Bug 1559071 (CVE-2018-8048)

Summary: CVE-2018-8048 rubygem-loofah: XSS vulnerability due to unescaped comments within attributes by libxml2
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmidwood, cpelland, dajohnso, dmetzger, gblomqui, gmccullo, gtanzill, hhorak, hhudgeon, jaruga, jfrey, jhardy, jorton, jprause, kdixon, ktdreyer, lavenel, obarenbo, pvalena, rcosta, roliveri, ruby-maint, simaishi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: rubygem-loofah 2.2.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:18:18 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1559072, 1559073, 1560026, 1560027, 1560028, 1560029    
Bug Blocks: 1559074    

Description Adam Mariš 2018-03-21 16:16:54 UTC
Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Affected versions: Loofah < 2.2.1, but only:

* when running on MRI or RBX,
* in combination with libxml2 >= 2.9.2.

Upstream bug:


Upstream patch:




Comment 1 Adam Mariš 2018-03-21 16:17:21 UTC
Created rubygem-loofah tracking bugs for this issue:

Affects: fedora-all [bug 1559072]

Comment 4 Kurt Seifried 2018-03-23 18:41:22 UTC

This issue affects the versions of rubygem-loofah as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having a security  impact of Moderate. This vulnerability won't be fixed on CloudForms 4, because it uses libxml 2.9.1 and since the vulnerability requires a libxml >= 2.9.2 in order to be exploitable. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/