Merge branch 'issue_43_cve_2014_0036' into development

Conflicts: lib/codesake/dawn/knowledge_base.rb spec/lib/dawn/codesake_knowledgebase_spec.rb
thesp0nge · Mar 14, 2014 · 9550d0a · 9550d0a
2 parents 690531b + a82cb08
commit 9550d0a
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 0 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -52,6 +52,7 @@ _latest update: Thu Feb 13 08:31:37 CET 2014_
   or just old. I enabled only check against ruby
 
 * Added a check for CVE-2014-2322
+* Added a check for CVE-2014-0036
 
 ## Version 1.0.4 - codename: Lightning McQueen (2014-03-14)
 

diff --git a/lib/codesake/dawn/kb/cve_2014_0036.rb b/lib/codesake/dawn/kb/cve_2014_0036.rb
@@ -0,0 +1,29 @@
+module Codesake
+	module Dawn
+		module Kb
+			# Automatically created with rake on 2014-03-14
+			class CVE_2014_0036
+				include DependencyCheck
+
+				def initialize
+          message = "rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream."
+
+           super({
+            :name=>"CVE-2014-0036",
+            :cvss=>"",
+            :release_date => Date.new(2014, 3, 5),
+            :cwe=>"20",
+            :owasp=>"A9",
+            :applies=>["sinatra", "padrino", "rails"],
+            :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+            :message=>message,
+            :mitigation=>"Please upgrade rbovirt version at least to 0.0.24. As a general rule, using the latest version is recommended.",
+            :aux_links=>["http://www.securityfocus.com/bid/66006"]
+           })
+
+           self.safe_dependencies = [{:name=>"rbovirt", :version=>['0.0.24']}]
+				end
+			end
+		end
+	end
+end
diff --git a/lib/codesake/dawn/knowledge_base.rb b/lib/codesake/dawn/knowledge_base.rb
@@ -211,6 +211,7 @@
 
 # CVE - 2014
 
+require "codesake/dawn/kb/cve_2014_0036"
 require "codesake/dawn/kb/cve_2014_0080"
 require "codesake/dawn/kb/cve_2014_0081"
 require "codesake/dawn/kb/cve_2014_0082"
@@ -442,6 +443,7 @@ def self.load_security_checks
           Codesake::Dawn::Kb::CVE_2013_7086.new, 
           Codesake::Dawn::Kb::CVE_2014_1233.new,
           Codesake::Dawn::Kb::CVE_2014_1234.new,
+          Codesake::Dawn::Kb::CVE_2014_0036.new, 
           Codesake::Dawn::Kb::CVE_2014_0080.new, 
           Codesake::Dawn::Kb::CVE_2014_0081.new, 
           Codesake::Dawn::Kb::CVE_2014_0082.new, 

diff --git a/spec/lib/dawn/codesake_knowledgebase_spec.rb b/spec/lib/dawn/codesake_knowledgebase_spec.rb
@@ -866,4 +866,10 @@
         sc.should_not   be_nil
           sc.class.should == Codesake::Dawn::Kb::CVE_2014_2322
   end
+
+  it "must have test for CVE-2014-0036" do
+      sc = kb.find("CVE-2014-0036")
+        sc.should_not   be_nil
+          sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
+  end
 end
diff --git a/spec/lib/kb/cve_2014_0036_spec.rb b/spec/lib/kb/cve_2014_0036_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper'
+describe "The CVE-2014-0036 vulnerability" do
+	before(:all) do
+		@check = Codesake::Dawn::Kb::CVE_2014_0036.new
+		# @check.debug = true
+	end
+  it "must be filled with CVSS information"
+  it "is reported when a vulnerable rbovirt gem version is detected (0.0.23)" do
+    @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.23'}]
+    @check.vuln?.should   be_true
+  end
+  it "is not reported when a sage rbovirt gem version is detected (0.0.24)" do
+    @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.24'}]
+    @check.vuln?.should   be_false
+  end
+end