Sync with GitHub Security Advisories

* Add curupira/CVE-2015-10053
* Add rack/CVE-2022-44571
* Add actionpack/CVE-2023-22792
* Add activesupport/CVE-2023-22796
* Add actionpack/CVE-2023-22797
* Add activerecord/CVE-2022-44566
* Add actionpack/CVE-2023-22795
* Add activerecord/CVE-2023-22794
* Add rack/CVE-2022-44570
* Add rack/CVE-2022-44572
* Add globalid/CVE-2023-22799

Author: reedloden

gems/actionpack/CVE-2023-22792.yml

@@ -0,0 +1,36 @@
+---
+gem: actionpack
+cve: 2023-22792
+ghsa: p84v-45xj-wwqj
+url: https://github.com/rails/rails/releases/tag/v7.0.4.1
+title: ReDoS based DoS vulnerability in Action Dispatch
+date: 2023-01-18
+description: |
+  There is a possible regular expression based DoS vulnerability in Action
+  Dispatch. This vulnerability has been assigned the CVE identifier
+  CVE-2023-22792.
+
+  Versions Affected: >= 3.0.0
+  Not affected: < 3.0.0
+  Fixed Versions: 6.1.7.1, 7.0.4.1
+
+  # Impact
+
+  Specially crafted cookies, in combination with a specially crafted
+  X_FORWARDED_HOST header can cause the regular expression engine to enter a
+  state of catastrophic backtracking. This can cause the process to use large
+  amounts of CPU and memory, leading to a possible DoS vulnerability All users
+  running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  # Workarounds
+
+  We recommend that all users upgrade to one of the FIXED versions. In the
+  meantime, users can mitigate this vulnerability by using a load balancer or
+  other device to filter out malicious X_FORWARDED_HOST headers before they
+  reach the application.
+unaffected_versions:
+- "< 3.0.0"
+patched_versions:
+- "~> 6.1.7, >= 6.1.7.1"
+- ">= 7.0.4.1"

gems/actionpack/CVE-2023-22795.yml

@@ -0,0 +1,36 @@
+---
+gem: actionpack
+cve: 2023-22795
+ghsa: 8xww-x3g3-6jcv
+url: https://github.com/rails/rails/releases/tag/v7.0.4.1
+title: ReDoS based DoS vulnerability in Action Dispatch
+date: 2023-01-18
+description: |-
+  There is a possible regular expression based DoS vulnerability in Action
+  Dispatch related to the If-None-Match header. This vulnerability has been
+  assigned the CVE identifier CVE-2023-22795.
+
+  Versions Affected: All
+  Not affected: None
+  Fixed Versions: 6.1.7.1, 7.0.4.1
+
+  # Impact
+
+  A specially crafted HTTP If-None-Match header can cause the regular
+  expression engine to enter a state of catastrophic backtracking, when on a
+  version of Ruby below 3.2.0. This can cause the process to use large amounts
+  of CPU and memory, leading to a possible DoS vulnerability All users running
+  an affected release should either upgrade or use one of the workarounds
+  immediately.
+
+  # Workarounds
+
+  We recommend that all users upgrade to one of the FIXED versions. In the
+  meantime, users can mitigate this vulnerability by using a load balancer or
+  other device to filter out malicious If-None-Match headers before they reach
+  the application.
+
+  Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
+patched_versions:
+- "~> 6.1.7, >= 6.1.7.1"
+- ">= 7.0.4.1"

gems/actionpack/CVE-2023-22797.yml

@@ -0,0 +1,40 @@
+---
+gem: actionpack
+cve: 2023-22797
+ghsa: 9445-4cr6-336r
+url: https://github.com/rails/rails/releases/tag/v7.0.4.1
+title: Open Redirect Vulnerability in Action Pack
+date: 2023-01-18
+description: |-
+  There is a vulnerability in Action Controller’s redirect_to. This
+  vulnerability has been assigned the CVE identifier CVE-2023-22797.
+
+  Versions Affected: >= 7.0.0
+  Not affected: < 7.0.0
+  Fixed Versions: 7.0.4.1
+
+  # Impact
+
+  There is a possible open redirect when using the redirect_to helper with
+  untrusted user input.
+
+  Vulnerable code will look like this:
+  ```
+  redirect_to(params[:some_param])
+  ```
+
+  Rails 7.0 introduced protection against open redirects from calling
+  redirect_to with untrusted user input. In prior versions the developer was
+  fully responsible for only providing trusted input. However the check
+  introduced could be bypassed by a carefully crafted URL.
+
+  All users running an affected release should either upgrade or use one of
+  the workarounds immediately.
+
+  # Workarounds
+
+  There are no feasible workarounds for this issue.
+unaffected_versions:
+- "< 7.0.0"
+patched_versions:
+- ">= 7.0.4.1"

gems/activerecord/CVE-2022-44566.yml

@@ -0,0 +1,32 @@
+---
+gem: activerecord
+cve: 2022-44566
+ghsa: 579w-22j4-4749
+url: https://github.com/rails/rails/releases/tag/v7.0.4.1
+title: Denial of Service Vulnerability in ActiveRecord’s PostgreSQL adapter
+date: 2023-01-18
+description: |
+  There is a potential denial of service vulnerability present in
+  ActiveRecord’s PostgreSQL adapter.
+
+  This has been assigned the CVE identifier CVE-2022-44566.
+
+  Versions Affected: All.
+  Not affected: None.
+  Fixed Versions: 7.0.4.1, 6.1.7.1
+
+  # Impact
+
+  In ActiveRecord <7.0.4.1 and <6.1.7.1, when a value outside the range for a
+  64bit signed integer is provided to the PostgreSQL connection adapter, it
+  will treat the target column type as numeric. Comparing integer values
+  against numeric values can result in a slow sequential scan resulting in
+  potential Denial of Service.
+
+  # Workarounds
+
+  Ensure that user supplied input which is provided to ActiveRecord clauses do
+  not contain integers wider than a signed 64bit representation or floats.
+patched_versions:
+- "~> 6.1.7, >= 6.1.7.1"
+- ">= 7.0.4.1"

gems/activerecord/CVE-2023-22794.yml

@@ -0,0 +1,60 @@
+---
+gem: activerecord
+cve: 2023-22794
+ghsa: hq7p-j377-6v63
+url: https://github.com/rails/rails/releases/tag/v7.0.4.1
+title: SQL Injection Vulnerability via ActiveRecord comments
+date: 2023-01-18
+description: |-
+  There is a possible vulnerability in ActiveRecord related to the
+  sanitization of comments. This vulnerability has been assigned the CVE
+  identifier CVE-2023-22794.
+
+  Versions Affected: >= 6.0.0
+  Not affected: < 6.0.0
+  Fixed Versions: 6.0.6.1, 6.1.7.1, 7.0.4.1
+
+  # Impact
+
+  Previously the implementation of escaping for comments was insufficient for
+
+  If malicious user input is passed to either the annotate query method, the
+  optimizer_hints query method, or through the QueryLogs interface which
+  automatically adds annotations, it may be sent to the database with
+  insufficient sanitization and be able to inject SQL outside of the comment.
+
+  In most cases these interfaces won’t be used with user input and users
+  should avoid doing so.
+
+  Example vulnerable code:
+  ```
+  Post.where(id: 1).annotate("#{params[:user_input]}")
+
+  Post.where(id: 1).optimizer_hints("#{params[:user_input]}")
+  ```
+
+  Example vulnerable QueryLogs configuration (the default configuration is not
+  vulnerable):
+  ```
+  config.active_record.query_log_tags = [
+    {
+      something: -> { <some value including user input> }
+    }
+  ]
+  ```
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  # Workarounds
+
+  Avoid passing user input to annotate and avoid using QueryLogs configuration
+  which can include user input.
+unaffected_versions:
+- "< 6.0.0"
+patched_versions:
+- "~> 6.0.6, >= 6.0.6.1"
+- "~> 6.1.7, >= 6.1.7.1"
+- ">= 7.0.4.1"
+related:
+  url:
+  - https://github.com/rails/rails/commit/d7aba06953f9fa789c411676b941d20df8ef73de

gems/activesupport/CVE-2023-22796.yml

@@ -0,0 +1,38 @@
+---
+gem: activesupport
+cve: 2023-22796
+ghsa: j6gc-792m-qgm2
+url: https://github.com/rails/rails/releases/tag/v7.0.4.1
+title: ReDoS based DoS vulnerability in Active Support’s underscore
+date: 2023-01-18
+description: |-
+  There is a possible regular expression based DoS vulnerability in Active
+  Support. This vulnerability has been assigned the CVE identifier
+  CVE-2023-22796.
+
+  Versions Affected: All
+  Not affected: None
+  Fixed Versions: 6.1.7.1, 7.0.4.1
+
+  # Impact
+
+  A specially crafted string passed to the underscore method can cause the
+  regular expression engine to enter a state of catastrophic backtracking.
+  This can cause the process to use large amounts of CPU and memory, leading
+  to a possible DoS vulnerability.
+
+  This affects String#underscore, ActiveSupport::Inflector.underscore,
+  String#titleize, and any other methods using these.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  # Workarounds
+
+  There are no feasible workarounds for this issue.
+
+  Users on Ruby 3.2.0 or greater may be able to reduce the impact by
+  configuring Regexp.timeout.
+patched_versions:
+- "~> 6.1.7, >= 6.1.7.1"
+- ">= 7.0.4.1"

gems/curupira/CVE-2015-10053.yml

@@ -0,0 +1,22 @@
+---
+gem: curupira
+cve: 2015-10053
+ghsa: 85gf-wr67-f83w
+url: https://github.com/prodigasistemas/curupira/commit/93a9a77896bb66c949acb8e64bceafc74bc8c271
+title: curupira is vulnerable to SQL injection
+date: 2023-01-16
+description: |
+  A vulnerability classified as critical has been found in prodigasistemas
+  curupira up to 0.1.3. Affected is an unknown function of the file
+  app/controllers/curupira/passwords_controller.rb.
+  The manipulation leads to sql injection. Upgrading to version 0.1.4 is able
+  to address this issue. The name of the patch is
+  93a9a77896bb66c949acb8e64bceafc74bc8c271. It is recommended to upgrade the
+  affected component. VDB-218394 is the identifier assigned to this
+  vulnerability.
+patched_versions:
+- ">= 0.1.4"
+related:
+  url:
+  - https://github.com/prodigasistemas/curupira/releases/tag/v0.1.4
+  - https://vuldb.com/?id.218394

gems/globalid/CVE-2023-22799.yml

@@ -0,0 +1,30 @@
+---
+gem: globalid
+cve: 2023-22799
+ghsa: 23c2-gwp5-pxw9
+url: https://github.com/rails/globalid/releases/tag/v1.0.1
+title: ReDoS based DoS vulnerability in GlobalID
+date: 2023-01-18
+description: |
+  There is a ReDoS based DoS vulnerability in the GlobalID gem. This
+  vulnerability has been assigned the CVE identifier CVE-2023-22799.
+
+  Versions Affected: >= 0.2.1
+  Not affected: < 0.2.1
+  Fixed Versions: 1.0.1
+
+  # Impact
+
+  There is a possible DoS vulnerability in the model name parsing section
+  of the GlobalID gem. Carefully crafted input can cause the regular
+  expression engine to take an unexpected amount of time. All users running
+  an affected release should either upgrade or use one of the workarounds
+  immediately.
+
+  # Workarounds
+
+  There are no feasible workarounds for this issue.
+unaffected_versions:
+- "< 0.2.1"
+patched_versions:
+- ">= 1.0.1"

gems/rack/CVE-2022-44570.yml

@@ -0,0 +1,31 @@
+---
+gem: rack
+cve: 2022-44570
+ghsa: 65f5-mfpf-vfhj
+url: https://github.com/rack/rack/releases/tag/v3.0.4.1
+title: Denial of service via header parsing in Rack
+date: 2023-01-18
+description: |
+  There is a possible denial of service vulnerability in the Range header
+  parsing component of Rack. This vulnerability has been assigned the CVE
+  identifier CVE-2022-44570.
+
+  Versions Affected: >= 1.5.0
+  Not affected: None.
+  Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1
+
+  # Impact
+
+  Carefully crafted input can cause the Range header parsing component in Rack
+  to take an unexpected amount of time, possibly resulting in a denial of
+  service attack vector. Any applications that deal with Range requests (such
+  as streaming applications, or applications that serve files) may be impacted.
+
+  # Workarounds
+
+  There are no feasible workarounds for this issue.
+patched_versions:
+- "~> 2.0.9, >= 2.0.9.2"
+- "~> 2.1.4, >= 2.1.4.2"
+- "~> 2.2.6, >= 2.2.6.2"
+- ">= 3.0.4.1"

gems/rack/CVE-2022-44571.yml

@@ -0,0 +1,32 @@
+---
+gem: rack
+cve: 2022-44571
+ghsa: 93pm-5p5f-3ghx
+url: https://github.com/rack/rack/releases/tag/v3.0.4.1
+title: Denial of Service Vulnerability in Rack Content-Disposition parsing
+date: 2023-01-18
+description: |
+  There is a denial of service vulnerability in the Content-Disposition parsing
+  component of Rack. This vulnerability has been assigned the CVE identifier
+  CVE-2022-44571.
+
+  Versions Affected: >= 2.0.0
+  Not affected: None.
+  Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1
+
+  # Impact
+
+  Carefully crafted input can cause Content-Disposition header parsing in Rack
+  to take an unexpected amount of time, possibly resulting in a denial of
+  service attack vector. This header is used typically used in multipart
+  parsing. Any applications that parse multipart posts using Rack (virtually
+  all Rails applications) are impacted.
+
+  # Workarounds
+
+  There are no feasible workarounds for this issue.
+patched_versions:
+- "~> 2.0.9, >= 2.0.9.2"
+- "~> 2.1.4, >= 2.1.4.2"
+- "~> 2.2.6, >= 2.2.6.1"
+- ">= 3.0.4.1"