Red Hat Bugzilla – Bug 1036922
CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS
Last modified: 2016-04-26 10:06:44 EDT
Quoting from an upcoming Ruby on Rails security advisory: Reflective XSS Vulnerability in Ruby on Rails There is a vulnerability in the internationalization component of Ruby on Rails. Under certain common configurations an attacker can provide specially crafted input which will execute a reflective XSS attack. This vulnerability has been assigned the CVE identifier CVE-2013-4491. Versions Affected: 3.0.6 and all later versions. Not affected: 3.0.5 and earlier 3.0.x versions. Fixed Versions: 4.0.2, 3.2.16. The root cause of this issue is a vulnerability in the i18n gem which has been assigned the identifier CVE-2013-4492. For this reason applications are also not affected if they have upgraded to the following i18n versions: * i18n-0.6.6 for Rails 4.0.x and 3.2.x applications * i18n-0.5.1 for Rails 3.1.x and 3.0.x applications Impact ------ When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The 4.0.2 and 3.2.16 releases are available at the normal locations. Credits ------- Thanks to Peter McLarnan of Matasano Security for reporting the issue to us, and to Sven Fuchs and Christopher Dell for working with us on the fix.
Created attachment 831807 [details] Upstream patch for 3.2.x
Created attachment 831819 [details] Upstream patch for 4.0.x
Fixed upstream in 3.2.16 and 4.0.2: http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/ https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998 http://seclists.org/oss-sec/2013/q4/401 Upstream commits (3.2 and 4.0): https://github.com/rails/rails/commit/78790e4bceedc632cb40f9597792d7e27234138a https://github.com/rails/rails/commit/ec16ba75a5493b9da972eea08bae630eba35b62f
This issue has been addressed in following products: Red Hat Software Collections for RHEL-6 Via RHSA-2013:1794 https://rhn.redhat.com/errata/RHSA-2013-1794.html
This issue has been addressed in following products: OpenStack 3 for RHEL 6 Via RHSA-2014:0008 https://rhn.redhat.com/errata/RHSA-2014-0008.html
Acknowledgements: Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Peter McLarnan as the original reporter.
IssueDescription: It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.
This issue has been addressed in the following products: Red Hat Subscription Asset Manager 1.4 Via RHSA-2014:1863 https://rhn.redhat.com/errata/RHSA-2014-1863.html