Bug 1774081 (CVE-2019-15587) - CVE-2019-15587 rubygem-loofah: XSS when a crafted SVG element is republished
Summary: CVE-2019-15587 rubygem-loofah: XSS when a crafted SVG element is republished
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-15587
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1791636 1791637 1791638 1791639 1791640 1791641 1791642 1791643 1791644 1791645 1791646 1791647 1797919 1797920 1797921 1797922 1797923 1797924 1805187 1805200
Blocks: 1774086
Reported: 2019-11-19 14:18 UTC by msiddiqu
Modified: 2021-12-14 18:47 UTC (History)

Fixed In Version: rubygem-loofah 2.3.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-27 10:55:41 UTC
Embargoed:



Description msiddiqu 2019-11-19 14:18:02 UTC
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Upstream issue: 

https://github.com/flavorjones/loofah/issues/171

References:

https://hackerone.com/reports/709009
https://www.debian.org/security/2019/dsa-4554
https://www.openwall.com/lists/oss-security/2019/10/22/1

Comment 12 Cedric Buissart 2020-02-20 13:34:13 UTC
Created rubygem-loofah tracking bugs for this issue:

Affects: fedora-all [bug 1805200]

Comment 13 Cedric Buissart 2020-02-20 13:52:44 UTC
Statement:

Supported versions of Satellite 6 contain a vulnerable version of rubygem-loofah. However, it is not possible to inject untrusted SVG files, and thus it is considered that this vulnerability cannot be triggered. A future update may fix this vulnerability.
