diff --git a/gems/alchemy_cms/CVE-2018-18307.yml b/gems/alchemy_cms/CVE-2018-18307.yml new file mode 100644 index 0000000000..8f924e29a5 --- /dev/null +++ b/gems/alchemy_cms/CVE-2018-18307.yml @@ -0,0 +1,22 @@ +--- +gem: alchemy_cms +cve: 2018-18307 +ghsa: 7mj4-2984-955f +url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307 +title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field +date: 2022-05-14 +description: | + A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS + via the /admin/pictures image filename field. +cvss_v3: 5.9 +unaffected_versions: +- "< 4.1.0" +notes: Never patched +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2018-18307 + - http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html + - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15 + - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5 + - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21 + - https://github.com/advisories/GHSA-7mj4-2984-955f diff --git a/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml new file mode 100644 index 0000000000..a5ba31b828 --- /dev/null +++ b/gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml 
@@ -0,0 +1,67 @@ +--- +gem: camaleon_cms +ghsa: 3hp8-6j24-m5gm +url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 +title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185) +date: 2024-09-23 +description: | + The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently. + + Arbitrary file deletion can be exploited with following code path: + The parameter folder flows from the actions method: + ```ruby + def actions + authorize! :manage, :media if params[:media_action] != 'crop_url' + params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present? + case params[:media_action] + [..] + when 'del_file' + cama_uploader.delete_file(params[:folder].gsub('//', '/')) + render plain: '' + ``` + into the method delete_file of the CamaleonCmsLocalUploader + class (when files are uploaded locally): + ```ruby + def delete_file(key) + file = File.join(@root_folder, key) + FileUtils.rm(file) if File.exist? file + @instance.hooks_run('after_delete', key) + get_media_collection.find_by_key(key).take.destroy + end + ``` + Where it is joined in an unchecked manner with the root folder and + then deleted. 
+ + ## Proof of concept + The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below) + ``` + curl --path-as-is -i -s -k -X $'POST' \ + -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \ + -b $'auth_token=[..]; _cms_session=[..]' \ + --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=.. + 2F.. + 2F.. + 2FREADME.md&media_action=del_file' \ + $'https:///admin/media/actions?actions=true' + ``` + + ## Impact + + This issue may lead to a defective CMS or system. + + ## Remediation + + Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the + targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths. + + ## See also: + + [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/) + [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal) +patched_versions: +- ">= 2.8.1" +related: + url: + - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9 + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml + - https://github.com/advisories/GHSA-3hp8-6j24-m5gm diff --git a/gems/fluentd-ui/CVE-2020-21514.yml b/gems/fluentd-ui/CVE-2020-21514.yml new file mode 100644 index 0000000000..c851d7e226 --- /dev/null +++ b/gems/fluentd-ui/CVE-2020-21514.yml 
@@ -0,0 +1,18 @@ +--- +gem: fluentd-ui +cve: 2020-21514 +ghsa: wrxf-x8rm-6ggg +url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg +title: Fluent Fluentd and Fluent-ui use default password +date: 2023-04-04 +description: | + An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 + that allows attackers to gain escilated privileges and execute arbitrary code due + to use of a default password. +cvss_v3: 8.8 +notes: Never patched +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2020-21514 + - https://github.com/fluent/fluentd/issues/2722 + - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg diff --git a/gems/fluentd/CVE-2020-21514.yml b/gems/fluentd/CVE-2020-21514.yml new file mode 100644 index 0000000000..5b5c2fd2a9 --- /dev/null +++ b/gems/fluentd/CVE-2020-21514.yml @@ -0,0 +1,18 @@ +--- +gem: fluentd +cve: 2020-21514 +ghsa: wrxf-x8rm-6ggg +url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg +title: Fluent Fluentd and Fluent-ui use default password +date: 2023-04-04 +description: | + An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2 + that allows attackers to gain escilated privileges and execute arbitrary code due + to use of a default password. +cvss_v3: 8.8 +notes: Never patched +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2020-21514 + - https://github.com/fluent/fluentd/issues/2722 + - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg diff --git a/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml b/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml new file mode 100644 index 0000000000..60899d26a9 --- /dev/null +++ b/gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml 
@@ -0,0 +1,54 @@ +--- +gem: nokogiri +ghsa: vcc3-rw6f-jv97 +url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j +title: Use-after-free in libxml2 via Nokogiri::XML::Reader +date: 2024-03-18 +description: | + ### Summary + + Nokogiri upgrades its dependency libxml2 as follows: + - v1.15.6 upgrades libxml2 to 2.11.7 from 2.11.6 + - v1.16.2 upgrades libxml2 to 2.12.5 from 2.12.4 + + libxml2 v2.11.7 and v2.12.5 address the following vulnerability: + + CVE-2024-25062 / https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25062 + - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604 + - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970 + + Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if + the packaged libraries are being used. If you've overridden defaults at installation time to use + system libraries instead of packaged libraries, you should instead pay attention to your distro's + libxml2 release announcements. + + JRuby users are not affected. + + ### Severity + + The Nokogiri maintainers have evaluated this as **Moderate**. + + ### Impact + + From the CVE description, this issue applies to the `xmlTextReader` module (which underlies + `Nokogiri::XML::Reader`): + + > When using the XML Reader interface with DTD validation and XInclude expansion enabled, + > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free. + + ### Mitigation + + Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`. + + Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile + and link Nokogiri against patched external libxml2 libraries which will also address these same + issues. 
+cvss_v3: 7.5 +patched_versions: +- "~> 1.15.6" +- ">= 1.16.2" +related: + url: + - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j + - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml + - https://github.com/advisories/GHSA-vcc3-rw6f-jv97 diff --git a/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml b/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml new file mode 100644 index 0000000000..15823f8d72 --- /dev/null +++ b/gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml 
@@ -0,0 +1,31 @@ +--- +gem: omniauth-saml +ghsa: hw46-3hmr-x9xv +url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv +title: omniauth-saml has dependency on ruby-saml version with Signature Wrapping Attack + issue +date: 2025-03-12 +description: |- + ### Summary + There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml. + + The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0. + + Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0. + + ### Impact + Signature Wrapping Vulnerabilities allows an attacker to impersonate a user. +cvss_v4: 9.3 +patched_versions: +- "~> 1.10.6" +- "~> 2.1.3" +- ">= 2.2.3" +related: + url: + - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv + - https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5 + - https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35 + - https://github.com/omniauth/omniauth-saml/commit/7a348b49083462a566af41a5ae85e9f3af15b985 + - https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16 + - https://rubygems.org/gems/omniauth-saml/versions/2.2.3 + - https://github.com/advisories/GHSA-hw46-3hmr-x9xv diff --git a/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml b/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml new file mode 100644 index 0000000000..b8759ef756 --- /dev/null +++ b/gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml 
@@ -0,0 +1,24 @@ +--- +gem: user_agent_parser +ghsa: pcqq-5962-hvcw +url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw +title: Denial of Service in uap-core when processing crafted User-Agent strings +date: 2020-03-10 +description: |- + ### Impact + Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings. + + ### Patches + Please update `uap-ruby` to >= v2.6.0 + + ### For more information + https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p + + Reported in `uap-core` by Ben Caller @bcaller +patched_versions: +- ">= 2.6.0" +related: + url: + - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw + - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a + - https://github.com/advisories/GHSA-pcqq-5962-hvcw diff --git a/gems/webrick/CVE-2009-4492.yml b/gems/webrick/CVE-2009-4492.yml new file mode 100644 index 0000000000..2bac49f55e --- /dev/null +++ b/gems/webrick/CVE-2009-4492.yml 
@@ -0,0 +1,29 @@ +--- +gem: webrick +cve: 2009-4492 +ghsa: 6mq2-37j5-w6r6 +url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6 +title: WEBrick Improper Input Validation vulnerability +date: 2017-10-24 +description: | + WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel + 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file + without sanitizing non-printable characters, which might allow remote attackers + to modify a window's title, or possibly execute arbitrary commands or overwrite + files, via an HTTP request containing an escape sequence for a terminal emulator. +cvss_v2: 7.5 +patched_versions: +- ">= 1.4.0" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2009-4492 + - https://github.com/advisories/GHSA-6mq2-37j5-w6r6 + - http://www.redhat.com/support/errata/RHSA-2011-0908.html + - http://www.redhat.com/support/errata/RHSA-2011-0909.html + - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection + - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt + - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089 + - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949 + - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429 + - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded + - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710
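Review bot: in `gems/alchemy_cms/CVE-2018-18307.yml`, `unaffected_versions: - "< 4.1.0"` together with `notes: Never patched` and no `patched_versions` marks every release from 4.1.0 onward as vulnerable, which is broader than the description, which only names 4.1.0 as the version in which the stored XSS was found. The three `related` links into the `4.1-stable` branch cover only that series; confirm whether the filename escaping was fixed in a later series and, if so, add `patched_versions`. Also worth checking which date the database expects here, since `date: 2022-05-14` is four years after the CVE year.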
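Review bot: `gems/camaleon_cms/GHSA-3hp8-6j24-m5gm.yml` has `ghsa: 3hp8-6j24-m5gm` but its `url:` points at GHSA-7x4w-cj9r-h4v9, and its `related.url` cites `gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml` in this same repository; this looks like a second entry for one advisory (GHSL-2024-185), so either drop the file or make one identifier canonical and keep the other only under `related`. The proof-of-concept curl in the description has also lost its URL encoding: `folder=.. + 2F.. + 2F.. + 2FREADME.md` should read `folder=..%2F..%2F..%2FREADME.md`, otherwise the request as quoted does not reproduce the traversal. The empty host in `https:///admin/media/actions?actions=true` reads as a deliberate redaction and is fine to leave.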
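Review bot: the two identical entries `gems/fluentd-ui/CVE-2020-21514.yml` and `gems/fluentd/CVE-2020-21514.yml` carry no `unaffected_versions` or `patched_versions`, so with `notes: Never patched` every version of both gems is flagged, while the description only names Fluentd v1.8.0 and Fluent-ui v1.2.2. Since the default-password issue is tracked in fluent/fluentd#2722 (the only project link in `related`), state in the description which component actually ships the default password and which versions were tested, or add `unaffected_versions` for the gem that is not affected. Spelling: "escilated" should be "escalated" in both files.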
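Review bot: `gems/nokogiri/GHSA-vcc3-rw6f-jv97.yml` has the same identifier mismatch as the camaleon_cms file: `ghsa: vcc3-rw6f-jv97` but `url:` is GHSA-xc9x-jj77-9p9j, and `related.url` cites the existing `gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml`, so this appears to duplicate an entry already in the database. If it stays, `cvss_v3: 7.5` contradicts the description's own "The Nokogiri maintainers have evaluated this as **Moderate**" and should say which score source it reflects, and the upstream libxml2 identifier named in the description (CVE-2024-25062) belongs under `related:` alongside `url:` so it is searchable.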
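Review bot: in `gems/omniauth-saml/GHSA-hw46-3hmr-x9xv.yml` the description says the fix is a ruby-saml release (v1.18.0) and the `related` commits plus the gemspec link show the omniauth-saml patches only bump that dependency, so the `patched_versions` of `~> 1.10.6`, `~> 2.1.3` and `>= 2.2.3` are correct but the entry would help users more if it also said that pinning `ruby-saml >= 1.18.0` is the actual remediation for anyone who cannot move omniauth-saml. The three CVEs cited in the description (CVE-2025-25292, CVE-2025-25291, CVE-2025-25293) are ruby-saml identifiers and belong under `related:`. Spelling and grammar in the description: "a potential DDOS Moderated Vulneratiblity" should be "a potential moderate-severity DoS vulnerability", and "Signature Wrapping Vulnerabilities allows" should be "allow". The `title:` value is split across two lines; YAML folds that into one scalar, but keeping it on one line avoids surprises for tooling that greps titles.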
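Review bot: `gems/webrick/CVE-2009-4492.yml` sets `patched_versions: - ">= 1.4.0"`, but the description and the ruby-lang link in `related` (dated 2010/01/10) place the fix in the patchlevel releases that followed Ruby 1.8.7-p248 and 1.9.1-p376, not in a webrick gem version; check whether the lower bound should be the first standalone `webrick` gem release that includes that fix rather than 1.4.0, since as written any `webrick 1.3.x` gem is flagged regardless of whether it carries the patch. The `cvss_v2: 7.5` field is appropriate for a 2009 CVE with no v3 score.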