Sync with GitHub Security Advisories

reedloden · reedloden · commit 55138bfa7c4e · 2023-01-08T20:24:46.000-08:00
* Add httparty/GHSA-5pq7-52mg-hr42 and keynote/CVE-2017-20159
diff --git a/gems/httparty/GHSA-5pq7-52mg-hr42.yml b/gems/httparty/GHSA-5pq7-52mg-hr42.yml
@@ -0,0 +1,29 @@
+---
+gem: httparty
+ghsa: 5pq7-52mg-hr42
+url: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
+title: httparty has multipart/form-data request tampering vulnerability
+date: 2023-01-03
+description: |
+  "multipart/form-data request tampering vulnerability"
+  caused by Content-Disposition "filename" lack of escaping in httparty.
+
+  `httparty/lib/httparty/request` > `body.rb` > `def generate_multipart`
+
+  https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+
+  By exploiting this problem, the following attacks are possible
+
+  * An attack that rewrites the \"name\" field according to the crafted file
+  name, impersonating (overwriting) another field.
+  * Attacks that rewrite the filename extension at the time multipart/form-data
+  is generated by tampering with the filename.
+cvss_v3: 6.5
+patched_versions:
+- ">= 0.21.0"
+related:
+  url:
+  - https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
+  - https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
+  - https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+  - https://bugzilla.mozilla.org/show_bug.cgi?id=1556711
diff --git a/gems/keynote/CVE-2017-20159.yml b/gems/keynote/CVE-2017-20159.yml
@@ -0,0 +1,21 @@
+---
+gem: keynote
+cve: 2017-20159
+ghsa: 399p-vq28-5hg8
+url: https://github.com/rf-/keynote/commit/05be4356b0a6ca7de48da926a9b997beb5ffeb4a
+title: keynote Cross-site Scripting vulnerability
+date: 2022-12-31
+description: |
+  A vulnerability was found in rf Keynote up to 0.x. It has been rated
+  as problematic. Affected by this issue is some unknown functionality of the file
+  lib/keynote/rumble.rb. The manipulation of the argument value leads to cross site
+  scripting. The attack may be launched remotely. Upgrading to version 1.0.0 can address
+  this issue. The name of the patch is 05be4356b0a6ca7de48da926a9b997beb5ffeb4a. It
+  is recommended to upgrade the affected component. VDB-217142 is the identifier assigned
+  to this vulnerability.
+patched_versions:
+- ">= 1.0.0"
+related:
+  url:
+  - https://github.com/rf-/keynote/releases/tag/v1.0.0
+  - https://vuldb.com/?id.217142
