Skip to content

Commit c7f1a0e

Browse files
reedlodenreedloden
committed
Sync with GitHub Security Advisories
* Add CVE-2021-39880 for apollo_upload_server * Metadata updates for activesupport/CVE-2023-28120, rack/CVE-2023-27530, rack/CVE-2023-27539
1 parent e9b5f95 commit c7f1a0e

4 files changed

Lines changed: 26 additions & 1 deletion

File tree

gems/activesupport/CVE-2023-28120.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22
gem: activesupport
33
framework: rails
44
cve: 2023-28120
5+
ghsa: pj73-v5mw-pm9j
56
url: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
67
title: Possible XSS Security Vulnerability in SafeBuffer#bytesplice
78
date: 2023-03-13

gems/apollo_upload_server/CVE-2021-39880.yml

Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
---
2+
gem: apollo_upload_server
3+
cve: 2021-39880
4+
ghsa: w6pv-c757-6rgr
5+
url: https://hackerone.com/reports/1181284
6+
title: apollo_upload_server has Denial of Service vulnerability
7+
date: 2022-05-24
8+
description: |
9+
A Denial Of Service vulnerability in the apollo_upload_server Ruby gem
10+
in GitLab CE/EE version 11.11 and above allows an attacker to deny access to all
11+
users via specially crafted requests to the apollo_upload_server middleware.
12+
cvss_v3: 6.5
13+
patched_versions:
14+
- ">= 2.1.0"
15+
related:
16+
url:
17+
- https://gitlab.com/gitlab-org/cves/-/blob/master/2021/CVE-2021-39880.json
18+
- https://gitlab.com/gitlab-org/gitlab/-/issues/330561
19+
- https://github.com/jetruby/apollo_upload_server-ruby/pull/44
20+
- https://github.com/jetruby/apollo_upload_server-ruby/commit/b0582c1a3e458eee3c994fb38278bd0221f20486
21+
- https://github.com/jetruby/apollo_upload_server-ruby/releases/tag/2.1.0
22+
- https://gitlab.com/gitlab-org/gitlab/-/issues/330561#note_642879964
23+
- https://vuldb.com/?id.183842

gems/rack/CVE-2023-27530.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -17,6 +17,7 @@ description: |
1717
1818
# Workarounds
1919
A proxy can be configured to limit the POST body size which will mitigate this issue.
20+
cvss_v3: 7.5
2021
patched_versions:
2122
- "~> 2.0.9, >= 2.0.9.3"
2223
- "~> 2.1.4, >= 2.1.4.3"

gems/rack/CVE-2023-27539.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,6 +1,7 @@
11
---
22
gem: rack
33
cve: 2023-27539
4+
ghsa: c6qg-cjj8-47qp
45
url: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
56
title: Possible Denial of Service Vulnerability in Rack’s header parsing
67
date: 2023-03-13
@@ -14,7 +15,6 @@ description: |
1415
1516
# Workarounds
1617
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.
17-
1818
patched_versions:
1919
- "~> 2.0, >= 2.2.6.4"
2020
- ">= 3.0.6.1"

0 commit comments

Comments
 (0)