Commit 4bb67e0

jasnowpostmodern authored and committed
GHSA SYNC: 2 brand new advisories
1 parent 71a4127 commit 4bb67e0

2 files changed

+59
-0
lines changed

gems/ruby-jwt/CVE-2025-45765.yml

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
---
2+
gem: ruby-jwt
3+
cve: 2025-45765
4+
ghsa: 6ch4-944p-wf7j
5+
url: https://github.com/advisories/GHSA-6ch4-944p-wf7j
6+
title: ruby-jwt < v3.0.0.beta1 was discovered to contain weak encryption
7+
date: 2025-08-07
8+
description: |
9+
ruby-jwt < v3.0.0.beta1 was discovered to contain weak encryption.
10+
11+
NOTE: the Supplier's perspective is "keysize is not something
12+
that is enforced by this library. Currently more recent versions
13+
of OpenSSL are enforcing some key sizes and those restrictions
14+
apply to the users of this gem also."
15+
16+
## BACKGROUND
17+
18+
We found that the HMAC and RSA key lengths used in your JSON Web
19+
Signature (JWS) implementation do not meet recommended security
20+
standards (RFC 75180NIST SP800-1170RFC 2437).
21+
22+
According to CWE-326 (Inadequate Encryption Strength), using keys
23+
that are too short can lead to serious vulnerabilities and
24+
potential attacks.
25+
cvss_v3: 9.1
26+
patched_versions:
27+
- ">= 3.0.0.beta1"
28+
related:
29+
url:
30+
- https://nvd.nist.gov/vuln/detail/CVE-2025-45765
31+
- https://github.com/advisories/GHSA-6ch4-944p-wf7j
32+
- https://github.com/jwt/ruby-jwt/issues/668
33+
- https://gist.github.com/ZupeiNie/c621253068ce5b64911629534879e8f9
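Review bot: the BACKGROUND paragraph of the description cites its standards as "RFC 75180NIST SP800-1170RFC 2437", which has lost the separators between the three references (and possibly digits with them), so none of the identifiers can be looked up reliably as written; restore the list from the linked issue or gist before merging. Two smaller points: the first sentence of the description repeats the title verbatim and could give way to the supplier's note, and cvss_v3: 9.1 sits directly under a supplier statement that "keysize is not something that is enforced by this library", so a line making clear that the score is the reporter's assessment and is disputed by the maintainer would help anyone triaging this entry.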

gems/spree/CVE-2011-10019.yml

Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
---
2+
gem: spree
3+
cve: 2011-10019
4+
ghsa: 97vm-c39p-jr86
5+
url: https://github.com/advisories/GHSA-97vm-c39p-jr86
6+
title: Remote Command Execution in Spree search functionality
7+
date: 2011-02-10
8+
description: |
9+
Spree versions prior to 0.60.2 contain a remote command execution
10+
vulnerability in the search functionality. The application fails to
11+
properly sanitize input passed via the `search[:send][]` parameter,
12+
which is dynamically invoked using Ruby’s `send` method. This allows
13+
attackers to execute arbitrary shell commands on the server without
14+
authentication.
15+
cvss_v2: 9.0
16+
patched_versions:
17+
- ">= 0.60.2"
18+
related:
19+
url:
20+
- https://nvd.nist.gov/vuln/detail/CVE-2011-10019
21+
- https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/spree_search_exec.rb
22+
- https://web.archive.org/web/20111009192436/http://spreecommerce.com/blog/2011/10/05/remote-command-product-group
23+
- https://www.exploit-db.com/exploits/17941
24+
- https://www.vulncheck.com/advisories/spreecommerce-search-parameter-rce
25+
- https://github.com/orgs/spree/spree
26+
- https://github.com/advisories/GHSA-97vm-c39p-jr86
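Review bot: the date: 2011-02-10 field does not agree with the related URLs, which point at a disclosure blog post at spreecommerce.com/blog/2011/10/05/remote-command-product-group archived on 2011-10-09; check whether the month and day were transposed and correct the date to match the disclosure. Two further points on the same hunk: the related url entry https://github.com/orgs/spree/spree is an unusual path for a repository link and should probably be https://github.com/spree/spree; and the description names the parameter in Ruby hash syntax, `search[:send][]`, while the HTTP parameter an attacker sends is `search[send][]`, and it jumps from "dynamically invoked using Ruby's `send` method" straight to "arbitrary shell commands" without saying which reachable method provides the shell access, so a sentence naming that method (the linked Metasploit module shows it) would make the entry more useful.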
