Add advisories from SRC:CLR

[reedloden]

Just a todo list I figured I should put somewhere more public... Need to add advisories for all these:

ruby_rncryptor / ruby_rncryptor_secured -- https://srcclr.com/security/timing-attacks/ruby/s-1938

spina -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-1686

logstash-core -- https://srcclr.com/security/factoring-attack-rsa-export-keys-freak/ruby/s-1745
https://srcclr.com/security/man-middle-mitm-attacks/ruby/s-1798

facter -- https://srcclr.com/security/disclosure-amazon-ec2-iam-instance/ruby/s-1508
https://srcclr.com/security/elevation-privileges-untrusted-search/ruby/s-1586

kafo -- https://srcclr.com/security/world-readable-permissions-as-default/ruby/s-740

puppet -- https://srcclr.com/catalog/search#query=type:vulnerability%20puppet

[VanessaHenderson]

refinerycms-core
https://srcclr.com/security/cross-site-scripting-xss-through-title/ruby/s-2168
https://srcclr.com/security/cross-site-scripting-xss-through-alt/ruby/s-2169
https://srcclr.com/security/stored-cross-site-scripting-xss-title/ruby/s-2170
https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-2171

[VanessaHenderson]

paperclip -- https://srcclr.com/security/denial-service-dos-through-excessive/ruby/s-2242

[VanessaHenderson]

admin-upmin, upmin and shoppe -- https://srcclr.com/security/cross-site-request-forgery-csrf-due-to/ruby/s-2266
devise_invitable -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-2272

[reedloden]

activeadmin -- https://srcclr.com/security/cross-site-scripting-xss-through-modal/ruby/s-2276

[skorth]

@reedloden regarding spina ruby gem #250

[jasnow]

Not sure https://srcclr.com is an active web site.

[VanessaHenderson]

You are correct, SourceClear was purchased by Veracode. The easiest way to find the links now would be to search the s-* number at https://sca.analysiscenter.veracode.com/vulnerability-database
A lot of them will be privated unless you have a Veraode SCA account, otherwise it is just basic information available.

IE; Activeadmin that @reedloden posted is here: https://sca.analysiscenter.veracode.com/vulnerability-database/security/cross-site-scripting-xss-through-modal-dialog/ruby/sid-2276/summary

[jasnow]

@VanessaHenderson - Thanks for the education.

[jasnow]

h#query=type:vulnerability%20puppet

Need a list of specific "puppet" URLs.

[jasnow]

admin-upmin, upmin and shoppe -- https://srcclr.com/security/cross-site-request-forgery-csrf-due-to/ruby/s-2266 devise_invitable -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-2272

It appears that "s-2272" for devise_invitable may have be withdrawn if this is the same advisory: GHSA-wj5j-xpcj-45gc

[VanessaHenderson]

It looks like SourceClear itself hasn't withdrawn the item, I wonder why GitHub withdrew it...

[jasnow]

It looks like SourceClear itself hasn't withdrawn the item, I wonder why GitHub withdrew it...

Looks like all of the non-PR #616 advisories, including s-2272, appears to need a CVE/GHSA/etc ID before it is added to ruby-advisory-db repo so time will tell.

[VanessaHenderson]

Ah yeah that'd probably do it. SourceClear/Veracode adds vulnerabilities that aren't necessarily assigned CVEs, basing on code fixes etc instead of solely CVE