Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY1Y3YtcjZ4Ny03OWh2
Cross site scripting vulnerability in ActionView
There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the j or escape_javascript methods may be susceptible to XSS attacks.
Impact
There is a possible XSS vulnerability in the j and escape_javascript methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this:
<script>let a = `<%= j unknown_input %>`</script>
or
<script>let a = `<%= escape_javascript unknown_input %>`</script>
Releases
The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.
Workarounds
For those that can't upgrade, the following monkey patch may be used:
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
{
"`" => "\\`",
"$" => "\\$"
}
)
module ActionView::Helpers::JavaScriptHelper
alias :old_ej :escape_javascript
alias :old_j :j
def escape_javascript(javascript)
javascript = javascript.to_s
if javascript.empty?
result = ""
else
result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
end
javascript.html_safe? ? result.html_safe : result
end
alias :j :escape_javascript
end
Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
- 5-2-js-helper-xss.patch - Patch for 5.2 series
- 6-0-js-helper-xss.patch - Patch for 6.0 series
Please note that only the 5.2 and 6.0 series are supported at present. Users
of earlier unsupported releases are advised to upgrade as soon as possible as we
cannot guarantee the continued availability of security fixes for unsupported
releases.
Credits
Thanks to Jesse Campos from Chef Secure
Permalink: https://github.com/advisories/GHSA-65cv-r6x7-79hvJSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY1Y3YtcjZ4Ny03OWh2
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 4 years ago
Updated: about 1 year ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Identifiers: GHSA-65cv-r6x7-79hv, CVE-2020-5267
References:
- https://github.com/rails/rails/security/advisories/GHSA-65cv-r6x7-79hv
- https://github.com/rails/rails/commit/033a738817abd6e446e1b320cb7d1a5c15224e9a
- https://nvd.nist.gov/vuln/detail/CVE-2020-5267
- https://lists.debian.org/debian-lts-announce/2020/03/msg00022.html
- http://www.openwall.com/lists/oss-security/2020/03/19/1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-5267.yml
- https://groups.google.com/forum/#!topic/rubyonrails-security/55reWMM_Pg8
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00019.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/
- https://github.com/advisories/GHSA-65cv-r6x7-79hv
Blast Radius: 27.7
Affected Packages
rubygems:actionview
Dependent packages: 354Dependent repositories: 601,072
Downloads: 477,673,908 total
Affected Version Ranges: <= 5.2.4.1, >= 6.0.0, <= 6.0.2.1
Fixed in: 5.2.4.2, 6.0.2.2
All affected versions: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3
All unaffected versions: