===================================================================
CERT-Renater Note d'Information No. 2022/VULN473
_____________________________________________________________________
DATE                 : 19/12/2022
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running rails-html-sanitizer versions prior to 1.4.4.
===================================================================

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
_____________________________________________________________________

Inefficient Regular Expression Complexity in rails-html-sanitizer
Severity: High
Published by flavorjones as GHSA-5x79-w82f-gw8w

Package           : rails-html-sanitizer (RubyGems)
Affected versions : < 1.4.4
Patched versions  : 1.4.4

Description

Summary
Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.

Severity
The maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References
CWE-1333: Inefficient Regular Expression Complexity (4.9)
https://hackerone.com/reports/1684163

Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
Severity: High 7.5/10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : None
  Scope               : Unchanged
  Confidentiality     : None
  Integrity           : None
  Availability        : High
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID     : CVE-2022-23517
Weaknesses : CWE-1333
______________________________________________________________________

Possible XSS vulnerability with certain configurations of rails-html-sanitizer
Severity: Moderate (GitHub Reviewed)

Vulnerability details
Package           : rails-html-sanitizer (RubyGems)
Affected versions : < 1.4.4
Patched versions  : 1.4.4

Description

Summary
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.

Versions affected: ALL
Not affected: NONE
Fixed versions: 1.4.4

Impact
A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.

Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:

- Using the Rails configuration config.action_view.sanitized_allowed_tags=:

    # In config/application.rb
    config.action_view.sanitized_allowed_tags = ["select", "style"]

  (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)

- Using the class method Rails::Html::SafeListSanitizer.allowed_tags=:

    # class-level option
    Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]

All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

NOTE: Code is not impacted if allowed tags are overridden using either of the following mechanisms:

- the :tags option to the Action View helper method sanitize.
- the :tags option to the instance method SafeListSanitizer#sanitize.
Workarounds
Remove either "select" or "style" from the overridden allowed tags.

References
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209
https://hackerone.com/reports/1654310
GHSA-rrfc-7g8p-99q8
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23520.yml
https://nvd.nist.gov/vuln/detail/CVE-2022-23520

Credit
This vulnerability was responsibly reported by Dominic Breuker.

Published by flavorjones (maintainer security advisory)

Severity: Moderate 6.1/10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : Required
  Scope               : Changed
  Confidentiality     : Low
  Integrity           : Low
  Availability        : None
  Vector              : CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Weaknesses  : CWE-79
CVE ID      : CVE-2022-23520
GHSA ID     : GHSA-rrfc-7g8p-99q8
Source code : rails/rails-html-sanitizer
_____________________________________________________________________

Improper neutralization of data URIs may allow XSS in rails-html-sanitizer
Severity: Moderate
Published by flavorjones as GHSA-mcvf-2q2m-x72m

Package           : rails-html-sanitizer (RubyGems)
Affected versions : >= 1.0.3, < 1.4.4
Patched versions  : 1.4.4

Description

Summary
rails-html-sanitizer >= 1.0.3, < 1.4.4 is vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0.

Mitigation
Upgrade to rails-html-sanitizer >= 1.4.4.

Severity
The maintainers have evaluated this as Medium Severity 6.1.
References
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)
w3c/svgwg issue #266: SVG MIME Type (image/svg+xml) is misleading to developers
#135
https://hackerone.com/reports/1694173

Credit
This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).

Severity: Moderate 6.1/10
CVSS base metrics
  Attack vector       : Network
  Attack complexity   : Low
  Privileges required : None
  User interaction    : Required
  Scope               : Changed
  Confidentiality     : Low
  Integrity           : Low
  Availability        : None
  Vector              : CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVE ID     : CVE-2022-23518
Weaknesses : CWE-79

========================================================
+ CERT-RENATER       | tel   : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax   : 01-53-94-20-41           +
+ 75013 Paris        | email : cert@support.renater.fr  +
========================================================
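Added example, not part of the CERT-Renater note or of the rails-html-sanitizer project: a Ruby audit script that checks the gem versions pinned in a Gemfile.lock against the version ranges stated in the three advisories detailed above (CVE-2022-23517; CVE-2022-23520 and its "select" plus "style" precondition; CVE-2022-23518 and its Loofah >= 2.1.0 precondition), and flags a global allowed-tags override that contains both "select" and "style". The Gemfile.lock excerpt and the tag list are constructed sample input, and every helper name (locked_versions, in_range?, vulnerable_cves, risky_allowed_tags?, apply_workaround) is this example's own. GHSA-9h9g-93gc-623h appears only in the source list of the note, without details, so it is not modelled.

```ruby
# Added example (not from the CERT-Renater note or the rails-html-sanitizer
# project): audit a Gemfile.lock and an allowed-tags override against the
# advisories above. Version bounds are the ones the advisories state; the
# lockfile text and the tag list are constructed sample input. All helper
# names are this example's own.
require "rubygems" # Gem::Version and Gem::Requirement from the standard library

# Parse the exact-version lines of a Gemfile.lock ("    name (x.y.z)", four
# leading spaces). Dependency constraint lines are indented six spaces and
# carry operators such as "~>", so they are skipped.
def locked_versions(lockfile_text)
  lockfile_text.each_line.each_with_object({}) do |line, acc|
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    acc[m[1]] = Gem::Version.new(m[2]) if m
  end
end

# True when +name+ is locked and its version satisfies every requirement given.
def in_range?(versions, name, *requirements)
  v = versions[name]
  !v.nil? && Gem::Requirement.new(*requirements).satisfied_by?(v)
end

# One entry per advisory detailed on this page. GHSA-9h9g-93gc-623h is only
# listed as a source, without details, so it is not modelled here.
ADVISORIES = [
  { cve: "CVE-2022-23517", ghsa: "GHSA-5x79-w82f-gw8w",
    note: "ReDoS while sanitizing certain SVG attributes",
    affected: ->(v) { in_range?(v, "rails-html-sanitizer", "< 1.4.4") } },
  { cve: "CVE-2022-23520", ghsa: "GHSA-rrfc-7g8p-99q8",
    note: "XSS when the allowed-tags override contains both select and style",
    affected: ->(v) { in_range?(v, "rails-html-sanitizer", "< 1.4.4") } },
  { cve: "CVE-2022-23518", ghsa: "GHSA-mcvf-2q2m-x72m",
    note: "XSS via data URIs; requires Loofah >= 2.1.0 alongside",
    affected: lambda { |v|
      in_range?(v, "rails-html-sanitizer", ">= 1.0.3", "< 1.4.4") &&
        in_range?(v, "loofah", ">= 2.1.0")
    } },
].freeze

# CVE ids whose affected predicate matches the locked versions, in page order.
def vulnerable_cves(versions)
  ADVISORIES.select { |a| a[:affected].call(versions) }.map { |a| a[:cve] }
end

# CVE-2022-23520 only applies when BOTH tags are allowed through a global
# override (config.action_view.sanitized_allowed_tags= or
# Rails::Html::SafeListSanitizer.allowed_tags=); the per-call :tags option
# is not affected, so this check is meant for those two settings.
RISKY_PAIR = %w[select style].freeze

def risky_allowed_tags?(tags)
  (RISKY_PAIR - tags.map(&:to_s)).empty?
end

# Advisory workaround: remove either tag. "style" is the one dropped here.
def apply_workaround(tags)
  tags.reject { |t| t.to_s == "style" }
end

# Constructed Gemfile.lock excerpt: one release before the fix, with a Loofah
# that satisfies the CVE-2022-23518 precondition.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      loofah (2.19.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      rails-html-sanitizer (1.4.3)
        loofah (~> 2.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  versions = locked_versions(SAMPLE_LOCK)
  puts "locked: " + versions.map { |n, v| "#{n} #{v}" }.join(", ")
  vulnerable_cves(versions).each do |cve|
    adv = ADVISORIES.find { |a| a[:cve] == cve }
    puts "AFFECTED #{cve} (#{adv[:ghsa]}): #{adv[:note]} -> upgrade to >= 1.4.4"
  end
  tags = %w[select style p] # constructed global override
  if risky_allowed_tags?(tags)
    puts "allowed-tags override #{tags.inspect} is risky; " \
         "workaround: #{apply_workaround(tags).inspect}"
  end
end
```

Point locked_versions at a real Gemfile.lock (File.read) to audit an application; the Loofah condition is evaluated only for CVE-2022-23518, which is why a lockfile with rails-html-sanitizer 1.4.3 and an old Loofah reports two advisories rather than three.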