Source: ruby-rails-html-sanitizer
X-Debbugs-CC: t...@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerabilities were published for ruby-rails-html-sanitizer.

CVE-2022-23517[0]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Certain configurations of rails-html-sanitizer
| < 1.4.4 use an inefficient regular expression that is susceptible
| to excessive backtracking when attempting to sanitize certain SVG
| attributes. This may lead to a denial of service through CPU resource
| consumption. This issue has been patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
https://github.com/rails/rails-html-sanitizer/commit/56c61c0cebd1e493e8ad7bca2a0191609a4a6979

CVE-2022-23518[1]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to
| cross-site scripting via data URIs when used in combination with
| Loofah >= 2.1.0. This issue is patched in version 1.4.4.

https://github.com/rails/rails-html-sanitizer/issues/135
https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m

CVE-2022-23519[2]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| may allow an attacker to inject content if the application developer
| has overridden the sanitizer's allowed tags in either of the following
| ways: allow both "math" and "style" elements, or allow both "svg" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is fixed in version 1.4.4. All users
| overriding the allowed tags to include "math" or "svg" and "style"
| should either upgrade or use the following workaround immediately:
| Remove "style" from the overridden allowed tags, or remove "math" and
| "svg" from the overridden allowed tags.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h

CVE-2022-23520[3]:
| rails-html-sanitizer is responsible for sanitizing HTML fragments in
| Rails applications. Prior to version 1.4.4, there is a possible XSS
| vulnerability with certain configurations of Rails::Html::Sanitizer
| due to an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may
| allow an attacker to inject content if the application developer has
| overridden the sanitizer's allowed tags to allow both "select" and
| "style" elements. Code is only impacted if allowed tags are being
| overridden. This issue is patched in version 1.4.4. All users
| overriding the allowed tags to include both "select" and "style"
| should either upgrade or use this workaround: Remove either "select"
| or "style" from the overridden allowed tags. NOTE: Code is _not_
| impacted if allowed tags are overridden using either the :tags option
| to the Action View helper method sanitize or the :tags option to the
| instance method SafeListSanitizer#sanitize.

https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2022-23517
    https://www.cve.org/CVERecord?id=CVE-2022-23517
[1] https://security-tracker.debian.org/tracker/CVE-2022-23518
    https://www.cve.org/CVERecord?id=CVE-2022-23518
[2] https://security-tracker.debian.org/tracker/CVE-2022-23519
    https://www.cve.org/CVERecord?id=CVE-2022-23519
[3] https://security-tracker.debian.org/tracker/CVE-2022-23520
    https://www.cve.org/CVERecord?id=CVE-2022-23520

Please adjust the affected versions in the BTS as needed.
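The advisories for CVE-2022-23519 and CVE-2022-23520 make the impact depend on two things an operator can check without reproducing the XSS: whether the installed gem is older than 1.4.4, and whether the application overrides the class-level allow-list of Rails::Html::SafeListSanitizer so that "style" is allowed together with "math", "svg" or "select". The following Ruby script is an added example, not part of this bug report or of rails-html-sanitizer itself; it audits a constructed allow-list (standing in for what an app's initializer would have assigned) against exactly those combinations and against the fixed version, using only the Ruby standard library. The installed version string and the allow-list contents are assumed inputs; in a real deployment they would come from `Gem.loaded_specs` and from the application's configuration.

```ruby
# Added example (not from the Debian bug report or the rails-html-sanitizer
# project). Checks an application's overridden allow-list and gem version
# against the conditions stated in CVE-2022-23517..CVE-2022-23520.
require "rubygems"
require "set"

# Release that fixes all four CVEs, per the advisories quoted above.
FIXED_VERSION = Gem::Version.new("1.4.4")

# Tag combinations the advisories name as re-enabling XSS when both are
# present in an overridden class-level allow-list:
#   "math"+"style", "svg"+"style"  -> CVE-2022-23519
#   "select"+"style"               -> CVE-2022-23520
RISKY_PAIRS = {
  %w[math style]   => "CVE-2022-23519",
  %w[svg style]    => "CVE-2022-23519",
  %w[select style] => "CVE-2022-23520",
}.freeze

# Constructed sample: what an app might have set in an initializer via
# Rails::Html::SafeListSanitizer.allowed_tags += [...] (assumed, not real).
SAMPLE_ALLOWED_TAGS = %w[p a strong em svg style].freeze
SAMPLE_GEM_VERSION  = "1.4.3" # assumed installed version for the demo

# True when the installed rails-html-sanitizer predates the fixed release.
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# Returns the risky (tag_a, tag_b) pairs that are both present in +allowed_tags+.
def risky_tag_pairs(allowed_tags)
  tags = Set.new(allowed_tags.map { |t| t.to_s.downcase })
  RISKY_PAIRS.keys.select { |a, b| tags.include?(a) && tags.include?(b) }
end

# Produces human-readable findings. The tag-pair findings only matter on
# vulnerable versions; on >= 1.4.4 the advisories say no workaround is needed.
# NOTE (CVE-2022-23520): per-call :tags overrides are not affected; this audit
# targets the class-level allow-list only.
def audit(allowed_tags, gem_version)
  findings = []
  return findings unless vulnerable_version?(gem_version)

  findings << "rails-html-sanitizer #{gem_version} < 1.4.4: upgrade required " \
              "(CVE-2022-23517 ReDoS and CVE-2022-23518 data-URI XSS have no " \
              "allow-list workaround)"
  risky_tag_pairs(allowed_tags).each do |pair|
    findings << "#{RISKY_PAIRS[pair]}: allow-list contains both " \
                "\"#{pair[0]}\" and \"#{pair[1]}\"; remove one of them or upgrade"
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLE_ALLOWED_TAGS, SAMPLE_GEM_VERSION).each { |f| puts f }
end
```

Running it on the constructed sample reports the version finding and the "svg"+"style" pair; dropping "style" from the list, or raising the version to 1.4.4, clears the tag finding, which mirrors the workaround and the fix described in the advisories.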