Sync with GitHub Security Advisories

reedloden · reedloden · commit 4921d4347c39 · 2023-01-23T13:11:35.000-05:00
* Add exiftool_vendored/GHSA-q95h-cqrv-8jv5, fat_free_crm/CVE-2019-10226, publify_core/CVE-2022-2815, publify_core/CVE-2023-0299, sisimai/CVE-2022-4891 * Update CVSSv3 for fat_free_crm/CVE-2015-1585
diff --git a/gems/exiftool_vendored/GHSA-q95h-cqrv-8jv5.yml b/gems/exiftool_vendored/GHSA-q95h-cqrv-8jv5.yml
@@ -0,0 +1,23 @@
+---
+gem: exiftool_vendored
+ghsa: q95h-cqrv-8jv5
+url: https://github.com/exiftool-rb/exiftool_vendored.rb/security/advisories/GHSA-q95h-cqrv-8jv5
+title: ExifTool vulnerable to arbitrary code execution
+date: 2023-01-20
+description: |-
+  ### Impact
+  Arbitrary code execution can occur when running `exiftool` against files with hostile metadata payloads
+
+  ### Patches
+  ExifTool has already been patched in version 12.24. `exiftool_vendored.rb`, which vendors ExifTool, includes this patch in [v12.25.0](https://github.com/exiftool-rb/exiftool_vendored.rb/releases/tag/v12.25.0).
+
+  ### Workarounds
+  No
+cvss_v3: 7.8
+patched_versions:
+- ">= 12.25.0"
+related:
+  url:
+  - https://twitter.com/wcbowling/status/1385803927321415687
+  cve:
+  - 2021-22204
diff --git a/gems/fat_free_crm/CVE-2015-1585.yml b/gems/fat_free_crm/CVE-2015-1585.yml
@@ -1,7 +1,8 @@
 ---
 gem: fat_free_crm
-osvdb: 118465
 cve: 2015-1585
+osvdb: 118465
+ghsa: wx7c-8j35-mpg8
 url: https://nvd.nist.gov/vuln/detail/CVE-2015-1585
 title: Fat Free CRM Gem being vulnerable to CSRF-type attacks
 date: 2015-02-16
@@ -14,4 +15,4 @@ description: |
   users.
 cvss_v2: 6.8
 patched_versions:
-- '>= 0.13.6'
+- ">= 0.13.6"
diff --git a/gems/fat_free_crm/CVE-2019-10226.yml b/gems/fat_free_crm/CVE-2019-10226.yml
@@ -0,0 +1,11 @@
+---
+gem: fat_free_crm
+cve: 2019-10226
+ghsa: gmg5-r3c4-3fm9
+url: http://packetstormsecurity.com/files/152263/Fat-Free-CRM-0.19.0-HTML-Injection.html
+title: Fat Free CRM Cross-site Scripting vulnerability
+date: 2022-05-24
+description: |
+  HTML Injection has been discovered in the v0.19.0 version of the Fat
+  Free CRM product via an authenticated request to the /comments URI.
+cvss_v3: 5.4
diff --git a/gems/publify_core/CVE-2022-2815.yml b/gems/publify_core/CVE-2022-2815.yml
@@ -0,0 +1,17 @@
+---
+gem: publify_core
+cve: 2022-2815
+ghsa: 79wq-g4v9-gfj4
+url: https://github.com/publify/publify/commit/af69097d349f4c00f244c51cd3c3e937fd3387cd
+title: Publify Core does not strip metadata from images
+date: 2023-01-14
+description: |
+  Insecure Storage of Sensitive Information in GitHub repository publify/publify
+  prior to 9.2.10.
+cvss_v3: 6.5
+patched_versions:
+- ">= 9.2.10"
+related:
+  url:
+  - https://huntr.dev/bounties/22fdcc39-8c1a-4e4c-8eae-be3fd764f8b4
+  - https://github.com/publify/publify_core/commit/33f897c12b6efdcdfd8cf9df924deba0f878b71e
diff --git a/gems/publify_core/CVE-2023-0299.yml b/gems/publify_core/CVE-2023-0299.yml
@@ -0,0 +1,16 @@
+---
+gem: publify_core
+cve: 2023-0299
+ghsa: q3rm-f527-ghxj
+url: https://github.com/publify/publify/commit/ca46da283572b4f8c0b5aa245008756c8a5fd1b1
+title: Publify Improper Input Validation vulnerability
+date: 2023-01-14
+description: |
+  Improper Input Validation in GitHub repository publify/publify prior
+  to 9.2.10.
+patched_versions:
+- ">= 9.2.10"
+related:
+  url:
+  - https://huntr.dev/bounties/0049774b-1857-46dc-a834-f1fb15138c53
+  - https://github.com/publify/publify_core/commit/34f6e9c98e0e3b3f9896f9676b3d6442220e2b4e
diff --git a/gems/sisimai/CVE-2022-4891.yml b/gems/sisimai/CVE-2022-4891.yml
@@ -0,0 +1,22 @@
+---
+gem: sisimai
+cve: 2022-4891
+ghsa: vm74-j4wq-82xj
+url: https://github.com/sisimai/rb-sisimai/pull/244
+title: Sisimai Inefficient Regular Expression Complexity vulnerability
+date: 2023-01-17
+description: |
+  A vulnerability has been found in Sisimai up to 4.25.14p11 and classified
+  as problematic. This vulnerability affects the function `to_plain` of the file `lib/sisimai/string.rb`.
+  The manipulation leads to inefficient regular expression complexity. The exploit
+  has been disclosed to the public and may be used. Upgrading to version 4.25.14p12
+  is able to address this issue. The name of the patch is 51fe2e6521c9c02b421b383943dc9e4bbbe65d4e.
+  It is recommended to upgrade the affected component.
+patched_versions:
+- ">= 4.25.14p12"
+related:
+  url:
+  - https://github.com/sisimai/rb-sisimai/commit/51fe2e6521c9c02b421b383943dc9e4bbbe65d4e
+  - https://gist.githubusercontent.com/gmcabrita/e5dc0332473fc2e3a7a407434c8d21c7/raw/00b12035e5e1b685469f143b94301a50306376ba/example.html
+  - https://github.com/sisimai/rb-sisimai/releases/tag/v4.25.14p12
+  - https://vuldb.com/?id.218452
