Bug 1036914 (CVE-2013-6416) - CVE-2013-6416 rubygem-actionpack: simple_format XSS
Summary: CVE-2013-6416 rubygem-actionpack: simple_format XSS
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-6416
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1036421
Blocks: 1036411
TreeView+ depends on / blocked
 
Reported: 2013-12-02 21:47 UTC by Tomas Hoger
Modified: 2019-09-29 13:10 UTC (History)
10 users (show)

Fixed In Version: rubygem-actionpack 4.0.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-16 14:59:59 UTC


Attachments (Terms of Use)
Upstream patch for 4.0.x (1.11 KB, patch)
2013-12-02 21:49 UTC, Tomas Hoger
no flags Details | Diff

Description Tomas Hoger 2013-12-02 21:47:29 UTC
Quoting from an upcoming Ruby on Rails security advisory:


XSS Vulnerability in simple_format helper 

There is a vulnerability in the simple_format helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-6416.

Versions Affected:  4.0.0 & 4.0.1
Not affected:       Versions prior to 4.0
Fixed Versions:     4.0.2

Impact 
------ 
The simple_format helper converts user supplied text into html text which is intended to be safe for display.  A change  made to the implementation of this helper means that any user provided HTML attributes will not be escaped correctly.  As a result of this error, applications which pass user-controlled data to be included as html attributes will be vulnerable to an XSS attack.

All users running an affected release and passing user-controlled html attributes to simple_format should either upgrade or use one of the work arounds immediately. 

Releases 
-------- 
The 4.0.2 release is available at the normal locations. 

Credits 
------- 
Thanks to Kevin Reintjes for reporting the vulnerability to us and helping us work on a fix.

Comment 1 Tomas Hoger 2013-12-02 21:49:45 UTC
Created attachment 831793 [details]
Upstream patch for 4.0.x

Comment 3 Tomas Hoger 2013-12-16 14:59:59 UTC
This issue only affected Ruby on Rails 4.0, which is not shipped as part of any Red Hat product.

Statement:

Not vulnerable. This issue did not affect the versions of rubygem-actionpack as shipped with various Red Hat products.


Note You need to log in before you can comment on or make changes to this bug.