From 6b3269153f31938d12f9653356a39f79d56a6843 Mon Sep 17 00:00:00 2001 From: cicd Date: Thu, 6 Mar 2025 11:25:00 +0100 Subject: [PATCH] commit by to_remotes 2025-03-06 11:25:00 +0100 from cicd --- bundle-audit-time.txt | 2 +- bundle-audit.json | 2 +- report.txt | 11 ++++++++++- update-info.txt | 12 ++++++++---- 4 files changed, 20 insertions(+), 7 deletions(-) diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt index 140d544..2a8d57b 100644 --- a/bundle-audit-time.txt +++ b/bundle-audit-time.txt @@ -1 +1 @@ -2025-03-05T14:35:11+01:00 +2025-03-06T11:25:00+01:00 diff --git a/bundle-audit.json b/bundle-audit.json index 6ab6841..f07d123 100644 --- a/bundle-audit.json +++ b/bundle-audit.json @@ -1 +1 @@ -{"version":"0.9.2","created_at":"2025-03-05 14:35:10 +0100","results":[]} \ No newline at end of file +{"version":"0.9.2","created_at":"2025-03-06 11:25:00 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.10"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-27111.yml","id":"CVE-2025-27111","url":"https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v","title":"Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection","date":"2025-03-04","description":"## Summary\n\n`Rack::Sendfile` can be exploited by crafting input that\nincludes newline characters to manipulate log entries.\n\n## Details\n\nThe `Rack::Sendfile` middleware logs unsanitized header values from\nthe `X-Sendfile-Type` header. An attacker can exploit this by\ninjecting escape sequences (such as newline characters) into the\nheader, resulting in log injection.\n\n## Impact\n\nThis vulnerability can distort log files, obscure\nattack traces, and complicate security auditing.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Sendfile`.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-27111","osvdb":null,"ghsa":"8cgq-6mh2-7j6v","unaffected_versions":[],"patched_versions":["~> 2.2.12","~> 3.0.13",">= 3.1.11"],"criticality":null}}]} \ No newline at end of file diff --git a/report.txt b/report.txt index 8900c02..750bf61 100644 --- a/report.txt +++ b/report.txt @@ -1 +1,10 @@ -No vulnerabilities found +Name: rack +Version: 3.1.10 +CVE: CVE-2025-27111 +GHSA: GHSA-8cgq-6mh2-7j6v +Criticality: Unknown +URL: https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v +Title: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection +Solution: update to '~> 2.2.12', '~> 3.0.13', '>= 3.1.11' + +Vulnerabilities found! diff --git a/update-info.txt b/update-info.txt index 01c1926..3b4eec2 100644 --- a/update-info.txt +++ b/update-info.txt @@ -1,7 +1,11 @@ Updating ruby-advisory-db ... -Already up to date. +Updating 6847b45..8ab1b43 +Fast-forward + gems/rack/CVE-2025-27111.yml | 43 +++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 43 insertions(+) + create mode 100644 gems/rack/CVE-2025-27111.yml Updated ruby-advisory-db ruby-advisory-db: - advisories: 964 advisories - last updated: 2025-03-04 11:21:21 -0800 - commit: 6847b4580e91a077f37ffc80d90054b8684c14ca + advisories: 965 advisories + last updated: 2025-03-05 12:12:15 -0800 + commit: 8ab1b435ef4029c64d694839e618bd7375109a6b