[DRE-maint] Bug#1027153: ruby-rails-html-sanitizer: CVE-2022-23517 CVE-2022-23518 CVE-2022-23519 CVE-2022-23520

Moritz Mühlenhoff jmm at inutil.org
Wed Dec 28 17:57:07 GMT 2022


Source: ruby-rails-html-sanitizer
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rails-html-sanitizer.

CVE-2022-23517[0]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Certain configurations of rails-html-sanitizer
| < 1.4.4 use an inefficient regular expression that is susceptible
| to excessive backtracking when attempting to sanitize certain SVG
| attributes. This may lead to a denial of service through CPU resource
| consumption. This issue has been patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979

CVE-2022-23518[1]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to
| cross-site scripting via data URIs when used in combination with
| Loofah >= 2.1.0. This issue is patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/issues/135
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

CVE-2022-23519[2]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| may allow an attacker to inject content if the application developer
| has overridden the sanitizer's allowed tags in either of the following
| ways: allow both "math" and "style" elements, or allow both "svg" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is fixed in version 1.4.4. All users
| overriding the allowed tags to include "math" or "svg" and "style"
| should either upgrade or use the following workaround immediately:
| Remove "style" from the overridden allowed tags, or remove "math" and
| "svg" from the overridden allowed tags.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

CVE-2022-23520[3]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, there is a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may
| allow an attacker to inject content if the application developer has
| overridden the sanitizer's allowed tags to allow both "select" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is patched in version 1.4.4. All users
| overriding the allowed tags to include both "select" and "style"
| should either upgrade or use this workaround: Remove either "select"
| or "style" from the overridden allowed tags. NOTE: Code is _not_
| impacted if allowed tags are overridden using either the :tags option
| to the Action View helper method sanitize or the :tags option to the
| instance method SafeListSanitizer#sanitize.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23517
    https://www.cve.org/CVERecord?id=CVE-2022-23517
[1] https://security-tracker.debian.org/tracker/CVE-2022-23518
    https://www.cve.org/CVERecord?id=CVE-2022-23518
[2] https://security-tracker.debian.org/tracker/CVE-2022-23519
    https://www.cve.org/CVERecord?id=CVE-2022-23519
[3] https://security-tracker.debian.org/tracker/CVE-2022-23520
    https://www.cve.org/CVERecord?id=CVE-2022-23520

Please adjust the affected versions in the BTS as needed.
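As an added example (not part of the bug report or of the rails-html-sanitizer project), a small Ruby audit that maps an installed rails-html-sanitizer and Loofah version plus an overridden allowed-tag list onto the four CVEs above and applies the advisories' workaround; it assumes the override is done through the sanitizer's class-level allowed tags rather than the per-call :tags option, which CVE-2022-23520 says is not impacted.

```ruby
# Added example: audit a Rails app's rails-html-sanitizer configuration
# against CVE-2022-23517 .. CVE-2022-23520 (versions and tag combos as
# stated in the advisories; nothing here is project code).
require 'rubygems' # Gem::Version for version comparison

FIXED = Gem::Version.new('1.4.4')

# Tag combinations named in CVE-2022-23519 / CVE-2022-23520 that are
# only dangerous when the application overrides the allowed-tag list.
RISKY_COMBOS = {
  'CVE-2022-23519' => [%w[math style], %w[svg style]],
  'CVE-2022-23520' => [%w[select style]],
}.freeze

# rhs_version:    installed rails-html-sanitizer version string
# loofah_version: installed Loofah version string (nil if unknown)
# allowed_tags:   class-level overridden allowed tags (nil = defaults)
# Returns the CVE ids that apply to this configuration.
def affected_cves(rhs_version:, loofah_version: nil, allowed_tags: nil)
  v = Gem::Version.new(rhs_version)
  return [] if v >= FIXED

  # ReDoS on SVG attributes in certain configurations; flag for review.
  cves = ['CVE-2022-23517']
  if v >= Gem::Version.new('1.0.3') && loofah_version &&
     Gem::Version.new(loofah_version) >= Gem::Version.new('2.1.0')
    cves << 'CVE-2022-23518' # XSS via data URIs with Loofah >= 2.1.0
  end
  if allowed_tags
    tags = allowed_tags.map(&:to_s)
    RISKY_COMBOS.each do |cve, combos|
      cves << cve if combos.any? { |combo| (combo - tags).empty? }
    end
  end
  cves
end

# Workaround from the advisories: drop "style" from an overridden list
# when it is combined with select, math or svg. Upgrading is the fix.
def hardened_tags(allowed_tags)
  tags = allowed_tags.map(&:to_s)
  risky = RISKY_COMBOS.values.flatten(1).any? { |c| (c - tags).empty? }
  risky ? tags - ['style'] : tags
end
```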
