Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions gems/activeadmin/CVE-2023-51763.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,5 @@ related:
- https://github.com/activeadmin/activeadmin/releases/tag/v3.2.0
- https://github.com/activeadmin/activeadmin/pull/8161
- https://github.com/activeadmin/activeadmin/commit/697be2b183491beadc8f0b7d8b5bfb44f2387909
- https://github.com/activeadmin/activeadmin/security/advisories/GHSA-xhvv-3jww-c487
- https://github.com/advisories/GHSA-rqxc-9p8h-xqgq
40 changes: 40 additions & 0 deletions gems/mpxj/CVE-2026-61570.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
gem: mpxj
cve: 2026-61570
ghsa: 5vvx-3h34-f3gj
url: https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-61570
title: XXE Vulnerability in MerlinReader
date: 2026-06-22
description: |
## Impact

MPXJ used the default configuration when creating a DocumentBuilder
instance, which leaves doctype declarations enabled, when parsing
the XML content of the ZTIMEINTERVALS column from a Merlin project
SQLite file. This would allow a carefully crafted XML payload to
read an arbitrary file. However, although an arbitrary file can be
read, the way the resulting parsed XML is processed by MPXJ means
that the data it contains is unlikely to be available for exfiltration.

## Workarounds

Potential workarounds include:
* Avoid reading Merlin project files with MPXJ
* Only accept Merlin project files from trusted sources
* Preprocess Merlin SQLite databases to strip doctype declarations
from the ZTIMEINTERVALS column
cvss_v3: 7.5
unaffected_versions:
- "< 5.5.5"
patched_versions:
- ">= 16.4.1"
related:
url:
- https://www.cve.org/CVERecord/SearchResults?query=CVE-2026-61570
- https://rubygems.org/gems/mpxj/versions/16.4.1
- https://github.com/joniles/mpxj/releases/tag/v16.4.1
- https://github.com/joniles/mpxj/security/advisories/GHSA-5vvx-3h34-f3gj
notes: |
- CVE is reserved, but not published.
- cvss_v3 value from GHSA.
- data from gem release date.
29 changes: 29 additions & 0 deletions gems/mpxj/GHSA-7952-gx68-cjqr.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---
gem: mpxj
ghsa: 7952-gx68-cjqr
url: https://github.com/joniles/mpxj/security/advisories/GHSA-7952-gx68-cjqr
title: Potential Path Traversal Vulnerability in Primavera P3 PRX and
SureTrak STX readers
date: 2026-07-03
description: |
## Impact

When reading a suitably crafted PRX or STX file, MPXJ can be made
to write files to arbitrary locations in the file system.

## Workarounds

Do not read PRX or STX files from untrusted sources.
cvss_v3: 5.3
unaffected_versions:
- "< 7.3.0"
patched_versions:
- ">= 16.5.0"
related:
url:
- https://rubygems.org/gems/mpxj/versions/16.5.0
- https://github.com/joniles/mpxj/releases/tag/v16.5.0
- https://github.com/joniles/mpxj/security/advisories/GHSA-7952-gx68-cjqr
notes: |
- No CVE.
- cvss_v3 value from GHSA
28 changes: 28 additions & 0 deletions gems/omniauth-saml/GHSA-cgp2-2cmh-pf7x.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
---
gem: omniauth-saml
ghsa: cgp2-2cmh-pf7x
url: https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cgp2-2cmh-pf7x
title: Bad documentation for idp_cert_fingerprint_validator
date: 2025-05-27
description: |
Documentation:
https://github.com/omniauth/omniauth-saml#:~:text=%2C%0A%20%20%3Aidp_cert_fingerprint%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%3E%20%22E7%3A91%3AB2%3AE1%3A...%22%2C-,%3Aidp_cert_fingerprint_validator%20%20%20%20%20%3D%3E%20lambda%20%7B%20%7Cfingerprint%7C%20fingerprint%20%7D%2C,-%3Aname_identifier_format%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%3E%20%22urn%3Aoasis%3Anames%3Atc%3ASAML%3A1.1%3Anameid%2Dformat

Has the line:
:idp_cert_fingerprint_validator => lambda { |fingerprint| fingerprint },

This proc returns true for any fingerprint, allowing any certificate
to be trusted.

Update documentation to encourage secure defaults.
patched_versions:
- ">= 2.2.4"
related:
url:
- https://rubygems.org/gems/omniauth-saml/versions/2.2.4
- https://github.com/omniauth/omniauth-saml/releases/tag/v2.2.4
- https://github.com/omniauth/omniauth-saml/security/advisories/GHSA-cgp2-2cmh-pf7x
notes: |
- No CVE.
- GHSA has "low" severity.
- date from GHSA
3 changes: 3 additions & 0 deletions gems/rubygems-update/CVE-2013-4287.yml
Original file line number Diff line number Diff line change
Expand Up @@ -19,3 +19,6 @@ patched_versions:
- "~> 1.8.26"
- "~> 2.0.8"
- ">= 2.1.0"
related:
url:
- https://guides.rubygems.org/cve
3 changes: 3 additions & 0 deletions gems/rubygems-update/CVE-2013-4363.yml
Original file line number Diff line number Diff line change
Expand Up @@ -22,3 +22,6 @@ patched_versions:
- "~> 1.8.27"
- "~> 2.0.10"
- ">= 2.1.5"
related:
url:
- https://guides.rubygems.org/cve
3 changes: 3 additions & 0 deletions gems/rubygems-update/CVE-2015-3900.yml
Original file line number Diff line number Diff line change
Expand Up @@ -20,3 +20,6 @@ patched_versions:
- "~> 2.0.16"
- "~> 2.2.4"
- ">= 2.4.7"
related:
url:
- https://guides.rubygems.org/cve
3 changes: 3 additions & 0 deletions gems/rubygems-update/CVE-2015-4020.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,6 @@ patched_versions:
- "~> 2.0.17"
- "~> 2.2.5"
- ">= 2.4.8"
related:
url:
- https://guides.rubygems.org/cve
13 changes: 13 additions & 0 deletions lib/rad-ignores.sh
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,19 @@ rm -rf gems/commonmarker/GHSA-7vh7-fw88-wj87.yml
rm -f gems/webrick/CVE-2024-47220.yml
rm -f gems/webrick/CVE-2026-38969.yml

# https://github.com/Shopify/ruby-lsp/security/advisories/GHSA-2x7g-8mp4-572w
# is a Shopify.ruby-lsp (VS Code Extension), not a Ruby gem.

# https://github.com/ckeditor/ckeditor4/security/advisories/GHSA-vh5c-xwqv-cv9g
# is not a Ruby gem, it is a WYSIWYG editor.

# https://github.com/ua-parser/uap-core/security/advisories/GHSA-p4pj-mg4r-x6v4
# is not a Ruby gem, it is a npm (javascript) package.

# https://github.com/github/cmark-gfm/security/advisories/GHSA-7gc6-9qr5-hc85
# https://github.com/github/cmark-gfm/security/advisories/GHSA-cgh3-p57x-9q7q
# are not a Ruby gems, no Ruby code.

exit

# AL>> QUESTION (ruby or jruby)?
Expand Down