Sync with GitHub Security Advisories

* Add asciidoctor/CVE-2018-18385 camaleon_cms/CVE-2018-18260 camaleon_cms/CVE-2021-25969
  camaleon_cms/CVE-2021-25970 camaleon_cms/CVE-2021-25971 camaleon_cms/CVE-2021-25972
  ccsv/CVE-2017-15364 commonmarker/GHSA-636f-xm5j-pj9m fluentd/CVE-2017-10906
  git/CVE-2022-47318 gitaly/CVE-2020-13353 hammer_cli_foreman/CVE-2017-2667 katello/CVE-2016-3072
  katello/CVE-2017-2662 katello/CVE-2018-14623 katello/CVE-2018-16887
  mixlib-archive/CVE-2017-1000026 omniauth-weibo-oauth2/CVE-2019-17268 papercrop/CVE-2015-2784
  publify_core/CVE-2023-0569 sanitize/CVE-2023-23627 smalruby-editor/CVE-2017-2096
  smalruby/CVE-2017-2096 smashing/CVE-2021-35440 xapian-core/CVE-2018-0499

* Add missing metadata to following:
  administrate/CVE-2016-3098 clockwork_web/CVE-2023-25015 curupira/CVE-2015-10053
  devise/CVE-2015-8314 jquery-ui-rails/CVE-2016-7103 xaviershay-dm-rails/CVE-2015-2179

Author: reedloden

gems/administrate/CVE-2016-3098.yml

@@ -1,12 +1,14 @@
 ---
 gem: administrate
 cve: 2016-3098
+ghsa: cc8c-26rj-v2vx
+url: http://seclists.org/oss-sec/2016/q2/0
 title: Cross-site request forgery (CSRF) vulnerability in administrate gem
 date: 2016-04-01
-url: http://seclists.org/oss-sec/2016/q2/0
-description: >-
-  `Administrate::ApplicationController` actions didn't have CSRF
-  protection. Remote attackers can hijack user's sessions and use any
-  functionality that administrate exposes on their behalf.
+description: |
+  "`Administrate::ApplicationController` actions didn't have CSRF protection.
+  Remote attackers can hijack user's sessions and use any functionality that administrate
+  exposes on their behalf."
+cvss_v3: 5.4
 patched_versions:
-- '>= 0.1.5'
+- ">= 0.1.5"

gems/asciidoctor/CVE-2018-18385.yml

@@ -0,0 +1,17 @@
+---
+gem: asciidoctor
+cve: 2018-18385
+ghsa: qc9p-mjxm-j2wj
+url: https://github.com/asciidoctor/asciidoctor/issues/2888
+title: Asciidoctor Infinite Loop vulnerability
+date: 2022-05-13
+description: |
+  Asciidoctor in versions < 1.5.8 allows remote attackers to cause a denial
+  of service (infinite loop). The loop was caused by the fact that `Parser.next_block`
+  was not exhausting all the lines in the reader as the while loop expected it would.
+  This was happening because the regular expression that detects any list was not
+  agreeing with the regular expression that detects a specific list type. So the line
+  kept getting pushed back onto the reader, hence causing the loop.
+cvss_v3: 7.5
+patched_versions:
+- ">= 1.5.8"

gems/camaleon_cms/CVE-2018-18260.yml

@@ -0,0 +1,14 @@
+---
+gem: camaleon_cms
+cve: 2018-18260
+ghsa: 7f84-9cqf-g4j9
+url: http://packetstormsecurity.com/files/149772/CAMALEON-CMS-2.4-Cross-Site-Scripting.html
+title: Camaleon CMS vulnerable to Stored Cross-site Scripting
+date: 2022-05-13
+description: |
+  In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The
+  profile image in the User settings section can be run in the update / upload area
+  via `/admin/media/upload?actions=false`.
+cvss_v3: 6.1
+unaffected_versions:
+- "< 2.4"

gems/camaleon_cms/CVE-2021-25969.yml

@@ -0,0 +1,20 @@
+---
+gem: camaleon_cms
+cve: 2021-25969
+ghsa: x78v-4fvj-rg9j
+url: https://github.com/owen2345/camaleon-cms/commit/05506e9087bb05282c0bae6ccfe0283d0332ab3c
+title: Camaleon CMS Stored Cross-site Scripting vulnerability
+date: 2022-05-24
+description: |
+  In “Camaleon CMS” application, versions 0.0.1 through 2.6.0 are vulnerable
+  to stored XSS, that allows unprivileged application users to store malicious scripts
+  in the comments section of the post. These scripts are executed in a victim’s browser
+  when they open the page containing the malicious comment.
+cvss_v3: 6.1
+unaffected_versions:
+- "< 0.0.1"
+patched_versions:
+- ">= 2.6.0.1"
+related:
+  url:
+  - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25969

gems/camaleon_cms/CVE-2021-25970.yml

@@ -0,0 +1,20 @@
+---
+gem: camaleon_cms
+cve: 2021-25970
+ghsa: 438x-2p9v-g8h9
+url: https://github.com/owen2345/camaleon-cms/commit/77e31bc6cdde7c951fba104aebcd5ebb3f02b030
+title: Camaleon CMS Insufficient Session Expiration vulnerability
+date: 2022-05-24
+description: |
+  Camaleon CMS 0.1.7 through 2.6.0 doesn’t terminate the active session
+  of the users, even after the admin changes the user’s password. A user that was
+  already logged in, will still have access to the application even after the password
+  was changed.
+cvss_v3: 8.8
+unaffected_versions:
+- "< 0.1.7"
+patched_versions:
+- ">= 2.6.0.1"
+related:
+  url:
+  - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25970

gems/camaleon_cms/CVE-2021-25971.yml

@@ -0,0 +1,19 @@
+---
+gem: camaleon_cms
+cve: 2021-25971
+ghsa: r2w2-h6r8-3r53
+url: https://github.com/owen2345/camaleon-cms/commit/ab89584ab32b98a0af3d711e3f508a1d048147d2
+title: Camaleon CMS vulnerable to Uncaught Exception
+date: 2022-05-24
+description: |
+  In Camaleon CMS, versions 2.0.1 through 2.6.0 are vulnerable to an Uncaught
+  Exception. The app's media upload feature crashes permanently when an attacker with
+  a low privileged access uploads a specially crafted .svg file.
+cvss_v3: 4.3
+unaffected_versions:
+- "< 2.0.1"
+patched_versions:
+- ">= 2.6.0.1"
+related:
+  url:
+  - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25971

gems/camaleon_cms/CVE-2021-25972.yml

@@ -0,0 +1,21 @@
+---
+gem: camaleon_cms
+cve: 2021-25972
+ghsa: vx6p-q4gj-x6xx
+url: https://github.com/owen2345/camaleon-cms/commit/5a252d537411fdd0127714d66c1d76069dc7e190
+title: Camaleon CMS vulnerable to Server-Side Request Forgery
+date: 2022-05-24
+description: |
+  In Camaleon CMS, versions 2.1.2.0 through 2.6.0, are vulnerable to Server-Side
+  Request Forgery (SSRF) in the media upload feature, which allows admin users to
+  fetch media files from external URLs but fails to validate URLs referencing to localhost
+  or other internal servers. This allows attackers to read files stored in the internal
+  server.
+cvss_v3: 4.9
+unaffected_versions:
+- "< 2.1.2.0"
+patched_versions:
+- ">= 2.6.0.1"
+related:
+  url:
+  - https://www.whitesourcesoftware.com/vulnerability-database/CVE-2021-25972

gems/ccsv/CVE-2017-15364.yml

@@ -0,0 +1,12 @@
+---
+gem: ccsv
+cve: 2017-15364
+ghsa: 5gxp-c379-pj42
+url: https://github.com/evan/ccsv/issues/15
+title: ccsv Double Free vulnerability
+date: 2022-05-17
+description: |
+  The foreach function in `ext/ccsv.c` in Ccsv 1.1.0 allows remote attackers
+  to cause a denial of service (double free and application crash) or possibly have
+  unspecified other impact via a crafted file.
+cvss_v3: 5.5

gems/clockwork_web/CVE-2023-25015.yml

@@ -1,6 +1,7 @@
 ---
 gem: clockwork_web
 cve: 2023-25015
+ghsa: p4xx-w6fr-c4w9
 url: https://github.com/ankane/clockwork_web/issues/4
 title: CSRF Vulnerability with Rails < 5.2
 date: 2023-02-01
@@ -10,5 +11,6 @@ description: |
   A CSRF attack works by getting an authorized user to visit a malicious website and
   then performing requests on behalf of the user. In this instance, actions include
   enabling and disabling jobs.
+cvss_v3: 6.5
 patched_versions:
 - ">= 0.1.2"

gems/commonmarker/GHSA-636f-xm5j-pj9m.yml

@@ -0,0 +1,38 @@
+---
+gem: commonmarker
+ghsa: 636f-xm5j-pj9m
+url: https://github.com/gjtorikian/commonmarker/security/advisories/GHSA-636f-xm5j-pj9m
+title: Several quadratic complexity bugs may lead to denial of service in Commonmarker
+date: 2023-01-24
+description: |-
+  ## Impact
+
+  Several quadratic complexity bugs in commonmarker's underlying [`cmark-gfm`](https://github.com/github/cmark-gfm)
+  library may lead to unbounded resource exhaustion and subsequent denial of service.
+
+  The following vulnerabilities were addressed:
+
+  * [CVE-2023-22483](https://github.com/github/cmark-gfm/security/advisories/GHSA-29g3-96g3-jg6c)
+  * [CVE-2023-22484](https://github.com/github/cmark-gfm/security/advisories/GHSA-24f7-9frr-5h2r)
+  * [CVE-2023-22485](https://github.com/github/cmark-gfm/security/advisories/GHSA-c944-cv5f-hpvr)
+  * [CVE-2023-22486](https://github.com/github/cmark-gfm/security/advisories/GHSA-r572-jvj2-3m8p)
+
+  For more information, consult the release notes for version
+  [`0.23.0.gfm.7`](https://github.com/github/cmark-gfm/releases/tag/0.29.0.gfm.7).
+
+  ## Mitigation
+
+  Users are advised to upgrade to commonmarker version [`0.23.7`](https://rubygems.org/gems/commonmarker/versions/0.23.7).
+patched_versions:
+- ">= 0.23.7"
+related:
+  cve:
+  - 2023-22483
+  - 2023-22484
+  - 2023-22485
+  - 2023-22486
+  ghsa:
+  - 29g3-96g3-jg6c
+  - 24f7-9frr-5h2r
+  - c944-cv5f-hpvr
+  - r572-jvj2-3m8p