23 modified files from github_advisory_sync.rb script (#581)

jasnow · web-flow · commit d9f10b2ad943 · 2023-04-19T14:22:56.000-07:00
23 GHSA=&gt;RAD sync'ed files
diff --git a/gems/actionmailer/CVE-2013-4389.yml b/gems/actionmailer/CVE-2013-4389.yml
@@ -2,15 +2,17 @@
 gem: actionmailer
 cve: 2013-4389
 osvdb: 98629
+ghsa: rg5m-3fqp-6px8
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-4389
 title: 'CVE-2013-4389 rubygem-actionmailer: email address processing DoS'
 date: 2013-10-16
-description: Multiple format string vulnerabilities in log_subscriber.rb files in
+description: |
+  Multiple format string vulnerabilities in log_subscriber.rb files in
   the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15
   allow remote attackers to cause a denial of service via a crafted e-mail address
   that is improperly handled during construction of a log message.
 cvss_v2: 4.3
 unaffected_versions:
-- ~> 2.3.2
+- "~> 2.3.2"
 patched_versions:
-- '>= 3.2.15'
+- ">= 3.2.15"
diff --git a/gems/actionpack/CVE-2013-0156.yml b/gems/actionpack/CVE-2013-0156.yml
@@ -3,19 +3,21 @@ gem: actionpack
 framework: rails
 cve: 2013-0156
 osvdb: 89026
+ghsa: jmgw-6vjg-jjwg
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0156
 title: 'CVE-2013-0156 rubygem-activesupport: Multiple vulnerabilities in parameter
   parsing in ActionPack'
 date: 2013-01-08
-description: active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15,
+description: |
+  active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15,
   3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly
   restrict casts of string values, which allows remote attackers to conduct object-injection
   attacks and execute arbitrary code, or cause a denial of service (memory and CPU
   consumption) involving nested XML entity references, by leveraging Action Pack support
   for (1) YAML type conversion or (2) Symbol type conversion.
 cvss_v2: 10.0
 patched_versions:
-- ~> 2.3.15
-- ~> 3.0.19
-- ~> 3.1.10
-- '>= 3.2.11'
+- "~> 2.3.15"
+- "~> 3.0.19"
+- "~> 3.1.10"
+- ">= 3.2.11"
diff --git a/gems/actionpack/CVE-2013-1855.yml b/gems/actionpack/CVE-2013-1855.yml
@@ -3,10 +3,12 @@ gem: actionpack
 framework: rails
 cve: 2013-1855
 osvdb: 91452
+ghsa: q759-hwvc-m3jg
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-1855
 title: 'CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css'
 date: 2013-03-19
-description: The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+description: |
+  The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb
   in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before
   3.1.12, and 3.2.x before 3.2.13 does not properly handle \n (newline) characters,
   which makes it easier for remote attackers to conduct cross-site scripting (XSS)
@@ -15,6 +17,6 @@ description: The sanitize_css method in lib/action_controller/vendor/html-scanne
   XSS attacks against users of an application using Action Pack.
 cvss_v2: 4.3
 patched_versions:
-- ~> 2.3.18
-- ~> 3.1.12
-- '>= 3.2.13'
+- "~> 2.3.18"
+- "~> 3.1.12"
+- ">= 3.2.13"
diff --git a/gems/actionpack/CVE-2013-1857.yml b/gems/actionpack/CVE-2013-1857.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-1857
 osvdb: 91454
+ghsa: j838-vfpq-fmf2
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-1857
 title: 'CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in
   the  helper of Ruby on Rails'
@@ -17,6 +18,6 @@ description: 'The sanitize helper in lib/action_controller/vendor/html-scanner/h
   Pack.'
 cvss_v2: 4.3
 patched_versions:
-- ~> 2.3.18
-- ~> 3.1.12
-- '>= 3.2.13'
+- "~> 2.3.18"
+- "~> 3.1.12"
+- ">= 3.2.13"
diff --git a/gems/actionpack/CVE-2013-4491.yml b/gems/actionpack/CVE-2013-4491.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-4491
 osvdb: 100528
+ghsa: 699m-mcjm-9cw8
 url: https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998
 title: Reflective XSS Vulnerability in Ruby on Rails
 date: 2013-12-03
@@ -15,5 +16,5 @@ description: |
   been assigned the identifier CVE-2013-4492.
 cvss_v2: 4.3
 patched_versions:
-- ~> 3.2.16
-- '>= 4.0.2'
+- "~> 3.2.16"
+- ">= 4.0.2"
diff --git a/gems/actionpack/CVE-2013-6414.yml b/gems/actionpack/CVE-2013-6414.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-6414
 osvdb: 100525
+ghsa: mpxf-gcw2-pw5q
 url: https://groups.google.com/forum/#!topic/ruby-security-ann/A-ebV4WxzKg
 title: Denial of Service Vulnerability in Action View
 date: 2013-12-03
@@ -11,8 +12,7 @@ description: |
   Action View.
 cvss_v2: 5.0
 unaffected_versions:
-- ~> 2.3.0
-
+- "~> 2.3.0"
 patched_versions:
-- ~> 3.2.16
-- '>= 4.0.2'
+- "~> 3.2.16"
+- ">= 4.0.2"
diff --git a/gems/actionpack/CVE-2013-6415.yml b/gems/actionpack/CVE-2013-6415.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-6415
 osvdb: 100524
+ghsa: 6h5q-96hp-9jgm
 url: https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0
 title: XSS Vulnerability in number_to_currency
 date: 2013-12-03
@@ -13,5 +14,5 @@ description: |
   which pass user controlled data as the unit parameter are vulnerable to an XSS attack.
 cvss_v2: 4.3
 patched_versions:
-- ~> 3.2.16
-- '>= 4.0.2'
+- "~> 3.2.16"
+- ">= 4.0.2"
diff --git a/gems/actionpack/CVE-2013-6416.yml b/gems/actionpack/CVE-2013-6416.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-6416
 osvdb: 100526
+ghsa: w37c-q653-qg95
 url: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
 title: XSS Vulnerability in simple_format helper
 date: 2013-12-03
@@ -16,9 +17,8 @@ description: |
   attributes will be vulnerable to an XSS attack.
 cvss_v2: 4.3
 unaffected_versions:
-- ~> 2.3.0
-- ~> 3.1.0
-- ~> 3.2.0
-
+- "~> 2.3.0"
+- "~> 3.1.0"
+- "~> 3.2.0"
 patched_versions:
-- '>= 4.0.2'
+- ">= 4.0.2"
diff --git a/gems/actionpack/CVE-2013-6417.yml b/gems/actionpack/CVE-2013-6417.yml
@@ -3,6 +3,7 @@ gem: actionpack
 framework: rails
 cve: 2013-6417
 osvdb: 100527
+ghsa: wpw7-wxjm-cw8r
 url: https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4
 title: Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)
 date: 2013-12-03
@@ -17,5 +18,5 @@ description: |
   vulnerability.
 cvss_v2: 6.4
 patched_versions:
-- ~> 3.2.16
-- '>= 4.0.2'
+- "~> 3.2.16"
+- ">= 4.0.2"
diff --git a/gems/activerecord/CVE-2013-0155.yml b/gems/activerecord/CVE-2013-0155.yml
@@ -3,19 +3,21 @@ gem: activerecord
 framework: rails
 cve: 2013-0155
 osvdb: 89025
+ghsa: gppp-5xc5-wfpx
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0155
 title: 'CVE-2013-0155 rubygem-actionpack, rubygem-activerecord: Unsafe Query Generation
   Risk in Ruby on Rails'
 date: 2013-01-08
-description: Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
+description: |
+  Ruby on Rails 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before
   3.2.11 does not properly consider differences in parameter handling between the
   Active Record component and the JSON implementation, which allows remote attackers
   to bypass intended database-query restrictions and perform NULL checks or trigger
   missing WHERE clauses via a crafted request, as demonstrated by certain "[nil]"
   values, a related issue to CVE-2012-2660 and CVE-2012-2694.
 cvss_v2: 10.0
 patched_versions:
-- ~> 2.3.16
-- ~> 3.0.19
-- ~> 3.1.10
-- '>= 3.2.11'
+- "~> 2.3.16"
+- "~> 3.0.19"
+- "~> 3.1.10"
+- ">= 3.2.11"
diff --git a/gems/activerecord/CVE-2013-0276.yml b/gems/activerecord/CVE-2013-0276.yml
@@ -3,14 +3,16 @@ gem: activerecord
 framework: rails
 cve: 2013-0276
 osvdb: 90072
+ghsa: gr44-7grc-37vq
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0276
 title: 'CVE-2013-0276 rubygem-activerecord/rubygem-activemodel: circumvention of attr_protected'
 date: 2013-02-11
-description: ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and
+description: |
+  ActiveRecord in Ruby on Rails before 2.3.17, 3.1.x before 3.1.11, and
   3.2.x before 3.2.12 allows remote attackers to bypass the attr_protected protection
   mechanism and modify protected model attributes via a crafted request.
 cvss_v2: 5.0
 patched_versions:
-- ~> 2.3.17
-- ~> 3.1.11
-- '>= 3.2.12'
+- "~> 2.3.17"
+- "~> 3.1.11"
+- ">= 3.2.12"
diff --git a/gems/activerecord/CVE-2013-0277.yml b/gems/activerecord/CVE-2013-0277.yml
@@ -3,15 +3,17 @@ gem: activerecord
 framework: rails
 cve: 2013-0277
 osvdb: 90073
+ghsa: fhj9-cjjh-27vm
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0277
 title: 'CVE-2013-0277 rubygem-activerecord: Serialized Attributes YAML Vulnerability
   with Rails 2.3 and 3.0'
 date: 2013-02-11
-description: ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows
+description: |
+  ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows
   remote attackers to cause a denial of service or execute arbitrary code via crafted
   serialized attributes that cause the +serialize+ helper to deserialize arbitrary
   YAML.
 cvss_v2: 10.0
 patched_versions:
-- ~> 2.3.17
-- '>= 3.1.0'
+- "~> 2.3.17"
+- ">= 3.1.0"
diff --git a/gems/activerecord/CVE-2013-1854.yml b/gems/activerecord/CVE-2013-1854.yml
@@ -3,10 +3,12 @@ gem: activerecord
 framework: rails
 cve: 2013-1854
 osvdb: 91453
+ghsa: 3crr-9vmg-864v
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-1854
 title: 'CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability'
 date: 2013-03-19
-description: The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x
+description: |
+  The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3.1.x
   before 3.1.12, and 3.2.x before 3.2.13 processes certain queries by converting hash
   keys to symbols, which allows remote attackers to cause a denial of service via
   crafted input to a where method. A flaw was found in the way Ruby on Rails handled
@@ -15,8 +17,8 @@ description: The Active Record component in Ruby on Rails 2.3.x before 2.3.18, 3
   would result in the creation of Ruby symbols, which were never garbage collected.
 cvss_v2: 7.8
 unaffected_versions:
-- ~> 3.0.0
+- "~> 3.0.0"
 patched_versions:
-- ~> 2.3.18
-- ~> 3.1.12
-- '>= 3.2.13'
+- "~> 2.3.18"
+- "~> 3.1.12"
+- ">= 3.2.13"
diff --git a/gems/activesupport/CVE-2013-0333.yml b/gems/activesupport/CVE-2013-0333.yml
@@ -3,15 +3,17 @@ gem: activesupport
 framework: rails
 cve: 2013-0333
 osvdb: 89594
+ghsa: xgr2-v94m-rc9g
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0333
 title: 'CVE-2013-0333 rubygem-activesupport: json to yaml parsing'
 date: 2013-01-28
-description: lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before
+description: |
+  lib/active_support/json/backends/yaml.rb in Ruby on Rails 2.3.x before
   2.3.16 and 3.0.x before 3.0.20 does not properly convert JSON data to YAML data
   for processing by a YAML parser, which allows remote attackers to execute arbitrary
   code, conduct SQL injection attacks, or bypass authentication via crafted data that
   triggers unsafe decoding, a different vulnerability than CVE-2013-0156.
 cvss_v2: 9.3
 patched_versions:
-- ~> 2.3.16
-- '>= 3.0.20'
+- "~> 2.3.16"
+- ">= 3.0.20"
diff --git a/gems/activesupport/CVE-2013-1856.yml b/gems/activesupport/CVE-2013-1856.yml
@@ -4,6 +4,7 @@ framework: rails
 platform: jruby
 cve: 2013-1856
 osvdb: 91451
+ghsa: 9c2j-593q-3g82
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-1856
 title: XML Parsing Vulnerability affecting JRuby users
 date: 2013-03-19
@@ -18,8 +19,7 @@ description: |
   various denial of service attacks. Action Pack
 cvss_v2: 7.8
 unaffected_versions:
-- ~> 2.3.0
-
+- "~> 2.3.0"
 patched_versions:
-- ~> 3.1.12
-- '>= 3.2.13'
+- "~> 3.1.12"
+- ">= 3.2.13"
diff --git a/gems/aescrypt/CVE-2013-7463.yml b/gems/aescrypt/CVE-2013-7463.yml
@@ -1,10 +1,12 @@
 ---
 gem: aescrypt
 cve: 2013-7463
-date: 2013-10-01
+ghsa: 4c4w-3q45-hp9j
 url: https://github.com/Gurpartap/aescrypt/issues/4
 title: Vulnerability in aescrypt because IV is not randomized
+date: 2013-10-01
 description: |
   The aescrypt gem 1.0.0 for Ruby does not randomize the CBC IV for use with the
   AESCrypt.encrypt and AESCrypt.decrypt functions, which allows attackers to
   defeat cryptographic protection mechanisms via a chosen plaintext attack.
+cvss_v3: 7.5
diff --git a/gems/bio-basespace-sdk/CVE-2013-7111.yml b/gems/bio-basespace-sdk/CVE-2013-7111.yml
@@ -2,9 +2,11 @@
 gem: bio-basespace-sdk
 cve: 2013-7111
 osvdb: 101031
+ghsa: xwr3-fmgj-mmfr
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-7111
 title: Bio Basespace SDK Gem for Ruby Command Line API Key Disclosure
 date: 2013-12-14
-description: Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API
+description: |
+  Bio Basespace SDK Gem for Ruby contains a flaw that is due to the API
   client code passing the API_KEY to a curl command. This may allow a local attacker
   to gain access to API key information by monitoring the process table.
diff --git a/gems/bundler/CVE-2013-0334.yml b/gems/bundler/CVE-2013-0334.yml
@@ -2,11 +2,12 @@
 gem: bundler
 cve: 2013-0334
 osvdb: 110004
+ghsa: 49jx-9cmc-xjxm
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0334
-title: "CVE-2013-0334 rubygem-bundler: 'bundle install' may install a gem from a source\
-  \ other than expected"
+title: 'CVE-2013-0334 rubygem-bundler: ''bundle install'' may install a gem from a source other than expected'
 date: 2014-08-13
-description: Bundler before 1.7, when multiple top-level source lines are used, allows
+description: |
+  Bundler before 1.7, when multiple top-level source lines are used, allows
   remote attackers to install arbitrary gems by creating a gem with the same name
   as another gem in a different source. A flaw was found in the way Bundler handled
   gems available from multiple sources. An attacker with access to one of the sources
@@ -15,4 +16,4 @@ description: Bundler before 1.7, when multiple top-level source lines are used,
   malicious gem.
 cvss_v2: 5.0
 patched_versions:
-- '>= 1.7.0'
+- ">= 1.7.0"
diff --git a/gems/cocaine/CVE-2013-4457.yml b/gems/cocaine/CVE-2013-4457.yml
@@ -2,14 +2,16 @@
 gem: cocaine
 cve: 2013-4457
 osvdb: 98835
+ghsa: c43v-hrmg-56r4
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-4457
 title: Cocaine Gem for Ruby contains a flaw
 date: 2013-10-22
-description: Cocaine Gem for Ruby contains a flaw that is due to the method of variable
+description: |
+  Cocaine Gem for Ruby contains a flaw that is due to the method of variable
   interpolation used by the program. With a specially crafted object, a context-dependent
   attacker can execute arbitrary commands.
 cvss_v2: 6.8
 unaffected_versions:
-- < 0.4.0
+- "< 0.4.0"
 patched_versions:
-- '>= 0.5.3'
+- ">= 0.5.3"
diff --git a/gems/command_wrap/CVE-2013-1875.yml b/gems/command_wrap/CVE-2013-1875.yml
@@ -2,10 +2,12 @@
 gem: command_wrap
 cve: 2013-1875
 osvdb: 91450
+ghsa: p673-hjf2-pwfr
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-1875
 title: command_wrap Gem for Ruby URI Handling Arbitrary Command Injection
 date: 2013-03-18
-description: command_wrap Gem for Ruby contains a flaw that is triggered during the
+description: |
+  command_wrap Gem for Ruby contains a flaw that is triggered during the
   handling of input passed via the URL that contains a semicolon character (;). This
   will allow a remote attacker to inject arbitrary commands and have them executed
   in the context of the user clicking it.
diff --git a/gems/crack/CVE-2013-1800.yml b/gems/crack/CVE-2013-1800.yml
diff --git a/gems/cremefraiche/CVE-2013-2090.yml b/gems/cremefraiche/CVE-2013-2090.yml
diff --git a/gems/curl/CVE-2013-2617.yml b/gems/curl/CVE-2013-2617.yml
