Sync with GitHub Security Advisories

reedloden · reedloden · commit 9bfad4be77cb · 2023-03-09T00:54:46.000-08:00
* Add devise_token_auth/CVE-2019-16751, geminabox/CVE-2017-14506, geminabox/CVE-2017-14683, nokogiri/CVE-2019-13118, nokogiri/CVE-2021-3517, rubygems-update/CVE-2018-1000073, rubygems-update/CVE-2018-1000076 * Update CVSSv3 and GHSA IDs for other vulnerabilities
diff --git a/gems/devise_token_auth/CVE-2019-16751.yml b/gems/devise_token_auth/CVE-2019-16751.yml
@@ -0,0 +1,18 @@
+---
+gem: devise_token_auth
+cve: 2019-16751
+ghsa: mvqr-r76c-wm5f
+url: https://github.com/lynndylanhurley/devise_token_auth/issues/1332
+title: Devise Token Auth vulnerable to Cross-site Scripting
+date: 2022-05-24
+description: |
+  An issue was discovered in Devise Token Auth through 1.1.2. The omniauth
+  failure endpoint is vulnerable to Reflected Cross Site Scripting (XSS) through the
+  message parameter. Unauthenticated attackers can craft a URL that executes a malicious
+  JavaScript payload in the victim's browser. This affects the fallback_render method
+  in the omniauth callbacks controller.
+cvss_v3: 6.1
+unaffected_versions:
+- "< 0.1.33"
+patched_versions:
+- ">= 1.1.3"
diff --git a/gems/geminabox/CVE-2017-14506.yml b/gems/geminabox/CVE-2017-14506.yml
@@ -0,0 +1,18 @@
+---
+gem: geminabox
+cve: 2017-14506
+ghsa: 98hq-3qvg-pg78
+url: http://baraktawily.blogspot.co.il/2017/09/gem-in-box-xss-vulenrability-cve-2017.html
+title: Gem in a Box vulnerable to Cross-site Scripting
+date: 2022-05-13
+description: |
+  geminabox (aka Gem in a Box) before 0.13.6 is vulnerable to Cross-site
+  Scripting (XSS), as demonstrated by uploading a gem file that has a crafted gem.homepage
+  value in its .gemspec file.
+cvss_v3: 5.4
+patched_versions:
+- ">= 0.13.6"
+related:
+  url:
+  - https://github.com/geminabox/geminabox/blob/master/CHANGELOG.md
+  - https://github.com/geminabox/geminabox/commit/99aaae196c4fc6ae0df28e186ca1e493ae658e02
diff --git a/gems/geminabox/CVE-2017-14683.yml b/gems/geminabox/CVE-2017-14683.yml
@@ -0,0 +1,17 @@
+---
+gem: geminabox
+cve: 2017-14683
+ghsa: qwv2-2x8g-g43g
+url: http://baraktawily.blogspot.co.il/2017/09/gem-in-box-xss-vulenrability-cve-2017.html
+title: Gem in a Box vulnerable to Cross-site Request Forgery
+date: 2022-05-13
+description: |
+  geminabox (aka Gem in a Box) before 0.13.7 has CSRF, as demonstrated
+  by an unintended gem upload.
+cvss_v3: 8.8
+patched_versions:
+- ">= 0.13.7"
+related:
+  url:
+  - https://github.com/geminabox/geminabox/blob/master/CHANGELOG.md
+  - https://github.com/geminabox/geminabox/commit/a01c4e8b3403624109499dec75eb6ee30bd01a55
diff --git a/gems/grape/CVE-2018-3769.yml b/gems/grape/CVE-2018-3769.yml
@@ -12,8 +12,9 @@ description: |
 
   Example:
   http://example.com/api/endpoint?format=%3Cscript%3Ealert(document.cookie)%3C/script%3E
+cvss_v3: 6.1
 patched_versions:
-- '>= 1.1.0'
+- ">= 1.1.0"
 related:
   url:
   - https://github.com/ruby-grape/grape/pull/1763
diff --git a/gems/nokogiri/CVE-2019-11068.yml b/gems/nokogiri/CVE-2019-11068.yml
@@ -1,9 +1,10 @@
 ---
 gem: nokogiri
 cve: 2019-11068
-date: 2019-04-22
+ghsa: qxcg-xjjg-66mj
 url: https://github.com/sparklemotion/nokogiri/issues/1892
 title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
+date: 2019-04-22
 description: |
   Nokogiri v1.10.3 has been released.
 
@@ -39,9 +40,9 @@ description: |
   Canonical rates this as "Priority: Medium".
 
   Debian rates this as "NVD Severity: High (attack range: remote)".
+cvss_v3: 9.8
 patched_versions:
-- '>= 1.10.3'
-
+- ">= 1.10.3"
 related:
   url:
   - https://groups.google.com/forum/#!msg/ruby-security-ann/_y80o1zZlOs/k4SDX6hoAAAJ
diff --git a/gems/nokogiri/CVE-2019-13118.yml b/gems/nokogiri/CVE-2019-13118.yml
@@ -0,0 +1,61 @@
+---
+gem: nokogiri
+cve: 2019-13118
+ghsa: cf46-6xxh-pc75
+url: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
+title: libxslt Type Confusion vulnerability that affects Nokogiri
+date: 2022-05-24
+description: |-
+  In `numbers.c` in libxslt 1.1.33, a type holding grouping characters of an `xsl:number` instruction was too narrow and an invalid character/length combination could be passed to `xsltNumberFormatDecimal`, leading to a read of uninitialized stack data.
+
+  Nokogiri prior to version 1.10.5 used a vulnerable version of libxslt. Nokogiri 1.10.5 updated libxslt to version 1.1.34 to address this and other vulnerabilities in libxslt.
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.10.5"
+related:
+  url:
+  - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15069
+  - https://gitlab.gnome.org/GNOME/libxslt/commit/6ce8de69330783977dd14f6569419489875fb71b
+  - https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
+  - https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
+  - https://lists.debian.org/debian-lts-announce/2019/07/msg00020.html
+  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOYJKXPQCUNBMMQJWYXOR6QRUJZHEDRZ/
+  - https://oss-fuzz.com/testcase-detail/5197371471822848
+  - https://seclists.org/bugtraq/2019/Aug/21
+  - https://seclists.org/bugtraq/2019/Aug/22
+  - https://seclists.org/bugtraq/2019/Aug/23
+  - https://seclists.org/bugtraq/2019/Aug/25
+  - https://seclists.org/bugtraq/2019/Jul/35
+  - https://seclists.org/bugtraq/2019/Jul/36
+  - https://seclists.org/bugtraq/2019/Jul/37
+  - https://seclists.org/bugtraq/2019/Jul/40
+  - https://seclists.org/bugtraq/2019/Jul/41
+  - https://seclists.org/bugtraq/2019/Jul/42
+  - https://security.netapp.com/advisory/ntap-20190806-0004/
+  - https://security.netapp.com/advisory/ntap-20200122-0003/
+  - https://support.apple.com/kb/HT210346
+  - https://support.apple.com/kb/HT210348
+  - https://support.apple.com/kb/HT210351
+  - https://support.apple.com/kb/HT210353
+  - https://support.apple.com/kb/HT210356
+  - https://support.apple.com/kb/HT210357
+  - https://support.apple.com/kb/HT210358
+  - https://usn.ubuntu.com/4164-1/
+  - https://www.oracle.com/security-alerts/cpujan2020.html
+  - http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
+  - http://seclists.org/fulldisclosure/2019/Aug/11
+  - http://seclists.org/fulldisclosure/2019/Aug/13
+  - http://seclists.org/fulldisclosure/2019/Aug/14
+  - http://seclists.org/fulldisclosure/2019/Aug/15
+  - http://seclists.org/fulldisclosure/2019/Jul/22
+  - http://seclists.org/fulldisclosure/2019/Jul/23
+  - http://seclists.org/fulldisclosure/2019/Jul/24
+  - http://seclists.org/fulldisclosure/2019/Jul/26
+  - http://seclists.org/fulldisclosure/2019/Jul/31
+  - http://seclists.org/fulldisclosure/2019/Jul/37
+  - http://seclists.org/fulldisclosure/2019/Jul/38
+  - http://www.openwall.com/lists/oss-security/2019/11/17/2
+  - https://github.com/sparklemotion/nokogiri/issues/1943
+  - https://github.com/sparklemotion/nokogiri/commit/43a175339b47b8c604508813fc75b83f13cd173e
+  - https://github.com/sparklemotion/nokogiri/blob/f7aa3b0b29d6fe5fafe93dacd9b96b6b3d16b7ec/CHANGELOG.md?plain=1#L796
+  - https://github.com/sparklemotion/nokogiri/releases/tag/v1.10.5
diff --git a/gems/nokogiri/CVE-2021-3517.yml b/gems/nokogiri/CVE-2021-3517.yml
@@ -0,0 +1,32 @@
+---
+gem: nokogiri
+cve: 2021-3517
+ghsa: jw9f-hh49-cvp9
+url: https://bugzilla.redhat.com/show_bug.cgi?id=1954232
+title: Nokogiri contains libxml Out-of-bounds Write vulnerability
+date: 2022-05-24
+description: |-
+  There is a flaw in the xml entity encoding functionality of libxml2 in versions before 2.9.11. An attacker who is able to supply a crafted file to be processed by an application linked with the affected functionality of libxml2 could trigger an out-of-bounds read. The most likely impact of this flaw is to application availability, with some potential impact to confidentiality and integrity if an attacker is able to use memory information to further exploit the application.
+
+  Nokogiri prior to version 1.11.4 used a vulnerable version of libxml2. Nokogiri 1.11.4 updated libxml2 to version 2.9.11 to address this and other vulnerabilities in libxml2.
+cvss_v3: 8.6
+patched_versions:
+- ">= 1.11.4"
+related:
+  url:
+  - https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b@%3Cissues.bookkeeper.apache.org%3E
+  - https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4@%3Cissues.bookkeeper.apache.org%3E
+  - https://lists.debian.org/debian-lts-announce/2021/05/msg00008.html
+  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BZOMV5J4PMZAORVT64BKLV6YIZAFDGX6/
+  - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QVM4UJ3376I6ZVOYMHBNX4GY3NIV52WV/
+  - https://security.gentoo.org/glsa/202107-05
+  - https://security.netapp.com/advisory/ntap-20210625-0002/
+  - https://security.netapp.com/advisory/ntap-20211022-0004/
+  - https://www.oracle.com/security-alerts/cpuapr2022.html
+  - https://www.oracle.com/security-alerts/cpujan2022.html
+  - https://www.oracle.com/security-alerts/cpuoct2021.html
+  - https://www.oracle.com/security-alerts/cpujul2022.html
+  - https://github.com/sparklemotion/nokogiri/issues/2233
+  - https://github.com/sparklemotion/nokogiri/issues/2274
+  - https://github.com/sparklemotion/nokogiri/blob/7c19ef5cc6b7c5c36827dd5495f857c6877ec8cf/CHANGELOG.md?plain=1#L579
+  - https://gitlab.gnome.org/GNOME/libxml2/-/commit/8598060bacada41a0eb09d95c97744ff4e428f8e
diff --git a/gems/rack/CVE-2023-27530.yml b/gems/rack/CVE-2023-27530.yml
@@ -1,6 +1,7 @@
 ---
 gem: rack
 cve: 2023-27530
+ghsa: 3h57-hmj3-gj3p
 url: https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
 title: Possible DoS Vulnerability in Multipart MIME parsing
 date: 2023-03-03
diff --git a/gems/rubygems-update/CVE-2017-0899.yml b/gems/rubygems-update/CVE-2017-0899.yml
@@ -2,6 +2,7 @@
 gem: rubygems-update
 library: rubygems
 cve: 2017-0899
+ghsa: 7gcp-2gmq-w3xh
 url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
 title: RubyGems ANSI escape sequence vulnerability
 date: 2017-08-29
@@ -10,7 +11,8 @@ description: |
   specifications that include terminal escape characters. Printing the gem
   specification would execute terminal escape sequences.
 cvss_v2: 7.5
+cvss_v3: 9.8
 patched_versions:
-- '>= 2.4.5.3'
-- '>= 2.5.2.1'
-- '>= 2.6.13'
+- ">= 2.4.5.3"
+- ">= 2.5.2.1"
+- ">= 2.6.13"
diff --git a/gems/rubygems-update/CVE-2017-0901.yml b/gems/rubygems-update/CVE-2017-0901.yml
@@ -2,6 +2,7 @@
 gem: rubygems-update
 library: rubygems
 cve: 2017-0901
+ghsa: pm9x-4392-2c2p
 url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
 title: RubyGems vulnerability in the gem installer that allowed a malicious gem to
   overwrite arbitrary files
@@ -11,7 +12,8 @@ description: |
   allowing a maliciously crafted gem to potentially overwrite any file on the
   filesystem.
 cvss_v2: 6.4
+cvss_v3: 7.5
 patched_versions:
-- '>= 2.4.5.3'
-- '>= 2.5.2.1'
-- '>= 2.6.13'
+- ">= 2.4.5.3"
+- ">= 2.5.2.1"
+- ">= 2.6.13"
diff --git a/gems/rubygems-update/CVE-2017-0902.yml b/gems/rubygems-update/CVE-2017-0902.yml
@@ -2,6 +2,7 @@
 gem: rubygems-update
 library: rubygems
 cve: 2017-0902
+ghsa: 73w7-6w9g-gc8w
 url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
 title: RubyGems DNS request hijacking vulnerability
 date: 2017-08-29
@@ -10,7 +11,8 @@ description: |
   vulnerability that allows a MITM attacker to force the RubyGems client to
   down load and install gems from a server that the attacker controls.
 cvss_v2: 6.8
+cvss_v3: 8.1
 patched_versions:
-- '>= 2.4.5.3'
-- '>= 2.5.2.1'
-- '>= 2.6.13'
+- ">= 2.4.5.3"
+- ">= 2.5.2.1"
+- ">= 2.6.13"
diff --git a/gems/rubygems-update/CVE-2017-0903.yml b/gems/rubygems-update/CVE-2017-0903.yml
@@ -2,6 +2,7 @@
 gem: rubygems-update
 library: rubygems
 cve: 2017-0903
+ghsa: mqwr-4qf2-2hcv
 url: https://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
 title: Unsafe Object Deserialization Vulnerability in RubyGems
 date: 2017-10-09
@@ -11,7 +12,8 @@ description: |
   white lists. Specially crafted serialized objects can possibly be used to
   escalate to remote code execution.
 cvss_v2: 7.5
+cvss_v3: 9.8
 unaffected_versions:
-- < 2.0.0
+- "< 2.0.0"
 patched_versions:
-- '>= 2.6.14'
+- ">= 2.6.14"
diff --git a/gems/rubygems-update/CVE-2018-1000073.yml b/gems/rubygems-update/CVE-2018-1000073.yml
@@ -0,0 +1,35 @@
+---
+gem: rubygems-update
+cve: 2018-1000073
+ghsa: gx69-6cp4-hxrj
+url: https://github.com/rubygems/rubygems/commit/1b931fc03b819b9a0214be3eaca844ef534175e2
+title: RubyGems Link Following vulnerability
+date: 2022-05-13
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
+  earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability
+  in `install_location` function of `package.rb` that can result in path traversal
+  when writing to a symlinked basedir outside of the root. This vulnerability appears
+  to have been fixed in 2.7.6.
+cvss_v3: 7.5
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
+  - https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
+  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=925986
diff --git a/gems/rubygems-update/CVE-2018-1000076.yml b/gems/rubygems-update/CVE-2018-1000076.yml
@@ -0,0 +1,39 @@
+---
+gem: rubygems-update
+cve: 2018-1000076
+ghsa: mc6j-h948-v2p6
+url: https://github.com/rubygems/rubygems/commit/f5042b879259b1f1ce95a0c5082622c646376693
+title: RubyGems Improper Verification of Cryptographic Signature vulnerability
+date: 2022-05-14
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, and Ruby 2.5 series: 2.5.0
+  and earlier, prior to trunk revision 62422 contain an Improper Verification of Cryptographic
+  Signature vulnerability in package.rb. This can result in a mis-signed gem being
+  installed, as the tarball would contain multiple gem signatures. This vulnerability
+  has been fixed in 2.7.6.
+cvss_v3: 9.8
+unaffected_versions:
+- "< 2.2.0"
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+  - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+  - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
diff --git a/gems/webrick/CVE-2020-25613.yml b/gems/webrick/CVE-2020-25613.yml
@@ -1,12 +1,14 @@
 ---
 gem: webrick
 cve: 2020-25613
+ghsa: gwfg-cqmg-cf8f
 url: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
 title: Potential HTTP Request Smuggling Vulnerability in WEBrick
 date: 2020-09-29
 description: |
   WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to
   inconsistent interpretation between WEBrick and some HTTP proxy servers, which may
   allow the attacker to "smuggle" a request. See CWE-444 in detail.
+cvss_v3: 7.5
 patched_versions:
-- '>= 1.6.1'
+- ">= 1.6.1"
