019-03-05-CVE-2019-8320.md b/advisories/_posts/2019-03-05-CVE-2019-8320.md
index 85717233..38038934 100644
--- a/advisories/_posts/2019-03-05-CVE-2019-8320.md
+++ b/advisories/_posts/2019-03-05-CVE-2019-8320.md
@@ -1,32 +1,32 @@
----
-layout: advisory
-title: 'CVE-2019-8320 (rubygems-update): Delete directory using symlink when decompressing
- tar'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2019-8320
- ghsa: 5x32-c9mf-49cc
- url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- title: Delete directory using symlink when decompressing tar
- date: 2019-03-05
- description: |
- A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
- through 3.0.2. Before making new directories or touching files (which now
- include path-checking code for symlinks), it would delete the target
- destination. If that destination was hidden behind a symlink, a malicious gem
- could delete arbitrary files on the user’s machine, presuming the attacker
- could guess at paths. Given how frequently gem is run as sudo, and how
- predictable paths are on modern systems (/tmp, /usr, etc.), this could
- likely lead to data loss or an unusable system.
- cvss_v3: 7.4
- unaffected_versions:
- - "< 2.7.6"
- patched_versions:
- - ">= 3.0.3"
- - "~> 2.7.9"
----
+---
+layout: advisory
+title: 'CVE-2019-8320 (rubygems-update): Delete directory using symlink when decompressing
+ tar'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2019-8320
+ ghsa: 5x32-c9mf-49cc
+ url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ title: Delete directory using symlink when decompressing tar
+ date: 2019-03-05
+ description: |
+ A Directory Traversal issue was discovered in RubyGems 2.7.6 and later
+ through 3.0.2. Before making new directories or touching files (which now
+ include path-checking code for symlinks), it would delete the target
+ destination. If that destination was hidden behind a symlink, a malicious gem
+ could delete arbitrary files on the user’s machine, presuming the attacker
+ could guess at paths. Given how frequently gem is run as sudo, and how
+ predictable paths are on modern systems (/tmp, /usr, etc.), this could
+ likely lead to data loss or an unusable system.
+ cvss_v3: 7.4
+ unaffected_versions:
+ - "< 2.7.6"
+ patched_versions:
+ - ">= 3.0.3"
+ - "~> 2.7.9"
+---
diff --git a/advisories/_posts/2019-03-05-CVE-2019-8321.md b/advisories/_posts/2019-03-05-CVE-2019-8321.md
index 081187f4..95b9443a 100644
--- a/advisories/_posts/2019-03-05-CVE-2019-8321.md
+++ b/advisories/_posts/2019-03-05-CVE-2019-8321.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2019-8321 (rubygems-update): Escape sequence injection vulnerability in
- verbose'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2019-8321
- ghsa: fr32-gr5c-xq5c
- url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- title: Escape sequence injection vulnerability in verbose
- date: 2019-03-05
- description: |
- An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
- Gem::UserInteraction#verbose calls say without escaping, escape sequence
- injection is possible.
- cvss_v3: 7.5
- unaffected_versions:
- - "< 2.6"
- patched_versions:
- - ">= 3.0.3"
- - "~> 2.7.9"
----
+---
+layout: advisory
+title: 'CVE-2019-8321 (rubygems-update): Escape sequence injection vulnerability in
+ verbose'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2019-8321
+ ghsa: fr32-gr5c-xq5c
+ url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ title: Escape sequence injection vulnerability in verbose
+ date: 2019-03-05
+ description: |
+ An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
+ Gem::UserInteraction#verbose calls say without escaping, escape sequence
+ injection is possible.
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 2.6"
+ patched_versions:
+ - ">= 3.0.3"
+ - "~> 2.7.9"
+---
diff --git a/advisories/_posts/2019-03-05-CVE-2019-8322.md b/advisories/_posts/2019-03-05-CVE-2019-8322.md
index 8a9e03eb..a4b1d2b7 100644
--- a/advisories/_posts/2019-03-05-CVE-2019-8322.md
+++ b/advisories/_posts/2019-03-05-CVE-2019-8322.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2019-8322 (rubygems-update): Escape sequence injection vulnerability in
- gem owner'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2019-8322
- ghsa: mh37-8c3g-3fgc
- url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- title: Escape sequence injection vulnerability in gem owner
- date: 2019-03-05
- description: |
- An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem
- owner command outputs the contents of the API response directly to stdout.
- Therefore, if the response is crafted, escape sequence injection may occur.
- cvss_v3: 7.5
- unaffected_versions:
- - "< 2.6"
- patched_versions:
- - "~> 2.7.9"
- - ">= 3.0.3"
----
+---
+layout: advisory
+title: 'CVE-2019-8322 (rubygems-update): Escape sequence injection vulnerability in
+ gem owner'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2019-8322
+ ghsa: mh37-8c3g-3fgc
+ url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ title: Escape sequence injection vulnerability in gem owner
+ date: 2019-03-05
+ description: |
+ An issue was discovered in RubyGems 2.6 and later through 3.0.2. The gem
+ owner command outputs the contents of the API response directly to stdout.
+ Therefore, if the response is crafted, escape sequence injection may occur.
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 2.6"
+ patched_versions:
+ - "~> 2.7.9"
+ - ">= 3.0.3"
+---
diff --git a/advisories/_posts/2019-03-05-CVE-2019-8323.md b/advisories/_posts/2019-03-05-CVE-2019-8323.md
index a7c41697..8c5b2fa1 100644
--- a/advisories/_posts/2019-03-05-CVE-2019-8323.md
+++ b/advisories/_posts/2019-03-05-CVE-2019-8323.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2019-8323 (rubygems-update): Escape sequence injection vulnerability in
- api response handling'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2019-8323
- ghsa: 3h4r-pjv6-cph9
- url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- title: Escape sequence injection vulnerability in api response handling
- date: 2019-03-05
- description: |
- An issue was discovered in RubyGems 2.6 and later through 3.0.2.
- Gem::GemcutterUtilities#with_response may output the API response to stdout
- as it is. Therefore, if the API side modifies the response, escape sequence
- injection may occur.
- cvss_v3: 7.5
- unaffected_versions:
- - "< 2.6"
- patched_versions:
- - ">= 3.0.3"
- - "~> 2.7.9"
----
+---
+layout: advisory
+title: 'CVE-2019-8323 (rubygems-update): Escape sequence injection vulnerability in
+ api response handling'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2019-8323
+ ghsa: 3h4r-pjv6-cph9
+ url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ title: Escape sequence injection vulnerability in api response handling
+ date: 2019-03-05
+ description: |
+ An issue was discovered in RubyGems 2.6 and later through 3.0.2.
+ Gem::GemcutterUtilities#with_response may output the API response to stdout
+ as it is. Therefore, if the API side modifies the response, escape sequence
+ injection may occur.
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 2.6"
+ patched_versions:
+ - ">= 3.0.3"
+ - "~> 2.7.9"
+---
diff --git a/advisories/_posts/2019-03-05-CVE-2019-8324.md b/advisories/_posts/2019-03-05-CVE-2019-8324.md
index cfc7e736..99929540 100644
--- a/advisories/_posts/2019-03-05-CVE-2019-8324.md
+++ b/advisories/_posts/2019-03-05-CVE-2019-8324.md
@@ -1,28 +1,28 @@
----
-layout: advisory
-title: 'CVE-2019-8324 (rubygems-update): Installing a malicious gem may lead to arbitrary
- code execution'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2019-8324
- ghsa: 76wm-422q-92mq
- url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- title: Installing a malicious gem may lead to arbitrary code execution
- date: 2019-03-05
- description: |
- An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted
- gem with a multi-line name is not handled correctly. Therefore, an attacker
- could inject arbitrary code to the stub line of gemspec, which is eval-ed by
- code in ensure_loadable_spec during the preinstall check.
- cvss_v3: 8.8
- unaffected_versions:
- - "< 2.6"
- patched_versions:
- - ">= 3.0.3"
- - "~> 2.7.9"
----
+---
+layout: advisory
+title: 'CVE-2019-8324 (rubygems-update): Installing a malicious gem may lead to arbitrary
+ code execution'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2019-8324
+ ghsa: 76wm-422q-92mq
+ url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ title: Installing a malicious gem may lead to arbitrary code execution
+ date: 2019-03-05
+ description: |
+ An issue was discovered in RubyGems 2.6 and later through 3.0.2. A crafted
+ gem with a multi-line name is not handled correctly. Therefore, an attacker
+ could inject arbitrary code to the stub line of gemspec, which is eval-ed by
+ code in ensure_loadable_spec during the preinstall check.
+ cvss_v3: 8.8
+ unaffected_versions:
+ - "< 2.6"
+ patched_versions:
+ - ">= 3.0.3"
+ - "~> 2.7.9"
+---
diff --git a/advisories/_posts/2019-03-05-CVE-2019-8325.md b/advisories/_posts/2019-03-05-CVE-2019-8325.md
index 820f094d..390fcd23 100644
--- a/advisories/_posts/2019-03-05-CVE-2019-8325.md
+++ b/advisories/_posts/2019-03-05-CVE-2019-8325.md
@@ -1,27 +1,27 @@
----
-layout: advisory
-title: 'CVE-2019-8325 (rubygems-update): Escape sequence injection vulnerability in
- errors'
-comments: false
-categories:
-- rubygems-update
-- rubygems
-advisory:
- gem: rubygems-update
- library: rubygems
- cve: 2019-8325
- ghsa: 4wm8-fjv7-j774
- url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
- title: Escape sequence injection vulnerability in errors
- date: 2019-03-05
- description: |
- An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
- Gem::CommandManager#run calls alert_error without escaping, escape sequence
- injection is possible. (There are many ways to cause an error.)
- cvss_v3: 7.5
- unaffected_versions:
- - "< 2.6"
- patched_versions:
- - ">= 3.0.3"
- - "~> 2.7.9"
----
+---
+layout: advisory
+title: 'CVE-2019-8325 (rubygems-update): Escape sequence injection vulnerability in
+ errors'
+comments: false
+categories:
+- rubygems-update
+- rubygems
+advisory:
+ gem: rubygems-update
+ library: rubygems
+ cve: 2019-8325
+ ghsa: 4wm8-fjv7-j774
+ url: https://blog.rubygems.org/2019/03/05/security-advisories-2019-03.html
+ title: Escape sequence injection vulnerability in errors
+ date: 2019-03-05
+ description: |
+ An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since
+ Gem::CommandManager#run calls alert_error without escaping, escape sequence
+ injection is possible. (There are many ways to cause an error.)
+ cvss_v3: 7.5
+ unaffected_versions:
+ - "< 2.6"
+ patched_versions:
+ - ">= 3.0.3"
+ - "~> 2.7.9"
+---
diff --git a/advisories/_posts/2019-03-08-CVE-2018-6517.md b/advisories/_posts/2019-03-08-CVE-2018-6517.md
index ad5a7f7f..54e68ad5 100644
--- a/advisories/_posts/2019-03-08-CVE-2018-6517.md
+++ b/advisories/_posts/2019-03-08-CVE-2018-6517.md
@@ -1,22 +1,22 @@
----
-layout: advisory
-title: 'CVE-2018-6517 (chloride): Improper handling of ssh known_hosts file with Chloride'
-comments: false
-categories:
-- chloride
-advisory:
- gem: chloride
- cve: 2018-6517
- ghsa: 573x-jhqh-jg36
- url: https://puppet.com/security/cve/CVE-2018-6517
- title: Improper handling of ssh known_hosts file with Chloride
- date: 2019-03-08
- description: |
- Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints
- for previously unknown hosts getting added to the user's known_hosts file without
- confirmation. In version 0.3.0 this is updated so that the user's known_hosts file
- is not updated by chloride.
- cvss_v3: 5.0
- patched_versions:
- - ">= 0.3.0"
----
+---
+layout: advisory
+title: 'CVE-2018-6517 (chloride): Improper handling of ssh known_hosts file with Chloride'
+comments: false
+categories:
+- chloride
+advisory:
+ gem: chloride
+ cve: 2018-6517
+ ghsa: 573x-jhqh-jg36
+ url: https://puppet.com/security/cve/CVE-2018-6517
+ title: Improper handling of ssh known_hosts file with Chloride
+ date: 2019-03-08
+ description: |
+ Prior to version 0.3.0, chloride's use of net-ssh resulted in host fingerprints
+ for previously unknown hosts getting added to the user's known_hosts file without
+ confirmation. In version 0.3.0 this is updated so that the user's known_hosts file
+ is not updated by chloride.
+ cvss_v3: 5.0
+ patched_versions:
+ - ">= 0.3.0"
+---
diff --git a/advisories/_posts/2019-03-13-CVE-2019-5418.md b/advisories/_posts/2019-03-13-CVE-2019-5418.md
index c4b8aedf..5f248da0 100644
--- a/advisories/_posts/2019-03-13-CVE-2019-5418.md
+++ b/advisories/_posts/2019-03-13-CVE-2019-5418.md
@@ -1,105 +1,105 @@
----
-layout: advisory
-title: 'CVE-2019-5418 (actionview): File Content Disclosure in Action View'
-comments: false
-categories:
-- actionview
-- rails
-advisory:
- gem: actionview
- framework: rails
- cve: 2019-5418
- ghsa: 86g5-2wh3-gc9j
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
- title: File Content Disclosure in Action View
- date: 2019-03-13
- description: |
- There is a possible file content disclosure vulnerability in Action View. This
- vulnerability has been assigned the CVE identifier CVE-2019-5418.
-
- Versions Affected: All.
- Not affected: None.
- Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
-
- Impact
- ------
- There is a possible file content disclosure vulnerability in Action View.
- Specially crafted accept headers in combination with calls to `render file:`
- can cause arbitrary files on the target server to be rendered, disclosing the
- file contents.
-
- The impact is limited to calls to `render` which render file contents without
- a specified accept format. Impacted code in a controller looks something like
- this:
-
- ```
- class UserController < ApplicationController
- def index
- render file: "#{Rails.root}/some/file"
- end
- end
- ```
-
- Rendering templates as opposed to files is not impacted by this vulnerability.
-
- All users running an affected release should either upgrade or use one of the
- workarounds immediately.
-
- Releases
- --------
- The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
- available at the normal locations.
-
- Workarounds
- -----------
- This vulnerability can be mitigated by specifying a format for file rendering,
- like this:
-
- ```
- class UserController < ApplicationController
- def index
- render file: "#{Rails.root}/some/file", formats: [:html]
- end
- end
- ```
-
- In summary, impacted calls to `render` look like this:
-
- ```
- render file: "#{Rails.root}/some/file"
- ```
-
- The vulnerability can be mitigated by changing to this:
-
- ```
- render file: "#{Rails.root}/some/file", formats: [:html]
- ```
-
- Other calls to `render` are not impacted.
-
- Alternatively, the following monkey patch can be applied in an initializer:
-
- ```
- $ cat config/initializers/formats_filter.rb
- # frozen_string_literal: true
-
- ActionDispatch::Request.prepend(Module.new do
- def formats
- super().select do |format|
- format.symbol || format.ref == "*/*"
- end
- end
- end)
- ```
-
- Credits
- -------
- Thanks to John Hawthorn of GitHub
- cvss_v3: 7.5
- patched_versions:
- - "~> 4.2.11, >= 4.2.11.1"
- - "~> 5.0.7, >= 5.0.7.2"
- - "~> 5.1.6, >= 5.1.6.2"
- - "~> 5.2.2, >= 5.2.2.1"
- - ">= 6.0.0.beta3"
----
+---
+layout: advisory
+title: 'CVE-2019-5418 (actionview): File Content Disclosure in Action View'
+comments: false
+categories:
+- actionview
+- rails
+advisory:
+ gem: actionview
+ framework: rails
+ cve: 2019-5418
+ ghsa: 86g5-2wh3-gc9j
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
+ title: File Content Disclosure in Action View
+ date: 2019-03-13
+ description: |
+ There is a possible file content disclosure vulnerability in Action View. This
+ vulnerability has been assigned the CVE identifier CVE-2019-5418.
+
+ Versions Affected: All.
+ Not affected: None.
+ Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1
+
+ Impact
+ ------
+ There is a possible file content disclosure vulnerability in Action View.
+ Specially crafted accept headers in combination with calls to `render file:`
+ can cause arbitrary files on the target server to be rendered, disclosing the
+ file contents.
+
+ The impact is limited to calls to `render` which render file contents without
+ a specified accept format. Impacted code in a controller looks something like
+ this:
+
+ ```
+ class UserController < ApplicationController
+ def index
+ render file: "#{Rails.root}/some/file"
+ end
+ end
+ ```
+
+ Rendering templates as opposed to files is not impacted by this vulnerability.
+
+ All users running an affected release should either upgrade or use one of the
+ workarounds immediately.
+
+ Releases
+ --------
+ The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are
+ available at the normal locations.
+
+ Workarounds
+ -----------
+ This vulnerability can be mitigated by specifying a format for file rendering,
+ like this:
+
+ ```
+ class UserController < ApplicationController
+ def index
+ render file: "#{Rails.root}/some/file", formats: [:html]
+ end
+ end
+ ```
+
+ In summary, impacted calls to `render` look like this:
+
+ ```
+ render file: "#{Rails.root}/some/file"
+ ```
+
+ The vulnerability can be mitigated by changing to this:
+
+ ```
+ render file: "#{Rails.root}/some/file", formats: [:html]
+ ```
+
+ Other calls to `render` are not impacted.
+
+ Alternatively, the following monkey patch can be applied in an initializer:
+
+ ```
+ $ cat config/initializers/formats_filter.rb
+ # frozen_string_literal: true
+
+ ActionDispatch::Request.prepend(Module.new do
+ def formats
+ super().select do |format|
+ format.symbol || format.ref == "*/*"
+ end
+ end
+ end)
+ ```
+
+ Credits
+ -------
+ Thanks to John Hawthorn of GitHub
+ cvss_v3: 7.5
+ patched_versions:
+ - "~> 4.2.11, >= 4.2.11.1"
+ - "~> 5.0.7, >= 5.0.7.2"
+ - "~> 5.1.6, >= 5.1.6.2"
+ - "~> 5.2.2, >= 5.2.2.1"
+ - ">= 6.0.0.beta3"
+---
diff --git a/advisories/_posts/2019-03-13-CVE-2019-5419.md b/advisories/_posts/2019-03-13-CVE-2019-5419.md
index ef34c9e0..6d38294c 100644
--- a/advisories/_posts/2019-03-13-CVE-2019-5419.md
+++ b/advisories/_posts/2019-03-13-CVE-2019-5419.md
@@ -1,101 +1,101 @@
----
-layout: advisory
-title: 'CVE-2019-5419 (actionview): Denial of Service Vulnerability in Action View'
-comments: false
-categories:
-- actionview
-- rails
-advisory:
- gem: actionview
- framework: rails
- cve: 2019-5419
- ghsa: m63j-wh5w-c252
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
- title: Denial of Service Vulnerability in Action View
- date: 2019-03-13
- description: |
- There is a potential denial of service vulnerability in actionview.
- This vulnerability has been assigned the CVE identifier CVE-2019-5419.
-
- Impact
- ------
- Specially crafted accept headers can cause the Action View template location
- code to consume 100% CPU, causing the server unable to process requests. This
- impacts all Rails applications that render views.
-
- All users running an affected release should either upgrade or use one of the
- workarounds immediately.
-
- Workarounds
- -----------
- This vulnerability can be mitigated by wrapping `render` calls with
- `respond_to` blocks. For example, the following example is vulnerable:
-
- ```
- class UserController < ApplicationController
- def index
- render "index"
- end
- end
- ```
-
- But the following code is not vulnerable:
-
- ```
- class UserController < ApplicationController
- def index
- respond_to |format|
- format.html { render "index" }
- end
- end
- end
- ```
-
- Implicit rendering is impacted, so this code is vulnerable:
-
- ```
- class UserController < ApplicationController
- def index
- end
- end
- ```
-
- But can be changed this this:
-
- ```
- class UserController < ApplicationController
- def index
- respond_to |format|
- format.html { render "index" }
- end
- end
- end
- ```
-
- Alternatively to specifying the format, the following monkey patch can be
- applied in an initializer:
-
- ```
- $ cat config/initializers/formats_filter.rb
- # frozen_string_literal: true
-
- ActionDispatch::Request.prepend(Module.new do
- def formats
- super().select do |format|
- format.symbol || format.ref == "*/*"
- end
- end
- end)
- ```
-
- Credits
- -------
- Thanks to John Hawthorn of GitHub
- cvss_v3: 7.5
- patched_versions:
- - ">= 6.0.0.beta3"
- - "~> 5.2.2, >= 5.2.2.1"
- - "~> 5.1.6, >= 5.1.6.2"
- - "~> 5.0.7, >= 5.0.7.2"
- - "~> 4.2.11, >= 4.2.11.1"
----
+---
+layout: advisory
+title: 'CVE-2019-5419 (actionview): Denial of Service Vulnerability in Action View'
+comments: false
+categories:
+- actionview
+- rails
+advisory:
+ gem: actionview
+ framework: rails
+ cve: 2019-5419
+ ghsa: m63j-wh5w-c252
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
+ title: Denial of Service Vulnerability in Action View
+ date: 2019-03-13
+ description: |
+ There is a potential denial of service vulnerability in actionview.
+ This vulnerability has been assigned the CVE identifier CVE-2019-5419.
+
+ Impact
+ ------
+ Specially crafted accept headers can cause the Action View template location
+ code to consume 100% CPU, causing the server unable to process requests. This
+ impacts all Rails applications that render views.
+
+ All users running an affected release should either upgrade or use one of the
+ workarounds immediately.
+
+ Workarounds
+ -----------
+ This vulnerability can be mitigated by wrapping `render` calls with
+ `respond_to` blocks. For example, the following example is vulnerable:
+
+ ```
+ class UserController < ApplicationController
+ def index
+ render "index"
+ end
+ end
+ ```
+
+ But the following code is not vulnerable:
+
+ ```
+ class UserController < ApplicationController
+ def index
+ respond_to |format|
+ format.html { render "index" }
+ end
+ end
+ end
+ ```
+
+ Implicit rendering is impacted, so this code is vulnerable:
+
+ ```
+ class UserController < ApplicationController
+ def index
+ end
+ end
+ ```
+
+ But can be changed this this:
+
+ ```
+ class UserController < ApplicationController
+ def index
+ respond_to |format|
+ format.html { render "index" }
+ end
+ end
+ end
+ ```
+
+ Alternatively to specifying the format, the following monkey patch can be
+ applied in an initializer:
+
+ ```
+ $ cat config/initializers/formats_filter.rb
+ # frozen_string_literal: true
+
+ ActionDispatch::Request.prepend(Module.new do
+ def formats
+ super().select do |format|
+ format.symbol || format.ref == "*/*"
+ end
+ end
+ end)
+ ```
+
+ Credits
+ -------
+ Thanks to John Hawthorn of GitHub
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 6.0.0.beta3"
+ - "~> 5.2.2, >= 5.2.2.1"
+ - "~> 5.1.6, >= 5.1.6.2"
+ - "~> 5.0.7, >= 5.0.7.2"
+ - "~> 4.2.11, >= 4.2.11.1"
+---
diff --git a/advisories/_posts/2019-03-13-CVE-2019-5420.md b/advisories/_posts/2019-03-13-CVE-2019-5420.md
index c7a4e74e..9952ee5a 100644
--- a/advisories/_posts/2019-03-13-CVE-2019-5420.md
+++ b/advisories/_posts/2019-03-13-CVE-2019-5420.md
@@ -1,56 +1,56 @@
----
-layout: advisory
-title: 'CVE-2019-5420 (railties): Possible Remote Code Execution Exploit in Rails
- Development Mode'
-comments: false
-categories:
-- railties
-- rails
-advisory:
- gem: railties
- framework: rails
- cve: 2019-5420
- ghsa: m42h-mh85-4qgc
- url: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
- title: Possible Remote Code Execution Exploit in Rails Development Mode
- date: 2019-03-13
- description: |
- There is a possible a possible remote code executing exploit in Rails when in
- development mode. This vulnerability has been assigned the CVE identifier
- CVE-2019-5420.
-
- Versions Affected: 6.0.0.X, 5.2.X.
- Not affected: < 5.2.0
- Fixed Versions: 6.0.0.beta3, 5.2.2.1
-
- Impact
- ------
- With some knowledge of a target application it is possible for an attacker to
- guess the automatically generated development mode secret token. This secret
- token can be used in combination with other Rails internals to escalate to a
- remote code execution exploit.
-
- All users running an affected release should either upgrade or use one of the
- workarounds immediately.
-
- Releases
- --------
- The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
-
- Workarounds
- -----------
- This issue can be mitigated by specifying a secret key in development mode.
- In "config/environments/development.rb" add this:
-
- config.secret_key_base = SecureRandom.hex(64)
-
- Credits
- -------
- Thanks to ooooooo_q
- cvss_v3: 9.8
- unaffected_versions:
- - "< 5.2.0"
- patched_versions:
- - "~> 5.2.2, >= 5.2.2.1"
- - ">= 6.0.0.beta3"
----
+---
+layout: advisory
+title: 'CVE-2019-5420 (railties): Possible Remote Code Execution Exploit in Rails
+ Development Mode'
+comments: false
+categories:
+- railties
+- rails
+advisory:
+ gem: railties
+ framework: rails
+ cve: 2019-5420
+ ghsa: m42h-mh85-4qgc
+ url: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
+ title: Possible Remote Code Execution Exploit in Rails Development Mode
+ date: 2019-03-13
+ description: |
+ There is a possible a possible remote code executing exploit in Rails when in
+ development mode. This vulnerability has been assigned the CVE identifier
+ CVE-2019-5420.
+
+ Versions Affected: 6.0.0.X, 5.2.X.
+ Not affected: < 5.2.0
+ Fixed Versions: 6.0.0.beta3, 5.2.2.1
+
+ Impact
+ ------
+ With some knowledge of a target application it is possible for an attacker to
+ guess the automatically generated development mode secret token. This secret
+ token can be used in combination with other Rails internals to escalate to a
+ remote code execution exploit.
+
+ All users running an affected release should either upgrade or use one of the
+ workarounds immediately.
+
+ Releases
+ --------
+ The 6.0.0.beta3 and 5.2.2.1 releases are available at the normal locations.
+
+ Workarounds
+ -----------
+ This issue can be mitigated by specifying a secret key in development mode.
+ In "config/environments/development.rb" add this:
+
+ config.secret_key_base = SecureRandom.hex(64)
+
+ Credits
+ -------
+ Thanks to ooooooo_q
+ cvss_v3: 9.8
+ unaffected_versions:
+ - "< 5.2.0"
+ patched_versions:
+ - "~> 5.2.2, >= 5.2.2.1"
+ - ">= 6.0.0.beta3"
+---
diff --git a/advisories/_posts/2019-03-25-CVE-2019-9837.md b/advisories/_posts/2019-03-25-CVE-2019-9837.md
index 24a907fa..c639ec09 100644
--- a/advisories/_posts/2019-03-25-CVE-2019-9837.md
+++ b/advisories/_posts/2019-03-25-CVE-2019-9837.md
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2019-9837 (doorkeeper-openid_connect): Doorkeeper::OpenidConnect Open - Redirect' -comments: false -categories: -- doorkeeper-openid_connect -advisory: - gem: doorkeeper-openid_connect - cve: 2019-9837 - ghsa: vv4c-g6q7-p3q7 - url: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md#v154-2019-02-15 - title: Doorkeeper::OpenidConnect Open Redirect - date: 2019-03-25 - description: | - Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) - 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in - an OAuth authorization request (that results in an error response) with the 'openid' - scope and a prompt=none value. This allows phishing attacks against the authorization - flow. - cvss_v3: 6.1 - unaffected_versions: - - "< 1.4.0" - patched_versions: - - ">= 1.5.4" ---- +--- +layout: advisory +title: 'CVE-2019-9837 (doorkeeper-openid_connect): Doorkeeper::OpenidConnect Open + Redirect' +comments: false +categories: +- doorkeeper-openid_connect +advisory: + gem: doorkeeper-openid_connect + cve: 2019-9837 + ghsa: vv4c-g6q7-p3q7 + url: https://github.com/doorkeeper-gem/doorkeeper-openid_connect/blob/master/CHANGELOG.md#v154-2019-02-15 + title: Doorkeeper::OpenidConnect Open Redirect + date: 2019-03-25 + description: | + Doorkeeper::OpenidConnect (aka the OpenID Connect extension for Doorkeeper) + 1.4.x and 1.5.x before 1.5.4 has an open redirect via the redirect_uri field in + an OAuth authorization request (that results in an error response) with the 'openid' + scope and a prompt=none value. This allows phishing attacks against the authorization + flow. + cvss_v3: 6.1 + unaffected_versions: + - "< 1.4.0" + patched_versions: + - ">= 1.5.4" +--- diff --git a/advisories/_posts/2019-04-04-CVE-2019-10842.md b/advisories/_posts/2019-04-04-CVE-2019-10842.md index a7d8a18d..8c3efc22 100644 --- a/advisories/_posts/2019-04-04-CVE-2019-10842.md 
+++ b/advisories/_posts/2019-04-04-CVE-2019-10842.md 
@@ -1,32 +1,32 @@ ---- -layout: advisory -title: 'CVE-2019-10842 (bootstrap-sass): Remote code execution in bootstrap-sass' -comments: false -categories: -- bootstrap-sass -advisory: - gem: bootstrap-sass - cve: 2019-10842 - ghsa: vqqv-v9m2-48p2 - url: https://github.com/twbs/bootstrap-sass/issues/1195 - title: Remote code execution in bootstrap-sass - date: 2019-04-04 - description: | - Arbitrary code execution (via backdoor code, when - downloaded from rubygems.org) was discovered in - bootstrap-sass 3.2.0.3. - - Users are advised to upgrade immediately to 3.2.0.4 - - An unauthenticated attacker can craft the ___cfduid cookie value - with base64 arbitrary code to be executed via eval(), which can - be leveraged to execute arbitrary code on the target system. - (Note that there are three underscore characters in the cookie name. - This is unrelated to the __cfduid cookie that is legitimately used by - Cloudflare.) - cvss_v3: 9.8 - unaffected_versions: - - "<= 3.2.0.2" - patched_versions: - - ">= 3.2.0.4" ---- +--- +layout: advisory +title: 'CVE-2019-10842 (bootstrap-sass): Remote code execution in bootstrap-sass' +comments: false +categories: +- bootstrap-sass +advisory: + gem: bootstrap-sass + cve: 2019-10842 + ghsa: vqqv-v9m2-48p2 + url: https://github.com/twbs/bootstrap-sass/issues/1195 + title: Remote code execution in bootstrap-sass + date: 2019-04-04 + description: | + Arbitrary code execution (via backdoor code, when + downloaded from rubygems.org) was discovered in + bootstrap-sass 3.2.0.3. + + Users are advised to upgrade immediately to 3.2.0.4 + + An unauthenticated attacker can craft the ___cfduid cookie value + with base64 arbitrary code to be executed via eval(), which can + be leveraged to execute arbitrary code on the target system. + (Note that there are three underscore characters in the cookie name. + This is unrelated to the __cfduid cookie that is legitimately used by + Cloudflare.) 
+ cvss_v3: 9.8 + unaffected_versions: + - "<= 3.2.0.2" + patched_versions: + - ">= 3.2.0.4" +--- diff --git a/advisories/_posts/2019-04-10-CVE-2019-16060.md b/advisories/_posts/2019-04-10-CVE-2019-16060.md index 5d35d99b..a4daff56 100644 --- a/advisories/_posts/2019-04-10-CVE-2019-16060.md +++ b/advisories/_posts/2019-04-10-CVE-2019-16060.md @@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2019-16060 (airbrake-ruby): Blacklist keys are no longer being filtered - in airbrake-ruby' -comments: false -categories: -- airbrake-ruby -advisory: - gem: airbrake-ruby - cve: 2019-16060 - ghsa: 2p82-v77v-mppr - url: https://github.com/airbrake/airbrake-ruby/issues/468 - title: Blacklist keys are no longer being filtered in airbrake-ruby - date: 2019-04-10 - description: | - A flaw in airbrake-ruby v4.2.3 prevented user data from being filtered - prior to sending to Airbrake. Such data could be user passwords. Therefore, an app - could leak user passwords without knowing it. - cvss_v3: 9.8 - unaffected_versions: - - "< 4.2.3" - - "> 4.2.3" - patched_versions: - - ">= 4.2.4" - related: - url: - - https://github.com/airbrake/airbrake-ruby/pull/469 ---- +--- +layout: advisory +title: 'CVE-2019-16060 (airbrake-ruby): Blacklist keys are no longer being filtered + in airbrake-ruby' +comments: false +categories: +- airbrake-ruby +advisory: + gem: airbrake-ruby + cve: 2019-16060 + ghsa: 2p82-v77v-mppr + url: https://github.com/airbrake/airbrake-ruby/issues/468 + title: Blacklist keys are no longer being filtered in airbrake-ruby + date: 2019-04-10 + description: | + A flaw in airbrake-ruby v4.2.3 prevented user data from being filtered + prior to sending to Airbrake. Such data could be user passwords. Therefore, an app + could leak user passwords without knowing it. + cvss_v3: 9.8 + unaffected_versions: + - "< 4.2.3" + - "> 4.2.3" + patched_versions: + - ">= 4.2.4" + related: + url: + - https://github.com/airbrake/airbrake-ruby/pull/469 +--- 
diff --git a/advisories/_posts/2019-04-19-CVE-2019-11358.md b/advisories/_posts/2019-04-19-CVE-2019-11358.md
index 4dbc9ab0..e2165bd3 100644
--- a/advisories/_posts/2019-04-19-CVE-2019-11358.md
+++ b/advisories/_posts/2019-04-19-CVE-2019-11358.md
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2019-11358 (jquery-rails): Prototype pollution attack through jQuery $.extend' -comments: false -categories: -- jquery-rails -- rails -advisory: - gem: jquery-rails - framework: rails - cve: 2019-11358 - ghsa: 6c3j-c64m-qhgq - url: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ - title: Prototype pollution attack through jQuery $.extend - date: 2019-04-19 - description: | - jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of - bject.prototype pollution. If an unsanitized source object contained an - enumerable __proto__ property, it could extend the native Object.prototype. - cvss_v2: 4.3 - cvss_v3: 6.1 - patched_versions: - - ">= 4.3.4" - related: - url: - - https://hackerone.com/reports/454365 - - https://github.com/jquery/jquery/pull/4333 - - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b - - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434 ---- +--- +layout: advisory +title: 'CVE-2019-11358 (jquery-rails): Prototype pollution attack through jQuery $.extend' +comments: false +categories: +- jquery-rails +- rails +advisory: + gem: jquery-rails + framework: rails + cve: 2019-11358 + ghsa: 6c3j-c64m-qhgq + url: https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/ + title: Prototype pollution attack through jQuery $.extend + date: 2019-04-19 + description: | + jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) because of + bject.prototype pollution. If an unsanitized source object contained an + enumerable __proto__ property, it could extend the native Object.prototype. + cvss_v2: 4.3 + cvss_v3: 6.1 + patched_versions: + - ">= 4.3.4" + related: + url: + - https://hackerone.com/reports/454365 + - https://github.com/jquery/jquery/pull/4333 + - https://github.com/jquery/jquery/commit/753d591aea698e57d6db58c9f722cd0808619b1b + - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#434 +--- 
diff --git a/advisories/_posts/2019-04-22-CVE-2019-11068.md b/advisories/_posts/2019-04-22-CVE-2019-11068.md
index 2178b2c3..517ecad7 100644
--- a/advisories/_posts/2019-04-22-CVE-2019-11068.md
+++ b/advisories/_posts/2019-04-22-CVE-2019-11068.md
@@ -1,57 +1,57 @@ ---- -layout: advisory -title: 'CVE-2019-11068 (nokogiri): Nokogiri gem, via libxslt, is affected by improper - access control vulnerability' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2019-11068 - ghsa: qxcg-xjjg-66mj - url: https://github.com/sparklemotion/nokogiri/issues/1892 - title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability - date: 2019-04-22 - description: | - Nokogiri v1.10.3 has been released. - - This is a security release. It addresses a CVE in upstream libxslt rated as - "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More - details are available below. - - If you're using your distro's system libraries, rather than Nokogiri's - vendored libraries, there's no security need to upgrade at this time, though - you may want to check with your distro whether they've patched this - (Canonical has patched Ubuntu packages). Note that this patch is not yet (as - of 2019-04-22) in an upstream release of libxslt. - - Full details about the security update are available in Github Issue - [#1892] https://github.com/sparklemotion/nokogiri/issues/1892. - - --- - - CVE-2019-11068 - - Permalinks are: - - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068 - - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068 - - Description: - - > libxslt through 1.1.33 allows bypass of a protection mechanism - > because callers of xsltCheckRead and xsltCheckWrite permit access - > even upon receiving a -1 error code. xsltCheckRead can return -1 for - > a crafted URL that is not actually invalid and is subsequently - > loaded. - - Canonical rates this as "Priority: Medium". - - Debian rates this as "NVD Severity: High (attack range: remote)". 
- cvss_v3: 9.8 - patched_versions: - - ">= 1.10.3" - related: - url: - - https://groups.google.com/forum/#!msg/ruby-security-ann/_y80o1zZlOs/k4SDX6hoAAAJ - - https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 ---- +--- +layout: advisory +title: 'CVE-2019-11068 (nokogiri): Nokogiri gem, via libxslt, is affected by improper + access control vulnerability' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2019-11068 + ghsa: qxcg-xjjg-66mj + url: https://github.com/sparklemotion/nokogiri/issues/1892 + title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability + date: 2019-04-22 + description: | + Nokogiri v1.10.3 has been released. + + This is a security release. It addresses a CVE in upstream libxslt rated as + "Priority: medium" by Canonical, and "NVD Severity: high" by Debian. More + details are available below. + + If you're using your distro's system libraries, rather than Nokogiri's + vendored libraries, there's no security need to upgrade at this time, though + you may want to check with your distro whether they've patched this + (Canonical has patched Ubuntu packages). Note that this patch is not yet (as + of 2019-04-22) in an upstream release of libxslt. + + Full details about the security update are available in Github Issue + [#1892] https://github.com/sparklemotion/nokogiri/issues/1892. + + --- + + CVE-2019-11068 + + Permalinks are: + - Canonical: https://people.canonical.com/~ubuntu-security/cve/CVE-2019-11068 + - Debian: https://security-tracker.debian.org/tracker/CVE-2019-11068 + + Description: + + > libxslt through 1.1.33 allows bypass of a protection mechanism + > because callers of xsltCheckRead and xsltCheckWrite permit access + > even upon receiving a -1 error code. xsltCheckRead can return -1 for + > a crafted URL that is not actually invalid and is subsequently + > loaded. + + Canonical rates this as "Priority: Medium". 
+ + Debian rates this as "NVD Severity: High (attack range: remote)". + cvss_v3: 9.8 + patched_versions: + - ">= 1.10.3" + related: + url: + - https://groups.google.com/forum/#!msg/ruby-security-ann/_y80o1zZlOs/k4SDX6hoAAAJ + - https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 +--- diff --git a/advisories/_posts/2019-06-04-CVE-2019-12732.md b/advisories/_posts/2019-06-04-CVE-2019-12732.md index 471c7381..e20251f9 100644 --- a/advisories/_posts/2019-06-04-CVE-2019-12732.md +++ b/advisories/_posts/2019-06-04-CVE-2019-12732.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2019-12732 (chartkick): XSS Vulnerability in Chartkick Ruby Gem' -comments: false -categories: -- chartkick -advisory: - gem: chartkick - cve: 2019-12732 - ghsa: g45g-g52h-39rg - url: https://github.com/ankane/chartkick/issues/488 - title: XSS Vulnerability in Chartkick Ruby Gem - date: 2019-06-04 - description: | - Chartkick is vulnerable to a cross-site scripting (XSS) attack if - both the following conditions are met: - - Condition 1: - It's used with `ActiveSupport.escape_html_entities_in_json = false` - (this is not the default for Rails) - OR used with a non-Rails framework like Sinatra. - - Condition 2: - Untrusted data or options are passed to a chart. - - <%= line_chart params[:data], min: params[:min] %> - cvss_v3: 4.7 - patched_versions: - - ">= 3.2.0" ---- +--- +layout: advisory +title: 'CVE-2019-12732 (chartkick): XSS Vulnerability in Chartkick Ruby Gem' +comments: false +categories: +- chartkick +advisory: + gem: chartkick + cve: 2019-12732 + ghsa: g45g-g52h-39rg + url: https://github.com/ankane/chartkick/issues/488 + title: XSS Vulnerability in Chartkick Ruby Gem + date: 2019-06-04 + description: | + Chartkick is vulnerable to a cross-site scripting (XSS) attack if + both the following conditions are met: + + Condition 1: + It's used with `ActiveSupport.escape_html_entities_in_json = false` + (this is not the default for Rails) + OR used with a non-Rails framework like Sinatra. + + Condition 2: + Untrusted data or options are passed to a chart. + + <%= line_chart params[:data], min: params[:min] %> + cvss_v3: 4.7 + patched_versions: + - ">= 3.2.0" +--- diff --git a/advisories/_posts/2019-06-13-CVE-2019-11027.md b/advisories/_posts/2019-06-13-CVE-2019-11027.md index c838eb60..1cde9b31 100644 --- a/advisories/_posts/2019-06-13-CVE-2019-11027.md +++ b/advisories/_posts/2019-06-13-CVE-2019-11027.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2019-11027 (ruby-openid): ruby-openid SSRF via claimed_id request' -comments: false -categories: -- ruby-openid -advisory: - gem: ruby-openid - cve: 2019-11027 - ghsa: fqfj-cmh6-hj49 - url: https://github.com/openid/ruby-openid/issues/122 - date: 2019-06-13 - title: ruby-openid SSRF via claimed_id request - description: | - Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable - flaw. This library is used by Rails web applications to integrate with OpenID Providers. - Severity can range from medium to critical, depending on how a web application developer - chose to employ the ruby-openid library. Developers who based their OpenID integration - heavily on the "example app" provided by the project are at highest risk. - cvss_v3: 9.8 - patched_versions: - - ">= 2.9.0" ---- +--- +layout: advisory +title: 'CVE-2019-11027 (ruby-openid): ruby-openid SSRF via claimed_id request' +comments: false +categories: +- ruby-openid +advisory: + gem: ruby-openid + cve: 2019-11027 + ghsa: fqfj-cmh6-hj49 + url: https://github.com/openid/ruby-openid/issues/122 + date: 2019-06-13 + title: ruby-openid SSRF via claimed_id request + description: | + Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable + flaw. This library is used by Rails web applications to integrate with OpenID Providers. + Severity can range from medium to critical, depending on how a web application developer + chose to employ the ruby-openid library. Developers who based their OpenID integration + heavily on the "example app" provided by the project are at highest risk. + cvss_v3: 9.8 + patched_versions: + - ">= 2.9.0" +--- diff --git a/advisories/_posts/2019-07-01-CVE-2019-13146.md b/advisories/_posts/2019-07-01-CVE-2019-13146.md index dc7c8598..40ea0a98 100644 --- a/advisories/_posts/2019-07-01-CVE-2019-13146.md +++ b/advisories/_posts/2019-07-01-CVE-2019-13146.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2019-13146 (field_test): Arbitrary Variants Via Query Parameters' -comments: false -categories: -- field_test -advisory: - gem: field_test - cve: 2019-13146 - ghsa: wg9m-gw3h-hg83 - url: https://github.com/ankane/field_test/issues/17 - title: Arbitrary Variants Via Query Parameters - date: 2019-07-01 - description: | - Due to unvalidated input, an attacker can pass in - arbitrary variants via query parameters. - - If an application treats variants as trusted, this can - lead to potential vulnerabilities like SQL injection - or cross-site scripting (XSS). For instance: - - landing_page = field_test(:landing_page) - Page.where("key = '#{landing_page}'") - cvss_v3: 5.3 - unaffected_versions: - - "< 0.3.0" - patched_versions: - - ">= 0.3.1" ---- +--- +layout: advisory +title: 'CVE-2019-13146 (field_test): Arbitrary Variants Via Query Parameters' +comments: false +categories: +- field_test +advisory: + gem: field_test + cve: 2019-13146 + ghsa: wg9m-gw3h-hg83 + url: https://github.com/ankane/field_test/issues/17 + title: Arbitrary Variants Via Query Parameters + date: 2019-07-01 + description: | + Due to unvalidated input, an attacker can pass in + arbitrary variants via query parameters. + + If an application treats variants as trusted, this can + lead to potential vulnerabilities like SQL injection + or cross-site scripting (XSS). For instance: + + landing_page = field_test(:landing_page) + Page.where("key = '#{landing_page}'") + cvss_v3: 5.3 + unaffected_versions: + - "< 0.3.0" + patched_versions: + - ">= 0.3.1" +--- diff --git a/advisories/_posts/2019-07-02-CVE-2019-1020001.md b/advisories/_posts/2019-07-02-CVE-2019-1020001.md index d022fdcc..1293a69e 100644 --- a/advisories/_posts/2019-07-02-CVE-2019-1020001.md +++ b/advisories/_posts/2019-07-02-CVE-2019-1020001.md 
@@ -1,30 +1,30 @@ ---- -layout: advisory -title: 'CVE-2019-1020001 (yard): Arbitrary path traversal and file access via `yard - server`' -comments: false -categories: -- yard -advisory: - gem: yard - cve: 2019-1020001 - ghsa: xfhh-rx56-rxcr - url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr - date: 2019-07-02 - title: Arbitrary path traversal and file access via `yard server` - description: | - A path traversal vulnerability was discovered in YARD <= 0.9.19 when using - `yard server` to serve documentation. This bug would allow unsanitized HTTP - requests to access arbitrary files on the machine of a yard server host under - certain conditions. - - The issue is resolved in v0.9.20 and later. - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 0.9.20" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2019-1020001 - - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr ---- +--- +layout: advisory +title: 'CVE-2019-1020001 (yard): Arbitrary path traversal and file access via `yard + server`' +comments: false +categories: +- yard +advisory: + gem: yard + cve: 2019-1020001 + ghsa: xfhh-rx56-rxcr + url: https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr + date: 2019-07-02 + title: Arbitrary path traversal and file access via `yard server` + description: | + A path traversal vulnerability was discovered in YARD <= 0.9.19 when using + `yard server` to serve documentation. This bug would allow unsanitized HTTP + requests to access arbitrary files on the machine of a yard server host under + certain conditions. + + The issue is resolved in v0.9.20 and later. + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 0.9.20" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2019-1020001 + - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr +--- 
diff --git a/advisories/_posts/2019-07-05-CVE-2019-13354.md b/advisories/_posts/2019-07-05-CVE-2019-13354.md
index f125d2ba..7a530d16 100644
--- a/advisories/_posts/2019-07-05-CVE-2019-13354.md
+++ b/advisories/_posts/2019-07-05-CVE-2019-13354.md
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2019-13354 (strong_password): strong_password Ruby gem malicious version - causing Remote Code Execution vulnerability' -comments: false -categories: -- strong_password -advisory: - gem: strong_password - cve: 2019-13354 - ghsa: 5h5r-ffc4-c455 - url: https://withatwist.dev/strong-password-rubygem-hijacked.html - title: strong_password Ruby gem malicious version causing Remote Code Execution - vulnerability - date: 2019-07-05 - description: | - The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The - malicious actor published v0.0.7 containing malicious code that enables an attacker - to execute remote code in production. - - Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible. - cvss_v3: 9.8 - unaffected_versions: - - "< 0.0.7" - patched_versions: - - ">= 0.0.8" ---- +--- +layout: advisory +title: 'CVE-2019-13354 (strong_password): strong_password Ruby gem malicious version + causing Remote Code Execution vulnerability' +comments: false +categories: +- strong_password +advisory: + gem: strong_password + cve: 2019-13354 + ghsa: 5h5r-ffc4-c455 + url: https://withatwist.dev/strong-password-rubygem-hijacked.html + title: strong_password Ruby gem malicious version causing Remote Code Execution + vulnerability + date: 2019-07-05 + description: | + The `strong_password` gem on RubyGems.org was hijacked by a malicious actor. The + malicious actor published v0.0.7 containing malicious code that enables an attacker + to execute remote code in production. + + Upgrade `strong_password` to v0.0.8 to ensure no malicious code execution is possible. + cvss_v3: 9.8 + unaffected_versions: + - "< 0.0.7" + patched_versions: + - ">= 0.0.8" +--- diff --git a/advisories/_posts/2019-07-10-CVE-2019-10744.md b/advisories/_posts/2019-07-10-CVE-2019-10744.md index 70916034..d9ef5aec 100644 --- a/advisories/_posts/2019-07-10-CVE-2019-10744.md 
+++ b/advisories/_posts/2019-07-10-CVE-2019-10744.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2019-10744 (lodash-rails): Prototype Pollution in lodash' -comments: false -categories: -- lodash-rails -advisory: - gem: lodash-rails - cve: 2019-10744 - ghsa: jf85-cpcp-j695 - url: https://github.com/advisories/GHSA-jf85-cpcp-j695 - title: Prototype Pollution in lodash - date: 2019-07-10 - description: | - Versions of `lodash` before 4.17.12 are vulnerable to Prototype - Pollution. The function `defaultsDeep` allows a malicious user - to modify the prototype of `Object` via - `{constructor: {prototype: {...}}}` causing the addition or - modification of an existing property that will exist on all objects. - - ## Recommendation - - Update to version 4.17.12 or later. - cvss_v2: 6.4 - cvss_v3: 9.1 - patched_versions: - - ">= 4.17.12" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2019-10744 - - https://github.com/lodash/lodash/pull/4336 - - https://snyk.io/vuln/SNYK-JS-LODASH-450202 - - https://www.npmjs.com/advisories/1065 - - https://access.redhat.com/errata/RHSA-2019:3024 - - https://support.f5.com/csp/article/K47105354 - - https://www.oracle.com/security-alerts/cpujan2021.html - - https://www.oracle.com/security-alerts/cpuoct2020.html - - https://security.netapp.com/advisory/ntap-20191004-0005 - - https://github.com/advisories/GHSA-jf85-cpcp-j695 ---- +--- +layout: advisory +title: 'CVE-2019-10744 (lodash-rails): Prototype Pollution in lodash' +comments: false +categories: +- lodash-rails +advisory: + gem: lodash-rails + cve: 2019-10744 + ghsa: jf85-cpcp-j695 + url: https://github.com/advisories/GHSA-jf85-cpcp-j695 + title: Prototype Pollution in lodash + date: 2019-07-10 + description: | + Versions of `lodash` before 4.17.12 are vulnerable to Prototype + Pollution. The function `defaultsDeep` allows a malicious user + to modify the prototype of `Object` via + `{constructor: {prototype: {...}}}` causing the addition or + modification of an existing property that will exist on all objects. 
+ + ## Recommendation + + Update to version 4.17.12 or later. + cvss_v2: 6.4 + cvss_v3: 9.1 + patched_versions: + - ">= 4.17.12" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2019-10744 + - https://github.com/lodash/lodash/pull/4336 + - https://snyk.io/vuln/SNYK-JS-LODASH-450202 + - https://www.npmjs.com/advisories/1065 + - https://access.redhat.com/errata/RHSA-2019:3024 + - https://support.f5.com/csp/article/K47105354 + - https://www.oracle.com/security-alerts/cpujan2021.html + - https://www.oracle.com/security-alerts/cpuoct2020.html + - https://security.netapp.com/advisory/ntap-20191004-0005 + - https://github.com/advisories/GHSA-jf85-cpcp-j695 +--- diff --git a/advisories/_posts/2019-07-12-CVE-2019-13574.md b/advisories/_posts/2019-07-12-CVE-2019-13574.md index 47701bf7..f56eaec1 100644 --- a/advisories/_posts/2019-07-12-CVE-2019-13574.md +++ b/advisories/_posts/2019-07-12-CVE-2019-13574.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2019-13574 (mini_magick): Remote command execution via filename' -comments: false -categories: -- mini_magick -advisory: - gem: mini_magick - cve: 2019-13574 - ghsa: r7j3-vvh2-xrpj - url: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ - title: Remote command execution via filename - date: 2019-07-12 - description: | - A remote shell execution vulnerability when using MiniMagick::Image.open with URL coming from unsanitized user input. - e.g. `MiniMagick::Image.open("| touch.txt")` - cvss_v3: 7.5 - patched_versions: - - ">= 4.9.4" - related: - url: - - https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851 ---- +--- +layout: advisory +title: 'CVE-2019-13574 (mini_magick): Remote command execution via filename' +comments: false +categories: +- mini_magick +advisory: + gem: mini_magick + cve: 2019-13574 + ghsa: r7j3-vvh2-xrpj + url: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ + title: Remote command execution via filename + date: 2019-07-12 + description: | + A remote shell execution vulnerability when using MiniMagick::Image.open with URL coming from unsanitized user input. + e.g. `MiniMagick::Image.open("| touch.txt")` + cvss_v3: 7.5 + patched_versions: + - ">= 4.9.4" + related: + url: + - https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851 +--- diff --git a/advisories/_posts/2019-07-16-CVE-2019-1010306.md b/advisories/_posts/2019-07-16-CVE-2019-1010306.md index 2633cc91..4f4c425c 100644 --- a/advisories/_posts/2019-07-16-CVE-2019-1010306.md +++ b/advisories/_posts/2019-07-16-CVE-2019-1010306.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2019-1010306 (slanger): Arbitrary command execution in slanger' -comments: false -categories: -- slanger -advisory: - gem: slanger - cve: 2019-1010306 - ghsa: rg32-m3hf-772v - url: https://github.com/stevegraham/slanger/pull/238 - date: 2019-07-16 - title: Arbitrary command execution in slanger - description: | - A remote attacker can execute arbitrary commands by sending a crafted request to the server. - - This is due to the use of `Oj.load` instead of `Oj.strict_load` when processing messages. - - Note that `slanger` is no longer maintained. - patched_versions: - - ">= 0.6.1" - cvss_v3: 9.8 ---- +--- +layout: advisory +title: 'CVE-2019-1010306 (slanger): Arbitrary command execution in slanger' +comments: false +categories: +- slanger +advisory: + gem: slanger + cve: 2019-1010306 + ghsa: rg32-m3hf-772v + url: https://github.com/stevegraham/slanger/pull/238 + date: 2019-07-16 + title: Arbitrary command execution in slanger + description: | + A remote attacker can execute arbitrary commands by sending a crafted request to the server. + + This is due to the use of `Oj.load` instead of `Oj.strict_load` when processing messages. + + Note that `slanger` is no longer maintained. + patched_versions: + - ">= 0.6.1" + cvss_v3: 9.8 +--- diff --git a/advisories/_posts/2019-07-16-CVE-2019-13589.md b/advisories/_posts/2019-07-16-CVE-2019-13589.md index 83f6f093..3b6143f4 100644 --- a/advisories/_posts/2019-07-16-CVE-2019-13589.md +++ b/advisories/_posts/2019-07-16-CVE-2019-13589.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2019-13589 (paranoid2): Code backdoor in paranoid2' -comments: false -categories: -- paranoid2 -advisory: - gem: paranoid2 - cve: 2019-13589 - ghsa: 4g4c-8gqh-m4vm - url: https://github.com/rubygems/rubygems.org/issues/2051 - date: 2019-07-16 - title: Code backdoor in paranoid2 - description: | - The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included - a code-execution backdoor inserted by a third party. - - The current version, without this backdoor, is 1.1.5. - cvss_v3: 9.8 - unaffected_versions: - - "> 1.1.6" - - "< 1.1.6" ---- +--- +layout: advisory +title: 'CVE-2019-13589 (paranoid2): Code backdoor in paranoid2' +comments: false +categories: +- paranoid2 +advisory: + gem: paranoid2 + cve: 2019-13589 + ghsa: 4g4c-8gqh-m4vm + url: https://github.com/rubygems/rubygems.org/issues/2051 + date: 2019-07-16 + title: Code backdoor in paranoid2 + description: | + The paranoid2 gem 1.1.6 for Ruby, as distributed on RubyGems.org, included + a code-execution backdoor inserted by a third party. + + The current version, without this backdoor, is 1.1.5. + cvss_v3: 9.8 + unaffected_versions: + - "> 1.1.6" + - "< 1.1.6" +--- diff --git a/advisories/_posts/2019-07-19-CVE-2019-1010266.md b/advisories/_posts/2019-07-19-CVE-2019-1010266.md index 580bfcb2..f793c45b 100644 --- a/advisories/_posts/2019-07-19-CVE-2019-1010266.md +++ b/advisories/_posts/2019-07-19-CVE-2019-1010266.md 
@@ -1,35 +1,35 @@ ---- -layout: advisory -title: 'CVE-2019-1010266 (lodash-rails): Regular Expression Denial of Service (ReDoS) - in lodash' -comments: false -categories: -- lodash-rails -advisory: - gem: lodash-rails - cve: 2019-1010266 - ghsa: x5rq-j2xg-h7qm - url: https://github.com/advisories/GHSA-x5rq-j2xg-h7qm - title: Regular Expression Denial of Service (ReDoS) in lodash - date: 2019-07-19 - description: | - lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled - Resource Consumption. The impact is: Denial of service. The - component is: Date handler. The attack vector is: Attacker - provides very long strings, which the library attempts - to match using a regular expression. - - The fixed version is: 4.7.11. - cvss_v3: 6.5 - patched_versions: - - ">= 4.17.11" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2019-1010266 - - https://github.com/lodash/lodash/issues/3359 - - https://snyk.io/vuln/SNYK-JS-LODASH-73639 - - https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347 - - https://github.com/lodash/lodash/wiki/Changelog - - https://security.netapp.com/advisory/ntap-20190919-0004 - - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm ---- +--- +layout: advisory +title: 'CVE-2019-1010266 (lodash-rails): Regular Expression Denial of Service (ReDoS) + in lodash' +comments: false +categories: +- lodash-rails +advisory: + gem: lodash-rails + cve: 2019-1010266 + ghsa: x5rq-j2xg-h7qm + url: https://github.com/advisories/GHSA-x5rq-j2xg-h7qm + title: Regular Expression Denial of Service (ReDoS) in lodash + date: 2019-07-19 + description: | + lodash prior to 4.7.11 is affected by: CWE-400: Uncontrolled + Resource Consumption. The impact is: Denial of service. The + component is: Date handler. The attack vector is: Attacker + provides very long strings, which the library attempts + to match using a regular expression. + + The fixed version is: 4.7.11. 
+ cvss_v3: 6.5 + patched_versions: + - ">= 4.17.11" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2019-1010266 + - https://github.com/lodash/lodash/issues/3359 + - https://snyk.io/vuln/SNYK-JS-LODASH-73639 + - https://github.com/lodash/lodash/commit/5c08f18d365b64063bfbfa686cbb97cdd6267347 + - https://github.com/lodash/lodash/wiki/Changelog + - https://security.netapp.com/advisory/ntap-20190919-0004 + - https://github.com/advisories/GHSA-x5rq-j2xg-h7qm +--- diff --git a/advisories/_posts/2019-07-26-CVE-2019-1010191.md b/advisories/_posts/2019-07-26-CVE-2019-1010191.md index 1a42371e..28b3f96f 100644 --- a/advisories/_posts/2019-07-26-CVE-2019-1010191.md +++ b/advisories/_posts/2019-07-26-CVE-2019-1010191.md 
@@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2019-1010191 (marginalia): SQL injection vulnerability via Marginalia::Comment' -comments: false -categories: -- marginalia -advisory: - gem: marginalia - cve: 2019-1010191 - ghsa: hrj5-qp7x-rpg6 - url: https://github.com/basecamp/marginalia/pull/73 - title: SQL injection vulnerability via Marginalia::Comment - date: 2019-07-26 - description: | - The 'marginalia' gem is affected by a SQL Injection vulnerability. All SQL - queries are affected when a user controller argument is added as a component. - - This affects users that add a component that is user controller, for instance - a parameter or a header. - - The issue is resolved in version 1.6. - cvss_v3: 9.8 - patched_versions: - - ">= 1.6" ---- +--- +layout: advisory +title: 'CVE-2019-1010191 (marginalia): SQL injection vulnerability via Marginalia::Comment' +comments: false +categories: +- marginalia +advisory: + gem: marginalia + cve: 2019-1010191 + ghsa: hrj5-qp7x-rpg6 + url: https://github.com/basecamp/marginalia/pull/73 + title: SQL injection vulnerability via Marginalia::Comment + date: 2019-07-26 + description: | + The 'marginalia' gem is affected by a SQL Injection vulnerability. All SQL + queries are affected when a user controller argument is added as a component. + + This affects users that add a component that is user controller, for instance + a parameter or a header. + + The issue is resolved in version 1.6. + cvss_v3: 9.8 + patched_versions: + - ">= 1.6" +--- diff --git a/advisories/_posts/2019-07-31-CVE-2018-20857.md b/advisories/_posts/2019-07-31-CVE-2018-20857.md index 3df09de1..40450bd2 100644 --- a/advisories/_posts/2019-07-31-CVE-2018-20857.md +++ b/advisories/_posts/2019-07-31-CVE-2018-20857.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2018-20857 (samlr): samlr XML nodes comment attack' -comments: false -categories: -- samlr -advisory: - gem: samlr - cve: 2018-20857 - ghsa: qpxp-5j56-gg3x - url: https://github.com/zendesk/samlr/pull/29 - date: 2019-07-31 - title: samlr XML nodes comment attack - description: | - Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as - a name_id node with user@example.com followed by . and then the attacker's - domain name. - cvss_v3: 7.5 - patched_versions: - - ">= 2.6.2" ---- +--- +layout: advisory +title: 'CVE-2018-20857 (samlr): samlr XML nodes comment attack' +comments: false +categories: +- samlr +advisory: + gem: samlr + cve: 2018-20857 + ghsa: qpxp-5j56-gg3x + url: https://github.com/zendesk/samlr/pull/29 + date: 2019-07-31 + title: samlr XML nodes comment attack + description: | + Zendesk Samlr before 2.6.2 allows an XML nodes comment attack such as + a name_id node with user@example.com followed by . and then the attacker's + domain name. + cvss_v3: 7.5 + patched_versions: + - ">= 2.6.2" +--- diff --git a/advisories/_posts/2019-07-31-CVE-2019-14281.md b/advisories/_posts/2019-07-31-CVE-2019-14281.md index 153c2832..bb200103 100644 --- a/advisories/_posts/2019-07-31-CVE-2019-14281.md +++ b/advisories/_posts/2019-07-31-CVE-2019-14281.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2019-14281 (datagrid): Code execution backdoor in datagrid' -comments: false -categories: -- datagrid -advisory: - gem: datagrid - cve: 2019-14281 - ghsa: rqp5-pg7w-832p - url: https://github.com/rubygems/rubygems.org/issues/2072 - date: 2019-07-31 - title: Code execution backdoor in datagrid - description: | - The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included - a code-execution backdoor inserted by a third party. - unaffected_versions: - - "< 1.0.6" - - "> 1.0.6" - cvss_v3: 9.8 ---- +--- +layout: advisory +title: 'CVE-2019-14281 (datagrid): Code execution backdoor in datagrid' +comments: false +categories: +- datagrid +advisory: + gem: datagrid + cve: 2019-14281 + ghsa: rqp5-pg7w-832p + url: https://github.com/rubygems/rubygems.org/issues/2072 + date: 2019-07-31 + title: Code execution backdoor in datagrid + description: | + The datagrid gem 1.0.6 for Ruby, as distributed on RubyGems.org, included + a code-execution backdoor inserted by a third party. + unaffected_versions: + - "< 1.0.6" + - "> 1.0.6" + cvss_v3: 9.8 +--- diff --git a/advisories/_posts/2019-07-31-CVE-2019-14282.md b/advisories/_posts/2019-07-31-CVE-2019-14282.md index 4359fb8c..0db7f11d 100644 --- a/advisories/_posts/2019-07-31-CVE-2019-14282.md +++ b/advisories/_posts/2019-07-31-CVE-2019-14282.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2019-14282 (simple_captcha2): Code backdoor in simple_captcha2' -comments: false -categories: -- simple_captcha2 -advisory: - gem: simple_captcha2 - cve: 2019-14282 - ghsa: wg6j-r28m-7293 - url: https://github.com/rubygems/rubygems.org/issues/2073 - title: Code backdoor in simple_captcha2 - date: 2019-07-31 - description: | - The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, - included a code-execution backdoor inserted by a third party. - cvss_v3: 9.8 - unaffected_versions: - - "< 0.2.3" - - "> 0.2.3" ---- +--- +layout: advisory +title: 'CVE-2019-14282 (simple_captcha2): Code backdoor in simple_captcha2' +comments: false +categories: +- simple_captcha2 +advisory: + gem: simple_captcha2 + cve: 2019-14282 + ghsa: wg6j-r28m-7293 + url: https://github.com/rubygems/rubygems.org/issues/2073 + title: Code backdoor in simple_captcha2 + date: 2019-07-31 + description: | + The simple_captcha2 gem 0.2.3 for Ruby, as distributed on RubyGems.org, + included a code-execution backdoor inserted by a third party. + cvss_v3: 9.8 + unaffected_versions: + - "< 0.2.3" + - "> 0.2.3" +--- diff --git a/advisories/_posts/2019-08-11-CVE-2019-5477.md b/advisories/_posts/2019-08-11-CVE-2019-5477.md index 3bba01c7..1fb6e39a 100644 --- a/advisories/_posts/2019-08-11-CVE-2019-5477.md +++ b/advisories/_posts/2019-08-11-CVE-2019-5477.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2019-5477 (rexical): Rexical Command Injection Vulnerability' -comments: false -categories: -- rexical -advisory: - gem: rexical - cve: 2019-5477 - ghsa: cr5j-953j-xw5p - url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926 - title: Rexical Command Injection Vulnerability - date: 2019-08-11 - description: | - A command injection vulnerability appears in code generated by the Rexical - gem versions v1.0.6 and earlier. It allows commands to be executed in a - subprocess by Ruby's `Kernel.open` method. - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 1.0.7" - related: - url: - - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06 - - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ ---- +--- +layout: advisory +title: 'CVE-2019-5477 (rexical): Rexical Command Injection Vulnerability' +comments: false +categories: +- rexical +advisory: + gem: rexical + cve: 2019-5477 + ghsa: cr5j-953j-xw5p + url: https://github.com/tenderlove/rexical/commit/a652474dbc66be350055db3e8f9b3a7b3fd75926 + title: Rexical Command Injection Vulnerability + date: 2019-08-11 + description: | + A command injection vulnerability appears in code generated by the Rexical + gem versions v1.0.6 and earlier. It allows commands to be executed in a + subprocess by Ruby's `Kernel.open` method. + cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 1.0.7" + related: + url: + - https://github.com/tenderlove/rexical/blob/master/CHANGELOG.rdoc#107--2019-08-06 + - https://groups.google.com/forum/#!msg/ruby-security-ann/YMnKFsASOAE/Fw3ocLI0BQAJ +--- diff --git a/advisories/_posts/2019-08-19-CVE-2019-15224.md b/advisories/_posts/2019-08-19-CVE-2019-15224.md index 679c2a74..ae8ea715 100644 --- a/advisories/_posts/2019-08-19-CVE-2019-15224.md +++ b/advisories/_posts/2019-08-19-CVE-2019-15224.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2019-15224 (rest-client): Code execution backdoor in rest-client' -comments: false -categories: -- rest-client -advisory: - gem: rest-client - cve: 2019-15224 - ghsa: 333g-rpr4-7hxq - url: https://github.com/rest-client/rest-client/issues/713 - title: Code execution backdoor in rest-client - date: 2019-08-19 - description: | - The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, - included a code-execution backdoor inserted by a third party. - cvss_v3: 9.8 - unaffected_versions: - - "<= 1.6.9" - - ">= 1.6.14" ---- +--- +layout: advisory +title: 'CVE-2019-15224 (rest-client): Code execution backdoor in rest-client' +comments: false +categories: +- rest-client +advisory: + gem: rest-client + cve: 2019-15224 + ghsa: 333g-rpr4-7hxq + url: https://github.com/rest-client/rest-client/issues/713 + title: Code execution backdoor in rest-client + date: 2019-08-19 + description: | + The rest-client gem 1.6.13 for Ruby, as distributed on RubyGems.org, + included a code-execution backdoor inserted by a third party. + cvss_v3: 9.8 + unaffected_versions: + - "<= 1.6.9" + - ">= 1.6.14" +--- diff --git a/advisories/_posts/2019-08-20-CVE-2019-15224.md b/advisories/_posts/2019-08-20-CVE-2019-15224.md index 29f6435b..24b3564b 100644 --- a/advisories/_posts/2019-08-20-CVE-2019-15224.md +++ b/advisories/_posts/2019-08-20-CVE-2019-15224.md 
@@ -1,27 +1,27 @@ ---- -layout: advisory -title: 'CVE-2019-15224 (omniauth_amazon): Code execution backdoor in omniauth_amazon' -comments: false -categories: -- omniauth_amazon -advisory: - gem: omniauth_amazon - cve: 2019-15224 - ghsa: 333g-rpr4-7hxq - url: https://github.com/rubygems.org/issues/2097 - title: Code execution backdoor in omniauth_amazon - date: 2019-08-20 - description: | - The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a - code-execution backdoor inserted by a third party. - - Users of an affected version should consider downgrading to the last non-affected version of - 1.0.1. - cvss_v3: 9.8 - unaffected_versions: - - "< 1.0.1" - - "> 1.0.1" - related: - url: - - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019 ---- +--- +layout: advisory +title: 'CVE-2019-15224 (omniauth_amazon): Code execution backdoor in omniauth_amazon' +comments: false +categories: +- omniauth_amazon +advisory: + gem: omniauth_amazon + cve: 2019-15224 + ghsa: 333g-rpr4-7hxq + url: https://github.com/rubygems.org/issues/2097 + title: Code execution backdoor in omniauth_amazon + date: 2019-08-20 + description: | + The omniauth_amazon gem 1.0.1 for Ruby, as distributed on RubyGems.org, included a + code-execution backdoor inserted by a third party. + + Users of an affected version should consider downgrading to the last non-affected version of + 1.0.1. + cvss_v3: 9.8 + unaffected_versions: + - "< 1.0.1" + - "> 1.0.1" + related: + url: + - https://github.com/rubygems/rubygems.org/wiki/Gems-yanked-and-accounts-locked#19-aug-2019 +--- diff --git a/advisories/_posts/2019-08-21-CVE-2018-20975.md b/advisories/_posts/2019-08-21-CVE-2018-20975.md index 8212b341..19c735e2 100644 --- a/advisories/_posts/2019-08-21-CVE-2018-20975.md +++ b/advisories/_posts/2019-08-21-CVE-2018-20975.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2018-20975 (fat_free_crm): fat_free_crm XSS via query parameter of tags_helper - method' -comments: false -categories: -- fat_free_crm -advisory: - gem: fat_free_crm - cve: 2018-20975 - ghsa: 4p8f-mmfj-r45g - url: https://github.com/fatfreecrm/fat_free_crm/commit/6d60bc8ed010c4eda05d6645c64849f415f68d65 - date: 2019-08-21 - title: fat_free_crm XSS via query parameter of tags_helper method - description: 'Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb. - - ' - cvss_v3: 6.1 - patched_versions: - - ">= 0.18.1" ---- +--- +layout: advisory +title: 'CVE-2018-20975 (fat_free_crm): fat_free_crm XSS via query parameter of tags_helper + method' +comments: false +categories: +- fat_free_crm +advisory: + gem: fat_free_crm + cve: 2018-20975 + ghsa: 4p8f-mmfj-r45g + url: https://github.com/fatfreecrm/fat_free_crm/commit/6d60bc8ed010c4eda05d6645c64849f415f68d65 + date: 2019-08-21 + title: fat_free_crm XSS via query parameter of tags_helper method + description: 'Fat Free CRM before 0.18.1 has XSS in the tags_helper in app/helpers/tags_helper.rb. + + ' + cvss_v3: 6.1 + patched_versions: + - ">= 0.18.1" +--- diff --git a/advisories/_posts/2019-08-29-CVE-2020-8130.md b/advisories/_posts/2019-08-29-CVE-2020-8130.md index ca01184a..50270011 100644 --- a/advisories/_posts/2019-08-29-CVE-2020-8130.md +++ b/advisories/_posts/2019-08-29-CVE-2020-8130.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2020-8130 (rake): OS Command Injection in Rake' -comments: false -categories: -- rake -advisory: - gem: rake - cve: 2020-8130 - ghsa: jppv-gw3r-w3q8 - date: 2019-08-29 - url: https://github.com/advisories/GHSA-jppv-gw3r-w3q8 - title: OS Command Injection in Rake - description: | - There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in - Rake::FileList when supplying a filename that begins with the pipe character - `|`. - cvss_v2: 9.3 - cvss_v3: 8.1 - patched_versions: - - ">= 12.3.3" ---- +--- +layout: advisory +title: 'CVE-2020-8130 (rake): OS Command Injection in Rake' +comments: false +categories: +- rake +advisory: + gem: rake + cve: 2020-8130 + ghsa: jppv-gw3r-w3q8 + date: 2019-08-29 + url: https://github.com/advisories/GHSA-jppv-gw3r-w3q8 + title: OS Command Injection in Rake + description: | + There is an OS command injection vulnerability in Ruby Rake < 12.3.3 in + Rake::FileList when supplying a filename that begins with the pipe character + `|`. + cvss_v2: 9.3 + cvss_v3: 8.1 + patched_versions: + - ">= 12.3.3" +--- diff --git a/advisories/_posts/2019-09-08-CVE-2019-16109.md b/advisories/_posts/2019-09-08-CVE-2019-16109.md index 42f44e1d..86546a1b 100644 --- a/advisories/_posts/2019-09-08-CVE-2019-16109.md +++ b/advisories/_posts/2019-09-08-CVE-2019-16109.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2019-16109 (devise): Devise Gem for Ruby confirmation token validation - with a blank string' -comments: false -categories: -- devise -advisory: - gem: devise - cve: 2019-16109 - ghsa: fcjw-8rhj-gwwc - url: https://github.com/plataformatec/devise/issues/5071 - title: Devise Gem for Ruby confirmation token validation with a blank string - date: 2019-09-08 - description: | - Devise before 4.7.1 confirms accounts upon receiving a request with a blank - confirmation_token, if a database record has a blank value in the confirmation_token column. - However, there is no scenario within Devise itself in which such database records would exist. - cvss_v3: 5.3 - patched_versions: - - ">= 4.7.1" ---- +--- +layout: advisory +title: 'CVE-2019-16109 (devise): Devise Gem for Ruby confirmation token validation + with a blank string' +comments: false +categories: +- devise +advisory: + gem: devise + cve: 2019-16109 + ghsa: fcjw-8rhj-gwwc + url: https://github.com/plataformatec/devise/issues/5071 + title: Devise Gem for Ruby confirmation token validation with a blank string + date: 2019-09-08 + description: | + Devise before 4.7.1 confirms accounts upon receiving a request with a blank + confirmation_token, if a database record has a blank value in the confirmation_token column. + However, there is no scenario within Devise itself in which such database records would exist. + cvss_v3: 5.3 + patched_versions: + - ">= 4.7.1" +--- diff --git a/advisories/_posts/2019-09-12-CVE-2019-16892.md b/advisories/_posts/2019-09-12-CVE-2019-16892.md index 35c4e5b0..46bb3926 100644 --- a/advisories/_posts/2019-09-12-CVE-2019-16892.md +++ b/advisories/_posts/2019-09-12-CVE-2019-16892.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2019-16892 (rubyzip): Denial of Service in rubyzip ("zip bombs")' -comments: false -categories: -- rubyzip -advisory: - gem: rubyzip - cve: 2019-16892 - ghsa: 5m2v-hc64-56h6 - url: https://github.com/rubyzip/rubyzip/pull/403 - title: Denial of Service in rubyzip ("zip bombs") - date: 2019-09-12 - description: | - In Rubyzip before 1.3.0, a crafted ZIP file can bypass application - checks on ZIP entry sizes because data about the uncompressed size - can be spoofed. This allows attackers to cause a denial of service - (disk consumption). - cvss_v3: 5.5 - patched_versions: - - ">= 1.3.0" ---- +--- +layout: advisory +title: 'CVE-2019-16892 (rubyzip): Denial of Service in rubyzip ("zip bombs")' +comments: false +categories: +- rubyzip +advisory: + gem: rubyzip + cve: 2019-16892 + ghsa: 5m2v-hc64-56h6 + url: https://github.com/rubyzip/rubyzip/pull/403 + title: Denial of Service in rubyzip ("zip bombs") + date: 2019-09-12 + description: | + In Rubyzip before 1.3.0, a crafted ZIP file can bypass application + checks on ZIP entry sizes because data about the uncompressed size + can be spoofed. This allows attackers to cause a denial of service + (disk consumption). + cvss_v3: 5.5 + patched_versions: + - ">= 1.3.0" +--- diff --git a/advisories/_posts/2019-09-23-CVE-2019-16145.md b/advisories/_posts/2019-09-23-CVE-2019-16145.md index 4527ae73..87d35e1f 100644 --- a/advisories/_posts/2019-09-23-CVE-2019-16145.md +++ b/advisories/_posts/2019-09-23-CVE-2019-16145.md 
@@ -1,19 +1,19 @@ ---- -layout: advisory -title: 'CVE-2019-16145 (padrino-contrib): padrino-contrib XSS via caption parameter - of breadcrumbs helper' -comments: false -categories: -- padrino-contrib -advisory: - gem: padrino-contrib - cve: 2019-16145 - ghsa: rwpr-83g3-96g7 - url: https://github.com/padrino/padrino-contrib/pull/35 - date: 2019-09-23 - title: padrino-contrib XSS via caption parameter of breadcrumbs helper - description: | - The breadcrumbs contributed module through 0.2.0 for Padrino Framework - allows XSS via a caption. - cvss_v3: 6.1 ---- +--- +layout: advisory +title: 'CVE-2019-16145 (padrino-contrib): padrino-contrib XSS via caption parameter + of breadcrumbs helper' +comments: false +categories: +- padrino-contrib +advisory: + gem: padrino-contrib + cve: 2019-16145 + ghsa: rwpr-83g3-96g7 + url: https://github.com/padrino/padrino-contrib/pull/35 + date: 2019-09-23 + title: padrino-contrib XSS via caption parameter of breadcrumbs helper + description: | + The breadcrumbs contributed module through 0.2.0 for Padrino Framework + allows XSS via a caption. + cvss_v3: 6.1 +--- diff --git a/advisories/_posts/2019-09-23-CVE-2019-16377.md b/advisories/_posts/2019-09-23-CVE-2019-16377.md index b2624af4..818fd8aa 100644 --- a/advisories/_posts/2019-09-23-CVE-2019-16377.md +++ b/advisories/_posts/2019-09-23-CVE-2019-16377.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2019-16377 (consul): Consul gem insufficient authentication check - Multiple - powers in one controller are not always checked correctly' -comments: false -categories: -- consul -advisory: - gem: consul - cve: 2019-16377 - ghsa: 8jhx-9gf4-hhf5 - url: https://github.com/makandra/consul/issues/49 - title: Consul gem insufficient authentication check - Multiple powers in one controller - are not always checked correctly - date: 2019-09-23 - description: | - With the consul ruby gem before 1.0.3, if a controller checks multiple powers - using `:if` or `:except` conditions, these conditions are erroneously applied - to all power checks in that controller. This can lead to skipped power checks - and hence unauthenticated access to certain controller actions. - cvss_v3: 9.8 - patched_versions: - - ">= 1.0.3" ---- +--- +layout: advisory +title: 'CVE-2019-16377 (consul): Consul gem insufficient authentication check - Multiple + powers in one controller are not always checked correctly' +comments: false +categories: +- consul +advisory: + gem: consul + cve: 2019-16377 + ghsa: 8jhx-9gf4-hhf5 + url: https://github.com/makandra/consul/issues/49 + title: Consul gem insufficient authentication check - Multiple powers in one controller + are not always checked correctly + date: 2019-09-23 + description: | + With the consul ruby gem before 1.0.3, if a controller checks multiple powers + using `:if` or `:except` conditions, these conditions are erroneously applied + to all power checks in that controller. This can lead to skipped power checks + and hence unauthenticated access to certain controller actions. + cvss_v3: 9.8 + patched_versions: + - ">= 1.0.3" +--- diff --git a/advisories/_posts/2019-09-27-CVE-2019-16676.md b/advisories/_posts/2019-09-27-CVE-2019-16676.md index 7bb17df2..9d1372e3 100644 --- a/advisories/_posts/2019-09-27-CVE-2019-16676.md +++ b/advisories/_posts/2019-09-27-CVE-2019-16676.md 
@@ -1,24 +1,24 @@ ---- -layout: advisory -title: 'CVE-2019-16676 (simple_form): simple_form Gem for Ruby Incorrect Access Control - for forms based on user input' -comments: false -categories: -- simple_form -advisory: - gem: simple_form - cve: 2019-16676 - ghsa: r74q-gxcg-73hx - url: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx - title: simple_form Gem for Ruby Incorrect Access Control for forms based on user - input - date: 2019-09-27 - description: | - Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`, - because a user-supplied string is invoked as a method call. - - This only happens for pages that build forms based on user input. - cvss_v3: 9.8 - patched_versions: - - ">= 5.0" ---- +--- +layout: advisory +title: 'CVE-2019-16676 (simple_form): simple_form Gem for Ruby Incorrect Access Control + for forms based on user input' +comments: false +categories: +- simple_form +advisory: + gem: simple_form + cve: 2019-16676 + ghsa: r74q-gxcg-73hx + url: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx + title: simple_form Gem for Ruby Incorrect Access Control for forms based on user + input + date: 2019-09-27 + description: | + Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`, + because a user-supplied string is invoked as a method call. + + This only happens for pages that build forms based on user input. + cvss_v3: 9.8 + patched_versions: + - ">= 5.0" +--- diff --git a/advisories/_posts/2019-10-07-CVE-2024-22050.md b/advisories/_posts/2019-10-07-CVE-2024-22050.md index 2f7c2a69..40b2e315 100644 --- a/advisories/_posts/2019-10-07-CVE-2024-22050.md +++ b/advisories/_posts/2019-10-07-CVE-2024-22050.md 
@@ -1,53 +1,53 @@ ---- -layout: advisory -title: 'CVE-2024-22050 (iodine): Malicious URL drafting attack against iodines static - file server may allow path traversal' -comments: false -categories: -- iodine -advisory: - gem: iodine - cve: 2024-22050 - ghsa: 85rf-xh54-whp3 - url: https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3 - title: Malicious URL drafting attack against iodines static file server may allow - path traversal - date: 2019-10-07 - description: | - ### Impact - - A path traversal vulnerability was detected in iodine's static - file service. This vulnerability effects any application running - iodine's static file server on an effected iodine version. - - Malicious URL drafting may cause the static file server to attempt - a response containing data from files that shouldn't be normally - accessible from the public folder. - - ### Patches - - The vulnerability was patched in version 0.7.34. Please upgrade - to the latest version. - - ### Workarounds - - A possible workaround would be to disable the static file service - and it's `X-Sendfile` support, sending static files using nginx - or a source code solution (sending the data dynamically). - - However, it would be better to upgrade iodine to the latest - version, as it also contains non-security related fixes. 
- - ### For more information - If you have any questions or comments about this advisory: - * Email [Boaz Segev](https://github.com/boazsegev) - cvss_v3: 7.5 - patched_versions: - - ">= 0.7.34" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2024-22050 - - https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3 - - https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889 - - https://github.com/advisories/GHSA-85rf-xh54-whp3 ---- +--- +layout: advisory +title: 'CVE-2024-22050 (iodine): Malicious URL drafting attack against iodines static + file server may allow path traversal' +comments: false +categories: +- iodine +advisory: + gem: iodine + cve: 2024-22050 + ghsa: 85rf-xh54-whp3 + url: https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3 + title: Malicious URL drafting attack against iodines static file server may allow + path traversal + date: 2019-10-07 + description: | + ### Impact + + A path traversal vulnerability was detected in iodine's static + file service. This vulnerability effects any application running + iodine's static file server on an effected iodine version. + + Malicious URL drafting may cause the static file server to attempt + a response containing data from files that shouldn't be normally + accessible from the public folder. + + ### Patches + + The vulnerability was patched in version 0.7.34. Please upgrade + to the latest version. + + ### Workarounds + + A possible workaround would be to disable the static file service + and it's `X-Sendfile` support, sending static files using nginx + or a source code solution (sending the data dynamically). + + However, it would be better to upgrade iodine to the latest + version, as it also contains non-security related fixes. 
+ + ### For more information + If you have any questions or comments about this advisory: + * Email [Boaz Segev](https://github.com/boazsegev) + cvss_v3: 7.5 + patched_versions: + - ">= 0.7.34" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2024-22050 + - https://github.com/boazsegev/iodine/security/advisories/GHSA-85rf-xh54-whp3 + - https://github.com/boazsegev/iodine/commit/5558233fb7defda706b4f9c87c17759705949889 + - https://github.com/advisories/GHSA-85rf-xh54-whp3 +--- diff --git a/advisories/_posts/2019-10-14-CVE-2019-17383.md b/advisories/_posts/2019-10-14-CVE-2019-17383.md index 3012cc9f..0464c780 100644 --- a/advisories/_posts/2019-10-14-CVE-2019-17383.md +++ b/advisories/_posts/2019-10-14-CVE-2019-17383.md @@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2019-17383 (netaddr): netaddr world-writeable file permissions' -comments: false -categories: -- netaddr -advisory: - gem: netaddr - cve: 2019-17383 - ghsa: 49pj-69vf-c689 - url: https://github.com/dspinhirne/netaddr-rb/pull/20 - date: 2019-10-14 - title: netaddr world-writeable file permissions - description: | - The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, - such that a gem install may result in 0777 permissions in the target filesystem. - cvss_v3: 9.8 - patched_versions: - - "~> 1.5.3" - - ">= 2.0.4" ---- +--- +layout: advisory +title: 'CVE-2019-17383 (netaddr): netaddr world-writeable file permissions' +comments: false +categories: +- netaddr +advisory: + gem: netaddr + cve: 2019-17383 + ghsa: 49pj-69vf-c689 + url: https://github.com/dspinhirne/netaddr-rb/pull/20 + date: 2019-10-14 + title: netaddr world-writeable file permissions + description: | + The netaddr gem before 2.0.4 for Ruby has misconfigured file permissions, + such that a gem install may result in 0777 permissions in the target filesystem. + cvss_v3: 9.8 + patched_versions: + - "~> 1.5.3" + - ">= 2.0.4" +--- 
diff --git a/advisories/_posts/2019-10-22-CVE-2019-15587.md b/advisories/_posts/2019-10-22-CVE-2019-15587.md index 5f6bec99..be1e7735 100644 --- a/advisories/_posts/2019-10-22-CVE-2019-15587.md +++ b/advisories/_posts/2019-10-22-CVE-2019-15587.md @@ -1,20 +1,20 @@ ---- -layout: advisory -title: 'CVE-2019-15587 (loofah): Loofah XSS Vulnerability' -comments: false -categories: -- loofah -advisory: - gem: loofah - cve: 2019-15587 - ghsa: c3gv-9cxf-6f57 - url: https://github.com/flavorjones/loofah/issues/171 - title: Loofah XSS Vulnerability - date: 2019-10-22 - description: | - In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in - sanitized output when a crafted SVG element is republished. - cvss_v3: 6.4 - patched_versions: - - ">= 2.3.1" ---- +--- +layout: advisory +title: 'CVE-2019-15587 (loofah): Loofah XSS Vulnerability' +comments: false +categories: +- loofah +advisory: + gem: loofah + cve: 2019-15587 + ghsa: c3gv-9cxf-6f57 + url: https://github.com/flavorjones/loofah/issues/171 + title: Loofah XSS Vulnerability + date: 2019-10-22 + description: | + In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in + sanitized output when a crafted SVG element is republished. + cvss_v3: 6.4 + patched_versions: + - ">= 2.3.1" +--- diff --git a/advisories/_posts/2019-10-24-CVE-2019-18409.md b/advisories/_posts/2019-10-24-CVE-2019-18409.md index 6f3ff171..a4263fec 100644 --- a/advisories/_posts/2019-10-24-CVE-2019-18409.md +++ b/advisories/_posts/2019-10-24-CVE-2019-18409.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2019-18409 (ruby_parser-legacy): ruby_parser-legacy world writable files - allow local privilege escalation' -comments: false -categories: -- ruby_parser-legacy -advisory: - gem: ruby_parser-legacy - cve: 2019-18409 - ghsa: hhwc-8g49-j8jx - url: https://github.com/zenspider/ruby_parser-legacy/issues/1 - title: ruby_parser-legacy world writable files allow local privilege escalation - date: 2019-10-24 - description: | - The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local - privilege escalation because of world-writable files. For example, - if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, - a local user can insert malicious code into the - ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file. - cvss_v2: 4.6 - cvss_v3: 7.8 ---- +--- +layout: advisory +title: 'CVE-2019-18409 (ruby_parser-legacy): ruby_parser-legacy world writable files + allow local privilege escalation' +comments: false +categories: +- ruby_parser-legacy +advisory: + gem: ruby_parser-legacy + cve: 2019-18409 + ghsa: hhwc-8g49-j8jx + url: https://github.com/zenspider/ruby_parser-legacy/issues/1 + title: ruby_parser-legacy world writable files allow local privilege escalation + date: 2019-10-24 + description: | + The ruby_parser-legacy (aka legacy) gem 1.0.0 for Ruby allows local + privilege escalation because of world-writable files. For example, + if the brakeman gem (which has a legacy dependency) 4.5.0 through 4.7.0 is used, + a local user can insert malicious code into the + ruby_parser-legacy-1.0.0/lib/ruby_parser/legacy/ruby_parser.rb file. + cvss_v2: 4.6 + cvss_v3: 7.8 +--- diff --git a/advisories/_posts/2019-10-31-CVE-2019-13117.md b/advisories/_posts/2019-10-31-CVE-2019-13117.md index 8100513a..e2f2fc5d 100644 --- a/advisories/_posts/2019-10-31-CVE-2019-13117.md +++ b/advisories/_posts/2019-10-31-CVE-2019-13117.md 
@@ -1,87 +1,87 @@ ---- -layout: advisory -title: 'CVE-2019-13117 (nokogiri): Nokogiri gem, via libxslt, is affected by multiple - vulnerabilities' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2019-13117 - ghsa: 4hm9-844j-jmxp - url: https://github.com/sparklemotion/nokogiri/issues/1943 - title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities - date: 2019-10-31 - description: | - Nokogiri v1.10.5 has been released. - - This is a security release. It addresses three CVEs in upstream libxml2, - for which details are below. - - If you're using your distro's system libraries, rather than Nokogiri's - vendored libraries, there's no security need to upgrade at this time, - though you may want to check with your distro whether they've patched this - (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses - these vulnerabilities. - - Full details about the security update are available in Github Issue - [#1943] https://github.com/sparklemotion/nokogiri/issues/1943. - - --- - - CVE-2019-13117 - - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html - - Priority: Low - - Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings - could lead to a uninitialized read in xsltNumberFormatInsertNumbers. This - could allow an attacker to discern whether a byte on the stack contains the - characters A, a, I, i, or 0, or any other character. 
- - Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 - - --- - - CVE-2019-13118 - - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html - - Priority: Low - - Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an - xsl:number instruction was too narrow and an invalid character/length - combination could be passed to xsltNumberFormatDecimal, leading to a read - of uninitialized stack data - - Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b - - --- - - CVE-2019-18197 - - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html - - Priority: Medium - - Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't - reset under certain circumstances. If the relevant memory area happened to - be freed and reused in a certain way, a bounds check could fail and memory - outside a buffer could be written to, or uninitialized data could be - disclosed. 
- - Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 - patched_versions: - - ">= 1.10.5" - related: - cve: - - 2019-13118 - - 2019-18197 - url: - - https://groups.google.com/d/msg/ruby-security-ann/-Wq4aouIA3Q/yc76ZHemBgAJ - - https://usn.ubuntu.com/4164-1/ - - https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 - - https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b - - https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 ---- +--- +layout: advisory +title: 'CVE-2019-13117 (nokogiri): Nokogiri gem, via libxslt, is affected by multiple + vulnerabilities' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2019-13117 + ghsa: 4hm9-844j-jmxp + url: https://github.com/sparklemotion/nokogiri/issues/1943 + title: Nokogiri gem, via libxslt, is affected by multiple vulnerabilities + date: 2019-10-31 + description: | + Nokogiri v1.10.5 has been released. + + This is a security release. It addresses three CVEs in upstream libxml2, + for which details are below. + + If you're using your distro's system libraries, rather than Nokogiri's + vendored libraries, there's no security need to upgrade at this time, + though you may want to check with your distro whether they've patched this + (Canonical has patched Ubuntu packages). Note that libxslt 1.1.34 addresses + these vulnerabilities. + + Full details about the security update are available in Github Issue + [#1943] https://github.com/sparklemotion/nokogiri/issues/1943. + + --- + + CVE-2019-13117 + + https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13117.html + + Priority: Low + + Description: In numbers.c in libxslt 1.1.33, an xsl:number with certain format strings + could lead to a uninitialized read in xsltNumberFormatInsertNumbers. 
This + could allow an attacker to discern whether a byte on the stack contains the + characters A, a, I, i, or 0, or any other character. + + Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 + + --- + + CVE-2019-13118 + + https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-13118.html + + Priority: Low + + Description: In numbers.c in libxslt 1.1.33, a type holding grouping characters of an + xsl:number instruction was too narrow and an invalid character/length + combination could be passed to xsltNumberFormatDecimal, leading to a read + of uninitialized stack data + + Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b + + --- + + CVE-2019-18197 + + https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-18197.html + + Priority: Medium + + Description: In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't + reset under certain circumstances. If the relevant memory area happened to + be freed and reused in a certain way, a bounds check could fail and memory + outside a buffer could be written to, or uninitialized data could be + disclosed. + + Patched with commit https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 + patched_versions: + - ">= 1.10.5" + related: + cve: + - 2019-13118 + - 2019-18197 + url: + - https://groups.google.com/d/msg/ruby-security-ann/-Wq4aouIA3Q/yc76ZHemBgAJ + - https://usn.ubuntu.com/4164-1/ + - https://gitlab.gnome.org/GNOME/libxslt/commit/c5eb6cf3aba0af048596106ed839b4ae17ecbcb1 + - https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b + - https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285 +--- diff --git a/advisories/_posts/2019-11-09-CVE-2019-18841.md b/advisories/_posts/2019-11-09-CVE-2019-18841.md index f5adc85b..7b062e4d 100644 --- a/advisories/_posts/2019-11-09-CVE-2019-18841.md 
+++ b/advisories/_posts/2019-11-09-CVE-2019-18841.md @@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2019-18841 (chartkick): Prototype Pollution in Chartkick.js 3.1.x' -comments: false -categories: -- chartkick -advisory: - gem: chartkick - cve: 2019-18841 - ghsa: 5pm8-492c-92p5 - url: https://github.com/ankane/chartkick.js/issues/117 - title: Prototype Pollution in Chartkick.js 3.1.x - date: 2019-11-09 - description: | - A specially crafted response in data loaded via URL - can cause prototype pollution in JavaScript. - cvss_v3: 7.3 - unaffected_versions: - - "< 3.1.0" - patched_versions: - - ">= 3.3.0" ---- +--- +layout: advisory +title: 'CVE-2019-18841 (chartkick): Prototype Pollution in Chartkick.js 3.1.x' +comments: false +categories: +- chartkick +advisory: + gem: chartkick + cve: 2019-18841 + ghsa: 5pm8-492c-92p5 + url: https://github.com/ankane/chartkick.js/issues/117 + title: Prototype Pollution in Chartkick.js 3.1.x + date: 2019-11-09 + description: | + A specially crafted response in data loaded via URL + can cause prototype pollution in JavaScript. + cvss_v3: 7.3 + unaffected_versions: + - "< 3.1.0" + patched_versions: + - ">= 3.3.0" +--- diff --git a/advisories/_posts/2019-11-14-CVE-2019-18848.md b/advisories/_posts/2019-11-14-CVE-2019-18848.md index c9a2d0d2..1380784e 100644 --- a/advisories/_posts/2019-11-14-CVE-2019-18848.md +++ b/advisories/_posts/2019-11-14-CVE-2019-18848.md 
@@ -1,22 +1,22 @@ ---- -layout: advisory -title: 'CVE-2019-18848 (json-jwt): json-jwt improper input validation due to lack - of element count when splitting string' -comments: false -categories: -- json-jwt -advisory: - gem: json-jwt - cve: 2019-18848 - ghsa: cff7-6h4q-q5pj - url: https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a - date: 2019-11-14 - title: json-jwt improper input validation due to lack of element count when splitting - string - description: | - The json-jwt gem before 1.11.0 for Ruby lacks an element count during - the splitting of a JWE string. - cvss_v3: 7.5 - patched_versions: - - ">= 1.11.0" ---- +--- +layout: advisory +title: 'CVE-2019-18848 (json-jwt): json-jwt improper input validation due to lack + of element count when splitting string' +comments: false +categories: +- json-jwt +advisory: + gem: json-jwt + cve: 2019-18848 + ghsa: cff7-6h4q-q5pj + url: https://github.com/nov/json-jwt/commit/ada16e772906efdd035e3df49cb2ae372f0f948a + date: 2019-11-14 + title: json-jwt improper input validation due to lack of element count when splitting + string + description: | + The json-jwt gem before 1.11.0 for Ruby lacks an element count during + the splitting of a JWE string. + cvss_v3: 7.5 + patched_versions: + - ">= 1.11.0" +--- diff --git a/advisories/_posts/2019-11-15-CVE-2019-18978.md b/advisories/_posts/2019-11-15-CVE-2019-18978.md index 05a974d4..3a5bce9b 100644 --- a/advisories/_posts/2019-11-15-CVE-2019-18978.md +++ b/advisories/_posts/2019-11-15-CVE-2019-18978.md 
@@ -1,21 +1,21 @@ ---- -layout: advisory -title: 'CVE-2019-18978 (rack-cors): rack-cors directory traversal via path' -comments: false -categories: -- rack-cors -advisory: - gem: rack-cors - cve: 2019-18978 - ghsa: pf8f-w267-mq2h - url: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d - title: rack-cors directory traversal via path - date: 2019-11-15 - description: | - An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem - before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources - because resource matching does not ensure that pathnames are in a canonical format. - cvss_v3: 5.3 - patched_versions: - - ">= 1.0.4" ---- +--- +layout: advisory +title: 'CVE-2019-18978 (rack-cors): rack-cors directory traversal via path' +comments: false +categories: +- rack-cors +advisory: + gem: rack-cors + cve: 2019-18978 + ghsa: pf8f-w267-mq2h + url: https://github.com/cyu/rack-cors/commit/e4d4fc362a4315808927011cbe5afcfe5486f17d + title: rack-cors directory traversal via path + date: 2019-11-15 + description: | + An issue was discovered in the rack-cors (aka Rack CORS Middleware) gem + before 1.0.4 for Ruby. It allows ../ directory traversal to access private resources + because resource matching does not ensure that pathnames are in a canonical format. + cvss_v3: 5.3 + patched_versions: + - ">= 1.0.4" +--- diff --git a/advisories/_posts/2019-12-05-CVE-2019-16770.md b/advisories/_posts/2019-12-05-CVE-2019-16770.md index fdcb9603..5c8a0e44 100644 --- a/advisories/_posts/2019-12-05-CVE-2019-16770.md +++ b/advisories/_posts/2019-12-05-CVE-2019-16770.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2019-16770 (puma): Keepalive thread overload/DoS in puma' -comments: false -categories: -- puma -advisory: - gem: puma - cve: 2019-16770 - ghsa: 7xx3-m584-x994 - url: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 - date: 2019-12-05 - title: Keepalive thread overload/DoS in puma - description: | - A poorly-behaved client could use keepalive requests to monopolize - Puma's reactor and create a denial of service attack. - - If more keepalive connections to Puma are opened than there are - threads available, additional connections will wait permanently if - the attacker sends requests frequently enough. - cvss_v3: 8.8 - cvss_v2: 6.8 - patched_versions: - - "~> 3.12.2" - - ">= 4.3.1" ---- +--- +layout: advisory +title: 'CVE-2019-16770 (puma): Keepalive thread overload/DoS in puma' +comments: false +categories: +- puma +advisory: + gem: puma + cve: 2019-16770 + ghsa: 7xx3-m584-x994 + url: https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 + date: 2019-12-05 + title: Keepalive thread overload/DoS in puma + description: | + A poorly-behaved client could use keepalive requests to monopolize + Puma's reactor and create a denial of service attack. + + If more keepalive connections to Puma are opened than there are + threads available, additional connections will wait permanently if + the attacker sends requests frequently enough. + cvss_v3: 8.8 + cvss_v2: 6.8 + patched_versions: + - "~> 3.12.2" + - ">= 4.3.1" +--- diff --git a/advisories/_posts/2019-12-16-CVE-2019-16779.md b/advisories/_posts/2019-12-16-CVE-2019-16779.md index 839f1e91..64a15608 100644 --- a/advisories/_posts/2019-12-16-CVE-2019-16779.md +++ b/advisories/_posts/2019-12-16-CVE-2019-16779.md 
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2019-16779 (excon): Race condition when using persistent connections' -comments: false -categories: -- excon -advisory: - gem: excon - cve: 2019-16779 - ghsa: q58g-455p-8vw9 - url: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 - date: 2019-12-16 - title: Race condition when using persistent connections - description: | - There was a race condition around persistent connections, where a connection - which is interrupted (such as by a timeout) would leave data on the socket. - Subsequent requests would then read this data, returning content from the - previous response. The race condition window appears to be short, and it - would be difficult to purposefully exploit this. - - Users can workaround the problem by disabling persistent connections, though - this may cause performance implications. - cvss_v3: 5.8 - patched_versions: - - ">= 0.71.0" - related: - url: - - https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 ---- +--- +layout: advisory +title: 'CVE-2019-16779 (excon): Race condition when using persistent connections' +comments: false +categories: +- excon +advisory: + gem: excon + cve: 2019-16779 + ghsa: q58g-455p-8vw9 + url: https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 + date: 2019-12-16 + title: Race condition when using persistent connections + description: | + There was a race condition around persistent connections, where a connection + which is interrupted (such as by a timeout) would leave data on the socket. + Subsequent requests would then read this data, returning content from the + previous response. The race condition window appears to be short, and it + would be difficult to purposefully exploit this. + + Users can workaround the problem by disabling persistent connections, though + this may cause performance implications. 
+ cvss_v3: 5.8 + patched_versions: + - ">= 0.71.0" + related: + url: + - https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 +--- diff --git a/advisories/_posts/2019-12-18-CVE-2019-16782.md b/advisories/_posts/2019-12-18-CVE-2019-16782.md index 23d639d4..15f42619 100644 --- a/advisories/_posts/2019-12-18-CVE-2019-16782.md +++ b/advisories/_posts/2019-12-18-CVE-2019-16782.md 
@@ -1,39 +1,39 @@ ---- -layout: advisory -title: 'CVE-2019-16782 (rack): Possible information leak / session hijack vulnerability' -comments: false -categories: -- rack -advisory: - gem: rack - cve: 2019-16782 - ghsa: hrqr-hxpp-chr3 - url: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3 - date: 2019-12-18 - title: Possible information leak / session hijack vulnerability - description: | - There's a possible information leak / session hijack vulnerability in Rack. - - Attackers may be able to find and hijack sessions by using timing attacks - targeting the session id. Session ids are usually stored and indexed in a - database that uses some kind of scheme for speeding up lookups of that - session id. By carefully measuring the amount of time it takes to look up - a session, an attacker may be able to find a valid session id and hijack - the session. - - The session id itself may be generated randomly, but the way the session is - indexed by the backing store does not use a secure comparison. - - Impact: - - The session id stored in a cookie is the same id that is used when querying - the backing session storage engine. Most storage mechanisms (for example a - database) use some sort of indexing in order to speed up the lookup of that - id. By carefully timing requests and session lookup failures, an attacker - may be able to perform a timing attack to determine an existing session id - and hijack that session. - cvss_v3: 6.3 - patched_versions: - - "~> 1.6.12" - - ">= 2.0.8" ---- +--- +layout: advisory +title: 'CVE-2019-16782 (rack): Possible information leak / session hijack vulnerability' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2019-16782 + ghsa: hrqr-hxpp-chr3 + url: https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3 + date: 2019-12-18 + title: Possible information leak / session hijack vulnerability + description: | + There's a possible information leak / session hijack vulnerability in Rack. 
+ + Attackers may be able to find and hijack sessions by using timing attacks + targeting the session id. Session ids are usually stored and indexed in a + database that uses some kind of scheme for speeding up lookups of that + session id. By carefully measuring the amount of time it takes to look up + a session, an attacker may be able to find a valid session id and hijack + the session. + + The session id itself may be generated randomly, but the way the session is + indexed by the backing store does not use a secure comparison. + + Impact: + + The session id stored in a cookie is the same id that is used when querying + the backing session storage engine. Most storage mechanisms (for example a + database) use some sort of indexing in order to speed up the lookup of that + id. By carefully timing requests and session lookup failures, an attacker + may be able to perform a timing attack to determine an existing session id + and hijack that session. + cvss_v3: 6.3 + patched_versions: + - "~> 1.6.12" + - ">= 2.0.8" +--- diff --git a/advisories/_posts/2019-12-26-CVE-2019-19919.md b/advisories/_posts/2019-12-26-CVE-2019-19919.md index 81b105dd..4a335d7a 100644 --- a/advisories/_posts/2019-12-26-CVE-2019-19919.md +++ b/advisories/_posts/2019-12-26-CVE-2019-19919.md 
@@ -1,28 +1,28 @@ ---- -layout: advisory -title: 'CVE-2019-19919 (bootstrap-wysihtml5-rails): Prototype Pollution in handlebars' -comments: false -categories: -- bootstrap-wysihtml5-rails -advisory: - gem: bootstrap-wysihtml5-rails - cve: 2019-19919 - ghsa: w457-6q6x-cgp9 - url: https://github.com/advisories/GHSA-w457-6q6x-cgp9 - title: Prototype Pollution in handlebars - date: 2019-12-26 - description: | - The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. - Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. - - Versions Affected: 0.3.3.5-0.3.3.8 - Not affected: < 0.3.3.5 - Fixed Versions: None - - Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. - Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute - arbitrary code through crafted payloads. - cvss_v3: 9.8 - unaffected_versions: - - "< 0.3.3.5" ---- +--- +layout: advisory +title: 'CVE-2019-19919 (bootstrap-wysihtml5-rails): Prototype Pollution in handlebars' +comments: false +categories: +- bootstrap-wysihtml5-rails +advisory: + gem: bootstrap-wysihtml5-rails + cve: 2019-19919 + ghsa: w457-6q6x-cgp9 + url: https://github.com/advisories/GHSA-w457-6q6x-cgp9 + title: Prototype Pollution in handlebars + date: 2019-12-26 + description: | + The bootstrap-wysihtml5-rails gem includes the vendored JavaScript library 'handlebars.js'. + Versions 0.3.3.7-0.3.3.8 include handlebars 3.0.2, and versions 0.3.3.5-0.3.3.6 include handlebars 1.3.0. + + Versions Affected: 0.3.3.5-0.3.3.8 + Not affected: < 0.3.3.5 + Fixed Versions: None + + Versions of handlebars prior to 3.0.8 or 4.3.0 are vulnerable to Prototype Pollution leading to Remote Code Execution. 
+ Templates may alter an Objects' __proto__ and __defineGetter__ properties, which may allow an attacker to execute + arbitrary code through crafted payloads. + cvss_v3: 9.8 + unaffected_versions: + - "< 0.3.3.5" +--- diff --git a/advisories/_posts/2020-01-09-CVE-2014-3211.md b/advisories/_posts/2020-01-09-CVE-2014-3211.md index b384ab5f..0de7cf9c 100644 --- a/advisories/_posts/2020-01-09-CVE-2014-3211.md +++ b/advisories/_posts/2020-01-09-CVE-2014-3211.md 
@@ -1,33 +1,33 @@ ---- -layout: advisory -title: 'CVE-2014-3211 (publify_core): Publify vulnerable to DoS attack' -comments: false -categories: -- publify_core -advisory: - gem: publify_core - cve: 2014-3211 - ghsa: vq74-9583-hrm4 - url: https://github.com/publify/publify/releases/tag/v8.0.2 - title: Publify vulnerable to DoS attack - date: 2020-01-09 - description: 'Publify before 8.0.2 is vulnerable to a Denial of Service attack - - ' - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 8.0.2" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2014-3211 - - https://cve.report/CVE-2014-3211 - - https://github.com/publify/publify/releases/tag/v8.0.2 - - https://publify.github.io - - https://rubygems.org/gems/publify_core - - https://rubygems.org/gems/typo - - https://github.com/advisories/GHSA-vq74-9583-hrm4 - notes: | - Found "Formerly known as Typo" at https://github.com/publify/publify - FYI: Gem publify_core oldest release is 9.0.0.pre1 (11/13/2016); ---- +--- +layout: advisory +title: 'CVE-2014-3211 (publify_core): Publify vulnerable to DoS attack' +comments: false +categories: +- publify_core +advisory: + gem: publify_core + cve: 2014-3211 + ghsa: vq74-9583-hrm4 + url: https://github.com/publify/publify/releases/tag/v8.0.2 + title: Publify vulnerable to DoS attack + date: 2020-01-09 + description: 'Publify before 8.0.2 is vulnerable to a Denial of Service attack + + ' + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 8.0.2" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2014-3211 + - https://cve.report/CVE-2014-3211 + - https://github.com/publify/publify/releases/tag/v8.0.2 + - https://publify.github.io + - https://rubygems.org/gems/publify_core + - https://rubygems.org/gems/typo + - https://github.com/advisories/GHSA-vq74-9583-hrm4 + notes: | + Found "Formerly known as Typo" at https://github.com/publify/publify + FYI: Gem publify_core oldest release is 9.0.0.pre1 (11/13/2016); +--- 
diff --git a/advisories/_posts/2020-01-23-CVE-2020-5216.md b/advisories/_posts/2020-01-23-CVE-2020-5216.md index 21bd5c03..dca69430 100644 --- a/advisories/_posts/2020-01-23-CVE-2020-5216.md +++ b/advisories/_posts/2020-01-23-CVE-2020-5216.md 
@@ -1,57 +1,57 @@ ---- -layout: advisory -title: 'CVE-2020-5216 (secure_headers): secure_headers header injection due to newline' -comments: false -categories: -- secure_headers -advisory: - gem: secure_headers - cve: 2020-5216 - ghsa: w978-rmpf-qmwg - url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg - date: 2020-01-23 - title: secure_headers header injection due to newline - description: | - If user-supplied input was passed into append/override_content_security_policy_directives, - a newline could be injected leading to limited header injection. - - Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy - header with the remaining value of the original string. It will continue to create new headers - for each newline. - - e.g. - - ``` - override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"]) - ``` - - would result in - - ``` - Content-Security-Policy: ... script-src: mycdn.com - Content-Security-Policy: injected - Content-Security-Policy: rest-of-the-header - ``` - - CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial: - - ``` - override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) - ``` - - ``` - Content-Security-Policy: ... 
script-src: mycdn.com - Content-Security-Policy: default-src 'none'; report-uri evil.com - Content-Security-Policy: rest-of-the-header - ``` - - Workarounds - ``` - override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")]) - ``` - cvss_v3: 4.4 - patched_versions: - - "~> 3.9" - - "~> 5.2" - - ">= 6.3.0" ---- +--- +layout: advisory +title: 'CVE-2020-5216 (secure_headers): secure_headers header injection due to newline' +comments: false +categories: +- secure_headers +advisory: + gem: secure_headers + cve: 2020-5216 + ghsa: w978-rmpf-qmwg + url: https://github.com/twitter/secure_headers/security/advisories/GHSA-w978-rmpf-qmwg + date: 2020-01-23 + title: secure_headers header injection due to newline + description: | + If user-supplied input was passed into append/override_content_security_policy_directives, + a newline could be injected leading to limited header injection. + + Upon seeing a newline in the header, rails will silently create a new Content-Security-Policy + header with the remaining value of the original string. It will continue to create new headers + for each newline. + + e.g. + + ``` + override_content_security_directives(script_src: ['mycdn.com', "\ninjected\n"]) + ``` + + would result in + + ``` + Content-Security-Policy: ... script-src: mycdn.com + Content-Security-Policy: injected + Content-Security-Policy: rest-of-the-header + ``` + + CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial: + + ``` + override_content_security_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"]) + ``` + + ``` + Content-Security-Policy: ... 
script-src: mycdn.com + Content-Security-Policy: default-src 'none'; report-uri evil.com + Content-Security-Policy: rest-of-the-header + ``` + + Workarounds + ``` + override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")]) + ``` + cvss_v3: 4.4 + patched_versions: + - "~> 3.9" + - "~> 5.2" + - ">= 6.3.0" +--- diff --git a/advisories/_posts/2020-01-23-CVE-2020-5217.md b/advisories/_posts/2020-01-23-CVE-2020-5217.md index c11742bc..51ea38b6 100644 --- a/advisories/_posts/2020-01-23-CVE-2020-5217.md +++ b/advisories/_posts/2020-01-23-CVE-2020-5217.md 
@@ -1,47 +1,47 @@ ---- -layout: advisory -title: 'CVE-2020-5217 (secure_headers): secure_headers directive injection using semicolon' -comments: false -categories: -- secure_headers -advisory: - gem: secure_headers - cve: 2020-5217 - ghsa: xq52-rv6w-397c - url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c - date: 2020-01-23 - title: secure_headers directive injection using semicolon - description: | - If user-supplied input was passed into append/override_content_security_policy_directives, - a semicolon could be injected leading to directive injection. - - This could be used to e.g. override a script-src directive. Duplicate directives are ignored - and the first one wins. The directives in secure_headers are sorted alphabetically so they - pretty much all come before script-src. A previously undefined directive would receive a value - even if SecureHeaders::OPT_OUT was supplied. - - The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning - when this happens. This will result in innocuous browser console messages if being - exploited/accidentally used. In future releases, we will raise application errors resulting in - 500s. - - > Duplicate script-src directives detected. All but the first instance will be ignored. - - See https://www.w3.org/TR/CSP3/#parse-serialized-policy - - > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was - > ignored. A console warning might be appropriate, for example. 
- - # Workarounds - - If you are passing user input into the above methods, you could filter out the input: - - ``` - override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")]) - ``` - cvss_v3: 4.4 - patched_versions: - - "~> 3.8" - - "~> 5.1" - - ">= 6.2.0" ---- +--- +layout: advisory +title: 'CVE-2020-5217 (secure_headers): secure_headers directive injection using semicolon' +comments: false +categories: +- secure_headers +advisory: + gem: secure_headers + cve: 2020-5217 + ghsa: xq52-rv6w-397c + url: https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c + date: 2020-01-23 + title: secure_headers directive injection using semicolon + description: | + If user-supplied input was passed into append/override_content_security_policy_directives, + a semicolon could be injected leading to directive injection. + + This could be used to e.g. override a script-src directive. Duplicate directives are ignored + and the first one wins. The directives in secure_headers are sorted alphabetically so they + pretty much all come before script-src. A previously undefined directive would receive a value + even if SecureHeaders::OPT_OUT was supplied. + + The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning + when this happens. This will result in innocuous browser console messages if being + exploited/accidentally used. In future releases, we will raise application errors resulting in + 500s. + + > Duplicate script-src directives detected. All but the first instance will be ignored. + + See https://www.w3.org/TR/CSP3/#parse-serialized-policy + + > Note: In this case, the user agent SHOULD notify developers that a duplicate directive was + > ignored. A console warning might be appropriate, for example. 
+ + # Workarounds + + If you are passing user input into the above methods, you could filter out the input: + + ``` + override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")]) + ``` + cvss_v3: 4.4 + patched_versions: + - "~> 3.8" + - "~> 5.1" + - ">= 6.2.0" +--- diff --git a/advisories/_posts/2020-01-25-CVE-2020-7981.md b/advisories/_posts/2020-01-25-CVE-2020-7981.md index 72cf627c..14e492c2 100644 --- a/advisories/_posts/2020-01-25-CVE-2020-7981.md +++ b/advisories/_posts/2020-01-25-CVE-2020-7981.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2020-7981 (geocoder): Geocoder gem for Ruby contains possible SQL injection - vulnerability' -comments: false -categories: -- geocoder -advisory: - gem: geocoder - cve: 2020-7981 - ghsa: 864j-6qpp-cmrr - url: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23 - title: Geocoder gem for Ruby contains possible SQL injection vulnerability - date: 2020-01-25 - description: | - sql.rb in Geocoder allows Boolean-based SQL injection when within_bounding_box - is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data. - cvss_v2: 7.5 - cvss_v3: 9.8 - patched_versions: - - ">= 1.6.1" - related: - url: - - https://github.com/alexreisner/geocoder/compare/v1.6.0...v1.6.1 - - https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613 ---- +--- +layout: advisory +title: 'CVE-2020-7981 (geocoder): Geocoder gem for Ruby contains possible SQL injection + vulnerability' +comments: false +categories: +- geocoder +advisory: + gem: geocoder + cve: 2020-7981 + ghsa: 864j-6qpp-cmrr + url: https://github.com/alexreisner/geocoder/blob/master/CHANGELOG.md#161-2020-jan-23 + title: Geocoder gem for Ruby contains possible SQL injection vulnerability + date: 2020-01-25 + description: | + sql.rb in Geocoder allows Boolean-based SQL injection when within_bounding_box + is used in conjunction with untrusted sw_lat, sw_lng, ne_lat, or ne_lng data. + cvss_v2: 7.5 + cvss_v3: 9.8 + patched_versions: + - ">= 1.6.1" + related: + url: + - https://github.com/alexreisner/geocoder/compare/v1.6.0...v1.6.1 + - https://github.com/alexreisner/geocoder/commit/dcdc3d8675411edce3965941a2ca7c441ca48613 +--- diff --git a/advisories/_posts/2020-02-10-CVE-2020-5241.md b/advisories/_posts/2020-02-10-CVE-2020-5241.md index 7aeefd96..0ccb53bc 100644 --- a/advisories/_posts/2020-02-10-CVE-2020-5241.md +++ b/advisories/_posts/2020-02-10-CVE-2020-5241.md 
@@ -1,23 +1,23 @@ ---- -layout: advisory -title: 'CVE-2020-5241 (matestack-ui-core): matestack-ui-core is vulnerable to XSS/Script - injection' -comments: false -categories: -- matestack-ui-core -advisory: - gem: matestack-ui-core - cve: 2020-5241 - ghsa: 3jqw-vv45-mjhh - url: https://github.com/matestack/matestack-ui-core/security/advisories/GHSA-3jqw-vv45-mjhh - title: matestack-ui-core is vulnerable to XSS/Script injection - date: 2020-02-10 - description: | - matestack-ui-core does not excape strings by default and does not cover this in the docs. - matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability. - v0.7.4 fixes that by escaping strings by default. - cvss_v2: 10.0 - cvss_v3: 9.8 - patched_versions: - - ">= 0.7.4" ---- +--- +layout: advisory +title: 'CVE-2020-5241 (matestack-ui-core): matestack-ui-core is vulnerable to XSS/Script + injection' +comments: false +categories: +- matestack-ui-core +advisory: + gem: matestack-ui-core + cve: 2020-5241 + ghsa: 3jqw-vv45-mjhh + url: https://github.com/matestack/matestack-ui-core/security/advisories/GHSA-3jqw-vv45-mjhh + title: matestack-ui-core is vulnerable to XSS/Script injection + date: 2020-02-10 + description: | + matestack-ui-core does not excape strings by default and does not cover this in the docs. + matestack-ui-core should escape strings by default in order to prevent XSS/Script injection vulnerability. + v0.7.4 fixes that by escaping strings by default. + cvss_v2: 10.0 + cvss_v3: 9.8 + patched_versions: + - ">= 0.7.4" +--- diff --git a/advisories/_posts/2020-02-12-CVE-2020-7595.md b/advisories/_posts/2020-02-12-CVE-2020-7595.md index 56058022..8109c9c0 100644 --- a/advisories/_posts/2020-02-12-CVE-2020-7595.md +++ b/advisories/_posts/2020-02-12-CVE-2020-7595.md 
@@ -1,26 +1,26 @@ ---- -layout: advisory -title: 'CVE-2020-7595 (nokogiri): libxml2 2.9.10 has an infinite loop in a certain - end-of-file situation' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - cve: 2020-7595 - ghsa: 7553-jr98-vx47 - url: https://github.com/sparklemotion/nokogiri/issues/1992 - title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation - date: 2020-02-12 - description: |2 - - Nokogiri has backported the patch for CVE-2020-7595 into its vendored version - of libxml2, and released this as v1.10.8 - - CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and - so Nokogiri versions <= v1.10.7 are vulnerable. - cvss_v2: 5.0 - cvss_v3: 7.5 - patched_versions: - - ">= 1.10.8" ---- +--- +layout: advisory +title: 'CVE-2020-7595 (nokogiri): libxml2 2.9.10 has an infinite loop in a certain + end-of-file situation' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + cve: 2020-7595 + ghsa: 7553-jr98-vx47 + url: https://github.com/sparklemotion/nokogiri/issues/1992 + title: libxml2 2.9.10 has an infinite loop in a certain end-of-file situation + date: 2020-02-12 + description: |2 + + Nokogiri has backported the patch for CVE-2020-7595 into its vendored version + of libxml2, and released this as v1.10.8 + + CVE-2020-7595 has not yet been addressed in an upstream libxml2 release, and + so Nokogiri versions <= v1.10.7 are vulnerable. + cvss_v2: 5.0 + cvss_v3: 7.5 + patched_versions: + - ">= 1.10.8" +--- diff --git a/advisories/_posts/2020-02-14-CVE-2019-10780.md b/advisories/_posts/2020-02-14-CVE-2019-10780.md index 9ac2e600..1ad01398 100644 --- a/advisories/_posts/2020-02-14-CVE-2019-10780.md +++ b/advisories/_posts/2020-02-14-CVE-2019-10780.md 
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2019-10780 (bibtex-ruby): OS command injection in BibTeX-Ruby'
-comments: false
-categories:
-- bibtex-ruby
-advisory:
- gem: bibtex-ruby
- cve: 2019-10780
- ghsa: c5r5-7pfh-6qg6
- url: https://github.com/advisories/GHSA-c5r5-7pfh-6qg6
- date: 2020-02-14
- title: OS command injection in BibTeX-Ruby
- description: |
- BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized
- user input being passed directly to the built-in Ruby Kernel.open method through
- BibTeX.open.
- cvss_v3: 9.8
- patched_versions:
- - ">= 5.1.0"
----
+---
+layout: advisory
+title: 'CVE-2019-10780 (bibtex-ruby): OS command injection in BibTeX-Ruby'
+comments: false
+categories:
+- bibtex-ruby
+advisory:
+ gem: bibtex-ruby
+ cve: 2019-10780
+ ghsa: c5r5-7pfh-6qg6
+ url: https://github.com/advisories/GHSA-c5r5-7pfh-6qg6
+ date: 2020-02-14
+ title: OS command injection in BibTeX-Ruby
+ description: |
+ BibTeX-ruby before 5.1.0 allows shell command injection due to unsanitized
+ user input being passed directly to the built-in Ruby Kernel.open method through
+ BibTeX.open.
+ cvss_v3: 9.8
+ patched_versions:
+ - ">= 5.1.0"
+---
diff --git a/advisories/_posts/2020-02-27-CVE-2020-5247.md b/advisories/_posts/2020-02-27-CVE-2020-5247.md
index ba57df14..e4ce24f7 100644
--- a/advisories/_posts/2020-02-27-CVE-2020-5247.md
+++ b/advisories/_posts/2020-02-27-CVE-2020-5247.md
@@ -1,29 +1,29 @@ ---- -layout: advisory -title: 'CVE-2020-5247 (puma): HTTP Response Splitting vulnerability in puma' -comments: false -categories: -- puma -advisory: - gem: puma - cve: 2020-5247 - ghsa: 84j7-475p-hp8v - url: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v - date: 2020-02-27 - title: HTTP Response Splitting vulnerability in puma - description: | - If an application using Puma allows untrusted input in a response header, - an attacker can use newline characters (i.e. CR, LF) to end the header and - inject malicious content, such as additional headers or an entirely new - response body. This vulnerability is known as HTTP Response Splitting. - - While not an attack in itself, response splitting is a vector for several - other attacks, such as cross-site scripting (XSS). - cvss_v3: 6.5 - patched_versions: - - "~> 3.12.4" - - ">= 4.3.3" - related: - cve: - - 2019-16254 ---- +--- +layout: advisory +title: 'CVE-2020-5247 (puma): HTTP Response Splitting vulnerability in puma' +comments: false +categories: +- puma +advisory: + gem: puma + cve: 2020-5247 + ghsa: 84j7-475p-hp8v + url: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v + date: 2020-02-27 + title: HTTP Response Splitting vulnerability in puma + description: | + If an application using Puma allows untrusted input in a response header, + an attacker can use newline characters (i.e. CR, LF) to end the header and + inject malicious content, such as additional headers or an entirely new + response body. This vulnerability is known as HTTP Response Splitting. + + While not an attack in itself, response splitting is a vector for several + other attacks, such as cross-site scripting (XSS). + cvss_v3: 6.5 + patched_versions: + - "~> 3.12.4" + - ">= 4.3.3" + related: + cve: + - 2019-16254 +--- diff --git a/advisories/_posts/2020-03-03-CVE-2020-5249.md b/advisories/_posts/2020-03-03-CVE-2020-5249.md index d31f91f9..bc3d4995 100644 
--- a/advisories/_posts/2020-03-03-CVE-2020-5249.md +++ b/advisories/_posts/2020-03-03-CVE-2020-5249.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2020-5249 (puma): HTTP Response Splitting (Early Hints) in Puma' -comments: false -categories: -- puma -advisory: - gem: puma - cve: 2020-5249 - ghsa: 33vf-4xgg-9r58 - url: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 - date: 2020-03-03 - title: HTTP Response Splitting (Early Hints) in Puma - description: | - ### Impact - If an application using Puma allows untrusted input in an early-hints header, - an attacker can use a carriage return character to end the header and inject - malicious content, such as additional headers or an entirely new response body. - This vulnerability is known as [HTTP Response - Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting) - - While not an attack in itself, response splitting is a vector for several other - attacks, such as cross-site scripting (XSS). - - This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), - which fixed this vulnerability but only for regular responses. - - ### Patches - This has been fixed in 4.3.3 and 3.12.4. - - ### Workarounds - Users can not allow untrusted/user input in the Early Hints response header. - cvss_v3: 6.5 - patched_versions: - - "~> 3.12.4" - - ">= 4.3.3" - related: - cve: - - 2020-5247 ---- +--- +layout: advisory +title: 'CVE-2020-5249 (puma): HTTP Response Splitting (Early Hints) in Puma' +comments: false +categories: +- puma +advisory: + gem: puma + cve: 2020-5249 + ghsa: 33vf-4xgg-9r58 + url: https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 + date: 2020-03-03 + title: HTTP Response Splitting (Early Hints) in Puma + description: | + ### Impact + If an application using Puma allows untrusted input in an early-hints header, + an attacker can use a carriage return character to end the header and inject + malicious content, such as additional headers or an entirely new response body. 
+ This vulnerability is known as [HTTP Response + Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting) + + While not an attack in itself, response splitting is a vector for several other + attacks, such as cross-site scripting (XSS). + + This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), + which fixed this vulnerability but only for regular responses. + + ### Patches + This has been fixed in 4.3.3 and 3.12.4. + + ### Workarounds + Users can not allow untrusted/user input in the Early Hints response header. + cvss_v3: 6.5 + patched_versions: + - "~> 3.12.4" + - ">= 4.3.3" + related: + cve: + - 2020-5247 +--- diff --git a/advisories/_posts/2020-03-10-CVE-2020-5243.md b/advisories/_posts/2020-03-10-CVE-2020-5243.md index a6989346..3756e5fe 100644 --- a/advisories/_posts/2020-03-10-CVE-2020-5243.md +++ b/advisories/_posts/2020-03-10-CVE-2020-5243.md 
@@ -1,37 +1,37 @@ ---- -layout: advisory -title: 'CVE-2020-5243 (user_agent_parser): Denial of Service in uap-core when processing - crafted User-Agent strings' -comments: false -categories: -- user_agent_parser -advisory: - gem: user_agent_parser - cve: 2020-5243 - ghsa: pcqq-5962-hvcw - url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw - date: 2020-03-10 - title: Denial of Service in uap-core when processing crafted User-Agent strings - description: | - ### Impact - Some regexes are vulnerable to regular expression denial of service (REDoS) due to - overlapping capture groups. This allows remote attackers to overload a server by - setting the User-Agent header in an HTTP(S) request to maliciously crafted long - strings. - - ### Patches - Please update `uap-ruby` to >= v2.6.0 - - ### For more information - https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p - cvss_v3: 5.7 - patched_versions: - - ">= 2.6.0" - related: - ghsa: - - cmcx-xhr8-3w9p - url: - - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw - - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a - - https://github.com/advisories/GHSA-pcqq-5962-hvcw ---- +--- +layout: advisory +title: 'CVE-2020-5243 (user_agent_parser): Denial of Service in uap-core when processing + crafted User-Agent strings' +comments: false +categories: +- user_agent_parser +advisory: + gem: user_agent_parser + cve: 2020-5243 + ghsa: pcqq-5962-hvcw + url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw + date: 2020-03-10 + title: Denial of Service in uap-core when processing crafted User-Agent strings + description: | + ### Impact + Some regexes are vulnerable to regular expression denial of service (REDoS) due to + overlapping capture groups. 
This allows remote attackers to overload a server by + setting the User-Agent header in an HTTP(S) request to maliciously crafted long + strings. + + ### Patches + Please update `uap-ruby` to >= v2.6.0 + + ### For more information + https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p + cvss_v3: 5.7 + patched_versions: + - ">= 2.6.0" + related: + ghsa: + - cmcx-xhr8-3w9p + url: + - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw + - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a + - https://github.com/advisories/GHSA-pcqq-5962-hvcw +--- diff --git a/advisories/_posts/2020-03-14-CVE-2020-36190.md b/advisories/_posts/2020-03-14-CVE-2020-36190.md index fb8cb77a..47422a61 100644 --- a/advisories/_posts/2020-03-14-CVE-2020-36190.md +++ b/advisories/_posts/2020-03-14-CVE-2020-36190.md 
@@ -1,21 +1,21 @@
----
-layout: advisory
-title: 'CVE-2020-36190 (rails_admin): rails_admin ruby gem XSS vulnerability'
-comments: false
-categories:
-- rails_admin
-advisory:
- gem: rails_admin
- cve: 2020-36190
- ghsa: wjx2-7hqq-8h7m
- url: https://github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375
- title: rails_admin ruby gem XSS vulnerability
- date: 2020-03-14
- description: |
- RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows
- XSS via nested forms.
- cvss_v3: 6.1
- patched_versions:
- - "~> 1.4.3"
- - ">= 2.0.2"
----
+---
+layout: advisory
+title: 'CVE-2020-36190 (rails_admin): rails_admin ruby gem XSS vulnerability'
+comments: false
+categories:
+- rails_admin
+advisory:
+ gem: rails_admin
+ cve: 2020-36190
+ ghsa: wjx2-7hqq-8h7m
+ url: https://github.com/sferik/rails_admin/commit/d72090ec6a07c3b9b7b48ab50f3d405f91ff4375
+ title: rails_admin ruby gem XSS vulnerability
+ date: 2020-03-14
+ description: |
+ RailsAdmin (aka rails_admin) before 1.4.3 and 2.x before 2.0.2 allows
+ XSS via nested forms.
+ cvss_v3: 6.1
+ patched_versions:
+ - "~> 1.4.3"
+ - ">= 2.0.2"
+---
diff --git a/advisories/_posts/2020-03-14-CVE-2020-5257.md b/advisories/_posts/2020-03-14-CVE-2020-5257.md
index e8d75270..c20f0e44 100644
--- a/advisories/_posts/2020-03-14-CVE-2020-5257.md
+++ b/advisories/_posts/2020-03-14-CVE-2020-5257.md
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2020-5257 (administrate): Sort order SQL injection via `direction` parameter - in administrate' -comments: false -categories: -- administrate -advisory: - gem: administrate - cve: 2020-5257 - ghsa: 2p5p-m353-833w - title: Sort order SQL injection via `direction` parameter in administrate - date: 2020-03-14 - url: https://github.com/advisories/GHSA-2p5p-m353-833w - description: | - In Administrate (rubygem) before version 0.13.0, when sorting by attributes - on a dashboard, the direction parameter was not validated before being - interpolated into the SQL query. - - This could present a SQL injection if the attacker were able to modify the - direction parameter and bypass ActiveRecord SQL protections. - - Whilst this does have a high-impact, to exploit this you need access to the - Administrate dashboards, which should generally be behind authentication. - cvss_v3: 7.7 - patched_versions: - - ">= 0.13.0" - related: - url: - - https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3 ---- +--- +layout: advisory +title: 'CVE-2020-5257 (administrate): Sort order SQL injection via `direction` parameter + in administrate' +comments: false +categories: +- administrate +advisory: + gem: administrate + cve: 2020-5257 + ghsa: 2p5p-m353-833w + title: Sort order SQL injection via `direction` parameter in administrate + date: 2020-03-14 + url: https://github.com/advisories/GHSA-2p5p-m353-833w + description: | + In Administrate (rubygem) before version 0.13.0, when sorting by attributes + on a dashboard, the direction parameter was not validated before being + interpolated into the SQL query. + + This could present a SQL injection if the attacker were able to modify the + direction parameter and bypass ActiveRecord SQL protections. + + Whilst this does have a high-impact, to exploit this you need access to the + Administrate dashboards, which should generally be behind authentication. 
+ cvss_v3: 7.7 + patched_versions: + - ">= 0.13.0" + related: + url: + - https://github.com/thoughtbot/administrate/commit/3ab838b83c5f565fba50e0c6f66fe4517f98eed3 +--- diff --git a/advisories/_posts/2020-03-19-CVE-2020-10663.md b/advisories/_posts/2020-03-19-CVE-2020-10663.md index a3bc0ebc..82699938 100644 --- a/advisories/_posts/2020-03-19-CVE-2020-10663.md +++ b/advisories/_posts/2020-03-19-CVE-2020-10663.md 
@@ -1,43 +1,43 @@ ---- -layout: advisory -title: 'CVE-2020-10663 (json): json Gem for Ruby Unsafe Object Creation Vulnerability - (additional fix)' -comments: false -categories: -- json -advisory: - gem: json - cve: 2020-10663 - ghsa: jphg-qwrw-7w9g - url: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ - title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) - date: 2020-03-19 - description: | - There is an unsafe object creation vulnerability in the json gem bundled with - Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. - We strongly recommend upgrading the json gem. - - Details - ------- - - When parsing certain JSON documents, the json gem (including the one bundled - with Ruby) can be coerced into creating arbitrary objects in the target system. - - This is the same issue as CVE-2013-0269. The previous fix was incomplete, which - addressed JSON.parse(user_input), but didn’t address some other styles of JSON - parsing including JSON(user_input) and JSON.parse(user_input, nil). - - See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a - Denial of Service by creating many garbage-uncollectable Symbol objects, but - this kind of attack is no longer valid because Symbol objects are now - garbage-collectable. However, creating arbitrary objects may cause severe - security consequences depending upon the application code. 
- cvss_v3: 7.5 - patched_versions: - - ">= 2.3.0" - related: - cve: - - 2013-0269 - url: - - https://groups.google.com/forum/#!topic/ruby-security-ann/ermX1eQqqKA ---- +--- +layout: advisory +title: 'CVE-2020-10663 (json): json Gem for Ruby Unsafe Object Creation Vulnerability + (additional fix)' +comments: false +categories: +- json +advisory: + gem: json + cve: 2020-10663 + ghsa: jphg-qwrw-7w9g + url: https://www.ruby-lang.org/en/news/2020/03/19/json-dos-cve-2020-10663/ + title: json Gem for Ruby Unsafe Object Creation Vulnerability (additional fix) + date: 2020-03-19 + description: | + There is an unsafe object creation vulnerability in the json gem bundled with + Ruby. This vulnerability has been assigned the CVE identifier CVE-2020-10663. + We strongly recommend upgrading the json gem. + + Details + ------- + + When parsing certain JSON documents, the json gem (including the one bundled + with Ruby) can be coerced into creating arbitrary objects in the target system. + + This is the same issue as CVE-2013-0269. The previous fix was incomplete, which + addressed JSON.parse(user_input), but didn’t address some other styles of JSON + parsing including JSON(user_input) and JSON.parse(user_input, nil). + + See CVE-2013-0269 in detail. Note that the issue was exploitable to cause a + Denial of Service by creating many garbage-uncollectable Symbol objects, but + this kind of attack is no longer valid because Symbol objects are now + garbage-collectable. However, creating arbitrary objects may cause severe + security consequences depending upon the application code. + cvss_v3: 7.5 + patched_versions: + - ">= 2.3.0" + related: + cve: + - 2013-0269 + url: + - https://groups.google.com/forum/#!topic/ruby-security-ann/ermX1eQqqKA +--- diff --git a/advisories/_posts/2020-03-19-CVE-2020-5267.md b/advisories/_posts/2020-03-19-CVE-2020-5267.md index 816adc71..0aa43e7b 100644 --- a/advisories/_posts/2020-03-19-CVE-2020-5267.md 
+++ b/advisories/_posts/2020-03-19-CVE-2020-5267.md 
@@ -1,78 +1,78 @@ ---- -layout: advisory -title: 'CVE-2020-5267 (actionview): Possible XSS vulnerability in ActionView' -comments: false -categories: -- actionview -- rails -advisory: - gem: actionview - framework: rails - cve: 2020-5267 - ghsa: 65cv-r6x7-79hv - url: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 - title: Possible XSS vulnerability in ActionView - date: 2020-03-19 - description: | - There is a possible XSS vulnerability in ActionView's JavaScript literal - escape helpers. Views that use the `j` or `escape_javascript` methods - may be susceptible to XSS attacks. - - Versions Affected: All. - Not affected: None. - Fixed Versions: 6.0.2.2, 5.2.4.2 - - Impact - ------ - There is a possible XSS vulnerability in the `j` and `escape_javascript` - methods in ActionView. These methods are used for escaping JavaScript string - literals. Impacted code will look something like this: - - ```erb - - ``` - - or - - ```erb - - ``` - - Releases - -------- - The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations. - - Workarounds - ----------- - For those that can't upgrade, the following monkey patch may be used: - - ```ruby - ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!( - { - "`" => "\\`", - "$" => "\\$" - } - ) - - module ActionView::Helpers::JavaScriptHelper - alias :old_ej :escape_javascript - alias :old_j :j - - def escape_javascript(javascript) - javascript = javascript.to_s - if javascript.empty? - result = "" - else - result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) - end - javascript.html_safe? ? 
result.html_safe : result - end - - alias :j :escape_javascript - end - ``` - cvss_v3: 4.0 - patched_versions: - - "~> 5.2.4, >= 5.2.4.2" - - ">= 6.0.2.2" ---- +--- +layout: advisory +title: 'CVE-2020-5267 (actionview): Possible XSS vulnerability in ActionView' +comments: false +categories: +- actionview +- rails +advisory: + gem: actionview + framework: rails + cve: 2020-5267 + ghsa: 65cv-r6x7-79hv + url: https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8 + title: Possible XSS vulnerability in ActionView + date: 2020-03-19 + description: | + There is a possible XSS vulnerability in ActionView's JavaScript literal + escape helpers. Views that use the `j` or `escape_javascript` methods + may be susceptible to XSS attacks. + + Versions Affected: All. + Not affected: None. + Fixed Versions: 6.0.2.2, 5.2.4.2 + + Impact + ------ + There is a possible XSS vulnerability in the `j` and `escape_javascript` + methods in ActionView. These methods are used for escaping JavaScript string + literals. Impacted code will look something like this: + + ```erb + + ``` + + or + + ```erb + + ``` + + Releases + -------- + The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations. + + Workarounds + ----------- + For those that can't upgrade, the following monkey patch may be used: + + ```ruby + ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!( + { + "`" => "\\`", + "$" => "\\$" + } + ) + + module ActionView::Helpers::JavaScriptHelper + alias :old_ej :escape_javascript + alias :old_j :j + + def escape_javascript(javascript) + javascript = javascript.to_s + if javascript.empty? + result = "" + else + result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP) + end + javascript.html_safe? ? result.html_safe : result + end + + alias :j :escape_javascript + end + ``` + cvss_v3: 4.0 + patched_versions: + - "~> 5.2.4, >= 5.2.4.2" + - ">= 6.0.2.2" +--- 
diff --git a/advisories/_posts/2020-04-29-CVE-2015-4411.md b/advisories/_posts/2020-04-29-CVE-2015-4411.md index fbafe775..d96fa893 100644 --- a/advisories/_posts/2020-04-29-CVE-2015-4411.md +++ b/advisories/_posts/2020-04-29-CVE-2015-4411.md @@ -1,25 +1,25 @@ ---- -layout: advisory -title: 'CVE-2015-4411 (bson): Potential denial of service in bson rubygem' -comments: false -categories: -- bson -advisory: - gem: bson - cve: 2015-4411 - ghsa: qh4w-7pw3-p4rp - url: https://github.com/advisories/GHSA-qh4w-7pw3-p4rp - date: 2020-04-29 - title: Potential denial of service in bson rubygem - description: | - The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 - as used in rubygem-moped allows remote attackers to cause a denial of service (worker - resource consumption) via a crafted string. NOTE: This issue is due to an incomplete - fix to CVE-2015-4410. - cvss_v3: 7.5 - patched_versions: - - ">= 3.0.4" - related: - cve: - - 2015-4410 ---- +--- +layout: advisory +title: 'CVE-2015-4411 (bson): Potential denial of service in bson rubygem' +comments: false +categories: +- bson +advisory: + gem: bson + cve: 2015-4411 + ghsa: qh4w-7pw3-p4rp + url: https://github.com/advisories/GHSA-qh4w-7pw3-p4rp + date: 2020-04-29 + title: Potential denial of service in bson rubygem + description: | + The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 + as used in rubygem-moped allows remote attackers to cause a denial of service (worker + resource consumption) via a crafted string. NOTE: This issue is due to an incomplete + fix to CVE-2015-4410. + cvss_v3: 7.5 + patched_versions: + - ">= 3.0.4" + related: + cve: + - 2015-4410 +--- diff --git a/advisories/_posts/2020-04-29-CVE-2020-11020.md b/advisories/_posts/2020-04-29-CVE-2020-11020.md index d4436969..96f0ffd5 100644 --- a/advisories/_posts/2020-04-29-CVE-2020-11020.md +++ b/advisories/_posts/2020-04-29-CVE-2020-11020.md 
@@ -1,95 +1,95 @@ ---- -layout: advisory -title: 'CVE-2020-11020 (faye): Authentication and extension bypass in Faye' -comments: false -categories: -- faye -advisory: - gem: faye - cve: 2020-11020 - ghsa: qpg4-4w7w-2mq5 - url: https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5 - date: 2020-04-29 - title: Authentication and extension bypass in Faye - description: | - On 20 April 2020 it was reported to me that the potential for authentication - bypass exists in [Faye][1]'s extension system. This vulnerability has existed in - the Node.js and Ruby versions of the server since version 0.5.0, when extensions - were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and - 1.2.5, which we are releasing today. - - The vulnerability allows any client to bypass checks put in place by server-side - extensions, by appending extra segments to the message channel. For example, the - Faye [extension docs][2] suggest that users implement access control for - subscriptions by checking incoming messages for the `/meta/subscribe` channel, - for example: - - ```js - server.addExtension({ - incoming: function(message, callback) { - if (message.channel === '/meta/subscribe') { - if (message.ext.authToken !== 'my super secret password') { - message.error = 'Invalid auth token'; - } - } - callback(message); - } - }); - ``` - - A bug in the server's code for recognising the special `/meta/*` channels, which - trigger connection and subscription events, means that a client can bypass this - check by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`: - - ```json - { - "channel": "/meta/subscribe/x", - "clientId": "3jrc6602npj4gyp6bn5ap2wqzjtb2q3", - "subscription": "/foo" - } - ``` - - This message will not be checked by the above extension, as it checks the - message's channel is exactly equal to `/meta/subscribe`. 
But it will still be - processed as a subscription request by the server, so the client becomes - subscribed to the channel `/foo` without supplying the necessary credentials. - - The vulnerability is caused by the way the Faye server recognises meta channels. - It will treat a message to any channel that's a prefix-match for one of the - special channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`, - `/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for - that channel. So, a message to `/meta/subscribe/x` is still processed as a - subscription request, for example. - - An authentication bypass for subscription requests is the most serious effect of - this but all other meta channels are susceptible to similar manipulation. - - This parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. - These should be drop-in replacements for prior versions and you should upgrade - immediately if you are running any prior version. - - If you are unable to install one of these versions, you can make your extensions - catch all messages the server would process by checking the channel _begins_ - with the expected channel name, for example: - - ```js - server.addExtension({ - incoming: function(message, callback) { - if (message.channel.startsWith('/meta/subscribe')) { - // authentication logic - } - callback(message); - } - }); - ``` - - [1]: https://faye.jcoglan.com/ - [2]: https://faye.jcoglan.com/node/extensions.html - cvss_v3: 8.5 - patched_versions: - - "~> 1.0.4" - - "~> 1.1.3" - - ">= 1.2.5" - unaffected_versions: - - "< 0.5.0" ---- +--- +layout: advisory +title: 'CVE-2020-11020 (faye): Authentication and extension bypass in Faye' +comments: false +categories: +- faye +advisory: + gem: faye + cve: 2020-11020 + ghsa: qpg4-4w7w-2mq5 + url: https://github.com/faye/faye/security/advisories/GHSA-qpg4-4w7w-2mq5 + date: 2020-04-29 + title: Authentication and extension bypass in Faye + description: | + On 20 April 2020 it was 
reported to me that the potential for authentication + bypass exists in [Faye][1]'s extension system. This vulnerability has existed in + the Node.js and Ruby versions of the server since version 0.5.0, when extensions + were first introduced, in July 2010. It is patched in versions 1.0.4, 1.1.3 and + 1.2.5, which we are releasing today. + + The vulnerability allows any client to bypass checks put in place by server-side + extensions, by appending extra segments to the message channel. For example, the + Faye [extension docs][2] suggest that users implement access control for + subscriptions by checking incoming messages for the `/meta/subscribe` channel, + for example: + + ```js + server.addExtension({ + incoming: function(message, callback) { + if (message.channel === '/meta/subscribe') { + if (message.ext.authToken !== 'my super secret password') { + message.error = 'Invalid auth token'; + } + } + callback(message); + } + }); + ``` + + A bug in the server's code for recognising the special `/meta/*` channels, which + trigger connection and subscription events, means that a client can bypass this + check by sending a message to `/meta/subscribe/x` rather than `/meta/subscribe`: + + ```json + { + "channel": "/meta/subscribe/x", + "clientId": "3jrc6602npj4gyp6bn5ap2wqzjtb2q3", + "subscription": "/foo" + } + ``` + + This message will not be checked by the above extension, as it checks the + message's channel is exactly equal to `/meta/subscribe`. But it will still be + processed as a subscription request by the server, so the client becomes + subscribed to the channel `/foo` without supplying the necessary credentials. + + The vulnerability is caused by the way the Faye server recognises meta channels. + It will treat a message to any channel that's a prefix-match for one of the + special channels `/meta/handshake`, `/meta/connect`, `/meta/subscribe`, + `/meta/unsubscribe` or `/meta/disconnect`, as though it were an exact match for + that channel. 
So, a message to `/meta/subscribe/x` is still processed as a + subscription request, for example. + + An authentication bypass for subscription requests is the most serious effect of + this but all other meta channels are susceptible to similar manipulation. + + This parsing bug in the server is fixed in versions 1.0.4, 1.1.3 and 1.2.5. + These should be drop-in replacements for prior versions and you should upgrade + immediately if you are running any prior version. + + If you are unable to install one of these versions, you can make your extensions + catch all messages the server would process by checking the channel _begins_ + with the expected channel name, for example: + + ```js + server.addExtension({ + incoming: function(message, callback) { + if (message.channel.startsWith('/meta/subscribe')) { + // authentication logic + } + callback(message); + } + }); + ``` + + [1]: https://faye.jcoglan.com/ + [2]: https://faye.jcoglan.com/node/extensions.html + cvss_v3: 8.5 + patched_versions: + - "~> 1.0.4" + - "~> 1.1.3" + - ">= 1.2.5" + unaffected_versions: + - "< 0.5.0" +--- diff --git a/advisories/_posts/2020-04-29-CVE-2020-11022.md b/advisories/_posts/2020-04-29-CVE-2020-11022.md index 8ff4bb77..3e6b5318 100644 --- a/advisories/_posts/2020-04-29-CVE-2020-11022.md +++ b/advisories/_posts/2020-04-29-CVE-2020-11022.md 
@@ -1,101 +1,101 @@ ---- -layout: advisory -title: 'CVE-2020-11022 (jquery-rails): Potential XSS vulnerability in jQuery' -comments: false -categories: -- jquery-rails -- rails -advisory: - gem: jquery-rails - framework: rails - cve: 2020-11022 - ghsa: gxr4-xjj5-5px2 - url: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2 - title: Potential XSS vulnerability in jQuery - date: 2020-04-29 - description: | - ### Impact - Passing HTML from untrusted sources - even after sanitizing it - to - one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, - and others) may execute untrusted code. - - ### Patches - This problem is patched in jQuery 3.5.0. - - ### Workarounds - To workaround the issue without upgrading, adding the following to - your code: - ```js - jQuery.htmlPrefilter = function( html ) { - return html; - }; - ``` - You need to use at least jQuery 1.12/2.2 or newer to be able to - apply this workaround. - - ### References - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ - https://jquery.com/upgrade-guide/3.5/ - - ### For more information - If you have any questions or comments about this advisory, search - for a relevant issue in - [the jQuery repo](https://github.com/jquery/jquery/issues). - - If you don't find an answer, open a new issue." 
- cvss_v2: 4.3
- cvss_v3: 6.9
- unaffected_versions:
- - "< 1.2.0"
- patched_versions:
- - ">= 3.5.0"
- related:
- url:
- - https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
- - https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
- - https://jquery.com/upgrade-guide/3.5/
- - https://nvd.nist.gov/vuln/detail/CVE-2020-11022
- - https://security.netapp.com/advisory/ntap-20200511-0006/
- - https://www.drupal.org/sa-core-2020-002
- - https://www.debian.org/security/2020/dsa-4693
- - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
- - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
- - https://www.oracle.com/security-alerts/cpujul2020.html
- - http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- - https://security.gentoo.org/glsa/202007-03
- - http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- - https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@
- - https://github.com/advisories/GHSA-gxr4-xjj5-5px2
- - https://www.npmjs.com/advisories/1518
- - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
- - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
- - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
- - https://www.oracle.com/security-alerts/cpuoct2020.html
- - https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@
- - https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@
- - 
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
- - https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@
- - https://www.tenable.com/security/tns-2020-10
- - https://www.tenable.com/security/tns-2020-11
- - https://www.oracle.com/security-alerts/cpujan2021.html
- - https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@
- - https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@
- - https://www.tenable.com/security/tns-2021-02
- - https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
- - http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
- - https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@
- - https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@
- - https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@
- - https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@
- - https://www.tenable.com/security/tns-2021-10
- - https://www.oracle.com/security-alerts/cpuApr2021.html
- - https://www.oracle.com//security-alerts/cpujul2021.html
- - https://www.oracle.com/security-alerts/cpuoct2021.html
- - https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@
- - https://github.com/jquery/jquery/releases/tag/3.5.0
- - https://www.oracle.com/security-alerts/cpujan2022.html
- - https://www.oracle.com/security-alerts/cpuapr2022.html
- - https://www.oracle.com/security-alerts/cpujul2022.html
- - https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
----
+---
+layout: advisory
+title: 'CVE-2020-11022 (jquery-rails): Potential XSS vulnerability in jQuery'
+comments: false
+categories:
+- jquery-rails
+- rails
+advisory:
+ gem: jquery-rails
+ framework: rails
+ cve: 2020-11022
+ 
ghsa: gxr4-xjj5-5px2
+ url: https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
+ title: Potential XSS vulnerability in jQuery
+ date: 2020-04-29
+ description: |
+ ### Impact
+ Passing HTML from untrusted sources - even after sanitizing it - to
+ one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`,
+ and others) may execute untrusted code.
+
+ ### Patches
+ This problem is patched in jQuery 3.5.0.
+
+ ### Workarounds
+ To workaround the issue without upgrading, adding the following to
+ your code:
+ ```js
+ jQuery.htmlPrefilter = function( html ) {
+ return html;
+ };
+ ```
+ You need to use at least jQuery 1.12/2.2 or newer to be able to
+ apply this workaround.
+
+ ### References
+ https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
+ https://jquery.com/upgrade-guide/3.5/
+
+ ### For more information
+ If you have any questions or comments about this advisory, search
+ for a relevant issue in
+ [the jQuery repo](https://github.com/jquery/jquery/issues).
+
+ If you don't find an answer, open a new issue."
+ cvss_v2: 4.3
+ cvss_v3: 6.9
+ unaffected_versions:
+ - "< 1.2.0"
+ patched_versions:
+ - ">= 3.5.0"
+ related:
+ url:
+ - https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
+ - https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
+ - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
+ - https://jquery.com/upgrade-guide/3.5/
+ - https://nvd.nist.gov/vuln/detail/CVE-2020-11022
+ - https://security.netapp.com/advisory/ntap-20200511-0006/
+ - https://www.drupal.org/sa-core-2020-002
+ - https://www.debian.org/security/2020/dsa-4693
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
+ - https://www.oracle.com/security-alerts/cpujul2020.html
+ - http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
+ - https://security.gentoo.org/glsa/202007-03
+ - http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
+ - https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@
+ - https://github.com/advisories/GHSA-gxr4-xjj5-5px2
+ - https://www.npmjs.com/advisories/1518
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
+ - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
+ - https://www.oracle.com/security-alerts/cpuoct2020.html
+ - https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@
+ - https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@
+ - 
http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
+ - https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@
+ - https://www.tenable.com/security/tns-2020-10
+ - https://www.tenable.com/security/tns-2020-11
+ - https://www.oracle.com/security-alerts/cpujan2021.html
+ - https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@
+ - https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@
+ - https://www.tenable.com/security/tns-2021-02
+ - https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
+ - http://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
+ - https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@
+ - https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@
+ - https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@
+ - https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@
+ - https://www.tenable.com/security/tns-2021-10
+ - https://www.oracle.com/security-alerts/cpuApr2021.html
+ - https://www.oracle.com//security-alerts/cpujul2021.html
+ - https://www.oracle.com/security-alerts/cpuoct2021.html
+ - https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@
+ - https://github.com/jquery/jquery/releases/tag/3.5.0
+ - https://www.oracle.com/security-alerts/cpujan2022.html
+ - https://www.oracle.com/security-alerts/cpuapr2022.html
+ - https://www.oracle.com/security-alerts/cpujul2022.html
+ - https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
+---
diff --git a/advisories/_posts/2020-04-29-CVE-2020-11023.md b/advisories/_posts/2020-04-29-CVE-2020-11023.md
index bda15a51..bd51dfb1 100644
--- a/advisories/_posts/2020-04-29-CVE-2020-11023.md
+++ b/advisories/_posts/2020-04-29-CVE-2020-11023.md @@ -1,34 +1,34 @@ ---- -layout: advisory -title: 'CVE-2020-11023 (jquery-rails): Potential XSS vulnerability in jQuery' -comments: false -categories: -- jquery-rails -- rails -advisory: - gem: jquery-rails - framework: rails - cve: 2020-11023 - ghsa: jpcq-cgw6-v4j6 - date: 2020-04-29 - url: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released - title: Potential XSS vulnerability in jQuery - description: | - ## Impact - - Passing HTML containing `
` - - `onerror` attributes on images: `` - - Other HTML attributes that can execute JavaScript - - ### Patches - - A fix is currently in development. Users should upgrade to - version **0.2.1** or later once released. - - The patch escapes all HTML attribute values using `CGI.escapeHTML` - to prevent injection attacks. - - ### Workarounds - - Until a patched version is available, users can implement one or - more of these mitigations: - - 1. **Sanitize output**: Pass the HTML output through a sanitization - library like [Sanitize](https://github.com/rgrove/sanitize) or - [Loofah](https://github.com/flavorjones/loofah): - - ```ruby - html = ProsemirrorToHtml.render(document) - safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) - ``` - - 2. **Implement Content Security Policy (CSP)**: Add strict CSP - headers to prevent inline JavaScript execution: - - ``` - Content-Security-Policy: default-src 'self'; script-src 'self' - ``` - - 3. **Input validation**: If possible, validate and sanitize - ProseMirror documents before conversion to prevent malicious - content from entering the system. 
- - ### References - - - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 - - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) - - [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html) - cvss_v3: 7.6 - patched_versions: - - ">= 0.2.1" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2025-64501 - - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx - - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1 - - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 - - https://github.com/advisories/GHSA-52c5-vh7f-26fx ---- +--- +layout: advisory +title: 'CVE-2025-64501 (prosemirror_to_html): Cross-Site Scripting (XSS) vulnerability + through unescaped HTML attribute values' +comments: false +categories: +- prosemirror_to_html +advisory: + gem: prosemirror_to_html + cve: 2025-64501 + ghsa: 52c5-vh7f-26fx + url: https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx + title: Cross-Site Scripting (XSS) vulnerability through unescaped HTML attribute + values + date: 2025-11-06 + description: | + ### Impact + + The prosemirror_to_html gem is vulnerable to Cross-Site Scripting + (XSS) attacks through malicious HTML attribute values. While tag + content is properly escaped, attribute values are not, allowing + attackers to inject arbitrary JavaScript code. 
+ + **Who is impacted:** + + - Any application using prosemirror_to_html to convert ProseMirror + documents to HTML + - Applications that process user-generated ProseMirror content are + at highest risk + - End users viewing the rendered HTML output could have malicious + JavaScript executed in their browsers + + **Attack vectors include:** + + - `href` attributes with `javascript:` protocol: `` + - Event handlers: `
` + - `onerror` attributes on images: `` + - Other HTML attributes that can execute JavaScript + + ### Patches + + A fix is currently in development. Users should upgrade to + version **0.2.1** or later once released. + + The patch escapes all HTML attribute values using `CGI.escapeHTML` + to prevent injection attacks. + + ### Workarounds + + Until a patched version is available, users can implement one or + more of these mitigations: + + 1. **Sanitize output**: Pass the HTML output through a sanitization + library like [Sanitize](https://github.com/rgrove/sanitize) or + [Loofah](https://github.com/flavorjones/loofah): + + ```ruby + html = ProsemirrorToHtml.render(document) + safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) + ``` + + 2. **Implement Content Security Policy (CSP)**: Add strict CSP + headers to prevent inline JavaScript execution: + + ``` + Content-Security-Policy: default-src 'self'; script-src 'self' + ``` + + 3. **Input validation**: If possible, validate and sanitize + ProseMirror documents before conversion to prevent malicious + content from entering the system. + + ### References + + - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 + - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + - [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html) + cvss_v3: 7.6 + patched_versions: + - ">= 0.2.1" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2025-64501 + - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx + - https://github.com/etaminstudio/prosemirror_to_html/releases/tag/v0.2.1 + - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 + - https://github.com/advisories/GHSA-52c5-vh7f-26fx +--- 
diff --git a/advisories/_posts/2025-11-13-GHSA-4249-gjr8-jpq3.md b/advisories/_posts/2025-11-13-GHSA-4249-gjr8-jpq3.md index c8e8bd6e..a2adc33f 100644 --- a/advisories/_posts/2025-11-13-GHSA-4249-gjr8-jpq3.md +++ b/advisories/_posts/2025-11-13-GHSA-4249-gjr8-jpq3.md @@ -1,83 +1,83 @@ ---- -layout: advisory -title: 'GHSA-4249-gjr8-jpq3 (prosemirror_to_html): ProsemirrorToHtml has a Cross-Site - Scripting (XSS) vulnerability through unescaped HTML attribute values' -comments: false -categories: -- prosemirror_to_html -advisory: - gem: prosemirror_to_html - ghsa: 4249-gjr8-jpq3 - url: https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx - title: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through - unescaped HTML attribute values - date: 2025-11-13 - description: | - ### Impact - - The prosemirror_to_html gem is vulnerable to Cross-Site Scripting - (XSS) attacks through malicious HTML attribute values. While tag - content is properly escaped, attribute values are not, allowing - attackers to inject arbitrary JavaScript code. - - **Who is impacted:** - - - Any application using prosemirror_to_html to convert ProseMirror - documents to HTML - - Applications that process user-generated ProseMirror content are - at highest risk - - End users viewing the rendered HTML output could have malicious - JavaScript executed in their browsers - - **Attack vectors include:** - - - `href` attributes with `javascript:` protocol: - `` - - Event handlers: `
` - - `onerror` attributes on images: `` - - Other HTML attributes that can execute JavaScript - - ### Patches - - A fix is currently in development. Users should upgrade to version - **0.2.1** or later once released. The patch escapes all HTML attribute - values using `CGI.escapeHTML` to prevent injection attacks. - - ### Workarounds - - Until a patched version is available, users can implement one or - more of these mitigations: - - 1. **Sanitize output**: Pass the HTML output through a sanitization - library like [Sanitize](https://github.com/rgrove/sanitize) or - [Loofah](https://github.com/flavorjones/loofah): - - ```ruby - html = ProsemirrorToHtml.render(document) - safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) - ``` - - 2. **Implement Content Security Policy (CSP)**: Add strict CSP - headers to prevent inline JavaScript execution: - ``` - Content-Security-Policy: default-src 'self'; script-src 'self' - ``` - - 3. **Input validation**: If possible, validate and sanitize - ProseMirror documents before conversion to prevent malicious - content from entering the system. 
- - ### References - - - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 - - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) - patched_versions: - - ">= 0.2.1" - related: - url: - - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx - - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 - - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html - - https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 - - https://github.com/advisories/GHSA-4249-gjr8-jpq3 ---- +--- +layout: advisory +title: 'GHSA-4249-gjr8-jpq3 (prosemirror_to_html): ProsemirrorToHtml has a Cross-Site + Scripting (XSS) vulnerability through unescaped HTML attribute values' +comments: false +categories: +- prosemirror_to_html +advisory: + gem: prosemirror_to_html + ghsa: 4249-gjr8-jpq3 + url: https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx + title: ProsemirrorToHtml has a Cross-Site Scripting (XSS) vulnerability through + unescaped HTML attribute values + date: 2025-11-13 + description: | + ### Impact + + The prosemirror_to_html gem is vulnerable to Cross-Site Scripting + (XSS) attacks through malicious HTML attribute values. While tag + content is properly escaped, attribute values are not, allowing + attackers to inject arbitrary JavaScript code. 
+ + **Who is impacted:** + + - Any application using prosemirror_to_html to convert ProseMirror + documents to HTML + - Applications that process user-generated ProseMirror content are + at highest risk + - End users viewing the rendered HTML output could have malicious + JavaScript executed in their browsers + + **Attack vectors include:** + + - `href` attributes with `javascript:` protocol: + `` + - Event handlers: `
` + - `onerror` attributes on images: `` + - Other HTML attributes that can execute JavaScript + + ### Patches + + A fix is currently in development. Users should upgrade to version + **0.2.1** or later once released. The patch escapes all HTML attribute + values using `CGI.escapeHTML` to prevent injection attacks. + + ### Workarounds + + Until a patched version is available, users can implement one or + more of these mitigations: + + 1. **Sanitize output**: Pass the HTML output through a sanitization + library like [Sanitize](https://github.com/rgrove/sanitize) or + [Loofah](https://github.com/flavorjones/loofah): + + ```ruby + html = ProsemirrorToHtml.render(document) + safe_html = Sanitize.fragment(html, Sanitize::Config::RELAXED) + ``` + + 2. **Implement Content Security Policy (CSP)**: Add strict CSP + headers to prevent inline JavaScript execution: + ``` + Content-Security-Policy: default-src 'self'; script-src 'self' + ``` + + 3. **Input validation**: If possible, validate and sanitize + ProseMirror documents before conversion to prevent malicious + content from entering the system. + + ### References + + - Vulnerable code: https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 + - [OWASP XSS Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html) + patched_versions: + - ">= 0.2.1" + related: + url: + - https://github.com/etaminstudio/prosemirror_to_html/security/advisories/GHSA-52c5-vh7f-26fx + - https://github.com/etaminstudio/prosemirror_to_html/commit/4d59f94f550bcabeec30d298791bbdd883298ad8 + - https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html + - https://github.com/etaminstudio/prosemirror_to_html/blob/ea8beb32f6c37f29f042ba4155ccf18504da716e/lib/prosemirror_to_html.rb#L249 + - https://github.com/advisories/GHSA-4249-gjr8-jpq3 +--- 
diff --git a/advisories/_posts/2025-12-08-CVE-2025-66567.md b/advisories/_posts/2025-12-08-CVE-2025-66567.md
index 8236ab43..7344cc0f 100644
--- a/advisories/_posts/2025-12-08-CVE-2025-66567.md
+++ b/advisories/_posts/2025-12-08-CVE-2025-66567.md
@@ -1,41 +1,41 @@ ---- -layout: advisory -title: 'CVE-2025-66567 (ruby-saml): Ruby-saml has a SAML authentication bypass due - to namespace handling (parser differential)' -comments: false -categories: -- ruby-saml -advisory: - gem: ruby-saml - cve: 2025-66567 - ghsa: 9v8j-x534-2fx3 - url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3 - title: Ruby-saml has a SAML authentication bypass due to namespace handling (parser - differential) - date: 2025-12-08 - description: | - ### Summary - - Ruby-saml up to and including 1.12.4, there is an authentication - bypass vulnerability because of an incomplete fix for CVE-2025-25292. - ReXML and Nokogiri parse XML differently, the parsers can generate - entirely different document structures from the same XML input. - That allows an attacker to be able to execute a Signature Wrapping - attack. The vulnerability does not affect the version 1.18.0. - - ### Impact - - That allows an attacker to be able to execute a Signature Wrapping - attack and bypass the authentication - cvss_v3: 9.1 - cvss_v4: 9.3 - patched_versions: - - ">= 1.18.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2025-66567 - - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3 - - https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97 - - https://github.com/advisories/GHSA-754f-8gm6-c4r2 - - https://github.com/advisories/GHSA-9v8j-x534-2fx3 ---- +--- +layout: advisory +title: 'CVE-2025-66567 (ruby-saml): Ruby-saml has a SAML authentication bypass due + to namespace handling (parser differential)' +comments: false +categories: +- ruby-saml +advisory: + gem: ruby-saml + cve: 2025-66567 + ghsa: 9v8j-x534-2fx3 + url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3 + title: Ruby-saml has a SAML authentication bypass due to namespace handling (parser + differential) + date: 2025-12-08 + description: | + ### Summary 
+
+ Ruby-saml up to and including 1.12.4, there is an authentication
+ bypass vulnerability because of an incomplete fix for CVE-2025-25292.
+ ReXML and Nokogiri parse XML differently, the parsers can generate
+ entirely different document structures from the same XML input.
+ That allows an attacker to be able to execute a Signature Wrapping
+ attack. The vulnerability does not affect the version 1.18.0.
+
+ ### Impact
+
+ That allows an attacker to be able to execute a Signature Wrapping
+ attack and bypass the authentication
+ cvss_v3: 9.1
+ cvss_v4: 9.3
+ patched_versions:
+ - ">= 1.18.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-66567
+ - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-9v8j-x534-2fx3
+ - https://github.com/SAML-Toolkits/ruby-saml/commit/e9c1cdbd0f9afa467b585de279db0cbd0fb8ae97
+ - https://github.com/advisories/GHSA-754f-8gm6-c4r2
+ - https://github.com/advisories/GHSA-9v8j-x534-2fx3
+---
diff --git a/advisories/_posts/2025-12-08-CVE-2025-66568.md b/advisories/_posts/2025-12-08-CVE-2025-66568.md
index 8c07766d..72bf2667 100644
--- a/advisories/_posts/2025-12-08-CVE-2025-66568.md
+++ b/advisories/_posts/2025-12-08-CVE-2025-66568.md
@@ -1,52 +1,52 @@ ---- -layout: advisory -title: 'CVE-2025-66568 (ruby-saml): Ruby-saml allows a Libxml2 Canonicalization error - to bypass Digest/Signature validation' -comments: false -categories: -- ruby-saml -advisory: - gem: ruby-saml - cve: 2025-66568 - ghsa: x4h9-gwv3-r4m4 - url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4 - title: Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature - validation - date: 2025-12-08 - description: | - ### Summary - - Ruby-saml up to and including 1.12.4, there is an authentication - bypass vulnerability because of an issue at libxml2 canonicalization - process used by Nokogiri for document transformation. That allows - an attacker to be able to execute a Signature Wrapping attack. - The vulnerability does not affect the version 1.18.0. - - ### Details - - When libxml2’s canonicalization is invoked on an invalid XML input, - it may return an empty string rather than a canonicalized node. - ruby-saml then proceeds to compute the DigestValue over this empty - string, treating it as if canonicalization succeeded. - - ### Impact - - 1. Digest bypass: By crafting input that causes canonicalization to - yield an empty string, the attacker can manipulate validation to - pass incorrectly. - - 2. Signature replay on empty canonical form: If an empty string has - been signed once (e.g., in a prior interaction or via a - misconfigured flow), that signature can potentially be replayed - to bypass authentication. 
- cvss_v3: 9.1
- cvss_v4: 9.3
- patched_versions:
- - ">= 1.18.0"
- related:
- url:
- - https://nvd.nist.gov/vuln/detail/CVE-2025-66568
- - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
- - https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
- - https://github.com/advisories/GHSA-x4h9-gwv3-r4m4
----
+---
+layout: advisory
+title: 'CVE-2025-66568 (ruby-saml): Ruby-saml allows a Libxml2 Canonicalization error
+ to bypass Digest/Signature validation'
+comments: false
+categories:
+- ruby-saml
+advisory:
+ gem: ruby-saml
+ cve: 2025-66568
+ ghsa: x4h9-gwv3-r4m4
+ url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
+ title: Ruby-saml allows a Libxml2 Canonicalization error to bypass Digest/Signature
+ validation
+ date: 2025-12-08
+ description: |
+ ### Summary
+
+ Ruby-saml up to and including 1.12.4, there is an authentication
+ bypass vulnerability because of an issue at libxml2 canonicalization
+ process used by Nokogiri for document transformation. That allows
+ an attacker to be able to execute a Signature Wrapping attack.
+ The vulnerability does not affect the version 1.18.0.
+
+ ### Details
+
+ When libxml2’s canonicalization is invoked on an invalid XML input,
+ it may return an empty string rather than a canonicalized node.
+ ruby-saml then proceeds to compute the DigestValue over this empty
+ string, treating it as if canonicalization succeeded.
+
+ ### Impact
+
+ 1. Digest bypass: By crafting input that causes canonicalization to
+ yield an empty string, the attacker can manipulate validation to
+ pass incorrectly.
+
+ 2. Signature replay on empty canonical form: If an empty string has
+ been signed once (e.g., in a prior interaction or via a
+ misconfigured flow), that signature can potentially be replayed
+ to bypass authentication.
+ cvss_v3: 9.1
+ cvss_v4: 9.3
+ patched_versions:
+ - ">= 1.18.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-66568
+ - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-x4h9-gwv3-r4m4
+ - https://github.com/SAML-Toolkits/ruby-saml/commit/acac9e9cc0b9a507882c614f25d41f8b47be349a
+ - https://github.com/advisories/GHSA-x4h9-gwv3-r4m4
+---
diff --git a/advisories/_posts/2025-12-16-CVE-2025-68113.md b/advisories/_posts/2025-12-16-CVE-2025-68113.md
index a2c324b4..e0ba3873 100644
--- a/advisories/_posts/2025-12-16-CVE-2025-68113.md
+++ b/advisories/_posts/2025-12-16-CVE-2025-68113.md
@@ -1,66 +1,66 @@ ---- -layout: advisory -title: 'CVE-2025-68113 (altcha): ALTCHA Proof-of-Work Vulnerable to Challenge Splicing - and Replay' -comments: false -categories: -- altcha -advisory: - gem: altcha - cve: 2025-68113 - ghsa: 6gvq-jcmp-8959 - url: https://github.com/altcha-org/altcha-lib/security/advisories/GHSA-6gvq-jcmp-8959 - title: ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay - date: 2025-12-16 - description: | - ### Impact - - A cryptographic semantic binding flaw in ALTCHA libraries allows - challenge payload splicing, which may enable replay attacks. The - HMAC signature does not unambiguously bind challenge parameters to - the nonce, allowing an attacker to reinterpret a valid proof-of-work - submission with a modified expiration value. - - This may allow previously solved challenges to be reused beyond - their intended lifetime, depending on server-side replay handling - and deployment assumptions. - - The vulnerability primarily impacts abuse-prevention mechanisms such - as rate limiting and bot mitigation. - - It does not directly affect data confidentiality or integrity. - - ### Patches - - This issue has been addressed by enforcing explicit semantic - separation between challenge parameters and the nonce during - HMAC computation. - - Users are advised to upgrade to patched versions. - - ### Workarounds - - As a mitigation, implementations may append a delimiter to the - end of the `salt` value prior to HMAC computation (for example, - `?expires=%s - ``` - - The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL: - - ```html - javascript:alert(1) - ``` - - Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. 
- - ## Impact - - If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`. - - When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). - - ## Mitigation - - * Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`). - * Avoid exposing user-controlled directories via `Rack::Directory`. - * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. - * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes. - cvss_v3: 5.4 - patched_versions: - - "~> 2.2.22" - - "~> 3.1.20" - - ">= 3.2.5" - related: - url: - - https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp - - https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff - - https://github.com/advisories/GHSA-whrj-4476-wvmp ---- +--- +layout: advisory +title: 'CVE-2026-25500 (rack): Stored XSS in Rack::Directory via javascript: filenames + rendered into anchor href' +comments: false +categories: +- rack +advisory: + gem: rack + cve: 2026-25500 + ghsa: whrj-4476-wvmp + url: https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp + title: 'Stored XSS in Rack::Directory via javascript: filenames rendered into anchor + href' + date: 2026-02-17 + description: |- + ## Summary + + `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. 
Clicking this entry executes arbitrary JavaScript in the context of the hosting application. + + This results in a client-side XSS condition in directory listings generated by `Rack::Directory`. + + ## Details + + `Rack::Directory` renders directory entries using an HTML row template similar to: + + ```html + %s + ``` + + The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL: + + ```html + javascript:alert(1) + ``` + + Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. + + ## Impact + + If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`. + + When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). + + ## Mitigation + + * Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`). + * Avoid exposing user-controlled directories via `Rack::Directory`. + * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. + * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes. + cvss_v3: 5.4 + patched_versions: + - "~> 2.2.22" + - "~> 3.1.20" + - ">= 3.2.5" + related: + url: + - https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp + - https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff + - https://github.com/advisories/GHSA-whrj-4476-wvmp +--- 
diff --git a/advisories/_posts/2026-02-18-GHSA-wx95-c6cv-8532.md b/advisories/_posts/2026-02-18-GHSA-wx95-c6cv-8532.md
index e5530891..9a9cfa79 100644
--- a/advisories/_posts/2026-02-18-GHSA-wx95-c6cv-8532.md
+++ b/advisories/_posts/2026-02-18-GHSA-wx95-c6cv-8532.md
@@ -1,54 +1,54 @@ ---- -layout: advisory -title: 'GHSA-wx95-c6cv-8532 (nokogiri): Nokogiri does not check the return value from - xmlC14NExecute' -comments: false -categories: -- nokogiri -advisory: - gem: nokogiri - ghsa: wx95-c6cv-8532 - url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532 - title: Nokogiri does not check the return value from xmlC14NExecute - date: 2026-02-18 - description: | - ## Summary - - Nokogiri's CRuby extension fails to check the return value from - `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` - and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, - an empty string is returned instead of raising an exception. This - incorrect return value may allow downstream libraries to accept - invalid or incomplete canonicalized XML, which has been demonstrated - to enable signature validation bypass in SAML libraries. - - JRuby is not affected, as the Java implementation correctly - raises `RuntimeError` on canonicalization failure. - - ## Mitigation - - Upgrade to Nokogiri `>= 1.19.1`. - - ## Severity - - The maintainers have assessed this as **Medium** severity. Nokogiri - itself is a parsing library without a clear security boundary - related to canonicalization, so the direct impact is that a method - returns incorrect data on invalid input. However, this behavior - was exploited in practice to bypass SAML signature validation - in downstream libraries (see References). - - ## Credit - - This vulnerability was responsibly reported by HackerOne - researcher `d4d`. 
- cvss_v3: 5.3 - unaffected_versions: - - "< 1.5.1" - patched_versions: - - ">= 1.19.1" - related: - url: - - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532 - - https://github.com/advisories/GHSA-wx95-c6cv-8532 ---- +--- +layout: advisory +title: 'GHSA-wx95-c6cv-8532 (nokogiri): Nokogiri does not check the return value from + xmlC14NExecute' +comments: false +categories: +- nokogiri +advisory: + gem: nokogiri + ghsa: wx95-c6cv-8532 + url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532 + title: Nokogiri does not check the return value from xmlC14NExecute + date: 2026-02-18 + description: | + ## Summary + + Nokogiri's CRuby extension fails to check the return value from + `xmlC14NExecute` in the method `Nokogiri::XML::Document#canonicalize` + and `Nokogiri::XML::Node#canonicalize`. When canonicalization fails, + an empty string is returned instead of raising an exception. This + incorrect return value may allow downstream libraries to accept + invalid or incomplete canonicalized XML, which has been demonstrated + to enable signature validation bypass in SAML libraries. + + JRuby is not affected, as the Java implementation correctly + raises `RuntimeError` on canonicalization failure. + + ## Mitigation + + Upgrade to Nokogiri `>= 1.19.1`. + + ## Severity + + The maintainers have assessed this as **Medium** severity. Nokogiri + itself is a parsing library without a clear security boundary + related to canonicalization, so the direct impact is that a method + returns incorrect data on invalid input. However, this behavior + was exploited in practice to bypass SAML signature validation + in downstream libraries (see References). + + ## Credit + + This vulnerability was responsibly reported by HackerOne + researcher `d4d`. 
+ cvss_v3: 5.3
+ unaffected_versions:
+ - "< 1.5.1"
+ patched_versions:
+ - ">= 1.19.1"
+ related:
+ url:
+ - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-wx95-c6cv-8532
+ - https://github.com/advisories/GHSA-wx95-c6cv-8532
+---
diff --git a/advisories/_posts/2026-02-27-CVE-2026-0980.md b/advisories/_posts/2026-02-27-CVE-2026-0980.md
index dd89e3b9..f47c83ed 100644
--- a/advisories/_posts/2026-02-27-CVE-2026-0980.md
+++ b/advisories/_posts/2026-02-27-CVE-2026-0980.md
@@ -1,31 +1,31 @@ ---- -layout: advisory -title: 'CVE-2026-0980 (rubyipmi): rubyipmi is vulnerable to OS Command Injection through - malicious usernames' -comments: false -categories: -- rubyipmi -advisory: - gem: rubyipmi - cve: 2026-0980 - ghsa: hfcp-477w-3wjw - url: https://access.redhat.com/security/cve/CVE-2026-0980 - title: rubyipmi is vulnerable to OS Command Injection through malicious usernames - date: 2026-02-27 - description: | - A flaw was found in rubyipmi, a gem used in the Baseboard Management - Controller (BMC) component of Red Hat Satellite. An authenticated - attacker with host creation or update permissions could exploit this - vulnerability by crafting a malicious username for the BMC interface. - This could lead to remote code execution (RCE) on the system. - cvss_v3: 8.3 - patched_versions: - - ">= 0.13.0" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2026-0980 - - https://access.redhat.com/security/cve/CVE-2026-0980 - - https://bugzilla.redhat.com/show_bug.cgi?id=2429874 - - https://github.com/logicminds/rubyipmi/commit/252503a7b4dca68388165883b0322024e344a215 - - https://github.com/advisories/GHSA-hfcp-477w-3wjw ---- +--- +layout: advisory +title: 'CVE-2026-0980 (rubyipmi): rubyipmi is vulnerable to OS Command Injection through + malicious usernames' +comments: false +categories: +- rubyipmi +advisory: + gem: rubyipmi + cve: 2026-0980 + ghsa: hfcp-477w-3wjw + url: https://access.redhat.com/security/cve/CVE-2026-0980 + title: rubyipmi is vulnerable to OS Command Injection through malicious usernames + date: 2026-02-27 + description: | + A flaw was found in rubyipmi, a gem used in the Baseboard Management + Controller (BMC) component of Red Hat Satellite. An authenticated + attacker with host creation or update permissions could exploit this + vulnerability by crafting a malicious username for the BMC interface. + This could lead to remote code execution (RCE) on the system. 
+ cvss_v3: 8.3
+ patched_versions:
+ - ">= 0.13.0"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-0980
+ - https://access.redhat.com/security/cve/CVE-2026-0980
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2429874
+ - https://github.com/logicminds/rubyipmi/commit/252503a7b4dca68388165883b0322024e344a215
+ - https://github.com/advisories/GHSA-hfcp-477w-3wjw
+---
diff --git a/advisories/_posts/2026-03-05-CVE-2026-27820.md b/advisories/_posts/2026-03-05-CVE-2026-27820.md
index e2654854..a9e1de3e 100644
--- a/advisories/_posts/2026-03-05-CVE-2026-27820.md
+++ b/advisories/_posts/2026-03-05-CVE-2026-27820.md
@@ -1,55 +1,55 @@ ---- -layout: advisory -title: 'CVE-2026-27820 (zlib): Buffer overflow vulnerability in Zlib::GzipReader' -comments: false -categories: -- zlib -advisory: - gem: zlib - cve: 2026-27820 - url: https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820 - title: Buffer overflow vulnerability in Zlib::GzipReader - date: 2026-03-05 - description: | - A buffer overflow vulnerability exists in Zlib::GzipReader. - This vulnerability has been assigned the CVE identifier - CVE-2026-27820. We recommend upgrading the zlib gem. - - ## Details - - The zstream_buffer_ungets function prepends caller-provided bytes - ahead of previously produced output but fails to guarantee the - backing Ruby string has enough capacity before the memmove shifts - the existing data. This can lead to memory corruption when the - buffer length exceeds capacity. - - ## Recommended action - - We recommend to update the zlib gem to version 3.2.3 or later. - In order to ensure compatibility with bundled version in older - Ruby series, you may update as follows instead: - - * For Ruby 3.2 users: Update to zlib 3.0.1 - * For Ruby 3.3 users: Update to zlib 3.1.2 - * You can use gem update zlib to update it. If you are using - bundler, please add gem "zlib", ">= 3.2.3" to your Gemfile. - - ## Affected versions: - - zlib gem 3.2.2 or lower - - ## Credits - - Thanks to calysteon for reporting this issue. Also thanks to - nobu for creating the patch. 
- patched_versions: - - "~> 3.0.1" - - "~> 3.1.2" - - ">= 3.2.3" - related: - url: - - https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820 - - https://rubygems.org/gems/zlib/versions/3.2.3 - - https://rubygems.org/gems/zlib/versions/3.1.2 - - https://rubygems.org/gems/zlib/versions/3.0.1 ---- +--- +layout: advisory +title: 'CVE-2026-27820 (zlib): Buffer overflow vulnerability in Zlib::GzipReader' +comments: false +categories: +- zlib +advisory: + gem: zlib + cve: 2026-27820 + url: https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820 + title: Buffer overflow vulnerability in Zlib::GzipReader + date: 2026-03-05 + description: | + A buffer overflow vulnerability exists in Zlib::GzipReader. + This vulnerability has been assigned the CVE identifier + CVE-2026-27820. We recommend upgrading the zlib gem. + + ## Details + + The zstream_buffer_ungets function prepends caller-provided bytes + ahead of previously produced output but fails to guarantee the + backing Ruby string has enough capacity before the memmove shifts + the existing data. This can lead to memory corruption when the + buffer length exceeds capacity. + + ## Recommended action + + We recommend to update the zlib gem to version 3.2.3 or later. + In order to ensure compatibility with bundled version in older + Ruby series, you may update as follows instead: + + * For Ruby 3.2 users: Update to zlib 3.0.1 + * For Ruby 3.3 users: Update to zlib 3.1.2 + * You can use gem update zlib to update it. If you are using + bundler, please add gem "zlib", ">= 3.2.3" to your Gemfile. + + ## Affected versions: + + zlib gem 3.2.2 or lower + + ## Credits + + Thanks to calysteon for reporting this issue. Also thanks to + nobu for creating the patch. 
+ patched_versions:
+ - "~> 3.0.1"
+ - "~> 3.1.2"
+ - ">= 3.2.3"
+ related:
+ url:
+ - https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820
+ - https://rubygems.org/gems/zlib/versions/3.2.3
+ - https://rubygems.org/gems/zlib/versions/3.1.2
+ - https://rubygems.org/gems/zlib/versions/3.0.1
+---
diff --git a/advisories/_posts/2026-03-10-CVE-2026-1776.md b/advisories/_posts/2026-03-10-CVE-2026-1776.md
index d7c7719d..43b6f662 100644
--- a/advisories/_posts/2026-03-10-CVE-2026-1776.md
+++ b/advisories/_posts/2026-03-10-CVE-2026-1776.md
@@ -1,41 +1,41 @@ ---- -layout: advisory -title: 'CVE-2026-1776 (camaleon_cms): Camaleon CMS vulnerable to Path Traversal through - AWS S3 uploader implementation' -comments: false -categories: -- camaleon_cms -advisory: - gem: camaleon_cms - cve: 2026-1776 - ghsa: jw5g-f64p-6x78 - url: https://nvd.nist.gov/vuln/detail/CVE-2026-1776 - title: Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation - date: 2026-03-10 - description: | - Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, - contain a path traversal vulnerability in the AWS S3 uploader - implementation that allows authenticated users to read arbitrary - files from the web server’s filesystem. The issue occurs in the - download_private_file functionality when the application is - configured to use the CamaleonCmsAwsUploader backend. Unlike the - local uploader implementation, the AWS uploader does not validate - file paths with valid_folder_path?, allowing directory traversal - sequences to be supplied via the file parameter. As a result, any - authenticated user, including low-privileged registered users, can - access sensitive files such as /etc/passwd. This issue represents a - bypass of the incomplete fix for CVE-2024-46987 and affects - deployments using the AWS S3 storage backend. 
- cvss_v4: 6.0 - unaffected_versions: - - "< 2.4.5.0" - notes: Never patched; last release was 2.9.1 - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2026-1776 - - https://github.com/owen2345/camaleon-cms/pull/1127 - - https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af - - https://camaleon.website - - https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read - - https://github.com/advisories/GHSA-jw5g-f64p-6x78 ---- +--- +layout: advisory +title: 'CVE-2026-1776 (camaleon_cms): Camaleon CMS vulnerable to Path Traversal through + AWS S3 uploader implementation' +comments: false +categories: +- camaleon_cms +advisory: + gem: camaleon_cms + cve: 2026-1776 + ghsa: jw5g-f64p-6x78 + url: https://nvd.nist.gov/vuln/detail/CVE-2026-1776 + title: Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation + date: 2026-03-10 + description: | + Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, + contain a path traversal vulnerability in the AWS S3 uploader + implementation that allows authenticated users to read arbitrary + files from the web server’s filesystem. The issue occurs in the + download_private_file functionality when the application is + configured to use the CamaleonCmsAwsUploader backend. Unlike the + local uploader implementation, the AWS uploader does not validate + file paths with valid_folder_path?, allowing directory traversal + sequences to be supplied via the file parameter. As a result, any + authenticated user, including low-privileged registered users, can + access sensitive files such as /etc/passwd. This issue represents a + bypass of the incomplete fix for CVE-2024-46987 and affects + deployments using the AWS S3 storage backend. 
+ cvss_v4: 6.0
+ unaffected_versions:
+ - "< 2.4.5.0"
+ notes: Never patched; last release was 2.9.1
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-1776
+ - https://github.com/owen2345/camaleon-cms/pull/1127
+ - https://github.com/owen2345/camaleon-cms/commit/f54a77e2a7be601215ea1b396038c589a0cab9af
+ - https://camaleon.website
+ - https://www.vulncheck.com/advisories/camaleon-cms-aws-uploader-authenticated-path-traversal-arbitrary-file-read
+ - https://github.com/advisories/GHSA-jw5g-f64p-6x78
+---
diff --git a/advisories/_posts/2026-03-11-CVE-2026-31830.md b/advisories/_posts/2026-03-11-CVE-2026-31830.md
index c9ccb775..d1f344cb 100644
--- a/advisories/_posts/2026-03-11-CVE-2026-31830.md
+++ b/advisories/_posts/2026-03-11-CVE-2026-31830.md
@@ -1,64 +1,64 @@ ---- -layout: advisory -title: 'CVE-2026-31830 (sigstore): sigstore-ruby verifier returns success for DSSE - bundles with mismatched in-toto subject digest' -comments: false -categories: -- sigstore -advisory: - gem: sigstore - cve: 2026-31830 - ghsa: mhg6-2q2v-9h2c - url: https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c - title: sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto - subject digest - date: 2026-03-11 - description: | - ### Summary - - `Sigstore::Verifier#verify` does not propagate the `VerificationFailure` - returned by `verify_in_toto` when the artifact digest does not match - the digest in the in-toto attestation subject. As a result, verification - of DSSE bundles containing in-toto statements returns `VerificationSuccess` - regardless of whether the artifact matches the attested subject. - - ### Details - - In `lib/sigstore/verifier.rb`, the verify method calls `verify_in_toto` - (line 176) without capturing or checking its return value: - - `verify_in_toto(input, in_toto)` - - When `verify_in_toto` detects a digest mismatch, it returns a - `VerificationFailure` object. Because the caller discards this - return value, execution unconditionally falls through to return - `VerificationSuccess`. This is the only verification sub-check in - the method (out of 12) whose failure is not propagated. - - The message_signature code path is not affected. - - ### Impact - - An attacker who possesses a valid signed DSSE bundle containing an - in-toto attestation for artifact A can present it as a valid attestation - for a different artifact B. All other verification checks (DSSE envelope - signature, certificate chain, Rekor inclusion, SCTs, policy) pass because - they are independent of the artifact content. Only the in-toto subject - digest check detects the mismatch, and its result is discarded. 
- - This allows an attacker to bypass artifact-to-attestation binding for - any consumer that relies on `Sigstore::Verifier#verify` to validate - DSSE/in-toto bundles. - - ### Workarounds - - None. Consumers cannot work around this without patching the library. - cvss_v3: 7.5 - patched_versions: - - ">= 0.2.3" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2026-31830 - - https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c - - https://github.com/advisories/GHSA-mhg6-2q2v-9h2c ---- +--- +layout: advisory +title: 'CVE-2026-31830 (sigstore): sigstore-ruby verifier returns success for DSSE + bundles with mismatched in-toto subject digest' +comments: false +categories: +- sigstore +advisory: + gem: sigstore + cve: 2026-31830 + ghsa: mhg6-2q2v-9h2c + url: https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c + title: sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto + subject digest + date: 2026-03-11 + description: | + ### Summary + + `Sigstore::Verifier#verify` does not propagate the `VerificationFailure` + returned by `verify_in_toto` when the artifact digest does not match + the digest in the in-toto attestation subject. As a result, verification + of DSSE bundles containing in-toto statements returns `VerificationSuccess` + regardless of whether the artifact matches the attested subject. + + ### Details + + In `lib/sigstore/verifier.rb`, the verify method calls `verify_in_toto` + (line 176) without capturing or checking its return value: + + `verify_in_toto(input, in_toto)` + + When `verify_in_toto` detects a digest mismatch, it returns a + `VerificationFailure` object. Because the caller discards this + return value, execution unconditionally falls through to return + `VerificationSuccess`. This is the only verification sub-check in + the method (out of 12) whose failure is not propagated. + + The message_signature code path is not affected. 
+
+ ### Impact
+
+ An attacker who possesses a valid signed DSSE bundle containing an
+ in-toto attestation for artifact A can present it as a valid attestation
+ for a different artifact B. All other verification checks (DSSE envelope
+ signature, certificate chain, Rekor inclusion, SCTs, policy) pass because
+ they are independent of the artifact content. Only the in-toto subject
+ digest check detects the mismatch, and its result is discarded.
+
+ This allows an attacker to bypass artifact-to-attestation binding for
+ any consumer that relies on `Sigstore::Verifier#verify` to validate
+ DSSE/in-toto bundles.
+
+ ### Workarounds
+
+ None. Consumers cannot work around this without patching the library.
+ cvss_v3: 7.5
+ patched_versions:
+ - ">= 0.2.3"
+ related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-31830
+ - https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c
+ - https://github.com/advisories/GHSA-mhg6-2q2v-9h2c
+---
diff --git a/advisories/_posts/2026-03-12-GHSA-qmpg-8xg6-ph5q.md b/advisories/_posts/2026-03-12-GHSA-qmpg-8xg6-ph5q.md
index 504a3b01..e19dc2bf 100644
--- a/advisories/_posts/2026-03-12-GHSA-qmpg-8xg6-ph5q.md
+++ b/advisories/_posts/2026-03-12-GHSA-qmpg-8xg6-ph5q.md
@@ -1,46 +1,46 @@ ---- -layout: advisory -title: 'GHSA-qmpg-8xg6-ph5q (action_text-trix): Trix has a Stored XSS vulnerability - through serialized attributes' -comments: false -categories: -- action_text-trix -advisory: - gem: action_text-trix - ghsa: qmpg-8xg6-ph5q - url: https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q - title: Trix has a Stored XSS vulnerability through serialized attributes - date: 2026-03-12 - description: | - ### Impact - - The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS - attacks when a `data-trix-serialized-attributes` attribute bypasses - the DOMPurify sanitizer. - - An attacker could craft HTML containing a `data-trix-serialized-attributes` - attribute with a malicious payload that, when the content is rendered, - could execute arbitrary JavaScript code within the context of the user's - session, potentially leading to unauthorized actions being performed - or sensitive information being disclosed. - - ### Patches - - Update Recommendation: Users should upgrade to Trix editor - version 2.1.17 or later. - - ### References - - The XSS vulnerability was responsibly reported by Hackerone - researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma). 
- cvss_v3: 4.6 - patched_versions: - - ">= 2.1.17" - related: - url: - - https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q - - https://github.com/basecamp/trix/releases/tag/v2.1.17 - - https://github.com/basecamp/trix/pull/1282 - - https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc - - https://github.com/advisories/GHSA-qmpg-8xg6-ph5q ---- +--- +layout: advisory +title: 'GHSA-qmpg-8xg6-ph5q (action_text-trix): Trix has a Stored XSS vulnerability + through serialized attributes' +comments: false +categories: +- action_text-trix +advisory: + gem: action_text-trix + ghsa: qmpg-8xg6-ph5q + url: https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q + title: Trix has a Stored XSS vulnerability through serialized attributes + date: 2026-03-12 + description: | + ### Impact + + The Trix editor, in versions prior to 2.1.17, is vulnerable to XSS + attacks when a `data-trix-serialized-attributes` attribute bypasses + the DOMPurify sanitizer. + + An attacker could craft HTML containing a `data-trix-serialized-attributes` + attribute with a malicious payload that, when the content is rendered, + could execute arbitrary JavaScript code within the context of the user's + session, potentially leading to unauthorized actions being performed + or sensitive information being disclosed. + + ### Patches + + Update Recommendation: Users should upgrade to Trix editor + version 2.1.17 or later. + + ### References + + The XSS vulnerability was responsibly reported by Hackerone + researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma). 
+ cvss_v3: 4.6
+ patched_versions:
+ - ">= 2.1.17"
+ related:
+ url:
+ - https://github.com/basecamp/trix/security/advisories/GHSA-qmpg-8xg6-ph5q
+ - https://github.com/basecamp/trix/releases/tag/v2.1.17
+ - https://github.com/basecamp/trix/pull/1282
+ - https://github.com/basecamp/trix/commit/53197ab5a142e6b0b76127cb790726b274eaf1bc
+ - https://github.com/advisories/GHSA-qmpg-8xg6-ph5q
+---
diff --git a/advisories/_posts/2026-03-16-CVE-2026-32700.md b/advisories/_posts/2026-03-16-CVE-2026-32700.md
index c7a504c3..b21f164e 100644
--- a/advisories/_posts/2026-03-16-CVE-2026-32700.md
+++ b/advisories/_posts/2026-03-16-CVE-2026-32700.md
@@ -1,69 +1,69 @@ ---- -layout: advisory -title: 'CVE-2026-32700 (devise): Confirmable "change email" race condition permits - user to confirm email they have no access to' -comments: false -categories: -- devise -advisory: - gem: devise - cve: 2026-32700 - ghsa: 57hq-95w6-v4fc - url: https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc - title: Confirmable "change email" race condition permits user to confirm email they - have no access to - date: 2026-03-16 - description: | - ## Impact - - A race condition in Devise's Confirmable module allows an attacker - to confirm an email address they do not own. This affects any Devise - application using the reconfirmable option (the default when using - Confirmable with email changes). - - By sending two concurrent email change requests, an attacker can - desynchronize the confirmation_token and unconfirmed_email fields. - The confirmation token is sent to an email the attacker controls, - but the unconfirmed_email in the database points to a victim's - email address. When the attacker uses the token, the victim's email - is confirmed on the attacker's account. - - ## Patch - - This is patched in Devise v5.0.3. Users should upgrade as soon as possible. - - ## Workaround - - Applications can override this specific method from Devise models - to force unconfirmed_email to be persisted when unchanged: - (assuming your model is User) - - ``` - class User < ApplicationRecord - protected - - def postpone_email_change_until_confirmation_and_regenerate_confirmation_token - unconfirmed_email_will_change! - super - end - end - ``` - - Note: Mongoid does not seem to respect that will_change! should - force the attribute to be persisted, even if it did not really - change, so you might have to implement a workaround similar to - Devise by setting changed_attributes["unconfirmed_email"] = nil as well. 
- patched_versions: - - ">= 5.0.3" - related: - url: - - https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released - - https://github.com/heartcombo/devise/pull/5784 - - https://github.com/heartcombo/devise/issues/5783 - - https://portswigger.net/research/smashing-the-state-machine - - https://groups.google.com/g/heartcombo/c/ieiLJhG4EGE/m/PNlIQv54AAAJ - - https://groups.google.com/g/heartcombo/c/o9mtkcfvt_g/m/SABX6rp8AgAJ - - https://groups.google.com/g/heartcombo/c/XDII89RV6Ak/m/AJMOyayNAgAJ - - https://groups.google.com/g/heartcombo/c/TWge7vKELhc/m/gRTrgKz4CQAJ - - https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc ---- +--- +layout: advisory +title: 'CVE-2026-32700 (devise): Confirmable "change email" race condition permits + user to confirm email they have no access to' +comments: false +categories: +- devise +advisory: + gem: devise + cve: 2026-32700 + ghsa: 57hq-95w6-v4fc + url: https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc + title: Confirmable "change email" race condition permits user to confirm email they + have no access to + date: 2026-03-16 + description: | + ## Impact + + A race condition in Devise's Confirmable module allows an attacker + to confirm an email address they do not own. This affects any Devise + application using the reconfirmable option (the default when using + Confirmable with email changes). + + By sending two concurrent email change requests, an attacker can + desynchronize the confirmation_token and unconfirmed_email fields. + The confirmation token is sent to an email the attacker controls, + but the unconfirmed_email in the database points to a victim's + email address. When the attacker uses the token, the victim's email + is confirmed on the attacker's account. + + ## Patch + + This is patched in Devise v5.0.3. Users should upgrade as soon as possible. 
+
+ ## Workaround
+
+ Applications can override this specific method from Devise models
+ to force unconfirmed_email to be persisted when unchanged:
+ (assuming your model is User)
+
+ ```
+ class User < ApplicationRecord
+ protected
+
+ def postpone_email_change_until_confirmation_and_regenerate_confirmation_token
+ unconfirmed_email_will_change!
+ super
+ end
+ end
+ ```
+
+ Note: Mongoid does not seem to respect that will_change! should
+ force the attribute to be persisted, even if it did not really
+ change, so you might have to implement a workaround similar to
+ Devise by setting changed_attributes["unconfirmed_email"] = nil as well.
+ patched_versions:
+ - ">= 5.0.3"
+ related:
+ url:
+ - https://about.gitlab.com/releases/2023/01/09/security-release-gitlab-15-7-2-released
+ - https://github.com/heartcombo/devise/pull/5784
+ - https://github.com/heartcombo/devise/issues/5783
+ - https://portswigger.net/research/smashing-the-state-machine
+ - https://groups.google.com/g/heartcombo/c/ieiLJhG4EGE/m/PNlIQv54AAAJ
+ - https://groups.google.com/g/heartcombo/c/o9mtkcfvt_g/m/SABX6rp8AgAJ
+ - https://groups.google.com/g/heartcombo/c/XDII89RV6Ak/m/AJMOyayNAgAJ
+ - https://groups.google.com/g/heartcombo/c/TWge7vKELhc/m/gRTrgKz4CQAJ
+ - https://github.com/heartcombo/devise/security/advisories/GHSA-57hq-95w6-v4fc
+---
diff --git a/advisories/_posts/2026-03-17-CVE-2026-4324.md b/advisories/_posts/2026-03-17-CVE-2026-4324.md
index c645e69e..9958e6d7 100644
--- a/advisories/_posts/2026-03-17-CVE-2026-4324.md
+++ b/advisories/_posts/2026-03-17-CVE-2026-4324.md
@@ -1,35 +1,35 @@ ---- -layout: advisory -title: 'CVE-2026-4324 (katello): Katello - Denial of Service and potential information - disclosure via SQL injection''' -comments: false -categories: -- katello -advisory: - gem: katello - cve: 2026-4324 - ghsa: fwj4-6wgp-mpxm - url: https://access.redhat.com/security/cve/CVE-2026-4324 - title: Katello - Denial of Service and potential information disclosure via SQL - injection' - date: 2026-03-17 - description: | - A flaw was found in the Katello plugin for Red Hat Satellite. This - vulnerability, caused by improper sanitization of user-provided - input, allows a remote attacker to inject arbitrary SQL commands - into the sort_by parameter of the /api/hosts/bootc_images API - endpoint. This can lead to a Denial of Service (DoS) by triggering - database errors, and potentially enable Boolean-based Blind SQL - injection, which could allow an attacker to extract sensitive - information from the database. - cvss_v3: 5.4 - patched_versions: - - ">= 4.19.1" - related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2026-4324 - - https://access.redhat.com/security/cve/CVE-2026-4324 - - https://bugzilla.redhat.com/show_bug.cgi?id=2448349 - - https://github.com/Katello/katello/commit/a0a793b08d4f0a897ee985d79a687ad043f99e57 - - https://github.com/advisories/GHSA-fwj4-6wgp-mpxm ---- +--- +layout: advisory +title: 'CVE-2026-4324 (katello): Katello - Denial of Service and potential information + disclosure via SQL injection''' +comments: false +categories: +- katello +advisory: + gem: katello + cve: 2026-4324 + ghsa: fwj4-6wgp-mpxm + url: https://access.redhat.com/security/cve/CVE-2026-4324 + title: Katello - Denial of Service and potential information disclosure via SQL + injection' + date: 2026-03-17 + description: | + A flaw was found in the Katello plugin for Red Hat Satellite. 
This + vulnerability, caused by improper sanitization of user-provided + input, allows a remote attacker to inject arbitrary SQL commands + into the sort_by parameter of the /api/hosts/bootc_images API + endpoint. This can lead to a Denial of Service (DoS) by triggering + database errors, and potentially enable Boolean-based Blind SQL + injection, which could allow an attacker to extract sensitive + information from the database. + cvss_v3: 5.4 + patched_versions: + - ">= 4.19.1" + related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2026-4324 + - https://access.redhat.com/security/cve/CVE-2026-4324 + - https://bugzilla.redhat.com/show_bug.cgi?id=2448349 + - https://github.com/Katello/katello/commit/a0a793b08d4f0a897ee985d79a687ad043f99e57 + - https://github.com/advisories/GHSA-fwj4-6wgp-mpxm +--- diff --git a/advisories/_posts/2026-03-18-CVE-2026-33209.md b/advisories/_posts/2026-03-18-CVE-2026-33209.md index d6cc459d..995be623 100644 --- a/advisories/_posts/2026-03-18-CVE-2026-33209.md +++ b/advisories/_posts/2026-03-18-CVE-2026-33209.md 
@@ -1,40 +1,40 @@ ---- -layout: advisory -title: 'CVE-2026-33209 (avo): Avo has a XSS vulnerability on `return_to` param' -comments: false -categories: -- avo -advisory: - gem: avo - cve: 2026-33209 - ghsa: 762r-27w2-q22j - url: https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j - title: Avo has a XSS vulnerability on `return_to` param - date: 2026-03-18 - description: | - ## Description - - A reflected cross-site scripting (XSS) vulnerability exists in - the `return_to` query parameter used in the avo interface. - - An attacker can craft a malicious URL that injects arbitrary - JavaScript, which is executed when he clicks a dynamically - generated navigation button. - - ## Impact - - This vulnerability may allow execution of arbitrary JavaScript - in the context of the application. - - Impact varies depending on deployment: - - In unauthenticated setups: exploitable via crafted links sent to users. - - In authenticated setups: limited to authenticated users and - requires interaction. - cvss_v4: 5.3 - patched_versions: - - ">= 3.30.3" - related: - url: - - https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j - - https://github.com/advisories/GHSA-762r-27w2-q22j ---- +--- +layout: advisory +title: 'CVE-2026-33209 (avo): Avo has a XSS vulnerability on `return_to` param' +comments: false +categories: +- avo +advisory: + gem: avo + cve: 2026-33209 + ghsa: 762r-27w2-q22j + url: https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j + title: Avo has a XSS vulnerability on `return_to` param + date: 2026-03-18 + description: | + ## Description + + A reflected cross-site scripting (XSS) vulnerability exists in + the `return_to` query parameter used in the avo interface. + + An attacker can craft a malicious URL that injects arbitrary + JavaScript, which is executed when he clicks a dynamically + generated navigation button. 
+ + ## Impact + + This vulnerability may allow execution of arbitrary JavaScript + in the context of the application. + + Impact varies depending on deployment: + - In unauthenticated setups: exploitable via crafted links sent to users. + - In authenticated setups: limited to authenticated users and + requires interaction. + cvss_v4: 5.3 + patched_versions: + - ">= 3.30.3" + related: + url: + - https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j + - https://github.com/advisories/GHSA-762r-27w2-q22j +--- diff --git a/advisories/_posts/2026-03-18-GHSA-46fp-8f5p-pf2m.md b/advisories/_posts/2026-03-18-GHSA-46fp-8f5p-pf2m.md index c536403f..59ad5b54 100644 --- a/advisories/_posts/2026-03-18-GHSA-46fp-8f5p-pf2m.md +++ b/advisories/_posts/2026-03-18-GHSA-46fp-8f5p-pf2m.md 
@@ -1,62 +1,62 @@ ---- -layout: advisory -title: 'GHSA-46fp-8f5p-pf2m (loofah): Improper detection of disallowed URIs by Loofah - `allowed_uri?`' -comments: false -categories: -- loofah -advisory: - gem: loofah - ghsa: 46fp-8f5p-pf2m - url: https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m - title: Improper detection of disallowed URIs by Loofah `allowed_uri?` - date: 2026-03-18 - description: | - ## Summary - - `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject - `javascript:` URIs when the scheme is split by HTML entity-encoded - control characters such as ` ` (carriage return), ` ` - (line feed), or ` ` (tab). - - ## Details - - The `allowed_uri?` method strips literal control characters before - decoding HTML entities. Payloads like `java script:alert(1)` - survive the control character strip, then ` ` is decoded to - a carriage return, producing `java\rscript:alert(1)`. - - Note that the Loofah sanitizer's default `sanitize()` path is - **not affected** because Nokogiri decodes HTML entities during - parsing before Loofah evaluates the URI protocol. This issue only - affects direct callers of the `allowed_uri?` string-level helper - when passing HTML-encoded strings. - - ## Impact - - Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to - validate user-controlled URLs and then render approved URLs into - `href` or other browser-interpreted URI attributes may be - vulnerable to cross-site scripting (XSS). - - This only affects Loofah `2.25.0`. - - ## Mitigation - - Upgrade to Loofah >= `2.25.1`. - - ## Credit - - Responsibly reported by HackOne user `@smlee`. 
- unaffected_versions: - - "< 2.25.0" - patched_versions: - - ">= 2.25.1" - related: - url: - - https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m - - https://github.com/flavorjones/loofah/releases/tag/v2.25.1 - - https://github.com/flavorjones/loofah/commit/f4ebc9c5193dde759a57541062e490e86fc7c068 - - https://github.com/advisories/GHSA-2j22-pr5w-6gq8 - - https://github.com/advisories/GHSA-46fp-8f5p-pf2m ---- +--- +layout: advisory +title: 'GHSA-46fp-8f5p-pf2m (loofah): Improper detection of disallowed URIs by Loofah + `allowed_uri?`' +comments: false +categories: +- loofah +advisory: + gem: loofah + ghsa: 46fp-8f5p-pf2m + url: https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m + title: Improper detection of disallowed URIs by Loofah `allowed_uri?` + date: 2026-03-18 + description: | + ## Summary + + `Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject + `javascript:` URIs when the scheme is split by HTML entity-encoded + control characters such as ` ` (carriage return), ` ` + (line feed), or ` ` (tab). + + ## Details + + The `allowed_uri?` method strips literal control characters before + decoding HTML entities. Payloads like `java script:alert(1)` + survive the control character strip, then ` ` is decoded to + a carriage return, producing `java\rscript:alert(1)`. + + Note that the Loofah sanitizer's default `sanitize()` path is + **not affected** because Nokogiri decodes HTML entities during + parsing before Loofah evaluates the URI protocol. This issue only + affects direct callers of the `allowed_uri?` string-level helper + when passing HTML-encoded strings. + + ## Impact + + Applications that call `Loofah::HTML5::Scrub.allowed_uri?` to + validate user-controlled URLs and then render approved URLs into + `href` or other browser-interpreted URI attributes may be + vulnerable to cross-site scripting (XSS). + + This only affects Loofah `2.25.0`. + + ## Mitigation + + Upgrade to Loofah >= `2.25.1`. 
+ + ## Credit + + Responsibly reported by HackOne user `@smlee`. + unaffected_versions: + - "< 2.25.0" + patched_versions: + - ">= 2.25.1" + related: + url: + - https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m + - https://github.com/flavorjones/loofah/releases/tag/v2.25.1 + - https://github.com/flavorjones/loofah/commit/f4ebc9c5193dde759a57541062e490e86fc7c068 + - https://github.com/advisories/GHSA-2j22-pr5w-6gq8 + - https://github.com/advisories/GHSA-46fp-8f5p-pf2m +--- diff --git a/advisories/_posts/2026-03-19-CVE-2026-33210.md b/advisories/_posts/2026-03-19-CVE-2026-33210.md index 43bb6465..8e3a55f1 100644 --- a/advisories/_posts/2026-03-19-CVE-2026-33210.md +++ b/advisories/_posts/2026-03-19-CVE-2026-33210.md 
@@ -1,42 +1,42 @@ ---- -layout: advisory -title: 'CVE-2026-33210 (json): Ruby JSON has a format string injection vulnerability' -comments: false -categories: -- json -advisory: - gem: json - cve: 2026-33210 - ghsa: 3m6g-2423-7cp3 - url: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 - title: Ruby JSON has a format string injection vulnerability - date: 2026-03-19 - description: | - ### Impact - - A format string injection vulnerability than that lead to denial of - service attacks or information disclosure, when the `allow_duplicate_key: - false` parsing option is used to parse user supplied documents. - - This option isn't the default, if you didn't opt-in to use it, - you are not impacted. - - ### Patches - - Patched in `2.19.2`. - - ### Workarounds - - The issue can be avoided by not using the `allow_duplicate_key: false` - parsing option. - unaffected_versions: - - "< 2.14.0" - patched_versions: - - "~> 2.15.2.1" - - "~> 2.17.1.2" - - ">= 2.19.2" - related: - url: - - https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 - - https://github.com/advisories/GHSA-3m6g-2423-7cp3 ---- +--- +layout: advisory +title: 'CVE-2026-33210 (json): Ruby JSON has a format string injection vulnerability' +comments: false +categories: +- json +advisory: + gem: json + cve: 2026-33210 + ghsa: 3m6g-2423-7cp3 + url: https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 + title: Ruby JSON has a format string injection vulnerability + date: 2026-03-19 + description: | + ### Impact + + A format string injection vulnerability than that lead to denial of + service attacks or information disclosure, when the `allow_duplicate_key: + false` parsing option is used to parse user supplied documents. + + This option isn't the default, if you didn't opt-in to use it, + you are not impacted. + + ### Patches + + Patched in `2.19.2`. + + ### Workarounds + + The issue can be avoided by not using the `allow_duplicate_key: false` + parsing option. 
+ unaffected_versions: + - "< 2.14.0" + patched_versions: + - "~> 2.15.2.1" + - "~> 2.17.1.2" + - ">= 2.19.2" + related: + url: + - https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3 + - https://github.com/advisories/GHSA-3m6g-2423-7cp3 +--- diff --git a/advisories/_posts/2026-03-19-CVE-2026-33306.md b/advisories/_posts/2026-03-19-CVE-2026-33306.md index 9bca66b9..a46a117c 100644 --- a/advisories/_posts/2026-03-19-CVE-2026-33306.md +++ b/advisories/_posts/2026-03-19-CVE-2026-33306.md 
@@ -1,51 +1,51 @@ ---- -layout: advisory -title: 'CVE-2026-33306 (bcrypt): bcrypt-ruby has an Integer Overflow that Causes Zero - Key-Strengthening Iterations at Cost=31 on JRuby' -comments: false -categories: -- bcrypt -advisory: - gem: bcrypt - cve: 2026-33306 - ghsa: f27w-vcwj-c954 - url: https://github.com/advisories/GHSA-f27w-vcwj-c954 - title: bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations - at Cost=31 on JRuby - date: 2026-03-19 - description: | - ### Impact - - An integer overflow in the Java BCrypt implementation for JRuby can - cause zero iterations in the strengthening loop. Impacted - applications must be setting the cost to 31 to see this happen. - - The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes - the key-strengthening round count as a signed 32-bit integer. - When `cost=31` (the maximum allowed by the gem), signed integer - overflow causes the round count to become negative, and the - strengthening loop executes **zero iterations**. This collapses - bcrypt from 2^31 rounds of exponential key-strengthening to - effectively constant-time computation — only the initial - EksBlowfish key setup and final 64x encryption phase remain. - - The resulting hash looks valid (`$2a$31$...`) and verifies - correctly via `checkpw`, making the weakness invisible to the - application. This issue is triggered only when cost=31 is - used or when verifying a `$2a$31$` hash. - - ### Patches - - This problem has been fixed in version 3.1.22 - - ### Workarounds - - Set the cost to something less than 31. 
- patched_versions: - - ">= 3.1.22" - related: - url: - - https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954 - - https://github.com/bcrypt-ruby/bcrypt-ruby/commit/5faa2748331d3edc661c127ef2fbb3afcb6b02a4 - - https://github.com/advisories/GHSA-f27w-vcwj-c954 ---- +--- +layout: advisory +title: 'CVE-2026-33306 (bcrypt): bcrypt-ruby has an Integer Overflow that Causes Zero + Key-Strengthening Iterations at Cost=31 on JRuby' +comments: false +categories: +- bcrypt +advisory: + gem: bcrypt + cve: 2026-33306 + ghsa: f27w-vcwj-c954 + url: https://github.com/advisories/GHSA-f27w-vcwj-c954 + title: bcrypt-ruby has an Integer Overflow that Causes Zero Key-Strengthening Iterations + at Cost=31 on JRuby + date: 2026-03-19 + description: | + ### Impact + + An integer overflow in the Java BCrypt implementation for JRuby can + cause zero iterations in the strengthening loop. Impacted + applications must be setting the cost to 31 to see this happen. + + The JRuby implementation of bcrypt-ruby (`BCrypt.java`) computes + the key-strengthening round count as a signed 32-bit integer. + When `cost=31` (the maximum allowed by the gem), signed integer + overflow causes the round count to become negative, and the + strengthening loop executes **zero iterations**. This collapses + bcrypt from 2^31 rounds of exponential key-strengthening to + effectively constant-time computation — only the initial + EksBlowfish key setup and final 64x encryption phase remain. + + The resulting hash looks valid (`$2a$31$...`) and verifies + correctly via `checkpw`, making the weakness invisible to the + application. This issue is triggered only when cost=31 is + used or when verifying a `$2a$31$` hash. + + ### Patches + + This problem has been fixed in version 3.1.22 + + ### Workarounds + + Set the cost to something less than 31. 
+ patched_versions: + - ">= 3.1.22" + related: + url: + - https://github.com/bcrypt-ruby/bcrypt-ruby/security/advisories/GHSA-f27w-vcwj-c954 + - https://github.com/bcrypt-ruby/bcrypt-ruby/commit/5faa2748331d3edc661c127ef2fbb3afcb6b02a4 + - https://github.com/advisories/GHSA-f27w-vcwj-c954 +--- diff --git a/advisories/_posts/2026-03-20-CVE-2026-33286.md b/advisories/_posts/2026-03-20-CVE-2026-33286.md index 106cde59..7e1da2eb 100644 --- a/advisories/_posts/2026-03-20-CVE-2026-33286.md +++ b/advisories/_posts/2026-03-20-CVE-2026-33286.md 
@@ -1,61 +1,61 @@ ---- -layout: advisory -title: 'CVE-2026-33286 (graphiti): Graphiti Affected by Arbitrary Method Execution - via Unvalidated Relationship Names' -comments: false -categories: -- graphiti -advisory: - gem: graphiti - cve: 2026-33286 - ghsa: 3m5v-4xp5-gjg2 - url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 - title: Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship - Names - date: 2026-03-20 - description: | - ### Summary - - An arbitrary method execution vulnerability has been found which - affects Graphiti's JSONAPI write functionality. An attacker can - craft a malicious JSONAPI payload with arbitrary relationship - names to invoke any public method on the underlying model - instance, class or its associations. - - ### Impact - - Any application exposing Graphiti write endpoints (create/update/delete) - to untrusted users is affected. - - The `Graphiti::Util::ValidationResponse#all_valid?` method recursively - calls `model.send(name)` using relationship names taken directly from - user-supplied JSONAPI payloads, without validating them against the - resource's configured sideloads. This allows an attacker to potentially - run any public method on a given model instance, on the instance class - or associated instances or classes, including destructive operations. - - ### Patches - - This is patched in Graphiti **v1.10.2**. - Users should upgrade as soon as possible. - - ### Workarounds - - If upgrading to v1.10.2 is not immediately possible, consider one - or more of the following mitigations: - - - **Restrict write access**: Ensure Graphiti write endpoints - (create/update/delete) are not accessible to untrusted users. - - **Authentication & authorisation**: Apply strong authentication - and authorisation checks before any write operation is processed, - for example use Rails strong parameters to ensure only valid - parameters are processed." 
- cvss_v3: 9.1 - patched_versions: - - ">= 1.10.2" - related: - url: - - https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 - - https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml - - https://github.com/advisories/GHSA-3m5v-4xp5-gjg2 ---- +--- +layout: advisory +title: 'CVE-2026-33286 (graphiti): Graphiti Affected by Arbitrary Method Execution + via Unvalidated Relationship Names' +comments: false +categories: +- graphiti +advisory: + gem: graphiti + cve: 2026-33286 + ghsa: 3m5v-4xp5-gjg2 + url: https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 + title: Graphiti Affected by Arbitrary Method Execution via Unvalidated Relationship + Names + date: 2026-03-20 + description: | + ### Summary + + An arbitrary method execution vulnerability has been found which + affects Graphiti's JSONAPI write functionality. An attacker can + craft a malicious JSONAPI payload with arbitrary relationship + names to invoke any public method on the underlying model + instance, class or its associations. + + ### Impact + + Any application exposing Graphiti write endpoints (create/update/delete) + to untrusted users is affected. + + The `Graphiti::Util::ValidationResponse#all_valid?` method recursively + calls `model.send(name)` using relationship names taken directly from + user-supplied JSONAPI payloads, without validating them against the + resource's configured sideloads. This allows an attacker to potentially + run any public method on a given model instance, on the instance class + or associated instances or classes, including destructive operations. + + ### Patches + + This is patched in Graphiti **v1.10.2**. + Users should upgrade as soon as possible. 
+ + ### Workarounds + + If upgrading to v1.10.2 is not immediately possible, consider one + or more of the following mitigations: + + - **Restrict write access**: Ensure Graphiti write endpoints + (create/update/delete) are not accessible to untrusted users. + - **Authentication & authorisation**: Apply strong authentication + and authorisation checks before any write operation is processed, + for example use Rails strong parameters to ensure only valid + parameters are processed." + cvss_v3: 9.1 + patched_versions: + - ">= 1.10.2" + related: + url: + - https://github.com/graphiti-api/graphiti/security/advisories/GHSA-3m5v-4xp5-gjg2 + - https://gitlab.com/gitlab-org/security-products/gemnasium-db/-/blob/master/gem/graphiti/CVE-2026-33286.yml + - https://github.com/advisories/GHSA-3m5v-4xp5-gjg2 +--- diff --git a/advisories/_posts/2026-03-24-CVE-2026-33635.md b/advisories/_posts/2026-03-24-CVE-2026-33635.md index 663f3e86..90448dee 100644 --- a/advisories/_posts/2026-03-24-CVE-2026-33635.md +++ b/advisories/_posts/2026-03-24-CVE-2026-33635.md 
@@ -1,59 +1,59 @@ ---- -layout: advisory -title: 'CVE-2026-33635 (icalendar): iCalendar has ICS injection via unsanitized URI - property values' -comments: false -categories: -- icalendar -advisory: - gem: icalendar - cve: 2026-33635 - ghsa: pv9c-9mfh-hvxq - url: https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq - title: iCalendar has ICS injection via unsanitized URI property values - date: 2026-03-24 - description: | - ### Summary - - .ics serialization does not properly sanitize URI property values, - enabling ICS injection through attacker-controlled input, adding - arbitrary calendar lines to the output. - - ### Details - - `Icalendar::Values::Uri` falls back to the raw input string when - `URI.parse` fails and later serializes it with `value.to_s` without - removing or escaping `\r` or `\n` characters. That value is embedded - directly into the final ICS line by the normal serializer, so a - payload containing CRLF can terminate the original property and - create a new ICS property or component. (It looks like you can - inject via url, source, image, organizer, attach, attendee, - conference, tzurl because of this) - - Relevant code: - - `lib/icalendar/values/uri.rb:16` - - ### Impact - - Applications that generate `.ics` files from partially untrusted - metadata are impacted. As a result, downstream calendar clients - or importers may process attacker-supplied content as if it were - legitimate event data, such as added attendees, modified URLs, - alarms, or other calendar fields. - - ## Fix - - Reject raw CR and LF characters in `URI`-typed values before - serialization, or escape/encode them so they cannot terminate - the current ICS content line. 
- cvss_v3: 4.3 - unaffected_versions: - - "< 2.0.0" - patched_versions: - - ">= 2.12.2" - related: - url: - - https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq - - https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265 - - https://github.com/advisories/GHSA-pv9c-9mfh-hvxq ---- +--- +layout: advisory +title: 'CVE-2026-33635 (icalendar): iCalendar has ICS injection via unsanitized URI + property values' +comments: false +categories: +- icalendar +advisory: + gem: icalendar + cve: 2026-33635 + ghsa: pv9c-9mfh-hvxq + url: https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq + title: iCalendar has ICS injection via unsanitized URI property values + date: 2026-03-24 + description: | + ### Summary + + .ics serialization does not properly sanitize URI property values, + enabling ICS injection through attacker-controlled input, adding + arbitrary calendar lines to the output. + + ### Details + + `Icalendar::Values::Uri` falls back to the raw input string when + `URI.parse` fails and later serializes it with `value.to_s` without + removing or escaping `\r` or `\n` characters. That value is embedded + directly into the final ICS line by the normal serializer, so a + payload containing CRLF can terminate the original property and + create a new ICS property or component. (It looks like you can + inject via url, source, image, organizer, attach, attendee, + conference, tzurl because of this) + + Relevant code: + - `lib/icalendar/values/uri.rb:16` + + ### Impact + + Applications that generate `.ics` files from partially untrusted + metadata are impacted. As a result, downstream calendar clients + or importers may process attacker-supplied content as if it were + legitimate event data, such as added attendees, modified URLs, + alarms, or other calendar fields. 
+ + ## Fix + + Reject raw CR and LF characters in `URI`-typed values before + serialization, or escape/encode them so they cannot terminate + the current ICS content line. + cvss_v3: 4.3 + unaffected_versions: + - "< 2.0.0" + patched_versions: + - ">= 2.12.2" + related: + url: + - https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq + - https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265 + - https://github.com/advisories/GHSA-pv9c-9mfh-hvxq +--- diff --git a/advisories/_posts/2026-03-25-CVE-2026-33658.md b/advisories/_posts/2026-03-25-CVE-2026-33658.md index 302d07f4..0162610c 100644 --- a/advisories/_posts/2026-03-25-CVE-2026-33658.md +++ b/advisories/_posts/2026-03-25-CVE-2026-33658.md 
@@ -1,38 +1,38 @@ ---- -layout: advisory -title: 'CVE-2026-33658 (activestorage): Rails Active Storage has a possible DoS vulnerability - in proxy mode via multi-range requests' -comments: false -categories: -- activestorage -- rails -advisory: - gem: activestorage - framework: rails - cve: 2026-33658 - ghsa: p9fm-f462-ggrg - url: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg - title: Rails Active Storage has a possible DoS vulnerability in proxy mode via multi-range - requests - date: 2026-03-25 - description: | - ## Impact - - Active Storage’s proxy controller does not limit the number of byte - ranges in an HTTP Range header. A request with thousands of small - ranges causes disproportionate CPU usage compared to a normal - request for the same file, possibly resulting in a DoS vulnerability. - patched_versions: - - "~> 7.2.3, >= 7.2.3.1" - - "~> 8.0.4, >= 8.0.4.1" - - ">= 8.1.2.1" - related: - url: - - https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906 - - https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released - - https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch - - https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c.patch - - https://github.com/rails/rails/commit/b8a1665824a43d71cd6406cf9adcae842ceb1c22.patch - - https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg - - https://github.com/advisories/GHSA-p9fm-f462-ggrg ---- +--- +layout: advisory +title: 'CVE-2026-33658 (activestorage): Rails Active Storage has a possible DoS vulnerability + in proxy mode via multi-range requests' +comments: false +categories: +- activestorage +- rails +advisory: + gem: activestorage + framework: rails + cve: 2026-33658 + ghsa: p9fm-f462-ggrg + url: https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg + title: Rails Active Storage 
has a possible DoS vulnerability in proxy mode via multi-range + requests + date: 2026-03-25 + description: | + ## Impact + + Active Storage’s proxy controller does not limit the number of byte + ranges in an HTTP Range header. A request with thousands of small + ranges causes disproportionate CPU usage compared to a normal + request for the same file, possibly resulting in a DoS vulnerability. + patched_versions: + - "~> 7.2.3, >= 7.2.3.1" + - "~> 8.0.4, >= 8.0.4.1" + - ">= 8.1.2.1" + related: + url: + - https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906 + - https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released + - https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch + - https://github.com/rails/rails/commit/d7da4ef03f99035fba5add8828646f1e9173549c.patch + - https://github.com/rails/rails/commit/b8a1665824a43d71cd6406cf9adcae842ceb1c22.patch + - https://github.com/rails/rails/security/advisories/GHSA-p9fm-f462-ggrg + - https://github.com/advisories/GHSA-p9fm-f462-ggrg +--- diff --git a/advisories/_posts/2026-03-27-CVE-2026-33946.md b/advisories/_posts/2026-03-27-CVE-2026-33946.md index 1d241780..cdf02ced 100644 --- a/advisories/_posts/2026-03-27-CVE-2026-33946.md +++ b/advisories/_posts/2026-03-27-CVE-2026-33946.md 
@@ -1,61 +1,61 @@ ---- -layout: advisory -title: 'CVE-2026-33946 (mcp): MCP Ruby SDK - Insufficient Session Binding Allows SSE - Stream Hijacking via Session ID Replay' -comments: false -categories: -- mcp -advisory: - gem: mcp - cve: 2026-33946 - ghsa: qvqr-5cv7-wh35 - url: https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35 - title: MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via - Session ID Replay - date: 2026-03-27 - description: | - ### Summary - - The Ruby SDK's [streamable_http_transport.rb](https://github.com/modelcontextprotocol/ruby-sdk/blob/main/lib/mcp/server/transports/streamable_http_transport.rb) - implementation contains a session hijacking vulnerability. An attacker - who obtains a valid session ID can completely hijack the victim's - Server-Sent Events (SSE) stream and intercept all real-time data. - - ### Details - - **Root Cause** - - The StreamableHTTPTransport implementation stores only one SSE stream - object per session ID and lacks: - - - Session-to-user identity binding - - Ownership validation when establishing SSE connections - - Protection against multiple simultaneous connections to the same session - - ### Impact - - While the absence of user binding may not pose immediate risks if - session IDs are not used to store sensitive data or state, the - fundamental purpose of session IDs is to maintain stateful connections. - If the SDK or its consumers utilize session IDs for sensitive operations - without proper user binding controls, this creates a potential security - vulnerability. For example: In the case of the Ruby SDK, the attacker - was able to hijack the stream and receive all the tool responses - belonging to the victim. The tool responses can be sensitive - confidential data. 
- cvss_v3: 8.2 - patched_versions: - - ">= 0.9.2" - related: - url: - - https://www.cve.org/CVERecord?id=CVE-2026-33946 - - https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2 - - https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35 - - https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb - - https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874 - - https://hackerone.com/reports/3556146 - - https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97 - - https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2 - - https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685 - - https://github.com/advisories/GHSA-qvqr-5cv7-wh35 ---- +--- +layout: advisory +title: 'CVE-2026-33946 (mcp): MCP Ruby SDK - Insufficient Session Binding Allows SSE + Stream Hijacking via Session ID Replay' +comments: false +categories: +- mcp +advisory: + gem: mcp + cve: 2026-33946 + ghsa: qvqr-5cv7-wh35 + url: https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35 + title: MCP Ruby SDK - Insufficient Session Binding Allows SSE Stream Hijacking via + Session ID Replay + date: 2026-03-27 + description: | + ### Summary + + The Ruby SDK's [streamable_http_transport.rb](https://github.com/modelcontextprotocol/ruby-sdk/blob/main/lib/mcp/server/transports/streamable_http_transport.rb) + implementation contains a session hijacking vulnerability. An attacker + who obtains a valid session ID can completely hijack the victim's + Server-Sent Events (SSE) stream and intercept all real-time data. 
+ + ### Details + + **Root Cause** + + The StreamableHTTPTransport implementation stores only one SSE stream + object per session ID and lacks: + + - Session-to-user identity binding + - Ownership validation when establishing SSE connections + - Protection against multiple simultaneous connections to the same session + + ### Impact + + While the absence of user binding may not pose immediate risks if + session IDs are not used to store sensitive data or state, the + fundamental purpose of session IDs is to maintain stateful connections. + If the SDK or its consumers utilize session IDs for sensitive operations + without proper user binding controls, this creates a potential security + vulnerability. For example: In the case of the Ruby SDK, the attacker + was able to hijack the stream and receive all the tool responses + belonging to the victim. The tool responses can be sensitive + confidential data. + cvss_v3: 8.2 + patched_versions: + - ">= 0.9.2" + related: + url: + - https://www.cve.org/CVERecord?id=CVE-2026-33946 + - https://github.com/modelcontextprotocol/ruby-sdk/releases/tag/v0.9.2 + - https://github.com/modelcontextprotocol/ruby-sdk/security/advisories/GHSA-qvqr-5cv7-wh35 + - https://github.com/modelcontextprotocol/ruby-sdk/blob/main/examples/streamable_http_server.rb + - https://github.com/modelcontextprotocol/ruby-sdk/commit/db40143402d65b4fb6923cec42d2d72cb89b3874 + - https://hackerone.com/reports/3556146 + - https://github.com/modelcontextprotocol/csharp-sdk/blob/main/src/ModelContextProtocol.AspNetCore/SseHandler.cs#L93-L97 + - https://github.com/modelcontextprotocol/go-sdk/blob/main/mcp/streamable.go#L281C1-L288C2 + - https://github.com/modelcontextprotocol/python-sdk/blob/main/src/mcp/server/streamable_http.py#L680-L685 + - https://github.com/advisories/GHSA-qvqr-5cv7-wh35 +--- diff --git a/advisories/_posts/2026-03-27-CVE-2026-34060.md b/advisories/_posts/2026-03-27-CVE-2026-34060.md index 75cf2979..c3017206 100644 
--- a/advisories/_posts/2026-03-27-CVE-2026-34060.md +++ b/advisories/_posts/2026-03-27-CVE-2026-34060.md 
@@ -1,66 +1,66 @@ ---- -layout: advisory -title: 'CVE-2026-34060 (ruby-lsp): Ruby LSP has arbitrary code execution through branch - setting' -comments: false -categories: -- ruby-lsp -advisory: - gem: ruby-lsp - cve: 2026-34060 - ghsa: c4r5-fxqw-vh93 - url: https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93 - title: Ruby LSP has arbitrary code execution through branch setting - date: 2026-03-27 - description: |2 - - ## Summary - - The `rubyLsp.branch` VS Code workspace setting was interpolated without - sanitization into a generated Gemfile, allowing arbitrary Ruby code - execution when a user opens a project containing a malicious - `.vscode/settings.json`. - - Other editors that support workspace setting that get automatically - applied upon opening the editor and trusting the workspace are also - impacted since the server is the component that performs the interpolation. - - ## Details - - The `branch` CLI argument passed to the `ruby-lsp` server was - interpolated in the generated `.ruby-lsp/Gemfile` without sanitization. - Editors that allow defining settings saved at the workspace level - (e.g.: `.vscode/settings.json`) that gets automatically applied open - the possibility to craft a malicious repository that once opened and - trusted in the editor would run arbitrary code. - - ## Impact - - Code execution with the privileges of the user who opens the malicious - project. Ruby LSP assumes workspace code is trusted and so opening - the editor on an untrusted workspace can lead to executing potentially - dangerous code. - - ## Remediation - - The `rubyLsp.branch` setting has been removed entirely. VS Code extensions - auto-update by default, so most users will receive the fix without - action. Users who have disabled auto-updates should update to extension - version >= 0.10.2. - - The `branch` CLI flag was also entirely removed from the `ruby-lsp` - gem. 
For users that don't add `ruby-lsp` to their Gemfiles, the - server should auto-update. Users with the `ruby-lsp` in the Gemfile - and locked to a specific version should update to >= 0.26.9. - cvss_v2: 7.5 - cvss_v3: 9.8 - cvss_v4: 7.1 - patched_versions: - - ">= 0.26.9" - related: - url: - - https://www.tenable.com/cve/CVE-2026-34060 - - https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93 - - https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9 - - https://github.com/advisories/GHSA-c4r5-fxqw-vh93 ---- +--- +layout: advisory +title: 'CVE-2026-34060 (ruby-lsp): Ruby LSP has arbitrary code execution through branch + setting' +comments: false +categories: +- ruby-lsp +advisory: + gem: ruby-lsp + cve: 2026-34060 + ghsa: c4r5-fxqw-vh93 + url: https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93 + title: Ruby LSP has arbitrary code execution through branch setting + date: 2026-03-27 + description: |2 + + ## Summary + + The `rubyLsp.branch` VS Code workspace setting was interpolated without + sanitization into a generated Gemfile, allowing arbitrary Ruby code + execution when a user opens a project containing a malicious + `.vscode/settings.json`. + + Other editors that support workspace setting that get automatically + applied upon opening the editor and trusting the workspace are also + impacted since the server is the component that performs the interpolation. + + ## Details + + The `branch` CLI argument passed to the `ruby-lsp` server was + interpolated in the generated `.ruby-lsp/Gemfile` without sanitization. + Editors that allow defining settings saved at the workspace level + (e.g.: `.vscode/settings.json`) that gets automatically applied open + the possibility to craft a malicious repository that once opened and + trusted in the editor would run arbitrary code. + + ## Impact + + Code execution with the privileges of the user who opens the malicious + project. 
Ruby LSP assumes workspace code is trusted and so opening + the editor on an untrusted workspace can lead to executing potentially + dangerous code. + + ## Remediation + + The `rubyLsp.branch` setting has been removed entirely. VS Code extensions + auto-update by default, so most users will receive the fix without + action. Users who have disabled auto-updates should update to extension + version >= 0.10.2. + + The `branch` CLI flag was also entirely removed from the `ruby-lsp` + gem. For users that don't add `ruby-lsp` to their Gemfiles, the + server should auto-update. Users with the `ruby-lsp` in the Gemfile + and locked to a specific version should update to >= 0.26.9. + cvss_v2: 7.5 + cvss_v3: 9.8 + cvss_v4: 7.1 + patched_versions: + - ">= 0.26.9" + related: + url: + - https://www.tenable.com/cve/CVE-2026-34060 + - https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-c4r5-fxqw-vh93 + - https://github.com/Shopify/ruby-lsp/releases/tag/v0.26.9 + - https://github.com/advisories/GHSA-c4r5-fxqw-vh93 +--- diff --git a/advisories/_posts/2026-03-29-GHSA-53p3-c7vp-4mcc.md b/advisories/_posts/2026-03-29-GHSA-53p3-c7vp-4mcc.md new file mode 100644 index 00000000..466c3155 --- /dev/null +++ b/advisories/_posts/2026-03-29-GHSA-53p3-c7vp-4mcc.md 
@@ -0,0 +1,52 @@ +--- +layout: advisory +title: 'GHSA-53p3-c7vp-4mcc (action_text-trix): Trix is vulnerable to XSS through + JSON deserialization bypass in drag-and-drop (Level0InputController)' +comments: false +categories: +- action_text-trix +advisory: + gem: action_text-trix + ghsa: 53p3-c7vp-4mcc + url: https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc + title: Trix is vulnerable to XSS through JSON deserialization bypass in drag-and-drop + (Level0InputController) + date: 2026-03-29 + description: | + ### Impact + + The Trix editor, in versions prior to 2.1.18, is vulnerable to XSS + when a crafted `application/x-trix-document` JSON payload is dropped + into the editor in environments using the fallback Level0InputController + (e.g., embedded WebViews lacking Input Events Level 2 support). + + The `StringPiece.fromJSON` method trusted `href` attributes from the + JSON payload without sanitization. An attacker could craft a draggable + element containing a `javascript:` URI in the href attribute that, + when dropped into a vulnerable editor, would bypass DOMPurify + sanitization and inject executable JavaScript into the DOM. + + Exploitation requires a specific environment (Level0InputController + fallback) and social engineering (victim must drag and drop + attacker-controlled content into the editor). Applications using + server-side HTML sanitization (such as Rails' built-in sanitizer) + are additionally protected, as the payload is neutralized on save. + + ### Patches + + Update Recommendation: Users should upgrade to Trix editor + version 2.1.18 or later. + + ### References + + The XSS vulnerability was responsibly reported by Hackerone + researcher [newbiefromcoma](https://hackerone.com/newbiefromcoma). 
+ patched_versions: + - ">= 2.1.18" + related: + url: + - https://github.com/basecamp/trix/security/advisories/GHSA-53p3-c7vp-4mcc + - https://github.com/basecamp/trix/releases/tag/v2.1.18 + - https://github.com/basecamp/trix/commit/9c0a993d9fc2ffe9d56b013b030bc238f9c0557c + - https://github.com/advisories/GHSA-53p3-c7vp-4mcc +--- From 338776c42039ea3c460966e3fec8def25655534f Mon Sep 17 00:00:00 2001 From: kallal79 Date: Tue, 31 Mar 2026 08:10:11 +0530 Subject: [PATCH 2/2] Fix Advisory Template Issue #8: Add Rails Security format compliance - Enhanced advisory.html layout with professional styling and Rails Security format - Added comprehensive CSS styling with responsive design and color-coded severity indicators - Improved CVSS scoring display with proper severity classification - Added support for impact, workarounds, patches, and credits sections - Enhanced version display with styled badges for patched/unaffected versions - Updated Rakefile with enhanced advisory generation support - Added CSS link to head.html for proper styling integration Addresses Issue #8: Add Advisory template based on Rails Security advisory format --- Rakefile | 30 ++++++- _includes/head.html | 1 + _layouts/advisory.html | 131 ++++++++++++++++++++++-------- assets/css/advisory.css | 171 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 297 insertions(+), 36 deletions(-) create mode 100644 assets/css/advisory.css diff --git a/Rakefile b/Rakefile index a1f8f6f4..c3106846 100644 --- a/Rakefile +++ b/Rakefile 
@@ -24,13 +24,41 @@ namespace :advisories do slug = "#{advisory['date']}-#{id}" post = File.join('advisories', '_posts', "#{slug}.md") + # Enhanced advisory processing with Rails Security format support + enhanced_advisory = advisory.dup + + # Process description for better formatting + if enhanced_advisory['description'] + enhanced_advisory['description'] = enhanced_advisory['description'].strip + end + + # Add impact section if available + if advisory['impact'] + enhanced_advisory['impact'] = advisory['impact'].strip + end + + # Add workarounds section if available + if advisory['workarounds'] + enhanced_advisory['workarounds'] = advisory['workarounds'].strip + end + + # Process patches if available + if advisory['patches'] + enhanced_advisory['patches'] = advisory['patches'] + end + + # Process credits if available + if advisory['credits'] + enhanced_advisory['credits'] = advisory['credits'] + end + File.open(post, 'w') do |file| header = { 'layout' => 'advisory', 'title' => "#{id} (#{advisory['gem']}): #{advisory['title']}", 'comments' => false, 'categories' => [advisory['gem'], advisory['library'], advisory['framework'], advisory['platform']].compact, - 'advisory' => advisory + 'advisory' => enhanced_advisory } YAML.dump(header, file) diff --git a/_includes/head.html b/_includes/head.html index 2de27189..4f4a77a0 100644 --- a/_includes/head.html +++ b/_includes/head.html @@ -23,6 +23,7 @@ + diff --git a/_layouts/advisory.html b/_layouts/advisory.html index 0b9f6508..ba373023 100644 --- a/_layouts/advisory.html +++ b/_layouts/advisory.html @@ -2,35 +2,44 @@ layout: post --- -
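Review bot: The four `if advisory['impact']`-style guards test only presence, so an `impact` or `workarounds` value that YAML loads as a list or mapping raises NoMethodError on `.strip` and aborts the whole generation run, while the `patches` and `credits` copies are no-ops because `enhanced_advisory` is already a `dup` of `advisory` that carries those keys. A type guard keeps one malformed entry from stopping the task: `enhanced_advisory['impact'] = advisory['impact'].strip if advisory['impact'].is_a?(String)` and the same for `workarounds`, with the `patches` and `credits` blocks dropped. `dup` is shallow, so while `strip` returns new strings and leaves the source hash untouched, any nested values in `enhanced_advisory` are still shared with `advisory`. If the upstream ruby-advisory-db schema does not define these keys, none of the branches ever fire and the generated front matter is unchanged, which is worth stating in a comment above the block. The task body starts before the hunk and the `File.open` block closes after it.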

ADVISORIES

+
+

{{ page.advisory.title }}

+ {% if page.advisory.date %} +

Published: {{ page.advisory.date | date: "%B %d, %Y" }}

+ {% endif %} +
-
    +

    SECURITY IDENTIFIERS

    + +

    GEM

    @@ -90,61 +99,113 @@

    PLATFORM

    {% if page.advisory.cvss_v2 or page.advisory.cvss_v3 %}

    SEVERITY

    +
    {% if page.advisory.cvss_v3 %} {% assign cvss_v3 = page.advisory.cvss_v3 %} -

    CVSS v3.x: {{ cvss_v3 }} ( - {%- if cvss_v3 == 0.0 -%} - None - {%- elsif cvss_v3 >= 0.1 and cvss_v3 <= 3.9 -%} - Low - {%- elsif cvss_v3 >= 4.0 and cvss_v3 <= 6.9 -%} - Medium - {%- elsif cvss_v3 >= 7.0 and cvss_v3 <= 8.9 -%} - High - {%- elsif cvss_v3 >= 9.0 and cvss_v3 <= 10.0 -%} - Critical - {%- endif -%} -)

    +
    +

    CVSS v3.x: {{ cvss_v3 }} ( + {%- if cvss_v3 == 0.0 -%} + None + {%- elsif cvss_v3 >= 0.1 and cvss_v3 <= 3.9 -%} + Low + {%- elsif cvss_v3 >= 4.0 and cvss_v3 <= 6.9 -%} + Medium + {%- elsif cvss_v3 >= 7.0 and cvss_v3 <= 8.9 -%} + High + {%- elsif cvss_v3 >= 9.0 and cvss_v3 <= 10.0 -%} + Critical + {%- endif -%} + )

    +
    {% endif %} + {% if page.advisory.cvss_v2 %} {% assign cvss_v2 = page.advisory.cvss_v2 %} -

    CVSS v2.0: {{ cvss_v2 }} ( - {%- if cvss_v2 >= 0.0 and cvss_v2 <= 3.9 -%} - Low - {%- elsif cvss_v2 >= 4.0 and cvss_v2 <= 6.9 -%} - Medium - {%- elsif cvss_v2 >= 7.0 and cvss_v2 <= 10.0 -%} - High - {%- endif -%} -)

    +
    +

    CVSS v2.0: {{ cvss_v2 }} ( + {%- if cvss_v2 >= 0.0 and cvss_v2 <= 3.9 -%} + Low + {%- elsif cvss_v2 >= 4.0 and cvss_v2 <= 6.9 -%} + Medium + {%- elsif cvss_v2 >= 7.0 and cvss_v2 <= 10.0 -%} + High + {%- endif -%} + )

    +
    {% endif %} +
    {% endif %} {% if page.advisory.unaffected_versions %}

    UNAFFECTED VERSIONS

    -
      +
      {% for version in page.advisory.unaffected_versions %} -
    • {{ version | escape }}
    • + {{ version | escape }} {% endfor %} -
    +
{% endif %}

PATCHED VERSIONS

+
{% if page.advisory.patched_versions %} -
    {% for version in page.advisory.patched_versions %} -
  • {{ version | escape }}
  • + {{ version | escape }} {% endfor %} -
{% else %} -

None.

+

None available.

{% endif %} +

DESCRIPTION

+
{{ page.advisory.description | xml_escape | markdownify }} +
+ +{% if page.advisory.impact %} +

IMPACT

+ +
+{{ page.advisory.impact | xml_escape | markdownify }} +
+{% endif %} + +{% if page.advisory.workarounds %} +

WORKAROUNDS

+ +
+{{ page.advisory.workarounds | xml_escape | markdownify }} +
+{% endif %} + +{% if page.advisory.patches %} +

PATCHES

+ + +{% endif %} + +{% if page.advisory.credits %} +

CREDITS

+ +
+{% if page.advisory.credits.size > 0 %} +

Thank you to the following security researchers:

+
    + {% for credit in page.advisory.credits %} +
  • {{ credit }}
  • + {% endfor %} +
+{% else %} +

{{ page.advisory.credits }}

+{% endif %} +
+{% endif %} {% if page.advisory.related %}

RELATED

diff --git a/assets/css/advisory.css b/assets/css/advisory.css new file mode 100644 index 00000000..8fb75633 --- /dev/null +++ b/assets/css/advisory.css 
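Review bot: In the new CREDITS section `{{ credit }}` and `{{ page.advisory.credits }}` are emitted without the `escape` filter that the version loops apply (`{{ version | escape }}`), so any markup in a credit string is injected into the page unescaped; they should read `{{ credit | escape }}` and `{{ page.advisory.credits | escape }}`, or go through the same `xml_escape | markdownify` chain the description, impact and workarounds blocks use. The `{% else %}` branch of `{% if page.advisory.credits.size > 0 %}` only runs when the value is empty, in which case it renders nothing, so if it was meant to handle a plain-string `credits` value that intent is not met and a comment saying which shape the template expects would help. The PATCHES section as shown here has no body between its heading and `{% endif %}`, though the rendering has dropped the HTML tags, so I cannot confirm whether a list was lost.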
@@ -0,0 +1,171 @@
+/* Advisory Template Styles */
+
+.advisory-header {
+ border-bottom: 2px solid #e1e4e8;
+ padding-bottom: 1rem;
+ margin-bottom: 2rem;
+}
+
+.advisory-header h2 {
+ color: #24292e;
+ font-size: 1.8rem;
+ margin-bottom: 0.5rem;
+}
+
+.advisory-date {
+ color: #586069;
+ font-size: 0.9rem;
+ margin: 0;
+}
+
+.advisory-identifiers {
+ list-style: none;
+ padding: 0;
+ background: #f6f8fa;
+ border: 1px solid #e1e4e8;
+ border-radius: 6px;
+ padding: 1rem;
+}
+
+.advisory-identifiers li {
+ margin-bottom: 0.5rem;
+}
+
+.advisory-identifiers li:last-child {
+ margin-bottom: 0;
+}
+
+.severity-section {
+ background: #fff5b4;
+ border: 1px solid #d1d5da;
+ border-radius: 6px;
+ padding: 1rem;
+ margin-bottom: 1rem;
+}
+
+.cvss-score {
+ margin-bottom: 0.5rem;
+}
+
+.cvss-score:last-child {
+ margin-bottom: 0;
+}
+
+.severity-none {
+ color: #28a745;
+ font-weight: bold;
+}
+
+.severity-low {
+ color: #28a745;
+ font-weight: bold;
+}
+
+.severity-medium {
+ color: #ffc107;
+ font-weight: bold;
+}
+
+.severity-high {
+ color: #fd7e14;
+ font-weight: bold;
+}
+
+.severity-critical {
+ color: #dc3545;
+ font-weight: bold;
+}
+
+.version-list {
+ display: flex;
+ flex-wrap: wrap;
+ gap: 0.5rem;
+ margin-bottom: 1rem;
+}
+
+.version-badge {
+ display: inline-block;
+ padding: 0.25rem 0.5rem;
+ border-radius: 3px;
+ font-size: 0.875rem;
+ font-weight: 500;
+}
+
+.version-badge.unaffected {
+ background-color: #d4edda;
+ color: #155724;
+ border: 1px solid #c3e6cb;
+}
+
+.version-badge.patched {
+ background-color: #cce5ff;
+ color: #004085;
+ border: 1px solid #b3d7ff;
+}
+
+.version-badge code {
+ background: none;
+ padding: 0;
+ color: inherit;
+ font-size: inherit;
+}
+
+.no-patches {
+ color: #dc3545;
+ font-style: italic;
+}
+
+.advisory-description,
+.advisory-impact,
+.advisory-workarounds {
+ background: #f8f9fa;
+ border-left: 4px solid #007bff;
+ padding: 1rem;
+ margin-bottom: 1rem;
+}
+
+.advisory-impact {
+ border-left-color: #dc3545;
+}
+
+.advisory-workarounds {
+ border-left-color: #28a745;
+}
+
+.patch-list {
+ background: #f6f8fa;
+ border: 1px solid #e1e4e8;
+ border-radius: 6px;
+ padding: 1rem;
+}
+
+.patch-list li {
+ margin-bottom: 0.5rem;
+}
+
+.patch-list li:last-child {
+ margin-bottom: 0;
+}
+
+.advisory-credits {
+ background: #fff3cd;
+ border: 1px solid #ffeaa7;
+ border-radius: 6px;
+ padding: 1rem;
+}
+
+.advisory-credits ul {
+ margin-bottom: 0;
+}
+
+/* Responsive design */
+@media (max-width: 768px) {
+ .version-list {
+ flex-direction: column;
+ }
+
+ .version-badge {
+ display: block;
+ text-align: center;
+ }
+}
\ No newline at end of file
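Review bot: The `.advisory-identifiers` rule declares `padding: 0;` and then `padding: 1rem;` in the same block, so the first declaration is dead and should be removed (`list-style: none;` alone is enough to reset the list). `.severity-none` and `.severity-low` both use `#28a745`, which makes a CVSS "None" and "Low" indistinguishable by colour even though the commit message promises colour-coded severity; a distinct neutral colour for `.severity-none` would restore that. The file is also missing its trailing newline.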