diff --git a/gems/actionpack/CVE-2015-7581.yml b/gems/actionpack/CVE-2015-7581.yml index e77f1b8689..340144592b 100644 --- a/gems/actionpack/CVE-2015-7581.yml +++ b/gems/actionpack/CVE-2015-7581.yml @@ -46,6 +46,8 @@ description: | Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. +cvss_v3: 7.5 + unaffected_versions: - "< 4.0.0" - ">= 5.0.0.beta1" diff --git a/gems/actionpack/CVE-2016-2098.yml b/gems/actionpack/CVE-2016-2098.yml index 203221355c..7ae13b3e1f 100644 --- a/gems/actionpack/CVE-2016-2098.yml +++ b/gems/actionpack/CVE-2016-2098.yml @@ -80,6 +80,8 @@ description: | Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for reporting this! +cvss_v3: 7.3 + unaffected_versions: - ">= 5.0.0.beta1" diff --git a/gems/actionpack/CVE-2020-8264.yml b/gems/actionpack/CVE-2020-8264.yml index f0eac07995..88dbd774f1 100644 --- a/gems/actionpack/CVE-2020-8264.yml +++ b/gems/actionpack/CVE-2020-8264.yml @@ -29,6 +29,8 @@ description: | `config.middleware.delete ActionDispatch::ActionableExceptions` +cvss_v3: 6.1 + unaffected_versions: - "< 6.0.0" diff --git a/gems/actionpack/CVE-2021-22885.yml b/gems/actionpack/CVE-2021-22885.yml index 1c77e6e1a3..fe54fbc131 100644 --- a/gems/actionpack/CVE-2021-22885.yml +++ b/gems/actionpack/CVE-2021-22885.yml @@ -57,6 +57,8 @@ description: | end ``` +cvss_v3: 7.5 + unaffected_versions: - "< 2.0.0" diff --git a/gems/actionview/CVE-2016-2097.yml b/gems/actionview/CVE-2016-2097.yml index 100f7b8ac0..18b07a486c 100644 --- a/gems/actionview/CVE-2016-2097.yml +++ b/gems/actionview/CVE-2016-2097.yml @@ -81,6 +81,8 @@ description: | Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this and working with us in the patch! +cvss_v3: 5.3 + unaffected_versions: - ">= 4.2.0" 
diff --git a/gems/actionview/CVE-2019-5418.yml b/gems/actionview/CVE-2019-5418.yml index 864d7722c2..63b9452d0c 100644 --- a/gems/actionview/CVE-2019-5418.yml +++ b/gems/actionview/CVE-2019-5418.yml @@ -90,6 +90,8 @@ description: | ------- Thanks to John Hawthorn of GitHub +cvss_v3: 7.5 + patched_versions: - "~> 4.2.11, >= 4.2.11.1" - "~> 5.0.7, >= 5.0.7.2" diff --git a/gems/actionview/CVE-2019-5419.yml b/gems/actionview/CVE-2019-5419.yml index b18ffcacce..78a026c5dc 100644 --- a/gems/actionview/CVE-2019-5419.yml +++ b/gems/actionview/CVE-2019-5419.yml @@ -87,6 +87,8 @@ description: | Thanks to John Hawthorn of GitHub +cvss_v3: 7.5 + patched_versions: - ">= 6.0.0.beta3" - "~> 5.2.2, >= 5.2.2.1" diff --git a/gems/actionview/CVE-2020-5267.yml b/gems/actionview/CVE-2020-5267.yml index 8df50fd1ca..7d1b5737ca 100644 --- a/gems/actionview/CVE-2020-5267.yml +++ b/gems/actionview/CVE-2020-5267.yml @@ -64,6 +64,8 @@ description: | end ``` +cvss_v3: 4.0 + patched_versions: - "~> 5.2.4, >= 5.2.4.2" - ">= 6.0.2.2" diff --git a/gems/activejob/CVE-2018-16476.yml b/gems/activejob/CVE-2018-16476.yml index e14fda7b5e..a52643c84a 100644 --- a/gems/activejob/CVE-2018-16476.yml +++ b/gems/activejob/CVE-2018-16476.yml @@ -25,6 +25,8 @@ description: | All users running an affected release should either upgrade or use one of the workarounds immediately. +cvss_v3: 7.5 + unaffected_versions: - "< 4.2.0" diff --git a/gems/activerecord/CVE-2016-6317.yml b/gems/activerecord/CVE-2016-6317.yml index 9f2a390efe..ad07da24b5 100644 --- a/gems/activerecord/CVE-2016-6317.yml +++ b/gems/activerecord/CVE-2016-6317.yml @@ -65,6 +65,8 @@ description: | end ``` +cvss_v3: 7.5 + unaffected_versions: - "< 4.2.0" - ">= 5.0.0" diff --git a/gems/activestorage/CVE-2018-16477.yml b/gems/activestorage/CVE-2018-16477.yml index 70d28dcaec..f5109ce462 100644 --- a/gems/activestorage/CVE-2018-16477.yml +++ b/gems/activestorage/CVE-2018-16477.yml 
@@ -36,6 +36,8 @@ description: | end ``` +cvss_v3: 6.5 + unaffected_versions: - "< 5.2.0" diff --git a/gems/administrate/CVE-2020-5257.yml b/gems/administrate/CVE-2020-5257.yml index b271bf14b7..c57fce9123 100644 --- a/gems/administrate/CVE-2020-5257.yml +++ b/gems/administrate/CVE-2020-5257.yml @@ -16,6 +16,8 @@ description: | Whilst this does have a high-impact, to exploit this you need access to the Administrate dashboards, which should generally be behind authentication. +cvss_v3: 7.7 + patched_versions: - ">= 0.13.0" diff --git a/gems/airbrake-ruby/CVE-2019-16060.yml b/gems/airbrake-ruby/CVE-2019-16060.yml index 800452a860..824620476a 100644 --- a/gems/airbrake-ruby/CVE-2019-16060.yml +++ b/gems/airbrake-ruby/CVE-2019-16060.yml @@ -8,6 +8,8 @@ description: | A flaw in airbrake-ruby v4.2.3 prevented user data from being filtered prior to sending to Airbrake. Such data could be user passwords. Therefore, an app could leak user passwords without knowing it. +cvss_v3: 9.8 + unaffected_versions: - "< 4.2.3" - "> 4.2.3" diff --git a/gems/consul/CVE-2019-16377.yml b/gems/consul/CVE-2019-16377.yml index 06902fade8..73441e7da3 100644 --- a/gems/consul/CVE-2019-16377.yml +++ b/gems/consul/CVE-2019-16377.yml @@ -11,5 +11,7 @@ description: | to all power checks in that controller. This can lead to skipped power checks and hence unauthenticated access to certain controller actions. +cvss_v3: 9.8 + patched_versions: - ">= 1.0.3" diff --git a/gems/devise/CVE-2019-16109.yml b/gems/devise/CVE-2019-16109.yml index 013a5dd327..9c0de586f8 100644 --- a/gems/devise/CVE-2019-16109.yml +++ b/gems/devise/CVE-2019-16109.yml @@ -9,5 +9,7 @@ description: | confirmation_token, if a database record has a blank value in the confirmation_token column. However, there is no scenario within Devise itself in which such database records would exist. +cvss_v3: 5.3 + patched_versions: - ">= 4.7.1" 
diff --git a/gems/dragonfly/CVE-2021-33564.yml b/gems/dragonfly/CVE-2021-33564.yml index 36cf5cabcd..9797b47d4f 100644 --- a/gems/dragonfly/CVE-2021-33564.yml +++ b/gems/dragonfly/CVE-2021-33564.yml @@ -12,5 +12,7 @@ description: | problem occurs because the generate and process features mishandle use of the ImageMagick convert utility. +cvss_v3: 9.8 + patched_versions: - ">= 1.4.0" diff --git a/gems/ember-source/CVE-2015-7565.yml b/gems/ember-source/CVE-2015-7565.yml index 4aa32e9788..5b6c5739db 100644 --- a/gems/ember-source/CVE-2015-7565.yml +++ b/gems/ember-source/CVE-2015-7565.yml @@ -19,6 +19,8 @@ description: | All users running an affected release should either upgrade or use of the workarounds immediately. +cvss_v3: 6.1 + patched_versions: - ~> 1.11.4 - ~> 1.12.2 diff --git a/gems/excon/CVE-2019-16779.yml b/gems/excon/CVE-2019-16779.yml index caef6fcf12..1b50aee0bd 100644 --- a/gems/excon/CVE-2019-16779.yml +++ b/gems/excon/CVE-2019-16779.yml @@ -15,6 +15,8 @@ description: |- Users can workaround the problem by disabling persistent connections, though this may cause performance implications. +cvss_v3: 5.8 + patched_versions: - ">= 0.71.0" diff --git a/gems/field_test/CVE-2019-13146.yml b/gems/field_test/CVE-2019-13146.yml index 0fcdbb412a..741ba3c248 100644 --- a/gems/field_test/CVE-2019-13146.yml +++ b/gems/field_test/CVE-2019-13146.yml @@ -14,6 +14,8 @@ description: | landing_page = field_test(:landing_page) Page.where("key = '#{landing_page}'") +cvss_v3: 5.3 + patched_versions: - ">= 0.3.1" unaffected_versions: diff --git a/gems/foreman_fog_proxmox/CVE-2021-20259.yml b/gems/foreman_fog_proxmox/CVE-2021-20259.yml index cd33ac68eb..457dce345a 100644 --- a/gems/foreman_fog_proxmox/CVE-2021-20259.yml +++ b/gems/foreman_fog_proxmox/CVE-2021-20259.yml @@ -12,5 +12,7 @@ description: | and integrity as well as system availability. Versions before foreman_fog_proxmox 0.13.1 are affected +cvss_v3: 7.8 + patched_versions: - ">= 0.13.1" 
diff --git a/gems/pgsync/CVE-2021-31671.yml b/gems/pgsync/CVE-2021-31671.yml index 8647b4ef1e..4b80dc67b4 100644 --- a/gems/pgsync/CVE-2021-31671.yml +++ b/gems/pgsync/CVE-2021-31671.yml @@ -23,5 +23,7 @@ description: | This applies to both the `to` and `from` connections. +cvss_v3: 7.5 + patched_versions: - ">= 0.6.7" diff --git a/gems/rack/CVE-2019-16782.yml b/gems/rack/CVE-2019-16782.yml index 9daa45906f..9e6729bba6 100644 --- a/gems/rack/CVE-2019-16782.yml +++ b/gems/rack/CVE-2019-16782.yml @@ -27,6 +27,8 @@ description: |- may be able to perform a timing attack to determine an existing session id and hijack that session. +cvss_v3: 6.3 + patched_versions: - "~> 1.6.12" - ">= 2.0.8" diff --git a/gems/railties/CVE-2019-5420.yml b/gems/railties/CVE-2019-5420.yml index a0629d32cc..ab058017bc 100644 --- a/gems/railties/CVE-2019-5420.yml +++ b/gems/railties/CVE-2019-5420.yml @@ -41,6 +41,8 @@ description: | ------- Thanks to ooooooo_q +cvss_v3: 9.8 + unaffected_versions: - "< 5.2.0" diff --git a/gems/ruby-saml/CVE-2017-11428.yml b/gems/ruby-saml/CVE-2017-11428.yml index 5f9009e74d..1026259977 100644 --- a/gems/ruby-saml/CVE-2017-11428.yml +++ b/gems/ruby-saml/CVE-2017-11428.yml @@ -18,6 +18,8 @@ description: | cvss_v2: 6.3 +cvss_v3: 7.7 + patched_versions: - ">= 1.7.0" diff --git a/gems/trestle-auth/CVE-2021-29435.yml b/gems/trestle-auth/CVE-2021-29435.yml index d7787a75a2..ae7506825f 100644 --- a/gems/trestle-auth/CVE-2021-29435.yml +++ b/gems/trestle-auth/CVE-2021-29435.yml @@ -18,6 +18,8 @@ description: | The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems. +cvss_v3: 8.1 + patched_versions: - ">= 0.4.2"
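Review bot: In the first hunk (actionpack CVE-2015-7581), and in every other hunk of this patch, the new `cvss_v3:` line carries a bare base score with no vector string and no indication of where the number came from. A score alone cannot be audited or recomputed later (for example when a v3.0 score is re-issued as v3.1), and the only precedent in these files, `cvss_v2: 6.3` in the ruby-saml hunk, does not resolve that either. Suggest recording the source and vector for each score in the commit message, or alongside the field if the schema allows it, before merging.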
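Review bot: The `cvss_v3: 9.8` added in the airbrake-ruby CVE-2019-16060 hunk does not match the description above it, which describes only a confidentiality impact (unfiltered user data, possibly passwords, sent to Airbrake). A 9.8 base score corresponds to a network-reachable, no-privilege, no-interaction vector with high confidentiality, integrity and availability impact. If the number is copied from a scoring authority, cite it so the discrepancy is visible to readers; otherwise reconsider the vector for an information-disclosure bug.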
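Review bot: The `cvss_v3: 5.3` in the devise CVE-2019-16109 hunk sits directly under a description stating that "there is no scenario within Devise itself in which such database records would exist". Without a note on what the score assumes (records with a blank `confirmation_token` created outside Devise), the number reads as an unconditional risk for every Devise user; suggest adding one sentence of rationale to the description or to the commit message.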
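Review bot: Two drive-by fixes are worth taking in the ember-source CVE-2015-7565 hunk while the file is being touched. The context line "use of the workarounds immediately" is missing a word; the same sentence in the activejob CVE-2018-16476 hunk reads "use one of the workarounds immediately". And the `patched_versions` entries `~> 1.11.4` and `~> 1.12.2` are the only unquoted version constraints in this patch; every other file quotes them, e.g. `- "~> 1.6.12"` in the rack hunk.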