commit by to_remotes 2025-02-14 13:46:24 +0100 from cicd

main
cicd 2025-02-14 13:46:24 +01:00
parent f6e754f570
commit f30c9b2dc2
4 changed files with 4 additions and 23 deletions

@ -1 +1 @@
2025-02-14T13:42:46+01:00 2025-02-14T13:46:23+01:00
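
Review bot: this hunk changes nothing but a run timestamp, moved forward by under four minutes, so every scheduler run will produce a commit even when the audit outcome is identical. Consider keeping the last-run timestamp outside the tracked tree, or committing only when the results file in the next hunk actually differs, so the history reflects real changes in audit state.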

@ -1 +1 @@
{"version":"0.9.2","created_at":"2025-02-14 13:42:46 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.8"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-25184.yml","id":"CVE-2025-25184","url":"https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg","title":"Possible Log Injection in Rack::CommonLogger","date":"2025-02-12","description":"## Summary\n\n`Rack::CommonLogger` can be exploited by crafting input that includes\nnewline characters to manipulate log entries. The supplied\nproof-of-concept demonstrates injecting malicious content into logs.\n\n## Details\n\nWhen a user provides the authorization credentials via\n`Rack::Auth::Basic`, if success, the username will be put in\n`env['REMOTE_USER']` and later be used by `Rack::CommonLogger`\nfor logging purposes.\n\nThe issue occurs when a server intentionally or unintentionally\nallows a user creation with the username contain CRLF and white\nspace characters, or the server just want to log every login\nattempts. If an attacker enters a username with CRLF character,\nthe logger will log the malicious username with CRLF characters\ninto the logfile.\n\n## Impact\n\nAttackers can break log formats or insert fraudulent entries,\npotentially obscuring real activity or injecting malicious data\ninto log files.\n\n## Mitigation\n\n- Update to the latest version of Rack.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-25184","osvdb":null,"ghsa":"7g2v-jj9q-g3rg","unaffected_versions":[],"patched_versions":["~> 2.2.11","~> 3.0.12",">= 3.1.10"],"criticality":null}}]} {"version":"0.9.2","created_at":"2025-02-14 13:46:23 +0100","results":[]}
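
Review bot: the removed JSON commits the runner's absolute advisory path (`/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-25184.yml`), which leaks the account name and filesystem layout of the CI host into the repository and makes the file differ between runners; strip the `path` field or rewrite it relative to the advisory DB root before committing. Separately, the `results` array goes from one `unpatched_gem` entry for rack 3.1.8 to empty, but none of the four changed files is a Gemfile.lock, so the dependency bump that cleared the finding lives elsewhere and should be referenced from this commit.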

@ -1,10 +1 @@
Name: rack No vulnerabilities found
Version: 3.1.8
CVE: CVE-2025-25184
GHSA: GHSA-7g2v-jj9q-g3rg
Criticality: Unknown
URL: https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
Title: Possible Log Injection in Rack::CommonLogger
Solution: update to '~> 2.2.11', '~> 3.0.12', '>= 3.1.10'
Vulnerabilities found!
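
Review bot: the removed report shows `Criticality: Unknown`, which is the text rendering of `cvss_v2` and `cvss_v3` both being `null` in the advisory; any gate that keys on criticality would have treated this finding as harmless, so the pass/fail decision should come from the tool's exit status or the JSON `results` array rather than from this text file, and an unknown score should never downgrade an unpatched gem. The wording `No vulnerabilities found` / `Vulnerabilities found!` is also tool-version specific, so avoid grepping it in pipeline steps.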

@ -1,15 +1,5 @@
Updating ruby-advisory-db ... Updating ruby-advisory-db ...
Updating 44593ed..3e2cd72 Already up to date.
Fast-forward
gems/actionpack/CVE-2024-54133.yml | 1 +
gems/net-imap/CVE-2025-25186.yml | 1 +
gems/rack/CVE-2025-25184.yml | 48 ++++++++++++++++++++++++++++
gems/rails-html-sanitizer/CVE-2024-53986.yml | 1 +
gems/rails-html-sanitizer/CVE-2024-53987.yml | 2 ++
gems/rails-html-sanitizer/CVE-2024-53988.yml | 1 +
gems/rails-html-sanitizer/CVE-2024-53989.yml | 1 +
7 files changed, 55 insertions(+)
create mode 100644 gems/rack/CVE-2025-25184.yml
Updated ruby-advisory-db Updated ruby-advisory-db
ruby-advisory-db: ruby-advisory-db:
advisories: 958 advisories advisories: 958 advisories
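
Review bot: the `Already up to date` line and the unchanged `958 advisories` count on both sides show the advisory DB did not move between the two runs, and the previous run's fast-forward had already created `gems/rack/CVE-2025-25184.yml`, so the clean result in the earlier hunks cannot be explained by the advisory being removed. Confirm that rack was bumped to a patched release (`~> 2.2.11`, `~> 3.0.12` or `>= 3.1.10`, as the removed report states) rather than the finding being suppressed by an ignore list, and link that dependency commit here so the audit history is self-explaining.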