From bdb5d9a838e58031c3b7ef1f2894cceace9c0822 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Mon, 3 Mar 2025 09:47:06 -0500
Subject: [PATCH 1/2] 3 brand new non-GHSA advisories

---
 gems/cgi/CVE-2025-27219.yml | 36 +++++++++++++++++++++++++++++++++
 gems/cgi/CVE-2025-27220.yml | 36 +++++++++++++++++++++++++++++++++
 gems/uri/CVE-2025-27221.yml | 40 +++++++++++++++++++++++++++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 gems/cgi/CVE-2025-27219.yml
 create mode 100644 gems/cgi/CVE-2025-27220.yml
 create mode 100644 gems/uri/CVE-2025-27221.yml

diff --git a/gems/cgi/CVE-2025-27219.yml b/gems/cgi/CVE-2025-27219.yml
new file mode 100644
index 0000000000..72ab8dccaf
--- /dev/null
+++ b/gems/cgi/CVE-2025-27219.yml
@@ -0,0 +1,36 @@
+---
+gem: cgi
+cve: 2025-27219
+url: https://www.cve.org/CVERecord?id=CVE-2025-27219
+title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
+date: 2025-02-26
+description: |
+ There is a possibility for DoS by in the cgi gem.
+ This vulnerability has been assigned the CVE identifier
+ CVE-2025-27219. We recommend upgrading the cgi gem.
+
+ ## Details
+
+ CGI::Cookie.parse took super-linear time to parse a cookie string
+ in some cases. Feeding a maliciously crafted cookie string into
+ the method could lead to a Denial of Service.
+
+ Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
+
+ ## Affected versions
+
+ cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
+
+ ## Credits
+
+ Thanks to lio346 for discovering this issue.
+ Also thanks to mame for fixing this vulnerability.
+patched_versions:
+ - "~> 0.3.5.1"
+ - "~> 0.3.7"
+ - ">= 0.4.2"
+related:
+ url:
+ - https://www.cve.org/CVERecord?id=CVE-2025-27219
+ - https://www.suse.com/security/cve/CVE-2025-27219.html
+ - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
diff --git a/gems/cgi/CVE-2025-27220.yml b/gems/cgi/CVE-2025-27220.yml
new file mode 100644
index 0000000000..e63c5775f2
--- /dev/null
+++ b/gems/cgi/CVE-2025-27220.yml
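Review bot: The first description line of the new gems/cgi/CVE-2025-27219.yml reads `There is a possibility for DoS by in the cgi gem.`, where the stray `by` makes the sentence ungrammatical; the text looks carried over from the linked ruby-lang.org announcement, so either keep it verbatim as a quotation or edit it to `There is a possibility for DoS in the cgi gem.`. The same `by in` phrase appears in the CVE-2025-27220.yml hunk (`Regular expression Denial of Service (ReDoS) by in the cgi gem`) and the CVE-2025-27221.yml hunk (`userinfo leakage by in the uri gem`). The `patched_versions` constraints here do line up with the affected list in the description (`~> 0.3.5.1` closes `<= 0.3.5`, `~> 0.3.7` closes `0.3.6`, `>= 0.4.2` closes `0.4.0` and `0.4.1`), so nothing needs to change in that section.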
@@ -0,0 +1,36 @@
+---
+gem: cgi
+cve: 2025-27220
+url: https://www.cve.org/CVERecord?id=CVE-2025-27220
+title: CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
+date: 2025-02-26
+description: |
+ There is a possibility for Regular expression Denial of Service (ReDoS)
+ by in the cgi gem. This vulnerability has been assigned the CVE
+ identifier CVE-2025-27220. We recommend upgrading the cgi gem.
+
+ ## Details
+
+ The regular expression used in CGI::Util#escapeElement is vulnerable
+ to ReDoS. The crafted input could lead to a high CPU consumption.
+
+ This vulnerability only affects Ruby 3.1 and 3.2. If you
+ are using these versions, please update CGI gem to version
+ 0.3.5.1, 0.3.7, 0.4.2 or later.
+
+ ## Affected versions
+
+ cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
+
+ ## Credits
+
+ Thanks to svalkanov for discovering this issue.
+ Also thanks to nobu for fixing this vulnerability.
+patched_versions:
+ - "~> 0.3.5.1"
+ - "~> 0.3.7"
+ - ">= 0.4.2"
+related:
+ url:
+ - https://www.cve.org/CVERecord?id=CVE-2025-27220
+ - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories
diff --git a/gems/uri/CVE-2025-27221.yml b/gems/uri/CVE-2025-27221.yml
new file mode 100644
index 0000000000..d529344f49
--- /dev/null
+++ b/gems/uri/CVE-2025-27221.yml
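Review bot: The title `CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.` ends with a period while the title in the CVE-2025-27219.yml hunk of this patch (`... Denial of Service in CGI::Cookie.parse`) does not; titles are shown as one-line headings by consumers of this data, so drop the trailing period for consistency. The same applies to `title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.` in the CVE-2025-27221.yml hunk. Separately, the description states the issue only affects Ruby 3.1 and 3.2, but nothing in this file format (as visible here) scopes a finding by Ruby version, so cgi 0.3.5/0.3.6/0.4.0/0.4.1 will presumably be flagged on every Ruby; that is the conservative outcome, but a sentence in the description such as `Consumers of this advisory cannot filter by Ruby version; upgrading the gem is recommended regardless.` would pre-empt false-positive reports.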
@@ -0,0 +1,40 @@
+---
+gem: uri
+cve: 2025-27221
+url: https://www.cve.org/CVERecord?id=CVE-2025-27221
+title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
+date: 2025-02-26
+description: |
+
+ There is a possibility for userinfo leakage by in the uri gem.
+ This vulnerability has been assigned the CVE identifier
+ CVE-2025-27221. We recommend upgrading the uri gem.
+
+ ## Details
+
+ The methods URI#join, URI#merge, and URI#+ retained userinfo, such
+ as user:password, even after the host is replaced. When generating
+ a URL to a malicious host from a URL containing secret userinfo
+ using these methods, and having someone access that URL, an
+ unintended userinfo leak could occur.
+
+ Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
+
+ ## Affected versions
+
+ uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and
+ 1.0.0 to 1.0.2.
+
+ ## Credits
+
+ Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
+ Also thanks to nobu for additional fixes of this vulnerability.
+patched_versions:
+ - "~> 0.11.3"
+ - "~> 0.12.4"
+ - "~> 0.13.2"
+ - ">= 1.0.3"
+related:
+ url:
+ - https://www.cve.org/CVERecord?id=CVE-2025-27221
+ - https://www.ruby-lang.org/en/news/2025/02/26/security-advisories

From 3c30fceb03189a636445f6fc6e9ab08f81820420 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Tue, 4 Mar 2025 08:09:06 -0500
Subject: [PATCH 2/2] GHSA SYNC: 3 modified and 1 brand new advisory

---
 gems/cgi/CVE-2025-27219.yml | 2 ++
 gems/cgi/CVE-2025-27220.yml | 2 ++
 gems/oxidized-web/CVE-2025-27590.yml | 21 +++++++++++++++++++++
 gems/uri/CVE-2025-27221.yml | 2 ++
 4 files changed, 27 insertions(+)
 create mode 100644 gems/oxidized-web/CVE-2025-27590.yml

diff --git a/gems/cgi/CVE-2025-27219.yml b/gems/cgi/CVE-2025-27219.yml
index 72ab8dccaf..17b88f3fe1 100644
--- a/gems/cgi/CVE-2025-27219.yml
+++ b/gems/cgi/CVE-2025-27219.yml
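Review bot: The `description: |` block in gems/uri/CVE-2025-27221.yml starts with an empty line before `There is a possibility for userinfo leakage ...`, so the literal block scalar's value begins with a newline, unlike the two cgi advisories in this patch; drop that empty line so the description starts on its first content line. The `patched_versions` entries (`~> 0.11.3`, `~> 0.12.4`, `~> 0.13.2`, `>= 1.0.3`) match the affected ranges listed in the description (`< 0.11.3`, `0.12.0 to 0.12.3`, `0.13.0, 0.13.1`, `1.0.0 to 1.0.2`), so that section needs no change.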
@@ -1,6 +1,7 @@
 ---
 gem: cgi
 cve: 2025-27219
+ghsa: gh9q-2xrm-x6qv
 url: https://www.cve.org/CVERecord?id=CVE-2025-27219
 title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
 date: 2025-02-26
@@ -25,6 +26,7 @@ description: |
 
 Thanks to lio346 for discovering this issue.
 Also thanks to mame for fixing this vulnerability.
+cvss_v3: 5.8
 patched_versions:
 - "~> 0.3.5.1"
 - "~> 0.3.7"
diff --git a/gems/cgi/CVE-2025-27220.yml b/gems/cgi/CVE-2025-27220.yml
index e63c5775f2..b33bca1821 100644
--- a/gems/cgi/CVE-2025-27220.yml
+++ b/gems/cgi/CVE-2025-27220.yml
@@ -1,6 +1,7 @@
 ---
 gem: cgi
 cve: 2025-27220
+ghsa: mhwm-jh88-3gjf
 url: https://www.cve.org/CVERecord?id=CVE-2025-27220
 title: CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
 date: 2025-02-26
@@ -26,6 +27,7 @@ description: |
 
 Thanks to svalkanov for discovering this issue.
 Also thanks to nobu for fixing this vulnerability.
+cvss_v3: 4.0
 patched_versions:
 - "~> 0.3.5.1"
 - "~> 0.3.7"
diff --git a/gems/oxidized-web/CVE-2025-27590.yml b/gems/oxidized-web/CVE-2025-27590.yml
new file mode 100644
index 0000000000..6e15621989
--- /dev/null
+++ b/gems/oxidized-web/CVE-2025-27590.yml
@@ -0,0 +1,21 @@
+---
+gem: oxidized-web
+cve: 2025-27590
+ghsa: jx6p-9c26-g373
+url: https://github.com/advisories/GHSA-jx6p-9c26-g373
+title: Oxidized Web RANCID migration page allows unauthenticated
+ user to gain control over Linux user account
+date: 2025-03-03
+description: |
+ In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID
+ migration page allows an unauthenticated user to gain control
+ over the Linux user account that is running oxidized-web.
+cvss_v3: 9.1
+patched_versions:
+ - ">= 0.15.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-27590
+ - https://github.com/ytti/oxidized-web/releases/tag/0.15.0
+ - https://github.com/ytti/oxidized-web/commit/a5220a0ddc57b85cd122bffee228d3ed4901668e
+ - https://github.com/advisories/GHSA-jx6p-9c26-g373
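Review bot: In the new gems/oxidized-web/CVE-2025-27590.yml the `title:` value is a plain scalar continued onto a second line (`title: Oxidized Web RANCID migration page allows unauthenticated` followed by `user to gain control over Linux user account`); a multi-line plain scalar is easy to misread as a second key and silently depends on the continuation indent, so write it as a folded block, `title: >-`, with both lines indented beneath it. The top-level `url` and the last `related.url` entry both carry the same GHSA advisory link, which is harmless but redundant; the other three advisories in this series point `url` at the CVE record and list the GHSA link only under `related`, so one of the two forms should be picked. The `>= 0.15.0` constraint agrees with the description's `before 0.15.0`, so the version data itself needs no change.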
diff --git a/gems/uri/CVE-2025-27221.yml b/gems/uri/CVE-2025-27221.yml
index d529344f49..c15293a21e 100644
--- a/gems/uri/CVE-2025-27221.yml
+++ b/gems/uri/CVE-2025-27221.yml
@@ -1,6 +1,7 @@
 ---
 gem: uri
 cve: 2025-27221
+ghsa: 22h5-pq3x-2gf2
 url: https://www.cve.org/CVERecord?id=CVE-2025-27221
 title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
 date: 2025-02-26
@@ -29,6 +30,7 @@ description: |
 
 Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
 Also thanks to nobu for additional fixes of this vulnerability.
+cvss_v3: 3.2
 patched_versions:
 - "~> 0.11.3"
 - "~> 0.12.4"