commit by to_remotes 2025-02-14 13:42:46 +0100 from cicd

2025-02-14 13:42:46 +01:00 · 2025-02-14 13:42:46 +01:00 · f6e754f570
parent ea3c535acc
commit f6e754f570
4 changed files with 26 additions and 7 deletions
--- a/bundle-audit-time.txt
+++ b/bundle-audit-time.txt
@ -1 +1 @@
-2025-02-13T14:35:56+01:00
+2025-02-14T13:42:46+01:00
--- a/bundle-audit.json
+++ b/bundle-audit.json
@ -1 +1 @@
-{"version":"0.9.2","created_at":"2025-02-13 14:35:55 +0100","results":[]}
+{"version":"0.9.2","created_at":"2025-02-14 13:42:46 +0100","results":[{"type":"unpatched_gem","gem":{"name":"rack","version":"3.1.8"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/rack/CVE-2025-25184.yml","id":"CVE-2025-25184","url":"https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg","title":"Possible Log Injection in Rack::CommonLogger","date":"2025-02-12","description":"## Summary\n\n`Rack::CommonLogger` can be exploited by crafting input that includes\nnewline characters to manipulate log entries. The supplied\nproof-of-concept demonstrates injecting malicious content into logs.\n\n## Details\n\nWhen a user provides the authorization credentials via\n`Rack::Auth::Basic`, if success, the username will be put in\n`env['REMOTE_USER']` and later be used by `Rack::CommonLogger`\nfor logging purposes.\n\nThe issue occurs when a server intentionally or unintentionally\nallows a user creation with the username contain CRLF and white\nspace characters, or the server just want to log every login\nattempts. If an attacker enters a username with CRLF character,\nthe logger will log the malicious username with CRLF characters\ninto the logfile.\n\n## Impact\n\nAttackers can break log formats or insert fraudulent entries,\npotentially obscuring real activity or injecting malicious data\ninto log files.\n\n## Mitigation\n\n- Update to the latest version of Rack.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-25184","osvdb":null,"ghsa":"7g2v-jj9q-g3rg","unaffected_versions":[],"patched_versions":["~> 2.2.11","~> 3.0.12",">= 3.1.10"],"criticality":null}}]}
--- a/report.txt
+++ b/report.txt
@ -1 +1,10 @@
-No vulnerabilities found
+Name: rack
+Version: 3.1.8
+CVE: CVE-2025-25184
+GHSA: GHSA-7g2v-jj9q-g3rg
+Criticality: Unknown
+URL: https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
+Title: Possible Log Injection in Rack::CommonLogger
+Solution: update to '~> 2.2.11', '~> 3.0.12', '>= 3.1.10'
+
+Vulnerabilities found!
--- a/update-info.txt
+++ b/update-info.txt
@ -1,7 +1,17 @@
 Updating ruby-advisory-db ...
-Already up to date.
+Updating 44593ed..3e2cd72
+Fast-forward
+ gems/actionpack/CVE-2024-54133.yml           |  1 +
+ gems/net-imap/CVE-2025-25186.yml             |  1 +
+ gems/rack/CVE-2025-25184.yml                 | 48 ++++++++++++++++++++++++++++
+ gems/rails-html-sanitizer/CVE-2024-53986.yml |  1 +
+ gems/rails-html-sanitizer/CVE-2024-53987.yml |  2 ++
+ gems/rails-html-sanitizer/CVE-2024-53988.yml |  1 +
+ gems/rails-html-sanitizer/CVE-2024-53989.yml |  1 +
+ 7 files changed, 55 insertions(+)
+ create mode 100644 gems/rack/CVE-2025-25184.yml
 Updated ruby-advisory-db
 ruby-advisory-db:
-  advisories:	957 advisories
-  last updated:	2025-02-11 12:00:22 -0800
-  commit:	44593edd43b5890a2b28b3febf5f18f776615bf1
+  advisories:	958 advisories
+  last updated:	2025-02-13 12:33:52 -0800
+  commit:	3e2cd72acc948f36521eda7bd0c881f88913ddd6