Skip to content

Add CVE-2022-32209 #506

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Jun 30, 2022
Merged

Add CVE-2022-32209 #506

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
067529c
Add CVE-2022-32209
sudoremo Jun 13, 2022
6d083b5
Merge branch 'master' of github.com:sudoremo/ruby-advisory-db
sudoremo Jun 30, 2022
34ce214
Add CVE-2022-32209 (fix patched_versions)
sudoremo Jun 30, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
67 changes: 67 additions & 0 deletions gems/rails-html-sanitizer/CVE-2022-32209.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
---
gem: rails-html-sanitizer
cve: 2022-32209
url: https://groups.google.com/g/rubyonrails-security/c/ce9PhUANQ6s
title: Possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer
date: 2022-06-10
description: |
There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
This vulnerability has been assigned the CVE identifier CVE-2022-32209.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3

## Impact

A possible XSS vulnerability with certain configurations of
Rails::Html::Sanitizer may allow an attacker to inject content if the
application developer has overridden the sanitizer's allowed tags to allow
both `select` and `style` elements.

Code is only impacted if allowed tags are being overridden. This may be done via application configuration:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```
<%= sanitize @comment.body, tags: ["select", "style"] %>
```

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

Or it may be done with Rails::Html::SafeListSanitizer directly:

```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```

or

```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```

All users overriding the allowed tags by any of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.

## Releases

The FIXED releases are available at the normal locations.

## Workarounds

Remove either `select` or `style` from the overridden allowed tags.

## Credits

This vulnerability was responsibly reported by [windshock](https://hackerone.com/windshock?type=user).
patched_versions:
- '>= 1.4.3'