GHSA Sync: 5 more new advisories

gems/grpc/CVE-2023-1428.yml

@@ -0,0 +1,32 @@
+---
+gem: grpc
+cve: 2023-1428
+ghsa: 6628-q6j9-w8vg
+url: https://github.com/grpc/grpc/issues/33463
+title: gRPC Reachable Assertion issue
+date: 2023-07-06
+description: |
+  There exists an vulnerability causing an abort() to be called in gRPC.
+  The following headers cause gRPC's C++ implementation to abort()
+  when called via http2:
+
+  te: x (x != trailers)
+
+  :scheme: x (x != http, https)
+
+  grpclb_client_stats: x (x == anything)
+
+  On top of sending one of those headers, a later header must be sent
+  that gets the total header size past 8KB. We recommend upgrading
+  past git commit 2485fa94bd8a723e5c977d55a3ce10b301b437f8 or v1.53
+  and above.
+cvss_v3: 7.5
+patched_versions:
+  - ">= 1.53.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-1428
+    - https://github.com/grpc/grpc/issues/33463
+    - https://github.com/grpc/grpc/pull/32507
+    - https://github.com/grpc/grpc/commit/2485fa94bd8a723e5c977d55a3ce10b301b437f8
+    - https://github.com/advisories/GHSA-6628-q6j9-w8vg

gems/grpc/CVE-2023-32732.yml

@@ -0,0 +1,22 @@
+---
+gem: grpc
+cve: 2023-32732
+ghsa: 9hxf-ppjv-w6rq
+url: https://github.com/grpc/grpc/releases/tag/v1.53.1
+title: gRPC connection termination issue
+date: 2023-07-06
+description: |
+  gRPC contains a vulnerability whereby a client can cause a
+  termination of connection between a HTTP2 proxy and a gRPC server:
+  a base64 encoding error for `-bin` suffixed headers will result in
+  a disconnection by the gRPC server, but is typically allowed by
+  HTTP2 proxies. We recommend upgrading beyond the commit in
+  https://github.com/grpc/grpc/pull/32309.
+cvss_v3: 5.3
+patched_versions:
+  - ">= 1.53.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-32732
+    - https://github.com/grpc/grpc/pull/32309
+    - https://github.com/advisories/GHSA-9hxf-ppjv-w6rq

gems/jquery-rails/CVE-2020-23064.yml

@@ -0,0 +1,29 @@
+---
+gem: jquery-rails
+framework: rails
+cve: 2020-23064
+ghsa: 257q-pv89-v3xv
+url: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
+title: jQuery Cross Site Scripting vulnerability
+date: 2023-06-26
+description: |
+  Cross Site Scripting vulnerability in jQuery v.2.2.0 until v.3.5.0
+  allows a remote attacker to execute arbitrary code via the
+  `<options>` element.
+cvss_v3: 6.1
+unaffected_versions:
+  - "< 4.1.0"
+patched_versions:
+  - ">= 4.4.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2020-23064
+    - https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
+    - https://github.com/rails/jquery-rails/blob/v4.4.0/vendor/assets/javascripts/jquery3.js#L6162
+    - https://github.com/rails/jquery-rails/blob/v4.3.5/vendor/assets/javascripts/jquery3.js#L5979
+    - https://snyk.io/vuln/SNYK-JS-JQUERY-565129
+    - https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
+    - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#410
+    - https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
+
+    - https://github.com/advisories/GHSA-257q-pv89-v3xv

gems/nokogiri/CVE-2019-18197.yml

@@ -0,0 +1,43 @@
+---
+gem: nokogiri
+cve: 2019-18197
+ghsa: 242x-7cm6-4w8j
+url: https://github.com/sparklemotion/nokogiri/issues/1943
+title: Nokogiri affected by libxslt Use of Uninitialized Resource/
+  Use After Free vulnerability
+date: 2022-05-24
+description: |
+  In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable
+  isn't reset under certain circumstances. If the relevant memory area
+  happened to be freed and reused in a certain way, a bounds check could
+  fail and memory outside a buffer could be written to, or uninitialized
+  data could be disclosed.
+
+  Nokogiri prior to version 1.10.5 contains a vulnerable version of
+  libxslt. Nokogiri version 1.10.5 upgrades the dependency to
+  libxslt 1.1.34, which contains a patch for this issue.
+cvss_v2: 5.1
+cvss_v3: 7.5
+patched_versions:
+  - ">= 1.10.5"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-18197
+    - https://github.com/sparklemotion/nokogiri/issues/1943
+    - https://github.com/sparklemotion/nokogiri/blob/01ab95f3e37429ed8d3b380a8d2f73902eb325d9/CHANGELOG.md?plain=1#L934
+    - https://access.redhat.com/errata/RHSA-2020:0514
+    - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15746
+    - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15768
+    - https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=15914
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/2232473733b7313d67de8836ea3b29eec6e8e285
+    - https://lists.debian.org/debian-lts-announce/2019/10/msg00037.html
+    - https://security.netapp.com/advisory/ntap-20191031-0004
+    - https://security.netapp.com/advisory/ntap-20200416-0004
+    - https://usn.ubuntu.com/4164-1
+    - https://www.oracle.com/security-alerts/cpuapr2020.html
+    - http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00010.html
+    - http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00015.html
+    - http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00025.html
+    - http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00062.html
+    - http://www.openwall.com/lists/oss-security/2019/11/17/2
+    - https://github.com/advisories/GHSA-242x-7cm6-4w8j

gems/nokogiri/CVE-2019-5815.yml

@@ -0,0 +1,26 @@
+---
+gem: nokogiri
+cve: 2019-5815
+ghsa: vmfx-gcfq-wvm2
+url: https://github.com/sparklemotion/nokogiri/issues/2630
+title: Nokogiri implementation of libxslt vulnerable to heap corruption
+date: 2022-05-24
+description: |
+  Type confusion in `xsltNumberFormatGetMultipleLevel` prior to
+  libxslt 1.1.33 could allow attackers to potentially exploit heap
+  corruption via crafted XML data.
+
+  Nokogiri prior to version 1.10.5 contains a vulnerable version of
+  libxslt. Nokogiri version 1.10.5 upgrades the dependency to
+  libxslt 1.1.34, which contains a patch for this issue.
+cvss_v2: 5.0
+cvss_v3: 7.5
+patched_versions:
+  - ">= 1.10.5"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2019-5815
+    - https://github.com/sparklemotion/nokogiri/issues/2630
+    - https://gitlab.gnome.org/GNOME/libxslt/commit/08b62c25871b38d5d573515ca8a065b4b8f64f6b
+    - https://lists.debian.org/debian-lts-announce/2022/09/msg00010.html
+    - https://github.com/advisories/GHSA-vmfx-gcfq-wvm2