Add CVE-2018-18476 for mysql-binuuid-rails (#362)

Add CVE-2018-18476 for mysql-binuuid-rails

Author: viraptor

gems/mysql-binuuid-rails/CVE-2018-18476.yml

@@ -0,0 +1,21 @@
+---
+gem: mysql-binuuid-rails
+cve: 2018-18476
+url: https://gist.github.com/viraptor/881276ea61e8d56bac6e28454c79f1e6
+title: mysql-binuuid-rails allows SQL Injection by removing default string escaping
+date: 2018-10-19
+
+description: |
+  mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes
+  default string escaping for affected database columns. ActiveRecord does not
+  explicitly escape the Binary data type (Type::Binary::Data) for mysql.
+  mysql-binuuid-rails uses a data type that is derived from the base Binary
+  type, except, it doesn’t convert the value to hex. Instead, it assumes the
+  string value provided is a valid hex string and doesn’t do any checks on it.
+
+patched_versions:
+  - ">= 1.1.1"
+
+related:
+  url:
+    - https://github.com/nedap/mysql-binuuid-rails/pull/18