commit by to_remotes 2025-03-12 07:32:47 +0100 from cicd

2025-03-12 07:32:47 +01:00 · 2025-03-12 07:32:47 +01:00 · a41ca01da8
parent e1e8685cb1
commit a41ca01da8
4 changed files with 20 additions and 7 deletions
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@ -1 +1 @@
-2025-03-11T13:35:56+01:00
+2025-03-12T07:32:47+01:00
--- a/bundle-audit.json
+++ b/bundle-audit.json
@ -1 +1 @@
-{"version":"0.9.2","created_at":"2025-03-11 13:35:56 +0100","results":[]}
+{"version":"0.9.2","created_at":"2025-03-12 07:32:47 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.11"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-27610.yml","id":"CVE-2025-27610","url":"https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v","title":"Local File Inclusion in Rack::Static","date":"2025-03-10","description":"## Summary\n\n`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.\n\n## Details\n\nThe vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.\n\n## Impact\n\nBy exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Static`, or\n- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.\n\nIt is likely that a CDN or similar static file server would also mitigate the issue.","cvss_v2":null,"cvss_v3":7.5,"cve":"2025-27610","osvdb":null,"ghsa":"7wqh-767x-r66v","unaffected_versions":[],"patched_versions":["~> 2.2.13","~> 3.0.14",">= 3.1.12"],"criticality":"high"}}]}
--- a/report.txt
+++ b/report.txt
@ -1 +1,10 @@
-No vulnerabilities found
+Name: rack
 Version: 3.1.11
 CVE: CVE-2025-27610
 GHSA: GHSA-7wqh-767x-r66v
 Criticality: High
 URL: https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
 Title: Local File Inclusion in Rack::Static
 Solution: update to '~> 2.2.13', '~> 3.0.14', '>= 3.1.12'
 Vulnerabilities found!
--- a/update-info.txt
+++ b/update-info.txt
@ -1,7 +1,11 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 00d14ff..b7fc2b1
 Fast-forward
 gems/rack/CVE-2025-27610.yml | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 gems/rack/CVE-2025-27610.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
-  advisories:	965 advisories
+  advisories:	966 advisories
-  last updated:	2025-03-09 12:29:55 -0700
+  last updated:	2025-03-11 12:17:36 -0700
-  commit:	00d14ff80339f5bd97074f098bba6a6d26bd54a4
+  commit:	b7fc2b1ef9bcc4b62a6cd3cd9ab4d5d4070a23bb
`@ -1 +1 @@`
	`2025-03-11T13:35:56+01:00`	`2025-03-12T07:32:47+01:00`
		`@ -1 +1 @@`
			`{"version":"0.9.2","created_at":"2025-03-11 13:35:56 +0100","results":[]}`				{"version":"0.9.2","created_at":"2025-03-12 07:32:47 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.11"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-27610.yml","id":"CVE-2025-27610","url":"https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v","title":"Local File Inclusion in Rack::Static","date":"2025-03-10","description":"## Summary\n\n`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.\n\n## Details\n\nThe vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.\n\n## Impact\n\nBy exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Static`, or\n- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.\n\nIt is likely that a CDN or similar static file server would also mitigate the issue.","cvss_v2":null,"cvss_v3":7.5,"cve":"2025-27610","osvdb":null,"ghsa":"7wqh-767x-r66v","unaffected_versions":[],"patched_versions":["~> 2.2.13","~> 3.0.14",">= 3.1.12"],"criticality":"high"}}]}