Updated advisory posts against rubysec/ruby-advisory-db@46d3f37

Author: rakvium

advisories/_posts/2017-10-24-CVE-2009-4492.md

@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2009-4492 (webrick): WEBrick Improper Input Validation vulnerability'
+comments: false
+categories:
+- webrick
+advisory:
+  gem: webrick
+  cve: 2009-4492
+  ghsa: 6mq2-37j5-w6r6
+  url: https://github.com/advisories/GHSA-6mq2-37j5-w6r6
+  title: WEBrick Improper Input Validation vulnerability
+  date: 2017-10-24
+  description: |
+    WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel
+    248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file
+    without sanitizing non-printable characters, which might allow remote attackers
+    to modify a window's title, or possibly execute arbitrary commands or overwrite
+    files, via an HTTP request containing an escape sequence for a terminal emulator.
+  cvss_v2: 7.5
+  patched_versions:
+  - ">= 1.4.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2009-4492
+    - https://github.com/advisories/GHSA-6mq2-37j5-w6r6
+    - http://www.redhat.com/support/errata/RHSA-2011-0908.html
+    - http://www.redhat.com/support/errata/RHSA-2011-0909.html
+    - http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection
+    - http://www.ush.it/team/ush/hack_httpd_escape/adv.txt
+    - https://web.archive.org/web/20100113155532/http://www.vupen.com/english/advisories/2010/0089
+    - https://web.archive.org/web/20100815010948/http://secunia.com/advisories/37949
+    - https://web.archive.org/web/20170402100552/http://securitytracker.com/id?1023429
+    - https://web.archive.org/web/20170908140655/http://www.securityfocus.com/archive/1/508830/100/0/threaded
+    - https://web.archive.org/web/20200228145937/http://www.securityfocus.com/bid/37710
+---

advisories/_posts/2020-03-10-GHSA-pcqq-5962-hvcw.md

@@ -0,0 +1,32 @@
+---
+layout: advisory
+title: 'GHSA-pcqq-5962-hvcw (user_agent_parser): Denial of Service in uap-core when
+  processing crafted User-Agent strings'
+comments: false
+categories:
+- user_agent_parser
+advisory:
+  gem: user_agent_parser
+  ghsa: pcqq-5962-hvcw
+  url: https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+  title: Denial of Service in uap-core when processing crafted User-Agent strings
+  date: 2020-03-10
+  description: |-
+    ### Impact
+    Some regexes are vulnerable to regular expression denial of service (REDoS) due to overlapping capture groups. This allows remote attackers to overload a server by setting the User-Agent header in an HTTP(S) request to maliciously crafted long strings.
+
+    ### Patches
+    Please update `uap-ruby` to >= v2.6.0
+
+    ### For more information
+    https://github.com/ua-parser/uap-core/security/advisories/GHSA-cmcx-xhr8-3w9p
+
+    Reported in `uap-core` by Ben Caller @bcaller
+  patched_versions:
+  - ">= 2.6.0"
+  related:
+    url:
+    - https://github.com/ua-parser/uap-ruby/security/advisories/GHSA-pcqq-5962-hvcw
+    - https://github.com/ua-parser/uap-ruby/commit/2bb18268f4c5ba7d4ba0e21c296bf6437063da3a
+    - https://github.com/advisories/GHSA-pcqq-5962-hvcw
+---

advisories/_posts/2022-05-14-CVE-2018-18307.md

@@ -0,0 +1,30 @@
+---
+layout: advisory
+title: 'CVE-2018-18307 (alchemy_cms): AlchemyCMS is vulnerable to stored XSS via the
+  /admin/pictures image field'
+comments: false
+categories:
+- alchemy_cms
+advisory:
+  gem: alchemy_cms
+  cve: 2018-18307
+  ghsa: 7mj4-2984-955f
+  url: https://nvd.nist.gov/vuln/detail/CVE-2018-18307
+  title: AlchemyCMS is vulnerable to stored XSS via the /admin/pictures image field
+  date: 2022-05-14
+  description: |
+    A stored XSS vulnerability has been discovered in version 4.1.0 of AlchemyCMS
+    via the /admin/pictures image filename field.
+  cvss_v3: 5.9
+  unaffected_versions:
+  - "< 4.1.0"
+  notes: Never patched
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2018-18307
+    - http://packetstormsecurity.com/files/149787/Alchemy-CMS-4.1-Stable-Cross-Site-Scripting.html
+    - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/base_controller.rb#L15
+    - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/pictures_controller.rb#L5
+    - https://github.com/AlchemyCMS/alchemy_cms/blob/4.1-stable/app/controllers/alchemy/admin/resources_controller.rb#L21
+    - https://github.com/advisories/GHSA-7mj4-2984-955f
+---

advisories/_posts/2023-04-04-CVE-2020-21514.md

@@ -0,0 +1,25 @@
+---
+layout: advisory
+title: 'CVE-2020-21514 (fluentd): Fluent Fluentd and Fluent-ui use default password'
+comments: false
+categories:
+- fluentd
+advisory:
+  gem: fluentd
+  cve: 2020-21514
+  ghsa: wrxf-x8rm-6ggg
+  url: https://github.com/advisories/GHSA-wrxf-x8rm-6ggg
+  title: Fluent Fluentd and Fluent-ui use default password
+  date: 2023-04-04
+  description: |
+    An issue was discovered in Fluent Fluentd v.1.8.0 and Fluent-ui v.1.2.2
+    that allows attackers to gain escilated privileges and execute arbitrary code due
+    to use of a default password.
+  cvss_v3: 8.8
+  notes: Never patched
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-21514
+    - https://github.com/fluent/fluentd/issues/2722
+    - https://github.com/advisories/GHSA-wrxf-x8rm-6ggg
+---

advisories/_posts/2024-03-18-GHSA-vcc3-rw6f-jv97.md

@@ -10,8 +10,7 @@ advisory:
   url: https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
   title: Use-after-free in libxml2 via Nokogiri::XML::Reader
   date: 2024-03-18
-  description: |2
-
+  description: |
     ### Summary
 
     Nokogiri upgrades its dependency libxml2 as follows:
@@ -24,11 +23,10 @@ advisory:
     - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/604
     - patched by https://gitlab.gnome.org/GNOME/libxml2/-/commit/92721970
 
-    Please note that this advisory only applies to the CRuby implementation
-    of Nokogiri, and only if the packaged libraries are being used. If
-    you've overridden defaults at installation time to use system libraries
-    instead of packaged libraries, you should instead pay attention to
-    your distro's libxml2 release announcements.
+    Please note that this advisory only applies to the CRuby implementation of Nokogiri, and only if
+    the packaged libraries are being used. If you've overridden defaults at installation time to use
+    system libraries instead of packaged libraries, you should instead pay attention to your distro's
+    libxml2 release announcements.
 
     JRuby users are not affected.
 
@@ -38,26 +36,26 @@ advisory:
 
     ### Impact
 
-    From the CVE description, this issue applies to the `xmlTextReader`
-    module (which underlies `Nokogiri::XML::Reader`):
+    From the CVE description, this issue applies to the `xmlTextReader` module (which underlies
+    `Nokogiri::XML::Reader`):
 
-    > When using the XML Reader interface with DTD validation and
-    > XInclude expansion enabled, processing crafted XML documents
-    > can lead to an xmlValidatePopElement use-after-free.
+    > When using the XML Reader interface with DTD validation and XInclude expansion enabled,
+    > processing crafted XML documents can lead to an xmlValidatePopElement use-after-free.
 
     ### Mitigation
 
     Upgrade to Nokogiri `~> 1.15.6` or `>= 1.16.2`.
 
-    Users who are unable to upgrade Nokogiri may also choose a more
-    complicated mitigation: compile and link Nokogiri against patched
-    external libxml2 libraries which will also address these same issues.
+    Users who are unable to upgrade Nokogiri may also choose a more complicated mitigation: compile
+    and link Nokogiri against patched external libxml2 libraries which will also address these same
+    issues.
+  cvss_v3: 7.5
   patched_versions:
   - "~> 1.15.6"
   - ">= 1.16.2"
   related:
     url:
     - https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-xc9x-jj77-9p9j
-    - https://vulners.com/github/GHSA-VCC3-RW6F-JV97
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-xc9x-jj77-9p9j.yml
     - https://github.com/advisories/GHSA-vcc3-rw6f-jv97
 ---

advisories/_posts/2024-09-23-GHSA-3hp8-6j24-m5gm.md

@@ -0,0 +1,75 @@
+---
+layout: advisory
+title: 'GHSA-3hp8-6j24-m5gm (camaleon_cms): Camaleon CMS vulnerable to remote code
+  execution through code injection (GHSL-2024-185)'
+comments: false
+categories:
+- camaleon_cms
+advisory:
+  gem: camaleon_cms
+  ghsa: 3hp8-6j24-m5gm
+  url: https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+  title: Camaleon CMS vulnerable to remote code execution through code injection (GHSL-2024-185)
+  date: 2024-09-23
+  description: |
+    The [actions](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L51-L52) defined inside of the MediaController class do not check whether a given path is inside a certain path (e.g. inside the media folder). If an attacker performed an account takeover of an administrator account (See: GHSL-2024-184) they could delete arbitrary files or folders on the server hosting Camaleon CMS. The [crop_url](https://github.com/owen2345/camaleon-cms/blob/feccb96e542319ed608acd3a16fa5d92f13ede67/app/controllers/camaleon_cms/admin/media_controller.rb#L64-L65) action might make arbitrary file writes (similar impact to GHSL-2024-182) for any authenticated user possible, but it doesn't seem to work currently.
+
+    Arbitrary file deletion can be exploited with following code path:
+    The parameter folder flows from the actions method:
+    ```ruby
+      def actions
+        authorize! :manage, :media if params[:media_action] != 'crop_url'
+        params[:folder] = params[:folder].gsub('//', '/') if params[:folder].present?
+        case params[:media_action]
+        [..]
+        when 'del_file'
+          cama_uploader.delete_file(params[:folder].gsub('//', '/'))
+          render plain: ''
+    ```
+    into the method delete_file of the CamaleonCmsLocalUploader
+    class (when files are uploaded locally):
+    ```ruby
+    def delete_file(key)
+      file = File.join(@root_folder, key)
+      FileUtils.rm(file) if File.exist? file
+      @instance.hooks_run('after_delete', key)
+      get_media_collection.find_by_key(key).take.destroy
+    end
+    ```
+    Where it is joined in an unchecked manner with the root folder and
+    then deleted.
+
+    ## Proof of concept
+    The following request would delete the file README.md in the top folder of the Ruby on Rails application. (The values for auth_token, X-CSRF-Token and _cms_session would also need to be replaced with authenticated values in the curl command below)
+    ```
+    curl --path-as-is -i -s -k -X $'POST' \
+        -H $'X-CSRF-Token: [..]' -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Accept: */*' -H $'Connection: keep-alive' \
+        -b $'auth_token=[..]; _cms_session=[..]' \
+        --data-binary $'versions=&thumb_size=&formats=&media_formats=&dimension=&private=&folder=..
+    2F..
+    2F..
+    2FREADME.md&media_action=del_file' \
+        $'https://<camaleon-host>/admin/media/actions?actions=true'
+    ```
+
+    ## Impact
+
+    This issue may lead to a defective CMS or system.
+
+    ## Remediation
+
+    Normalize all file paths constructed from untrusted user input before using them and check that the resulting path is inside the
+    targeted directory. Additionally, do not allow character sequences such as .. in untrusted input that is used to build paths.
+
+    ## See also:
+
+    [CodeQL: Uncontrolled data used in path expression](https://codeql.github.com/codeql-query-help/ruby/rb-path-injection/)
+    [OWASP: Path Traversal](https://owasp.org/www-community/attacks/Path_Traversal)
+  patched_versions:
+  - ">= 2.8.1"
+  related:
+    url:
+    - https://github.com/owen2345/camaleon-cms/security/advisories/GHSA-7x4w-cj9r-h4v9
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/camaleon_cms/GHSA-7x4w-cj9r-h4v9.yml
+    - https://github.com/advisories/GHSA-3hp8-6j24-m5gm
+---

advisories/_posts/2025-03-12-GHSA-hw46-3hmr-x9xv.md

@@ -0,0 +1,39 @@
+---
+layout: advisory
+title: 'GHSA-hw46-3hmr-x9xv (omniauth-saml): omniauth-saml has dependency on ruby-saml
+  version with Signature Wrapping Attack issue'
+comments: false
+categories:
+- omniauth-saml
+advisory:
+  gem: omniauth-saml
+  ghsa: hw46-3hmr-x9xv
+  url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
+  title: omniauth-saml has dependency on ruby-saml version with Signature Wrapping
+    Attack issue
+  date: 2025-03-12
+  description: |-
+    ### Summary
+    There are 2 new Critical Signature Wrapping Vulnerabilities (CVE-2025-25292, CVE-2025-25291) and a potential DDOS Moderated Vulneratiblity (CVE-2025-25293) affecting ruby-saml, a dependency of omniauth-saml.
+
+    The fix will be applied to ruby-saml and released 12 March 2025, under version 1.18.0.
+
+    Please [upgrade](https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16) the ruby-saml requirement to v1.18.0.
+
+    ### Impact
+    Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.
+  cvss_v4: 9.3
+  patched_versions:
+  - "~> 1.10.6"
+  - "~> 2.1.3"
+  - ">= 2.2.3"
+  related:
+    url:
+    - https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-hw46-3hmr-x9xv
+    - https://github.com/omniauth/omniauth-saml/commit/0d5eaa0d808acb2ac96deadf5c750ac1cf2d92b5
+    - https://github.com/omniauth/omniauth-saml/commit/2c8a482801808bbcb0188214bde74680b8018a35
+    - https://github.com/omniauth/omniauth-saml/commit/7a348b49083462a566af41a5ae85e9f3af15b985
+    - https://github.com/omniauth/omniauth-saml/blob/master/omniauth-saml.gemspec#L16
+    - https://rubygems.org/gems/omniauth-saml/versions/2.2.3
+    - https://github.com/advisories/GHSA-hw46-3hmr-x9xv
+---