commit by to_remotes 2024-09-23 09:27:29 +0200 from cicd

bundle-audit-time.txt

@@ -1 +1 @@
-2024-09-20T14:26:53+02:00
+2024-09-23T09:27:29+02:00

bundle-audit.json

@@ -1 +1 @@
-{"version":"0.9.1","created_at":"2024-09-20 14:26:52 +0200","results":[]}
+{"version":"0.9.1","created_at":"2024-09-23 09:27:29 +0200","results":[{"type":"unpatched_gem","gem":{"name":"google-protobuf","version":"4.27.3"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/google-protobuf/CVE-2024-7254.yml","id":"CVE-2024-7254","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8","title":"protobuf-java has potential Denial of Service issue","date":"2024-09-19","description":"### Summary\nWhen parsing unknown fields in the Protobuf Java Lite and Full library,\na maliciously crafted message can cause a StackOverflow error and lead\nto a program crash.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security\nTeam <ecosystem@trailofbits.com>\n\nAffected versions: This issue affects all versions of both the Java\nfull and lite Protobuf runtimes, as well as Protobuf for Kotlin and\nJRuby, which themselves use the Java Protobuf runtime.\n\n### Severity\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254)\n**High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\n\nThis is a potential Denial of Service. Parsing nested groups as unknown\nfields with DiscardUnknownFieldsParser or Java Protobuf Lite parser,\nor against Protobuf map fields, creates unbounded recursions that can\nbe abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests (Protobuf Java\n[LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java)\nand [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java))\nthat identify the specific inputs that exercise this parsing weakness.\n\n### Remediation and Mitigation\nWe have been working diligently to address this issue and have released\na mitigation that is available now. Please update to the latest\navailable versions of the following packages:\n\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)\n\n","cvss_v2":null,"cvss_v3":7.5,"cve":"2024-7254","osvdb":null,"ghsa":"735f-pc8j-v9w8","unaffected_versions":[],"patched_versions":["~> 3.25.5","~> 4.27.5",">= 4.28.2"],"criticality":"high"}},{"type":"unpatched_gem","gem":{"name":"puma","version":"6.4.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/puma/CVE-2024-45614.yml","id":"CVE-2024-45614","url":"https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4","title":"Puma's header normalization allows for client to clobber proxy set headers","date":"2024-09-20","description":"### Impact\n\nClients could clobber values set by intermediate proxies (such as\nX-Forwarded-For) by providing a underscore version of the same\nheader (X-Forwarded_For).\n\nAny users trusting headers set by their proxy may be affected.\nAttackers may be able to downgrade connections to HTTP (non-SSL)\nor redirect responses, which could cause confidentiality leaks\nif combined with a separate MITM attack.\n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the\nnon-underscore version also exists.  Effectively, allowing the\nproxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers)\nconfiguration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers\nfor security or availability should immediately cease doing so\nuntil upgraded to the fixed versions.\n","cvss_v2":null,"cvss_v3":5.4,"cve":"2024-45614","osvdb":null,"ghsa":"9hf4-67fc-4vf4","unaffected_versions":[],"patched_versions":["~> 5.6.9",">= 6.4.3"],"criticality":"medium"}}]}

report.txt

@@ -1 +1,19 @@
-No vulnerabilities found
+Name: google-protobuf
+Version: 4.27.3
+CVE: CVE-2024-7254
+GHSA: GHSA-735f-pc8j-v9w8
+Criticality: High
+URL: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
+Title: protobuf-java has potential Denial of Service issue
+Solution: upgrade to '~> 3.25.5', '~> 4.27.5', '>= 4.28.2'
+
+Name: puma
+Version: 6.4.2
+CVE: CVE-2024-45614
+GHSA: GHSA-9hf4-67fc-4vf4
+Criticality: Medium
+URL: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
+Title: Puma's header normalization allows for client to clobber proxy set headers
+Solution: upgrade to '~> 5.6.9', '>= 6.4.3'
+
+Vulnerabilities found!

update-info.txt

@@ -1,7 +1,16 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 5e77a68..ebac396
+Fast-forward
+ gems/google-protobuf/CVE-2024-7254.yml     | 63 ++++++++++++++++++++++++++++++
+ gems/omniauth-saml/CVE-2024-45409.yml      | 31 ++++++++++-----
+ gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 25 ------------
+ gems/puma/CVE-2024-45614.yml               | 43 ++++++++++++++++++++
+ 4 files changed, 128 insertions(+), 34 deletions(-)
+ create mode 100644 gems/google-protobuf/CVE-2024-7254.yml
+ delete mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
+ create mode 100644 gems/puma/CVE-2024-45614.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
-  advisories:	925 advisories
-  last updated:	2024-09-18 11:41:17 -0700
-  commit:	5e77a68ffb3efbe1f4de93cf3ee2c7b74521cc62
+  advisories:	926 advisories
+  last updated:	2024-09-21 16:59:39 -0700
+  commit:	ebac3962e0275ec2f95ff29dc76398f7a4fccd5f