From f30c9b2dc2c49fa270d03541aad9806d58e1800c Mon Sep 17 00:00:00 2001 From: cicd Date: Fri, 14 Feb 2025 13:46:24 +0100 Subject: [PATCH] commit by to_remotes 2025-02-14 13:46:24 +0100 from cicd --- bundle-audit-time.txt | 2 +- bundle-audit.json | 2 +- report.txt | 11 +---------- update-info.txt | 12 +----------- 4 files changed, 4 insertions(+), 23 deletions(-) diff --git a/bundle-audit-time.txt b/bundle-audit-time.txt index 859a347..5c94f1c 100644 --- a/bundle-audit-time.txt +++ b/bundle-audit-time.txt @@ -1 +1 @@ -2025-02-14T13:42:46+01:00 +2025-02-14T13:46:23+01:00 diff --git a/bundle-audit.json b/bundle-audit.json index b96c227..904281a 100644 --- a/bundle-audit.json +++ b/bundle-audit.json @@ -1 +1 @@ -{"version":"0.9.2","created_at":"2025-02-14 13:42:46 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.8"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-25184.yml","id":"CVE-2025-25184","url":"https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg","title":"Possible Log Injection in Rack::CommonLogger","date":"2025-02-12","description":"## Summary\n\n`Rack::CommonLogger` can be exploited by crafting input that includes\nnewline characters to manipulate log entries. The supplied\nproof-of-concept demonstrates injecting malicious content into logs.\n\n## Details\n\nWhen a user provides the authorization credentials via\n`Rack::Auth::Basic`, if success, the username will be put in\n`env['REMOTE_USER']` and later be used by `Rack::CommonLogger`\nfor logging purposes.\n\nThe issue occurs when a server intentionally or unintentionally\nallows a user creation with the username contain CRLF and white\nspace characters, or the server just want to log every login\nattempts. If an attacker enters a username with CRLF character,\nthe logger will log the malicious username with CRLF characters\ninto the logfile.\n\n## Impact\n\nAttackers can break log formats or insert fraudulent entries,\npotentially obscuring real activity or injecting malicious data\ninto log files.\n\n## Mitigation\n\n- Update to the latest version of Rack.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-25184","osvdb":null,"ghsa":"7g2v-jj9q-g3rg","unaffected_versions":[],"patched_versions":["~> 2.2.11","~> 3.0.12",">= 3.1.10"],"criticality":null}}]} \ No newline at end of file +{"version":"0.9.2","created_at":"2025-02-14 13:46:23 +0100","results":[]} \ No newline at end of file diff --git a/report.txt b/report.txt index 4372b76..8900c02 100644 --- a/report.txt +++ b/report.txt @@ -1,10 +1 @@ -Name: rack -Version: 3.1.8 -CVE: CVE-2025-25184 -GHSA: GHSA-7g2v-jj9q-g3rg -Criticality: Unknown -URL: https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg -Title: Possible Log Injection in Rack::CommonLogger -Solution: update to '~> 2.2.11', '~> 3.0.12', '>= 3.1.10' - -Vulnerabilities found! +No vulnerabilities found diff --git a/update-info.txt b/update-info.txt index 9871417..11a296f 100644 --- a/update-info.txt +++ b/update-info.txt @@ -1,15 +1,5 @@ Updating ruby-advisory-db ... -Updating 44593ed..3e2cd72 -Fast-forward - gems/actionpack/CVE-2024-54133.yml | 1 + - gems/net-imap/CVE-2025-25186.yml | 1 + - gems/rack/CVE-2025-25184.yml | 48 ++++++++++++++++++++++++++++ - gems/rails-html-sanitizer/CVE-2024-53986.yml | 1 + - gems/rails-html-sanitizer/CVE-2024-53987.yml | 2 ++ - gems/rails-html-sanitizer/CVE-2024-53988.yml | 1 + - gems/rails-html-sanitizer/CVE-2024-53989.yml | 1 + - 7 files changed, 55 insertions(+) - create mode 100644 gems/rack/CVE-2025-25184.yml +Already up to date. Updated ruby-advisory-db ruby-advisory-db: advisories: 958 advisories