GHSA SYNC: new advisories

- gems/Autolab/CVE-2024-49376.yml
- gems/alchemy_cms/CVE-2018-18307.yml
- gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml
- gems/fluentd-ui/CVE-2020-21514.yml
- gems/fluentd/CVE-2020-21514.yml
- gems/nokogiri/GHSA-fq42-c5rg-92c2.yml
- gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml
- gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml
- gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml
- gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml
- gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
- gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml
- gems/rails/CVE-2024-26143.yml
- gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml
- gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml
- gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml
- gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml
- gems/webrick/CVE-2009-4492.yml

Author: rakvium

gems/Autolab/CVE-2024-49376.yml

@@ -0,0 +1,34 @@
+---
+gem: Autolab
+cve: 2024-49376
+ghsa: v46j-h43h-rwrm
+url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
+title: Autolab Misconfigured Reset Password Permissions
+date: 2024-10-25
+description: |
+  ### Impact
+  For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords.
+
+  ### Patches
+  This is fixed in v3.0.1.
+
+  ### Workarounds
+  No workarounds.
+
+  ### For more information
+  If you have any questions or comments about this advisory:
+
+  Open an issue in https://github.com/autolab/Autolab/
+  Email us at [[email protected]](mailto:[email protected])
+cvss_v3: 8.8
+cvss_v4: 7.1
+unaffected_versions:
+- "< 3.0.0"
+patched_versions:
+- ">= 3.0.1"
+related:
+  url:
+  - url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2024-49376
+  - url: https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b
+  - url: https://github.com/advisories/GHSA-v46j-h43h-rwrm

gems/alchemy_cms/CVE-2018-18307.yml

@@ -0,0 +1,21 @@
+---
+gem: alchemy_cms
+cve: 2018-18307
+ghsa: 7mj4-2984-955f
+url: http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
+title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
+date: 2022-05-14
+description: A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS
+  via the /admin/pictures image filename field.
+cvss_v3: 5.9
+unaffected_versions:
+- "< 4.1.0"
+notes: Never patched
+related:
+  url:
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307
+  - url: http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
+  - url: https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
+  - url: https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
+  - url: https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
+  - url: https://github.com/advisories/GHSA-7mj4-2984-955f

gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml

@@ -0,0 +1,67 @@
+---
+gem: camaleon_cms
+ghsa: 3hp8-6j24-m5gm
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+date: 2024-09-23
+description: |
+  The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
+
+  Arbitrary file deletion can be exploited with following code path:
+  The parameter folder flows from the actions method:
+  ```ruby
+    def actions
+      authorize! :manage, :media if params[:media_action] != 'crop_url'
+      params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+      case params[:media_action]
+      [..]
+      when 'del_file'
+        cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+        render plain: ''
+  ```
+  into the method delete_file of the CamaleonCmsLocalUploader
+  class (when files are uploaded locally):
+  ```ruby
+  def delete_file(key)
+    file = File.join(@root_folder, key)
+    FileUtils.rm(file) if File.exist? file
+    @instance.hooks_run('after_delete', key)
+    get_media_collection.find_by_key(key).take.destroy
+  end
+  ```
+  Where it is joined in an unchecked manner with the root folder and
+  then deleted.
+
+  **Proof of concept**
+  The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
+  ```
+  curl --path-as-is -i -s -k -X $'POST' \
+      -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+      -b $'auth_token=[..]; _cms_session=[..]' \
+      --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+  2F..
+  2F..
+  2FREADME.md&media_action=del_file' \
+      $'https://<camaleon-host>/admin/media/actions?actions=true'
+  ```
+
+  **Impact**
+
+  This issue may lead to a defective CMS or system.
+
+  **Remediation**
+
+  Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the
+  targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
+
+  **See also:**
+
+  [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+  [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+patched_versions:
+- ">= 2.8.1"
+related:
+  url:
+  - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml
+  - https://github.com/advisories/GHSA-3hp8-6j24-m5gm

gems/fluentd-ui/CVE-2020-21514.yml

@@ -0,0 +1,18 @@
+---
+gem: fluentd-ui
+cve: 2020-21514
+ghsa: wrxf-x8rm-6ggg
+url: https://github.com/fluent/fluentd/issues/2722
+title: Fluent Fluentd and Fluent-ui use default password
+date: 2023-04-04
+description: |
+  An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+  that allows attackers to gain escilated privileges and execute arbitrary code due
+  to use of a default password.
+cvss_v3: 8.8
+notes: Never patched
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+    - https://github.com/fluent/fluentd/issues/2722
+    - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg

gems/fluentd/CVE-2020-21514.yml

@@ -0,0 +1,18 @@
+---
+gem: fluentd
+cve: 2020-21514
+ghsa: wrxf-x8rm-6ggg
+url: https://github.com/fluent/fluentd/issues/2722
+title: Fluent Fluentd and Fluent-ui use default password
+date: 2023-04-04
+description: |
+  An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+  that allows attackers to gain escilated privileges and execute arbitrary code due
+  to use of a default password.
+cvss_v3: 8.8
+notes: Never patched
+related:
+  url:
+  - url: https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+  - url: https://github.com/fluent/fluentd/issues/2722
+  - url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg

gems/nokogiri/GHSA-fq42-c5rg-92c2.yml

@@ -0,0 +1,64 @@
+---
+gem: nokogiri
+ghsa: fq42-c5rg-92c2
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
+title: Vulnerable dependencies in Nokogiri
+date: 2022-02-25
+description: |
+  ### Summary
+
+  Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies:
+
+  - vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news)
+  - vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news)
+
+  Those library versions address the following upstream CVEs:
+
+  - libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity)
+  - libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below)
+
+  Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs.
+
+  Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements.
+
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.2`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 `>= 2.9.13` and libxslt `>= 1.1.35`, which will also address these same CVEs.
+
+
+  ### Impact
+
+  #### libxslt [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560)
+
+  - CVSS3 score: 8.8 (High)
+  - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c
+
+  All versions of libxslt prior to v1.1.35 are affected.
+
+  Applications using **untrusted** XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately.
+
+
+  #### libxml2 [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308)
+
+  - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score.
+  - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12
+  - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html
+
+  The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an **untrusted** document with parse options `DTDVALID` set to true, and `NOENT` set to false.
+
+  An analysis of these parse options:
+
+  - While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later.
+  - `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly.
+
+  It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing **untrusted** documents is vulnerable and should be upgraded immediately.
+cvss_v3: 8.8
+patched_versions:
+- ">= 1.13.2"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2
+  - https://github.com/advisories/GHSA-fq42-c5rg-92c2

gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml

@@ -0,0 +1,41 @@
+---
+gem: nokogiri
+ghsa: gx8x-g87m-h5q6
+url: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
+title: Denial of Service (DoS) in Nokogiri on JRuby
+date: 2022-04-11
+description: |
+  ## Summary
+
+  Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity).
+
+  See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information.
+
+  Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
+
+
+  ## Mitigation
+
+  Upgrade to Nokogiri `>= 1.13.4`.
+
+
+  ## Impact
+
+  ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml
+
+  - **Severity**: High 7.5
+  - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption
+  - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.
+  - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv)
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6
+  - https://nvd.nist.gov/vuln/detail/CVE-2022-24839
+  - https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - https://github.com/advisories/GHSA-gx8x-g87m-h5q6

gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml

@@ -0,0 +1,30 @@
+---
+gem: nokogiri
+ghsa: v6gp-9mmm-c6p5
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
+title: Out-of-bounds Write in zlib affects Nokogiri
+date: 2022-04-11
+description: "## Summary\n\nNokogiri v1.13.4 updates the vendored zlib from 1.2.11
+  to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032).
+  That CVE is scored as CVSS 7.4 \"High\" on the NVD record as of 2022-04-05.\n\nPlease
+  note that this advisory only applies to the CRuby implementation of Nokogiri `<
+  1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this
+  document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby)
+  for a complete description of which platform gems vendor `zlib`. If you've overridden
+  defaults at installation time to use system libraries instead of packaged libraries,
+  you should instead pay attention to your distro's `zlib` release announcements.
+  \n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)
+  in zlib\n\n- **Severity**: High\n- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html)
+  Out of bounds write\n- **Description**: zlib before 1.2.12 allows memory corruption
+  when deflating (i.e., when compressing) if the input has many distant matches.\n\n"
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5
+  - https://nvd.nist.gov/vuln/detail/CVE-2018-25032
+  - https://github.com/advisories/GHSA-jc36-42cf-vqwj
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - https://github.com/advisories/GHSA-v6gp-9mmm-c6p5

gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml

@@ -0,0 +1,54 @@
+---
+gem: nokogiri
+ghsa: vcc3-rw6f-jv97
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+title: Use-after-free in libxml2 via Nokogiri::XML::Reader
+date: 2024-03-18
+description: |
+  ### Summary
+
+  Nokogiri upgrades its dependency libxml2 as follows:
+  - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
+  - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
+
+  libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
+
+  CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
+  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
+  - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
+
+  Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
+  the packaged libraries are being used. If you've overridden defaults at installation time to use
+  system libraries instead of packaged libraries, you should instead pay attention to your distro's
+  libxml2 release announcements.
+
+  JRuby users are not affected.
+
+  ### Severity
+
+  The Nokogiri maintainers have evaluated this as **Moderate**.
+
+  ### Impact
+
+  From the CVE description, this issue applies to the `xmlTextReader` module (which underlies
+  `Nokogiri::XML::Reader`):
+
+  > When using the XML Reader interface with DTD validation and XInclude expansion enabled,
+  > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
+  and link Nokogiri against patched external libxml2 libraries which will also address these same
+  issues.
+cvss_v3: 7.5
+patched_versions:
+- "~> 1.15.6"
+- ">= 1.16.2"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
+  - https://github.com/advisories/GHSA-vcc3-rw6f-jv97

gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml

@@ -0,0 +1,37 @@
+---
+gem: nokogiri
+ghsa: xxx9-3xcr-gjj3
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
+title: XML Injection in Xerces Java affects Nokogiri
+date: 2022-04-11
+description: |+
+  ## Summary
+
+  Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record.
+
+  Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`.
+
+  ## Mitigation
+
+  Upgrade to Nokogiri `>= v1.13.4`.
+
+  ## Impact
+
+  ### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J
+
+  - **Severity**: Medium
+  - **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection)
+  - **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
+  - **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj
+
+cvss_v3: 6.5
+patched_versions:
+- ">= 1.13.4"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3
+  - https://nvd.nist.gov/vuln/detail/CVE-2022-23437
+  - https://github.com/advisories/GHSA-h65f-jvqw-m9fj
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4
+  - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer
+  - https://github.com/advisories/GHSA-xxx9-3xcr-gjj3