{"id":13395044,"url":"https://github.com/rubysec/ruby-advisory-db","last_synced_at":"2025-05-14T14:07:27.938Z","repository":{"id":6904353,"uuid":"8154497","full_name":"rubysec/ruby-advisory-db","owner":"rubysec","description":"A database of vulnerable Ruby Gems","archived":false,"fork":false,"pushed_at":"2025-05-09T03:37:31.000Z","size":2007,"stargazers_count":1029,"open_issues_count":25,"forks_count":220,"subscribers_count":90,"default_branch":"master","last_synced_at":"2025-05-09T04:27:38.224Z","etag":null,"topics":["advisory-files","hacktoberfest","metadata","rubysec","security-advisories","yaml"],"latest_commit_sha":null,"homepage":"https://rubysec.com","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rubysec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE.txt","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":["reedloden","postmodern"]}},"created_at":"2013-02-12T07:10:30.000Z","updated_at":"2025-05-09T03:37:36.000Z","dependencies_parsed_at":"2023-11-23T11:28:00.299Z","dependency_job_id":"4ec06f21-df56-49f6-b2b3-953a05a52f77","html_url":"https://github.com/rubysec/ruby-advisory-db","commit_stats":{"total_commits":1211,"total_committers":175,"mean_commits":6.92,"dds":0.8307184145334434,"last_synced_commit":"5e77a68ffb3efbe1f4de93cf3ee2c7b74521cc62"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Fruby-advisory-db","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Frub
y-advisory-db/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Fruby-advisory-db/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rubysec%2Fruby-advisory-db/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rubysec","download_url":"https://codeload.github.com/rubysec/ruby-advisory-db/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254159194,"owners_count":22024558,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["advisory-files","hacktoberfest","metadata","rubysec","security-advisories","yaml"],"created_at":"2024-07-30T17:01:40.257Z","updated_at":"2025-05-14T14:07:27.894Z","avatar_url":"https://github.com/rubysec.png","language":"Ruby","funding_links":["https://github.com/sponsors/reedloden","https://github.com/sponsors/postmodern"],"categories":["Ruby","\u003ca id=\"761a373e2ec1c58c9cd205cd7a03e8a8\"\u003e\u003c/a\u003e靶机\u0026\u0026漏洞环境\u0026\u0026漏洞App","Vulnerabilities and Security Advisories","Gems"],"sub_categories":["\u003ca id=\"3e751670de79d2649ba62b177bd3e4ef\"\u003e\u003c/a\u003e未分类-VulnerableMachine","Static Code Analysis"],"readme":"# Ruby Advisory Database\n\nThe Ruby Advisory Database is a community effort to compile all security\nadvisories that are relevant to Ruby libraries.\n\nYou can check your own Gemfile.locks against this database by using\n[bundler-audit].\n\n## Support Ruby Security!\n\nDo you know about a vulnerability that isn't listed in this database? 
Open an\nissue or submit a PR.\n\n## Directory Structure\n\nThe database is a list of directories that match the names of Ruby libraries on\n[rubygems.org]. Within each directory are one or more advisory files\nfor the Ruby library. These advisory files are named using\nthe advisories' [CVE] identifier number.\n\n```\ngems/:\n  actionpack/:\n    CVE-2014-0130.yml  CVE-2014-7818.yml  CVE-2014-7829.yml  CVE-2015-7576.yml\n    CVE-2015-7581.yml  CVE-2016-0751.yml  CVE-2016-0752.yml\nrubies/:\n  jruby/:\n    ...\n  mruby/:\n    ...\n  ruby/:\n    ...\n```\n\n### `gems/`\n\nThe `gems/` directory contains sub-directories that match the names of the Ruby\nlibraries on [rubygems.org]. Within each directory are one or more advisory\nfiles for the Ruby library. These advisory files are named using the\nadvisories' [CVE] or [GHSA] ID.\n\n### `rubies/`\n\nThe `rubies/` directory contains sub-directories for each Ruby implementation.\nWithin each directory are one or more advisory files for the Ruby\nimplementation. These advisory files are named using the advisories' [CVE]\nor [GHSA] ID.\n\n## Examples\n\nEach advisory file contains the advisory information in [YAML] format.\nHere are some example advisories:\n\n### `gems/actionpack/CVE-2023-22795.yml`\n\n```yaml\n---\ngem: actionpack\ncve: 2023-22795\nghsa: 8xww-x3g3-6jcv\nurl: https://github.com/rails/rails/releases/tag/v7.0.4.1\ntitle: ReDoS based DoS vulnerability in Action Dispatch\ndate: 2023-01-18\ndescription: |\n  There is a possible regular expression based DoS vulnerability in Action\n  Dispatch related to the If-None-Match header. This vulnerability has been\n  assigned the CVE identifier CVE-2023-22795.\n\n  Versions Affected: All\n  Not affected: None\n  Fixed Versions: 6.1.7.1, 7.0.4.1\n\n  # Impact\n\n  A specially crafted HTTP If-None-Match header can cause the regular\n  expression engine to enter a state of catastrophic backtracking, when on a\n  version of Ruby below 3.2.0. 
This can cause the process to use large amounts\n  of CPU and memory, leading to a possible DoS vulnerability. All users running\n  an affected release should either upgrade or use one of the workarounds\n  immediately.\n\n  # Workarounds\n\n  We recommend that all users upgrade to one of the FIXED versions. In the\n  meantime, users can mitigate this vulnerability by using a load balancer or\n  other device to filter out malicious If-None-Match headers before they reach\n  the application.\n\n  Users on Ruby 3.2.0 or greater are not affected by this vulnerability.\npatched_versions:\n  - \"~\u003e 5.2.8\"\n  - \"~\u003e 6.1.7, \u003e= 6.1.7.1\"\n  - \"\u003e= 7.0.4.1\"\n```\n\n### `rubies/ruby/CVE-2022-28739.yml`\n\n```yaml\n---\nengine: ruby\ncve: 2022-28739\nurl: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/\ntitle: Buffer overrun in String-to-Float conversion\ndate: 2022-04-12\ndescription: |\n  A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This vulnerability has been assigned the CVE identifier CVE-2022-28739. We strongly recommend upgrading Ruby.\n\n  Due to a bug in an internal function that converts a String to a Float, some conversion methods like Kernel#Float and String#to_f could cause buffer over-read. 
A typical consequence is a process termination due to segmentation fault, but in limited circumstances, it may be exploitable for illegal memory read.\n\n  Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.\npatched_versions:\n  - ~\u003e 2.6.10\n  - ~\u003e 2.7.6\n  - ~\u003e 3.0.4\n  - '\u003e= 3.1.2'\n```\n\n## YAML Schema\n\n### `gems`\n\n* `gem` \\[String\\] (required): Name of the affected gem.\n* `library` \\[String\\] (optional): Name of the Ruby library which the affected gem belongs to.\n* `framework` \\[String\\] (optional): Name of the framework which the affected gem belongs to.\n* `platform` \\[String\\] (optional): If this vulnerability is platform-specific, name of the platform this vulnerability affects (e.g. jruby).\n* `cve` \\[String\\] (optional): Common Vulnerabilities and Exposures (CVE) ID.\n* `osvdb` \\[Integer\\] (optional): Open Sourced Vulnerability Database (OSVDB) ID.\n* `ghsa` \\[String\\] (optional): GitHub Security Advisory (GHSA) ID.\n* `url` \\[String\\] (required): The URL to the full advisory.\n* `title` \\[String\\] (required): The title of the advisory or individual vulnerability. It must be a single-line sentence.\n* `date` \\[Date\\] (required): The public disclosure date of the advisory.\n* `description` \\[String\\] (required): One or more paragraphs describing the vulnerability. 
It may contain multiple paragraphs.\n* `cvss_v2` \\[Float\\] (optional): The [CVSSv2] score for the vulnerability.\n* `cvss_v3` \\[Float\\] (optional): The [CVSSv3] score for the vulnerability.\n* `cvss_v4` \\[Float\\] (optional): The [CVSSv4] score for the vulnerability.\n* `unaffected_versions` \\[Array\\\u003cString\\\u003e\\] (optional): The version requirements for the\n  unaffected versions of the Ruby library.\n* `patched_versions` \\[Array\\\u003cString\\\u003e\\] (optional): The version requirements for the\n  patched versions of the Ruby library.\n* `related` \\[Hash\\\u003cArray\\\u003cString\\\u003e\\\u003e\\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url`\n* `notes` \\[String\\] (optional): Internal notes regarding the vulnerability's inclusion in this database.\n\n### `rubies`\n\n* `engine` \\[`ruby` | `mruby` | `jruby` | `truffleruby`\\] (required): Name of the affected Ruby implementation.\n* `platform` \\[String\\] (optional): If this vulnerability is platform-specific, name of platform this vulnerability affects (e.g. jruby)\n* `cve` \\[String\\] (optional): Common Vulnerabilities and Exposures (CVE) ID.\n* `osvdb` \\[Integer\\] (optional): Open Sourced Vulnerability Database (OSVDB) ID.\n* `ghsa` \\[String\\] (optional): GitHub Security Advisory (GHSA) ID.\n* `url` \\[String\\] (required): The URL to the full advisory.\n* `title` \\[String\\] (required): The title of the advisory or individual vulnerability. It must be a single line sentence.\n* `date` \\[Date\\] (required): The public disclosure date of the advisory.\n* `description` \\[String\\] (required): One or more paragraphs describing the vulnerability. 
It may contain multiple paragraphs.\n* `cvss_v2` \\[Float\\] (optional): The [CVSSv2] score for the vulnerability.\n* `cvss_v3` \\[Float\\] (optional): The [CVSSv3] score for the vulnerability.\n* `cvss_v4` \\[Float\\] (optional): The [CVSSv4] score for the vulnerability.\n* `unaffected_versions` \\[Array\\\u003cString\\\u003e\\] (optional): The version requirements for the\n  unaffected versions of the Ruby implementation.\n* `patched_versions` \\[Array\\\u003cString\\\u003e\\] (optional): The version requirements for the\n  patched versions of the Ruby implementation.\n* `related` \\[Hash\\\u003cArray\\\u003cString\\\u003e\\\u003e\\] (optional): Sometimes an advisory references many urls and other identifiers. Supported keys: `cve`, `ghsa`, `osvdb`, and `url`\n* `notes` \\[String\\] (optional): Internal notes regarding the vulnerability's inclusion in this database.\n\n## Tests\n\nPrior to submitting a pull request, run the tests:\n\n```shell\nbundle install\nbundle exec rspec\n```\n\n## GitHub Advisory Sync\n\nThere is a script that will create initial YAML files for RubyGem advisories\nwhich are in the [GitHub Security Advisory API], but are not already in this\ndataset. 
This script can be periodically run to ensure this repo has all the\ndata that is present in the GitHub Advisory data.\n\nThe GitHub Advisory API requires a token to access it.\n\n* It can be a completely scope-less token (recommended); it does not require any\n  permissions at all.\n* Get yours at: https://github.com/settings/tokens\n\nTo run the GitHub Advisory sync to retrieve all advisories, start by executing\nthe rake task:\n\n```shell\nGH_API_TOKEN=\"your GitHub API Token\" bundle exec rake sync_github_advisories\n```\n\nOr, to only retrieve advisories for a single gem:\n\n```shell\nGH_API_TOKEN=\"your GitHub API Token\" bundle exec rake sync_github_advisories[gem_name]\n```\n\n* The rake task will write YAML files for any missing advisories.\n* Those files must be further edited.\n  * Fill in the `cvss_v3` field by following the CVE link and getting it from the page.\n  * Fill in the `cvss_v4` field by following the CVE link and getting it from the page.\n  * Fill in the `patched_versions` field, using the comments at the bottom of the\n    YAML file.\n  * Optionally fill in `unaffected_versions`.\n  * Delete the GitHub data at the bottom of the YAML file.\n  * Double check all the data, commit it, and make a PR.\n\n## Rails LTS\n\nThe maintainers of [Rails LTS] have [asked us not to track the Rails LTS versions][PR-847].\nIf you are using [Rails LTS] and [bundler-audit], it is advised that you\nadd the [List of CVEs addressed by Rails LTS] to your `.bundler-audit.yml` file\nunder `ignore:`.\n\n[Rails LTS]: https://railslts.com/\n[List of CVEs addressed by Rails LTS]: https://makandracards.com/railslts/474590-list-cves-addressed-rails-lts\n[PR-847]: https://github.com/rubysec/ruby-advisory-db/pull/847\n\n## Credits\n\nPlease see [CONTRIBUTORS.md].\n\nThis database also includes data from the [Open Sourced Vulnerability Database][OSVDB]\ndeveloped by the Open Security Foundation (OSF) and its contributors.\n\n[rubygems.org]: https://rubygems.org/\n[bundler-audit]: 
https://github.com/rubysec/bundler-audit\n[CVE]: https://cve.mitre.org/\n[OSVDB]: https://en.wikipedia.org/wiki/Open_Source_Vulnerability_Database\n[GHSA]: https://help.github.com/en/articles/about-maintainer-security-advisories\n[GitHub Security Advisory API]: https://developer.github.com/v4/object/securityadvisory/\n[CVSSv2]: https://www.first.org/cvss/v2/guide\n[CVSSv3]: https://www.first.org/cvss/v3.1/user-guide\n[CVSSv4]: https://www.first.org/cvss/v4.0/user-guide\n[YAML]: http://www.yaml.org/\n[CONTRIBUTORS.md]: https://github.com/rubysec/ruby-advisory-db/blob/master/CONTRIBUTORS.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frubysec%2Fruby-advisory-db","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frubysec%2Fruby-advisory-db","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frubysec%2Fruby-advisory-db/lists"}