Skip to content

GHSA SYNC: 1 brand new advisory#930

Closed
sudoremo wants to merge 1 commit intorubysec:masterfrom
sudoremo:add-10-ghsa-advisories
Closed

GHSA SYNC: 1 brand new advisory#930
sudoremo wants to merge 1 commit intorubysec:masterfrom
sudoremo:add-10-ghsa-advisories

Conversation

@sudoremo
Copy link
Copy Markdown
Contributor

@sudoremo sudoremo commented Dec 9, 2025
edited
Loading

Summary

Add 1 brand new security advisory from GitHub Advisory Database.

Advisory Added

  • Autolab/CVE-2024-49376 - Autolab Misconfigured Reset Password Permissions (CVSS: 8.8)

Changes Made

  • Verified and confirmed 'patched_versions' and 'unaffected_versions'
  • Filled in 'cvss_v3' score (8.8)
  • Removed GitHub advisory data as per sync manual
  • Properly formatted 'related' URLs section
  • All rspec tests passing

Review Feedback Addressed

  • Removed all 9 duplicate advisories identified in review
  • Confirmed ruby-saml CVE-2025-66567 and CVE-2025-66568 already exist in upstream (added 2024-12-12)
  • Only including genuinely new advisory for Autolab gem

postmodern
postmodern requested changes Dec 12, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@postmodern postmodern left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This contains duplicate advisories that ruby-advisory-db already has:

  • gems/nokogiri/GHSA-fq42-c5rg-92c2.yml -> gems/nokogiri/CVE-2021-30560.yml
  • gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml -> gems/nokogiri/CVE-2022-24839.yml
  • gems/nokogiri/GHSA-v6gp-9mmm-c6p5.yml -> gems/nokogiri/CVE-2018-25032.yml
  • gems/nokogiri/GHSA-xxx9-3xcr-gjj3.yml -> gems/nokogiri/CVE-2022-23437.yml
  • gems/omniauth-saml/GHSA-cvp8-5r8g-fhvq.yml -> gems/omniauth-saml/CVE-2024-45409.yml
  • gems/rails/CVE-2024-26143.yml -> gems/actionpack/CVE-2024-26143.yml
  • gems/user_agent_parser/GHSA-pcqq-5962-hvcw.yml -> gems/user_agent_parser/CVE-2020-5243.yml

Please remove the duplicate advisories.

@sudoremo sudoremo force-pushed the add-10-ghsa-advisories branch from 9341a73 to 0054ee3 Compare December 14, 2025 15:42
@sudoremo sudoremo changed the title GHSA SYNC: 10 brand new advisories GHSA SYNC: 3 brand new advisories Dec 14, 2025
@sudoremo sudoremo closed this Dec 14, 2025
@sudoremo sudoremo force-pushed the add-10-ghsa-advisories branch from 0054ee3 to e7530e9 Compare December 14, 2025 15:44
@sudoremo sudoremo changed the title GHSA SYNC: 3 brand new advisories GHSA SYNC: 1 brand new advisory Dec 14, 2025
@sudoremo sudoremo reopened this Dec 14, 2025
@jasnow
Copy link
Copy Markdown
Contributor

jasnow commented Dec 14, 2025

Make sure that any advisories that you report are on rubygems.org.
We found this advisory on 10/24/2024.

@sudoremo
Copy link
Copy Markdown
Contributor Author

sudoremo commented Dec 14, 2025

Sorry for the mess - my original intent was just to add the new ruby-saml vulnerabilities, which has been done in the meantime. So I'm closing now. Thanks.

@sudoremo sudoremo closed this Dec 14, 2025
@jasnow
Copy link
Copy Markdown
Contributor

jasnow commented Dec 14, 2025

We always welcome contributions.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@postmodern postmodern postmodern requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@sudoremo @jasnow @postmodern