Add CVE-2019-16676 for Simple Form (#417)

tegon · reedloden · commit 20dca5f9af5c · 2019-09-29T23:59:55.000-07:00
diff --git a/gems/simple_form/CVE-2019-16676.yml b/gems/simple_form/CVE-2019-16676.yml
@@ -0,0 +1,15 @@
+---
+gem: simple_form
+cve: 2019-16676
+ghsa: r74q-gxcg-73hx
+url: https://github.com/plataformatec/simple_form/security/advisories/GHSA-r74q-gxcg-73hx
+title: simple_form Gem for Ruby Incorrect Access Control for forms based on user input
+date: 2019-09-27
+description: |
+  Simple Form before 5.0 has Incorrect Access Control in `file_method?` in `lib/simple_form/form_builder.rb`,
+  because a user-supplied string is invoked as a method call.
+  
+  This only happens for pages that build forms based on user input.
+
+patched_versions:
+  - ">= 5.0"
