Merge branch 'issue_43_cve_2014_0036' into development
Conflicts: lib/codesake/dawn/knowledge_base.rb spec/lib/dawn/codesake_knowledgebase_spec.rb
Showing
5 changed files
with
54 additions
and
0 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,29 @@ | ||
module Codesake | ||
module Dawn | ||
module Kb | ||
# Automatically created with rake on 2014-03-14 | ||
class CVE_2014_0036 | ||
include DependencyCheck | ||
|
||
def initialize | ||
message = "rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream." | ||
|
||
super({ | ||
:name=>"CVE-2014-0036", | ||
:cvss=>"", | ||
:release_date => Date.new(2014, 3, 5), | ||
:cwe=>"20", | ||
:owasp=>"A9", | ||
:applies=>["sinatra", "padrino", "rails"], | ||
:kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK, | ||
:message=>message, | ||
:mitigation=>"Please upgrade rbovirt version at least to 0.0.24. As a general rule, using the latest version is recommended.", | ||
:aux_links=>["http://www.securityfocus.com/bid/66006"] | ||
}) | ||
|
||
self.safe_dependencies = [{:name=>"rbovirt", :version=>['0.0.24']}] | ||
end | ||
end | ||
end | ||
end | ||
end |
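Review bot: The `:cwe=>"20"` entry in the `super` hash classifies this as Improper Input Validation, but the message describes a missing SSL certificate check, for which CWE-295 (Improper Certificate Validation) is the precise category; consider `:cwe=>"295",`. The `:cvss=>""` field is also left empty, and the companion spec only has a pending example for it; a knowledge-base entry without a score cannot be ranked against other findings, so the CVSS vector and score from the advisory should be filled in before this reaches users. Everything else (release date, safe version 0.0.24, advisory link) is consistent with the mitigation text.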
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
require 'spec_helper' | ||
describe "The CVE-2014-0036 vulnerability" do | ||
before(:all) do | ||
@check = Codesake::Dawn::Kb::CVE_2014_0036.new | ||
# @check.debug = true | ||
end | ||
it "must be filled with CVSS information" | ||
it "is reported when a vulnerable rbovirt gem version is detected (0.0.23)" do | ||
@check.dependencies = [{:name=>"rbovirt", :version=>'0.0.23'}] | ||
@check.vuln?.should be_true | ||
end | ||
it "is not reported when a sage rbovirt gem version is detected (0.0.24)" do | ||
@check.dependencies = [{:name=>"rbovirt", :version=>'0.0.24'}] | ||
@check.vuln?.should be_false | ||
end | ||
end |
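Review bot: The description of the last example reads "a sage rbovirt gem version" where "safe" is meant; the line should be `it "is not reported when a safe rbovirt gem version is detected (0.0.24)" do`. The two examples only probe the exact boundary (0.0.23 vulnerable, 0.0.24 safe); since the check's `safe_dependencies` lists a single version and the comparison logic lives in DependencyCheck outside this diff, an extra example asserting that a version newer than 0.0.24 is not reported would catch the safe list being treated as an exact match rather than a minimum. The pending `it "must be filled with CVSS information"` example is a reasonable reminder but should be given a body once the CVSS field in the check is populated.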