Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 878495 (CVE-2022-3704) - dev-ruby/rails: XSS within Route Error Page
Summary: dev-ruby/rails: XSS within Route Error Page
Status: CONFIRMED
Alias: CVE-2022-3704
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://github.com/rails/rails/issues...
Whiteboard: B4 [upstream/ebuild]
Keywords:
Depends on:
Blocks:
 
Reported: 2022-10-28 02:28 UTC by John Helmert III
Modified: 2022-10-30 09:54 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-10-28 02:28:59 UTC
CVE-2022-3704:

A vulnerability classified as problematic has been found in Ruby on Rails. This affects an unknown part of the file actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The name of the patch is be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to fix this issue. The associated identifier of this vulnerability is VDB-212319.

Patch: https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4

Bit silly to say that XSS is possible to initiate remotely, I
think. Looks like we're waiting for a release or downstream patch.
Comment 1 Hans de Graaff gentoo-dev 2022-10-30 09:54:49 UTC
(In reply to John Helmert III from comment #0)

> A vulnerability classified as problematic has been found in Ruby on Rails.
> This affects an unknown part of the file
> actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb.
> The manipulation leads to cross site scripting. It is possible to initiate
> the attack remotely. The name of the patch is
> be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch
> to fix this issue. The associated identifier of this vulnerability is
> VDB-212319.

I'd be very interested to learn how this is triggered remotely. My understanding is that the page that includes this code is only available in development mode. I guess you could run a rails app in development on a public IP address and then link to this page. Seems far fetched in practice. Or not, reading the pentest comment :-(

> Bit silly to say that XSS is possible to initiate remotely, I
> think. Looks like we're waiting for a release or downstream patch.

I'd wait for a release here.