Bug 750306 (CVE-2010-1330) - CVE-2010-1330 jruby: XSS in the regular expression engine when processing invalid UTF-8 byte sequences
Summary: CVE-2010-1330 jruby: XSS in the regular expression engine when processing inv...
Alias: CVE-2010-1330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 750310 750311
Blocks: 750308
Reported: 2011-10-31 16:25 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:48 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-08-08 06:14:47 UTC


External Trackers:
System                  ID              Private  Priority  Status        Summary                                               Last Updated
Red Hat Product Errata  RHSA-2011:1456  0        normal    SHIPPED_LIVE  Moderate: JBoss Enterprise SOA Platform 5.2.0 update  2011-11-17 04:54:04 UTC

Description Jan Lieskovsky 2011-10-31 16:25:22 UTC
A cross-site scripting (XSS) flaw was found in the way the regular expression engine of JRuby, the Java implementation of the Ruby programming language, processed certain invalid UTF-8 byte sequences. A remote attacker could use this flaw to execute arbitrary HTML or web script via specially-crafted input provided to a JRuby application.

[1] http://www.jruby.org/2010/04/26/jruby-1-4-1-xss-vulnerability.html
[2] https://bugs.gentoo.org/show_bug.cgi?id=317435

Proposed upstream solution (is to upgrade to jcodings-v1.0.3):
[3] http://repo1.maven.org/maven2/org/jruby/jcodings/jcodings/1.0.3/jcodings-1.0.3.jar
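As an added example (not code from the advisory, the JRuby project or Red Hat), the following MRI Ruby snippet shows the defensive pattern this flaw class calls for: validate or scrub UTF-8 input before any regex-based processing, and escape HTML output with a library routine rather than a hand-written regex. The helper names (valid_utf8?, normalize_utf8, safe_html, regex_strip_tags_unchecked, regex_rejects_invalid?) and the sample inputs are constructed for this illustration; the advisory does not describe the exact byte sequences involved.

```ruby
require 'erb'

# Constructed sample inputs (not taken from the advisory). The first contains
# an invalid UTF-8 sequence: 0xC3 announces a two-byte character, but 0x28
# ('(') is not a continuation byte, so the lone 0xC3 is invalid.
INVALID_INPUT = "<b>\xC3\x28</b>".dup.force_encoding(Encoding::UTF_8)
VALID_INPUT   = "<b>h\u00E9llo</b>"

# Returns true when str is well-formed UTF-8.
def valid_utf8?(str)
  str.dup.force_encoding(Encoding::UTF_8).valid_encoding?
end

# Repairs invalid UTF-8 by replacing each invalid byte sequence with U+FFFD,
# so that every later step operates on a well-formed string.
def normalize_utf8(str)
  s = str.dup.force_encoding(Encoding::UTF_8)
  s.valid_encoding? ? s : s.scrub("\uFFFD")
end

# Normalizes first, then escapes with an encoding-aware library routine
# (ERB::Util.html_escape) instead of a regex over the raw bytes.
def safe_html(str)
  ERB::Util.html_escape(normalize_utf8(str))
end

# For contrast: a regex-based tag stripper applied to unvalidated input.
# On MRI Ruby a regex match against a string with a broken encoding raises
# ArgumentError ("invalid byte sequence in UTF-8"); other engines may instead
# match or skip the bytes unpredictably, which is why validation must come
# before any regex-based sanitization.
def regex_strip_tags_unchecked(str)
  str.gsub(/<[^>]*>/, "")
end

# True when the regex engine refuses the input outright.
def regex_rejects_invalid?(str)
  regex_strip_tags_unchecked(str)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "valid_utf8?(INVALID_INPUT)            => #{valid_utf8?(INVALID_INPUT)}"
  puts "safe_html(INVALID_INPUT)              => #{safe_html(INVALID_INPUT)}"
  puts "regex_rejects_invalid?(INVALID_INPUT) => #{regex_rejects_invalid?(INVALID_INPUT)}"
end
```

The check that matters operationally is the first one: any input whose valid_encoding? is false should be scrubbed or rejected at the boundary, before it reaches a regex-based filter or template.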

Comment 1 Jan Lieskovsky 2011-10-31 16:26:54 UTC
This issue affects the versions of the jcodings package, as shipped with Fedora releases 14 and 15.

This issue did NOT affect the versions of the jcodings and jruby packages, as planned to be included in the upcoming Fedora 16 release.

Comment 2 Jan Lieskovsky 2011-10-31 16:38:34 UTC
Created jcodings tracking bugs for this issue

Affects: fedora-14 [bug 750310]
Affects: fedora-15 [bug 750311]

Comment 5 errata-xmlrpc 2011-11-16 23:55:08 UTC
This issue has been addressed in the following products:

JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2011:1456 https://rhn.redhat.com/errata/RHSA-2011-1456.html
