GHSA SYNC: 1 brand new unreviewed advisories#969
jasnow wants to merge 1 commit into rubysec:master from
postmodern left a comment:
Before we flag all versions of Ruby as being vulnerable due to issues in stdlib gems, will need some confirmation here.
- Unclear when or if this was patched.
cvss_v2: 5.0
cvss_v3: 5.3
notes: Never patched
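Review bot: `notes: Never patched` on the last line of this region contradicts the `- Unclear when or if this was patched.` entry a few lines above it in the same advisory; either confirm the fix status before asserting "Never patched" or drop that wording, and keep the whole explanation in the free-form `notes:` field instead of splitting it between two places.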
Is this still unpatched?
Also, WEBrick was moved out of Ruby and into a separate gem as of Ruby 3.0.0. I feel like >= 3.0.0 should technically be the patched_versions.
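To make the `patched_versions` suggestion above concrete, here is an added example (not code from ruby-advisory-db, bundler-audit or this PR) that evaluates a ruby-advisory-db style constraint list against candidate Ruby versions using RubyGems' own `Gem::Requirement` semantics. The advisory fragment is constructed for illustration; its `>= 3.0.0` constraint is the reviewer's proposal, and the any-constraint-matches rule is this example's interpretation of how `patched_versions` and `unaffected_versions` are consumed.

```ruby
# Added example (not ruby-advisory-db or bundler-audit code): classify a
# version against a ruby-advisory-db style advisory using RubyGems'
# Gem::Requirement, which is what tools reading this database rely on.
require 'rubygems'
require 'yaml'

# Constructed advisory fragment for this example. Field names follow the
# database's YAML layout; the constraint value is the reviewer's proposal
# (WEBrick shipped as a separate gem from Ruby 3.0.0 on).
ADVISORY_YAML = <<~YAML
  gem: ruby
  patched_versions:
    - ">= 3.0.0"
  notes: "Constructed example advisory, not a real database entry"
YAML

# True when `version` satisfies at least one constraint in `constraints`.
# Gem::Requirement treats prerelease versions (e.g. 3.0.0.preview1) as
# lower than the final release, so they do not satisfy ">= 3.0.0".
def satisfies_any?(version, constraints)
  v = Gem::Version.new(version)
  Array(constraints).any? { |c| Gem::Requirement.new(c).satisfied_by?(v) }
end

# Assumed rule for this example: unaffected_versions wins, then
# patched_versions; anything matching neither is reported as vulnerable.
def classify(advisory, version)
  return :unaffected if satisfies_any?(version, advisory['unaffected_versions'])
  return :patched    if satisfies_any?(version, advisory['patched_versions'])
  :vulnerable
end

def load_advisory(yaml = ADVISORY_YAML)
  YAML.safe_load(yaml)
end

if $PROGRAM_NAME == __FILE__
  adv = load_advisory
  %w[2.7.8 3.0.0.preview1 3.0.0 3.2.2].each do |v|
    puts "#{v}: #{classify(adv, v)}"
  end
end
```

With this constraint a 2.x interpreter is still reported as vulnerable while 3.0.0 and later are treated as patched, which is the split the comment above asks for; if the fix status really is unknown, leaving `patched_versions` empty keeps every version flagged, so the field choice is exactly what the reviewer is questioning.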
requests, which might allow remote attackers to inject arbitrary text
into log files or bypass intended address parsing via a crafted header.

## Can only have one "notes:" field for adding these notes here:
notes: is free-form text. This additional information should be put into notes:. The additional URLs can also be added to the related urls list.
developers can cause arbitrary code execution.
cvss_v2: 7.5
cvss_v3: 9.8
notes: "Never patched"
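Review bot: the notes value is quoted here (`notes: "Never patched"`) but unquoted in the other advisory fragment in this PR (`notes: Never patched`); both are valid YAML, but pick one style for the whole sync so the generated files stay consistent.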
Is it really fair to flag all Ruby versions because of a stdlib gem that is not required by default and can only be used on a Windows system? Perhaps this should go into gems/win32ole/?
All good issues stated above. Think this PR has too many open questions so I am going to cancel it.