1585218 – (CVE-2018-11627) CVE-2018-11627 rubygem-sinatra: XSS in the 400 Bad Request page

Bug 1585218 (CVE-2018-11627) - CVE-2018-11627 rubygem-sinatra: XSS in the 400 Bad Request page

Summary: CVE-2018-11627 rubygem-sinatra: XSS in the 400 Bad Request page

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-11627
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1585220 1585221 1585278 1585279 1667140
Blocks:	1585222
TreeView+	depends on / blocked

Reported:	2018-06-01 14:36 UTC by Andrej Nemec
Modified:	2019-09-29 14:40 UTC (History)
CC List:	61 users (show)
Fixed In Version:	rubygem-sinatra 2.0.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:27:16 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:0212	0	None	None	None	2019-02-07 23:00:34 UTC
Red Hat Product Errata	RHSA-2019:0315	0	None	None	None	2019-02-12 13:58:53 UTC

Description Andrej Nemec 2018-06-01 14:36:20 UTC

It was found that Sinatra is vulnerable to an XSS via the 400 Bad Request page that occurs upon a params parser exception.

Upstream issue:

https://github.com/sinatra/sinatra/issues/1428

Introduced by:

https://github.com/sinatra/sinatra/commit/8f8df53ff29938ace79b31097c27d9cdac803b44

Upstream patch:

https://github.com/sinatra/sinatra/commit/12786867d6faaceaec62c7c2cb5b0e2dc074d71a

Comment 1 Andrej Nemec 2018-06-01 14:37:15 UTC

Created rubygem-sinatra tracking bugs for this issue:

Affects: fedora-all [bug 1585221]

Comment 7 errata-xmlrpc 2019-02-07 23:00:32 UTC

This issue has been addressed in the following products:

  CloudForms Management Engine 5.10

Via RHSA-2019:0212 https://access.redhat.com/errata/RHSA-2019:0212

Comment 8 errata-xmlrpc 2019-02-12 13:58:51 UTC

This issue has been addressed in the following products:

  CloudForms Management Engine 5.9

Via RHSA-2019:0315 https://access.redhat.com/errata/RHSA-2019:0315

Note You need to log in before you can comment on or make changes to this bug.

anprice
apevec
bcourt
bhu
bkearney
cbillett
cfeist
chrisw
cluster-maint
cpelland
dajohnso
dominic
gblomqui
gmccullo
gtanzill
hhorak
hhudgeon
iboverma
idevat
jaruga
jfrey
jhardy
jjoyce
jmatthew
jorton
jpokorny
jprause
jross
jschluet
kbasil
lhh
lkundrak
lpeer
markmc
matt
mburns
mcressma
mmccune
mrike
obarenbo
ohadlevy
omular
rbryant
rchan
rhos-maint
roliveri
ruby-maint
sclewis
simaishi
sisharma
slinaber
srevivo
ssaha
tdecacqu
tojeline
tomckay
tsanders
valtri
vbellur
vondruch
williams