Add OSVDB 103438, 103439, and 103440

40cb879b · Steve Wills · e9dc46a3 · 40cb879b · 40cb879b · 40cb879b
Commit 40cb879b authored Feb 21, 2014 by Steve Wills
--- a/gems/actionpack/OSVDB-103439.yml
+++ b/gems/actionpack/OSVDB-103439.yml
+--- 
+gem: actionpack
+framework: rails
+cve: 2014-0081
+osvdb: 103439
+url: http://osvdb.org/show/osvdb/103439
+title:
+  Ruby on Rails actionpack/lib/action_view/helpers/number_helper.rb Multiple
+  Helpers XSS 
+
+date: 2014-02-18
+
+description: | 
+  Ruby on Rails contains a flaw that allows a cross-site scripting (XSS)
+  attack. This flaw exists because the
+  actionpack/lib/action_view/helpers/number_helper.rb script does not validate
+  input to the 'number_to_currency', 'number_to_percentage', and
+  'number_to_human' helpers before returning it to users. This may allow a
+  remote attacker to create a specially crafted request that would execute
+  arbitrary script code in a user's browser session within the trust
+  relationship between their browser and the server.
+
+cvss_v2: 4.3
+
+unaffected_versions:
+
+patched_versions: 
+  - ">= 3.2.17"
+  - ">= 4.0.3"
+  - ">= 4.1.0.beta2"
--- a/gems/actionpack/OSVDB-103440.yml
+++ b/gems/actionpack/OSVDB-103440.yml
+--- 
+gem: actionpack
+framework: rails
+cve: 2014-0082
+osvdb: 103440
+url: http://osvdb.org/show/osvdb/103440
+title:
+  Ruby on Rails actionpack/lib/action_view/template/text.rb Action View Text
+  Rendering Component MIME Type Handling Remote DoS
+
+date: 2014-02-18
+
+description: | 
+  Ruby on Rails contains a flaw in actionpack/lib/action_view/template/text.rb
+  in the text rendering component of Action View that is triggered when
+  handling MIME types that are converted to symbols. This may allow a remote
+  attacker to cause a denial of service.
+
+cvss_v2: 5.0
+
+unaffected_versions:
+  - ">= 4.0.0"
+
+patched_versions: 
+  - ">= 3.2.17"
--- a/gems/activerecord/OSVDB-103438.yml
+++ b/gems/activerecord/OSVDB-103438.yml
+--- 
+gem: activerecord
+framework: rails
+cve: 2014-0080
+osvdb: 103438
+url: http://osvdb.org/show/osvdb/103438
+title:
+  Ruby on Rails Active Record connection_adapters/postgresql/cast.rb
+  PostgreSQL Array Type Columns Data Injection 
+
+date: 2014-02-18
+
+description: | 
+  Ruby on Rails contains a flaw in
+  connection_adapters/postgresql/cast.rb in Active Record. This issue
+  may allow a remote attacker to inject data into PostgreSQL array
+  columns via a specially crafted string.
+
+cvss_v2: 6.8
+
+unaffected_versions:
+  - "<= 3.2.17"
+
+patched_versions: 
+  - ">= 4.0.3"
+  - ">= 4.1.0.beta2"