Add CVE-2019-10842 - remote code exection in bootstrap-sass

eoinkelly · eoinkelly · commit ab525ab02e16 · 2019-04-04T21:28:20.000+13:00
diff --git a/gems/bootstrap-sass/CVE-2019-10842.yml b/gems/bootstrap-sass/CVE-2019-10842.yml
@@ -0,0 +1,18 @@
+---
+gem: bootstrap-sass
+cve: 2019-10842
+url: https://github.com/twbs/bootstrap-sass/issues/1195
+title: Remote code execution in bootstrap-sass
+date: 2019-04-04
+
+description: >-
+  bootstrap-sass is a Sass-powered version of Bootstrap 3, ready to drop right
+  into your Sass powered applications. Affected versions of this package are
+  malicious. The file `lib/active-controller/middleware.rb` contains a backdoor
+  which will enable a remote attacker to run arbitrary code on the server by
+  decoding a specific cookie value and evaluating its content.
+
+unaffected_versions:
+  - "<= 3.2.0.2"
+patched_versions:
+  - ">= 3.2.0.4"
