update vulnerabilities with cvss_v3 from github

Author: skipkayhil

gems/actionpack/CVE-2015-7581.yml

@@ -46,6 +46,8 @@ description: |
 
   Please note that only the 4.1.x and 4.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
 
+cvss_v3: 7.5
+
 unaffected_versions:
   - "< 4.0.0"
   - ">= 5.0.0.beta1"

gems/actionpack/CVE-2016-2098.yml

@@ -80,6 +80,8 @@ description: |
   Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for 
   reporting this!
 
+cvss_v3: 7.3
+
 unaffected_versions:
   - ">= 5.0.0.beta1"
 

gems/actionpack/CVE-2020-8264.yml

@@ -29,6 +29,8 @@ description: |
 
   `config.middleware.delete ActionDispatch::ActionableExceptions`
 
+cvss_v3: 6.1
+
 unaffected_versions:
   - "< 6.0.0"
 

gems/actionpack/CVE-2021-22885.yml

@@ -57,6 +57,8 @@ description: |
   end
   ```
 
+cvss_v3: 7.5
+
 unaffected_versions:
   - "< 2.0.0"
 

gems/actionview/CVE-2016-2097.yml

@@ -81,6 +81,8 @@ description: |
   Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this 
   and working with us in the patch!
 
+cvss_v3: 5.3
+
 unaffected_versions:
   - ">= 4.2.0"
 

gems/actionview/CVE-2019-5418.yml

@@ -90,6 +90,8 @@ description: |
   -------
   Thanks to John Hawthorn <[email protected]> of GitHub
 
+cvss_v3: 7.5
+
 patched_versions:
   - "~> 4.2.11, >= 4.2.11.1"
   - "~> 5.0.7, >= 5.0.7.2"

gems/actionview/CVE-2019-5419.yml

@@ -87,6 +87,8 @@ description: |
   Thanks to John Hawthorn <[email protected]> of GitHub 
 
 
+cvss_v3: 7.5
+
 patched_versions:
   - ">= 6.0.0.beta3"
   - "~> 5.2.2, >= 5.2.2.1"

gems/actionview/CVE-2020-5267.yml

@@ -64,6 +64,8 @@ description: |
   end
   ```
 
+cvss_v3: 4.0
+
 patched_versions:
   - "~> 5.2.4, >= 5.2.4.2"
   - ">= 6.0.2.2"

gems/activejob/CVE-2018-16476.yml

@@ -25,6 +25,8 @@ description: |
   All users running an affected release should either upgrade or use one of the
   workarounds immediately.
 
+cvss_v3: 7.5
+
 unaffected_versions:
   - "< 4.2.0"
 

gems/activerecord/CVE-2016-6317.yml

@@ -65,6 +65,8 @@ description: |
       end
     ```
 
+cvss_v3: 7.5
+
 unaffected_versions:
   - "< 4.2.0"
   - ">= 5.0.0"

gems/activestorage/CVE-2018-16477.yml

@@ -36,6 +36,8 @@ description: |
   end
   ```
 
+cvss_v3: 6.5
+
 unaffected_versions:
   - "< 5.2.0"
 

gems/administrate/CVE-2020-5257.yml

@@ -16,6 +16,8 @@ description: |
   Whilst this does have a high-impact, to exploit this you need access to the
   Administrate dashboards, which should generally be behind authentication.
 
+cvss_v3: 7.7
+
 patched_versions:
   - ">= 0.13.0"
 

gems/airbrake-ruby/CVE-2019-16060.yml

@@ -8,6 +8,8 @@ description: |
   A flaw in airbrake-ruby v4.2.3 prevented user data from being filtered
   prior to sending to Airbrake. Such data could be user passwords. Therefore, an app
   could leak user passwords without knowing it.
+cvss_v3: 9.8
+
 unaffected_versions:
   - "< 4.2.3"
   - "> 4.2.3"

gems/consul/CVE-2019-16377.yml

@@ -11,5 +11,7 @@ description: |
   to all power checks in that controller. This can lead to skipped power checks
   and hence unauthenticated access to certain controller actions.
 
+cvss_v3: 9.8
+
 patched_versions:
   - ">= 1.0.3"

gems/devise/CVE-2019-16109.yml

@@ -9,5 +9,7 @@ description: |
   confirmation_token, if a database record has a blank value in the confirmation_token column.
   However, there is no scenario within Devise itself in which such database records would exist.
 
+cvss_v3: 5.3
+
 patched_versions:
   - ">= 4.7.1"

gems/dragonfly/CVE-2021-33564.yml

@@ -12,5 +12,7 @@ description: |
   problem occurs because the generate and process features mishandle use of the ImageMagick
   convert utility.
 
+cvss_v3: 9.8
+
 patched_versions:
   - ">= 1.4.0"

gems/ember-source/CVE-2015-7565.yml

@@ -19,6 +19,8 @@ description: |
 
   All users running an affected release should either upgrade or use of
   the workarounds immediately.
+cvss_v3: 6.1
+
 patched_versions:
   - ~> 1.11.4
   - ~> 1.12.2

gems/excon/CVE-2019-16779.yml

@@ -15,6 +15,8 @@ description: |-
   Users can workaround the problem by disabling persistent connections, though
   this may cause performance implications.
 
+cvss_v3: 5.8
+
 patched_versions:
   - ">= 0.71.0"
 

gems/field_test/CVE-2019-13146.yml

@@ -14,6 +14,8 @@ description: |
 
   landing_page = field_test(:landing_page)
   Page.where("key = '#{landing_page}'")
+cvss_v3: 5.3
+
 patched_versions:
   - ">= 0.3.1"
 unaffected_versions:

gems/foreman_fog_proxmox/CVE-2021-20259.yml

@@ -12,5 +12,7 @@ description: |
   and integrity as well as system availability. Versions before foreman_fog_proxmox
   0.13.1 are affected
 
+cvss_v3: 7.8
+
 patched_versions:
    - ">= 0.13.1"

gems/pgsync/CVE-2021-31671.yml

@@ -23,5 +23,7 @@ description: |
   
   This applies to both the `to` and `from` connections.
 
+cvss_v3: 7.5
+
 patched_versions:
   - ">= 0.6.7"

gems/rack/CVE-2019-16782.yml

@@ -27,6 +27,8 @@ description: |-
   may be able to perform a timing attack to determine an existing session id
   and hijack that session.
 
+cvss_v3: 6.3
+
 patched_versions:
   - "~> 1.6.12"
   - ">= 2.0.8"

gems/railties/CVE-2019-5420.yml

@@ -41,6 +41,8 @@ description: |
   -------
   Thanks to ooooooo_q
 
+cvss_v3: 9.8
+
 unaffected_versions:
   - "< 5.2.0"
 

gems/ruby-saml/CVE-2017-11428.yml

@@ -18,6 +18,8 @@ description: |
 
 cvss_v2: 6.3
 
+cvss_v3: 7.7
+
 patched_versions:
   - ">= 1.7.0"
 

gems/trestle-auth/CVE-2021-29435.yml

@@ -18,6 +18,8 @@ description: |
 
   The vulnerability has been fixed in trestle-auth 0.4.2 released to RubyGems.
 
+cvss_v3: 8.1
+
 patched_versions:
   - ">= 0.4.2"