
commit by to_remotes 2024-09-23 09:30:14 +0200 from cicd

main
cicd 2024-09-23 09:30:14 +02:00
parent bf9d32880d
commit ee879bdb83
4 changed files with 4 additions and 31 deletions


@ -1 +1 @@
2024-09-23T09:27:29+02:00
2024-09-23T09:30:13+02:00
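Review bot: the only change in this file is the run timestamp (09:27:29 to 09:30:13, three minutes later), so this hunk carries no audit information on its own; if the timestamp is rewritten on every scheduled run it will produce commits even when the findings are unchanged, so consider writing it only when the results file changes, or dropping it in favour of the created_at field the JSON results already carry for the same instant.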


@ -1 +1 @@
{"version":"0.9.1","created_at":"2024-09-23 09:27:29 +0200","results":[{"type":"unpatched_gem","gem":{"name":"google-protobuf","version":"4.27.3"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/google-protobuf/CVE-2024-7254.yml","id":"CVE-2024-7254","url":"https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8","title":"protobuf-java has potential Denial of Service issue","date":"2024-09-19","description":"### Summary\nWhen parsing unknown fields in the Protobuf Java Lite and Full library,\na maliciously crafted message can cause a StackOverflow error and lead\nto a program crash.\n\nReporter: Alexis Challande, Trail of Bits Ecosystem Security\nTeam <ecosystem@trailofbits.com>\n\nAffected versions: This issue affects all versions of both the Java\nfull and lite Protobuf runtimes, as well as Protobuf for Kotlin and\nJRuby, which themselves use the Java Protobuf runtime.\n\n### Severity\n[CVE-2024-7254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7254)\n**High** CVSS4.0 Score 8.7 (NOTE: there may be a delay in publication)\n\nThis is a potential Denial of Service. 
Parsing nested groups as unknown\nfields with DiscardUnknownFieldsParser or Java Protobuf Lite parser,\nor against Protobuf map fields, creates unbounded recursions that can\nbe abused by an attacker.\n\n### Proof of Concept\nFor reproduction details, please refer to the unit tests (Protobuf Java\n[LiteTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/lite/src/test/java/com/google/protobuf/LiteTest.java)\nand [CodedInputStreamTest](https://github.com/protocolbuffers/protobuf/blob/a037f28ff81ee45ebe008c64ab632bf5372242ce/java/core/src/test/java/com/google/protobuf/CodedInputStreamTest.java))\nthat identify the specific inputs that exercise this parsing weakness.\n\n### Remediation and Mitigation\nWe have been working diligently to address this issue and have released\na mitigation that is available now. Please update to the latest\navailable versions of the following packages:\n\n* protobuf-java (3.25.5, 4.27.5, 4.28.2)\n* protobuf-javalite (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin (3.25.5, 4.27.5, 4.28.2)\n* protobuf-kotlin-lite (3.25.5, 4.27.5, 4.28.2)\n* com-protobuf [JRuby gem only] (3.25.5, 4.27.5, 4.28.2)\n\n","cvss_v2":null,"cvss_v3":7.5,"cve":"2024-7254","osvdb":null,"ghsa":"735f-pc8j-v9w8","unaffected_versions":[],"patched_versions":["~> 3.25.5","~> 4.27.5",">= 4.28.2"],"criticality":"high"}},{"type":"unpatched_gem","gem":{"name":"puma","version":"6.4.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/puma/CVE-2024-45614.yml","id":"CVE-2024-45614","url":"https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4","title":"Puma's header normalization allows for client to clobber proxy set headers","date":"2024-09-20","description":"### Impact\n\nClients could clobber values set by intermediate proxies (such as\nX-Forwarded-For) by providing a underscore version of the same\nheader (X-Forwarded_For).\n\nAny users trusting headers set by their proxy may be 
affected.\nAttackers may be able to downgrade connections to HTTP (non-SSL)\nor redirect responses, which could cause confidentiality leaks\nif combined with a separate MITM attack.\n\n### Patches\nv6.4.3/v5.6.9 now discards any headers using underscores if the\nnon-underscore version also exists. Effectively, allowing the\nproxy defined headers to always win.\n\n### Workarounds\nNginx has a [underscores_in_headers](https://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers)\nconfiguration variable to discard these headers at the proxy level.\n\nAny users that are implicitly trusting the proxy defined headers\nfor security or availability should immediately cease doing so\nuntil upgraded to the fixed versions.\n","cvss_v2":null,"cvss_v3":5.4,"cve":"2024-45614","osvdb":null,"ghsa":"9hf4-67fc-4vf4","unaffected_versions":[],"patched_versions":["~> 5.6.9",">= 6.4.3"],"criticality":"medium"}}]}
{"version":"0.9.2","created_at":"2024-09-23 09:30:13 +0200","results":[]}
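Review bot: the results array goes from two unpatched gems to empty, but no Gemfile.lock is among the four files in this commit, so the hunk does not show the dependency change that would clear google-protobuf 4.27.3 (CVE-2024-7254, patched_versions '~> 3.25.5', '~> 4.27.5', '>= 4.28.2') and puma 6.4.2 (CVE-2024-45614, patched_versions '~> 5.6.9', '>= 6.4.3'). Confirm those bumps landed in the parent or a related commit before treating the findings as resolved; note also that the version field moved from 0.9.1 to 0.9.2 between the two runs, which is a second possible reason for a finding to disappear that has nothing to do with a fix. Until the puma upgrade is verified, the advisory's own interim guidance applies: stop trusting proxy-set headers such as X-Forwarded-For, or have the proxy discard the underscore variants (nginx underscores_in_headers) so a client-supplied X-Forwarded_For cannot clobber them.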


@ -1,19 +1 @@
Name: google-protobuf
Version: 4.27.3
CVE: CVE-2024-7254
GHSA: GHSA-735f-pc8j-v9w8
Criticality: High
URL: https://github.com/protocolbuffers/protobuf/security/advisories/GHSA-735f-pc8j-v9w8
Title: protobuf-java has potential Denial of Service issue
Solution: upgrade to '~> 3.25.5', '~> 4.27.5', '>= 4.28.2'
Name: puma
Version: 6.4.2
CVE: CVE-2024-45614
GHSA: GHSA-9hf4-67fc-4vf4
Criticality: Medium
URL: https://github.com/puma/puma/security/advisories/GHSA-9hf4-67fc-4vf4
Title: Puma's header normalization allows for client to clobber proxy set headers
Solution: upgrade to '~> 5.6.9', '>= 6.4.3'
Vulnerabilities found!
No vulnerabilities found
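Review bot: the report swaps 'Vulnerabilities found!' for 'No vulnerabilities found', which are the audit tool's human-readable summary strings; if the pipeline gates on this text rather than on the command's exit status or on the JSON results array, a wording change in a future tool release (the version already moved from 0.9.1 to 0.9.2 between these two runs) could silently flip the gate. Gate on the exit code or the JSON and keep this file as a log only. The deleted Solution lines are also the only statement in this commit of which versions resolve the two advisories, so they are worth repeating in the commit message alongside the lockfile change that applies them.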


@ -1,14 +1,5 @@
Updating ruby-advisory-db ...
Updating 5e77a68..ebac396
Fast-forward
gems/google-protobuf/CVE-2024-7254.yml | 63 ++++++++++++++++++++++++++++++
gems/omniauth-saml/CVE-2024-45409.yml | 31 ++++++++++-----
gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml | 25 ------------
gems/puma/CVE-2024-45614.yml | 43 ++++++++++++++++++++
4 files changed, 128 insertions(+), 34 deletions(-)
create mode 100644 gems/google-protobuf/CVE-2024-7254.yml
delete mode 100644 gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml
create mode 100644 gems/puma/CVE-2024-45614.yml
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
advisories: 926 advisories
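Review bot: 'Already up to date.' on the + side means the second run used the same ruby-advisory-db commit (ebac396, 926 advisories) as the first, so the empty result is not explained by an advisory-database rollback; that is the useful fact in this hunk. The deleted lines are the only record here that the 5e77a68..ebac396 update created gems/google-protobuf/CVE-2024-7254.yml and gems/puma/CVE-2024-45614.yml and modified gems/omniauth-saml/CVE-2024-45409.yml while deleting gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml; since this log is overwritten on every run, capture that in the commit message rather than relying on the file.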