diff --git a/gems/activejob/OSVDB-112347.yml b/gems/activejob/OSVDB-112347.yml
new file mode 100644
index 0000000000..0d78aa9fb3
--- /dev/null
+++ b/gems/activejob/OSVDB-112347.yml
@@ -0,0 +1,19 @@
+---
+gem: activejob
+osvdb: 112347
+url: https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
+title: Active Job - Object injection security vulnerability if Global IDs
+date: 2014-09-29
+description: |
+  * In release post: "Active Job vulnerability:
+  We also fixed an Active Job bug that allowed String
+  arguments to be deserialized as if they were Global IDs,
+  an object injection security vulnerability.
+patched_versions:
+  - ">= 4.2.0.beta2"
+related:
+  url:
+    - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
+    - https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
+notes: |
+  - No CVE, GHSA, or CVSS values
diff --git a/gems/activerecord-jdbc-adapter/OSVDB-114854.yml b/gems/activerecord-jdbc-adapter/OSVDB-114854.yml
index d8907709b7..c493c82424 100644
--- a/gems/activerecord-jdbc-adapter/OSVDB-114854.yml
+++ b/gems/activerecord-jdbc-adapter/OSVDB-114854.yml
@@ -25,3 +25,4 @@ related:
     - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076
     - https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8
     - http://osvdb.org/show/osvdb/114854
+    - https://advisories.gitlab.com/pkg/gem/activerecord-jdbc-adapter/OSVDB-2013-02-25
diff --git a/gems/rails_admin/CVE-2016-10522.yml b/gems/rails_admin/CVE-2016-10522.yml
index c879c4a2b6..0f2d96cb88 100644
--- a/gems/rails_admin/CVE-2016-10522.yml
+++ b/gems/rails_admin/CVE-2016-10522.yml
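Review bot: The new advisory's `description` block is an unattributed fragment: it opens with `* In release post: "Active Job vulnerability:` and that double quote is never closed, so the rendered advisory starts with a bullet that breaks off mid-sentence. Rewording it as plain prose that names its source reads better, e.g. `description: |` followed by `From the Rails 4.2.0.beta2 release post: Active Job allowed String arguments to be deserialized as if they were Global IDs, an object injection vulnerability.` The `title` ends in `... vulnerability if Global IDs`, which looks like a typo for `in` or `via` and is worth checking against the OSVDB title. The GitLab advisory URL is also listed twice, once as the top-level `url` and again under `related.url`, so one of the two is redundant.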
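Review bot: The added GitLab link ends in the date-shaped slug `OSVDB-2013-02-25`, whereas this file is `OSVDB-114854.yml` and the other GitLab links on this page are keyed by the OSVDB number (`OSVDB-112347`) or the source identifier (`SRCCLR-SID-3173`); it is worth confirming that this URL resolves to the advisory for OSVDB 114854 and not to a differently keyed record. If the slug really is how GitLab identifies this entry, a comment above the new line such as `# GitLab's slug for this advisory is date-based rather than the OSVDB id` would spare the next reader the same check. The `related:` mapping this list belongs to starts above the hunk.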
@@ -18,5 +18,8 @@ patched_versions:
   - ">= 1.1.1"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2016-10522
     - https://www.sourceclear.com/registry/security/cross-site-request-forgery-csrf-/ruby/sid-3173
     - https://github.com/sferik/rails_admin/commit/b13e879eb93b661204e9fb5e55f7afa4f397537a
+    - https://advisories.gitlab.com/pkg/gem/rails_admin/SRCCLR-SID-3173
+    - https://github.com/advisories/GHSA-pxqr-8v54-m2hj
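Review bot: The GHSA identifier carried by the new `https://github.com/advisories/GHSA-pxqr-8v54-m2hj` link is recorded only as a URL; if this database's schema has a top-level `ghsa:` field and the record lacks one (the file's header lines are above the hunk, so that cannot be seen here), the identifier should also be stored there as `ghsa: pxqr-8v54-m2hj` so that tooling matching on the field finds it, with the URL kept as a related link. The new NVD link is inserted ahead of the pre-existing sourceclear and commit links while the other two additions are appended at the end; keeping new entries together at the end, or ordering the list consistently, makes later diffs easier to read.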