Redid work

Author: jasnow

gems/activejob/GHSA-mpwp-4h2m-765c.yml

@@ -21,7 +21,6 @@ related:
   url:
     - https://advisories.gitlab.com/pkg/gem/activejob/OSVDB-112347
     - https://rubyonrails.org/2014/9/29/Rails-4-2-0-beta2-has-been-released
-    - https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activejob/OSVDB-112347.yml
     - https://advisories.gitlab.com/pkg/gem/activejob/GHSA-mpwp-4h2m-765c
     - https://github.com/advisories/GHSA-mpwp-4h2m-765c
 notes: |

gems/activerecord/CVE-2013-3221.yml

@@ -0,0 +1,38 @@
+---
+gem: activerecord
+framework: rails
+cve: 2013-3221
+ghsa: f57c-hx33-hvh8
+url: https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+title: Data-type injection vulnerability
+date: 2013-04-21
+description: |
+  The Active Record component in Ruby on Rails 2.3.x, 3.0.x, 3.1.x,
+  and 3.2.x does not ensure that the declared data type of a database
+  column is used during comparisons of input values to stored values
+  in that column, which makes it easier for remote attackers to
+  conduct data-type injection attacks against Ruby on Rails applications
+  via a crafted value, as demonstrated by unintended interaction
+  between the "typed XML" feature and a MySQL database.
+
+  ## RELEASE INFO
+  - Phrack writeup says that 'couple of days after the advisory the
+    issue was "fixed" in Rails 3.2.12 as by the following commit' 921a296.
+    But "Indeed the vector is completely fixed as of Rails 4.2 almost
+    two years after the original advisory."
+cvss_v2: 6.4
+patched_versions:
+  - ">= 4.2.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2013-3221
+    - https://github.com/rails/rails/commit/c9909db9f2f81575ef2ea2ed3b4e8743c8d6f1b9
+    - https://github.com/rails/rails/commit/921a296a3390192a71abeec6d9a035cc6d1865c8
+    - https://groups.google.com/group/rubyonrails-security/msg/1f3bc0b88a60c1ce
+    - http://pl.reddit.com/r/netsec/comments/17yajp/mysql_madness_and_rails
+    - http://openwall.com/lists/oss-security/2013/02/06/7
+    - http://openwall.com/lists/oss-security/2013/04/24/7
+    - https://gist.github.com/marianposaceanu/5442275
+    - https://web.archive.org/web/20160307143147/http://www.phenoelit.org/blog/archives/2013/02/index.html
+    - https://github.com/advisories/GHSA-f57c-hx33-hvh8
+    - https://phrack.org/issues/69/12

gems/alchemy_cms/CVE-2026-23885.yml

@@ -0,0 +1,45 @@
+---
+gem: alchemy_cms
+cve: 2026-23885
+ghsa: 2762-657x-v979
+url: https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+title: AlchemyCMS - Authenticated Remote Code Execution (RCE) via
+  eval injection in ResourcesHelper
+date: 2026-01-21
+description: |
+  ### Summary
+
+  A vulnerability was discovered during a manual security audit
+  of the AlchemyCMS source code. The application uses the Ruby
+  `eval()` function to dynamically execute a string provided by the
+  `resource_handler.engine_name` attribute in
+  `Alchemy::ResourcesHelper#resource_url_proxy`.
+
+  ### Details
+
+  The vulnerability exists in `app/helpers/alchemy/resources_helper.rb`
+  at line 28. The code explicitly bypasses security linting with
+  `# rubocop:disable Security/Eval`, indicating that the use of a
+  dangerous function was known but not properly mitigated.
+
+  Since `engine_name` is sourced from module definitions that can be
+  influenced by administrative configurations, it allows an authenticated
+  attacker to escape the Ruby sandbox and execute arbitrary system
+  commands on the host OS.
+
+  But, for this attack to be possible local file access to the alchemy
+  project or the source on a remote server is necessary in order to
+  manipulate the module config file, though.
+cvss_v3: 6.6
+patched_versions:
+  - "~> 7.4.12"
+  - ">= 8.0.3"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-23885
+    - https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979
+    - https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26
+    - https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7
+    - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12
+    - https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3
+    - https://github.com/advisories/GHSA-2762-657x-v979

gems/decidim-core/CVE-2025-65017.yml

@@ -0,0 +1,132 @@
+---
+gem: decidim-core
+cve: 2025-65017
+ghsa: 3cx6-j9j4-54mp
+url: https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
+title: Decidim's private data exports can lead to data leaks
+date: 2026-02-03
+description: |
+  ### Impact
+
+  Private data exports can lead to data leaks in cases where the UUID
+  generation causes collisions for the generated UUIDs.
+
+  The bug was introduced by #13571 and affects Decidim versions 0.30.0
+  or newer (currently 2025-09-23).
+
+  This issue  was discovered by running the following spec several
+  times in a row, as it can randomly fail due to this bug:
+
+  ```bash
+  $ cd decidim-core
+  $ for i in {1..10}; do bundle exec rspec
+    spec/jobs/decidim/download_your_data_export_job_spec.rb
+    -e "deletes the" || break ; done
+  ```
+
+  Run the spec as many times as needed to hit a UUID that converts
+  to `0` through `.to_i`.
+
+  The UUID to zero conversion does not cause a security issue but
+  the security issue is demonstrated with the following example.
+
+  The following code regenerates the issue by assigning a predefined
+  UUID that will generate a collision (example assumes there are
+  already two existing users in the system):
+
+  ```ruby
+  # Create the ZIP buffers to be stored
+  buffer1 = Zip::OutputStream.write_buffer do |out|
+    out.put_next_entry("admin.txt")
+    out.write "Hello, admin!"
+  end
+  buffer1.rewind
+  buffer2 = Zip::OutputStream.write_buffer do |out|
+    out.put_next_entry("user.txt")
+    out.write "Hello, user!"
+  end
+  buffer2.rewind
+
+  # Create the private exports with a predefined IDs
+  user1 = Decidim::User.find(1)
+  export = user1.private_exports.build
+  export.id = "0210ae70-482b-4671-b758-35e13e0097a9"
+  export.export_type = "download_your_data"
+  export.file.attach(io: buffer1, filename: "foobar.zip",
+    content_type: "application/zip")
+  export.expires_at = Decidim.download_your_data_expiry_time.from_now
+  export.metadata = {}
+  export.save!
+
+  user2 = Decidim::User.find(2)
+  export = user2.private_exports.build
+  export.id = "0210d2df-a0c7-40aa-ad97-2dae5083e3b8"
+  export.export_type = "download_your_data"
+  export.file.attach(io: buffer2, filename: "foobar.zip",
+    content_type: "application/zip")
+  export.expires_at = Decidim.download_your_data_expiry_time.from_now
+  export.metadata = {}
+  export.save!
+  ```
+
+  Expect to see an error in the situation.
+
+  Now, login as user with ID 1, go to `/download_your_data`, click
+  "Download file" from the export and expect to see the data that
+  should be attached to user with ID 2. This is an artificially
+  replicated situation with the predefined UUIDs but it can easily
+  happen in real situations.
+
+  The reason for the test case failure can be replicated in case
+  you change the export ID to
+    `export.id = "e9540f96-9e3d-4abe-8c2a-6c338d85a684"`.
+  This would return `0` through `.to_s`
+
+  After attaching that ID, you can test if the file is available
+  for the export:
+
+  ```ruby
+  user.private_exports.last.file.attached?
+  => false
+  user.private_exports.last.file.blob
+  => nil
+  ```
+
+  Note that this fails with such UUID as shown in the example and
+  could easily lead to collisions in case the UUID starts with a
+  number. E.g. UUID `"0210ae70-482b-4671-b758-35e13e0097a9"` would
+  convert to `210` through `.to_s`. Therefore, if someone else has
+  a "private" export with the prefixes "00000210", "0000210",
+  "000210", "00210", "0210" or "210", that would cause a collision
+  and the file could be attached to the wrong private export.
+
+  Theoretical chance of collision (the reality depends on the
+  UUID generation algorithm):
+
+  - Potential combinations of the UUID first part (8 characters hex): 16^8
+  - Potentially colliding character combinations (8 numbers
+    characters in the range of 0-9): 10^8
+  - 10^8 / 16^8 ≈ 2.3 (23 / 1000 users)
+
+  The root cause is that the class `Decidim::PrivateExport` defines
+  an ActiveStorage relation to `file` and the table
+  `active_storage_attachments` stores the related `record_id` as
+  `bigint` which causes the conversion to happen.
+
+  ### Workarounds
+
+  Fully disable the private exports feature until a patch is available.
+cvss_v4: 8.2
+unaffected_versions:
+  - "< 0.30.0"
+patched_versions:
+  - "~> 0.30.4"
+  - ">= 0.31.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-65017
+    - https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
+    - https://github.com/decidim/decidim/releases/tag/v0.31.0
+    - https://github.com/decidim/decidim/releases/tag/v0.30.4
+    - https://github.com/decidim/decidim/pull/13571
+    - https://github.com/advisories/GHSA-3cx6-j9j4-54mp

gems/decidim/CVE-2025-65017.yml

@@ -0,0 +1,132 @@
+---
+gem: decidim
+cve: 2025-65017
+ghsa: 3cx6-j9j4-54mp
+url: https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
+title: Decidim's private data exports can lead to data leaks
+date: 2026-02-03
+description: |
+  ### Impact
+
+  Private data exports can lead to data leaks in cases where the UUID
+  generation causes collisions for the generated UUIDs.
+
+  The bug was introduced by #13571 and affects Decidim versions 0.30.0
+  or newer (currently 2025-09-23).
+
+  This issue  was discovered by running the following spec several
+  times in a row, as it can randomly fail due to this bug:
+
+  ```bash
+  $ cd decidim-core
+  $ for i in {1..10}; do bundle exec rspec
+    spec/jobs/decidim/download_your_data_export_job_spec.rb
+    -e "deletes the" || break ; done
+  ```
+
+  Run the spec as many times as needed to hit a UUID that converts
+  to `0` through `.to_i`.
+
+  The UUID to zero conversion does not cause a security issue but
+  the security issue is demonstrated with the following example.
+
+  The following code regenerates the issue by assigning a predefined
+  UUID that will generate a collision (example assumes there are
+  already two existing users in the system):
+
+  ```ruby
+  # Create the ZIP buffers to be stored
+  buffer1 = Zip::OutputStream.write_buffer do |out|
+    out.put_next_entry("admin.txt")
+    out.write "Hello, admin!"
+  end
+  buffer1.rewind
+  buffer2 = Zip::OutputStream.write_buffer do |out|
+    out.put_next_entry("user.txt")
+    out.write "Hello, user!"
+  end
+  buffer2.rewind
+
+  # Create the private exports with a predefined IDs
+  user1 = Decidim::User.find(1)
+  export = user1.private_exports.build
+  export.id = "0210ae70-482b-4671-b758-35e13e0097a9"
+  export.export_type = "download_your_data"
+  export.file.attach(io: buffer1, filename: "foobar.zip",
+    content_type: "application/zip")
+  export.expires_at = Decidim.download_your_data_expiry_time.from_now
+  export.metadata = {}
+  export.save!
+
+  user2 = Decidim::User.find(2)
+  export = user2.private_exports.build
+  export.id = "0210d2df-a0c7-40aa-ad97-2dae5083e3b8"
+  export.export_type = "download_your_data"
+  export.file.attach(io: buffer2, filename: "foobar.zip",
+    content_type: "application/zip")
+  export.expires_at = Decidim.download_your_data_expiry_time.from_now
+  export.metadata = {}
+  export.save!
+  ```
+
+  Expect to see an error in the situation.
+
+  Now, login as user with ID 1, go to `/download_your_data`, click
+  "Download file" from the export and expect to see the data that
+  should be attached to user with ID 2. This is an artificially
+  replicated situation with the predefined UUIDs but it can easily
+  happen in real situations.
+
+  The reason for the test case failure can be replicated in case
+  you change the export ID to
+    `export.id = "e9540f96-9e3d-4abe-8c2a-6c338d85a684"`.
+  This would return `0` through `.to_s`
+
+  After attaching that ID, you can test if the file is available
+  for the export:
+
+  ```ruby
+  user.private_exports.last.file.attached?
+  => false
+  user.private_exports.last.file.blob
+  => nil
+  ```
+
+  Note that this fails with such UUID as shown in the example and
+  could easily lead to collisions in case the UUID starts with a
+  number. E.g. UUID `"0210ae70-482b-4671-b758-35e13e0097a9"` would
+  convert to `210` through `.to_s`. Therefore, if someone else has
+  a "private" export with the prefixes "00000210", "0000210",
+  "000210", "00210", "0210" or "210", that would cause a collision
+  and the file could be attached to the wrong private export.
+
+  Theoretical chance of collision (the reality depends on the
+  UUID generation algorithm):
+
+  - Potential combinations of the UUID first part (8 characters hex): 16^8
+  - Potentially colliding character combinations (8 numbers
+    characters in the range of 0-9): 10^8
+  - 10^8 / 16^8 ≈ 2.3 (23 / 1000 users)
+
+  The root cause is that the class `Decidim::PrivateExport` defines
+  an ActiveStorage relation to `file` and the table
+  `active_storage_attachments` stores the related `record_id` as
+  `bigint` which causes the conversion to happen.
+
+  ### Workarounds
+
+  Fully disable the private exports feature until a patch is available.
+cvss_v4: 8.2
+unaffected_versions:
+  - "< 0.30.0"
+patched_versions:
+  - "~> 0.30.4"
+  - ">= 0.31.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-65017
+    - https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp
+    - https://github.com/decidim/decidim/releases/tag/v0.31.0
+    - https://github.com/decidim/decidim/releases/tag/v0.30.4
+    - https://github.com/decidim/decidim/pull/13571
+    - https://github.com/advisories/GHSA-3cx6-j9j4-54mp

gems/fog-kubevirt/CVE-2026-1530.yml

@@ -0,0 +1,29 @@
+---
+gem: fog-kubevirt
+cve: 2026-1530
+ghsa: m3hq-3qj8-c5fm
+url: https://access.redhat.com/security/cve/CVE-2026-1530
+title: fog-kubevirt allows remote attacker to perform MITM attack
+  due to disabled certificate validation
+date: 2026-02-02
+description: |
+  A flaw was found in fog-kubevirt. This vulnerability allows a remote
+  attacker to perform a Man-in-the-Middle (MITM) attack due to disabled
+  certificate validation. This enables the attacker to intercept and
+  potentially alter sensitive communications between Satellite and
+  OpenShift, resulting in information disclosure and data integrity
+  compromise.
+cvss_v3: 8.1
+patched_versions:
+  - ">= 1.5.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-1530
+    - https://github.com/fog/fog-kubevirt/releases/tag/v1.5.1
+    - https://github.com/fog/fog-kubevirt/blob/8adb03e07972d6e19a7713ecf2a827aa2cfe4b9e/CHANGELOG.md?plain=1#L11
+    - https://github.com/fog/fog-kubevirt/pull/168
+    - https://github.com/fog/fog-kubevirt/commit/8371e9ded99f9ec3e74caf2f283836109763e450
+    - https://github.com/fog/fog-kubevirt/commit/9603d79a239a0f68bedfc679cd1b65fbf6ec4753
+    - https://access.redhat.com/security/cve/CVE-2026-1530
+    - https://bugzilla.redhat.com/show_bug.cgi?id=2433784
+    - https://github.com/advisories/GHSA-m3hq-3qj8-c5fm