Added CVE-2022-31160 for jquery-ui-rails (closes #747).

postmodern · postmodern · commit 23cb90ef0d54 · 2024-02-12T06:53:28.000-08:00
diff --git a/gems/jquery-ui-rails/CVE-2022-31160.yml b/gems/jquery-ui-rails/CVE-2022-31160.yml
@@ -0,0 +1,81 @@
+---
+gem: jquery-ui-rails
+cve: 2022-31160
+ghsa: h6gj-6jjq-h8g9
+url: https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+title:
+  jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like
+  initial text label
+date: 2022-07-15
+description: |
+  ### Impact
+  Initializing a checkboxradio widget on an input enclosed within a label makes
+  that parent label contents considered as the input label. If you call
+  `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained
+  encoded HTML entities, they will erroneously get decoded. This can lead to
+  potentially executing JavaScript code.
+
+  For example, starting with the following initial secure HTML:
+
+  ```html
+  <label>
+  	<input id="test-input">
+  	&lt;img src=x onerror="alert(1)"&gt;
+  </label>
+  ```
+
+  and calling:
+
+  ```javascript
+  $( "#test-input" ).checkboxradio();
+  $( "#test-input" ).checkboxradio( "refresh" );
+  ```
+
+  will turn the initial HTML into:
+
+  ```html
+  <label>
+  	<!-- some jQuery UI elements -->
+  	<input id="test-input">
+  	<img src=x onerror="alert(1)">
+  </label>
+  ```
+
+  and the alert will get executed.
+
+  ### Patches
+  The bug has been patched in jQuery UI 1.13.2.
+
+  ### Workarounds
+  To remediate the issue, if you can change the initial HTML, you can wrap all
+  the non-input contents of the `label` in a `span`:
+
+  ```html
+  <label>
+  	<input id="test-input">
+  	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
+  </label>
+  ```
+
+  ### References
+  https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
+
+  ### For more information
+  If you have any questions or comments about this advisory, search for a
+  relevant issue in [the jQuery UI repo](https://github.com/jquery/jquery-ui/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc).
+  If you don't find an answer, open a new issue.
+cvss_v3: 6.1
+patched_versions:
+  - ">= 7.0.0"
+related:
+  url:
+    - https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9
+    - https://nvd.nist.gov/vuln/detail/CVE-2022-31160
+    - https://github.com/advisories/GHSA-h6gj-6jjq-h8g9#:~:text=https%3A//nvd.nist,12/msg00015.html
+    - https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/
+    - https://www.drupal.org/sa-contrib-2022-052
+    - https://security.netapp.com/advisory/ntap-20220909-0007/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/
+    - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/
+    - https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html
