diff --git a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml deleted file mode 100644 index a5ba31b828..0000000000 --- a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -gem: camaleon_cms -ghsa: 3hp8-6j24-m5gm -url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 -title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) -date: 2024-09-23 -description: | - The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently. - - Arbitrary file deletion can be exploited with following code path: - The parameter folder flows from the actions method: - ```ruby - def actions - authorize! :manage, :media if params[:media_action] != 'crop_url' - params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? - case params[:media_action] - [..] - when 'del_file' - cama_uploader.delete_file(params[:folder].gsub('//', '/')) - render plain: '' - ``` - into the method delete_file of the CamaleonCmsLocalUploader - class (when files are uploaded locally): - ```ruby - def delete_file(key) - file = File.join(@root_folder, key) - FileUtils.rm(file) if File.exist? file - @instance.hooks_run('after_delete', key) - get_media_collection.find_by_key(key).take.destroy - end - ``` - Where it is joined in an unchecked manner with the root folder and - then deleted. 
- - ## Proof of concept - The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below) - ``` - curl --path-as-is -i -s -k -X $'POST' \ - -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ - -b $'auth_token=[..]; _cms_session=[..]' \ - --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. - 2F.. - 2F.. - 2FREADME.md&media_action=del_file' \ - $'https:///admin/media/actions?actions=true' - ``` - - ## Impact - - This issue may lead to a defective CMS or system. - - ## Remediation - - Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the - targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. - - ## See also: - - [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) - [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) -patched_versions: -- ">= 2.8.1" -related: - url: - - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 - - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml - - https://github.com/advisories/GHSA-3hp8-6j24-m5gm diff --git a/gems/ejson2env/CVE-2025-48069.yml b/gems/ejson2env/CVE-2025-48069.yml new file mode 100644 index 0000000000..059d8f6ce8 --- /dev/null +++ b/gems/ejson2env/CVE-2025-48069.yml 
@@ -0,0 +1,48 @@ +--- +gem: ejson2env +cve: 2025-48069 +ghsa: 2c47-m757-32g6 +url: https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6 +title: Insufficient input sanitization in ejson2env +date: 2025-05-21 +description: | + ### Summary + The `ejson2env` tool has a vulnerability related to how it writes to + `stdout`. Specifically, the tool is intended to write an export + statement for environment variables and their values. However, due + to inadequate output sanitization, there is a potential risk where + variable names or values may include malicious content, resulting + in additional unintended commands being output to `stdout`. If this + output is improperly utilized in further command execution, it could + lead to command injection vulnerabilities, allowing an attacker to + execute arbitrary commands on the host system. + + ### Details + The vulnerability exists because environment variables are not + properly sanitized during the decryption phase, which enables + malicious keys or encrypted values to inject commands. + + ### Impact + An attacker with control over `.ejson` files can inject commands + in the environment where `source $(ejson2env)` or `eval ejson2env` + are executed. + + ### Mitigation + - Update to a version of `ejson2env` that sanitizes the output + during decryption or + - Do not use `ejson2env` to decrypt untrusted user secrets or + - Do not evaluate or execute the direct output from `ejson2env` + without removing nonprintable characters. + + ### Credit + Thanks to security researcher [Demonia](https://hackerone.com/demonia?type=user) + for reporting this issue. +cvss_v3: 6.6 +patched_versions: + - ">= 2.0.8" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2025-48069 + - https://github.com/Shopify/ejson2env/security/advisories/GHSA-2c47-m757-32g6 + - https://github.com/Shopify/ejson2env/commit/592b3ceea967fee8b064e70983e8cec087b6d840 + - https://github.com/advisories/GHSA-2c47-m757-32g6 
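Review bot: in the ejson2env hunk, the list items under `patched_versions:` and `related: url:` are indented two spaces below their parent key (`  - ">= 2.0.8"`), while every other file in this patch puts list items flush with the key (`- ">= 2.8.1"`); both parse as the same YAML, but please match the repository's existing style. Two smaller points on the same file: the first `### Mitigation` bullet says to update to "a version of `ejson2env` that sanitizes the output" without naming it, although `patched_versions` already pins `>= 2.0.8`, so the prose and data could agree; and the description gives no severity of its own, so the `cvss_v3: 6.6` value should be checked against the linked GHSA-2c47-m757-32g6 before merge rather than carried over unverified.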
diff --git a/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml b/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml deleted file mode 100644 index 60899d26a9..0000000000 --- a/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml +++ /dev/null 
@@ -1,54 +0,0 @@ ---- -gem: nokogiri -ghsa: vcc3-rw6f-jv97 -url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j -title: Use-after-free in libxml2 via Nokogiri::XML::Reader -date: 2024-03-18 -description: | - ### Summary - - Nokogiri upgrades its dependency libxml2 as follows: - - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 - - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 - - libxml2 v2.11.7 and v2.12.5 address the following vulnerability: - - CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 - - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 - - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 - - Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if - the packaged libraries are being used. If you've overridden defaults at installation time to use - system libraries instead of packaged libraries, you should instead pay attention to your distro's - libxml2 release announcements. - - JRuby users are not affected. - - ### Severity - - The Nokogiri maintainers have evaluated this as **Moderate**. - - ### Impact - - From the CVE description, this issue applies to the `xmlTextReader` module (which underlies - `Nokogiri::XML::Reader`): - - > When using the XML Reader interface with DTD validation and XInclude expansion enabled, - > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. - - ### Mitigation - - Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. - - Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile - and link Nokogiri against patched external libxml2 libraries which will also address these same - issues. 
-cvss_v3: 7.5 -patched_versions: -- "~> 1.15.6" -- ">= 1.16.2" -related: - url: - - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j - - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml - - https://github.com/advisories/GHSA-vcc3-rw6f-jv97 diff --git a/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml b/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml deleted file mode 100644 index 15823f8d72..0000000000 --- a/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml +++ /dev/null 
@@ -1,31 +0,0 @@ ---- -gem: omniauth-saml -ghsa: hw46-3hmr-x9xv -url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv -title: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack - issue -date: 2025-03-12 -description: |- - ### Summary - There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. - - The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. - - Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. - - ### Impact - Signature Wrapping Vulnerabilities allows an attacker to impersonate a user. -cvss_v4: 9.3 -patched_versions: -- "~> 1.10.6" -- "~> 2.1.3" -- ">= 2.2.3" -related: - url: - - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv - - https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5 - - https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35 - - https://github.com/omniauth/omniauth-saml/commit/7a348b49083462a566af41a5ae85e9f3af15b985 - - https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16 - - https://rubygems.org/gems/omniauth-saml/versions/2.2.3 - - https://github.com/advisories/GHSA-hw46-3hmr-x9xv diff --git a/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml b/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml deleted file mode 100644 index b8759ef756..0000000000 --- a/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- -gem: user_agent_parser -ghsa: pcqq-5962-hvcw -url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw -title: Denial of Service in uap-core when processing crafted User-Agent strings -date: 2020-03-10 -description: |- - ### Impact - Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. - - ### Patches - Please update `uap-ruby` to >= v2.6.0 - - ### For more information - https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p - - Reported in `uap-core` by Ben Caller @bcaller -patched_versions: -- ">= 2.6.0" -related: - url: - - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw - - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a - - https://github.com/advisories/GHSA-pcqq-5962-hvcw