New release

bulletin/CVE_2013_2513.yml

@@ -0,0 +1,19 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: CVE-2013-2513
+cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+cve: CVE-2013-2513
+name: CVE-2013-2513
+owasp: A9
+release_date: 12/12/2023
+
+kind: :unsafe_dependency_check
+message: |-
+ The flash_tool gem through 0.6.0 for Ruby allows command execution via shell metacharacters in the name of a downloaded file.
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'flash_tool'
+  :versionEndIncluding: 0.6.0

bulletin/CVE_2015_2179.yml

@@ -0,0 +1,20 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: CVE-2015-2179
+cvss: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
+cve: CVE-2015-2179
+name: CVE-2015-2179
+owasp: A9
+release_date: 12/12/2023
+
+kind: :unsafe_dependency_check
+message: |-
+ The xaviershay-dm-rails gem 0.10.3.8 for Ruby allows local users to discover MySQL credentials by listing a process and its arguments.
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'xaviershay-dm-rails'
+  :version:
+  - 0.10.3.8

bulletin/CVE_2015_8314.yml

@@ -0,0 +1,19 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: CVE-2015-8314
+cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
+cve: CVE-2015-8314
+name: CVE-2015-8314
+owasp: A9
+release_date: 12/12/2023
+
+kind: :unsafe_dependency_check
+message: |-
+ The Devise gem before 3.5.4 for Ruby mishandles Remember Me cookies for sessions, which may allow an adversary to obtain unauthorized persistent application access.
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'devise'
+  :versionEndExcluding: 3.5.4

bulletin/CVE_2023_49090.yml

@@ -0,0 +1,20 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: CVE-2023-49090
+cvss: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+cve: CVE-2023-49090
+name: CVE-2023-49090
+owasp: A9
+release_date: 29/11/2023
+
+kind: :unsafe_dependency_check
+message: |-
+ CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'carrierwave'
+  :versionEndExcluding: 2.2.5
+  :versionEndExcluding: 3.0.5

bulletin/CVE_2023_5349.yml

@@ -0,0 +1,19 @@
+--- !ruby/object:Dawn::Kb::UnsafeDependencyCheck
+applies:
+- rails
+- sinatra
+- padrino
+title: CVE-2023-5349
+cvss: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
+cve: CVE-2023-5349
+name: CVE-2023-5349
+owasp: A9
+release_date: 30/10/2023
+
+kind: :unsafe_dependency_check
+message: |-
+ A memory leak flaw was found in ruby-magick, an interface between Ruby and ImageMagick. This issue can lead to a denial of service (DOS) by memory exhaustion.
+check_family: :bulletin
+vulnerable_version_array:
+- :name: 'rmagick'
+  :versionEndExcluding: 5.3.0

kb.yaml

@@ -1,6 +1,6 @@
 ---
 :kb:
-        :version: '20231026'
+        :version: '20240116'
         :revision: '0'
         :api: 2.2.0
-        :checks: 539
+        :checks: 545

kb.yaml.sig

@@ -1 +1 @@
-e6afe9b9806095a080621a8aed5e6621550dea469afdda8a50af684338aa5d87  kb.yaml
+fefcdf5d4fac2dc6c942425aa928c49a59f92ca2098473478ee4b8484c33aefa  kb.yaml