Bug 2267244 (CVE-2024-27285) - CVE-2024-27285 yard: Cross-site scripting in the frames.erb template file
Summary: CVE-2024-27285 yard: Cross-site scripting in the frames.erb template file
Keywords:
Status: NEW
Alias: CVE-2024-27285
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2267263 2267264 2267266 2267267 2267268 2267269 2267270 2267271 2267272 2267275 2267276 2267246 2267247 2267248 2267249 2267250 2267251 2267252 2267253 2267254 2267255 2267256 2267257 2267258 2267259 2267260 2267265 2267273 2267274 2267277 2267278 2267279 2267280 2267281 2267282 2267283 2267284 2267285 2267286 2267287 2267288 2267289 2267290 2267291 2267292 2267293 2267295 2267296 2267297 2267298 2267299 2267300 2267301 2267302 2267303 2267304 2267305 2267306 2267307 2267308 2267309 2267310 2267311 2267312 2267313 2267314 2267315 2267316 2267317 2267318
Blocks: 2267319
Reported: 2024-03-01 13:49 UTC by Pedro Sampaio
Modified: 2024-06-10 14:08 UTC (History)

Fixed In Version: yard 0.9.35
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the YARD Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Pedro Sampaio 2024-03-01 13:49:23 UTC
YARD is a Ruby Documentation tool. The "frames.html" file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the "frames.erb" template file.  This vulnerability is fixed in 0.9.35.

References:

https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc

Comment 1 Pedro Sampaio 2024-03-01 14:08:38 UTC
Created golang-github-aws-aws-sdk-go tracking bugs for this issue:

Affects: epel-7 [bug 2267247]


Created puppet tracking bugs for this issue:

Affects: epel-8 [bug 2267254]


Created rubygem-aruba tracking bugs for this issue:

Affects: epel-8 [bug 2267255]


Created rubygem-asciidoctor tracking bugs for this issue:

Affects: epel-7 [bug 2267248]
Affects: epel-8 [bug 2267256]


Created rubygem-docile tracking bugs for this issue:

Affects: epel-8 [bug 2267257]


Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-7 [bug 2267249]


Created rubygem-fog-core tracking bugs for this issue:

Affects: epel-7 [bug 2267250]


Created rubygem-fog-softlayer tracking bugs for this issue:

Affects: epel-7 [bug 2267251]


Created rubygem-git tracking bugs for this issue:

Affects: epel-8 [bug 2267258]


Created rubygem-public_suffix tracking bugs for this issue:

Affects: epel-8 [bug 2267259]


Created rubygem-rouge tracking bugs for this issue:

Affects: epel-7 [bug 2267252]


Created rubygem-semantic_puppet tracking bugs for this issue:

Affects: epel-8 [bug 2267260]


Created rubygem-thread_safe tracking bugs for this issue:

Affects: epel-7 [bug 2267253]


Created rubygem-vault tracking bugs for this issue:

Affects: epel-7 [bug 2267246]

Comment 2 Pedro Sampaio 2024-03-01 14:23:48 UTC
Created golang-github-aws-aws-sdk-go tracking bugs for this issue:

Affects: epel-all [bug 2267263]


Created puppet tracking bugs for this issue:

Affects: epel-all [bug 2267264]


Created rubygem-aruba tracking bugs for this issue:

Affects: epel-all [bug 2267265]


Created rubygem-asciidoctor tracking bugs for this issue:

Affects: epel-all [bug 2267266]


Created rubygem-docile tracking bugs for this issue:

Affects: epel-all [bug 2267267]


Created rubygem-dynect_rest tracking bugs for this issue:

Affects: epel-all [bug 2267268]


Created rubygem-fog-core tracking bugs for this issue:

Affects: epel-all [bug 2267269]


Created rubygem-fog-softlayer tracking bugs for this issue:

Affects: epel-all [bug 2267270]


Created rubygem-git tracking bugs for this issue:

Affects: epel-all [bug 2267271]


Created rubygem-public_suffix tracking bugs for this issue:

Affects: epel-all [bug 2267272]


Created rubygem-rouge tracking bugs for this issue:

Affects: epel-all [bug 2267273]


Created rubygem-semantic_puppet tracking bugs for this issue:

Affects: epel-all [bug 2267274]


Created rubygem-thread_safe tracking bugs for this issue:

Affects: epel-all [bug 2267275]


Created rubygem-vault tracking bugs for this issue:

Affects: epel-all [bug 2267276]

Comment 3 Vít Ondruch 2024-03-01 14:33:36 UTC
I wonder how this list was compiled? I would be surprised if most of the trackers are not false positives.

Comment 4 Pedro Sampaio 2024-03-01 14:34:35 UTC
Created alexandria tracking bugs for this issue:

Affects: fedora-all [bug 2267277]


Created rubygem-asciidoctor tracking bugs for this issue:

Affects: fedora-all [bug 2267278]


Created rubygem-byebug tracking bugs for this issue:

Affects: fedora-all [bug 2267279]


Created rubygem-childprocess tracking bugs for this issue:

Affects: fedora-all [bug 2267280]


Created rubygem-chunky_png tracking bugs for this issue:

Affects: fedora-all [bug 2267281]


Created rubygem-cookiejar tracking bugs for this issue:

Affects: fedora-all [bug 2267282]


Created rubygem-dnsruby tracking bugs for this issue:

Affects: fedora-all [bug 2267283]


Created rubygem-elasticsearch-transport tracking bugs for this issue:

Affects: fedora-all [bug 2267284]


Created rubygem-ffi tracking bugs for this issue:

Affects: fedora-all [bug 2267285]


Created rubygem-file-tail tracking bugs for this issue:

Affects: fedora-all [bug 2267286]


Created rubygem-fog-core tracking bugs for this issue:

Affects: fedora-all [bug 2267287]


Created rubygem-fog-libvirt tracking bugs for this issue:

Affects: fedora-all [bug 2267288]


Created rubygem-git tracking bugs for this issue:

Affects: fedora-all [bug 2267289]


Created rubygem-haml tracking bugs for this issue:

Affects: fedora-all [bug 2267290]


Created rubygem-hashdiff tracking bugs for this issue:

Affects: fedora-all [bug 2267291]


Created rubygem-locale tracking bugs for this issue:

Affects: fedora-all [bug 2267292]


Created rubygem-middleware tracking bugs for this issue:

Affects: fedora-all [bug 2267293]


Created rubygem-msgpack tracking bugs for this issue:

Affects: fedora-all [bug 2267295]


Created rubygem-prawn tracking bugs for this issue:

Affects: fedora-all [bug 2267296]


Created rubygem-prawn-table tracking bugs for this issue:

Affects: fedora-all [bug 2267297]


Created rubygem-protobuf tracking bugs for this issue:

Affects: fedora-all [bug 2267298]


Created rubygem-public_suffix tracking bugs for this issue:

Affects: fedora-all [bug 2267299]


Created rubygem-pundit tracking bugs for this issue:

Affects: fedora-all [bug 2267300]


Created rubygem-red-colors tracking bugs for this issue:

Affects: fedora-all [bug 2267301]


Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 2267302]


Created rubygem-rouge tracking bugs for this issue:

Affects: fedora-all [bug 2267303]


Created rubygem-rspec-core tracking bugs for this issue:

Affects: fedora-all [bug 2267304]


Created rubygem-rspec-expectations tracking bugs for this issue:

Affects: fedora-all [bug 2267305]


Created rubygem-rspec-mocks tracking bugs for this issue:

Affects: fedora-all [bug 2267306]


Created rubygem-ruby-vips tracking bugs for this issue:

Affects: fedora-all [bug 2267307]


Created rubygem-selenium-webdriver tracking bugs for this issue:

Affects: fedora-all [bug 2267308]


Created rubygem-semantic_puppet tracking bugs for this issue:

Affects: fedora-all [bug 2267309]


Created rubygem-test-unit-notify tracking bugs for this issue:

Affects: fedora-all [bug 2267310]


Created rubygem-test-unit-rr tracking bugs for this issue:

Affects: fedora-all [bug 2267311]


Created rubygem-thread_safe tracking bugs for this issue:

Affects: fedora-all [bug 2267312]


Created rubygem-tins tracking bugs for this issue:

Affects: fedora-all [bug 2267313]

Comment 5 Vít Ondruch 2024-03-01 14:39:00 UTC
Ah, I see, yard is likely mentioned in a shipped Gemfile, at least in rubygem-public_suffix, but ...

I really doubt the usefulness of the reports which are based on Gemfile, package.json and similar. Can this be prevented? Or could the reason for such reports at least be reported somewhere? If there were some security issue, it would be lost among the sheer number of these false positives.

Comment 7 Vít Ondruch 2024-03-01 15:53:00 UTC
Can you please scan the packages for `frames.html` instead? That should be the file which is vulnerable.

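The scan comment 7 asks for, as an added example that is not YARD's, Red Hat's or the reporter's code: walk a package tree, treat every `frames.html` as a YARD doc set, and flag sets built by a release before the fixed version 0.9.35. It assumes the sibling `index.html` carries YARD's default footer ("Generated on ... by yard 0.9.34 (ruby-3.2.2)."); a set with no readable version is reported for manual review rather than skipped.

```ruby
# Added example: find YARD-generated doc sets (identified by frames.html)
# and flag those produced before the fix in yard 0.9.35 (CVE-2024-27285).
require 'find'
require 'tmpdir'
require 'fileutils'

FIXED_IN = Gem::Version.new('0.9.35')

# Read the generator version from YARD's footer text (assumed format:
# "by <a ...>yard</a> 0.9.34 (ruby-3.2.2)."); nil when no footer is found.
def yard_version_from(html)
  m = html.match(%r{yard(?:</a>)?\s+(\d+(?:\.\d+)+)}i)
  m && Gem::Version.new(m[1])
end

# A doc set needs attention when it predates the fix or cannot be dated.
def needs_review?(version)
  version.nil? || version < FIXED_IN
end

# Walk root; one result per directory that contains a frames.html.
def scan(root)
  results = []
  Find.find(root) do |path|
    next unless File.basename(path) == 'frames.html'
    dir = File.dirname(path)
    index = File.join(dir, 'index.html')
    version = yard_version_from(File.exist?(index) ? File.read(index) : '')
    results << { dir: dir, version: version&.to_s, needs_review: needs_review?(version) }
  end
  results.sort_by { |r| r[:dir] }
end

# Constructed sample tree: an old doc set, one rebuilt with a fixed release,
# and one whose footer is missing.
def build_sample_tree(base)
  { 'gem_old/doc'     => 'Generated by <a href="https://yardoc.org">yard</a> 0.9.34 (ruby-3.2.2).',
    'gem_new/doc'     => 'Generated by yard 0.9.36 (ruby-3.3.0).',
    'gem_unknown/doc' => '<html><body>no footer</body></html>' }.each do |rel, footer|
    dir = File.join(base, rel)
    FileUtils.mkdir_p(dir)
    File.write(File.join(dir, 'frames.html'), '<html></html>')
    File.write(File.join(dir, 'index.html'), footer)
  end
  base
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    scan(build_sample_tree(tmp)).each do |r|
      puts "#{r[:dir]}: yard #{r[:version] || '?'} -> #{r[:needs_review] ? 'REVIEW' : 'ok'}"
    end
  end
end
```

Point `scan` at a package's unpacked contents (for example an installed gem's `doc/` directory) to list the doc sets that need regenerating with a fixed YARD.
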
Comment 8 Pedro Sampaio 2024-06-10 14:08:41 UTC
In reply to comment #3:
> I wonder how this list was compiled? I would be surprised if most of the
> trackers are not false positives.

Mostly through some automation to check deps in various places, as you concluded yourself. We are working to improve the tools and get fewer false positives.

Thank you for letting us know.

