GHSA SYNC: 20 new advisories

- gems/Autolab/CVE-2024-49376.yml
- gems/alchemy_cms/CVE-2018-18307.yml
- gems/arabic-prawn/CVE-2014-2322.yml
- gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml
- gems/fluentd-ui/CVE-2020-21514.yml
- gems/fluentd/CVE-2020-21514.yml
- gems/nokogiri/GHSA-fq42-c5rg-92c2.yml
- gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml
- gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml
- gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml
- gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml
- gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
- gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml
- gems/rails/CVE-2024-26143.yml
- gems/redcloth/CVE-2012-6684.yml
- gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml
- gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml
- gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml
- gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml
- gems/webrick/CVE-2009-4492.yml

Author: rakvium

gems/Autolab/CVE-2024-49376.yml

@@ -0,0 +1,34 @@
+---
+gem: Autolab
+cve: 2024-49376
+ghsa: v46j-h43h-rwrm
+url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
+title: Autolab Misconfigured Reset Password Permissions
+date: 2024-10-25
+description: |
+  ### Impact
+  For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords.
+
+  ### Patches
+  This is fixed in v3.0.1.
+
+  ### Workarounds
+  No workarounds.
+
+  ### For more information
+  If you have any questions or comments about this advisory:
+
+  Open an issue in https://github.com/autolab/Autolab/
+  Email us at [[email protected]](mailto:[email protected])
+cvss_v3: 8.8
+cvss_v4: 7.1
+unaffected_versions:
+- "< 3.0.0"
+patched_versions:
+- ">= 3.0.1"
+related:
+  url:
+  - url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2024-49376
+  - url: https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b
+  - url: https://github.com/advisories/GHSA-v46j-h43h-rwrm

gems/alchemy_cms/CVE-2018-18307.yml

@@ -0,0 +1,21 @@
+---
+gem: alchemy_cms
+cve: 2018-18307
+ghsa: 7mj4-2984-955f
+url: http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
+title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
+date: 2022-05-14
+description: A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS
+  via the /admin/pictures image filename field.
+cvss_v3: 5.9
+unaffected_versions:
+- "< 4.1.0"
+notes: Never patched
+related:
+  url:
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307
+  - url: http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
+  - url: https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
+  - url: https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
+  - url: https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
+  - url: https://github.com/advisories/GHSA-7mj4-2984-955f

gems/arabic-prawn/CVE-2014-2322.yml

@@ -0,0 +1,20 @@
+---
+gem: arabic-prawn
+cve: 2014-2322
+ghsa: hgmw-x865-hf9x
+url: http://www.openwall.com/lists/oss-security/2014/03/10/8
+title: Arabic Prawn allows remote attackers to execute arbitrary commands via shell
+  metacharacters
+date: 2017-10-24
+description: "`lib/string_utf_support.rb` in the Arabic Prawn 0.0.1 gem for Ruby allows
+  remote attackers to execute arbitrary commands via shell metacharacters in the (1)
+  downloaded_file or (2) url variable."
+cvss_v2: 7.5
+notes: Never patched
+related:
+  url:
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2014-2322
+  - url: http://www.openwall.com/lists/oss-security/2014/03/10/8
+  - url: http://www.openwall.com/lists/oss-security/2014/03/12/6
+  - url: https://web.archive.org/web/20160306235714/http://www.vapid.dhs.org/advisories/arabic-ruby-gem.html
+  - url: https://github.com/advisories/GHSA-hgmw-x865-hf9x

gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml

@@ -0,0 +1,67 @@
+---
+gem: camaleon_cms
+ghsa: 3hp8-6j24-m5gm
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+date: 2024-09-23
+description: |
+  The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
+
+  Arbitrary file deletion can be exploited with following code path:
+  The parameter folder flows from the actions method:
+  ```ruby
+    def actions
+      authorize! :manage, :media if params[:media_action] != 'crop_url'
+      params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+      case params[:media_action]
+      [..]
+      when 'del_file'
+        cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+        render plain: ''
+  ```
+  into the method delete_file of the CamaleonCmsLocalUploader
+  class (when files are uploaded locally):
+  ```ruby
+  def delete_file(key)
+    file = File.join(@root_folder, key)
+    FileUtils.rm(file) if File.exist? file
+    @instance.hooks_run('after_delete', key)
+    get_media_collection.find_by_key(key).take.destroy
+  end
+  ```
+  Where it is joined in an unchecked manner with the root folder and
+  then deleted.
+
+  **Proof of concept**
+  The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
+  ```
+  curl --path-as-is -i -s -k -X $'POST' \
+      -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+      -b $'auth_token=[..]; _cms_session=[..]' \
+      --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+  2F..
+  2F..
+  2FREADME.md&media_action=del_file' \
+      $'https://<camaleon-host>/admin/media/actions?actions=true'
+  ```
+
+  **Impact**
+
+  This issue may lead to a defective CMS or system.
+
+  **Remediation**
+
+  Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the
+  targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
+
+  **See also:**
+
+  [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+  [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+patched_versions:
+- ">= 2.8.1"
+related:
+  url:
+  - url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+  - url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml
+  - url: https://github.com/advisories/GHSA-3hp8-6j24-m5gm

gems/fluentd-ui/CVE-2020-21514.yml

@@ -0,0 +1,17 @@
+---
+gem: fluentd-ui
+cve: 2020-21514
+ghsa: wrxf-x8rm-6ggg
+url: https://github.com/fluent/fluentd/issues/2722
+title: Fluent Fluentd and Fluent-ui use default password
+date: 2023-04-04
+description: An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+  that allows attackers to gain escilated privileges and execute arbitrary code due
+  to use of a default password.
+cvss_v3: 8.8
+notes: Never patched
+related:
+  url:
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+  - url: https://github.com/fluent/fluentd/issues/2722
+  - url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg

gems/fluentd/CVE-2020-21514.yml

@@ -0,0 +1,17 @@
+---
+gem: fluentd
+cve: 2020-21514
+ghsa: wrxf-x8rm-6ggg
+url: https://github.com/fluent/fluentd/issues/2722
+title: Fluent Fluentd and Fluent-ui use default password
+date: 2023-04-04
+description: An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+  that allows attackers to gain escilated privileges and execute arbitrary code due
+  to use of a default password.
+cvss_v3: 8.8
+notes: Never patched
+related:
+  url:
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+  - url: https://github.com/fluent/fluentd/issues/2722
+  - url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg

gems/nokogiri/GHSA-fq42-c5rg-92c2.yml

@@ -0,0 +1,64 @@
+---
+gem: nokogiri
+ghsa: fq42-c5rg-92c2
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
+title: Vulnerable dependencies in Nokogiri
+date: 2022-02-25
+description: |
+  ### Summary
+
+  Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies:
+
+  - vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news)
+  - vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news)
+
+  Those library versions address the following upstream CVEs:
+
+  - libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity)
+  - libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below)
+
+  Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.
+
+  Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.
+
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.2`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 `>= 2.9.13` and libxslt `>= 1.1.35`, which will also address these same CVEs.
+
+
+  ### Impact
+
+  #### libxslt [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560)
+
+  - CVSS3 score: 8.8 (High)
+  - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c
+
+  All versions of libxslt prior to v1.1.35 are affected.
+
+  Applications using **untrusted** XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.
+
+
+  #### libxml2 [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)
+
+  - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
+  - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
+  - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html
+
+  The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an **untrusted** document with parse options `DTDVALID` set to true, and `NOENT` set to false.
+
+  An analysis of these parse options:
+
+  - While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
+  - `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.
+
+  It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing **untrusted** documents is vulnerable and should be upgraded immediately.
+cvss_v3: 8.8
+patched_versions:
+- ">= 1.13.2"
+related:
+  url:
+  - url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
+  - url: https://github.com/advisories/GHSA-fq42-c5rg-92c2

gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml

@@ -0,0 +1,41 @@
+---
+gem: nokogiri
+ghsa: gx8x-g87m-h5q6
+url: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
+title: Denial of Service (DoS) in Nokogiri on JRuby
+date: 2022-04-11
+description: |
+  ## Summary
+
+  Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity).
+
+  See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information.
+
+  Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
+
+
+  ## Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.4`.
+
+
+  ## Impact
+
+  ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml
+
+  - **Severity**: High 7.5
+  - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption
+  - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.
+  - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - url: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
+  - url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2022-24839
+  - url: https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
+  - url: https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - url: https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - url: https://github.com/advisories/GHSA-gx8x-g87m-h5q6

gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml

@@ -0,0 +1,30 @@
+---
+gem: nokogiri
+ghsa: v6gp-9mmm-c6p5
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
+title: Out-of-bounds Write in zlib affects Nokogiri
+date: 2022-04-11
+description: "## Summary\n\nNokogiri v1.13.4 updates the vendored zlib from 1.2.11
+  to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032).
+  That CVE is scored as CVSS 7.4 \"High\" on the NVD record as of 2022-04-05.\n\nPlease
+  note that this advisory only applies to the CRuby implementation of Nokogiri `<
+  1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this
+  document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby)
+  for a complete description of which platform gems vendor `zlib`. If you've overridden
+  defaults at installation time to use system libraries instead of packaged libraries,
+  you should instead pay attention to your distro's `zlib` release announcements.
+  \n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
+  in zlib\n\n- **Severity**: High\n- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html)
+  Out of bounds write\n- **Description**: zlib before 1.2.12 allows memory corruption
+  when deflating (i.e., when compressing) if the input has many distant matches.\n\n"
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2018-25032
+  - url: https://github.com/advisories/GHSA-jc36-42cf-vqwj
+  - url: https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - url: https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - url: https://github.com/advisories/GHSA-v6gp-9mmm-c6p5

gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml

@@ -0,0 +1,54 @@
+---
+gem: nokogiri
+ghsa: vcc3-rw6f-jv97
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+title: Use-after-free in libxml2 via Nokogiri::XML::Reader
+date: 2024-03-18
+description: |
+  ### Summary
+
+  Nokogiri upgrades its dependency libxml2 as follows:
+  - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
+  - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
+
+  libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
+
+  CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
+  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
+  - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
+
+  Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
+  the packaged libraries are being used. If you've overridden defaults at installation time to use
+  system libraries instead of packaged libraries, you should instead pay attention to your distro's
+  libxml2 release announcements.
+
+  JRuby users are not affected.
+
+  ### Severity
+
+  The Nokogiri maintainers have evaluated this as **Moderate**.
+
+  ### Impact
+
+  From the CVE description, this issue applies to the `xmlTextReader` module (which underlies
+  `Nokogiri::XML::Reader`):
+
+  > When using the XML Reader interface with DTD validation and XInclude expansion enabled,
+  > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
+  and link Nokogiri against patched external libxml2 libraries which will also address these same
+  issues.
+cvss_v3: 7.5
+patched_versions:
+- "~> 1.15.6"
+- ">= 1.16.2"
+related:
+  url:
+  - url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+  - url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
+  - url: https://github.com/advisories/GHSA-vcc3-rw6f-jv97