-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
CVE-2023-28120.yml
30 lines (23 loc) · 1.24 KB
/
CVE-2023-28120.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
---
gem: activesupport
framework: rails
cve: 2023-28120
ghsa: pj73-v5mw-pm9j
url: https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
title: Possible XSS Security Vulnerability in SafeBuffer#bytesplice
date: 2023-03-13
description: |
There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.
This vulnerability has been assigned the CVE identifier CVE-2023-28120.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3
# Impact
ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized.
When these strings are mutated, the tag is should be removed to mark them as no longer being html_safe.
Ruby 3.2 introduced a new bytesplice method which ActiveSupport did not yet understand to be a mutation.
Users on older versions of Ruby are likely unaffected.
All users running an affected release and using bytesplice should either upgrade or use one of the workarounds immediately.
# Workarounds
Avoid calling bytesplice on a SafeBuffer (html_safe) string with untrusted user input.
patched_versions:
- "~> 6.1.7, >= 6.1.7.3"
- ">= 7.0.4.3"