Comment 1 Hans de Graaff 2022-10-30 09:54:49 UTC

(In reply to John Helmert III from comment #0)

> A vulnerability classified as problematic has been found in Ruby on Rails.
> This affects an unknown part of the file
> actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb.
> The manipulation leads to cross site scripting. It is possible to initiate
> the attack remotely. The name of the patch is
> be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch
> to fix this issue. The associated identifier of this vulnerability is
> VDB-212319.

I'd be very interested to learn how this is triggered remotely. My understanding is that the page that includes this code is only available in development mode. I guess you could run a rails app in development on a public IP address and then link to this page. Seems far fetched in practice. Or not, reading the pentest comment :-(

> Bit silly to say that XSS is possible to initiate remotely, I
> think. Looks like we're waiting for a release or downstream patch.

I'd wait for a release here.

I don't think there was ever a stable version in tree so dropping to ~ and pushing to cleanup. The developers also said isn't an actual security issue because of how the bug is ran, is this good to close?

https://github.com/rails/rails/issues/46244#issuecomment-1380875153

Comment 3 Hans de Graaff 2024-05-05 08:07:09 UTC

(In reply to Hans de Graaff from comment #1)

> I'd be very interested to learn how this is triggered remotely. My
> understanding is that the page that includes this code is only available in
> development mode. I guess you could run a rails app in development on a
> public IP address and then link to this page. Seems far fetched in practice.
> Or not, reading the pentest comment :-(

Reading the upstream response seems to validate this, and we should not consider this a security bug either. I'm closing it with noglsa (I don't think we have a whiteboard status for "oh, not a security issue").