-
-
Notifications
You must be signed in to change notification settings - Fork 217
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
432e641
commit c6c0993
Showing
2 changed files
with
127 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,78 @@ | ||
--- | ||
gem: actionview | ||
framework: rails | ||
cve: 2023-23913 | ||
url: https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468 | ||
title: DOM Based Cross-site Scripting in rails-ujs for | ||
contenteditable HTML Elements | ||
date: 2023-03-13 | ||
description: | | ||
NOTE: rails-ujs is part of Rails/actionview since 5.1.0. | ||
There is a potential DOM based cross-site scripting issue in rails-ujs | ||
which leverages the Clipboard API to target HTML elements that are | ||
assigned the contenteditable attribute. This has the potential to | ||
occur when pasting malicious HTML content from the clipboard that | ||
includes a data-method, data-remote or data-disable-with attribute. | ||
This vulnerability has been assigned the CVE identifier CVE-2023-23913. | ||
Not affected: < 5.1.0 | ||
Versions Affected: >= 5.1.0 | ||
Fixed Versions: 6.1.7.3, 7.0.4.3 | ||
Impact | ||
If the specified malicious HTML clipboard content is provided to a | ||
contenteditable element, this could result in the arbitrary execution | ||
of javascript on the origin in question. | ||
Releases | ||
The FIXED releases are available at the normal locations. | ||
Workarounds | ||
We recommend that all users upgrade to one of the FIXED versions. | ||
In the meantime, users can attempt to mitigate this vulnerability | ||
by removing the contenteditable attribute from elements in pages | ||
that rails-ujs will interact with. | ||
Patches | ||
To aid users who aren’t able to upgrade immediately we have provided | ||
patches for the two supported release series. They are in git-am | ||
format and consist of a single changeset. | ||
* rails-ujs-data-method-contenteditable-6-1.patch - Patch for 6.1 series | ||
* rails-ujs-data-method-contenteditable-7-0.patch - Patch for 7.0 series | ||
Please note that only the 7.0.Z and 6.1.Z series are | ||
supported at present, and 6.0.Z for severe vulnerabilities. | ||
Users of earlier unsupported releases are advised to upgrade as | ||
soon as possible as we cannot guarantee the continued availability | ||
of security fixes for unsupported releases. | ||
Credits | ||
We would like to thank ryotak 15 for reporting this! | ||
* rails-ujs-data-method-contenteditable-6-1.patch (8.5 KB) | ||
* rails-ujs-data-method-contenteditable-7-0.patch (8.5 KB) | ||
* rails-ujs-data-method-contenteditable-main.patch (8.9 KB) | ||
cvss_v3: 7.5 | ||
unaffected_versions: | ||
- "< 5.1.0" | ||
patched_versions: | ||
- "~> 6.1.7.3" | ||
- ">= 7.0.4.3" | ||
related: | ||
url: | ||
- https://discuss.rubyonrails.org/t/cve-2023-23913-dom-based-cross-site-scripting-in-rails-ujs-for-contenteditable-html-elements/82468 | ||
- https://www.cve.org/CVERecord?id=CVE-2023-23913 | ||
- https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=aa67066c383f12dee5aee964667de4d8 | ||
- https://access.redhat.com/security/cve/cve-2023-23913 | ||
- https://bugzilla.redhat.com/show_bug.cgi?id=2182160 | ||
- https://security.snyk.io/vuln/SNYK-RUBY-RAILS-5291540 | ||
- https://www.suse.com/security/cve/CVE-2023-23913.html | ||
- https://security-tracker.debian.org/tracker/CVE-2023-23913 | ||
- https://www.mend.io/vulnerability-database/CVE-2023-23913 | ||
- https://github.com/jasnow/gsd-database/blob/main/2023/23xxx/GSD-2023-23913.json | ||
notes: "CVE has been reserved, but not filled out." |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
--- | ||
gem: kredis | ||
framework: rails | ||
cve: 2023-27531 | ||
url: https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467#post_1 | ||
title: Possible Deserialization of Untrusted Data Vulnerability in Kredis JSON | ||
date: 2023-03-13 | ||
description: | | ||
There is a deserialization of untrusted data vulnerability in | ||
the Kredis JSON deserialization code. This vulnerability has | ||
been assigned the CVE identifier CVE-2023-27531. | ||
'Not affected: None.' | ||
'Versions Affected: All.' | ||
'Fixed Versions: 1.3.0.1' | ||
Impact | ||
Carefully crafted JSON data processed by Kredis may result in | ||
deserialization of untrusted data, potentially leading to | ||
deserialization of unexpected objects in the system. | ||
Any applications using Kredis with JSON are affected. | ||
Releases | ||
The fixed releases are available at the normal locations. | ||
Workarounds | ||
There are no feasible workarounds for this issue. | ||
Patches | ||
To aid users who aren’t able to upgrade immediately we have | ||
provided patches for the two supported release series. They | ||
are in git-am format and consist of a single changeset. | ||
* 1-3-0-1-kredis.patch - Patch for 1.3.0 series | ||
Credits | ||
Thank you ooooooo_k 7 for reporting this! | ||
patched_versions: | ||
- ">= 1.3.0.1" | ||
related: | ||
url: | ||
- https://discuss.rubyonrails.org/t/cve-2023-27531-possible-deserialization-of-untrusted-data-vulnerability-in-kredis-json/82467#post_1 | ||
- https://github.com/rails/kredis/releases/tag/v1.3.0.1 | ||
- https://my.diffend.io/gems/kredis/1.3.0/1.3.0.1 | ||
- https://cve.report/CVE-2023-27531 | ||
- https://github.com/jasnow/gsd-database/blob/main/2023/27xxx/GSD-2023-27531.json | ||
notes: "CVE has be reserved, but not filled in." |