GHSA SYNC: 5 brand new advisories

gems/rails-html-sanitizer/CVE-2024-53985.yml

@@ -0,0 +1,132 @@
+---
+gem: rails-html-sanitizer
+framework: rails
+cve: 2024-53985
+ghsa: w8gc-x259-rc7x
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
+title: rails-html-sanitizer has XSS vulnerability with certain configurations
+date: 2024-12-02
+description: |
+  ## Summary
+
+  There is a possible XSS vulnerability with certain configurations of
+  Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0 and
+  Nokogiri < 1.15.7, or 1.16.x < 1.16.8.
+
+  * Versions affected: 1.6.0
+  * Not affected: < 1.6.0
+  * Fixed versions: 1.6.1
+
+  Please note that the fix in v1.6.1 is to update the dependency on
+  Nokogiri to 1.15.7 or >= 1.16.8.
+
+  ## Impact
+
+  A possible XSS vulnerability with certain configurations of
+  Rails::HTML::Sanitizer may allow an attacker to inject content if
+  HTML5 sanitization is enabled and the application developer has
+  overridden the sanitizer's allowed tags in either of the following ways:
+
+  * allow both "math" and "style" elements
+  * or allow both "svg" and "style" elements
+
+  Code is only impacted if Rails is configured to use HTML5 sanitization,
+  please see documentation for
+  [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+  and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+  for more information on these configuration options.
+
+  Code is only impacted if allowed tags are being overridden.
+  Applications may be doing this in a few different ways:
+
+  1. using application configuration to configure Action View
+     sanitizers' allowed tags:
+
+    ```ruby
+    # In config/application.rb
+    config.action_view.sanitized_allowed_tags = ["math", "style"]
+    # or
+    config.action_view.sanitized_allowed_tags = ["svg", "style"]
+    ```
+
+    see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+  2. using a `:tags` option to the Action View helper `sanitize`:
+
+    ```
+    <= sanitize @comment.body, tags: ["math", "style"] >
+    <# or>
+    <= sanitize @comment.body, tags: ["svg", "style"] >
+    ```
+
+    see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+  3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:
+
+    ```ruby
+    # class-level option
+    Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
+    # or
+    Rails::HTML5::SafeListSanitizer.allowed_tags = ["svg", "style"]
+    ```
+
+    (note that this class may also be referenced as
+    `Rails::Html::SafeListSanitizer`)
+
+  4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer
+     instance method `sanitize`:
+
+    ```ruby
+    # instance-level option
+    Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
+    # or
+    Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])
+    ```
+    (note that this class may also be referenced as `Rails::Html::SafeListSanitizer`)
+
+  5. setting ActionText::ContentHelper module attribute `allowed_tags`:
+
+    ```ruby
+    ActionText::ContentHelper.allowed_tags = ["math", "style"]
+    # or
+    ActionText::ContentHelper.allowed_tags = ["svg", "style"]
+    ```
+
+  All users overriding the allowed tags by any of the above mechanisms
+  to include (("math" or "svg") and "style") should either upgrade or
+  use one of the workarounds.
+
+  ## Workarounds
+
+  Any one of the following actions will work around this issue:
+
+  - Remove "style" from the overridden allowed tags,
+  - Or, remove "math" and "svg" from the overridden allowed tags,
+  - Or, downgrade sanitization to HTML4 (see documentation for
+    [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+    and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+    for more information)
+  - Or, independently upgrade Nokogiri to v1.15.7 or >= 1.16.8.
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - Original report: https://hackerone.com/reports/2503220
+
+  ## Credit
+
+  This vulnerability was responsibly reported by HackerOne user
+  [@taise](https://hackerone.com/taise?type=user).
+cvss_v4: 2.3
+unaffected_versions:
+  - "< 1.6.0"
+patched_versions:
+  - ">= 1.6.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-53985
+    - https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
+    - https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-w8gc-x259-rc7x
+    - https://github.com/rails/rails-html-sanitizer/commit/b0220b8850d52199a15f83c472d175a4122dd7b1
+    - https://github.com/rails/rails-html-sanitizer/commit/cd18b0ef00aad1d4a9e1c5d860cd23f80f63c505
+    - https://github.com/advisories/GHSA-w8gc-x259-rc7x

gems/rails-html-sanitizer/CVE-2024-53986.yml

@@ -0,0 +1,116 @@
+---
+gem: rails-html-sanitizer
+framework: rails
+cve: 2024-53986
+ghsa: 638j-pmjw-jq48
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48
+title: rails-html-sanitizer has XSS vulnerability with certain configurations
+date: 2024-12-02
+description: |
+  ## Summary
+
+  There is a possible XSS vulnerability with certain configurations of
+  Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.
+
+  * Versions affected: 1.6.0
+  * Not affected: < 1.6.0
+  * Fixed versions: 1.6.1
+
+  ## Impact
+
+  A possible XSS vulnerability with certain configurations of
+  Rails::HTML::Sanitizer may allow an attacker to inject content if
+  HTML5 sanitization is enabled and the application developer has
+  overridden the sanitizer's allowed tags in the following way:
+
+  - the "math" and "style" elements are both explicitly allowed
+
+  Code is only impacted if Rails is configured to use HTML5 sanitization,
+  please see documentation for
+  [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+  and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+  for more information on these configuration options.
+
+  The default configuration is to disallow these elements. Code is only
+  impacted if allowed tags are being overridden. Applications may be
+  doing this in a few different ways:
+
+  1. using application configuration to configure Action View sanitizers'
+     allowed tags:
+
+    ```ruby
+    # In config/application.rb
+    config.action_view.sanitized_allowed_tags = ["math", "style"]
+    ```
+
+    see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+  2. using a `:tags` option to the Action View helper `sanitize`:
+
+    ```
+    <= sanitize @comment.body, tags: ["math", "style"]>
+    ```
+
+    see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+  3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:
+
+    ```ruby
+    # class-level option
+    Rails::HTML5::SafeListSanitizer.allowed_tags = ["math", "style"]
+    ```
+
+    (note that this class may also be referenced as
+    `Rails::Html::SafeListSanitizer`)
+
+  4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer
+     instance method `sanitize`:
+
+    ```ruby
+    # instance-level option
+    Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
+    ```
+
+    (note that this class may also be referenced as
+     `Rails::Html::SafeListSanitizer`)
+
+  5. setting ActionText::ContentHelper module attribute `allowed_tags`:
+
+    ```ruby
+    ActionText::ContentHelper.allowed_tags = ["math", "style"]
+    ```
+
+  All users overriding the allowed tags by any of the above mechanisms
+  to include both "math" and "style" should either upgrade or use one
+  of the workarounds.
+
+  ## Workarounds
+
+  Any one of the following actions will work around this issue:
+
+  - Remove "math" or "style" from the overridden allowed tags,
+  - Or, downgrade sanitization to HTML4 (see documentation for
+    [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+    and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+    for more information).
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - Original report: https://hackerone.com/reports/2519941
+
+  ## Credit
+
+  This vulnerability was responsibly reported by So Sakaguchi (mokusou).
+cvss_v4: 2.3
+unaffected_versions:
+  - "< 1.6.0"
+patched_versions:
+  - ">= 1.6.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-53986
+    - https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
+    - https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48
+    - https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
+    - https://github.com/advisories/GHSA-638j-pmjw-jq48

gems/rails-html-sanitizer/CVE-2024-53987.yml

@@ -0,0 +1,114 @@
+---
+gem: rails-html-sanitizer
+framework: rails
+cve: 2024-53987
+ghsa: 2x5m-9ch4-qgrr
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr
+title: rails-html-sanitizer has XSS vulnerability with certain configurations
+date: 2024-12-02
+description: |
+  ## Summary
+
+  There is a possible XSS vulnerability with certain configurations of
+  Rails::HTML::Sanitizer 1.6.0 when used with Rails >= 7.1.0.
+
+  * Versions affected: 1.6.0
+  * Not affected: < 1.6.0
+  * Fixed versions: 1.6.1
+
+  ## Impact
+
+  A possible XSS vulnerability with certain configurations of
+  Rails::HTML::Sanitizer may allow an attacker to inject content if
+  HTML5 sanitization is enabled and the application developer has
+  overridden the sanitizer's allowed tags in the following way:
+
+  - the "style" element is explicitly allowed
+  - the "svg" or "math" element is not allowed
+
+  Code is only impacted if Rails is configured to use HTML5 sanitization,
+  please see documentation for [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+  and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+  for more information on these configuration options.
+
+  The default configuration is to disallow all of these elements. Code
+  is only impacted if allowed tags are being overridden. Applications
+  may be doing this in a few different ways:
+
+  1. using application configuration to configure Action View sanitizers'
+     allowed tags:
+
+    ```ruby
+    # In config/application.rb
+    config.action_view.sanitized_allowed_tags = ["style"]
+    ```
+
+    see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+  2. using a `:tags` option to the Action View helper `sanitize`:
+
+    ```
+    <= sanitize @comment.body, tags: ["style"] >
+    ```
+
+    see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+  3. setting Rails::HTML5::SafeListSanitizer class attribute `allowed_tags`:
+
+    ```ruby
+    # class-level option
+    Rails::HTML5::SafeListSanitizer.allowed_tags = ["style"]
+    ```
+
+    (note that this class may also be referenced as
+    `Rails::Html::SafeListSanitizer`)
+
+  4. using a `:tags` options to the Rails::HTML5::SafeListSanitizer instance method `sanitize`:
+
+    ```ruby
+    # instance-level option
+    Rails::HTML5::SafeListSanitizer.new.sanitize(@article.body, tags: ["style"])
+    ```
+
+    (note that this class may also be referenced as
+    `Rails::Html::SafeListSanitizer`)
+
+  5. setting ActionText::ContentHelper module attribute `allowed_tags`:
+
+    ```ruby
+    ActionText::ContentHelper.allowed_tags = ["style"]
+    ```
+
+  All users overriding the allowed tags by any of the above mechanisms
+  to include "style" and omit "svg" or "math" should either upgrade
+  or use one of the workarounds.
+
+  ## Workarounds
+
+  Any one of the following actions will work around this issue:
+
+  - Remove "style" from the overridden allowed tags,
+  - Or, downgrade sanitization to HTML4 (see documentation for
+    [`config.action_view.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-view-sanitizer-vendor)
+    and [`config.action_text.sanitizer_vendor`](https://guides.rubyonrails.org/configuring.html#config-action-text-sanitizer-vendor)
+    for more information).
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - Original report: https://hackerone.com/reports/2519936
+
+  ## Credit
+
+  This vulnerability was responsibly reported by So Sakaguchi (mnokusou).
+cvss_v4: 2.3
+unaffected_versions:
+  - "< 1.6.0"
+patched_versions:
+  - ">= 1.6.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-53987
+    - https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr
+    - https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
+    - https://github.com/advisories/GHSA-2x5m-9ch4-qgrr