From e58647a1b3a2f0e9229bd63a78fac9df9904c5e7 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Wed, 16 Jul 2025 09:21:56 -0400
Subject: [PATCH] GHSA SYNC: Updated 2 fields in 1 existing advisory + 1 brand new advisory

---
 gems/measured/GHSA-29g5-m8v7-v564.yml | 25 +++++++++++++++++++++++++
 gems/resolv/CVE-2025-24294.yml | 2 ++
 2 files changed, 27 insertions(+)
 create mode 100644 gems/measured/GHSA-29g5-m8v7-v564.yml

diff --git a/gems/measured/GHSA-29g5-m8v7-v564.yml b/gems/measured/GHSA-29g5-m8v7-v564.yml
new file mode 100644
index 0000000000..ad7327aed1
--- /dev/null
+++ b/gems/measured/GHSA-29g5-m8v7-v564.yml
@@ -0,0 +1,25 @@
+---
+gem: measured
+ghsa: 29g5-m8v7-v564
+url: https://github.com/Shopify/measured/security/advisories/GHSA-29g5-m8v7-v564
+title: Measured is vulnerable to Path Traversal attacks during
+ class initialization
+date: 2025-07-15
+description: |
+ ### Impact
+
+ A path traversal vulnerability exists where an attacker
+ with access to manipulate inputs when initializing the
+ `Measured::Cache::Json class` would be able to instruct
+ the library to read arbitrary files.
+
+ ### Patches
+
+ Users should update to the latest version.
+patched_versions:
+ - ">= 3.2.1"
+related:
+ url:
+ - https://github.com/Shopify/measured/security/advisories/GHSA-29g5-m8v7-v564
+ - https://github.com/Shopify/measured/commit/d6319985a2304d97c085e3dc45c98af554f4be76
+ - https://github.com/advisories/GHSA-29g5-m8v7-v564
diff --git a/gems/resolv/CVE-2025-24294.yml b/gems/resolv/CVE-2025-24294.yml
index 18750e8835..b3e72a7b41 100644
--- a/gems/resolv/CVE-2025-24294.yml
+++ b/gems/resolv/CVE-2025-24294.yml
@@ -1,6 +1,7 @@
 ---
 gem: resolv
 cve: 2025-24294
+ghsa: xh69-987w-hrp8
 url: https://www.ruby-lang.org/en/news/2025/07/08/dos-resolv-cve-2025-24294
 title: Possible Denial of Service in resolv gem
 date: 2025-07-09
@@ -35,6 +36,7 @@ description: |
 ## History
 
 Originally published at 2025-07-08 07:00:00 (UTC)
+cvss_v3: 5.3
 patched_versions:
 - "~> 0.2.2"
 - "~> 0.3.0"
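Review bot: The new measured advisory carries no `cvss_v3` field, while the resolv entry in this same commit gains `cvss_v3: 5.3`, so consumers that filter or rank by score will treat this path-traversal advisory as unscored; if the upstream GHSA publishes a score, add `cvss_v3: <SCORE_FROM_GHSA>` next to `patched_versions`. In the description the code span is misplaced, `Measured::Cache::Json class` puts the word "class" inside the backticks, so the rendered text should be the span `Measured::Cache::Json` followed by the plain word class. The `title:` value is a two-line plain scalar that the parser folds into one line, which works but is easy to misread; `title: >-` with the text indented beneath it makes the folding explicit. `related.url` also repeats the primary `url` verbatim, which is presumably harmless but redundant.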