From df40b21479a52ad1a1693d6aa8adeaba5d711510 Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Sat, 17 Jan 2026 11:03:58 -0500
Subject: [PATCH 1/2] GHSA SYNC: Merged 2 OSVDB and GHSA advisories
---
 .../{OSVDB-112347.yml => GHSA-mpwp-4h2m-765c.yml} | 14 +++++++++++---
 .../{OSVDB-114854.yml => GHSA-5qw5-wf2q-f538.yml} | 15 ++++++++-------
 2 files changed, 19 insertions(+), 10 deletions(-)
 rename gems/activejob/{OSVDB-112347.yml => GHSA-mpwp-4h2m-765c.yml} (56%)
 rename gems/activerecord-jdbc-adapter/{OSVDB-114854.yml => GHSA-5qw5-wf2q-f538.yml} (75%)
diff --git a/gems/activejob/OSVDB-112347.yml b/gems/activejob/GHSA-mpwp-4h2m-765c.yml
similarity index 56%
rename from gems/activejob/OSVDB-112347.yml
rename to gems/activejob/GHSA-mpwp-4h2m-765c.yml
index 0d78aa9fb3..72825fca88 100644
--- a/gems/activejob/OSVDB-112347.yml
+++ b/gems/activejob/GHSA-mpwp-4h2m-765c.yml
@@ -1,10 +1,16 @@
 ---
 gem: activejob
+framework: rails
+ghsa: mpwp-4h2m-765c
 osvdb: 112347
-url: https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
+url: https://github.com/advisories/GHSA-mpwp-4h2m-765c
 title: Active Job - Object injection security vulnerability if Global IDs
 date: 2014-09-29
 description: |
+  Active Job vulnerability: An Active Job bug allowed String
+  arguments to be deserialized as if they were Global IDs, an
+  object injection security vulnerability.
+ * In release post: "Active Job vulnerability: We also fixed an Active Job bug that allowed String arguments to be deserialized as if they were Global IDs,
@@ -13,7 +19,9 @@ patched_versions:
   - ">= 4.2.0.beta2"
 related:
   url:
-    - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
     - https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
+    - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
+    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/OSVDB-112347.yml
+    - https://github.com/advisories/GHSA-mpwp-4h2m-765c
 notes: |
-  - No CVE, GHSA, or CVSS values
+  - No CVE or CVSS values.
diff --git a/gems/activerecord-jdbc-adapter/OSVDB-114854.yml b/gems/activerecord-jdbc-adapter/GHSA-5qw5-wf2q-f538.yml
similarity index 75%
rename from gems/activerecord-jdbc-adapter/OSVDB-114854.yml
rename to gems/activerecord-jdbc-adapter/GHSA-5qw5-wf2q-f538.yml
index c493c82424..f4b737b4a4 100644
--- a/gems/activerecord-jdbc-adapter/OSVDB-114854.yml
+++ b/gems/activerecord-jdbc-adapter/GHSA-5qw5-wf2q-f538.yml
@@ -2,10 +2,10 @@
 gem: activerecord-jdbc-adapter
 platform: jruby
 osvdb: 114854
-url: https://github.com/jruby/activerecord-jdbc-adapter/issues/322
-title:
-  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb sql.gsub()
-  Function SQL Injection
+ghsa: 5qw5-wf2q-f538
+url: https://github.com/advisories/GHSA-5qw5-wf2q-f538
+title: ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb
+  sql.gsub() Function SQL Injection
 date: 2013-02-25
 description: |
   ActiveRecord-JDBC-Adapter (AR-JDBC) contains a flaw that may allow carrying
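Review bot: The new related URL `https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/OSVDB-112347.yml` points at the very path this commit renames away, so once the rename lands on master that link resolves to nothing. If the intent is to keep a pointer to the pre-rename record, pin it to a commit (for example the parent of this commit, `https://github.com/rubysec/ruby-advisory-db/blob/<PRE-RENAME-COMMIT>/gems/activejob/OSVDB-112347.yml`) or drop the entry, since `osvdb: 112347` already preserves the old identifier in the file itself. The activerecord-jdbc-adapter rename in the following hunks adds no such back-reference, so the two files should at least agree on the convention.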
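Review bot: `ghsa: 5qw5-wf2q-f538` is inserted after `osvdb:` here, whereas the activejob file in the first hunk places `ghsa:` before `osvdb:`; a stable key order across advisories keeps future GHSA-sync diffs small, so one of the two placements should be adopted in both files. The rewritten `title:` is a two-line plain scalar, which folds correctly but reads as an accidental continuation; an explicit folded scalar makes the intent visible and is safe if the text ever gains a `: ` or ` #`: `title: >-` / `  ActiveRecord-JDBC-Adapter (AR-JDBC) lib/arjdbc/jdbc/adapter.rb` / `  sql.gsub() Function SQL Injection`. The description block continues past the end of this hunk.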
@@ -22,7 +22,8 @@ related:
   url:
     - https://github.com/jruby/activerecord-jdbc-adapter/issues/322
     - https://github.com/jruby/activerecord-jdbc-adapter/blob/master/lib/arjdbc/jdbc/adapter.rb
-    - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076
     - https://my.diffend.io/gems/activerecord-jdbc-adapter/1.2.5/1.2.8
-    - http://osvdb.org/show/osvdb/114854
-    - https://advisories.gitlab.com/pkg/gem/activerecord-jdbc-adapter/OSVDB-2013-02-25
+    - https://security.snyk.io/vuln/SNYK-RUBY-ACTIVERECORDJDBCADAPTER-20076
+    - https://github.com/advisories/GHSA-5qw5-wf2q-f538
+notes: |
+  - No CVE, CVSS values.
From 2ee75dc4dd73de4f0e2560c1b6a0c564add00edc Mon Sep 17 00:00:00 2001
From: Al Snow
Date: Tue, 20 Jan 2026 10:46:58 -0500
Subject: [PATCH 2/2] 1 brand new advisory
---
 gems/jruby-openssl/CVE-2025-46551.yml | 43 +++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 gems/jruby-openssl/CVE-2025-46551.yml
diff --git a/gems/jruby-openssl/CVE-2025-46551.yml b/gems/jruby-openssl/CVE-2025-46551.yml
new file mode 100644
index 0000000000..2e5870f5e8
--- /dev/null
+++ b/gems/jruby-openssl/CVE-2025-46551.yml
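Review bot: The added `notes:` line reads `- No CVE, CVSS values.` while the same sync in the activejob file writes `- No CVE or CVSS values.`; since both files are touched by this commit, use the one phrasing in both, e.g. `  - No CVE or CVSS values.`. This hunk also drops the `advisories.gitlab.com` mirror link whereas the activejob file keeps its equivalent entry; if the removal is intentional because the GHSA page now supersedes it, the same rule presumably applies to the other file, and if not the entry should stay so the two renames are treated alike.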
@@ -0,0 +1,43 @@
+---
+gem: jruby-openssl
+platform: jruby
+cve: 2025-46551
+ghsa: 72qj-48g4-5xgx
+url: https://github.com/advisories/GHSA-72qj-48g4-5xgx
+title: JRuby-OpenSSL has hostname verification disabled by default
+date: 2025-05-07
+description: |
+  JRuby-OpenSSL is an add-on gem for JRuby that emulates the Ruby
+  OpenSSL native library.
+
+  Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4
+  (corresponding to JRuby versions starting in 9.3.4.0 prior to 9.4.12.1
+  and 10.0.0.0 prior to 10.0.0.1), when verifying SSL certificates,
+  JRuby-OpenSSL does not verify that the hostname presented in the
+  certificate matches the one the user tries to connect to.
+  This means a man-in-the-middle could just present any valid cert for
+  a completely different domain they own, and JRuby would accept the cert.
+  Anybody using JRuby to make requests of external APIs, or scraping
+  the web, that depends on https to connect securely.
+  JRuby-OpenSSL version 0.15.4 contains a fix for the issue. This fix
+  is included in JRuby versions 10.0.0.1 and 9.4.12.1.
+cvss_v3: 3.7
+cvss_v4: 5.7
+unaffected_versions:
+  - "<= 0.12.1"
+patched_versions:
+  - ">= 0.15.4"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-46551
+    - https://www.cve.org/CVERecord?id=CVE-2025-46551
+    - https://www.jruby.org/2025/05/07/jruby-9-4-12-1
+    - https://www.jruby.org/2025/05/07/jruby-10-0-0-1
+    - https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s
+    - https://github.com/advisories/GHSA-72qj-48g4-5xgx
+notes: |
+  1. Reference: https://bsky.app/profile/jrubyproject.bsky.social/post/3lolurlze3p2s
+  -- "Security advisory: We have released jruby-openssl gem 0.15.4,
+  jruby 10.0.0.1, and jruby 9.4.12.1 to address CVE-2025-46551,
+  disabled hostname verification by default.
+  We recommend that all users upgrade!"
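Review bot: `unaffected_versions: - "<= 0.12.1"` contradicts the description in the same file, which says the bug is present "Starting in JRuby-OpenSSL version 0.12.1 and prior to version 0.15.4"; with `<=`, a project pinned to exactly 0.12.1 is treated as unaffected and never gets flagged, even though the advisory text says that version is the first affected one. The range should exclude 0.12.1: `  - "< 0.12.1"`. The upstream advisory text should be checked to confirm 0.12.1 is inclusive before changing it, since the surrounding JRuby mapping ("starting in 9.3.4.0") also reads as inclusive. Separately, the description sentence beginning "Anybody using JRuby to make requests" is a fragment carried over from the upstream text; if the description is ever re-edited, "is affected" (or similar) should close it.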