GHSA SYNC: 2 brand new advisories

jasnow · postmodern · commit cb566ac5802b · 2025-03-13T10:36:52.000-07:00
diff --git a/gems/graphql/CVE-2025-27407.yml b/gems/graphql/CVE-2025-27407.yml
@@ -0,0 +1,41 @@
+---
+gem: graphql
+cve: 2025-27407
+ghsa: q92j-grw3-h492
+url: https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
+title: graphql allows remote code execution when loading a crafted GraphQL schema
+date: 2025-03-12
+description: |
+  Loading a malicious schema definition in
+  `GraphQL::Schema.from_introspection` (or `GraphQL::Schema::Loader.load`)
+  can result in remote code execution. Any system which loads a schema
+  by JSON from an untrusted source is vulnerable, including those that
+  use [GraphQL::Client](https://github.com/github-community-projects/graphql-client)
+  to load external schemas via GraphQL introspection.
+cvss_v3: 9.1
+unaffected_versions:
+  - "< 1.11.5"
+patched_versions:
+  - "~> 1.11.11"
+  - "~> 1.12.25"
+  - "~> 1.13.24"
+  - "~> 2.0.32"
+  - "~> 2.1.15"
+  - "~> 2.2.17"
+  - "~> 2.3.21"
+  - ">= 2.4.13"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-27407
+    - https://github.com/github-community-projects/graphql-client
+    - https://github.com/rmosolgo/graphql-ruby/security/advisories/GHSA-q92j-grw3-h492
+    - https://github.com/rmosolgo/graphql-ruby/commit/e58676c70aa695e3052ba1fbc787efee4ba7d67e
+    - https://github.com/rmosolgo/graphql-ruby/commit/28233b16c0eb9d0fb7808f4980e061dc7507c4cd
+    - https://github.com/rmosolgo/graphql-ruby/commit/2d2f4ed1f79472f8eed29c864b039649e1de238f
+    - https://github.com/rmosolgo/graphql-ruby/commit/5c5a7b9a9bdce143be048074aea50edb7bb747be
+    - https://github.com/rmosolgo/graphql-ruby/commit/6eca16b9fa553aa957099a30dbde64ddcdac52ca
+    - https://github.com/rmosolgo/graphql-ruby/commit/d0963289e0dab4ea893bbecf12bb7d89294957bb
+    - https://github.com/rmosolgo/graphql-ruby/commit/d1117ae0361d9ed67e0795b07f5c3e98e62f3c7c
+    - https://github.com/rmosolgo/graphql-ruby/commit/e3b33ace05391da2871c75ab4d3b66e29133b367
+    - https://about.gitlab.com/releases/2025/03/12/patch-release-gitlab-17-9-2-released
+    - https://github.com/advisories/GHSA-q92j-grw3-h492
diff --git a/gems/json/CVE-2025-27788.yml b/gems/json/CVE-2025-27788.yml
@@ -0,0 +1,34 @@
+---
+gem: json
+cve: 2025-27788
+ghsa: 9m3q-rhmv-5q44
+url: https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44
+title: Out-of-bounds Read in Ruby JSON Parser
+date: 2025-03-12
+description: |
+  ### Impact
+
+  A specially crafted document could cause an out of bound read,
+  most likely resulting in a crash.
+
+  Versions 2.10.0 and 2.10.1 are impacted. Older versions are not.
+
+  ### Patches
+
+  Version 2.10.2 fixes the problem.
+
+  ### Workarounds
+
+  None.
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 2.10.0"
+patched_versions:
+  - ">= 2.10.2"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-27788
+    - https://github.com/ruby/json/security/advisories/GHSA-9m3q-rhmv-5q44
+    - https://github.com/ruby/json/releases/tag/v2.10.2
+    - https://github.com/ruby/json/commit/c56db31f800d5d508389793e69682f99749dbadf
+    - https://github.com/advisories/GHSA-9m3q-rhmv-5q44
