Sync with GitHub Security Advisories

* Add inline_svg/CVE-2020-36644 and oxidized-web/CVE-2019-25088
* Add metadata for existing vulnerabilities git/CVE-2022-46648, keynote/CVE-2017-20159, pghero/CVE-2023-22626

Author: reedloden

gems/git/CVE-2022-46648.yml

@@ -1,6 +1,7 @@
 ---
 gem: git
 cve: 2022-46648
+ghsa: pfpr-3463-c6jh
 url: https://github.com/ruby-git/ruby-git/pull/602
 title: Potential remote code execution in ruby-git
 date: 2023-01-05
@@ -15,10 +16,10 @@ description: |
   remote code execution. Version 1.13.0 of the git gem was released which
   correctly parses any quoted file names.
 cvss_v3: 5.5
-patched_versions:
-  - '>= 1.13.0'
 unaffected_versions:
-  - '< 1.2.0'
+- "< 1.2.0"
+patched_versions:
+- ">= 1.13.0"
 related:
   url:
-    - https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0
+  - https://github.com/ruby-git/ruby-git/releases/tag/v1.13.0

gems/inline_svg/CVE-2020-36644.yml

@@ -0,0 +1,23 @@
+---
+gem: inline_svg
+cve: 2020-36644
+ghsa: p33q-4h4m-j994
+url: https://github.com/jamesmartin/inline_svg/pull/117
+title: Inline SVG vulnerable to Cross-site Scripting
+date: 2023-01-07
+description: |
+  A vulnerability has been found in jamesmartin Inline SVG up to 1.7.1
+  and classified as problematic. Affected by this vulnerability is an unknown functionality
+  of the file `lib/inline_svg/action_view/helpers.rb` of the component `URL Parameter
+  Handler`. The manipulation of the argument filename leads to cross site scripting.
+  The attack can be launched remotely. Upgrading to version 1.7.2 is able to address
+  this issue. The name of the patch is f5363b351508486021f99e083c92068cf2943621. It
+  is recommended to upgrade the affected component. The identifier VDB-217597 was
+  assigned to this vulnerability.
+patched_versions:
+- ">= 1.7.2"
+related:
+  url:
+  - https://github.com/jamesmartin/inline_svg/commit/f5363b351508486021f99e083c92068cf2943621
+  - https://github.com/jamesmartin/inline_svg/releases/tag/v1.7.2
+  - https://vuldb.com/?id.217597

gems/keynote/CVE-2017-20159.yml

@@ -13,6 +13,7 @@ description: |
   this issue. The name of the patch is 05be4356b0a6ca7de48da926a9b997beb5ffeb4a. It
   is recommended to upgrade the affected component. VDB-217142 is the identifier assigned
   to this vulnerability.
+cvss_v3: 6.1
 patched_versions:
 - ">= 1.0.0"
 related:

gems/oxidized-web/CVE-2019-25088.yml

@@ -0,0 +1,19 @@
+---
+gem: oxidized-web
+cve: 2019-25088
+ghsa: 8qwh-rm6c-jv96
+url: https://github.com/ytti/oxidized-web/pull/195
+title: Oxidized Web vulnerable to Cross-site Scripting
+date: 2022-12-27
+description: |
+  A vulnerability was found in ytti Oxidized Web. It has been classified
+  as problematic. Affected is an unknown function of the file `lib/oxidized/web/views/conf_search.haml`.
+  The manipulation of the argument `to_research` leads to cross site scripting. It
+  is possible to launch the attack remotely. The name of the patch is 55ab9bdc68b03ebce9280b8746ef31d7fdedcc45.
+  It is recommended to apply a patch to fix this issue. VDB-216870 is the identifier
+  assigned to this vulnerability.
+cvss_v3: 5.4
+related:
+  url:
+  - https://github.com/ytti/oxidized-web/commit/55ab9bdc68b03ebce9280b8746ef31d7fdedcc45
+  - https://vuldb.com/?id.216870

gems/pghero/CVE-2023-22626.yml

@@ -1,6 +1,7 @@
 ---
 gem: pghero
 cve: 2023-22626
+ghsa: vf99-xw26-86g5
 url: https://github.com/ankane/pghero/issues/439
 title: Information Disclosure Through EXPLAIN Feature
 date: 2023-01-04
@@ -10,5 +11,6 @@ description: |
   appear in an error message. If the PgHero database user has superuser privileges
   (not recommended), the user can use file access functions to read files on the
   database server.
+cvss_v3: 7.5
 patched_versions:
 - ">= 3.1.0"