Bug 2217785 (CVE-2023-28362)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2023-28362 actionpack: Possible XSS via User Supplied Values to redirect_to | | |
| Product | [Other] Security Response | Reporter | Avinash Hanwate <ahanwate> |
| Component | vulnerability | Assignee | Nobody <nobody> |
| Status | NEW --- | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | amasferr, bbuckingham, bcourt, chazlett, ehelms, jsherril, lzap, mhulan, mkudlej, myarboro, nmoumoul, orabin, pcreech, rchan, tjochec |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | rubygem-actionpack 6.1.7.4, rubygem-actionpack 7.0.5.1 | Doc Type | If docs needed, set a value |
| Doc Text | A Cross-site Scripting (XSS) vulnerability was found in Actionpack due to improper sanitization of user-supplied values. This allows provided values to contain characters that are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned location header. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 2217787, 2217788, 2217789, 2222764, 2222765 | | |
| Bug Blocks | 2217790 | | |
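The Doc Text above describes the failure mode: a user-supplied redirect target containing bytes that are not legal in an HTTP header field value can cause an RFC-enforcing downstream component to drop the Location header. The following is an added illustration for this bug record, not Action Pack's own code or the fix shipped in the versions listed; the function names `valid_header_value?` and `safe_location` and the `UnsafeLocationError` class are hypothetical. It validates a candidate Location value byte by byte against the RFC 7230 field-value grammar and refuses to emit anything else.

```ruby
# Added illustration for this bug record: a check that a redirect target is a
# legal HTTP header field value before it is written to a Location header.
# This is not Action Pack's own code; the function names below are hypothetical.
#
# Per RFC 7230, a field value may contain VCHAR (0x21-0x7E), SP (0x20),
# HTAB (0x09) and obs-text (0x80-0xFF). CR, LF, NUL and all other control
# bytes are never legal; a value carrying them can be dropped or rewritten
# by any RFC-enforcing proxy or server downstream.
def legal_header_byte?(b)
  b == 0x09 || (0x20..0x7E).cover?(b) || b >= 0x80
end

def valid_header_value?(value)
  value.to_s.each_byte.all? { |b| legal_header_byte?(b) }
end

class UnsafeLocationError < ArgumentError; end

# Returns the location unchanged if it is safe to emit as a header value,
# otherwise raises instead of silently sending a header that a downstream
# component may strip.
def safe_location(location)
  unless valid_header_value?(location)
    raise UnsafeLocationError,
          "redirect location contains bytes not allowed in an HTTP header value"
  end
  location
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the expected verdicts are in the comments.
  {
    "https://example.com/path?q=1"  => true,
    "/relative/path"                => true,
    "https://example.com/caf\u00e9" => true,  # UTF-8 bytes >= 0x80 are obs-text
    "https://example.com/\r\nX: y"  => false, # CR/LF would terminate the header
    "/path\u0000"                   => false, # NUL is a control byte
  }.each { |v, expected| puts "#{v.inspect} -> #{valid_header_value?(v)} (expected #{expected})" }
end
```

Rejecting with an exception rather than stripping the offending bytes is the design choice here: a redirect whose target has been silently altered is harder to notice in logs than a request that fails loudly, and the raise point is where monitoring can count attempts.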
Description
Avinash Hanwate
2023-06-27 05:37:49 UTC
Created perl-HTTP-Headers-ActionPack tracking bugs for this issue:
Affects: fedora-all [bug 2222764]

Created rubygem-actionpack tracking bugs for this issue:
Affects: fedora-all [bug 2222765]

This issue has been addressed in the following products:
Red Hat Satellite 6.14 for RHEL 8
Via RHSA-2023:7851 https://access.redhat.com/errata/RHSA-2023:7851