bundler-audit

Description

Patch-level verification for Bundler.

Features

  • Checks for vulnerable versions of gems in Gemfile.lock.
  • Prints advisory information.
  • Does not require a network connection.

Synopsis

Audit a project's Gemfile.lock:

$ bundle-audit
Name: rack
Version: 1.4.4
CVE: 2013-0263
Criticality: High
URL: http://osvdb.org/show/osvdb/89939
Title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution 
Patched Versions: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2

Name: json
Version: 1.7.6
CVE: 2013-0269
Criticality: High
URL: http://direct.osvdb.org/show/osvdb/90074
Title: Ruby on Rails JSON Gem Arbitrary Symbol Creation Remote DoS
Patched Versions: ~> 1.5.4, ~> 1.6.7, >= 1.7.7

Name: rails
Version: 3.2.10
CVE: 2013-0155
Criticality: High
URL: http://osvdb.org/show/osvdb/89025
Title: Ruby on Rails Active Record JSON Parameter Parsing Query Bypass 
Patched Versions: ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: rails
Version: 3.2.10
CVE: 2013-0156
Criticality: High
URL: http://osvdb.org/show/osvdb/89026
Title: Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
Remote Code Execution 
Patched Versions: ~> 2.3.15, ~> 3.0.19, ~> 3.1.10, >= 3.2.11

Name: rails
Version: 3.2.10
CVE: 2013-0276
Criticality: Medium
URL: http://direct.osvdb.org/show/osvdb/90072
Title: Ruby on Rails Active Record attr_protected Method Bypass
Patched Versions: ~> 2.3.17, ~> 3.1.11, >= 3.2.12

Unpatched versions found!

Requirements

Install

$ gem install bundler-audit

Contributing Advisories

For an advisory to be added to the Database, it must match the following format:

  • Must be a YAML file.
  • Must be placed in the data/bundler/audit/$gem/ directory.
  • Must be named after the CVE number (2013-0156.yml):
    • Must contain a URL to the OSVDB advisory.
    • Must contain the title and description.
    • Must contain the CVSSv2 Score.
    • Must contain the patched versions ranges.

Example

---
url: http://osvdb.org/show/osvdb/89026
title: |
  Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
  Remote Code Execution 

description: |
  Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
  The issue is triggered when a type casting error occurs during the parsing
  of parameters. This may allow a remote attacker to potentially execute
  arbitrary code.

cvss_v2: 10.0

patched_versions:
  - "~> 2.3.15"
  - "~> 3.0.19"
  - "~> 3.1.10"
  - ">= 3.2.11"
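The following is an added example, not bundler-audit's own code, showing how the advisory format above is consumed to produce the kind of report shown in the synopsis: each resolved gem in Gemfile.lock is looked up by name, and a version is reported as unpatched when it satisfies none of the advisory's patched version ranges (the ranges are alternatives, so "~> 1.4.5" or ">= 1.5.2" both count as fixed). The Gemfile.lock parser, the CVSSv2-to-Criticality thresholds, the sample lockfile and the CVSS score on the rack advisory are assumptions made for this example; the rails advisory is the one from the page.

```ruby
require 'yaml'
require 'rubygems'

# One advisory in the YAML shape described above (data/bundler/audit/$gem/$cve.yml).
Advisory = Struct.new(:gem_name, :cve, :url, :title, :description, :cvss_v2, :patched_versions) do
  # Build an Advisory from the YAML text of one advisory file.
  def self.from_yaml(gem_name, cve, yaml_text)
    data = YAML.safe_load(yaml_text) # advisories are data, never code: safe_load only
    new(gem_name, cve, data['url'], data['title'].to_s.strip, data['description'].to_s.strip,
        data['cvss_v2'].to_f, data['patched_versions'].map { |r| Gem::Requirement.new(r) })
  end

  # Vulnerable when the locked version satisfies NONE of the patched ranges.
  def vulnerable?(version)
    patched_versions.none? { |req| req.satisfied_by?(version) }
  end

  # Assumed mapping from the CVSSv2 score to the Criticality column of the report.
  def criticality
    case cvss_v2
    when 0.0...3.3 then 'Low'
    when 3.3...6.6 then 'Medium'
    else 'High'
    end
  end
end

# Read every data/bundler/audit/$gem/$cve.yml under root into { gem_name => [Advisory, ...] }.
def load_advisories(root)
  Dir.glob(File.join(root, '*', '*.yml')).each_with_object(Hash.new { |h, k| h[k] = [] }) do |path, acc|
    gem_name = File.basename(File.dirname(path))
    acc[gem_name] << Advisory.from_yaml(gem_name, File.basename(path, '.yml'), File.read(path))
  end
end

# Minimal Gemfile.lock reader (an assumption for this example; bundler-audit itself relies on
# Bundler's lockfile parser). Resolved gems sit at exactly four spaces of indent under
# "specs:", their dependencies at six, so the anchored regex only matches the resolved gems.
def parse_lockfile(text)
  gems = {}
  in_specs = false
  text.each_line do |raw|
    line = raw.chomp
    in_specs = true if line == '  specs:'
    in_specs = false if line =~ /\A\S/ # next top-level section (PLATFORMS, DEPENDENCIES)
    next unless in_specs
    if (m = line.match(/\A {4}(\S+) \(([^)\s]+)\)\z/))
      version = m[2].split('-', 2).first # drop a platform suffix such as "-x86-mingw32"
      gems[m[1]] = Gem::Version.new(version)
    end
  end
  gems
end

# Cross-reference each locked gem against the advisories filed under its name.
# Returns [[name, version, advisory], ...] in lockfile order.
def audit(lockfile_text, advisories)
  parse_lockfile(lockfile_text).flat_map do |name, version|
    (advisories[name] || []).select { |adv| adv.vulnerable?(version) }.map { |adv| [name, version, adv] }
  end
end

# Print findings in the layout of the bundle-audit synopsis.
def report(findings)
  findings.each do |name, version, adv|
    puts "Name: #{name}", "Version: #{version}", "CVE: #{adv.cve}", "Criticality: #{adv.criticality}",
         "URL: #{adv.url}", "Title: #{adv.title}", "Patched Versions: #{adv.patched_versions.join(', ')}", ''
  end
  puts(findings.empty? ? 'No unpatched versions found' : 'Unpatched versions found!')
end

# Constructed Gemfile.lock fragment (not from a real project): rails at the unpatched
# 3.2.10 from the synopsis, rack at 1.4.5 which falls inside "~> 1.4.5".
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      json (1.7.7)
      rack (1.4.5)
      rails (3.2.10)
        actionpack (= 3.2.10)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails (= 3.2.10)
LOCK

# The advisory from the page, verbatim apart from whitespace.
RAILS_2013_0156 = <<~YAML
  ---
  url: http://osvdb.org/show/osvdb/89026
  title: |
    Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
    Remote Code Execution
  description: |
    Ruby on Rails contains a flaw in params_parser.rb of the Action Pack.
  cvss_v2: 10.0
  patched_versions:
    - "~> 2.3.15"
    - "~> 3.0.19"
    - "~> 3.1.10"
    - ">= 3.2.11"
YAML

# Constructed from the rack entry in the synopsis; the cvss_v2 score is assumed
# (the page only shows Criticality: High for it).
RACK_2013_0263 = <<~YAML
  ---
  url: http://osvdb.org/show/osvdb/89939
  title: Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
  description: Constructed placeholder description.
  cvss_v2: 7.5
  patched_versions: ["~> 1.1.6", "~> 1.2.8", "~> 1.3.10", "~> 1.4.5", ">= 1.5.2"]
YAML

SAMPLE_ADVISORIES = {
  'rails' => [Advisory.from_yaml('rails', '2013-0156', RAILS_2013_0156)],
  'rack'  => [Advisory.from_yaml('rack', '2013-0263', RACK_2013_0263)],
}

report(audit(SAMPLE_LOCKFILE, SAMPLE_ADVISORIES)) if $PROGRAM_NAME == __FILE__
```

Against the sample lockfile only rails 3.2.10 is reported: it satisfies none of the four patched ranges, while rack 1.4.5 is inside "~> 1.4.5" and json has no advisory on file. Swap SAMPLE_ADVISORIES for load_advisories('data/bundler/audit') to run the same check against a checked-out advisory directory, still without any network access.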

License

Copyright (c) 2013 Hal Brodigan (postmodern.mod3 at gmail.com)

bundler-audit is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

bundler-audit is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with bundler-audit. If not, see http://www.gnu.org/licenses/.