GHSA SYNC: new advisories (#873)

---------

Co-authored-by: Postmodern <postmodern.mod3@gmail.com>

Author: rakvium

gems/alchemy_cms/CVE-2018-18307.yml

@@ -0,0 +1,22 @@
+---
+gem: alchemy_cms
+cve: 2018-18307
+ghsa: 7mj4-2984-955f
+url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307
+title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
+date: 2022-05-14
+description: |
+  A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS
+  via the /admin/pictures image filename field.
+cvss_v3: 5.9
+unaffected_versions:
+- "< 4.1.0"
+notes: Never patched
+related:
+  url:
+  - https://nvd.nist.gov/vuln/detail/CVE-2018-18307
+  - http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
+  - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
+  - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
+  - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
+  - https://github.com/advisories/GHSA-7mj4-2984-955f

gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml

@@ -0,0 +1,67 @@
+---
+gem: camaleon_cms
+ghsa: 3hp8-6j24-m5gm
+url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+date: 2024-09-23
+description: |
+  The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
+
+  Arbitrary file deletion can be exploited with following code path:
+  The parameter folder flows from the actions method:
+  ```ruby
+    def actions
+      authorize! :manage, :media if params[:media_action] != 'crop_url'
+      params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+      case params[:media_action]
+      [..]
+      when 'del_file'
+        cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+        render plain: ''
+  ```
+  into the method delete_file of the CamaleonCmsLocalUploader
+  class (when files are uploaded locally):
+  ```ruby
+  def delete_file(key)
+    file = File.join(@root_folder, key)
+    FileUtils.rm(file) if File.exist? file
+    @instance.hooks_run('after_delete', key)
+    get_media_collection.find_by_key(key).take.destroy
+  end
+  ```
+  Where it is joined in an unchecked manner with the root folder and
+  then deleted.
+
+  ## Proof of concept
+  The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
+  ```
+  curl --path-as-is -i -s -k -X $'POST' \
+      -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+      -b $'auth_token=[..]; _cms_session=[..]' \
+      --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+  2F..
+  2F..
+  2FREADME.md&media_action=del_file' \
+      $'https://<camaleon-host>/admin/media/actions?actions=true'
+  ```
+
+  ## Impact
+
+  This issue may lead to a defective CMS or system.
+
+  ## Remediation
+
+  Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the
+  targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
+
+  ## See also:
+
+  [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+  [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+patched_versions:
+- ">= 2.8.1"
+related:
+  url:
+  - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml
+  - https://github.com/advisories/GHSA-3hp8-6j24-m5gm

gems/fluentd-ui/CVE-2020-21514.yml

@@ -0,0 +1,18 @@
+---
+gem: fluentd-ui
+cve: 2020-21514
+ghsa: wrxf-x8rm-6ggg
+url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg
+title: Fluent Fluentd and Fluent-ui use default password
+date: 2023-04-04
+description: |
+  An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+  that allows attackers to gain escilated privileges and execute arbitrary code due
+  to use of a default password.
+cvss_v3: 8.8
+notes: Never patched
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+    - https://github.com/fluent/fluentd/issues/2722
+    - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg

gems/fluentd/CVE-2020-21514.yml

@@ -0,0 +1,18 @@
+---
+gem: fluentd
+cve: 2020-21514
+ghsa: wrxf-x8rm-6ggg
+url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg
+title: Fluent Fluentd and Fluent-ui use default password
+date: 2023-04-04
+description: |
+  An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+  that allows attackers to gain escilated privileges and execute arbitrary code due
+  to use of a default password.
+cvss_v3: 8.8
+notes: Never patched
+related:
+  url:
+  - https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+  - https://github.com/fluent/fluentd/issues/2722
+  - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg

gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml

@@ -0,0 +1,54 @@
+---
+gem: nokogiri
+ghsa: vcc3-rw6f-jv97
+url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+title: Use-after-free in libxml2 via Nokogiri::XML::Reader
+date: 2024-03-18
+description: |
+  ### Summary
+
+  Nokogiri upgrades its dependency libxml2 as follows:
+  - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6
+  - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4
+
+  libxml2 v2.11.7 and v2.12.5 address the following vulnerability:
+
+  CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062
+  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
+  - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
+
+  Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
+  the packaged libraries are being used. If you've overridden defaults at installation time to use
+  system libraries instead of packaged libraries, you should instead pay attention to your distro's
+  libxml2 release announcements.
+
+  JRuby users are not affected.
+
+  ### Severity
+
+  The Nokogiri maintainers have evaluated this as **Moderate**.
+
+  ### Impact
+
+  From the CVE description, this issue applies to the `xmlTextReader` module (which underlies
+  `Nokogiri::XML::Reader`):
+
+  > When using the XML Reader interface with DTD validation and XInclude expansion enabled,
+  > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
+
+  ### Mitigation
+
+  Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`.
+
+  Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
+  and link Nokogiri against patched external libxml2 libraries which will also address these same
+  issues.
+cvss_v3: 7.5
+patched_versions:
+- "~> 1.15.6"
+- ">= 1.16.2"
+related:
+  url:
+  - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
+  - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
+  - https://github.com/advisories/GHSA-vcc3-rw6f-jv97

gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml

@@ -0,0 +1,31 @@
+---
+gem: omniauth-saml
+ghsa: hw46-3hmr-x9xv
+url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
+title: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack
+  issue
+date: 2025-03-12
+description: |-
+  ### Summary
+  There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.
+
+  The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.
+
+  Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.
+
+  ### Impact
+  Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.
+cvss_v4: 9.3
+patched_versions:
+- "~> 1.10.6"
+- "~> 2.1.3"
+- ">= 2.2.3"
+related:
+  url:
+  - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
+  - https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5
+  - https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35
+  - https://github.com/omniauth/omniauth-saml/commit/7a348b49083462a566af41a5ae85e9f3af15b985
+  - https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16
+  - https://rubygems.org/gems/omniauth-saml/versions/2.2.3
+  - https://github.com/advisories/GHSA-hw46-3hmr-x9xv

gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml

@@ -0,0 +1,24 @@
+---
+gem: user_agent_parser
+ghsa: pcqq-5962-hvcw
+url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+title: Denial of Service in uap-core when processing crafted User-Agent strings
+date: 2020-03-10
+description: |-
+  ### Impact
+  Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
+
+  ### Patches
+  Please update `uap-ruby` to >= v2.6.0
+
+  ### For more information
+  https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
+
+  Reported in `uap-core` by Ben Caller @bcaller
+patched_versions:
+- ">= 2.6.0"
+related:
+  url:
+  - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+  - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a
+  - https://github.com/advisories/GHSA-pcqq-5962-hvcw

gems/webrick/CVE-2009-4492.yml

@@ -0,0 +1,29 @@
+---
+gem: webrick
+cve: 2009-4492
+ghsa: 6mq2-37j5-w6r6
+url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6
+title: WEBrick Improper Input Validation vulnerability
+date: 2017-10-24
+description: |
+  WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel
+  248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file
+  without sanitizing non-printable characters, which might allow remote attackers
+  to modify a window's title, or possibly execute arbitrary commands or overwrite
+  files, via an HTTP request containing an escape sequence for a terminal emulator.
+cvss_v2: 7.5
+patched_versions:
+- ">= 1.4.0"
+related:
+  url:
+  - https://nvd.nist.gov/vuln/detail/CVE-2009-4492
+  - https://github.com/advisories/GHSA-6mq2-37j5-w6r6
+  - http://www.redhat.com/support/errata/RHSA-2011-0908.html
+  - http://www.redhat.com/support/errata/RHSA-2011-0909.html
+  - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection
+  - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
+  - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089
+  - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949
+  - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429
+  - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded
+  - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710