Sync with GitHub Security Advisories

reedloden · reedloden · commit 0758aeef7a2a · 2023-03-09T00:09:10.000-08:00
* Add elastic-apm/CVE-2019-7615 * Add pdf_info/CVE-2022-36231 * Add missing CVSSv3 scores to other issues
diff --git a/gems/actionpack/CVE-2023-22797.yml b/gems/actionpack/CVE-2023-22797.yml
@@ -34,6 +34,7 @@ description: |-
   # Workarounds
 
   There are no feasible workarounds for this issue.
+cvss_v3: 6.1
 unaffected_versions:
 - "< 7.0.0"
 patched_versions:
diff --git a/gems/activerecord/CVE-2022-44566.yml b/gems/activerecord/CVE-2022-44566.yml
@@ -27,6 +27,7 @@ description: |
 
   Ensure that user supplied input which is provided to ActiveRecord clauses do
   not contain integers wider than a signed 64bit representation or floats.
+cvss_v3: 7.5
 patched_versions:
 - "~> 5.2.8, >= 5.2.8.15"  # Rails LTS
 - "~> 6.1.7, >= 6.1.7.1"
diff --git a/gems/activerecord/CVE-2023-22794.yml b/gems/activerecord/CVE-2023-22794.yml
@@ -49,6 +49,7 @@ description: |-
 
   Avoid passing user input to annotate and avoid using QueryLogs configuration
   which can include user input.
+cvss_v3: 8.8
 unaffected_versions:
 - "< 6.0.0"
 patched_versions:
diff --git a/gems/elastic-apm/CVE-2019-7615.yml b/gems/elastic-apm/CVE-2019-7615.yml
@@ -0,0 +1,19 @@
+---
+gem: elastic-apm
+cve: 2019-7615
+ghsa: 35j2-p8fh-x966
+url: https://github.com/elastic/apm-agent-ruby/pull/449
+title: Elastic APM agent for Ruby vulnerable to Improper Certificate Validation
+date: 2022-05-24
+description: |
+  A TLS certificate validation flaw was found in Elastic APM agent for
+  Ruby versions before 2.9.0. When specifying a trusted server CA certificate via
+  the `server_ca_cert` setting, the Ruby agent would not properly verify the certificate
+  returned by the APM server. This could result in a man in the middle style attack
+  against the Ruby agent.
+cvss_v3: 7.4
+patched_versions:
+- ">= 2.9.0"
+related:
+  url:
+  - https://www.elastic.co/community/security/
diff --git a/gems/pdf_info/CVE-2022-36231.yml b/gems/pdf_info/CVE-2022-36231.yml
@@ -0,0 +1,16 @@
+---
+gem: pdf_info
+cve: 2022-36231
+ghsa: 9fh3-j99m-f4v7
+url: https://github.com/affix/CVE-2022-36231
+title: Code injection in pdf_info
+date: 2023-02-24
+description: |
+  pdf_info 0.5.3 is vulnerable to Command Execution. An attacker using
+  a specially crafted payload may execute OS commands by using command chaining because
+  during object initalization there is no validation performed and the user provided
+  path is used.
+related:
+  url:
+  - https://github.com/newspaperclub/pdf_info/issues/16
+  - https://github.com/newspaperclub/pdf_info/pull/15
diff --git a/gems/rails-html-sanitizer/CVE-2018-3741.yml b/gems/rails-html-sanitizer/CVE-2018-3741.yml
@@ -12,8 +12,9 @@ description: |
   on target applications.
 
   This issue is similar to CVE-2018-8048 in Loofah.
+cvss_v3: 6.1
 patched_versions:
-- '>= 1.0.4'
+- ">= 1.0.4"
 related:
   cve:
   - 2018-8048
diff --git a/gems/restforce/CVE-2018-3777.yml b/gems/restforce/CVE-2018-3777.yml
@@ -32,6 +32,7 @@ description: |
   If possible, applications should track salesforce IDs internally, rather than
   passing user-supplied IDs to salesforce. Such practice mitigates this
   vulnerability, and in general is desirable for ensuring strong access control.
+cvss_v3: 9.8
 patched_versions:
-- ~> 2.5.4
-- '>= 3.0.0'
+- "~> 2.5.4"
+- ">= 3.0.0"
