Sync with GitHub Security Advisories

reedloden · reedloden · commit c862ad98216d · 2023-01-02T12:09:38.000-08:00
* Add active_attr/CVE-2021-4250 * Update CVSSv3 for text_helpers/CVE-2020-36624
diff --git a/gems/active_attr/CVE-2021-4250.yml b/gems/active_attr/CVE-2021-4250.yml
@@ -0,0 +1,25 @@
+---
+gem: active_attr
+cve: 2021-4250
+ghsa: 4whf-rmx5-8frv
+url: https://github.com/cgriego/active_attr/issues/184
+title: active_attr Improper Resource Shutdown or Release vulnerability
+date: 2022-12-19
+description: |
+  A vulnerability classified as problematic has been found in cgriego active_attr
+  up to 0.15.3. This affects the function call of the file
+  lib/active_attr/typecasting/boolean_typecaster.rb of the component Regex Handler.
+  The manipulation of the argument value leads to denial of service. The exploit
+  has been disclosed to the public and may be used. Upgrading to version 0.15.4 can
+  address this issue. The name of the patch is dab95e5843b01525444b82bd7b336ef1d79377df.
+  It is recommended to upgrade the affected component. The associated identifier of
+  this vulnerability is VDB-216207.
+cvss_v3: 3.5
+patched_versions:
+- ">= 0.15.4"
+related:
+  url:
+  - https://github.com/cgriego/active_attr/pull/185
+  - https://github.com/cgriego/active_attr/commit/dab95e5843b01525444b82bd7b336ef1d79377df
+  - https://github.com/cgriego/active_attr/releases/tag/v0.15.4
+  - https://vuldb.com/?id.216207
diff --git a/gems/text_helpers/CVE-2020-36624.yml b/gems/text_helpers/CVE-2020-36624.yml
@@ -5,13 +5,15 @@ ghsa: 74hc-57m5-83ch
 url: https://github.com/ahorner/text-helpers/pull/19
 title: text_helpers uses web link to untrusted target with window.opener access
 date: 2022-12-22
-description: A vulnerability was found in ahorner text-helpers 1.1.0/1.1.1. It has
-  been declared as critical. This vulnerability affects unknown code of the file lib/text_helpers/translation.rb.
-  The manipulation of the argument link leads to use of web link to untrusted target
-  with window.opener access. The attack can be initiated remotely. Upgrading to version
-  1.2.0 can address this issue. The name of the patch is 184b60ded0e43c985788582aca2d1e746f9405a3.
-  It is recommended to upgrade the affected component. The identifier of this vulnerability
-  is VDB-216520.
+description: |
+  A vulnerability was found in ahorner text-helpers 1.1.0/1.1.1. It has
+  been declared as critical. This vulnerability affects unknown code of the file
+  lib/text_helpers/translation.rb. The manipulation of the argument link leads to
+  use of web link to untrusted target with window.opener access. The attack can be
+  initiated remotely. Upgrading to version 1.2.0 can address this issue. The name
+  of the patch is 184b60ded0e43c985788582aca2d1e746f9405a3. It is recommended to
+  upgrade the affected component. The identifier of this vulnerability is VDB-216520.
+cvss_v3: 6.1
 unaffected_versions:
 - "< 1.1.0"
 patched_versions:
