-
-
Notifications
You must be signed in to change notification settings - Fork 221
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add advisories from SRC:CLR #238
Comments
admin-upmin, upmin and shoppe -- https://srcclr.com/security/cross-site-request-forgery-csrf-due-to/ruby/s-2266 |
@reedloden regarding spina ruby gem #250 |
Not sure https://srcclr.com is an active web site. |
You are correct, SourceClear was purchased by Veracode. The easiest way to find the links now would be to search the s-* number at https://sca.analysiscenter.veracode.com/vulnerability-database IE; Activeadmin that @reedloden posted is here: https://sca.analysiscenter.veracode.com/vulnerability-database/security/cross-site-scripting-xss-through-modal-dialog/ruby/sid-2276/summary |
@VanessaHenderson - Thanks for the education. |
Need a list of specific "puppet" URLs. |
It appears that "s-2272" for devise_invitable may have be withdrawn if this is the same advisory: GHSA-wj5j-xpcj-45gc |
It looks like SourceClear itself hasn't withdrawn the item, I wonder why GitHub withdrew it... |
Looks like all of the non-PR #616 advisories, including s-2272, appears to need a CVE/GHSA/etc ID before it is added to ruby-advisory-db repo so time will tell. |
Ah yeah that'd probably do it. SourceClear/Veracode adds vulnerabilities that aren't necessarily assigned CVEs, basing on code fixes etc instead of solely CVE |
Just a todo list I figured I should put somewhere more public... Need to add advisories for all these:
ruby_rncryptor / ruby_rncryptor_secured -- https://srcclr.com/security/timing-attacks/ruby/s-1938
spina -- https://srcclr.com/security/cross-site-request-forgery-csrf/ruby/s-1686
logstash-core -- https://srcclr.com/security/factoring-attack-rsa-export-keys-freak/ruby/s-1745
https://srcclr.com/security/man-middle-mitm-attacks/ruby/s-1798
facter -- https://srcclr.com/security/disclosure-amazon-ec2-iam-instance/ruby/s-1508
https://srcclr.com/security/elevation-privileges-untrusted-search/ruby/s-1586
kafo -- https://srcclr.com/security/world-readable-permissions-as-default/ruby/s-740
puppet -- https://srcclr.com/catalog/search#query=type:vulnerability%20puppet
The text was updated successfully, but these errors were encountered: