diff --git a/rubies/ruby/CVE-2007-5770.yml b/rubies/ruby/CVE-2007-5770.yml
index da10d9033e..add274a076 100644
--- a/rubies/ruby/CVE-2007-5770.yml
+++ b/rubies/ruby/CVE-2007-5770.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2007-5770
+ghsa: mf83-c25g-48r6
 url: http://www.cvedetails.com/cve/CVE-2007-5770/
 title: Ruby Net::HTTPS library does not validate server certificate CN
 date: 2007-10-08
@@ -15,3 +16,12 @@ cvss_v2: 4.3
 patched_versions:
 - "~> 1.8.6.230"
 - ">= 1.8.7"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2007-5770
+ - https://bugzilla.redhat.com/show_bug.cgi?id=362081
+ - http://www.debian.org/security/2007/dsa-1410
+ - http://www.debian.org/security/2007/dsa-1411
+ - http://www.debian.org/security/2007/dsa-1412
+ - https://ubuntu.com/security/notices/USN-596-1
+ - https://github.com/advisories/GHSA-mf83-c25g-48r6
diff --git a/rubies/ruby/CVE-2009-0642.yml b/rubies/ruby/CVE-2009-0642.yml
index 4d75791891..45a9097712 100644
--- a/rubies/ruby/CVE-2009-0642.yml
+++ b/rubies/ruby/CVE-2009-0642.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2009-0642
+ghsa: 4gvm-4mw2-9fpv
 url: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
 title: Ruby 'OCSP_basic_verify()' X.509 Certificate Verification Vulnerability
 date: 2009-01-29
@@ -15,3 +16,12 @@ patched_versions:
 - "~> 1.8.7.173"
 - "~> 1.9.1.129"
 - ">= 1.9.2.preview.1"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2009-0642
+ - https://web.archive.org/web/20111209131753/http://redmine.ruby-lang.org/issues/show/1091
+ - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=513528
+ - https://ubuntu.com/security/notices/USN-805-1
+ - https://exchange.xforce.ibmcloud.com/vulnerabilities/48761
+ - https://www.invicti.com/web-application-vulnerabilities/ruby-improper-authentication-vulnerability-cve-2009-0642
+ - https://github.com/advisories/GHSA-4gvm-4mw2-9fpv
diff --git a/rubies/ruby/CVE-2012-4464.yml b/rubies/ruby/CVE-2012-4464.yml
index 7a3352ea92..da3480ee4d 100644
--- a/rubies/ruby/CVE-2012-4464.yml
+++ b/rubies/ruby/CVE-2012-4464.yml
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2012-4464
+ghsa: gjcp-rx5c-g849
 url: https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466/
 title: Ruby Exception#to_s / NameError#to_s Methods Safe Level Security Bypass
 date: 2012-10-12
@@ -15,3 +16,8 @@ cvss_v2: 5.0
 patched_versions:
 - "~> 1.8.7.371"
 - ">= 1.9.3.286"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2012-4464
+ - https://www.ruby-lang.org/en/news/2012/10/12/cve-2012-4464-cve-2012-4466
+ - https://github.com/advisories/GHSA-gjcp-rx5c-g849
diff --git a/rubies/ruby/CVE-2014-6438.yml b/rubies/ruby/CVE-2014-6438.yml
new file mode 100644
index 0000000000..fd1595da53
--- /dev/null
+++ b/rubies/ruby/CVE-2014-6438.yml
@@ -0,0 +1,23 @@
+---
+engine: ruby
+cve: 2014-6438
+ghsa: 2j3h-55rq-rj48
+url: https://nvd.nist.gov/vuln/detail/CVE-2014-6438
+title: DoS Vulnerability associated with URI.decode_www_form_component method
+date: 2017-09-06
+description: |
+ The URI.decode_www_form_component method in Ruby before 1.9.2-p330
+ allows remote attackers to cause a denial of service (catastrophic
+ regular expression backtracking, resource consumption, or application
+ crash) via a crafted string.
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+ - ">= 1.9.2.p330"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2014-6438
+ - https://www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released
+ - https://github.com/ruby/www.ruby-lang.org/issues/817
+ - http://www.openwall.com/lists/oss-security/2015/07/13/6
+ - https://github.com/advisories/GHSA-2j3h-55rq-rj48
diff --git a/rubies/ruby/CVE-2022-28739.yml b/rubies/ruby/CVE-2022-28739.yml
index 136e4eaea4..5b78d00910 100644
--- a/rubies/ruby/CVE-2022-28739.yml
+++ b/rubies/ruby/CVE-2022-28739.yml
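Review bot: The new CVE-2014-6438.yml encodes the fixed release as `- ">= 1.9.2.p330"`, which breaks the patchlevel convention the sibling entries in this diff use (`"~> 1.8.7.371"` for 1.8.7-p371, `"~> 1.8.6.230"` for 1.8.6-p230) and, if the `~>`/`>=` constraints are evaluated with Gem::Version as the operators suggest, the letter-bearing `p330` segment makes the requirement a prerelease that sorts below `1.9.2`, so every vulnerable 1.9.2 patchlevel would satisfy it; it should read `- ">= 1.9.2.330"`. The `date: 2017-09-06` looks like the NVD publication date, whereas the linked ruby-lang.org post shows the fix shipping in 1.9.2-p330 on 2014-08-19 and the 2012 and 2022 entries here carry the date of their vendor advisory, so the field is probably three years late. For the same consistency reason the primary `url` would better point at that release note, keeping the NVD link under `related`.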
@@ -1,6 +1,7 @@
 ---
 engine: ruby
 cve: 2022-28739
+ghsa: mvgc-rxvg-hqc6
 url: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
 title: Buffer overrun in String-to-Float conversion
 date: 2022-04-12
@@ -10,8 +11,15 @@ description: |
 Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read. Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.
+cvss_v2: 4.3
+cvss_v3: 7.5
 patched_versions:
 - "~> 2.6.10"
 - "~> 2.7.6"
 - "~> 3.0.4"
 - ">= 3.1.2"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-28739
+ - https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739
+ - https://github.com/advisories/GHSA-mvgc-rxvg-hqc6