This release only adds checks for the latest Rails CVEs; there are no other changes.
Changes since 2.4.0:
- Add check for CVE-2014-0080
- Add check for CVE-2014-0081, replaces CVE-2013-6415
- Add check for CVE-2014-0082
CVE-2014-0080 is a SQL injection issue that only affects applications using PostgreSQL with Rails 4.x. If Brakeman detects the pg gem together with an affected Rails version, it will warn about this CVE.
CVE-2014-0081 is a cross-site scripting vulnerability in the number_to_currency, number_to_percentage and number_to_human helpers. Values passed in as options may not be properly escaped. It affects all previous versions of Rails.
Brakeman will warn on unsafe uses of these helpers (calls whose options can be influenced by user input). If no unsafe calls are found, it will generate a generic medium confidence warning.
Warnings for CVE-2014-0081 replace warnings for CVE-2013-6415, which was about just
CVE-2014-0082 is a potential denial of service problem caused by symbol creation when handling render :text in Rails 3.x.
Brakeman will only warn about this CVE if it detects a use of render :text in an affected version.
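As an added illustration of the two code patterns these checks look for, the script below parses Ruby source with the standard-library Ripper and flags (a) number_to_currency / number_to_percentage / number_to_human calls whose arguments read from params (CVE-2014-0081) and (b) any render :text call (CVE-2014-0082). It is example code written for this page, not Brakeman's own implementation or its taint rules: the SAMPLE source is constructed, treating h() and html_escape() as sufficient escaping is an assumption of the example, and the script does not look at the Rails version, which Brakeman does before warning about CVE-2014-0082.

```ruby
require 'ripper'

# Helpers affected by CVE-2014-0081: values in their options hash were not escaped.
NUMBER_HELPERS = %w[number_to_currency number_to_percentage number_to_human].freeze
# Calls whose result this example treats as already escaped. This is an assumption
# of the example, not a description of Brakeman's own taint rules.
ESCAPING_CALLS = %w[h html_escape].freeze

# Constructed sample of view/controller code; it is not taken from any real application.
SAMPLE = <<~'RUBY'
  price = number_to_currency(item.price, unit: params[:unit])
  pct   = number_to_percentage(score, format: "%n %", precision: 1)
  size  = number_to_human file.size, units: params[:units]
  safe  = number_to_currency(item.price, unit: h(params[:unit]))
  render :text => "#{size} bytes"
  render json: { price: price }
RUBY

# Depth-first walk over a Ripper S-expression, yielding every array node.
def each_node(node, &block)
  return unless node.is_a?(Array)
  yield node
  node.each { |child| each_node(child, &block) }
end

# For a receiver-less call (`foo(...)` or `foo ...`) return its
# [:@ident, name, [line, col]] token; nil for any other node.
def call_ident(node)
  return nil unless node.is_a?(Array)
  case node[0]
  when :method_add_arg
    node[1][1] if node[1][0] == :fcall && node[1][1][0] == :@ident
  when :command
    node[1] if node[1][0] == :@ident
  end
end

def call_name(node)
  ident = call_ident(node)
  ident && ident[1]
end

def call_line(node)
  call_ident(node)[2][0]
end

# True if the subtree reads `params` anywhere, except inside h()/html_escape().
def tainted?(node)
  return false unless node.is_a?(Array)
  return false if ESCAPING_CALLS.include?(call_name(node))
  return true if node[0] == :vcall && node[1][0] == :@ident && node[1][1] == 'params'
  node.any? { |child| tainted?(child) }
end

# Symbol keys of every `key: value` / `:key => value` pair under an argument list.
def option_keys(args)
  keys = []
  each_node(args) do |n|
    next unless n[0] == :assoc_new
    key = n[1]
    keys << key[1].chomp(':') if key[0] == :@label
    keys << key[1][1][1] if key[0] == :symbol_literal && key[1][0] == :symbol
  end
  keys
end

# Parse `source`, visit every receiver-less call and collect the block's
# non-nil results. Raises if the source is not valid Ruby.
def scan(source)
  sexp = Ripper.sexp(source)
  raise ArgumentError, 'source does not parse' if sexp.nil?
  findings = []
  each_node(sexp) do |node|
    name = call_name(node)
    next unless name
    result = yield(node, name)
    findings << result if result
  end
  findings
end

# CVE-2014-0081: [[line, helper], ...] for number helpers whose arguments
# can be influenced by the request.
def unsafe_number_helper_calls(source)
  scan(source) do |node, name|
    [call_line(node), name] if NUMBER_HELPERS.include?(name) && tainted?(node[2])
  end
end

# CVE-2014-0082: lines that call `render :text`. A finding only matters on an
# affected Rails 3.x version; this script does not check the Rails version.
def render_text_calls(source)
  scan(source) do |node, name|
    call_line(node) if name == 'render' && option_keys(node[2]).include?('text')
  end
end

if __FILE__ == $PROGRAM_NAME
  unsafe_number_helper_calls(SAMPLE).each do |line, name|
    puts "line #{line}: #{name} receives request-controlled options (CVE-2014-0081)"
  end
  render_text_calls(SAMPLE).each do |line|
    puts "line #{line}: render :text (CVE-2014-0082 if the Rails 3.x version is affected)"
  end
end
```

Run it with `ruby scan.rb`: lines 1 and 3 of SAMPLE are reported for CVE-2014-0081 (line 4 is not, because the option value is wrapped in h()), and line 5 for CVE-2014-0082. The taint check is deliberately coarse: it only recognises a bare `params` reference, so a value first copied into a local variable slips past it, whereas Brakeman follows such assignments.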
The SHA1 sums for this release are:
e9fb5439d5a322b4a9c9611d75d994e7df83d4d2 brakeman-2.4.1.gem
b84ad90a7ec9b6e6bbce8fc69c50d1d8b3214d0f brakeman-min-2.4.1.gem