
commit by to_remotes 2025-08-20 10:34:53 +0200 from cicd

main
cicd 2025-08-20 10:34:53 +02:00
parent 8c70fd03f8
commit 8fad81d004
4 changed files with 48 additions and 7 deletions


@ -1 +1 @@
2025-08-12T12:32:13+02:00 2025-08-20T10:34:53+02:00
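Review bot: this file differs only in the timestamp (2025-08-12 to 2025-08-20), so it will produce a commit on every scheduled run even when the scan result is unchanged; consider writing it only when the results file changes, or relying on the `created_at` field that the JSON report already carries.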


@ -1 +1 @@
{"version":"0.9.2","created_at":"2025-08-12 12:32:13 +0200","results":[]} {"version":"0.9.2","created_at":"2025-08-20 10:34:52 +0200","results":[{"type":"unpatched_gem","gem":{"name":"activerecord","version":"8.0.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/activerecord/CVE-2025-55193.yml","id":"CVE-2025-55193","url":"https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776","title":"Active Record logging vulnerable to ANSI escape injection","date":"2025-08-13","description":"This vulnerability has been assigned the CVE identifier CVE-2025-55193\n\n### Impact\n\nThe ID passed to `find` or similar methods may be logged without\nescaping. If this is directly to the terminal, it may include\nunescaped ANSI sequences.\n\n### Releases\n\nThe fixed releases are available at the normal locations.\n\n### Credits\n\nThanks to [lio346](https://hackerone.com/lio346) for reporting\nthis vulnerability.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-55193","osvdb":null,"ghsa":"76r7-hhxj-r776","unaffected_versions":[],"patched_versions":["~> 7.1.5.2","~> 7.2.2.2",">= 8.0.2.1"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"activestorage","version":"8.0.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/activestorage/CVE-2025-24293.yml","id":"CVE-2025-24293","url":"https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3","title":"Active Storage allowed transformation methods that were potentially unsafe","date":"2025-08-14","description":"Active Storage attempts to prevent the use of potentially unsafe\nimage transformation methods and parameters by default.\nThe default allowed list contains three methods allowing for the\ncircumvention of the safe defaults which enables potential command\ninjection vulnerabilities in cases where arbitrary user supplied\ninput is accepted as valid transformation methods or parameters.\n\nThis has been assigned the CVE identifier 
CVE-2025-24293.\n\nVersions Affected: >= 5.2.0\nNot affected: < 5.2.0\nFixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1\n\n## Impact\n\nThis vulnerability impacts applications that use Active Storage\nwith the image_processing processing gem in addition to\nmini_magick as the image processor.\n\nVulnerable code will look something similar to this:\n\n```\n<= image_tag blob.variant(params[:t] => params[:v]) >\n```\n\nWhere the transformation method or its arguments are untrusted\narbitrary input.\n\nAll users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\n## Releases\n\nThe fixed releases are available at the normal locations.\n\n## Workarounds\n\nConsuming user supplied input for image transformation methods\nor their parameters is unsupported behavior and should be\nconsidered dangerous.\n\nStrict validation of user supplied methods and parameters should\nbe performed as well as having a strong\n[ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.\n\n## Credits\n\nThank you [lio346](https://hackerone.com/lio346) for reporting this!\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-24293","osvdb":null,"ghsa":"r4mg-4433-c7g3","unaffected_versions":["< 5.20"],"patched_versions":["~> 7.1.5.2","~> 7.2.2.2",">= 8.0.2.1"],"criticality":null}}]}
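Review bot: the activestorage record is internally inconsistent: `unaffected_versions` is `["< 5.20"]` while the description says `Not affected: < 5.2.0` and `Versions Affected: >= 5.2.0`, which looks like a typo in the upstream `gems/activestorage/CVE-2025-24293.yml` entry and is worth reporting to ruby-advisory-db rather than acting on here. Each `advisory.path` also embeds the runner's home directory (`/home/wiseadvice/.local/share/ruby-advisory-db/...`); if this report is published, strip or relativise that path. Both findings share the same remediation on the 8.0.x line, `>= 8.0.2.1`.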


@ -1 +1,19 @@
No vulnerabilities found Name: activerecord
Version: 8.0.2
CVE: CVE-2025-55193
GHSA: GHSA-76r7-hhxj-r776
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776
Title: Active Record logging vulnerable to ANSI escape injection
Solution: update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'
Name: activestorage
Version: 8.0.2
CVE: CVE-2025-24293
GHSA: GHSA-r4mg-4433-c7g3
Criticality: Unknown
URL: https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3
Title: Active Storage allowed transformation methods that were potentially unsafe
Solution: update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'
Vulnerabilities found!
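Review bot: the result flips from `No vulnerabilities found` to `Vulnerabilities found!`, but this commit only records the report; the fix (both entries give the same solution, `update to '~> 7.1.5.2', '~> 7.2.2.2', '>= 8.0.2.1'`) is a separate lockfile bump that should follow, and the pipeline should fail or alert on `Vulnerabilities found!` rather than silently committing the text. Note that `Criticality: Unknown` mirrors `criticality: null` in the advisory data and is not a low-severity rating.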


@ -1,7 +1,30 @@
Updating ruby-advisory-db ... Updating ruby-advisory-db ...
Already up to date. Updating 43149b5..38d5d62
Fast-forward
Gemfile | 2 +-
README.md | 2 +-
gems/activerecord/CVE-2025-55193.yml | 37 ++++++++++++++++++
gems/activestorage/CVE-2025-24293.yml | 70 ++++++++++++++++++++++++++++++++++
gems/karo/CVE-2014-10075.yml | 15 ++++----
gems/lodash-rails/CVE-2018-16487.yml | 32 ++++++++++++++++
gems/lodash-rails/CVE-2018-3721.yml | 32 ++++++++++++++++
gems/lodash-rails/CVE-2019-1010266.yml | 26 +++++++++++++
gems/lodash-rails/CVE-2019-10744.yml | 33 ++++++++++++++++
gems/lodash-rails/CVE-2020-28500.yml | 60 +++++++++++++++++++++++++++++
gems/lodash-rails/CVE-2020-8203.yml | 37 ++++++++++++++++++
gems/lodash-rails/CVE-2021-23337.yml | 33 ++++++++++++++++
12 files changed, 369 insertions(+), 10 deletions(-)
create mode 100644 gems/activerecord/CVE-2025-55193.yml
create mode 100644 gems/activestorage/CVE-2025-24293.yml
create mode 100644 gems/lodash-rails/CVE-2018-16487.yml
create mode 100644 gems/lodash-rails/CVE-2018-3721.yml
create mode 100644 gems/lodash-rails/CVE-2019-1010266.yml
create mode 100644 gems/lodash-rails/CVE-2019-10744.yml
create mode 100644 gems/lodash-rails/CVE-2020-28500.yml
create mode 100644 gems/lodash-rails/CVE-2020-8203.yml
create mode 100644 gems/lodash-rails/CVE-2021-23337.yml
Updated ruby-advisory-db Updated ruby-advisory-db
ruby-advisory-db: ruby-advisory-db:
advisories: 998 advisories advisories: 1007 advisories
last updated: 2025-08-08 10:26:18 -0700 last updated: 2025-08-15 09:06:14 -0700
commit: 43149b540b701c9683e402fcd7fa4e5b6e5b60e9 commit: 38d5d62f8c2325f3c5b980dc2f7774f8abbc589c
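Review bot: the advisory database moved from 43149b5 to 38d5d62 (998 to 1007 advisories) with no change to the application's dependencies, and that update alone turned a clean run into two findings; this is the expected behaviour and the reason the audit should keep running on a schedule, not only on pushes. Recording the database commit hash in the log is good practice since it makes a given scan reproducible; the seven lodash-rails advisories that arrived in the same update matched nothing in the lockfile, as the results file shows only activerecord and activestorage.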