diff --git a/Changelog.md b/Changelog.md
index 1643229c..6aef28da 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -52,6 +52,7 @@ _latest update: Thu Feb 13 08:31:37 CET 2014_
 or just old. I enabled only check against ruby
 * Added a check for CVE-2014-2322
+* Added a check for CVE-2014-0036
 ## Version 1.0.4 - codename: Lightning McQueen (2014-03-14)
diff --git a/lib/codesake/dawn/kb/cve_2014_0036.rb b/lib/codesake/dawn/kb/cve_2014_0036.rb
new file mode 100644
index 00000000..98e2f925
--- /dev/null
+++ b/lib/codesake/dawn/kb/cve_2014_0036.rb
@@ -0,0 +1,29 @@
+module Codesake
+ module Dawn
+ module Kb
+ # Automatically created with rake on 2014-03-14
+ class CVE_2014_0036
+ include DependencyCheck
+
+ def initialize
+ message = "rbovirt Gem for Ruby contains a flaw related to certificate validation. The issue is due to the program failing to validate SSL certificates. This may allow an attacker with access to network traffic (e.g. MiTM, DNS cache poisoning) to spoof the SSL server via an arbitrary certificate that appears valid. Such an attack would allow for the interception of sensitive traffic, and potentially allow for the injection of content into the SSL stream."
+
+ super({
+ :name=>"CVE-2014-0036",
+ :cvss=>"",
+ :release_date => Date.new(2014, 3, 5),
+ :cwe=>"20",
+ :owasp=>"A9",
+ :applies=>["sinatra", "padrino", "rails"],
+ :kind=>Codesake::Dawn::KnowledgeBase::DEPENDENCY_CHECK,
+ :message=>message,
+ :mitigation=>"Please upgrade rbovirt version at least to 0.0.24. As a general rule, using the latest version is recommended.",
+ :aux_links=>["http://www.securityfocus.com/bid/66006"]
+ })
+
+ self.safe_dependencies = [{:name=>"rbovirt", :version=>['0.0.24']}]
+ end
+ end
+ end
+ end
+end
diff --git a/lib/codesake/dawn/knowledge_base.rb b/lib/codesake/dawn/knowledge_base.rb
index 8bdc6733..c32b5f96 100644
--- a/lib/codesake/dawn/knowledge_base.rb
+++ b/lib/codesake/dawn/knowledge_base.rb
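Review bot: `:cvss=>""` in lib/codesake/dawn/kb/cve_2014_0036.rb ships the check with no severity data, and the new spec leaves `it "must be filled with CVSS information"` pending, so a finding for rbovirt cannot be ranked against other checks; fill it from the advisory before release, e.g. `:cvss=>"<CVSS vector from the advisory>"`. `:cwe=>"20"` is the generic input-validation class, while the message describes missing SSL certificate validation, for which CWE-295 (Improper Certificate Validation) is the more precise mapping: `:cwe=>"295"`. Because the check only compares gem versions, the mitigation text could also ask the reader to confirm that the application's own client configuration does not disable certificate verification after the upgrade.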
@@ -211,6 +211,7 @@
 # CVE - 2014
+require "codesake/dawn/kb/cve_2014_0036"
 require "codesake/dawn/kb/cve_2014_0080"
 require "codesake/dawn/kb/cve_2014_0081"
 require "codesake/dawn/kb/cve_2014_0082"
@@ -442,6 +443,7 @@ def self.load_security_checks
 Codesake::Dawn::Kb::CVE_2013_7086.new,
 Codesake::Dawn::Kb::CVE_2014_1233.new,
 Codesake::Dawn::Kb::CVE_2014_1234.new,
+ Codesake::Dawn::Kb::CVE_2014_0036.new,
 Codesake::Dawn::Kb::CVE_2014_0080.new,
 Codesake::Dawn::Kb::CVE_2014_0081.new,
 Codesake::Dawn::Kb::CVE_2014_0082.new,
diff --git a/spec/lib/dawn/codesake_knowledgebase_spec.rb b/spec/lib/dawn/codesake_knowledgebase_spec.rb
index 7db0ee30..8245a644 100644
--- a/spec/lib/dawn/codesake_knowledgebase_spec.rb
+++ b/spec/lib/dawn/codesake_knowledgebase_spec.rb
@@ -866,4 +866,10 @@
 sc.should_not be_nil
 sc.class.should == Codesake::Dawn::Kb::CVE_2014_2322
 end
+
+ it "must have test for CVE-2014-0036" do
+ sc = kb.find("CVE-2014-0036")
+ sc.should_not be_nil
+ sc.class.should == Codesake::Dawn::Kb::CVE_2014_0036
+ end
 end
diff --git a/spec/lib/kb/cve_2014_0036_spec.rb b/spec/lib/kb/cve_2014_0036_spec.rb
new file mode 100644
index 00000000..915a5b96
--- /dev/null
+++ b/spec/lib/kb/cve_2014_0036_spec.rb
@@ -0,0 +1,16 @@
+require 'spec_helper'
+describe "The CVE-2014-0036 vulnerability" do
+ before(:all) do
+ @check = Codesake::Dawn::Kb::CVE_2014_0036.new
+ # @check.debug = true
+ end
+ it "must be filled with CVSS information"
+ it "is reported when a vulnerable rbovirt gem version is detected (0.0.23)" do
+ @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.23'}]
+ @check.vuln?.should be_true
+ end
+ it "is not reported when a sage rbovirt gem version is detected (0.0.24)" do
+ @check.dependencies = [{:name=>"rbovirt", :version=>'0.0.24'}]
+ @check.vuln?.should be_false
+ end
+end
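Review bot: The negative example in spec/lib/kb/cve_2014_0036_spec.rb is described as `a sage rbovirt gem version`; it should read `a safe rbovirt gem version`, since that string is what shows up in the spec output. The examples cover only 0.0.23 and 0.0.24, so nothing confirms that `vuln?` treats a release newer than the fix as safe rather than matching only the exact entry in `safe_dependencies`; an extra example with a constructed later version such as `'0.0.25'` expecting `be_false` would close that gap. The CVSS example has no block and will stay pending until `:cvss` is populated in the check class.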