Home

Awesome

Ruby Advisory Database

The Ruby Advisory Database is a community effort to compile all security advisories that are relevant to Ruby libraries.

You can check your own Gemfile.locks against this database by using bundler-audit.

Support Ruby security!

Do you know about a vulnerability that isn't listed in this database? Open an issue or submit a PR.

Directory Structure

The database is a list of directories that match the names of Ruby libraries on rubygems.org. Within each directory are one or more advisory files for the Ruby library. These advisory files are named using the advisories' CVE identifier number.

gems/:
  actionpack/:
    CVE-2014-0130.yml  CVE-2014-7818.yml  CVE-2014-7829.yml  CVE-2015-7576.yml
    CVE-2015-7581.yml  CVE-2016-0751.yml  CVE-2016-0752.yml
rubies/:
  jruby/:
    ...
  mruby/:
    ...
  ruby/:
    ...

gems/

The gems/ directory contains sub-directories that match the names of the Ruby libraries on rubygems.org. Within each directory are one or more advisory files for the Ruby library. These advisory files are named using the advisories' CVE or GHSA ID.

rubies/

The rubies/ directory contains sub-directories for each Ruby implementation. Within each directory are one or more advisory files for the Ruby implementation. These advisory files are named using the advisories' CVE or GHSA ID.

Format

Each advisory file contains the advisory information in YAML format. Here are some example advisories:

gems/actionpack/CVE-2023-22795.yml

---
gem: actionpack
cve: 2023-22795
ghsa: 8xww-x3g3-6jcv
url: https://github.com/rails/rails/releases/tag/v7.0.4.1
title: ReDoS based DoS vulnerability in Action Dispatch
date: 2023-01-18
description: |
  There is a possible regular expression based DoS vulnerability in Action
  Dispatch related to the If-None-Match header. This vulnerability has been
  assigned the CVE identifier CVE-2023-22795.

  Versions Affected: All
  Not affected: None
  Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

  # Impact

  A specially crafted HTTP If-None-Match header can cause the regular
  expression engine to enter a state of catastrophic backtracking, when on a
  version of Ruby below 3.2.0. This can cause the process to use large amounts
  of CPU and memory, leading to a possible DoS vulnerability All users running
  an affected release should either upgrade or use one of the workarounds
  immediately.

  # Workarounds

  We recommend that all users upgrade to one of the FIXED versions. In the
  meantime, users can mitigate this vulnerability by using a load balancer or
  other device to filter out malicious If-None-Match headers before they reach
  the application.

  Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
patched_versions:
  - "~> 5.2.8, >= 5.2.8.15"  # Rails LTS
  - "~> 6.1.7, >= 6.1.7.1"
  - ">= 7.0.4.1"

rubies/ruby/CVE-2022-28739.yml

---
engine: ruby
cve: 2022-28739
url: https://www.ruby-lang.org/en/news/2022/04/12/buffer-overrun-in-string-to-float-cve-2022-28739/
title: Buffer overrun in String-to-Float conversion
date: 2022-04-12
description: |
  A buffer-overrun vulnerability is discovered in a conversion algorithm from a String to a Float. This vulnerability has been assigned the CVE identifier CVE-2022-28739. We strongly recommend upgrading Ruby.

  Due to a bug in an internal function that converts a String to a Float, some convertion methods like Kernel#Float and String#to_f could cause buffer over-read. A typical consequence is a process termination due to segmentation fault, but in a limited circumstances, it may be exploitable for illegal memory read.

  Please update Ruby to 2.6.10, 2.7.6, 3.0.4, or 3.1.2.
patched_versions:
  - ~> 2.6.10
  - ~> 2.7.6
  - ~> 3.0.4
  - '>= 3.1.2'

Schema

gems

rubies

Tests

Prior to submitting a pull request, run the tests:

bundle install
bundle exec rspec

GitHub Advisory Sync

There is a script that will create initial yaml files for RubyGem advisories which are in the GitHub Security Advisory API, but are not already in this dataset. This script can be periodically run to ensure this repo has all the data that is present in the GitHub Advisory data.

The GitHub Advisory API requires a token to access it.

To run the GitHub Advisory sync to retrieve all advisories, start by executing the rake task:

GH_API_TOKEN=<your GitHub API Token> bundle exec rake sync_github_advisories

Or, to only retrieve advisories for a single gem:

GH_API_TOKEN=<your GitHub API Token> bundle exec rake sync_github_advisories[gem_name]

Credits

Please see CONTRIBUTORS.md.

This database also includes data from the Open Sourced Vulnerability Database developed by the Open Security Foundation (OSF) and its contributors.