CVE-2022-23519
MEDIUM6.1EPSS 0.17%Possible XSS vulnerability with certain configurations of rails-html-sanitizer
描述
## Summary There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. - Versions affected: ALL - Not affected: NONE - Fixed versions: 1.4.4 ## Impact A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: - allow both "math" and "style" elements, - or allow both "svg" and "style" elements Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways: 1. using application configuration: ```ruby # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] ``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view 2. using a `:tags` option to the Action View helper `sanitize`: ``` <%= sanitize @comment.body, tags: ["math", "style"] %> <%# or %> <%= sanitize @comment.body, tags: ["svg", "style"] %> ``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize 3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`: ```ruby # class-level option Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"] # or Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"] ``` 4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`: ```ruby # instance-level option Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"]) # or Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"]) ``` All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately. ## Workarounds Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags. ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - https://hackerone.com/reports/1656627 ## Credit This vulnerability was responsibly reported by Dominic Breuker.
受影響套件(2)
- Debian/ruby-rails-html-sanitizerfrom 0, < 1.3.0-1+deb11u1
- RubyGems/rails-html-sanitizerfrom 0, < 1.4.4
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-23519
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2022-23519
- PATCHhttps://github.com/rails/rails-html-sanitizer
- WEBhttps://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
- WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml
- WEBhttps://hackerone.com/reports/1656627
- WEBhttps://lists.debian.org/debian-lts-announce/2023/09/msg00012.html
- WEBhttps://lists.debian.org/debian-lts-announce/2024/09/msg00045.html