A database of vulnerable Ruby Gems
Ruby Shell Python
Clone or download
wktk and reedloden Remove pre-releases from unaffected versions of sinatra's CVE-2018-11…
…627 (#339)

- 2.0.0.beta[1-2] and 2.0.0.rc[1-6] are also affected, but accidentally
included to unaffected versions as they are < 2.0.0.
- In the commit history, 2.0.0-alpha exists before 2.0.0.beta1 and it's
not affected.  Since rubygems treats 2.0.0-alpha as between 2.0.0.beta2
and 2.0.0.rc1, we need to explicitly add it to unaffected versions.
Latest commit b51605e Jun 19, 2018

README.md

Ruby Advisory Database

The Ruby Advisory Database is a community effort to compile all security advisories that are relevant to Ruby libraries.

You can check your own Gemfile.locks against this database by using bundler-audit.

Support Ruby security!

Do you know about a vulnerability that isn't listed in this database? Open an issue, submit a PR, or use this form which will email the maintainers.

Directory Structure

The database is a list of directories that match the names of Ruby libraries on rubygems.org. Within each directory are one or more advisory files for the Ruby library. These advisory files are named using the advisories' CVE identifier number.

gems/:
  actionpack/:
    CVE-2014-0130.yml  CVE-2014-7818.yml  CVE-2014-7829.yml  CVE-2015-7576.yml
    CVE-2015-7581.yml  CVE-2016-0751.yml  CVE-2016-0752.yml

Format

Each advisory file contains the advisory information in YAML format:

---
gem: examplegem
cve: 2013-0156
url: https://github.com/rubysec/ruby-advisory-db/issues/123456
title: |
  Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
  Remote Code Execution

description: |
  Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
  The issue is triggered when a type casting error occurs during the parsing
  of parameters. This may allow a remote attacker to potentially execute
  arbitrary code.

cvss_v2: 10.0

patched_versions:
  - ~> 2.3.15
  - ~> 3.0.19
  - ~> 3.1.10
  - ">= 3.2.11"
unaffected_versions:
  - ~> 2.4.3

related:
  cve:
    - 2013-1234567
    - 2013-1234568
  url:
    - https://github.com/rubysec/ruby-advisory-db/issues/123457

Schema

  • gem [String]: Name of the affected gem.
  • framework [String] (optional): Name of the framework which the affected gem belongs to.
  • platform [String] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby)
  • cve [String]: CVE id.
  • osvdb [Integer]: OSVDB id.
  • url [String]: The URL to the full advisory.
  • title [String]: The title of the advisory or individual vulnerability.
  • date [Date]: The public disclosure date of the advisory.
  • description [String]: One or more paragraphs describing the vulnerability.
  • cvss_v2 [Float]: The CVSSv2 score for the vulnerability.
  • cvss_v3 [Float]: The CVSSv3 score for the vulnerability.
  • unaffected_versions [Array<String>] (optional): The version requirements for the unaffected versions of the Ruby library.
  • patched_versions [Array<String>]: The version requirements for the patched versions of the Ruby library.
  • related [Hash<Array<String>>]: Sometimes an advisory references many urls and cves. Supported keys: cve and url

Tests

Prior to submitting a pull request, run the tests:

bundle install
bundle exec rspec

Credits

Please see CONTRIBUTORS.md.

This database also includes data from the Open Source Vulnerability Database developed by the Open Security Foundation (OSF) and its contributors.