Updated advisory posts against rubysec/ruby-advisory-db@6847b45

jasnow · RubySec CI · commit fe7bc1334db9 · 2025-03-04T19:22:04.000Z
diff --git a/advisories/_posts/2025-02-26-CVE-2025-27219.md b/advisories/_posts/2025-02-26-CVE-2025-27219.md
@@ -7,6 +7,7 @@ categories:
 advisory:
   gem: cgi
   cve: 2025-27219
+  ghsa: gh9q-2xrm-x6qv
   url: https://www.cve.org/CVERecord?id=CVE-2025-27219
   title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
   date: 2025-02-26
@@ -31,6 +32,7 @@ advisory:
 
     Thanks to lio346 for discovering this issue.
     Also thanks to mame for fixing this vulnerability.
+  cvss_v3: 5.8
   patched_versions:
   - "~> 0.3.5.1"
   - "~> 0.3.7"
diff --git a/advisories/_posts/2025-02-26-CVE-2025-27220.md b/advisories/_posts/2025-02-26-CVE-2025-27220.md
@@ -7,6 +7,7 @@ categories:
 advisory:
   gem: cgi
   cve: 2025-27220
+  ghsa: mhwm-jh88-3gjf
   url: https://www.cve.org/CVERecord?id=CVE-2025-27220
   title: CVE-2025-27220 - ReDoS in CGI::Util#escapeElement.
   date: 2025-02-26
@@ -32,6 +33,7 @@ advisory:
 
     Thanks to svalkanov for discovering this issue.
     Also thanks to nobu for fixing this vulnerability.
+  cvss_v3: 4.0
   patched_versions:
   - "~> 0.3.5.1"
   - "~> 0.3.7"
diff --git a/advisories/_posts/2025-02-26-CVE-2025-27221.md b/advisories/_posts/2025-02-26-CVE-2025-27221.md
@@ -8,6 +8,7 @@ categories:
 advisory:
   gem: uri
   cve: 2025-27221
+  ghsa: 22h5-pq3x-2gf2
   url: https://www.cve.org/CVERecord?id=CVE-2025-27221
   title: CVE-2025-27221 - userinfo leakage in URI#join, URI#merge and URI#+.
   date: 2025-02-26
@@ -36,6 +37,7 @@ advisory:
 
     Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.
     Also thanks to nobu for additional fixes of this vulnerability.
+  cvss_v3: 3.2
   patched_versions:
   - "~> 0.11.3"
   - "~> 0.12.4"
diff --git a/advisories/_posts/2025-03-03-CVE-2025-27590.md b/advisories/_posts/2025-03-03-CVE-2025-27590.md
@@ -0,0 +1,29 @@
+---
+layout: advisory
+title: 'CVE-2025-27590 (oxidized-web): Oxidized Web RANCID migration page allows unauthenticated
+  user to gain control over Linux user account'
+comments: false
+categories:
+- oxidized-web
+advisory:
+  gem: oxidized-web
+  cve: 2025-27590
+  ghsa: jx6p-9c26-g373
+  url: https://github.com/advisories/GHSA-jx6p-9c26-g373
+  title: Oxidized Web RANCID migration page allows unauthenticated user to gain control
+    over Linux user account
+  date: 2025-03-03
+  description: |
+    In oxidized-web (aka Oxidized Web) before 0.15.0, the RANCID
+    migration page allows an unauthenticated user to gain control
+    over the Linux user account that is running oxidized-web.
+  cvss_v3: 9.1
+  patched_versions:
+  - ">= 0.15.0"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-27590
+    - https://github.com/ytti/oxidized-web/releases/tag/0.15.0
+    - https://github.com/ytti/oxidized-web/commit/a5220a0ddc57b85cd122bffee228d3ed4901668e
+    - https://github.com/advisories/GHSA-jx6p-9c26-g373
+---
