1 line
3.2 KiB
JSON
{"version":"0.9.2","created_at":"2025-08-20 10:34:52 +0200","results":[{"type":"unpatched_gem","gem":{"name":"activerecord","version":"8.0.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/activerecord/CVE-2025-55193.yml","id":"CVE-2025-55193","url":"https://github.com/rails/rails/security/advisories/GHSA-76r7-hhxj-r776","title":"Active Record logging vulnerable to ANSI escape injection","date":"2025-08-13","description":"This vulnerability has been assigned the CVE identifier CVE-2025-55193\n\n### Impact\n\nThe ID passed to `find` or similar methods may be logged without\nescaping. If this is directly to the terminal, it may include\nunescaped ANSI sequences.\n\n### Releases\n\nThe fixed releases are available at the normal locations.\n\n### Credits\n\nThanks to [lio346](https://hackerone.com/lio346) for reporting\nthis vulnerability.\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-55193","osvdb":null,"ghsa":"76r7-hhxj-r776","unaffected_versions":[],"patched_versions":["~> 7.1.5.2","~> 7.2.2.2",">= 8.0.2.1"],"criticality":null}},{"type":"unpatched_gem","gem":{"name":"activestorage","version":"8.0.2"},"advisory":{"path":"/home/wiseadvice/.local/share/ruby-advisory-db/gems/activestorage/CVE-2025-24293.yml","id":"CVE-2025-24293","url":"https://github.com/rails/rails/security/advisories/GHSA-r4mg-4433-c7g3","title":"Active Storage allowed transformation methods that were potentially unsafe","date":"2025-08-14","description":"Active Storage attempts to prevent the use of potentially unsafe\nimage transformation methods and parameters by default.\nThe default allowed list contains three methods allowing for the\ncircumvention of the safe defaults which enables potential command\ninjection vulnerabilities in cases where arbitrary user supplied\ninput is accepted as valid transformation methods or parameters.\n\nThis has been assigned the CVE identifier CVE-2025-24293.\n\nVersions Affected: >= 5.2.0\nNot affected: < 5.2.0\nFixed Versions: 7.1.5.2, 7.2.2.2, 8.0.2.1\n\n## Impact\n\nThis vulnerability impacts applications that use Active Storage\nwith the image_processing processing gem in addition to\nmini_magick as the image processor.\n\nVulnerable code will look something similar to this:\n\n```\n<= image_tag blob.variant(params[:t] => params[:v]) >\n```\n\nWhere the transformation method or its arguments are untrusted\narbitrary input.\n\nAll users running an affected release should either upgrade or\nuse one of the workarounds immediately.\n\n## Releases\n\nThe fixed releases are available at the normal locations.\n\n## Workarounds\n\nConsuming user supplied input for image transformation methods\nor their parameters is unsupported behavior and should be\nconsidered dangerous.\n\nStrict validation of user supplied methods and parameters should\nbe performed as well as having a strong\n[ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed.\n\n## Credits\n\nThank you [lio346](https://hackerone.com/lio346) for reporting this!\n","cvss_v2":null,"cvss_v3":null,"cve":"2025-24293","osvdb":null,"ghsa":"r4mg-4433-c7g3","unaffected_versions":["< 5.20"],"patched_versions":["~> 7.1.5.2","~> 7.2.2.2",">= 8.0.2.1"],"criticality":null}}]}