Various additions, modifications

* Add activerecord/CVE-2022-32224
* Add diffy/CVE-2022-33127
* Add mechanize/CVE-2022-31033
* Add octokit/CVE-2022-31072
* Add octopoller/CVE-2022-31071
* Add opensearch-ruby/CVE-2022-31115
* Add passenger/CVE-2017-16355
* Add passenger/CVE-2018-12615
* Add red-arrow/CVE-2019-12408
* Add red-arrow/CVE-2019-12410
* Clean-up rails-html-sanitizer/CVE-2022-32209
* Rename ruby-mysql/CVE-2021-32740 -> ruby-mysql/CVE-2021-3779
* Add CVSSv3 for dragonfly/CVE-2021-33473 and jmespath/CVE-2022-32511

Thanks to GitHub Security Advisories where applicable

gems/activerecord/CVE-2022-32224.yml

@@ -0,0 +1,77 @@
+---
+gem: activerecord
+framework: rails
+cve: 2022-32224
+ghsa: 3hhc-qp5v-9p2j
+url: https://groups.google.com/g/rubyonrails-security/c/MmFO3LYQE8U
+title: Possible RCE escalation bug with Serialized Columns in Active Record
+date: 2022-07-12
+description: |
+  There is a possible escalation to RCE when using YAML serialized columns in
+  Active Record. This vulnerability has been assigned the CVE identifier
+  CVE-2022-32224.
+
+  Versions Affected:  All.
+  Not affected:       None
+  Fixed Versions:     7.0.3.1, 6.1.6.1, 6.0.5.1, 5.2.8.1
+
+  Impact
+  ------
+  When serialized columns that use YAML (the default) are deserialized, Rails
+  uses `YAML.unsafe_load` to convert the YAML data in to Ruby objects.  If an
+  attacker can manipulate data in the database (via means like SQL injection),
+  then it may be possible for the attacker to escalate to an RCE.
+
+  Impacted Active Record models will look something like this:
+
+  ```ruby
+  class User < ApplicationRecord
+    serialize :options       # Vulnerable: Uses YAML for serialization
+    serialize :values, Array # Vulnerable: Uses YAML for serialization
+    serialize :values, JSON  # Not vulnerable
+  end
+  ```
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
+
+  The released versions change the default YAML deserializer to use
+  `YAML.safe_load`, which prevents deserialization of possibly dangerous
+  objects.  This may introduce backwards compatibility issues with existing
+  data.
+
+  In order to cope with that situation, the released version also contains two
+  new Active Record configuration options.  The configuration options are as
+  follows:
+
+  * `config.active_storage.use_yaml_unsafe_load`
+
+  When set to true, this configuration option tells Rails to use the old
+  "unsafe" YAML loading strategy, maintaining the existing behavior but leaving
+  the possible escalation vulnerability in place.  Setting this option to true
+  is *not* recommended, but can aid in upgrading.
+
+  * `config.active_record.yaml_column_permitted_classes`
+
+  The "safe YAML" loading method does not allow all classes to be deserialized
+  by default.  This option allows you to specify classes deemed "safe" in your
+  application.  For example, if your application uses Symbol and Time in
+  serialized data, you can add Symbol and Time to the allowed list as follows:
+
+  ```
+  config.active_record.yaml_column_permitted_classes = [Symbol, Date, Time]
+  ```
+
+  Workarounds
+  -----------
+  There are no feasible workarounds for this issue, but other coders (such as
+  JSON) are not impacted.
+patched_versions:
+- "~> 5.2.8, >= 5.2.8.1"
+- "~> 6.0.5, >= 6.0.5.1"
+- "~> 6.1.6, >= 6.1.6.1"
+- ">= 7.0.3.1"

gems/diffy/CVE-2022-33127.yml

@@ -0,0 +1,17 @@
+---
+gem: diffy
+cve: 2022-33127
+ghsa: 5ww9-9qp2-x524
+url: https://github.com/samg/diffy/commit/478f392082b66d38f54a02b4bb9c41be32fd6593
+title: Improper handling of double quotes in file name in Diffy in Windows environment
+date: 2022-06-24
+description: |
+  The function that calls the diff tool in versions of Diffy prior to 3.4.1
+  does not properly handle double quotes in a filename when run in a Windows environment.
+  This allows attackers to execute arbitrary commands via a crafted string.
+cvss_v3: 9.8
+patched_versions:
+- ">= 3.4.1"
+related:
+  url:
+  - https://github.com/samg/diffy/blob/56fd935aea256742f7352b050592542d3d153bf6/CHANGELOG#L1

gems/dragonfly/CVE-2021-33473.yml

@@ -9,6 +9,7 @@ description: |
   An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows
   attackers to read and write arbitrary files when the verify_url option is disabled.
   This vulnerability is exploited via a crafted URL.
+cvss_v3: 9.1
 patched_versions:
 - ">= 1.4.0"
 related:

gems/jmespath/CVE-2022-32511.yml

@@ -8,6 +8,7 @@ date: 2022-06-07
 description: |
   jmespath.rb (aka JMESPath for Ruby) before 1.6.1 uses JSON.load in a
   situation where JSON.parse is preferable.
+cvss_v3: 9.8
 patched_versions:
 - ">= 1.6.1"
 related:

gems/mechanize/CVE-2022-31033.yml

@@ -0,0 +1,37 @@
+---
+gem: mechanize
+cve: 2022-31033
+ghsa: 64qm-hrgp-pgr9
+url: https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9
+title: Authorization header leak on port redirect in mechanize
+date: 2022-06-09
+description: |
+  **Summary**
+
+  Mechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a
+  redirect to a different port on the same site.
+
+  **Mitigation**
+
+  Upgrade to Mechanize v2.8.5 or later.
+
+  **Notes**
+
+  See [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl.
+
+  Cookies are shared with a server at a different port on the same site, per
+  https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:
+
+  > Cookies do not provide isolation by port.  If a cookie is readable
+  > by a service running on one port, the cookie is also readable by a
+  > service running on another port of the same server.  If a cookie is
+  > writable by a service on one port, the cookie is also writable by a
+  > service running on another port of the same server.  For this
+  > reason, servers SHOULD NOT both run mutually distrusting services on
+  > different ports of the same host and use cookies to store security-
+  > sensitive information.
+patched_versions:
+- ">= 2.8.5"
+related:
+  url:
+  - https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317

gems/octokit/CVE-2022-31072.yml

@@ -0,0 +1,40 @@
+---
+gem: octokit
+cve: 2022-31072
+ghsa: g28x-pgr3-qqx6
+url: https://github.com/octokit/octokit.rb/security/advisories/GHSA-g28x-pgr3-qqx6
+title: Octokit gem published with world-writable files
+date: 2022-06-15
+description: |
+  ### Impact
+
+  Versions [4.23.0](https://rubygems.org/gems/octokit/versions/4.23.0)
+  and [4.24.0](https://rubygems.org/gems/octokit/versions/4.24.0) of the octokit gem
+  were published containing world-writeable files.
+
+  Specifically, the gem was packed
+  with files having their permissions set to `-rw-rw-rw-` (i.e. 0666) instead of `rw-r--r--`
+  (i.e. 0644). This means everyone who is not the owner (Group and Public) with access
+  to the instance where this release had been installed could modify the world-writable
+  files from this gem.
+
+  Malicious code already present and running on your machine,
+  separate from this package, could modify the gem’s files and change its behavior
+  during runtime.
+
+  ### Patches
+
+  * [octokit 4.25.0](https://rubygems.org/gems/octokit/versions/4.25.0)
+
+  ### Workarounds
+  Users can use the previous version of the gem [v4.22.0](https://rubygems.org/gems/octokit/versions/4.22.0).
+  Alternatively, users can modify the file permissions manually until they are able
+  to upgrade to the latest version.
+cvss_v3: 2.5
+unaffected_versions:
+- "< 4.23.0, >= 4.25.0"
+patched_versions:
+- ">= 4.25.0"
+related:
+  url:
+  - https://github.com/octokit/octokit.rb/commit/1c8edecc9cf23d1ceb959d91a416a69f55ce7d55

gems/octopoller/CVE-2022-31071.yml

@@ -0,0 +1,34 @@
+---
+gem: octopoller
+cve: 2022-31071
+ghsa: 26qj-cr27-r5c4
+url: https://github.com/octokit/octopoller.rb/security/advisories/GHSA-26qj-cr27-r5c4
+title: Octopoller gem published with world-writable files
+date: 2022-06-15
+description: |
+  ### Impact
+
+  Version [0.2.0](https://rubygems.org/gems/octopoller/versions/0.2.0)
+  of the octopoller gem was published containing world-writeable files. Specifically,
+  the gem was packed with files having their permissions set to `-rw-rw-rw-` (i.e.
+  0666) instead of `rw-r--r--` (i.e. 0644).
+
+  This means everyone who is not the owner (Group and Public) with access to the
+  instance where this release had been installed could modify the world-writable
+  files from this gem.
+
+  Malicious code already present and running on your machine, separate from this
+  package, could modify the gem’s files and change its behavior during runtime.
+
+  ### Patches
+  * octopoller v0.3.0
+
+  ### Workarounds
+  Users can use the previous version of the gem [v0.1.0](https://rubygems.org/gems/octopoller/versions/0.1.0).
+  Alternatively, users can modify the file permissions manually until they are able
+  to upgrade to the latest version.
+cvss_v3: 2.5
+unaffected_versions:
+- "!= 0.2.0"
+patched_versions:
+- ">= 0.3.0"

gems/opensearch-ruby/CVE-2022-31115.yml

@@ -0,0 +1,23 @@
+---
+gem: opensearch-ruby
+cve: 2022-31115
+ghsa: 977c-63xq-cgw3
+url: https://github.com/opensearch-project/opensearch-ruby/security/advisories/GHSA-977c-63xq-cgw3
+title: Unsafe YAML deserialization in opensearch-ruby
+date: 2022-07-05
+description: |
+  ### Impact
+  A YAML deserialization in opensearch-ruby 2.0.0 can lead to unsafe deserialization using
+  YAML.load if the response is of type YAML.
+
+  ### Patches
+  The problem has been patched in opensearch-ruby gem version 2.0.2.
+
+  ### Workarounds
+  No viable workaround.  Please upgrade to 2.0.2
+patched_versions:
+- ">= 2.0.2"
+related:
+  url:
+  - https://github.com/opensearch-project/opensearch-ruby/pull/77
+  - https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/

gems/passenger/CVE-2017-16355.yml

@@ -0,0 +1,21 @@
+---
+gem: passenger
+cve: 2017-16355
+ghsa: cv3f-px9r-54hm
+url: https://github.com/phusion/passenger/commit/4043718264095cde6623c2cbe8c644541036d7bf
+title: Phusion Passenger information disclosure
+date: 2022-05-13
+description: |
+  In agent/Core/SpawningKit/Spawner.h in Phusion Passenger 5.1.10 (fixed
+  in Passenger Open Source 5.1.11 and Passenger Enterprise 5.1.10), if Passenger is
+  running as root, it is possible to list the contents of arbitrary files on a system
+  by symlinking a file named REVISION from the application root folder to a file of
+  choice and querying passenger-status --show=xml.
+cvss_v3: 4.7
+patched_versions:
+- ">= 5.1.11"
+related:
+  url:
+  - https://blog.phusion.nl/2017/10/13/passenger-security-advisory-5-1-11/
+  - https://seclists.org/bugtraq/2019/Mar/34
+  - https://www.debian.org/security/2019/dsa-4415

gems/passenger/CVE-2018-12615.yml

@@ -0,0 +1,15 @@
+---
+gem: passenger
+cve: 2018-12615
+ghsa: 4284-jfhc-f854
+url: https://github.com/phusion/passenger/commit/4e97fdb86d0a0141ec9a052c6e691fcd07bb45c8
+title: Phusion Passenger incorrect permission assignment
+date: 2022-05-13
+description: |
+  An issue was discovered in switchGroup() in agent/ExecHelper/ExecHelperMain.cpp
+  in Phusion Passenger before 5.3.2. The set of groups (gidset) is not set correctly,
+  leaving it up to randomness (i.e., uninitialized memory) which supplementary groups
+  are actually being set while lowering privileges.
+cvss_v3: 5.3
+patched_versions:
+- ">= 5.3.2"

gems/rails-html-sanitizer/CVE-2022-32209.yml

@@ -1,9 +1,10 @@
 ---
 gem: rails-html-sanitizer
 cve: 2022-32209
+ghsa: pg8v-g4xq-hww9
 url: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
 title: Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
-date: 2022-06-10
+date: 2022-06-09
 description: |
   There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
   This vulnerability has been assigned the CVE identifier CVE-2022-32209.
@@ -14,12 +15,12 @@ description: |
 
   ## Impact
 
-  A possible XSS vulnerability with certain configurations of
-  Rails::Html::Sanitizer may allow an attacker to inject content if the
-  application developer has overridden the sanitizer's allowed tags to allow
-  both `select` and `style` elements.
+  A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
+  may allow an attacker to inject content if the application developer has overridden
+  the sanitizer's allowed tags to allow both `select` and `style` elements.
 
-  Code is only impacted if allowed tags are being overridden. This may be done via application configuration:
+  Code is only impacted if allowed tags are being overridden. This may be done via
+  application configuration:
 
   ```ruby
   # In config/application.rb
@@ -50,18 +51,12 @@ description: |
   Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
   ```
 
-  All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.
-
-  ## Releases
-
-  The FIXED releases are available at the normal locations.
+  All users overriding the allowed tags by any of the above mechanisms to include
+  both "select" and "style" should either upgrade or use one of the workarounds immediately.
 
   ## Workarounds
 
   Remove either `select` or `style` from the overridden allowed tags.
-
-  ## Credits
-
-  This vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).
+cvss_v3: 6.1
 patched_versions:
-- '>= 1.4.3'
+- ">= 1.4.3"

gems/red-arrow/CVE-2019-12408.yml

@@ -0,0 +1,22 @@
+---
+gem: red-arrow
+cve: 2019-12408
+ghsa: 8cw2-jv5c-c825
+url: https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E
+title: Missing Initialization of Resource in Apache Arrow
+date: 2022-05-24
+description: |
+  It was discovered that the C++ implementation (which underlies the R,
+  Python and Ruby implementations) of Apache Arrow 0.14.0 to 0.14.1 had a uninitialized
+  memory bug when building arrays with null values in some cases. This can lead to
+  uninitialized memory being unintentionally shared if Arrow Arrays are transmitted
+  over the wire (for instance with Flight) or persisted in the streaming IPC and file
+  formats.
+cvss_v3: 7.5
+unaffected_versions:
+- "< 0.14.0"
+patched_versions:
+- ">= 0.15.1"
+related:
+  url:
+  - https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E

gems/red-arrow/CVE-2019-12410.yml

@@ -0,0 +1,23 @@
+---
+gem: red-arrow
+cve: 2019-12410
+ghsa: cjw4-2w9r-r8mv
+url: https://lists.apache.org/thread.html/49f067b1c5fb7493d952580f0d2d032819ba351f7a78743c21126269@%3Cdev.arrow.apache.org%3E
+title: Missing Initialization of Resource in Apache Arrow
+date: 2022-05-24
+description: |
+  While investigating UBSAN errors in https://github.com/apache/arrow/pull/5365
+  it was discovered Apache Arrow versions 0.12.0 to 0.14.1, left memory Array data
+  uninitialized when reading RLE null data from parquet. This affected the C++, Python,
+  Ruby and R implementations. The uninitialized memory could potentially be shared
+  if are transmitted over the wire (for instance with Flight) or persisted in the
+  streaming IPC and file formats.
+cvss_v3: 7.5
+unaffected_versions:
+- "< 0.12.0"
+patched_versions:
+- ">= 0.15.1"
+related:
+  url:
+  - https://lists.apache.org/thread.html/efd8bbf57427d3c303b5316d208a335f8d0c0dbe0dc4c87cfa995073@%3Cannounce.apache.org%3E
+  - http://www.openwall.com/lists/oss-security/2019/11/08/1

gems/ruby-mysql/CVE-2021-32740.yml → gems/ruby-mysql/CVE-2021-3779.yml

@@ -1,6 +1,6 @@
 ---
 gem: ruby-mysql
-cve: 2021-32740
+cve: 2021-3779
 url: https://www.rapid7.com/blog/post/2022/06/28/cve-2021-3779-ruby-mysql-gem-client-file-read-fixed/
 date: 2022-06-28
 title: ruby-mysql Client File Read