Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

GHSA SYNC: 3 modified and 1 brand new advisory #855

Merged
merged 3 commits into from
Mar 4, 2025
Merged

GHSA SYNC: 3 modified and 1 brand new advisory #855

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
bdb5d9a
3 brand new non-GHSA advisories
jasnow Mar 3, 2025
9a9703b
Merge remote-tracking branch 'parent/master'
jasnow Mar 4, 2025
3c30fce
GHSA SYNC: 3 modified and 1 brand new advisory
jasnow Mar 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions gems/cgi/CVE-2025-27219.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
gem: cgi
cve: 2025-27219
ghsa: gh9q-2xrm-x6qv
url: https://www.cve.org/CVERecord?id=CVE-2025-27219
title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
date: 2025-02-26
Expand All @@ -25,6 +26,7 @@ description: |

Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.
cvss_v3: 5.8
patched_versions:
- "~> 0.3.5.1"
- "~> 0.3.7"
Expand Down
2 changes: 2 additions & 0 deletions gems/cgi/CVE-2025-27220.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
gem: cgi
cve: 2025-27220
ghsa: mhwm-jh88-3gjf
url: https://www.cve.org/CVERecord?id=CVE-2025-27220
title: CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
date: 2025-02-26
Expand All @@ -26,6 +27,7 @@ description: |

Thanks to svalkanov for discovering this issue.
Also thanks to nobu for fixing this vulnerability.
cvss_v3: 4.0
patched_versions:
- "~> 0.3.5.1"
- "~> 0.3.7"
Expand Down
21 changes: 21 additions & 0 deletions gems/oxidized-web/CVE-2025-27590.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
---
gem: oxidized-web
cve: 2025-27590
ghsa: jx6p-9c26-g373
url: https://github.com/advisories/GHSA-jx6p-9c26-g373
title: Oxidized Web RANCID migration page allows unauthenticated
user to gain control over Linux user account
date: 2025-03-03
description: |
In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID
migration page allows an unauthenticated user to gain control
over the Linux user account that is running oxidized-web.
cvss_v3: 9.1
patched_versions:
- ">= 0.15.0"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-27590
- https://github.com/ytti/oxidized-web/releases/tag/0.15.0
- https://github.com/ytti/oxidized-web/commit/a5220a0ddc57b85cd122bffee228d3ed4901668e
- https://github.com/advisories/GHSA-jx6p-9c26-g373
2 changes: 2 additions & 0 deletions gems/uri/CVE-2025-27221.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
---
gem: uri
cve: 2025-27221
ghsa: 22h5-pq3x-2gf2
url: https://www.cve.org/CVERecord?id=CVE-2025-27221
title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
date: 2025-02-26
Expand Down Expand Up @@ -29,6 +30,7 @@ description: |

Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
Also thanks to nobu for additional fixes of this vulnerability.
cvss_v3: 3.2
patched_versions:
- "~> 0.11.3"
- "~> 0.12.4"
Expand Down