From 659b10a8f69fc7361dccadb497c6ec1efcace567 Mon Sep 17 00:00:00 2001 
From: Viktor Rak Date: Tue, 20 May 2025 14:23:43 +0300 Subject: [PATCH 1/6] GHSA SYNC: new advisories - gems/Autolab/CVE-2024-49376.yml - gems/alchemy_cms/CVE-2018-18307.yml - gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml - gems/fluentd-ui/CVE-2020-21514.yml - gems/fluentd/CVE-2020-21514.yml - gems/nokogiri/GHSA-fq42-c5rg-92c2.yml - gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml - gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml - gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml - gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml - gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml - gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml - gems/rails/CVE-2024-26143.yml - gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml - gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml - gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml - gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml - gems/webrick/CVE-2009-4492.yml --- gems/Autolab/CVE-2024-49376.yml | 34 ++++++++++ gems/alchemy_cms/CVE-2018-18307.yml | 22 ++++++ gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml | 67 +++++++++++++++++++ gems/fluentd-ui/CVE-2020-21514.yml | 18 +++++ gems/fluentd/CVE-2020-21514.yml | 18 +++++ gems/nokogiri/GHSA-fq42-c5rg-92c2.yml | 64 ++++++++++++++++++ gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml | 41 ++++++++++++ gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml | 30 +++++++++ gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml | 54 +++++++++++++++ gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml | 37 ++++++++++ gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 23 +++++++ gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml | 31 +++++++++ gems/rails/CVE-2024-26143.yml | 46 +++++++++++++ .../spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml | 35 ++++++++++ .../spree_auth_devise/GHSA-8xfw-5q82-3652.yml | 33 +++++++++ .../spree_auth_devise/GHSA-gpqc-4pp7-5954.yml | 33 +++++++++ .../user_agent_parser/GHSA-pcqq-5962-hvcw.yml | 24 +++++++ gems/webrick/CVE-2009-4492.yml | 29 ++++++++ 18 files changed, 639 insertions(+) create mode 100644 gems/Autolab/CVE-2024-49376.yml create mode 100644 gems/alchemy_cms/CVE-2018-18307.yml create mode 100644 
gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml create mode 100644 gems/fluentd-ui/CVE-2020-21514.yml create mode 100644 gems/fluentd/CVE-2020-21514.yml create mode 100644 gems/nokogiri/GHSA-fq42-c5rg-92c2.yml create mode 100644 gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml create mode 100644 gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml create mode 100644 gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml create mode 100644 gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml create mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml create mode 100644 gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml create mode 100644 gems/rails/CVE-2024-26143.yml create mode 100644 gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml create mode 100644 gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml create mode 100644 gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml create mode 100644 gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml create mode 100644 gems/webrick/CVE-2009-4492.yml diff --git a/gems/Autolab/CVE-2024-49376.yml b/gems/Autolab/CVE-2024-49376.yml new file mode 100644 index 0000000000..98c77671e4 --- /dev/null +++ b/gems/Autolab/CVE-2024-49376.yml 
@@ -0,0 +1,34 @@ +--- +gem: Autolab +cve: 2024-49376 +ghsa: v46j-h43h-rwrm +url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm +title: Autolab Misconfigured Reset Password Permissions +date: 2024-10-25 +description: | + ### Impact + For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords. + + ### Patches + This is fixed in v3.0.1. + + ### Workarounds + No workarounds. + + ### For more information + If you have any questions or comments about this advisory: + + Open an issue in https://github.com/autolab/Autolab/ + Email us at [autolab-dev@andrew.cmu.edu](mailto:autolab-dev@andrew.cmu.edu) +cvss_v3: 8.8 +cvss_v4: 7.1 +unaffected_versions: +- "< 3.0.0" +patched_versions: +- ">= 3.0.1" +related: + url: + - https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm + - https://nvd.nist.gov/vuln/detail/CVE-2024-49376 + - https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b + - https://github.com/advisories/GHSA-v46j-h43h-rwrm diff --git a/gems/alchemy_cms/CVE-2018-18307.yml b/gems/alchemy_cms/CVE-2018-18307.yml new file mode 100644 index 0000000000..fbf63653d9 --- /dev/null +++ b/gems/alchemy_cms/CVE-2018-18307.yml 
@@ -0,0 +1,22 @@ +--- +gem: alchemy_cms +cve: 2018-18307 +ghsa: 7mj4-2984-955f +url: http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html +title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field +date: 2022-05-14 +description: | + A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS + via the /admin/pictures image filename field. +cvss_v3: 5.9 +unaffected_versions: +- "< 4.1.0" +notes: Never patched +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-18307 + - http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html + - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15 + - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5 + - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21 + - https://github.com/advisories/GHSA-7mj4-2984-955f diff --git a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml new file mode 100644 index 0000000000..6460a2861b --- /dev/null +++ b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml 
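Review bot: The affected range in this file is open-ended: `unaffected_versions: - "< 4.1.0"` with no `patched_versions` and `notes: Never patched` marks every alchemy_cms release from 4.1.0 onward, including current ones, as vulnerable. The only evidence cited is a 2018 Packet Storm post against 4.1.0 (the three source links all point at the 4.1-stable branch), so before merging an entry that will never age out, check whether the /admin/pictures filename is still rendered unescaped in maintained releases; if it was fixed without an advisory, add the corresponding `patched_versions`. Minor: the `url:` value uses plain `http://`; the same Packet Storm page is served over HTTPS.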
@@ -0,0 +1,67 @@ +--- +gem: camaleon_cms +ghsa: 3hp8-6j24-m5gm +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 +title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) +date: 2024-09-23 +description: | + The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently. + + Arbitrary file deletion can be exploited with following code path: + The parameter folder flows from the actions method: + ```ruby + def actions + authorize! :manage, :media if params[:media_action] != 'crop_url' + params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? + case params[:media_action] + [..] + when 'del_file' + cama_uploader.delete_file(params[:folder].gsub('//', '/')) + render plain: '' + ``` + into the method delete_file of the CamaleonCmsLocalUploader + class (when files are uploaded locally): + ```ruby + def delete_file(key) + file = File.join(@root_folder, key) + FileUtils.rm(file) if File.exist? file + @instance.hooks_run('after_delete', key) + get_media_collection.find_by_key(key).take.destroy + end + ``` + Where it is joined in an unchecked manner with the root folder and + then deleted. 
+ + **Proof of concept** + The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below) + ``` + curl --path-as-is -i -s -k -X $'POST' \ + -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ + -b $'auth_token=[..]; _cms_session=[..]' \ + --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. + 2F.. + 2F.. + 2FREADME.md&media_action=del_file' \ + $'https:///admin/media/actions?actions=true' + ``` + + **Impact** + + This issue may lead to a defective CMS or system. + + **Remediation** + + Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the + targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. + + **See also:** + + [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) + [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) +patched_versions: +- ">= 2.8.1" +related: + url: + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml + - https://github.com/advisories/GHSA-3hp8-6j24-m5gm diff --git a/gems/fluentd-ui/CVE-2020-21514.yml b/gems/fluentd-ui/CVE-2020-21514.yml new file mode 100644 index 0000000000..77b385257a --- /dev/null +++ b/gems/fluentd-ui/CVE-2020-21514.yml 
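Review bot: This file appears to duplicate an advisory the database already carries: `url:` points at GHSA-7x4w-cj9r-h4v9 and `related.url` lists `gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml` in this same repository, so GHSA-3hp8-6j24-m5gm is presumably GitHub's alias for that repository advisory and scanners would report the same path-traversal issue twice. The same pattern shows up in nokogiri GHSA-vcc3-rw6f-jv97 (its `url:` and `related` name GHSA-xc9x-jj77-9p9j), rails CVE-2024-26143 (`related` names the existing `gems/actionpack/CVE-2024-26143.yml`) and both spree_auth_devise entries (`related` names the existing `CVE-2021-41275.yml`). Unless the sync tooling needs one file per GHSA id for lookup, drop these files, or at minimum record the relation, e.g. `notes: Duplicate of GHSA-7x4w-cj9r-h4v9, kept for id lookup`. This entry also has no `cvss_v3`/`cvss_v4` value while the other new files do; if the upstream advisory publishes a score, it should be carried here.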
@@ -0,0 +1,18 @@ +--- +gem: fluentd-ui +cve: 2020-21514 +ghsa: wrxf-x8rm-6ggg +url: https://github.com/fluent/fluentd/issues/2722 +title: Fluent Fluentd and Fluent-ui use default password +date: 2023-04-04 +description: | + An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 + that allows attackers to gain escilated privileges and execute arbitrary code due + to use of a default password. +cvss_v3: 8.8 +notes: Never patched +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2020-21514 + - https://github.com/fluent/fluentd/issues/2722 + - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg diff --git a/gems/fluentd/CVE-2020-21514.yml b/gems/fluentd/CVE-2020-21514.yml new file mode 100644 index 0000000000..f3d6bfec92 --- /dev/null +++ b/gems/fluentd/CVE-2020-21514.yml @@ -0,0 +1,18 @@ +--- +gem: fluentd +cve: 2020-21514 +ghsa: wrxf-x8rm-6ggg +url: https://github.com/fluent/fluentd/issues/2722 +title: Fluent Fluentd and Fluent-ui use default password +date: 2023-04-04 +description: | + An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 + that allows attackers to gain escilated privileges and execute arbitrary code due + to use of a default password. +cvss_v3: 8.8 +notes: Never patched +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2020-21514 + - https://github.com/fluent/fluentd/issues/2722 + - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg diff --git a/gems/nokogiri/GHSA-fq42-c5rg-92c2.yml b/gems/nokogiri/GHSA-fq42-c5rg-92c2.yml new file mode 100644 index 0000000000..312f8ebd18 --- /dev/null +++ b/gems/nokogiri/GHSA-fq42-c5rg-92c2.yml 
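Review bot: The second hunk on this line, `gems/fluentd/CVE-2020-21514.yml`, attributes a default-password issue to the core `fluentd` gem, yet the referenced issue #2722 and the description ("use of a default password") concern the fluentd-ui web console; as far as I know fluentd itself has no login, so this entry would flag every fluentd release for good on what looks like a CPE-level misattribution — confirm against the issue before adding it, or record the dispute in `notes:`. Both entries also carry neither `patched_versions` nor `unaffected_versions`, so the fluentd-ui file flags all of its releases too; if the default credential was removed or changed in a later fluentd-ui release, add `patched_versions` for it. The description's `escilated` is a typo for `escalated` that was copied from the NVD text.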
@@ -0,0 +1,64 @@ +--- +gem: nokogiri +ghsa: fq42-c5rg-92c2 +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2 +title: Vulnerable dependencies in Nokogiri +date: 2022-02-25 +description: | + ### Summary + + Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: + + - vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) + - vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) + + Those library versions address the following upstream CVEs: + + - libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) + - libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) + + Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. + + Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements. + + + ### Mitigation + + Upgrade to Nokogiri `>= 1.13.2`. + + Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 `>= 2.9.13` and libxslt `>= 1.1.35`, which will also address these same CVEs. 
+ + + ### Impact + + #### libxslt [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) + + - CVSS3 score: 8.8 (High) + - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c + + All versions of libxslt prior to v1.1.35 are affected. + + Applications using **untrusted** XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. + + + #### libxml2 [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) + + - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. + - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 + - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html + + The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an **untrusted** document with parse options `DTDVALID` set to true, and `NOENT` set to false. + + An analysis of these parse options: + + - While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. + - `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. + + It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing **untrusted** documents is vulnerable and should be upgraded immediately. +cvss_v3: 8.8 +patched_versions: +- ">= 1.13.2" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2 + - https://github.com/advisories/GHSA-fq42-c5rg-92c2 
diff --git a/gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml b/gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml new file mode 100644 index 0000000000..787ceccadf --- /dev/null +++ b/gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml 
@@ -0,0 +1,41 @@ +--- +gem: nokogiri +ghsa: gx8x-g87m-h5q6 +url: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv +title: Denial of Service (DoS) in Nokogiri on JRuby +date: 2022-04-11 +description: | + ## Summary + + Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity). + + See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information. + + Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. + + + ## Mitigation + + Upgrade to Nokogiri `>= 1.13.4`. + + + ## Impact + + ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml + + - **Severity**: High 7.5 + - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption + - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. + - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) +cvss_v3: 7.5 +patched_versions: +- ">= 1.13.4" +related: + url: + - https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6 + - https://nvd.nist.gov/vuln/detail/CVE-2022-24839 + - https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d + - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 + - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer + - https://github.com/advisories/GHSA-gx8x-g87m-h5q6 
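Review bot: `url:` points at the nekohtml advisory GHSA-9849-p7jc-9rmv rather than the gem's own advisory; the nokogiri advisory GHSA-gx8x-g87m-h5q6 appears only under `related.url`. Since `url:` is the link users are sent to for the fix, swap them: `url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6` and keep the nekohtml link in `related`. omniauth-saml GHSA-cvp8-5r8g-fhvq has the same inversion, pointing at ruby-saml's GHSA-jw9c-mfg7-9rx2 while its own advisory sits in `related`.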
diff --git a/gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml b/gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml new file mode 100644 index 0000000000..d0d23e19ad --- /dev/null +++ b/gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml 
@@ -0,0 +1,30 @@ +--- +gem: nokogiri +ghsa: v6gp-9mmm-c6p5 +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 +title: Out-of-bounds Write in zlib affects Nokogiri +date: 2022-04-11 +description: "## Summary\n\nNokogiri v1.13.4 updates the vendored zlib from 1.2.11 + to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). + That CVE is scored as CVSS 7.4 \"High\" on the NVD record as of 2022-04-05.\n\nPlease + note that this advisory only applies to the CRuby implementation of Nokogiri `< + 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this + document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) + for a complete description of which platform gems vendor `zlib`. If you've overridden + defaults at installation time to use system libraries instead of packaged libraries, + you should instead pay attention to your distro's `zlib` release announcements. + \n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) + in zlib\n\n- **Severity**: High\n- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) + Out of bounds write\n- **Description**: zlib before 1.2.12 allows memory corruption + when deflating (i.e., when compressing) if the input has many distant matches.\n\n" +cvss_v3: 7.5 +patched_versions: +- ">= 1.13.4" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 + - https://nvd.nist.gov/vuln/detail/CVE-2018-25032 + - https://github.com/advisories/GHSA-jc36-42cf-vqwj + - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 + - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer + - https://github.com/advisories/GHSA-v6gp-9mmm-c6p5 
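Review bot: `cvss_v3: 7.5` disagrees with the description a few lines above it, which says CVE-2018-25032 "is scored as CVSS 7.4 "High" on the NVD record"; check which score the sync copied (the NVD score for the zlib CVE or a GHSA score for the nokogiri advisory) and make the field and the text agree. Style: this description is a double-quoted scalar with `\n` escapes and folded continuation lines, which is hard to read and to diff; the sibling nokogiri entries use `description: |` and this one should too. The same double-quoted form is used in omniauth-saml GHSA-cvp8-5r8g-fhvq, rails CVE-2024-26143 and both spree_auth_devise files.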
diff --git a/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml b/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml new file mode 100644 index 0000000000..60899d26a9 --- /dev/null +++ b/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml 
@@ -0,0 +1,54 @@ +--- +gem: nokogiri +ghsa: vcc3-rw6f-jv97 +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j +title: Use-after-free in libxml2 via Nokogiri::XML::Reader +date: 2024-03-18 +description: | + ### Summary + + Nokogiri upgrades its dependency libxml2 as follows: + - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 + - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 + + libxml2 v2.11.7 and v2.12.5 address the following vulnerability: + + CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 + - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 + - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 + + Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if + the packaged libraries are being used. If you've overridden defaults at installation time to use + system libraries instead of packaged libraries, you should instead pay attention to your distro's + libxml2 release announcements. + + JRuby users are not affected. + + ### Severity + + The Nokogiri maintainers have evaluated this as **Moderate**. + + ### Impact + + From the CVE description, this issue applies to the `xmlTextReader` module (which underlies + `Nokogiri::XML::Reader`): + + > When using the XML Reader interface with DTD validation and XInclude expansion enabled, + > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. + + ### Mitigation + + Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. + + Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile + and link Nokogiri against patched external libxml2 libraries which will also address these same + issues. 
+cvss_v3: 7.5 +patched_versions: +- "~> 1.15.6" +- ">= 1.16.2" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml + - https://github.com/advisories/GHSA-vcc3-rw6f-jv97 diff --git a/gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml b/gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml new file mode 100644 index 0000000000..b8cba98d14 --- /dev/null +++ b/gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml 
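Review bot: `cvss_v3: 7.5` is a High score, but the description's Severity section says the Nokogiri maintainers evaluated this as **Moderate**; confirm which source the number came from and align the two, or omit `cvss_v3` if no vector was published for the gem-level advisory. The description also limits the issue to `Nokogiri::XML::Reader` with DTD validation and XInclude enabled on the CRuby build, which the version range cannot express, so the maintainers' rating is the more useful triage signal for users who hit this entry.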
@@ -0,0 +1,37 @@ +--- +gem: nokogiri +ghsa: xxx9-3xcr-gjj3 +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3 +title: XML Injection in Xerces Java affects Nokogiri +date: 2022-04-11 +description: |+ + ## Summary + + Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record. + + Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. + + ## Mitigation + + Upgrade to Nokogiri `>= v1.13.4`. + + ## Impact + + ### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J + + - **Severity**: Medium + - **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection) + - **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. + - **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj + +cvss_v3: 6.5 +patched_versions: +- ">= 1.13.4" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3 + - https://nvd.nist.gov/vuln/detail/CVE-2022-23437 + - https://github.com/advisories/GHSA-h65f-jvqw-m9fj + - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 + - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer + - https://github.com/advisories/GHSA-xxx9-3xcr-gjj3 diff --git a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml new file mode 100644 index 0000000000..128b1bb830 --- /dev/null 
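Review bot: `description: |+` keeps every trailing newline, so the blank line before `cvss_v3:` becomes part of the value and the description ends in two newlines; the sibling nokogiri entries use the clip form. Change it to `description: |` and drop the trailing blank line so the value matches the others.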
+++ b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml @@ -0,0 +1,23 @@ +--- +gem: omniauth-saml +ghsa: cvp8-5r8g-fhvq +url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 +title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature +date: 2024-09-11 +description: "ruby-saml, the dependent SAML gem of omniauth-saml has a signature wrapping + vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 + \nAs a result, omniauth-saml created a [new release](https://github.com/omniauth/omniauth-saml/releases) + by upgrading ruby-saml to the patched versions v1.17. \n" +cvss_v3: 10.0 +patched_versions: +- "~> 1.10.5" +- "~> 2.1.2" +- ">= 2.2.1" +related: + url: + - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 + - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq + - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd + - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29 + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml + - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq diff --git a/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml b/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml new file mode 100644 index 0000000000..15823f8d72 --- /dev/null +++ b/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml 
@@ -0,0 +1,31 @@ +--- +gem: omniauth-saml +ghsa: hw46-3hmr-x9xv +url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv +title: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack + issue +date: 2025-03-12 +description: |- + ### Summary + There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. + + The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. + + Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. + + ### Impact + Signature Wrapping Vulnerabilities allows an attacker to impersonate a user. +cvss_v4: 9.3 +patched_versions: +- "~> 1.10.6" +- "~> 2.1.3" +- ">= 2.2.3" +related: + url: + - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv + - https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5 + - https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35 + - https://github.com/omniauth/omniauth-saml/commit/7a348b49083462a566af41a5ae85e9f3af15b985 + - https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16 + - https://rubygems.org/gems/omniauth-saml/versions/2.2.3 + - https://github.com/advisories/GHSA-hw46-3hmr-x9xv diff --git a/gems/rails/CVE-2024-26143.yml b/gems/rails/CVE-2024-26143.yml new file mode 100644 index 0000000000..abab7c25f5 --- /dev/null +++ b/gems/rails/CVE-2024-26143.yml 
@@ -0,0 +1,46 @@ +--- +gem: rails +cve: 2024-26143 +ghsa: 9822-6m93-xqf4 +url: https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4 +title: Rails has possible XSS Vulnerability in Action Controller +date: 2024-02-27 +description: "# Possible XSS Vulnerability in Action Controller\n\nThere is a possible + XSS vulnerability when using the translation helpers\n(`translate`, `t`, etc) in + Action Controller. This vulnerability has been\nassigned the CVE identifier CVE-2024-26143.\n\nVersions + Affected: >= 7.0.0.\nNot affected: < 7.0.0\nFixed Versions: 7.1.3.1, + 7.0.8.1\n\nImpact\n------\nApplications using translation methods like `translate`, + or `t` on a\ncontroller, with a key ending in \"_html\", a `:default` key which + contains\nuntrusted user input, and the resulting string is used in a view, may + be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted code will look + something like this:\n\n```ruby\nclass ArticlesController < ApplicationController\n + \ def show \n @message = t(\"message_html\", default: untrusted_input)\n # + The `show` template displays the contents of `@message`\n end\nend\n```\n\nTo reiterate + the pre-conditions, applications must:\n\n* Use a translation function from a controller + (i.e. _not_ I18n.t, or `t` from\n a view)\n* Use a key that ends in `_html`\n* + Use a default value where the default value is untrusted and unescaped input\n* + Send the text to the victim (whether that's part of a template, or a\n `render` + call)\n\nAll users running an affected release should either upgrade or use one + of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available + at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds + for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately + we have provided patches for\nthe two supported release series. 
They are in git-am + format and consist of a\nsingle changeset.\n\n* 7-0-translate-xss.patch - Patch + for 7.0 series\n* 7-1-translate-xss.patch - Patch for 7.1 series\n\nCredits\n-------\n\nThanks + to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!" +cvss_v3: 6.1 +unaffected_versions: +- "< 7.0.0" +patched_versions: +- "~> 7.0.8.1" +- ">= 7.1.3.1" +related: + url: + - https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4 + - https://nvd.nist.gov/vuln/detail/CVE-2024-26143 + - https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc + - https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e + - https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947 + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml + - https://security.netapp.com/advisory/ntap-20240510-0004 + - https://github.com/advisories/GHSA-9822-6m93-xqf4 diff --git a/gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml b/gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml new file mode 100644 index 0000000000..55abeb4936 --- /dev/null +++ b/gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml 
@@ -0,0 +1,35 @@ +--- +gem: spree_auth_devise +ghsa: 6mqr-q86q-6gwr +url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 +title: Authentication Bypass by CSRF Weakness +date: 2021-11-18 +description: "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll + applications using any version of the frontend component of `spree_auth_devise` + are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n + \ * A before_action callback (the default)\n * A prepend_before_action (option + prepend: true given) before the :load_object hook in Spree::UserController (most + likely order to find).\n* Configured to use :null_session or :reset_session strategies + (:null_session is the default in case the no strategy is given, but rails --new + generated skeleton use :exception).\n\nThat means that applications that haven't + been configured differently from what it's generated with Rails aren't affected.\n\nThanks + @waiting-for-dev for reporting and providing a patch \U0001F44F \n\n### Patches\n\nSpree + 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update + to spree_auth_devise 4.2.1\n \n### Workarounds\n\nIf possible, change your strategy + to :exception:\n\n```ruby\nclass ApplicationController < ActionController::Base\n + \ protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb + `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize + do\n Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n### + References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\n" +cvss_v3: 9.3 +unaffected_versions: +- "< 4.2.0" +patched_versions: +- ">= 4.2.1" +related: + url: + - https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 + - 
https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr + - https://github.com/spree/spree_auth_devise/commit/50bf2444a851f10dff926eb4ea3674976d9d279d + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml + - https://github.com/advisories/GHSA-6mqr-q86q-6gwr diff --git a/gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml b/gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml new file mode 100644 index 0000000000..9a3fb05361 --- /dev/null +++ b/gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml 
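Review bot: `patched_versions: - ">= 4.2.1"` does not match the description's Patches section, which says Spree 4.2 users need spree_auth_devise 4.2.1 and Spree 4.3 users need 4.4.1 — with `>= 4.2.1`, a lockfile at 4.3.x or 4.4.0 is reported as patched. If those releases ship the affected frontend component (the description implies so), the range should be `- "~> 4.2.1"` followed by `- ">= 4.4.1"`. `unaffected_versions: - "< 4.2.0"` is consistent with the sibling GHSA-8xfw-5q82-3652 covering the 4.1 series, so only the upper range needs the change.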
@@ -0,0 +1,33 @@ +--- +gem: spree_auth_devise +ghsa: 8xfw-5q82-3652 +url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 +title: Authentication Bypass by CSRF Weakness +date: 2021-11-18 +description: "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll + applications using any version of the frontend component of `spree_auth_devise` + are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n + \ * A before_action callback (the default)\n * A prepend_before_action (option + prepend: true given) before the :load_object hook in Spree::UserController (most + likely order to find).\n* Configured to use :null_session or :reset_session strategies + (:null_session is the default in case the no strategy is given, but rails --new + generated skeleton use :exception).\n\nThat means that applications that haven't + been configured differently from what it's generated with Rails aren't affected.\n\nThanks + @waiting-for-dev for reporting and providing a patch \U0001F44F \n\n### Patches\n\nSpree + 4.1 users should update to spree_auth_devise 4.1.1\n \n### Workarounds\n\nIf possible, + change your strategy to :exception:\n\n```ruby\nclass ApplicationController < ActionController::Base\n + \ protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb + `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize + do\n Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n### + References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\n" +cvss_v3: 9.3 +unaffected_versions: +- "< 4.1.0" +patched_versions: +- ">= 4.1.1" +related: + url: + - https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 + - https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652 + - 
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml + - https://github.com/advisories/GHSA-8xfw-5q82-3652 diff --git a/gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml b/gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml new file mode 100644 index 0000000000..bf3a037f40 --- /dev/null +++ b/gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml 
@@ -0,0 +1,33 @@ +--- +gem: spree_auth_devise +ghsa: gpqc-4pp7-5954 +url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 +title: Authentication Bypass by CSRF Weakness +date: 2021-11-18 +description: "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll + applications using any version of the frontend component of `spree_auth_devise` + are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n + \ * A before_action callback (the default)\n * A prepend_before_action (option + prepend: true given) before the :load_object hook in Spree::UserController (most + likely order to find).\n* Configured to use :null_session or :reset_session strategies + (:null_session is the default in case the no strategy is given, but rails --new + generated skeleton use :exception).\n\nThat means that applications that haven't + been configured differently from what it's generated with Rails aren't affected.\n\nThanks + @waiting-for-dev for reporting and providing a patch \U0001F44F \n\n### Patches\n\nSpree + 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update + to spree_auth_devise 4.2.1\nSpree 4.1 users should update to spree_auth_devise 4.1.1\nOlder + Spree version users should update to spree_auth_devise 4.0.1\n \n### Workarounds\n\nIf + possible, change your strategy to :exception:\n\n```ruby\nclass ApplicationController + < ActionController::Base\n protect_from_forgery with: :exception\nend\n```\n\nAdd + the following to`config/application.rb `to at least run the `:exception` strategy + on the affected controller:\n\n```ruby\nconfig.after_initialize do\n Spree::UsersController.protect_from_forgery + with: :exception\nend\n```\n\n### References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\n" +cvss_v3: 9.3 +patched_versions: +- ">= 4.0.1" +related: + url: + - 
https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 + - https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954 + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml + - https://github.com/advisories/GHSA-gpqc-4pp7-5954 diff --git a/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml b/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml new file mode 100644 index 0000000000..b8759ef756 --- /dev/null +++ b/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml @@ -0,0 +1,24 @@ +--- +gem: user_agent_parser +ghsa: pcqq-5962-hvcw +url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw +title: Denial of Service in uap-core when processing crafted User-Agent strings +date: 2020-03-10 +description: |- + ### Impact + Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. + + ### Patches + Please update `uap-ruby` to >= v2.6.0 + + ### For more information + https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p + + Reported in `uap-core` by Ben Caller @bcaller +patched_versions: +- ">= 2.6.0" +related: + url: + - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw + - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a + - https://github.com/advisories/GHSA-pcqq-5962-hvcw diff --git a/gems/webrick/CVE-2009-4492.yml b/gems/webrick/CVE-2009-4492.yml new file mode 100644 index 0000000000..2bac49f55e --- /dev/null +++ b/gems/webrick/CVE-2009-4492.yml 
@@ -0,0 +1,29 @@ +--- +gem: webrick +cve: 2009-4492 +ghsa: 6mq2-37j5-w6r6 +url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6 +title: WEBrick Improper Input Validation vulnerability +date: 2017-10-24 +description: | + WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel + 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file + without sanitizing non-printable characters, which might allow remote attackers + to modify a window's title, or possibly execute arbitrary commands or overwrite + files, via an HTTP request containing an escape sequence for a terminal emulator. +cvss_v2: 7.5 +patched_versions: +- ">= 1.4.0" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2009-4492 + - https://github.com/advisories/GHSA-6mq2-37j5-w6r6 + - http://www.redhat.com/support/errata/RHSA-2011-0908.html + - http://www.redhat.com/support/errata/RHSA-2011-0909.html + - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection + - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt + - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089 + - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949 + - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429 + - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded + - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710 From 26bcfcf84042bd84d957955b536c8ee7784a4e78 Mon Sep 17 00:00:00 2001 
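Review bot: `date: 2017-10-24` does not match the disclosure this entry references: the ruby-lang.org announcement listed under `related` is dated 2010-01-10 and the CVE carries a 2009 identifier, so the 2017 value looks like the GHSA publication date rather than the disclosure date. If this database's `date` field records disclosure, it should read `date: 2010-01-10`; if it deliberately records GHSA publication, a short comment above the field saying so would settle the question for the next sync. The plain `http://` references could also be replaced with `https://` or archive links, as was already done for the securityfocus and secunia entries, if the hosts still serve them.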
From: Viktor Rak Date: Wed, 21 May 2025 14:43:33 +0300 Subject: [PATCH 2/6] Apply remarks from https://github.com/rubysec/ruby-advisory-db/pull/873 * remove duplicates of gems/nokogiri/CVE-2018-25032.yml: - gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml * remove duplicates of gems/nokogiri/CVE-2021-30560.yml: - gems/nokogiri/GHSA-fq42-c5rg-92c2.yml * remove duplicates of gems/nokogiri/CVE-2022-23437.yml: - gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml * remove duplicates of gems/nokogiri/CVE-2022-24839.yml: - gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml * remove duplicates of gems/omniauth-saml/CVE-2024-45409.yml: - gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml * remove duplicates of gems/spree_auth_devise/CVE-2021-41275.yml: - gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml - gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml - gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml * remove duplicates of gems/nokogiri/CVE-2022-23437.yml: - gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml * use `##` instead of `**` to denote sections within the description text * use `description: |` to make text easier to read and edit * use NVD url for gems/alchemy_cms/CVE-2018-18307.yml --- gems/alchemy_cms/CVE-2018-18307.yml | 2 +- gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml | 8 +- gems/nokogiri/GHSA-fq42-c5rg-92c2.yml | 64 --------------- gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml | 41 ---------- gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml | 30 ------- gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml | 37 --------- gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 23 ------ gems/rails/CVE-2024-26143.yml | 79 +++++++++++++------ .../spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml | 35 -------- .../spree_auth_devise/GHSA-8xfw-5q82-3652.yml | 33 -------- .../spree_auth_devise/GHSA-gpqc-4pp7-5954.yml | 33 -------- 11 files changed, 61 insertions(+), 324 deletions(-) delete mode 100644 gems/nokogiri/GHSA-fq42-c5rg-92c2.yml delete mode 100644 gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml delete mode 100644 gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml delete mode 100644 
gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml delete mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml delete mode 100644 gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml delete mode 100644 gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml delete mode 100644 gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml diff --git a/gems/alchemy_cms/CVE-2018-18307.yml b/gems/alchemy_cms/CVE-2018-18307.yml index fbf63653d9..8f924e29a5 100644 --- a/gems/alchemy_cms/CVE-2018-18307.yml +++ b/gems/alchemy_cms/CVE-2018-18307.yml @@ -2,7 +2,7 @@ gem: alchemy_cms cve: 2018-18307 ghsa: 7mj4-2984-955f -url: http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html +url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307 title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field date: 2022-05-14 description: | diff --git a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml index 6460a2861b..a5ba31b828 100644 --- a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml +++ b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml @@ -32,7 +32,7 @@ description: | Where it is joined in an unchecked manner with the root folder and then deleted. - **Proof of concept** + ## Proof of concept The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below) ``` curl --path-as-is -i -s -k -X $'POST' \ 
@@ -45,16 +45,16 @@ description: | $'https:///admin/media/actions?actions=true' ``` - **Impact** + ## Impact This issue may lead to a defective CMS or system. - **Remediation** + ## Remediation Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. - **See also:** + ## See also: [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) diff --git a/gems/nokogiri/GHSA-fq42-c5rg-92c2.yml b/gems/nokogiri/GHSA-fq42-c5rg-92c2.yml deleted file mode 100644 index 312f8ebd18..0000000000 --- a/gems/nokogiri/GHSA-fq42-c5rg-92c2.yml +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -gem: nokogiri -ghsa: fq42-c5rg-92c2 -url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2 -title: Vulnerable dependencies in Nokogiri -date: 2022-02-25 -description: | - ### Summary - - Nokogiri [v1.13.2](https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.2) upgrades two of its packaged dependencies: - - - vendored libxml2 from v2.9.12 to [v2.9.13](https://download.gnome.org/sources/libxml2/2.9/libxml2-2.9.13.news) - - vendored libxslt from v1.1.34 to [v1.1.35](https://download.gnome.org/sources/libxslt/1.1/libxslt-1.1.35.news) - - Those library versions address the following upstream CVEs: - - - libxslt: [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) (CVSS 8.8, High severity) - - libxml2: [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) (Unspecified severity, see more information below) - - Those library versions also address numerous other issues including performance improvements, regression fixes, and bug fixes, as well as memory leaks and other use-after-free issues that were not assigned CVEs. - - Please note that this advisory only applies to the CRuby implementation of Nokogiri `< 1.13.2`, and only if the _packaged_ libraries are being used. If you've overridden defaults at installation time to use _system_ libraries instead of packaged libraries, you should instead pay attention to your distro's `libxml2` and `libxslt` release announcements. - - - ### Mitigation - - Upgrade to Nokogiri `>= 1.13.2`. - - Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile and link an older version Nokogiri against external libraries libxml2 `>= 2.9.13` and libxslt `>= 1.1.35`, which will also address these same CVEs. 
- - - ### Impact - - #### libxslt [CVE-2021-30560](https://nvd.nist.gov/vuln/detail/CVE-2021-30560) - - - CVSS3 score: 8.8 (High) - - Fixed by https://gitlab.gnome.org/GNOME/libxslt/-/commit/50f9c9c - - All versions of libxslt prior to v1.1.35 are affected. - - Applications using **untrusted** XSL stylesheets to transform XML are vulnerable to a denial-of-service attack and should be upgraded immediately. - - - #### libxml2 [CVE-2022-23308](https://nvd.nist.gov/vuln/detail/CVE-2022-23308) - - - As of the time this security advisory was published, there is no officially published information available about this CVE's severity. The above NIST link does not yet have a published record, and the libxml2 maintainer has declined to provide a severity score. - - Fixed by https://gitlab.gnome.org/GNOME/libxml2/-/commit/652dd12 - - Further explanation is at https://mail.gnome.org/archives/xml/2022-February/msg00015.html - - The upstream commit and the explanation linked above indicate that an application may be vulnerable to a denial of service, memory disclosure, or code execution if it parses an **untrusted** document with parse options `DTDVALID` set to true, and `NOENT` set to false. - - An analysis of these parse options: - - - While `NOENT` is off by default for Document, DocumentFragment, Reader, and Schema parsing, it is on by default for XSLT (stylesheet) parsing in Nokogiri v1.12.0 and later. - - `DTDVALID` is an option that Nokogiri does not set for any operations, and so this CVE applies only to applications setting this option explicitly. - - It seems reasonable to assume that any application explicitly setting the parse option `DTDVALID` when parsing **untrusted** documents is vulnerable and should be upgraded immediately. -cvss_v3: 8.8 -patched_versions: -- ">= 1.13.2" -related: - url: - - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-fq42-c5rg-92c2 - - https://github.com/advisories/GHSA-fq42-c5rg-92c2 
diff --git a/gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml b/gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml deleted file mode 100644 index 787ceccadf..0000000000 --- a/gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml +++ /dev/null 
@@ -1,41 +0,0 @@ ---- -gem: nokogiri -ghsa: gx8x-g87m-h5q6 -url: https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv -title: Denial of Service (DoS) in Nokogiri on JRuby -date: 2022-04-11 -description: | - ## Summary - - Nokogiri `v1.13.4` updates the vendored `org.cyberneko.html` library to `1.9.22.noko2` which addresses [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv). That CVE is rated 7.5 (High Severity). - - See [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) for more information. - - Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. - - - ## Mitigation - - Upgrade to Nokogiri `>= 1.13.4`. - - - ## Impact - - ### [CVE-2022-24839](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) in nekohtml - - - **Severity**: High 7.5 - - **Type**: [CWE-400](https://cwe.mitre.org/data/definitions/400.html) Uncontrolled Resource Consumption - - **Description**: The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. - - **See also**: [GHSA-9849-p7jc-9rmv](https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv) -cvss_v3: 7.5 -patched_versions: -- ">= 1.13.4" -related: - url: - - https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv - - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-gx8x-g87m-h5q6 - - https://nvd.nist.gov/vuln/detail/CVE-2022-24839 - - https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d - - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 - - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer - - https://github.com/advisories/GHSA-gx8x-g87m-h5q6 
diff --git a/gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml b/gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml deleted file mode 100644 index d0d23e19ad..0000000000 --- a/gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -gem: nokogiri -ghsa: v6gp-9mmm-c6p5 -url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 -title: Out-of-bounds Write in zlib affects Nokogiri -date: 2022-04-11 -description: "## Summary\n\nNokogiri v1.13.4 updates the vendored zlib from 1.2.11 - to 1.2.12, which addresses [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032). - That CVE is scored as CVSS 7.4 \"High\" on the NVD record as of 2022-04-05.\n\nPlease - note that this advisory only applies to the CRuby implementation of Nokogiri `< - 1.13.4`, and only if the packaged version of `zlib` is being used. Please see [this - document](https://nokogiri.org/LICENSE-DEPENDENCIES.html#default-platform-release-ruby) - for a complete description of which platform gems vendor `zlib`. If you've overridden - defaults at installation time to use system libraries instead of packaged libraries, - you should instead pay attention to your distro's `zlib` release announcements. - \n\n## Mitigation\n\nUpgrade to Nokogiri `>= v1.13.4`.\n\n## Impact\n\n### [CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032) - in zlib\n\n- **Severity**: High\n- **Type**: [CWE-787](https://cwe.mitre.org/data/definitions/787.html) - Out of bounds write\n- **Description**: zlib before 1.2.12 allows memory corruption - when deflating (i.e., when compressing) if the input has many distant matches.\n\n" -cvss_v3: 7.5 -patched_versions: -- ">= 1.13.4" -related: - url: - - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-v6gp-9mmm-c6p5 - - https://nvd.nist.gov/vuln/detail/CVE-2018-25032 - - https://github.com/advisories/GHSA-jc36-42cf-vqwj - - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 - - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer - - https://github.com/advisories/GHSA-v6gp-9mmm-c6p5 
diff --git a/gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml b/gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml deleted file mode 100644 index b8cba98d14..0000000000 --- a/gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml +++ /dev/null 
@@ -1,37 +0,0 @@ ---- -gem: nokogiri -ghsa: xxx9-3xcr-gjj3 -url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3 -title: XML Injection in Xerces Java affects Nokogiri -date: 2022-04-11 -description: |+ - ## Summary - - Nokogiri v1.13.4 updates the vendored `xerces:xercesImpl` from 2.12.0 to 2.12.2, which addresses [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437). That CVE is scored as CVSS 6.5 "Medium" on the NVD record. - - Please note that this advisory only applies to the **JRuby** implementation of Nokogiri `< 1.13.4`. - - ## Mitigation - - Upgrade to Nokogiri `>= v1.13.4`. - - ## Impact - - ### [CVE-2022-23437](https://nvd.nist.gov/vuln/detail/CVE-2022-23437) in xerces-J - - - **Severity**: Medium - - **Type**: [CWE-91](https://cwe.mitre.org/data/definitions/91.html) XML Injection (aka Blind XPath Injection) - - **Description**: There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions. - - **See also**: https://github.com/advisories/GHSA-h65f-jvqw-m9fj - -cvss_v3: 6.5 -patched_versions: -- ">= 1.13.4" -related: - url: - - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xxx9-3xcr-gjj3 - - https://nvd.nist.gov/vuln/detail/CVE-2022-23437 - - https://github.com/advisories/GHSA-h65f-jvqw-m9fj - - https://github.com/sparklemotion/nokogiri/releases/tag/v1.13.4 - - https://groups.google.com/g/ruby-security-ann/c/vX7qSjsvWis/m/TJWN4oOKBwAJ?utm_medium=email&utm_source=footer - - https://github.com/advisories/GHSA-xxx9-3xcr-gjj3 diff --git a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml b/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml deleted file mode 100644 index 128b1bb830..0000000000 
--- a/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -gem: omniauth-saml -ghsa: cvp8-5r8g-fhvq -url: https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 -title: omniauth-saml vulnerable to Improper Verification of Cryptographic Signature -date: 2024-09-11 -description: "ruby-saml, the dependent SAML gem of omniauth-saml has a signature wrapping - vulnerability in <= v1.12.0 and v1.13.0 to v1.16.0 , see https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 - \nAs a result, omniauth-saml created a [new release](https://github.com/omniauth/omniauth-saml/releases) - by upgrading ruby-saml to the patched versions v1.17. \n" -cvss_v3: 10.0 -patched_versions: -- "~> 1.10.5" -- "~> 2.1.2" -- ">= 2.2.1" -related: - url: - - https://github.com/SAML-Toolkits/ruby-saml/security/advisories/GHSA-jw9c-mfg7-9rx2 - - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cvp8-5r8g-fhvq - - https://github.com/omniauth/omniauth-saml/commit/4274e9d57e65f2dcaae4aa3b2accf831494f2ddd - - https://github.com/omniauth/omniauth-saml/commit/6c681fd082ab3daf271821897a40ab3417382e29 - - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml - - https://github.com/advisories/GHSA-cvp8-5r8g-fhvq diff --git a/gems/rails/CVE-2024-26143.yml b/gems/rails/CVE-2024-26143.yml index abab7c25f5..c2ec52c351 100644 --- a/gems/rails/CVE-2024-26143.yml +++ b/gems/rails/CVE-2024-26143.yml 
@@ -5,29 +5,62 @@ ghsa: 9822-6m93-xqf4 url: https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4 title: Rails has possible XSS Vulnerability in Action Controller date: 2024-02-27 -description: "# Possible XSS Vulnerability in Action Controller\n\nThere is a possible - XSS vulnerability when using the translation helpers\n(`translate`, `t`, etc) in - Action Controller. This vulnerability has been\nassigned the CVE identifier CVE-2024-26143.\n\nVersions - Affected: >= 7.0.0.\nNot affected: < 7.0.0\nFixed Versions: 7.1.3.1, - 7.0.8.1\n\nImpact\n------\nApplications using translation methods like `translate`, - or `t` on a\ncontroller, with a key ending in \"_html\", a `:default` key which - contains\nuntrusted user input, and the resulting string is used in a view, may - be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted code will look - something like this:\n\n```ruby\nclass ArticlesController < ApplicationController\n - \ def show \n @message = t(\"message_html\", default: untrusted_input)\n # - The `show` template displays the contents of `@message`\n end\nend\n```\n\nTo reiterate - the pre-conditions, applications must:\n\n* Use a translation function from a controller - (i.e. _not_ I18n.t, or `t` from\n a view)\n* Use a key that ends in `_html`\n* - Use a default value where the default value is untrusted and unescaped input\n* - Send the text to the victim (whether that's part of a template, or a\n `render` - call)\n\nAll users running an affected release should either upgrade or use one - of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available - at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds - for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately - we have provided patches for\nthe two supported release series. 
They are in git-am - format and consist of a\nsingle changeset.\n\n* 7-0-translate-xss.patch - Patch - for 7.0 series\n* 7-1-translate-xss.patch - Patch for 7.1 series\n\nCredits\n-------\n\nThanks - to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!" +description: | + # Possible XSS Vulnerability in Action Controller + + There is a possible XSS vulnerability when using the translation helpers + (`translate`, `t`, etc) in Action Controller. + This vulnerability has been assigned the CVE identifier CVE-2024-26143. + + Versions Affected: `>= 7.0.0`. + Not affected: `< 7.0.0` + Fixed Versions: `7.1.3.1`, `7.0.8.1` + + ## Impact + + Applications using translation methods like `translate`, or `t` on a controller, + with a key ending in `_html`, a `:default` key which contains untrusted user input, + and the resulting string is used in a view, may be susceptible to an XSS vulnerability. + + For example, impacted code will look something like this: + + ```ruby + class ArticlesController < ApplicationController + def show + @message = t("message_html", default: untrusted_input) + # The `show` template displays the contents of `@message` + end + end + ``` + + To reiterate the pre-conditions, applications must: + + * Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from a view) + * Use a key that ends in `_html` + * Use a default value where the default value is untrusted and unescaped input + * Send the text to the victim (whether that's part of a template, or a `render` call) + + All users running an affected release should either upgrade or use one of the workarounds immediately. + + ## Releases + + The fixed releases are available at the normal locations. + + ## Workarounds + + There are no feasible workarounds for this issue. + + ## Patches + + To aid users who aren't able to upgrade immediately we have provided patches for + the two supported release series. They are in git-am format and consist of a single changeset. 
+ + * 7-0-translate-xss.patch - Patch for 7.0 series + * 7-1-translate-xss.patch - Patch for 7.1 series + + ## Credits + + Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!" cvss_v3: 6.1 unaffected_versions: - "< 7.0.0" diff --git a/gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml b/gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml deleted file mode 100644 index 55abeb4936..0000000000 --- a/gems/spree_auth_devise/GHSA-6mqr-q86q-6gwr.yml +++ /dev/null 
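Review bot: The last description line, `Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!"`, still carries the closing double quote of the removed `description: "..."` form; inside the new `description: |` block scalar it is literal content and ends up in the rendered advisory text. Drop the trailing character so the line reads `Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!`. The rest of the conversion keeps the original wording, so this appears to be the only leftover from the quoted form.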
@@ -1,35 +0,0 @@ ---- -gem: spree_auth_devise -ghsa: 6mqr-q86q-6gwr -url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 -title: Authentication Bypass by CSRF Weakness -date: 2021-11-18 -description: "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll - applications using any version of the frontend component of `spree_auth_devise` - are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n - \ * A before_action callback (the default)\n * A prepend_before_action (option - prepend: true given) before the :load_object hook in Spree::UserController (most - likely order to find).\n* Configured to use :null_session or :reset_session strategies - (:null_session is the default in case the no strategy is given, but rails --new - generated skeleton use :exception).\n\nThat means that applications that haven't - been configured differently from what it's generated with Rails aren't affected.\n\nThanks - @waiting-for-dev for reporting and providing a patch \U0001F44F \n\n### Patches\n\nSpree - 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update - to spree_auth_devise 4.2.1\n \n### Workarounds\n\nIf possible, change your strategy - to :exception:\n\n```ruby\nclass ApplicationController < ActionController::Base\n - \ protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb - `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize - do\n Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n### - References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\n" -cvss_v3: 9.3 -unaffected_versions: -- "< 4.2.0" -patched_versions: -- ">= 4.2.1" -related: - url: - - https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2 - - 
https://github.com/spree/spree_auth_devise/security/advisories/GHSA-6mqr-q86q-6gwr - - https://github.com/spree/spree_auth_devise/commit/50bf2444a851f10dff926eb4ea3674976d9d279d - - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml - - https://github.com/advisories/GHSA-6mqr-q86q-6gwr diff --git a/gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml b/gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml deleted file mode 100644 index 9a3fb05361..0000000000 --- a/gems/spree_auth_devise/GHSA-8xfw-5q82-3652.yml +++ /dev/null 
@@ -1,33 +0,0 @@
----
-gem: spree_auth_devise
-ghsa: 8xfw-5q82-3652
-url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
-title: Authentication Bypass by CSRF Weakness
-date: 2021-11-18
-description: "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll
- applications using any version of the frontend component of `spree_auth_devise`
- are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n
- \ * A before_action callback (the default)\n * A prepend_before_action (option
- prepend: true given) before the :load_object hook in Spree::UserController (most
- likely order to find).\n* Configured to use :null_session or :reset_session strategies
- (:null_session is the default in case the no strategy is given, but rails --new
- generated skeleton use :exception).\n\nThat means that applications that haven't
- been configured differently from what it's generated with Rails aren't affected.\n\nThanks
- @waiting-for-dev for reporting and providing a patch \U0001F44F \n\n### Patches\n\nSpree
- 4.1 users should update to spree_auth_devise 4.1.1\n \n### Workarounds\n\nIf possible,
- change your strategy to :exception:\n\n```ruby\nclass ApplicationController < ActionController::Base\n
- \ protect_from_forgery with: :exception\nend\n```\n\nAdd the following to`config/application.rb
- `to at least run the `:exception` strategy on the affected controller:\n\n```ruby\nconfig.after_initialize
- do\n Spree::UsersController.protect_from_forgery with: :exception\nend\n```\n\n###
- References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\n"
-cvss_v3: 9.3
-unaffected_versions:
-- "< 4.1.0"
-patched_versions:
-- ">= 4.1.1"
-related:
- url:
- - https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
- - https://github.com/spree/spree_auth_devise/security/advisories/GHSA-8xfw-5q82-3652
- - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml
- - https://github.com/advisories/GHSA-8xfw-5q82-3652
diff --git a/gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml b/gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml
deleted file mode 100644
index bf3a037f40..0000000000
--- a/gems/spree_auth_devise/GHSA-gpqc-4pp7-5954.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-gem: spree_auth_devise
-ghsa: gpqc-4pp7-5954
-url: https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
-title: Authentication Bypass by CSRF Weakness
-date: 2021-11-18
-description: "### Impact\n\nCSRF vulnerability that allows user account takeover.\n\nAll
- applications using any version of the frontend component of `spree_auth_devise`
- are affected if `protect_from_forgery` method is both:\n\n* Executed whether as:\n
- \ * A before_action callback (the default)\n * A prepend_before_action (option
- prepend: true given) before the :load_object hook in Spree::UserController (most
- likely order to find).\n* Configured to use :null_session or :reset_session strategies
- (:null_session is the default in case the no strategy is given, but rails --new
- generated skeleton use :exception).\n\nThat means that applications that haven't
- been configured differently from what it's generated with Rails aren't affected.\n\nThanks
- @waiting-for-dev for reporting and providing a patch \U0001F44F \n\n### Patches\n\nSpree
- 4.3 users should update to spree_auth_devise 4.4.1\nSpree 4.2 users should update
- to spree_auth_devise 4.2.1\nSpree 4.1 users should update to spree_auth_devise 4.1.1\nOlder
- Spree version users should update to spree_auth_devise 4.0.1\n \n### Workarounds\n\nIf
- possible, change your strategy to :exception:\n\n```ruby\nclass ApplicationController
- < ActionController::Base\n protect_from_forgery with: :exception\nend\n```\n\nAdd
- the following to`config/application.rb `to at least run the `:exception` strategy
- on the affected controller:\n\n```ruby\nconfig.after_initialize do\n Spree::UsersController.protect_from_forgery
- with: :exception\nend\n```\n\n### References\nhttps://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2\n"
-cvss_v3: 9.3
-patched_versions:
-- ">= 4.0.1"
-related:
- url:
- - https://github.com/solidusio/solidus_auth_devise/security/advisories/GHSA-xm34-v85h-9pg2
- - https://github.com/spree/spree_auth_devise/security/advisories/GHSA-gpqc-4pp7-5954
- - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/spree_auth_devise/CVE-2021-41275.yml
- - https://github.com/advisories/GHSA-gpqc-4pp7-5954
From 3248e6dce07f280f63ed9e61b45cdc233abb5c8f Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Wed, 21 May 2025 08:31:19 -0700
Subject: [PATCH 3/6] Remove duplicate `gems/rails/CVE-2024-26143.yml` file. This advisory already exists at `gems/actionpack/CVE-2024-26143.yml`.
---
 gems/rails/CVE-2024-26143.yml | 79 -----------------------------------
 1 file changed, 79 deletions(-)
 delete mode 100644 gems/rails/CVE-2024-26143.yml
diff --git a/gems/rails/CVE-2024-26143.yml b/gems/rails/CVE-2024-26143.yml
deleted file mode 100644
index c2ec52c351..0000000000
--- a/gems/rails/CVE-2024-26143.yml
+++ /dev/null
@@ -1,79 +0,0 @@
----
-gem: rails
-cve: 2024-26143
-ghsa: 9822-6m93-xqf4
-url: https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
-title: Rails has possible XSS Vulnerability in Action Controller
-date: 2024-02-27
-description: |
- # Possible XSS Vulnerability in Action Controller
-
- There is a possible XSS vulnerability when using the translation helpers
- (`translate`, `t`, etc) in Action Controller.
- This vulnerability has been assigned the CVE identifier CVE-2024-26143.
-
- Versions Affected: `>= 7.0.0`.
- Not affected: `< 7.0.0`
- Fixed Versions: `7.1.3.1`, `7.0.8.1`
-
- ## Impact
-
- Applications using translation methods like `translate`, or `t` on a controller,
- with a key ending in `_html`, a `:default` key which contains untrusted user input,
- and the resulting string is used in a view, may be susceptible to an XSS vulnerability.
-
- For example, impacted code will look something like this:
-
- ```ruby
- class ArticlesController < ApplicationController
- def show
- @message = t("message_html", default: untrusted_input)
- # The `show` template displays the contents of `@message`
- end
- end
- ```
-
- To reiterate the pre-conditions, applications must:
-
- * Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from a view)
- * Use a key that ends in `_html`
- * Use a default value where the default value is untrusted and unescaped input
- * Send the text to the victim (whether that's part of a template, or a `render` call)
-
- All users running an affected release should either upgrade or use one of the workarounds immediately.
-
- ## Releases
-
- The fixed releases are available at the normal locations.
-
- ## Workarounds
-
- There are no feasible workarounds for this issue.
-
- ## Patches
-
- To aid users who aren't able to upgrade immediately we have provided patches for
- the two supported release series. They are in git-am format and consist of a single changeset.
-
- * 7-0-translate-xss.patch - Patch for 7.0 series
- * 7-1-translate-xss.patch - Patch for 7.1 series
-
- ## Credits
-
- Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!"
-cvss_v3: 6.1
-unaffected_versions:
-- "< 7.0.0"
-patched_versions:
-- "~> 7.0.8.1"
-- ">= 7.1.3.1"
-related:
- url:
- - https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
- - https://nvd.nist.gov/vuln/detail/CVE-2024-26143
- - https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
- - https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
- - https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
- - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
- - https://security.netapp.com/advisory/ntap-20240510-0004
- - https://github.com/advisories/GHSA-9822-6m93-xqf4
From 805f65b75bf58852f4516199b85bbd466475460a Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Wed, 21 May 2025 10:28:34 -0700
Subject: [PATCH 4/6] Delete `gems/Autolab/CVE-2024-49376.yml` for non-existent gem `Autolab` Autolab is a standalone Ruby web-app and was never released as a gem.
---
 gems/Autolab/CVE-2024-49376.yml | 34 ---------------------------------
 1 file changed, 34 deletions(-)
 delete mode 100644 gems/Autolab/CVE-2024-49376.yml
diff --git a/gems/Autolab/CVE-2024-49376.yml b/gems/Autolab/CVE-2024-49376.yml
deleted file mode 100644
index 98c77671e4..0000000000
--- a/gems/Autolab/CVE-2024-49376.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-gem: Autolab
-cve: 2024-49376
-ghsa: v46j-h43h-rwrm
-url: https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
-title: Autolab Misconfigured Reset Password Permissions
-date: 2024-10-25
-description: |
- ### Impact
- For email-based accounts, users with insufficient privileges could reset and theoretically access privileged users' accounts by resetting their passwords.
-
- ### Patches
- This is fixed in v3.0.1.
-
- ### Workarounds
- No workarounds.
-
- ### For more information
- If you have any questions or comments about this advisory:
-
- Open an issue in https://github.com/autolab/Autolab/
- Email us at [autolab-dev@andrew.cmu.edu](mailto:autolab-dev@andrew.cmu.edu)
-cvss_v3: 8.8
-cvss_v4: 7.1
-unaffected_versions:
-- "< 3.0.0"
-patched_versions:
-- ">= 3.0.1"
-related:
- url:
- - https://github.com/autolab/Autolab/security/advisories/GHSA-v46j-h43h-rwrm
- - https://nvd.nist.gov/vuln/detail/CVE-2024-49376
- - https://github.com/autolab/Autolab/commit/301689ab5c5e39d13bab47b71eaf8998d04bcc9b
- - https://github.com/advisories/GHSA-v46j-h43h-rwrm
From 873e3758b0653f8484560d713a5ae0102a70e710 Mon Sep 17 00:00:00 2001
From: Postmodern
Date: Wed, 21 May 2025 10:33:07 -0700
Subject: [PATCH 5/6] Update CVE-2020-21514.yml Link to the GHSA advisory for CVE-2020-21514.
---
 gems/fluentd-ui/CVE-2020-21514.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/fluentd-ui/CVE-2020-21514.yml b/gems/fluentd-ui/CVE-2020-21514.yml
index 77b385257a..c851d7e226 100644
--- a/gems/fluentd-ui/CVE-2020-21514.yml
+++ b/gems/fluentd-ui/CVE-2020-21514.yml
@@ -2,7 +2,7 @@
 gem: fluentd-ui
 cve: 2020-21514
 ghsa: wrxf-x8rm-6ggg
-url: https://github.com/fluent/fluentd/issues/2722
+url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg
 title: Fluent Fluentd and Fluent-ui use default password
 date: 2023-04-04
 description: |
From d9f5eac0dd2bd6fdd56a734cfc77343b5a205874 Mon Sep 17 00:00:00 2001
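Review bot: Swapping `url` to the GHSA page removes the only top-level pointer to the upstream report `https://github.com/fluent/fluentd/issues/2722`, so the advisory no longer links to the vendor-side discussion unless that URL is already listed under `related.url`, which lies outside this hunk and cannot be confirmed from here. The GHSA identifier in the new URL does match the `ghsa: wrxf-x8rm-6ggg` field, so the replacement itself is consistent. If the issue link is not already present, keep it under `related.url` as `  - https://github.com/fluent/fluentd/issues/2722` so readers triaging the default-password finding can still reach the original fix discussion. The same applies to the identical hunk for gems/fluentd/CVE-2020-21514.yml in PATCH 6/6.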
From: Postmodern
Date: Wed, 21 May 2025 10:34:14 -0700
Subject: [PATCH 6/6] Update CVE-2020-21514.yml Link to the GHSA advisory for CVE-2020-21514.
---
 gems/fluentd/CVE-2020-21514.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/gems/fluentd/CVE-2020-21514.yml b/gems/fluentd/CVE-2020-21514.yml
index f3d6bfec92..5b5c2fd2a9 100644
--- a/gems/fluentd/CVE-2020-21514.yml
+++ b/gems/fluentd/CVE-2020-21514.yml
@@ -2,7 +2,7 @@
 gem: fluentd
 cve: 2020-21514
 ghsa: wrxf-x8rm-6ggg
-url: https://github.com/fluent/fluentd/issues/2722
+url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg
 title: Fluent Fluentd and Fluent-ui use default password
 date: 2023-04-04
 description: |