
CVE-2018-16468 - Loofah XSS Vulnerability #154

Closed
flavorjones opened this issue Oct 27, 2018 · 2 comments
@flavorjones flavorjones commented Oct 27, 2018

CVE-2018-16468 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by Shubham Pathak and @yasinS (Yasin Soliman).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

Severity

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

Description

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah < v2.2.3.

Mitigation

Upgrade to Loofah v2.2.3.

References

History of this public disclosure

2018-10-27: disclosure created, all information is embargoed
2018-10-30: embargo ends, full information made available
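As an added example (not Loofah's code and not part of this issue), a small Ruby check that reads a Gemfile.lock and reports whether the pinned loofah falls in the affected range stated above (< 2.2.3, fixed in 2.2.3); the two lockfiles in the block are constructed samples, not taken from any real project.

```ruby
# Added example (not Loofah's own code): report whether the loofah pinned in a
# Gemfile.lock falls in the range affected by CVE-2018-16468 (loofah < 2.2.3).
require "rubygems"
AFFECTED = Gem::Requirement.new("< 2.2.3") # Affected Versions: Loofah < v2.2.3
FIXED_VERSION = Gem::Version.new("2.2.3")  # Mitigation: upgrade to Loofah v2.2.3

# Parse the "specs:" block of a Gemfile.lock into { gem_name => Gem::Version }.
# Pinned gems sit at four spaces ("    loofah (2.2.2)"); their dependency lines
# sit at six spaces and carry requirements, not versions, so they are skipped.
def lockfile_specs(lockfile_text)
  specs = {}
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /^\s+specs:\s*$/
      in_specs = true
      next
    end
    # A blank line or a new top-level section (PLATFORMS, DEPENDENCIES) ends the block.
    in_specs = false if in_specs && (line.strip.empty? || line !~ /^\s/)
    next unless in_specs
    if (m = line.match(/^    (\S+) \(([^)]+)\)\s*$/))
      # Drop a platform suffix such as "-x86_64-linux" before building the version.
      specs[m[1]] = Gem::Version.new(m[2].split("-").first)
    end
  end
  specs
end

# Report on the loofah gem in a lockfile, or nil when the lockfile does not pin it.
def check_loofah(lockfile_text)
  version = lockfile_specs(lockfile_text)["loofah"]
  return nil unless version
  {
    version: version.to_s,
    vulnerable: AFFECTED.satisfied_by?(version),
    solution: "upgrade to >= #{FIXED_VERSION}",
  }
end

# Constructed sample lockfiles (not taken from any real project).
VULNERABLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.2)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.8.4)

  PLATFORMS
    ruby
LOCK
PATCHED_LOCK = VULNERABLE_LOCK.sub("loofah (2.2.2)", "loofah (2.2.3)")

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_LOCK, PATCHED_LOCK].each do |lock|
    r = check_loofah(lock)
    status = r[:vulnerable] ? "affected by CVE-2018-16468, #{r[:solution]}" : "not affected"
    puts "loofah #{r[:version]}: #{status}"
  end
end
```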

@flavorjones flavorjones changed the title placeholder - security vulnerability placeholder - embargoed security vulnerability Oct 28, 2018
@flavorjones flavorjones commented Oct 30, 2018

This vulnerability has been assigned CVE-2018-16468.

flavorjones added a commit that referenced this issue Oct 30, 2018
@flavorjones flavorjones commented Oct 30, 2018

This issue has been updated with full unembargoed information.

@flavorjones flavorjones changed the title placeholder - embargoed security vulnerability CVE-2018-16468 - Loofah XSS Vulnerability Oct 30, 2018
flavorjones added a commit that referenced this issue Oct 30, 2018
albertoalmagro added a commit to albertoalmagro/rails that referenced this issue Oct 30, 2018
floehopper added a commit to Crown-Commercial-Service/crown-marketplace that referenced this issue Oct 30, 2018
chrishunt pushed a commit to codecation/trailmix that referenced this issue Oct 30, 2018
danbernier added a commit to tedconf/crushinator_helpers that referenced this issue Oct 30, 2018
va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Oct 31, 2018
ruby advisory fails on

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3
```

Once rails/rails-html-sanitizer#73 is merged, we can remove this exception.
kaspergrubbe added a commit to kaspergrubbe/rails-html-sanitizer that referenced this issue Oct 31, 2018
More info at flavorjones/loofah#154
annaswims added a commit to department-of-veterans-affairs/vets-api that referenced this issue Oct 31, 2018
CVE-2018-16468 - Loofah XSS Vulnerability

flavorjones/loofah#154
robbkidd added a commit to chef/supermarket that referenced this issue Oct 31, 2018
loofah < 2.2.3 has a cross-site scripting vulnerability reported.[1]

[1] flavorjones/loofah#154

Supermarket is not vulnerable to this. The library is being updated out
of an abundance of caution and to appease the vulnerability scanner.

Signed-off-by: Robb Kidd <rkidd@chef.io>
arsley added a commit to kinc-shinshu/smaT-api that referenced this issue Nov 12, 2018
antw added a commit to quintel/etmodel that referenced this issue Nov 12, 2018
IsaacDurand added a commit to IsaacDurand/dinder that referenced this issue Nov 12, 2018
matt-hh added a commit to produktgenuss/administrate that referenced this issue Nov 13, 2018
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes thoughtbot#1225
anthonycrumley added a commit to anthonycrumley/network that referenced this issue Nov 14, 2018
ramontayag added a commit to bloom-solutions/crypto-cold-store that referenced this issue Nov 15, 2018
antw added a commit to quintel/etmodel that referenced this issue Nov 20, 2018
antw added a commit to quintel/etengine that referenced this issue Nov 20, 2018
antw added a commit to quintel/etengine that referenced this issue Nov 20, 2018
csexton added a commit to Terrastories/terrastories that referenced this issue Nov 20, 2018
There was one CVE filed against the loofah gem; this bumps the version
from 1.8.4 to 1.8.5

[CVE-2018-16468][1]

> moderate severity
> Vulnerable versions: < 2.2.3
> Patched version: 2.2.3
>
> In the Loofah gem for Ruby, through version 2.2.2, unsanitized
> JavaScript may occur in sanitized output when a crafted SVG element is
> republished. Users are advised to upgrade to version 2.2.3.

See flavorjones/loofah#154 for more details.

[1]: https://nvd.nist.gov/vuln/detail/CVE-2018-16468
composerinteralia added a commit to thoughtbot/administrate that referenced this issue Nov 28, 2018
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes #1225
gabebw added a commit to hotline-webring/hotline-webring that referenced this issue Dec 12, 2018
The vulnerability message is below. In order to upgrade activejob, I had
to upgrade Rails to version 5.1.6.1, which touched quite a few other
gems.

    Name: activejob
    Version: 5.1.4
    Advisory: CVE-2018-16476
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
    Title: Broken Access Control vulnerability in Active Job
    Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, >= 5.2.1.1

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3

    Name: loofah
    Version: 2.1.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: flavorjones/loofah#144
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.1

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-14404
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1785
    Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
    Solution: upgrade to >= 1.8.5

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2017-15412
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1714
    Title: Nokogiri gem, via libxml, is affected by DoS vulnerabilities
    Solution: upgrade to >= 1.8.2

    Name: nokogiri
    Version: 1.8.1
    Advisory: CVE-2018-8048
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1746
    Title: Revert libxml2 behavior in Nokogiri gem that could cause XSS
    Solution: upgrade to >= 1.8.3

    Name: rack
    Version: 2.0.3
    Advisory: CVE-2018-16471
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
    Title: Possible XSS vulnerability in Rack
    Solution: upgrade to ~> 1.6.11, >= 2.0.6

    Name: rails-html-sanitizer
    Version: 1.0.3
    Advisory: CVE-2018-3741
    Criticality: Unknown
    URL: https://groups.google.com/d/msg/rubyonrails-security/tP7W3kLc5u4/uDy2Br7xBgAJ
    Title: XSS vulnerability in rails-html-sanitizer
    Solution: upgrade to >= 1.0.4

    Name: sprockets
    Version: 3.7.1
    Advisory: CVE-2018-3760
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k
    Title: Path Traversal in Sprockets
    Solution: upgrade to < 3.0.0, >= 2.12.5, < 4.0.0, >= 3.7.2, >= 4.0.0.beta8
gabebw added a commit to hotline-webring/hotline-webring that referenced this issue Dec 12, 2018
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue May 19, 2019
www/ruby-loofah: security update

Revisions pulled up:
- www/ruby-loofah/Makefile                                      1.5
- www/ruby-loofah/PLIST                                         1.4
- www/ruby-loofah/distinfo                                      1.5

-------------------------------------------------------------------
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Thu Nov  1 16:11:45 UTC 2018

   Modified Files:
   	pkgsrc/www/ruby-loofah: Makefile PLIST distinfo

   Log Message:
   www/ruby-loofah: update to 2.2.3

   ## 2.2.3 / 2018-10-30

   ### Security

   Address CVE-2018-16468: Unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

   This CVE's public notice is at flavorjones/loofah#154

   ## Meta / 2018-10-27

   The mailing list is now on Google Groups [#146](flavorjones/loofah#146):

   * Mail: loofah-talk@googlegroups.com
   * Archive: https://groups.google.com/forum/#!forum/loofah-talk

   This change was made because librelist no longer appears to be maintained.


   To generate a diff of this commit:
   cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/ruby-loofah/Makefile \
       pkgsrc/www/ruby-loofah/distinfo
   cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/ruby-loofah/PLIST
azul pushed a commit to riseuplabs/crabgrass-core that referenced this issue May 29, 2019
```
loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3
```
alexdean added a commit to alexdean/focus_group that referenced this issue Jun 25, 2019
$ bundle exec bundle-audit check

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5419
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
Title: Denial of Service Vulnerability in Action View
Solution: upgrade to >= 6.0.0.beta3, >= 5.2.2.1, ~> 5.2.2, >= 5.1.6.2, ~> 5.1.6, >= 5.0.7.2, ~> 5.0.7, >= 4.2.11.1, ~> 4.2.11

Name: actionview
Version: 5.2.1
Advisory: CVE-2019-5418
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q
Title: File Content Disclosure in Action View
Solution: upgrade to >= 4.2.11.1, ~> 4.2.11, >= 5.0.7.2, ~> 5.0.7, >= 5.1.6.2, ~> 5.1.6, >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Name: activejob
Version: 5.2.1
Advisory: CVE-2018-16476
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/FL4dSdzr2zw
Title: Broken Access Control vulnerability in Active Job
Solution: upgrade to ~> 4.2.11, ~> 5.0.7.1, ~> 5.1.6.1, ~> 5.1.7, >= 5.2.1.1

Name: activestorage
Version: 5.2.1
Advisory: CVE-2018-16477
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/3KQRnXDIuLg
Title: Bypass vulnerability in Active Storage
Solution: upgrade to >= 5.2.1.1

Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2019-11068
Criticality: Unknown
URL: sparklemotion/nokogiri#1892
Title: Nokogiri gem, via libxslt, is affected by improper access control vulnerability
Solution: upgrade to >= 1.10.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6

Name: railties
Version: 5.2.1
Advisory: CVE-2019-5420
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/IsQKvDqZdKw
Title: Possible Remote Code Execution Exploit in Rails Development Mode
Solution: upgrade to >= 5.2.2.1, ~> 5.2.2, >= 6.0.0.beta3

Vulnerabilities found!
Koronen added a commit to swanson/stringer that referenced this issue Nov 3, 2019
As reported by `bundler-audit`:

    Name: loofah
    Version: 2.2.1
    Advisory: CVE-2018-16468
    Criticality: Unknown
    URL: flavorjones/loofah#154
    Title: Loofah XSS Vulnerability
    Solution: upgrade to >= 2.2.3
@flavorjones flavorjones mentioned this issue Nov 26, 2019
svqualitydev pushed a commit to svqualitydev/admin-cms that referenced this issue Dec 16, 2019
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Jan 14, 2020
MartinGantenbein added a commit to MartinGantenbein/hitobito that referenced this issue Mar 22, 2020
* Update Loofah to mitigate CVE-2018-16468 (See flavorjones/loofah#154 for details)

* Update rake to mitigate CVE-2018-16471

* Update locked gems
MartinGantenbein added a commit to MartinGantenbein/hitobito that referenced this issue Mar 22, 2020
netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue May 27, 2020