Bug 1065520 (CVE-2014-0081)

Summary: CVE-2014-0081 rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aortega, apevec, athomas, ayoung, bdunne, bgollahe, bkearney, bleanhar, briang, ccoleman, chrisw, cpelland, dajohnso, dclarizi, dmcphers, drieden, gkotton, hhorak, iheim, jdetiber, jfrey, jialiu, jrafanie, kseifried, lhh, lmeyer, markmc, mmaslano, mmccune, mmcgrath, mpovolny, obarenbo, rbryant, sclewis, security-response-team, srevivo, tdawson, vondruch, xlecauch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=moderate,public=20140218,reported=20140212,source=upstream,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:P/A:N,rhscl-1/ruby193-rubygem-actionpack=affected,rhscl-1/ror40-rubygem-actionpack=affected,sam-1/ruby193-rubygem-actionpack=wontfix,cfme-5/ruby193-rubygem-actionpack=affected,openstack-3/ruby193-rubygem-actionpack=affected,openstack-4/ruby193-rubygem-actionpack=affected,openshift-enterprise-1/ruby193-rubygem-actionpack=wontfix,openshift-1/ruby193-rubygem-actionpack=affected,openshift-1/rubygem-actionpack=affected,rhn_satellite_6/ruby193-rubygem-actionpack=affected,fedora-all/rubygem-actionpack=affected,epel-5/rubygem-actionpack=affected,cwe=CWE-79[auto]
Fixed In Version: rubygem-actionpack 3.2.17, rubygem-actionpack 4.0.3, rubygem-actionpack 4.1.0.beta2 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 1065587, 1065588, 1065589, 1065590, 1065591, 1065592, 1065593, 1065891, 1066666, 1165362    
Bug Blocks: 1065543    
Attachments:
Description Flags
3-2-number_helpers_xss.patch
none
4-0-number_helpers_xss.patch
none
4-1-beta-number_helpers_xss.patch none

Description Kurt Seifried 2014-02-14 15:41:07 EST
Aaron Patterson of the Ruby on Rails project reports:

There is an XSS vulnerability in the number_to_currency, number_to_percentage
and number_to_human helpers in Ruby on Rails. 

Versions Affected:  All.
Fixed Versions:     4.1.0.beta2, 4.0.3, 3.2.17.

Impact
------
These helpers allows users to nicely format a numeric value. Some of the parameters
to the helper (format, negative_format and units) are not escaped correctly.
Application which pass user controlled data as one of these parameters are
vulnerable to an XSS attack.

All users passing user controlled data to these parameters of the number helpers
should either upgrade or use one of the workarounds immediately.
Comment 1 Kurt Seifried 2014-02-14 16:41:13 EST
Created attachment 863436 [details]
3-2-number_helpers_xss.patch
Comment 2 Kurt Seifried 2014-02-14 16:41:34 EST
Created attachment 863437 [details]
4-0-number_helpers_xss.patch
Comment 3 Kurt Seifried 2014-02-14 16:41:52 EST
Created attachment 863438 [details]
4-1-beta-number_helpers_xss.patch
Comment 4 Kurt Seifried 2014-02-14 23:41:28 EST
Acknowledgements:

Red Hat would like to thank the Ruby on Rails Project for reporting this issue. Upstream acknowledges Kevin Reintjes as the original reporter.
Comment 11 Vincent Danen 2014-02-18 15:49:08 EST
Created rubygem-actionpack tracking bugs for this issue:

Affects: fedora-all [bug 1066666]
Comment 13 Fedora Update System 2014-03-10 23:59:53 EDT
rubygem-activerecord-4.0.0-2.fc20, rubygem-actionpack-4.0.0-3.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2014-03-11 12:59:35 EDT
This issue has been addressed in following products:

  CloudForms Management Engine 5.x

Via RHSA-2014:0215 https://rhn.redhat.com/errata/RHSA-2014-0215.html
Comment 15 errata-xmlrpc 2014-03-17 13:33:08 EDT
This issue has been addressed in following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2014:0306 https://rhn.redhat.com/errata/RHSA-2014-0306.html
Comment 16 Kurt Seifried 2014-06-25 03:24:11 EDT
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.