| Summary: | <dev-ruby/rails-7.1.1: XSS within Route Error Page | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED INVALID | | |
| Severity: | minor | CC: | ruby |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://github.com/rails/rails/issues/46244 | | |
| Whiteboard: | ~4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description (John Helmert III, 2022-10-28 02:28:59 UTC)
(In reply to John Helmert III from comment #0)

> A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319.

I'd be very interested to learn how this is triggered remotely. My understanding is that the page that includes this code is only available in development mode. I guess you could run a rails app in development on a public IP address and then link to this page. Seems far fetched in practice.

Or not, reading the pentest comment :-(

---

> Bit silly to say that XSS is possible to initiate remotely, I think.

Looks like we're waiting for a release or downstream patch.

---

I'd wait for a release here.

---

I don't think there was ever a stable version in tree so dropping to ~ and pushing to cleanup.

---

The developers also said it isn't an actual security issue because of how the bug is run, is this good to close? https://github.com/rails/rails/issues/46244#issuecomment-1380875153

---

(In reply to Hans de Graaff from comment #1)

> I'd be very interested to learn how this is triggered remotely. My understanding is that the page that includes this code is only available in development mode. I guess you could run a rails app in development on a public IP address and then link to this page. Seems far fetched in practice. Or not, reading the pentest comment :-(

Reading the upstream response seems to validate this, and we should not consider this a security bug either. I'm closing it with noglsa (I don't think we have a whiteboard status for "oh, not a security issue").