
CVE-2018-16468 - Loofah XSS Vulnerability #154

Closed
flavorjones opened this Issue Oct 27, 2018 · 2 comments


flavorjones commented Oct 27, 2018

CVE-2018-16468 - Loofah XSS Vulnerability

This issue has been created for public disclosure of an XSS vulnerability that was responsibly reported (independently) by Shubham Pathak and @yasinS (Yasin Soliman).

I'd like to thank HackerOne for providing a secure, responsible mechanism for reporting, and for providing their fantastic service to the Loofah maintainers.

Severity

Loofah maintainers have evaluated this as Medium (CVSS3 6.4).

Description

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected Versions

Loofah < v2.2.3.

Mitigation

Upgrade to Loofah v2.2.3.

References

History of this public disclosure

2018-10-27: disclosure created, all information is embargoed
2018-10-30: embargo ends, full information made available
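The advisory above describes the bug only as unsanitized JavaScript surviving in sanitized output when a crafted SVG element is republished, and the fix commit referenced below removes the SVG animate attribute `from` from the allowlist. The following is an added example, not Loofah's code, showing what that kind of allowlist change does: a minimal element/attribute allowlist scrubber built on Ruby's stdlib REXML (an XML-only stand-in for the Nokogiri HTML parser Loofah uses), with a hypothetical "before" allowlist that permits `from` on `<animate>` and an "after" allowlist identical except for that one entry. The allowlists are tiny illustrative subsets, not Loofah's real lists, and the sample markup and its `untrusted-value` placeholder are constructed for the example.

```ruby
# Added example, not Loofah's code: a minimal allowlist scrubber showing the
# effect of dropping the SVG <animate> `from` attribute from the allowlist.
require "rexml/document"

# Hypothetical pre-fix allowlist (illustrative subset, not Loofah's real list):
# element name => attribute names permitted on it. Note `from` on <animate>.
ALLOWED_ATTRIBUTES_BEFORE = {
  "svg"     => %w[width height viewBox],
  "a"       => %w[href],
  "animate" => %w[attributeName dur from],
}.freeze

# Hypothetical post-fix allowlist: identical except that `from` is gone.
ALLOWED_ATTRIBUTES_AFTER = ALLOWED_ATTRIBUTES_BEFORE.merge(
  "animate" => ALLOWED_ATTRIBUTES_BEFORE["animate"] - ["from"]
).freeze

# Constructed sample: an <animate> carrying a `from` attribute whose value the
# sanitizer cannot vouch for. The value is a placeholder, not a payload.
SAMPLE_SVG = '<svg width="10" height="10">' \
             '<animate attributeName="href" from="untrusted-value" dur="1s"/>' \
             '</svg>'

# Scrub a well-formed XML fragment against an allowlist and return the result.
# Elements not in the allowlist are removed with their subtree; attributes not
# permitted for their element are dropped. Returns "" if the root is not allowed.
def scrub(markup, allowlist)
  root = REXML::Document.new(markup).root
  return "" if root.nil? || !allowlist.key?(root.name)
  scrub_element(root, allowlist)
  root.to_s
end

def scrub_element(el, allowlist)
  # Copy the child list first: removing children while iterating is unsafe.
  el.elements.to_a.each do |child|
    if allowlist.key?(child.name)
      scrub_element(child, allowlist)
    else
      child.remove
    end
  end

  permitted = allowlist.fetch(el.name)
  names = []
  el.attributes.each_attribute { |attr| names << attr.expanded_name }
  names.each { |name| el.delete_attribute(name) unless permitted.include?(name) }
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{scrub(SAMPLE_SVG, ALLOWED_ATTRIBUTES_BEFORE)}"
  puts "after fix:  #{scrub(SAMPLE_SVG, ALLOWED_ATTRIBUTES_AFTER)}"
end
```

Run it directly to see the two outputs side by side: with the "before" list the `from` attribute survives sanitization unchanged, with the "after" list it is stripped while `attributeName` and `dur` are kept. This is the general shape of an allowlist-based sanitizer fix: nothing about the parser changes, only which attribute names are allowed to pass through, which is why the downstream commits on this page could treat the upgrade as a pure dependency bump.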

@flavorjones flavorjones changed the title from placeholder - security vulnerability to placeholder - embargoed security vulnerability Oct 28, 2018


flavorjones commented Oct 30, 2018

This vulnerability has been assigned CVE-2018-16468.

flavorjones added a commit that referenced this issue Oct 30, 2018

remove the svg animate attribute `from` from the allowlist
this addresses CVE-2018-16468

see #154 for more information


flavorjones commented Oct 30, 2018

This issue has been updated with full unembargoed information.

@flavorjones flavorjones changed the title from placeholder - embargoed security vulnerability to CVE-2018-16468 - Loofah XSS Vulnerability Oct 30, 2018


albertoalmagro added a commit to albertoalmagro/rails that referenced this issue Oct 30, 2018

floehopper added a commit to Crown-Commercial-Service/crown-marketplace that referenced this issue Oct 30, 2018

threedaymonk added a commit to Crown-Commercial-Service/crown-marketplace that referenced this issue Oct 30, 2018

chrishunt added a commit to codecation/trailmix that referenced this issue Oct 30, 2018

Update loofah gem
Fixes CVE-2018-16468:

flavorjones/loofah#154

danbernier added a commit to tedconf/crushinator_helpers that referenced this issue Oct 30, 2018

va-bot added a commit to department-of-veterans-affairs/caseflow that referenced this issue Oct 31, 2018

ignoring CVE-2018-1000201 until rails fixes it (#7627)
ruby advisory fails on

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3
```

Once rails/rails-html-sanitizer#73 is merged, we can remove this exception.

kaspergrubbe added a commit to kaspergrubbe/rails-html-sanitizer that referenced this issue Oct 31, 2018

annaswims added a commit to department-of-veterans-affairs/vets-api that referenced this issue Oct 31, 2018

update loofah gem to address CVE
CVE-2018-16468 - Loofah XSS Vulnerability

flavorjones/loofah#154

@annaswims annaswims referenced this issue Oct 31, 2018

Merged

Update loofah gem to address CVE #2409


dylanpinn added a commit to dylanpinn/rails-html-sanitizer that referenced this issue Oct 31, 2018

Bump loofah dependency
Fixes exploit CVE-2018-16468 - Loofah XSS Vulnerability

Issue: flavorjones/loofah#154

robbkidd added a commit to chef/supermarket that referenced this issue Oct 31, 2018

upgrade loofah to quiet bundle-audit
loofah < 2.2.3 has a cross-site scripting vulnerability reported.[1]

[1] flavorjones/loofah#154

Supermarket is not vulnerable to this. The library is being updated out
of an abundance of caution and to appease the vulnerability scanner.

Signed-off-by: Robb Kidd <rkidd@chef.io>

dLobatog added a commit to dLobatog/rails-html-sanitizer that referenced this issue Nov 5, 2018

Update Loofah for CVE-2018-16468
According to flavorjones/loofah#154 the change
is minimal, just removing the 'from' attribute from the HTML5 Loofah whitelist 
fixes the CVE, so I don't think there should be any change in this gem 
aside from this update.

@perobertson perobertson referenced this issue Nov 5, 2018

Merged

bump loofah #1

csexton added a commit to csexton/corporate-tool that referenced this issue Nov 5, 2018

Update loofah
> CVE-2018-16468
>
> In the Loofah gem for Ruby, through version 2.2.2, unsanitized
> JavaScript may occur in sanitized output when a crafted SVG element is
> republished. Users are advised to upgrade to version 2.2.3.
>
> See flavorjones/loofah#154 for more details.

@csexton csexton referenced this issue Nov 5, 2018

Merged

Update loofah #13

kronn added a commit to hitobito/hitobito that referenced this issue Nov 6, 2018

olivierlacan added a commit to orientation/orientation that referenced this issue Nov 6, 2018

tessi added a commit to bitcrowd/rails-monitoring that referenced this issue Nov 6, 2018

security update: Loofah 2.2.2 -> 2.2.3
see: flavorjones/loofah#154

Loofah is a gem to provide XML/HTML sanitization (through nokogiri).
In version 2.2.3 they fixed an issue where unsanitized JavaScript may
occur in sanitized output when a crafted SVG element is republished.

janissbinder added a commit to hitobito/hitobito that referenced this issue Nov 7, 2018

Vulnerable Gem updates
* Update Loofah to mitigate CVE-2018-16468 (See flavorjones/loofah#154 for details)

* Update rake to mitigate CVE-2018-16471

* Update locked gems

@pooza pooza referenced this issue Nov 8, 2018

Closed

CVE-2018-16468 #112

buren added a commit to buren/ghost_blazer that referenced this issue Nov 9, 2018

arsley added a commit to kinc-shinshu/smaT-api that referenced this issue Nov 12, 2018

antw added a commit to quintel/etmodel that referenced this issue Nov 12, 2018

IsaacDurand added a commit to IsaacDurand/dinder that referenced this issue Nov 12, 2018

matt-hh added a commit to produktgenuss/administrate that referenced this issue Nov 13, 2018

Update gems
- Fix some vulnerabilities

```
Name: loofah
Version: 2.2.2
Advisory: CVE-2018-16468
Criticality: Unknown
URL: flavorjones/loofah#154
Title: Loofah XSS Vulnerability
Solution: upgrade to >= 2.2.3

Name: nokogiri
Version: 1.8.4
Advisory: CVE-2018-14404
Criticality: Unknown
URL: sparklemotion/nokogiri#1785
Title: Nokogiri gem, via libxml2, is affected by multiple vulnerabilities
Solution: upgrade to >= 1.8.5

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16470
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk
Title: Possible DoS vulnerability in Rack
Solution: upgrade to >= 2.0.6

Name: rack
Version: 2.0.5
Advisory: CVE-2018-16471
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
Title: Possible XSS vulnerability in Rack
Solution: upgrade to ~> 1.6.11, >= 2.0.6
```

- Fix factory_bot issues
- Closes thoughtbot#1225
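Several of the commits above paste bundler-audit's plain-text advisory records and then act on the "Solution" line by hand. As an added example (not bundler-audit's or Loofah's code), here is a small parser for that record format that turns each "Solution: upgrade to ..." line into Gem::Requirement objects and decides whether a given installed version is on a patched branch. It uses only Ruby's stdlib; the sample input is constructed from the loofah and rack records quoted above, and the `vulnerable_advisories` / `fixed?` helpers are hypothetical names introduced here.

```ruby
# Added example, not bundler-audit's code: parse its text output and check
# installed versions against the patched requirements in each Solution line.
require "rubygems"

# Sample input constructed from the bundler-audit output quoted above.
AUDIT_OUTPUT = <<~TEXT
  Name: loofah
  Version: 2.2.2
  Advisory: CVE-2018-16468
  Criticality: Unknown
  URL: flavorjones/loofah#154
  Title: Loofah XSS Vulnerability
  Solution: upgrade to >= 2.2.3

  Name: rack
  Version: 2.0.5
  Advisory: CVE-2018-16471
  Criticality: Unknown
  URL: https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
  Title: Possible XSS vulnerability in Rack
  Solution: upgrade to ~> 1.6.11, >= 2.0.6
TEXT

Advisory = Struct.new(:name, :version, :id, :url, :title, :patched, keyword_init: true)

# "upgrade to ~> 1.6.11, >= 2.0.6" -> [Gem::Requirement("~> 1.6.11"), Gem::Requirement(">= 2.0.6")].
# Each comma-separated branch is an independent patched range. A missing or
# unparsable Solution yields an empty list, so nothing counts as fixed.
def parse_patched(solution)
  spec = solution.to_s.sub(/\Aupgrade to\s*/i, "")
  spec.split(",").map(&:strip).reject(&:empty?).map { |r| Gem::Requirement.new(r) }
end

# Records are separated by blank lines; each record is "Key: value" lines.
# Only the first colon splits, so URLs with "://" survive intact.
def parse_audit(text)
  text.split(/\n\s*\n/).map do |block|
    fields = block.lines.each_with_object({}) do |line, h|
      key, value = line.split(":", 2)
      next if value.nil?
      h[key.strip] = value.strip
    end
    next unless fields["Name"] && fields["Advisory"]
    Advisory.new(
      name:    fields["Name"],
      version: Gem::Version.new(fields["Version"]),
      id:      fields["Advisory"],
      url:     fields["URL"],
      title:   fields["Title"],
      patched: parse_patched(fields["Solution"]),
    )
  end.compact
end

# A version is fixed if it falls inside any one patched branch.
def fixed?(advisory, version)
  v = Gem::Version.new(version.to_s)
  advisory.patched.any? { |req| req.satisfied_by?(v) }
end

# Given {gem name => installed version string}, return the advisories that
# still apply. Gems not present in `installed` are ignored.
def vulnerable_advisories(text, installed)
  parse_audit(text).select do |adv|
    installed.key?(adv.name) && !fixed?(adv, installed[adv.name])
  end
end

if __FILE__ == $PROGRAM_NAME
  installed = { "loofah" => "2.2.3", "rack" => "2.0.5" }
  vulnerable_advisories(AUDIT_OUTPUT, installed).each do |adv|
    puts "#{adv.name} #{installed[adv.name]}: #{adv.id} still applies (#{adv.title})"
  end
end
```

The multi-branch rack line is the case worth getting right: `~> 1.6.11` covers 1.6.11 up to but not including 1.7, so 1.6.12 is fixed while 1.7.0 is not, and neither branch says anything about the other. Treating the Solution as a single ">=" check, as a quick manual reading might, would misjudge exactly those in-between versions.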

anthonycrumley added a commit to anthonycrumley/network that referenced this issue Nov 14, 2018

ramontayag added a commit to bloom-solutions/crypto-cold-store that referenced this issue Nov 15, 2018
