Bug 1036910 (CVE-2013-6415)
| Summary: | CVE-2013-6415 rubygem-actionpack: number_to_currency XSS | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Tomas Hoger <thoger> | ||||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||||
| Status: | CLOSED ERRATA | QA Contact: | |||||||
| Severity: | medium | Docs Contact: | |||||||
| Priority: | medium | ||||||||
| Version: | unspecified | CC: | aortega, apevec, athomas, ayoung, bdunne, bgollahe, bkearney, bleanhar, ccoleman, chrisw, cpelland, dmcphers, drieden, gkotton, gmollett, hhorak, iheim, jdetiber, jfrey, jialiu, jorton, jrafanie, jrusnack, kseifried, lhh, lmeyer, markmc, mmaslano, mmccune, mmcgrath, nobody+bgollahe, obarenbo, rbryant, ruby-maint, sclewis, security-response-team, tdawson, vondruch, xlecauch, yeylon | ||||||
| Target Milestone: | --- | Keywords: | Security | ||||||
| Target Release: | --- | ||||||||
| Hardware: | All | ||||||||
| OS: | Linux | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | rubygem-actionpack 3.2.16, rubygem-actionpack 4.0.2 | Doc Type: | Bug Fix | ||||||
| Doc Text: |
It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2015-01-17 05:35:41 UTC | Type: | --- | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1036415, 1036420, 1036421, 1037487, 1120007, 1120008, 1159435, 1165381, 1165382 | ||||||||
| Bug Blocks: | 1000138, 1036411 | ||||||||
| Attachments: |
|
||||||||
|
Description
Tomas Hoger
2013-12-02 21:38:24 UTC
Created attachment 831790 [details]
Upstream patch for 3.2.x
Created attachment 831792 [details]
Upstream patch for 4.0.x
Fixed upstream in 3.2.16 and 4.0.2: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/ https://groups.google.com/forum/#!topic/ruby-security-ann/9WiRn2nhfq0 http://seclists.org/oss-sec/2013/q4/402 Upstream commits (3.2 and 4.0): https://github.com/rails/rails/commit/5ed70c591fa086d745b35a16713d91fc0e3ec858 https://github.com/rails/rails/commit/6658782d60651a65efc43b621225543dd30125c5 This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html Acknowledgements: Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Ankit Gupta as the original reporter. IssueDescription: It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. This issue has been addressed in the following products: Red Hat Subscription Asset Manager 1.4 Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html |