A flaw was found in rubygem-actionview before versions 5.2.4.4 and 6.0.3.3. When an HTML-unsafe string is passed as the default for a missing translation key, the default string is incorrectly marked as HTML-safe and not escaped. References: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1
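The failure mode described above, as an added Ruby example (not Rails' own code): a minimal model of the `_html` translation-key convention, showing the pre-fix helper beside one modelled on the upstream fix, in which a caller-supplied default for a missing key falls through unmarked and is therefore escaped by the view. `SafeString`, `TRANSLATIONS`, `UNTRUSTED_DEFAULT` and the helper names are constructed stand-ins, not ActionView identifiers.

```ruby
require "erb"

# Minimal stand-in for Rails' html_safe/SafeBuffer marking (constructed for
# this example; not ActionView's real implementation).
class String
  def html_safe?; false; end
end

class SafeString < String
  def html_safe?; true; end
end

# What a view does with <%= value %>: escape anything not marked safe.
def render_in_view(value)
  value.html_safe? ? value : SafeString.new(ERB::Util.html_escape(value))
end

# Constructed translation catalogue; only this content is trusted HTML.
TRANSLATIONS = { "greeting_html" => "<b>Hello</b>" }.freeze

# Pre-fix behaviour: any result for a *_html key is marked safe, including
# a caller-supplied default that merely filled in for a missing key.
def translate_vulnerable(key, default: nil)
  text = TRANSLATIONS.fetch(key) { default }
  return nil if text.nil?
  key.end_with?("_html") ? SafeString.new(text) : text
end

# Post-fix behaviour (modelled on the upstream approach): a default that
# stood in for a missing key falls through unmarked, so the view escapes
# it unless the caller marked it safe themselves.
def translate_fixed(key, default: nil)
  return default unless TRANSLATIONS.key?(key)
  text = TRANSLATIONS[key]
  key.end_with?("_html") ? SafeString.new(text) : text
end

# Constructed stand-in for a request-controlled value used as the default.
UNTRUSTED_DEFAULT = "<i>guest</i>".freeze

def demo
  {
    vulnerable: render_in_view(translate_vulnerable("missing_html", default: UNTRUSTED_DEFAULT)),
    fixed:      render_in_view(translate_fixed("missing_html", default: UNTRUSTED_DEFAULT)),
    catalogue:  render_in_view(translate_fixed("greeting_html")),
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `:vulnerable` entry reaches the page unescaped while `:fixed` is entity-encoded; the catalogue string stays trusted in both versions, which is the distinction the patch restores.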
Created rubygem-actionview tracking bugs for this issue: Affects: fedora-all [bug 1877568]
Technical information: https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1 Upstream patch: https://github.com/rails/rails/commit/e663f084460ea56c55c3dc76f78c7caeddeeb02e
External References: https://weblog.rubyonrails.org/2020/9/10/Rails-5-2-4-4-and-6-0-3-3-have-been-released
Statement: Red Hat CloudForms and Red Hat Satellite 6 ship the affected ActionView RubyGem; however, they are not vulnerable, since the product code does not use the unsafe pattern described above.