rubysec · reedloden · Jun 22, 2021 · Jun 22, 2021
diff --git a/gems/VladTheEnterprising/CVE-2014-4996.yml b/gems/VladTheEnterprising/CVE-2014-4996.yml
@@ -3,7 +3,7 @@ gem: VladTheEnterprising
 cve: 2014-4996
 osvdb: 108728
 url: https://nvd.nist.gov/vuln/detail/CVE-2014-4996
-title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact 
+title: VladTheEnterprising Gem for Ruby /tmp/my.cnf.#{target_host} Symlink Multiple Impact
 date: 2014-06-30
 description: |
   VladTheEnterprising Gem for Ruby contains a flaw as the program creates

diff --git a/gems/actionmailer/CVE-2013-4389.yml b/gems/actionmailer/CVE-2013-4389.yml
@@ -13,5 +13,5 @@ description: Action Mailer Gem for Ruby contains a format string flaw in
 cvss_v2: 4.3
 unaffected_versions:
   - ~> 2.3.2
-patched_versions: 
+patched_versions:
   - '>= 3.2.15'
diff --git a/gems/actionpack/CVE-2012-1099.yml b/gems/actionpack/CVE-2012-1099.yml
@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2012-1099
@@ -10,7 +10,7 @@ title:
 date: 2012-03-01
 
 description: |
-  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) 
+  Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS)
   attack. This flaw exists because the application does not validate manually
   generated 'select tag options' upon submission to
   actionpack/lib/action_view/helpers/form_options_helper.rb. This may allow a
@@ -20,7 +20,7 @@ description: |
 
 cvss_v2: 4.3
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.12
   - ~> 3.1.4
   - ">= 3.2.2"
diff --git a/gems/actionpack/CVE-2012-3463.yml b/gems/actionpack/CVE-2012-3463.yml
@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2012-3463
@@ -20,7 +20,7 @@ cvss_v2: 4.3
 unaffected_versions:
   - ~> 2.3.0
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.17
   - ~> 3.1.8
   - ">= 3.2.8"
diff --git a/gems/actionpack/CVE-2012-3465.yml b/gems/actionpack/CVE-2012-3465.yml
@@ -1,4 +1,4 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2012-3465
@@ -17,7 +17,7 @@ description: |
 
 cvss_v2: 4.3
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.17
   - ~> 3.1.8
   - ">= 3.2.8"
diff --git a/gems/actionpack/CVE-2013-0156.yml b/gems/actionpack/CVE-2013-0156.yml
@@ -1,12 +1,12 @@
---- 
+---
 gem: actionpack
 framework: rails
 cve: 2013-0156
 osvdb: 89026
 url: https://nvd.nist.gov/vuln/detail/CVE-2013-0156
 title:
   Ruby on Rails params_parser.rb Action Pack Type Casting Parameter Parsing
-  Remote Code Execution 
+  Remote Code Execution
 date: 2013-01-08
 
 description: |
@@ -17,7 +17,7 @@ description: |
 
 cvss_v2: 10.0
 
-patched_versions: 
+patched_versions:
   - ~> 2.3.15
   - ~> 3.0.19
   - ~> 3.1.10

diff --git a/gems/actionpack/CVE-2015-7581.yml b/gems/actionpack/CVE-2015-7581.yml
@@ -8,41 +8,41 @@ url: "https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE"
 title: Object leak vulnerability for wildcard controller routes in Action Pack
 
 description: |
-  There is an object leak vulnerability for wildcard controllers in Action Pack. 
-  This vulnerability has been assigned the CVE identifier CVE-2015-7581. 
+  There is an object leak vulnerability for wildcard controllers in Action Pack.
+  This vulnerability has been assigned the CVE identifier CVE-2015-7581.
 
-  Versions Affected:  >= 4.0.0 and < 5.0.0.beta1 
-  Not affected:       < 4.0.0, 5.0.0.beta1 and newer 
-  Fixed Versions:     4.2.5.1, 4.1.14.1 
+  Versions Affected:  >= 4.0.0 and < 5.0.0.beta1
+  Not affected:       < 4.0.0, 5.0.0.beta1 and newer
+  Fixed Versions:     4.2.5.1, 4.1.14.1
 
-  Impact 
-  ------ 
-  Users that have a route that contains the string ":controller" are susceptible 
-  to objects being leaked globally which can lead to unbounded memory growth. 
-  To identify if your application is vulnerable, look for routes that contain 
-  ":controller". 
+  Impact
+  ------
+  Users that have a route that contains the string ":controller" are susceptible
+  to objects being leaked globally which can lead to unbounded memory growth.
+  To identify if your application is vulnerable, look for routes that contain
+  ":controller".
 
-  Internally, Action Pack keeps a map of "url controller name" to "controller 
-  class name".  This map is cached globally, and is populated even if the 
-  controller class doesn't actually exist. 
+  Internally, Action Pack keeps a map of "url controller name" to "controller
+  class name".  This map is cached globally, and is populated even if the
+  controller class doesn't actually exist.
 
-  All users running an affected release should either upgrade or use one of the 
-  workarounds immediately. 
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
 
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
 
-  Workarounds 
-  ----------- 
-  There are no feasible workarounds for this issue. 
+  Workarounds
+  -----------
+  There are no feasible workarounds for this issue.
 
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset. 
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series.  They are in git-am format and consist of a single changeset.
 
-  * 4-1-wildcard_route.patch - Patch for 4.1 series 
-  * 4-2-wildcard_route.patch - Patch for 4.2 series 
+  * 4-1-wildcard_route.patch - Patch for 4.1 series
+  * 4-2-wildcard_route.patch - Patch for 4.2 series
 
   Please note that only the 4.1.x and 4.2.x series are supported at present.  Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.
 

diff --git a/gems/actionpack/CVE-2016-2097.yml b/gems/actionpack/CVE-2016-2097.yml
@@ -9,17 +9,17 @@ title: Possible Information Leak Vulnerability in Action View
 
 description: |
 
-  There is a possible directory traversal and information leak vulnerability 
-  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 
-  patch was not covering all the scenarios. This vulnerability has been 
+  There is a possible directory traversal and information leak vulnerability
+  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
+  patch was not covering all the scenarios. This vulnerability has been
   assigned the CVE identifier CVE-2016-2097.
 
   Versions Affected:  3.2.x, 4.0.x, 4.1.x
   Not affected:       4.2+
   Fixed Versions:     3.2.22.2, 4.1.14.2
 
-  Impact 
-  ------ 
+  Impact
+  ------
   Applications that pass unverified user input to the `render` method in a
   controller may be vulnerable to an information leak vulnerability.
 
@@ -38,12 +38,12 @@ description: |
   All users running an affected release should either upgrade or use one of the
   workarounds immediately.
 
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
 
-  Workarounds 
-  ----------- 
+  Workarounds
+  -----------
   A workaround to this issue is to not pass arbitrary user input to the `render`
   method. Instead, verify that data before passing it to the `render` method.
 
@@ -68,17 +68,17 @@ description: |
   end
   ```
 
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches 
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches
   for it. It is in git-am format and consist of a single changeset.
 
   * 3-2-render_data_leak_2.patch - Patch for 3.2 series
   * 4-1-render_data_leak_2.patch - Patch for 4.1 series
 
-  Credits 
-  ------- 
-  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this 
+  Credits
+  -------
+  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
   and working with us in the patch!
 
 unaffected_versions:

diff --git a/gems/actionpack/CVE-2016-2098.yml b/gems/actionpack/CVE-2016-2098.yml
@@ -15,8 +15,8 @@ description: |
   Not affected:       5.0+
   Fixed Versions:     3.2.22.2, 4.1.14.2, 4.2.5.2
 
-  Impact 
-  ------ 
+  Impact
+  ------
   Applications that pass unverified user input to the `render` method in a
   controller or a view may be vulnerable to a code injection.
 
@@ -33,15 +33,15 @@ description: |
   An attacker could use the request parameters to coerce the above example
   to execute arbitrary ruby code.
 
-  All users running an affected release should either upgrade or use one of 
+  All users running an affected release should either upgrade or use one of
   the workarounds immediately.
 
-  Releases 
-  -------- 
+  Releases
+  --------
   The FIXED releases are available at the normal locations.
 
-  Workarounds 
-  ----------- 
+  Workarounds
+  -----------
   A workaround to this issue is to not pass arbitrary user input to the `render`
   method. Instead, verify that data before passing it to the `render` method.
 
@@ -66,18 +66,18 @@ description: |
   end
   ```
 
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided a 
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided a
   patch for it. It is in git-am format and consist of a single changeset.
 
   * 3-2-secure_inline_with_params.patch - Patch for 3.2 series
   * 4-1-secure_inline_with_params.patch - Patch for 4.1 series
   * 4-2-secure_inline_with_params.patch - Patch for 4.2 series
 
-  Credits 
-  ------- 
-  Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for 
+  Credits
+  -------
+  Thanks to both Tobias Kraze from makandra and joernchen of Phenoelit for
   reporting this!
 
 unaffected_versions:

diff --git a/gems/actionview/CVE-2016-2097.yml b/gems/actionview/CVE-2016-2097.yml
@@ -9,17 +9,17 @@ title: Possible Information Leak Vulnerability in Action View
 
 description: |
 
-  There is a possible directory traversal and information leak vulnerability 
-  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2 
-  patch was not covering all the scenarios. This vulnerability has been 
+  There is a possible directory traversal and information leak vulnerability
+  in Action View. This was meant to be fixed on CVE-2016-0752. However the 3.2
+  patch was not covering all the scenarios. This vulnerability has been
   assigned the CVE identifier CVE-2016-2097.
 
   Versions Affected:  3.2.x, 4.0.x, 4.1.x
   Not affected:       4.2+
   Fixed Versions:     3.2.22.2, 4.1.14.2
 
-  Impact 
-  ------ 
+  Impact
+  ------
   Applications that pass unverified user input to the `render` method in a
   controller may be vulnerable to an information leak vulnerability.
 
@@ -38,12 +38,12 @@ description: |
   All users running an affected release should either upgrade or use one of the
   workarounds immediately.
 
-  Releases 
-  -------- 
-  The FIXED releases are available at the normal locations. 
+  Releases
+  --------
+  The FIXED releases are available at the normal locations.
 
-  Workarounds 
-  ----------- 
+  Workarounds
+  -----------
   A workaround to this issue is to not pass arbitrary user input to the `render`
   method. Instead, verify that data before passing it to the `render` method.
 
@@ -68,17 +68,17 @@ description: |
   end
   ```
 
-  Patches 
-  ------- 
-  To aid users who aren't able to upgrade immediately we have provided patches 
+  Patches
+  -------
+  To aid users who aren't able to upgrade immediately we have provided patches
   for it. It is in git-am format and consist of a single changeset.
 
   * 3-2-render_data_leak_2.patch - Patch for 3.2 series
   * 4-1-render_data_leak_2.patch - Patch for 4.1 series
 
-  Credits 
-  ------- 
-  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this 
+  Credits
+  -------
+  Thanks to both Jyoti Singh and Tobias Kraze from makandra for reporting this
   and working with us in the patch!
 
 unaffected_versions:

diff --git a/gems/actionview/CVE-2019-5419.yml b/gems/actionview/CVE-2019-5419.yml
@@ -81,10 +81,10 @@ description: |
     end
   end)
   ```
-  
-  Credits 
-  ------- 
-  Thanks to John Hawthorn <[email protected]> of GitHub 
+
+  Credits
+  -------
+  Thanks to John Hawthorn <[email protected]> of GitHub
 
 
 patched_versions:

diff --git a/gems/activerecord/CVE-2012-2660.yml b/gems/activerecord/CVE-2012-2660.yml
@@ -1,4 +1,4 @@
---- 
+---
 gem: activerecord
 framework: rails
 cve: 2012-2660
@@ -18,7 +18,7 @@ description: |
 
 cvss_v2: 7.5
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.13
   - ~> 3.1.5
   - ">= 3.2.4"
diff --git a/gems/activerecord/CVE-2012-2661.yml b/gems/activerecord/CVE-2012-2661.yml
@@ -1,4 +1,4 @@
---- 
+---
 gem: activerecord
 framework: rails
 cve: 2012-2661
@@ -19,7 +19,7 @@ cvss_v2: 5.0
 unaffected_versions:
   - ~> 2.3.14
 
-patched_versions: 
+patched_versions:
   - ~> 3.0.13
   - ~> 3.1.5
   - ">= 3.2.4"
-Original file line number
+Diff line change
@@ Expand Up / @@ -81,10 +81,10 @@ description: | @@
         end
       end)
       ```
-      Credits
-      -------
-      Thanks to John Hawthorn <[email protected]> of GitHub
+      Credits
+      -------
+      Thanks to John Hawthorn <[email protected]> of GitHub
     patched_versions:
@@ Expand Down @@