jasnow · June 21, 2023 13:50 · postmodern · Jun 21, 2023 · jasnow · Jun 21, 2023
diff --git a/gistfile1.txt b/gistfile1.txt
 diff --git a/gems/actionpack/CVE-2014-7818.yml b/gems/actionpack/CVE-2014-7818.yml
 index 7b801ab..42df6ed 100644
 --- a/gems/actionpack/CVE-2014-7818.yml
 +++ b/gems/actionpack/CVE-2014-7818.yml
 @@ -1,21 +1,73 @@
 ---
 gem: actionpack
 -framework: rails
 cve: 2014-7818
 ghsa: 29gr-w57f-rpfw
 -url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
 -title: Arbitrary file existence disclosure in Action Pack
 -date: 2014-10-30
 -description: |
 -  Specially crafted requests can be used to determine whether a file exists on
 -  the filesystem that is outside the Rails application's root directory.  The
 -  files will not be served, but attackers can determine whether or not the file
 -  exists.
 -cvss_v2: 4.3
 +url: https://github.com/advisories/GHSA-29gr-w57f-rpfw
 +title: actionpack vulnerable to Path Traversal
 +date: 2017-10-24
 +description: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb
 +  in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before
 +  4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows
 +  remote attackers to determine the existence of files outside the application root
 +  via a /..%2F sequence.
 +cvss_v3: "<FILL IN IF AVAILABLE>"
 unaffected_versions:
 -  - "< 3.0.0"
 +- "<OPTIONAL: FILL IN SEE BELOW>"
 patched_versions:
 -  - "~> 3.2.20"
 -  - "~> 4.0.11"
 -  - "~> 4.1.7"
 -  - ">= 4.2.0.beta3"
 +- "~> 3.2.20"
 +- "~> 4.0.11"
 +- ">= 4.1.7"
 +related:
 +  url:
 +  - url: https://nvd.nist.gov/vuln/detail/CVE-2014-7818
 +  - url: https://github.com/advisories/GHSA-29gr-w57f-rpfw
 +  - url: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
 +  - url: https://puppet.com/security/cve/cve-2014-7829
 +  - url: http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
 +
 +
 +# GitHub advisory data below - **Remove this data before committing**
 +# Use this data to write patched_versions (and potentially unaffected_versions) above
 +---
 +identifiers:
 +- type: GHSA
 +  value: GHSA-29gr-w57f-rpfw
 +- type: CVE
 +  value: CVE-2014-7818
 +summary: actionpack vulnerable to Path Traversal
 +description: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb
 +  in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before
 +  4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows
 +  remote attackers to determine the existence of files outside the application root
 +  via a /..%2F sequence.
 +severity: MODERATE
 +cvss:
 +  score: 0.0
 +  vectorString: 
 +references:
 +- url: https://nvd.nist.gov/vuln/detail/CVE-2014-7818
 +- url: https://github.com/advisories/GHSA-29gr-w57f-rpfw
 +- url: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
 +- url: https://puppet.com/security/cve/cve-2014-7829
 +- url: http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
 +publishedAt: '2017-10-24T18:33:36Z'
 +withdrawnAt: 
 +vulnerabilities:
 +- package:
 +    name: actionpack
 +    ecosystem: RUBYGEMS
 +  vulnerableVersionRange: ">= 4.1.0, < 4.1.7"
 +  firstPatchedVersion:
 +    identifier: 4.1.7
 +- package:
 +    name: actionpack
 +    ecosystem: RUBYGEMS
 +  vulnerableVersionRange: ">= 4.0.0, < 4.0.11"
 +  firstPatchedVersion:
 +    identifier: 4.0.11
 +- package:
 +    name: actionpack
 +    ecosystem: RUBYGEMS
 +  vulnerableVersionRange: ">= 3.0.0, < 3.2.20"
 +  firstPatchedVersion:
 +    identifier: 3.2.20
	diff --git a/gems/actionpack/CVE-2014-7818.yml b/gems/actionpack/CVE-2014-7818.yml
	index 7b801ab..42df6ed 100644
	--- a/gems/actionpack/CVE-2014-7818.yml
	+++ b/gems/actionpack/CVE-2014-7818.yml
	@@ -1,21 +1,73 @@
	---
	gem: actionpack
	-framework: rails
	cve: 2014-7818
	ghsa: 29gr-w57f-rpfw
	-url: https://groups.google.com/forum/#!topic/rubyonrails-security/dCp7duBiQgo
	-title: Arbitrary file existence disclosure in Action Pack
	-date: 2014-10-30
	-description: \|
	- Specially crafted requests can be used to determine whether a file exists on
	- the filesystem that is outside the Rails application's root directory. The
	- files will not be served, but attackers can determine whether or not the file
	- exists.
	-cvss_v2: 4.3
	+url: https://github.com/advisories/GHSA-29gr-w57f-rpfw
	+title: actionpack vulnerable to Path Traversal
	+date: 2017-10-24
	+description: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb
	+ in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before
	+ 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows
	+ remote attackers to determine the existence of files outside the application root
	+ via a /..%2F sequence.
	+cvss_v3: "<FILL IN IF AVAILABLE>"
	unaffected_versions:
	- - "< 3.0.0"
	+- "<OPTIONAL: FILL IN SEE BELOW>"
	patched_versions:
	- - "~> 3.2.20"
	- - "~> 4.0.11"
	- - "~> 4.1.7"
	- - ">= 4.2.0.beta3"
	+- "~> 3.2.20"
	+- "~> 4.0.11"
	+- ">= 4.1.7"
	+related:
	+ url:
	+ - url: https://nvd.nist.gov/vuln/detail/CVE-2014-7818
	+ - url: https://github.com/advisories/GHSA-29gr-w57f-rpfw
	+ - url: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
	+ - url: https://puppet.com/security/cve/cve-2014-7829
	+ - url: http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
	+
	+
	+# GitHub advisory data below - Remove this data before committing
	+# Use this data to write patched_versions (and potentially unaffected_versions) above
	+---
	+identifiers:
	+- type: GHSA
	+ value: GHSA-29gr-w57f-rpfw
	+- type: CVE
	+ value: CVE-2014-7818
	+summary: actionpack vulnerable to Path Traversal
	+description: Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb
	+ in Action Pack in Ruby on Rails 3.x before 3.2.20, 4.0.x before 4.0.11, 4.1.x before
	+ 4.1.7, and 4.2.x before 4.2.0.beta3, when serve_static_assets is enabled, allows
	+ remote attackers to determine the existence of files outside the application root
	+ via a /..%2F sequence.
	+severity: MODERATE
	+cvss:
	+ score: 0.0
	+ vectorString:
	+references:
	+- url: https://nvd.nist.gov/vuln/detail/CVE-2014-7818
	+- url: https://github.com/advisories/GHSA-29gr-w57f-rpfw
	+- url: https://groups.google.com/forum/message/raw?msg=rubyonrails-security/dCp7duBiQgo/v_R_8PFs5IwJ
	+- url: https://puppet.com/security/cve/cve-2014-7829
	+- url: http://lists.opensuse.org/opensuse-updates/2014-11/msg00112.html
	+publishedAt: '2017-10-24T18:33:36Z'
	+withdrawnAt:
	+vulnerabilities:
	+- package:
	+ name: actionpack
	+ ecosystem: RUBYGEMS
	+ vulnerableVersionRange: ">= 4.1.0, < 4.1.7"
	+ firstPatchedVersion:
	+ identifier: 4.1.7
	+- package:
	+ name: actionpack
	+ ecosystem: RUBYGEMS
	+ vulnerableVersionRange: ">= 4.0.0, < 4.0.11"
	+ firstPatchedVersion:
	+ identifier: 4.0.11
	+- package:
	+ name: actionpack
	+ ecosystem: RUBYGEMS
	+ vulnerableVersionRange: ">= 3.0.0, < 3.2.20"
	+ firstPatchedVersion:
	+ identifier: 3.2.20