Sync with GitHub Security Advisories

reedloden · reedloden · commit d7918cf06ce1 · 2023-03-14T19:38:03.000-07:00
* Add CVE-2018-1000074, CVE-2018-1000075, CVE-2018-1000077, CVE-2018-1000078, CVE-2018-1000079 for rubygems-update * Metadata updates for pdf_info/CVE-2022-36231, rubygems-update/CVE-2015-3900, rubygems-update/CVE-2017-0899, rubygems-update/CVE-2017-0900, rubygems-update/CVE-2017-0901, rubygems-update/CVE-2017-0902
diff --git a/gems/pdf_info/CVE-2022-36231.yml b/gems/pdf_info/CVE-2022-36231.yml
@@ -10,6 +10,7 @@ description: |
   a specially crafted payload may execute OS commands by using command chaining because
   during object initalization there is no validation performed and the user provided
   path is used.
+cvss_v3: 9.8
 related:
   url:
   - https://github.com/newspaperclub/pdf_info/issues/16
diff --git a/gems/rubygems-update/CVE-2015-3900.yml b/gems/rubygems-update/CVE-2015-3900.yml
@@ -3,6 +3,7 @@ gem: rubygems-update
 library: rubygems
 cve: 2015-3900
 osvdb: 122162
+ghsa: wp3j-rvfp-624h
 url: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2015-007/?fid=6356
 title: 'CVE-2015-3900 rubygems: DNS hijacking vulnerability in api_endpoint()'
 date: 2015-05-14
@@ -15,6 +16,6 @@ description: RubyGems 2.0.x before 2.0.16, 2.2.x before 2.2.4, and 2.4.x before
   domain.
 cvss_v2: 5.0
 patched_versions:
-- ~> 2.0.16
-- ~> 2.2.4
-- '>= 2.4.7'
+- "~> 2.0.16"
+- "~> 2.2.4"
+- ">= 2.4.7"
diff --git a/gems/rubygems-update/CVE-2017-0899.yml b/gems/rubygems-update/CVE-2017-0899.yml
@@ -3,7 +3,7 @@ gem: rubygems-update
 library: rubygems
 cve: 2017-0899
 ghsa: 7gcp-2gmq-w3xh
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html
 title: RubyGems ANSI escape sequence vulnerability
 date: 2017-08-29
 description: |
diff --git a/gems/rubygems-update/CVE-2017-0900.yml b/gems/rubygems-update/CVE-2017-0900.yml
@@ -2,15 +2,17 @@
 gem: rubygems-update
 library: rubygems
 cve: 2017-0900
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+ghsa: p7f2-rr42-m9xm
+url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html
 title: RubyGems DoS vulnerability in the query command
 date: 2017-08-29
 description: |
   RubyGems version 2.6.12 and earlier is vulnerable to maliciously crafted gem
   specifications to cause a denial of service attack against RubyGems clients
   who have issued a `query` command.
 cvss_v2: 5.0
+cvss_v3: 7.5
 patched_versions:
-- '>= 2.4.5.3'
-- '>= 2.5.2.1'
-- '>= 2.6.13'
+- ">= 2.4.5.3"
+- ">= 2.5.2.1"
+- ">= 2.6.13"
diff --git a/gems/rubygems-update/CVE-2017-0901.yml b/gems/rubygems-update/CVE-2017-0901.yml
@@ -3,9 +3,8 @@ gem: rubygems-update
 library: rubygems
 cve: 2017-0901
 ghsa: pm9x-4392-2c2p
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
-title: RubyGems vulnerability in the gem installer that allowed a malicious gem to
-  overwrite arbitrary files
+url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html
+title: RubyGems vulnerability in the gem installer that allowed a malicious gem to overwrite arbitrary files
 date: 2017-08-29
 description: |
   RubyGems version 2.6.12 and earlier fails to validate specification names,
diff --git a/gems/rubygems-update/CVE-2017-0902.yml b/gems/rubygems-update/CVE-2017-0902.yml
@@ -3,7 +3,7 @@ gem: rubygems-update
 library: rubygems
 cve: 2017-0902
 ghsa: 73w7-6w9g-gc8w
-url: http://blog.rubygems.org/2017/08/27/2.6.13-released.html
+url: https://blog.rubygems.org/2017/08/27/2.6.13-released.html
 title: RubyGems DNS request hijacking vulnerability
 date: 2017-08-29
 description: |
diff --git a/gems/rubygems-update/CVE-2018-1000074.yml b/gems/rubygems-update/CVE-2018-1000074.yml
@@ -0,0 +1,38 @@
+---
+gem: rubygems-update
+cve: 2018-1000074
+ghsa: qj2w-mw2r-pv39
+url: https://github.com/rubygems/rubygems/commit/254e3d0ee873c008c0b74e8b8abcbdab4caa0a6d
+title: RubyGems Deserialization of Untrusted Data vulnerability
+date: 2022-05-14
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
+  earlier, prior to trunk revision 62422 contains a Deserialization of Untrusted Data
+  vulnerability in owner command that can result in code execution. This attack requires
+  the victim to run the `gem owner` command on a gem with a specially crafted YAML
+  file. This vulnerability is fixed in 2.7.6.
+cvss_v3: 7.8
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00017.html
+  - https://lists.debian.org/debian-lts-announce/2018/08/msg00028.html
+  - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://usn.ubuntu.com/3621-2/
+  - https://usn.ubuntu.com/3685-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
+  - https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
diff --git a/gems/rubygems-update/CVE-2018-1000075.yml b/gems/rubygems-update/CVE-2018-1000075.yml
@@ -0,0 +1,38 @@
+---
+gem: rubygems-update
+cve: 2018-1000075
+ghsa: 74pv-v9gh-h25p
+url: https://github.com/rubygems/rubygems/commit/92e98bf8f810bd812f919120d4832df51bc25d83
+title: RubyGems Infinite Loop vulnerability
+date: 2022-05-13
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
+  earlier, prior to trunk revision 62422 contains a infinite loop caused by negative
+  size vulnerability in ruby gem package tar header that can result in a negative
+  size could cause an infinite loop.. This vulnerability appears to have been fixed
+  in 2.7.6.
+cvss_v3: 7.5
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+  - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+  - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
+  - https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
diff --git a/gems/rubygems-update/CVE-2018-1000077.yml b/gems/rubygems-update/CVE-2018-1000077.yml
@@ -0,0 +1,37 @@
+---
+gem: rubygems-update
+cve: 2018-1000077
+ghsa: gv86-43rv-79m2
+url: https://github.com/rubygems/rubygems/commit/feadefc2d351dcb95d6492f5ad17ebca546eb964
+title: RubyGems Improper Input Validation vulnerability
+date: 2022-05-14
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
+  earlier, prior to trunk revision 62422 contains a Improper Input Validation vulnerability
+  in ruby gems specification homepage attribute that can result in a malicious gem
+  setting an invalid homepage URL. This vulnerability is fixed in 2.7.6.
+cvss_v3: 5.3
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+  - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+  - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
+  - https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
diff --git a/gems/rubygems-update/CVE-2018-1000078.yml b/gems/rubygems-update/CVE-2018-1000078.yml
@@ -0,0 +1,38 @@
+---
+gem: rubygems-update
+cve: 2018-1000078
+ghsa: 87qx-g5wg-mwmj
+url: https://github.com/rubygems/rubygems/commit/66a28b9275551384fdab45f3591a82d6b59952cb
+title: RubyGems Cross-site Scripting vulnerability
+date: 2022-05-14
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
+  earlier, prior to trunk revision 62422 contains a Cross Site Scripting (XSS) vulnerability
+  in gem server display of homepage attribute that can result in XSS. This attack
+  requires the victim to browse to a malicious gem on a vulnerable gem server. This
+  vulnerability is fixed in 2.7.6.
+cvss_v3: 6.1
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00000.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00001.html
+  - https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
+  - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+  - https://lists.debian.org/debian-lts-announce/2019/05/msg00028.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
+  - https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
diff --git a/gems/rubygems-update/CVE-2018-1000079.yml b/gems/rubygems-update/CVE-2018-1000079.yml
@@ -0,0 +1,37 @@
+---
+gem: rubygems-update
+cve: 2018-1000079
+ghsa: 8qxg-mff5-j3wc
+url: https://github.com/rubygems/rubygems/commit/666ef793cad42eed96f7aee1cdf77865db921099
+title: RubyGems Path Traversal vulnerability
+date: 2022-05-14
+description: |
+  RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series:
+  2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and
+  earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability
+  in gem installation that can result in the gem writing to arbitrary filesystem locations
+  during installation. This attack appears to be exploitable via installation of a
+  malicious gem. This vulnerability is fixed in 2.7.6.
+cvss_v3: 5.5
+patched_versions:
+- ">= 2.7.6"
+related:
+  url:
+  - https://github.com/rubygems/rubygems/commit/f83f911e19e27cbac1ccce7471d96642241dd759
+  - https://access.redhat.com/errata/RHSA-2018:3729
+  - https://access.redhat.com/errata/RHSA-2018:3730
+  - https://access.redhat.com/errata/RHSA-2018:3731
+  - https://access.redhat.com/errata/RHSA-2019:2028
+  - https://access.redhat.com/errata/RHSA-2020:0542
+  - https://access.redhat.com/errata/RHSA-2020:0591
+  - https://access.redhat.com/errata/RHSA-2020:0663
+  - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+  - https://usn.ubuntu.com/3621-1/
+  - https://www.debian.org/security/2018/dsa-4219
+  - https://www.debian.org/security/2018/dsa-4259
+  - http://blog.rubygems.org/2018/02/15/2.7.6-released.html
+  - http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
+  - https://github.com/jruby/jruby/commit/0b06b48ab4432237ce5fc1bef47f2c6bcf7843f7
+  - https://github.com/rubygems/rubygems/commit/5971b486d4dbb2bad5d3445b3801c456eb0ce183
+  - https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=895778
+  - https://security-tracker.debian.org/tracker/CVE-2018-1000079
