
===================================================================
                             CERT-Renater

                   Information Note No. 2021/VULN180
_____________________________________________________________________

DATE                : 04/05/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Rails versions prior to
                   7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1.

====================================================================

https://groups.google.com/g/rubyonrails-security/c/RmWxKvSNgRg
https://groups.google.com/g/rubyonrails-security/c/Yg2tEh2UUqc
_____________________________________________________________________

[CVE-2022-22577] Possible XSS Vulnerability in Action Pack

Aaron Patterson

Apr 26, 2022, 9:53:28 PM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com

There is a possible XSS vulnerability in Rails / Action Pack. This
vulnerability has been assigned the CVE identifier CVE-2022-22577.


Versions Affected:  >= 5.2.0

Not affected:       < 5.2.0

Fixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1


Impact
------

CSP headers were only sent along with responses that Rails considered
as "HTML" responses.  This left API requests without CSP headers,
which could possibly expose users to XSS attacks.


Releases
--------

The FIXED releases are available at the normal locations.


Workarounds
-----------

Set a CSP for your API responses manually.


Patches
-------

To aid users who aren't able to upgrade immediately we have provided
patches for the two supported release series. They are in git-am
format and consist of a single changeset.


* 5-2-csp-xss.patch - Patch for 5.2 series

* 6-0-csp-xss.patch - Patch for 6.0 series

* 6-1-csp-xss.patch - Patch for 6.1 series

* 7-0-csp-xss.patch - Patch for 7.0 series


Credits
-------


Thank you Tim Wade for making the patch, and thank you
[thorsteneckel](https://hackerone.com/thorsteneckel?type=user) for
reporting this issue.

_____________________________________________________________________

[CVE-2022-27777] Possible XSS Vulnerability in Action View tag helpers

Aaron Patterson

Apr 26, 2022, 9:54:25 PM
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com

There is a possible XSS vulnerability in Action View tag helpers.
Passing untrusted input as hash keys can lead to a possible XSS
vulnerability. This vulnerability has been assigned the CVE
identifier CVE-2022-27777.


Versions Affected:  ALL

Not affected:       NONE

Fixed Versions:     7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1


Impact
------

If untrusted data is passed as the hash key for tag attributes,
there is a possibility that the untrusted data may not be properly
escaped, which can lead to an XSS vulnerability.


Impacted code will look something like this:


```ruby
# The hash key (here malicious_input) is taken from untrusted input and
# ends up in the aria-* attribute name
check_box_tag('thename', 'thevalue', false, aria: { malicious_input => 'thevalueofaria' })
```


Where the "malicious_input" variable contains untrusted data.


All users running an affected release should either upgrade or use
one of the workarounds immediately.


Releases
--------

The FIXED releases are available at the normal locations.


Workarounds
-----------

Escape the untrusted data before using it as a key for tag helper
methods.


Patches
-------

To aid users who aren't able to upgrade immediately we have
provided patches for the two supported release series. They
are in git-am format and consist of a single changeset.


* 5-2-tag-helper-xss.patch - Patch for 5.2 series

* 6-0-tag-helper-xss.patch - Patch for 6.0 series

* 6-1-tag-helper-xss.patch - Patch for 6.1 series

* 7-0-tag-helper-xss.patch - Patch for 7.0 series


Credits
-------


Thank you to [Álvaro Martín Fraguas](https://hackerone.com/amartinfraguas)
for reporting the issue and providing patches!

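To make the key-escaping workaround for CVE-2022-27777 concrete, the following is an added Ruby example written for this note; it is not Rails' code and not part of the original announcements. It uses a hypothetical minimal attribute builder: `attributes_unescaped_keys` reproduces the bug class on a constructed untrusted key, `attributes_escaped_keys` applies the workaround with `ERB::Util.html_escape` from the Ruby standard library, and `valid_attribute_name?` adds an allowlist check; all function names and the sample key are assumptions.

```ruby
require "erb"

# Constructed untrusted input for this note: a hash key carrying a double
# quote, the situation the advisory warns about (not a value from the page).
UNTRUSTED_KEY = 'label" foo="bar'

# Hypothetical minimal attribute builder (not Rails' own code) that shows
# the bug class: the value is HTML-escaped but the key is interpolated raw,
# so a quote in the key closes the attribute and smuggles in another one.
def attributes_unescaped_keys(attrs)
  attrs.map { |k, v| %(#{k}="#{ERB::Util.html_escape(v)}") }.join(" ")
end

# Hardened builder applying the workaround: escape the untrusted data
# before it is used as a key, so the quote is emitted as &quot; and can no
# longer terminate the attribute.
def attributes_escaped_keys(attrs)
  attrs.map do |k, v|
    %(#{ERB::Util.html_escape(k.to_s)}="#{ERB::Util.html_escape(v)}")
  end.join(" ")
end

# Extra check to pair with escaping: an attribute name derived from
# untrusted input should also match an allowlist before it is used at all.
ATTR_NAME = /\A[A-Za-z][\w:.-]*\z/

def valid_attribute_name?(name)
  name.to_s.match?(ATTR_NAME)
end

# Mirrors the shape of the advisory's snippet: aria: { key => value }
# becomes aria-<key>="value" on an <input type="checkbox"> tag.
def check_box_like(name, value, aria, escape_keys: true)
  flat = aria.to_h { |k, v| ["aria-#{k}", v] }
  attrs = escape_keys ? attributes_escaped_keys(flat) : attributes_unescaped_keys(flat)
  %(<input type="checkbox" name="#{ERB::Util.html_escape(name)}" ) +
    %(value="#{ERB::Util.html_escape(value)}" #{attrs} />)
end

if __FILE__ == $PROGRAM_NAME
  aria = { UNTRUSTED_KEY => "thevalueofaria" }
  puts "vulnerable: #{check_box_like('thename', 'thevalue', aria, escape_keys: false)}"
  puts "hardened:   #{check_box_like('thename', 'thevalue', aria)}"
end
```

Running it prints the two renderings side by side: the unescaped variant emits a second `foo="..."` attribute from the key, the escaped variant keeps the whole key inside one attribute name.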

=======================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=======================================================
