-
-
Notifications
You must be signed in to change notification settings - Fork 221
GHSA SYNC: new advisories #873
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
Show all changes
6 commits
Select commit
Hold shift + click to select a range
659b10a
GHSA SYNC: new advisories
rakvium 26bcfcf
Apply remarks from https://github.com/rubysec/ruby-advisory-db/pull/873
rakvium 3248e6d
Remove duplicate `gems/rails/CVE-2024-26143.yml` file.
postmodern 805f65b
Delete `gems/Autolab/CVE-2024-49376.yml` for non-existent gem `Autolab`
postmodern 873e375
Update CVE-2020-21514.yml
postmodern d9f5eac
Update CVE-2020-21514.yml
postmodern File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,22 @@ | ||
| --- | ||
| gem: alchemy_cms | ||
| cve: 2018-18307 | ||
| ghsa: 7mj4-2984-955f | ||
| url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307 | ||
| title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field | ||
| date: 2022-05-14 | ||
| description: | | ||
| A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS | ||
| via the /admin/pictures image filename field. | ||
| cvss_v3: 5.9 | ||
| unaffected_versions: | ||
| - "< 4.1.0" | ||
| notes: Never patched | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2018-18307 | ||
| - http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html | ||
| - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15 | ||
| - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5 | ||
| - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21 | ||
| - https://github.com/advisories/GHSA-7mj4-2984-955f |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,67 @@ | ||
| --- | ||
| gem: camaleon_cms | ||
| ghsa: 3hp8-6j24-m5gm | ||
| url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 | ||
| title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) | ||
| date: 2024-09-23 | ||
| description: | | ||
| The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently. | ||
| Arbitrary file deletion can be exploited with following code path: | ||
| The parameter folder flows from the actions method: | ||
| ```ruby | ||
| def actions | ||
| authorize! :manage, :media if params[:media_action] != 'crop_url' | ||
| params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? | ||
| case params[:media_action] | ||
| [..] | ||
| when 'del_file' | ||
| cama_uploader.delete_file(params[:folder].gsub('//', '/')) | ||
| render plain: '' | ||
| ``` | ||
| into the method delete_file of the CamaleonCmsLocalUploader | ||
| class (when files are uploaded locally): | ||
| ```ruby | ||
| def delete_file(key) | ||
| file = File.join(@root_folder, key) | ||
| FileUtils.rm(file) if File.exist? file | ||
| @instance.hooks_run('after_delete', key) | ||
| get_media_collection.find_by_key(key).take.destroy | ||
| end | ||
| ``` | ||
| Where it is joined in an unchecked manner with the root folder and | ||
| then deleted. | ||
| ## Proof of concept | ||
| The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below) | ||
| ``` | ||
| curl --path-as-is -i -s -k -X $'POST' \ | ||
| -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ | ||
| -b $'auth_token=[..]; _cms_session=[..]' \ | ||
| --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. | ||
| 2F.. | ||
| 2F.. | ||
| 2FREADME.md&media_action=del_file' \ | ||
| $'https://<camaleon-host>/admin/media/actions?actions=true' | ||
| ``` | ||
| ## Impact | ||
| This issue may lead to a defective CMS or system. | ||
| ## Remediation | ||
| Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the | ||
| targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. | ||
| ## See also: | ||
| [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) | ||
| [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) | ||
| patched_versions: | ||
| - ">= 2.8.1" | ||
| related: | ||
| url: | ||
| - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 | ||
| - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml | ||
| - https://github.com/advisories/GHSA-3hp8-6j24-m5gm |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| --- | ||
| gem: fluentd-ui | ||
| cve: 2020-21514 | ||
| ghsa: wrxf-x8rm-6ggg | ||
| url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg | ||
| title: Fluent Fluentd and Fluent-ui use default password | ||
| date: 2023-04-04 | ||
| description: | | ||
| An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 | ||
| that allows attackers to gain escilated privileges and execute arbitrary code due | ||
| to use of a default password. | ||
| cvss_v3: 8.8 | ||
| notes: Never patched | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-21514 | ||
| - https://github.com/fluent/fluentd/issues/2722 | ||
| - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| --- | ||
| gem: fluentd | ||
| cve: 2020-21514 | ||
| ghsa: wrxf-x8rm-6ggg | ||
| url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg | ||
| title: Fluent Fluentd and Fluent-ui use default password | ||
| date: 2023-04-04 | ||
| description: | | ||
| An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 | ||
| that allows attackers to gain escilated privileges and execute arbitrary code due | ||
| to use of a default password. | ||
| cvss_v3: 8.8 | ||
| notes: Never patched | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2020-21514 | ||
| - https://github.com/fluent/fluentd/issues/2722 | ||
| - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| --- | ||
| gem: nokogiri | ||
| ghsa: vcc3-rw6f-jv97 | ||
| url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j | ||
| title: Use-after-free in libxml2 via Nokogiri::XML::Reader | ||
| date: 2024-03-18 | ||
| description: | | ||
| ### Summary | ||
| Nokogiri upgrades its dependency libxml2 as follows: | ||
| - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 | ||
| - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 | ||
| libxml2 v2.11.7 and v2.12.5 address the following vulnerability: | ||
| CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 | ||
| - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 | ||
| - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 | ||
| Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if | ||
| the packaged libraries are being used. If you've overridden defaults at installation time to use | ||
| system libraries instead of packaged libraries, you should instead pay attention to your distro's | ||
| libxml2 release announcements. | ||
| JRuby users are not affected. | ||
| ### Severity | ||
| The Nokogiri maintainers have evaluated this as **Moderate**. | ||
| ### Impact | ||
| From the CVE description, this issue applies to the `xmlTextReader` module (which underlies | ||
| `Nokogiri::XML::Reader`): | ||
| > When using the XML Reader interface with DTD validation and XInclude expansion enabled, | ||
| > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. | ||
| ### Mitigation | ||
| Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. | ||
| Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile | ||
| and link Nokogiri against patched external libxml2 libraries which will also address these same | ||
| issues. | ||
| cvss_v3: 7.5 | ||
| patched_versions: | ||
| - "~> 1.15.6" | ||
| - ">= 1.16.2" | ||
| related: | ||
| url: | ||
| - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j | ||
| - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml | ||
| - https://github.com/advisories/GHSA-vcc3-rw6f-jv97 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,31 @@ | ||
| --- | ||
| gem: omniauth-saml | ||
| ghsa: hw46-3hmr-x9xv | ||
| url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv | ||
| title: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack | ||
| issue | ||
| date: 2025-03-12 | ||
| description: |- | ||
| ### Summary | ||
| There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. | ||
| The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. | ||
| Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. | ||
| ### Impact | ||
| Signature Wrapping Vulnerabilities allows an attacker to impersonate a user. | ||
| cvss_v4: 9.3 | ||
| patched_versions: | ||
| - "~> 1.10.6" | ||
| - "~> 2.1.3" | ||
| - ">= 2.2.3" | ||
| related: | ||
| url: | ||
| - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv | ||
| - https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5 | ||
| - https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35 | ||
| - https://github.com/omniauth/omniauth-saml/commit/7a348b49083462a566af41a5ae85e9f3af15b985 | ||
| - https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16 | ||
| - https://rubygems.org/gems/omniauth-saml/versions/2.2.3 | ||
| - https://github.com/advisories/GHSA-hw46-3hmr-x9xv |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| --- | ||
| gem: user_agent_parser | ||
| ghsa: pcqq-5962-hvcw | ||
| url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw | ||
| title: Denial of Service in uap-core when processing crafted User-Agent strings | ||
| date: 2020-03-10 | ||
| description: |- | ||
| ### Impact | ||
| Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. | ||
| ### Patches | ||
| Please update `uap-ruby` to >= v2.6.0 | ||
| ### For more information | ||
| https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p | ||
| Reported in `uap-core` by Ben Caller @bcaller | ||
| patched_versions: | ||
| - ">= 2.6.0" | ||
| related: | ||
| url: | ||
| - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw | ||
| - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a | ||
| - https://github.com/advisories/GHSA-pcqq-5962-hvcw | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,29 @@ | ||
| --- | ||
| gem: webrick | ||
| cve: 2009-4492 | ||
| ghsa: 6mq2-37j5-w6r6 | ||
| url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6 | ||
| title: WEBrick Improper Input Validation vulnerability | ||
| date: 2017-10-24 | ||
| description: | | ||
| WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel | ||
| 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file | ||
| without sanitizing non-printable characters, which might allow remote attackers | ||
| to modify a window's title, or possibly execute arbitrary commands or overwrite | ||
| files, via an HTTP request containing an escape sequence for a terminal emulator. | ||
| cvss_v2: 7.5 | ||
| patched_versions: | ||
| - ">= 1.4.0" | ||
| related: | ||
| url: | ||
| - https://nvd.nist.gov/vuln/detail/CVE-2009-4492 | ||
| - https://github.com/advisories/GHSA-6mq2-37j5-w6r6 | ||
| - http://www.redhat.com/support/errata/RHSA-2011-0908.html | ||
| - http://www.redhat.com/support/errata/RHSA-2011-0909.html | ||
| - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection | ||
| - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt | ||
| - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089 | ||
| - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949 | ||
| - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429 | ||
| - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded | ||
| - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710 |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.