Bug 1036910 (CVE-2013-6415) - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
Summary: CVE-2013-6415 rubygem-actionpack: number_to_currency XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6415
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1036415 1036420 1036421 1037487 1120007 1120008 1159435 1165381 1165382
Blocks: 1000138 1036411
Reported: 2013-12-02 21:38 UTC by Tomas Hoger
Modified: 2023-05-13 00:57 UTC (History)

Fixed In Version: rubygem-actionpack 3.2.16, rubygem-actionpack 4.0.2
Clone Of:
Environment:
Last Closed: 2015-01-17 05:35:41 UTC
Embargoed:


Attachments
Upstream patch for 3.2.x (2.83 KB, patch)
2013-12-02 21:47 UTC, Tomas Hoger
Upstream patch for 4.0.x (2.20 KB, patch)
2013-12-02 21:48 UTC, Tomas Hoger


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1794 0 normal SHIPPED_LIVE Important: ruby193-rubygem-actionpack security update 2013-12-06 03:00:44 UTC
Red Hat Product Errata RHSA-2014:0008 0 normal SHIPPED_LIVE Important: ruby193-rubygem-actionpack security update 2014-01-06 23:02:25 UTC
Red Hat Product Errata RHSA-2014:1863 0 normal SHIPPED_LIVE Important: Subscription Asset Manager 1.4 security update 2014-11-17 22:08:19 UTC

Description Tomas Hoger 2013-12-02 21:38:24 UTC
Quoting from an upcoming Ruby on Rails security advisory:


XSS Vulnerability in number_to_currency

There is an XSS vulnerability in the number_to_currency helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6415.

Versions Affected:  All.
Fixed Versions:     4.0.2, 3.2.16.

Impact 
------ 
The number_to_currency helper allows users to nicely format a numeric value. One of the parameters to the helper (unit) is not escaped correctly. Applications which pass user controlled data as the unit parameter are vulnerable to an XSS attack.

All users passing user controlled data as number_to_currency's unit parameter should either upgrade or use one of the workarounds immediately.

Releases 
-------- 
The 4.0.2 and 3.2.16 releases are available at the normal locations. 

Credits 
------- 
Thanks to Ankit Gupta for reporting the issue to us and working with us on a fix.

Comment 1 Tomas Hoger 2013-12-02 21:47:28 UTC
Created attachment 831790 [details]
Upstream patch for 3.2.x

Comment 2 Tomas Hoger 2013-12-02 21:48:38 UTC
Created attachment 831792 [details]
Upstream patch for 4.0.x

Comment 9 errata-xmlrpc 2013-12-05 22:04:29 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html

Comment 10 errata-xmlrpc 2014-01-06 18:04:48 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html

Comment 14 Kurt Seifried 2014-11-13 06:22:09 UTC
Acknowledgements:

Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Ankit Gupta as the original reporter.

Comment 15 Martin Prpič 2014-11-14 16:21:41 UTC
IssueDescription:

It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.
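
The flaw described in the quoted advisory and in the issue description above, shown as an added example rather than the gem's own code: a simplified stand-in for number_to_currency (option names mirror the real helper, the formatting logic is constructed for this example) with the unit parameter interpolated verbatim beside the fixed variant that HTML-escapes it before building the output.

```ruby
require 'erb'

# Group digits and apply precision; a stand-in for the Rails number
# formatting that the real helper delegates to (constructed here).
def format_number(number, precision:, delimiter:, separator:)
  sign = number.negative? ? '-' : ''
  whole, frac = sprintf("%.#{precision}f", number.abs).split('.')
  whole = whole.reverse.scan(/\d{1,3}/).join(delimiter).reverse
  frac ? "#{sign}#{whole}#{separator}#{frac}" : "#{sign}#{whole}"
end

# Pre-fix behaviour (CVE-2013-6415): the unit string goes into the
# HTML output as-is, so a user-controlled unit lands in the page unescaped.
def number_to_currency_unescaped(number, unit: '$', precision: 2,
                                 delimiter: ',', separator: '.', format: '%u%n')
  num = format_number(number, precision: precision,
                              delimiter: delimiter, separator: separator)
  # Block form of gsub so backslashes in the unit are not treated specially.
  format.gsub('%n') { num }.gsub('%u') { unit }
end

# Fixed behaviour: escape the unit before it is inserted into the output,
# the same correction the 3.2.16 / 4.0.2 releases apply to the real helper.
def number_to_currency_escaped(number, unit: '$', precision: 2,
                               delimiter: ',', separator: '.', format: '%u%n')
  num = format_number(number, precision: precision,
                              delimiter: delimiter, separator: separator)
  safe_unit = ERB::Util.html_escape(unit)
  format.gsub('%n') { num }.gsub('%u') { safe_unit }
end

# Constructed input standing in for a user-supplied unit containing markup.
if $PROGRAM_NAME == __FILE__
  tainted_unit = '<b>EUR</b>'
  puts number_to_currency_unescaped(1234.5, unit: tainted_unit, format: '%n %u')
  puts number_to_currency_escaped(1234.5, unit: tainted_unit, format: '%n %u')
end
```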

Comment 16 errata-xmlrpc 2014-11-17 17:09:09 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html
