Bug 1036922 (CVE-2013-4491) - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
Summary: CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-4491
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1036415 1036420 1036421 1037487 1120007 1120008 1159440 1165370 1165371
Blocks: 1000138 1036411
Reported: 2013-12-02 22:19 UTC by Tomas Hoger
Modified: 2023-05-12 23:23 UTC (History)
CC: 40 users

Fixed In Version: rubygem-actionpack 3.2.16, rubygem-actionpack 4.0.2
Doc Type: Bug Fix
Doc Text:
It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.
Clone Of:
Environment:
Last Closed: 2015-01-17 05:35:48 UTC
Embargoed:


Attachments
Upstream patch for 3.2.x (3.80 KB, patch), 2013-12-02 22:22 UTC, Tomas Hoger
Upstream patch for 4.0.x (3.77 KB, patch), 2013-12-02 22:23 UTC, Tomas Hoger


Links (System | ID | Private | Priority | Status | Summary | Last Updated)
Red Hat Product Errata | RHSA-2013:1794 | 0 | normal | SHIPPED_LIVE | Important: ruby193-rubygem-actionpack security update | 2013-12-06 03:00:44 UTC
Red Hat Product Errata | RHSA-2014:0008 | 0 | normal | SHIPPED_LIVE | Important: ruby193-rubygem-actionpack security update | 2014-01-06 23:02:25 UTC
Red Hat Product Errata | RHSA-2014:1863 | 0 | normal | SHIPPED_LIVE | Important: Subscription Asset Manager 1.4 security update | 2014-11-17 22:08:19 UTC

Description Tomas Hoger 2013-12-02 22:19:09 UTC
Quoting from an upcoming Ruby on Rails security advisory:


Reflective XSS Vulnerability in Ruby on Rails

There is a vulnerability in the internationalization component of Ruby on Rails. Under certain common configurations an attacker can provide specially crafted input which will execute a reflective XSS attack. This vulnerability has been assigned the CVE identifier CVE-2013-4491.

Versions Affected:  3.0.6 and all later versions.
Not affected:       3.0.5 and earlier 3.0.x versions.
Fixed Versions:     4.0.2, 3.2.16.

The root cause of this issue is a vulnerability in the i18n gem which has been assigned the identifier CVE-2013-4492. For this reason applications are also not affected if they have upgraded to the following i18n versions:
* i18n-0.6.6 for Rails 4.0.x and 3.2.x applications
* i18n-0.5.1 for Rails 3.1.x and 3.0.x applications

Impact
------
When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------
The 4.0.2 and 3.2.16 releases are available at the normal locations.

Credits
-------
Thanks to Peter McLarnan of Matasano Security for reporting the issue to us, and to Sven Fuchs and Christopher Dell for working with us on the fix.
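As an added illustration (not code from the advisory, the i18n gem, Rails, or the attached upstream patches), the following Ruby sketches the mechanism the advisory describes: a lookup that finds no translation builds a fallback `<span class="translation_missing">` around the requested key, so a key derived from request input reaches the page verbatim. The hardened variant beside it runs every interpolated fragment through the standard-library `ERB::Util.html_escape`, the general remedy for this class of flaw; it is a simplified model, not the upstream fix itself. The translation table, the function names and the sample key are constructed for this example.

```ruby
# Added illustration of the "translation missing" fallback discussed in
# CVE-2013-4491 / CVE-2013-4492. This is a simplified model written for
# this page, not the i18n gem's or Rails' own code.
require 'erb'

# Tiny translation table standing in for I18n's backend (constructed).
TRANSLATIONS = { 'en.greeting' => 'Hello' }.freeze

# Unsafe variant: when no translation exists, the lookup key is
# interpolated into HTML as-is. If the key is derived from request
# input, any markup it carries lands in the response unescaped.
def translate_unsafe(key, locale: 'en')
  TRANSLATIONS.fetch("#{locale}.#{key}") do
    %(<span class="translation_missing" title="translation missing: #{locale}.#{key}">#{key}</span>)
  end
end

# Hardened variant: every fragment that originates outside the template
# is HTML-escaped before interpolation, so the fallback span can only
# ever contain inert text.
def translate_safe(key, locale: 'en')
  TRANSLATIONS.fetch("#{locale}.#{key}") do
    esc_key    = ERB::Util.html_escape(key)
    esc_locale = ERB::Util.html_escape(locale)
    %(<span class="translation_missing" title="translation missing: #{esc_locale}.#{esc_key}">#{esc_key}</span>)
  end
end

# Review/test helper: true if the fragment contains any tag other than
# the single <span>...</span> wrapper the fallback is expected to emit.
def stray_markup?(html_fragment)
  html_fragment.match?(%r{<(?!/?span\b)})
end

if __FILE__ == $PROGRAM_NAME
  sample_key = 'missing <b>x</b>' # constructed key carrying harmless markup
  puts "known key:   #{translate_safe('greeting')}"
  puts "unsafe:      #{translate_unsafe(sample_key)}"
  puts "hardened:    #{translate_safe(sample_key)}"
  puts "stray tags?  unsafe=#{stray_markup?(translate_unsafe(sample_key))} hardened=#{stray_markup?(translate_safe(sample_key))}"
end
```

Running the file prints the three fragments; only the unsafe one carries a `<b>` tag outside the wrapper span. The `stray_markup?` check is the kind of assertion a Rails application's view specs can carry to catch a regression of this pattern in any helper that builds HTML from lookup keys.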

Comment 1 Tomas Hoger 2013-12-02 22:22:20 UTC
Created attachment 831807 [details]
Upstream patch for 3.2.x

Comment 2 Tomas Hoger 2013-12-02 22:23:22 UTC
Created attachment 831819 [details]
Upstream patch for 4.0.x

Comment 4 errata-xmlrpc 2013-12-05 22:04:45 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for RHEL-6

Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html

Comment 5 errata-xmlrpc 2014-01-06 18:04:54 UTC
This issue has been addressed in the following products:

  OpenStack 3 for RHEL 6

Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html

Comment 9 Kurt Seifried 2014-11-13 06:18:29 UTC
Acknowledgements:

Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Peter McLarnan as the original reporter.

Comment 10 Martin Prpič 2014-11-14 16:20:49 UTC
IssueDescription:

It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.

Comment 11 errata-xmlrpc 2014-11-17 17:09:13 UTC
This issue has been addressed in the following products:

  Red Hat Subscription Asset Manager 1.4

Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html

