Advisories for Gem/Activesupport package

2023

Active Support Possibly Discloses Locally Encrypted Files

There is a possible file disclosure of locally encrypted files in Active Support. This vulnerability has been assigned the CVE identifier CVE-2023-38037. Versions Affected: >= 5.2.0 Not affected: < 5.2.0 Fixed Versions: 7.0.7.1, 6.1.7.5 Impact ActiveSupport::EncryptedFile writes contents that will be encrypted to a temporary file. The temporary file’s permissions are defaulted to the user’s current umask settings, meaning that it’s possible for other users on the same system to …

Possible XSS Security Vulnerability in SafeBuffer#bytesplice

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input. This vulnerability has been assigned the CVE identifier CVE-2023-28120. Versions Affected: All. Not affected: None Fixed Versions: 7.0.4.3, 6.1.7.3 Impact ActiveSupport uses the SafeBuffer string subclass to tag strings as html_safe after they have been sanitized. When these strings are mutated, the tag is should be removed to mark them …

Inefficient Regular Expression Complexity

A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.

Duplicate of ./gem/activesupport/CVE-2023-22796.yml

There is a possible regular expression based DoS vulnerability in Active Support. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. This affects String#underscore, ActiveSupport::Inflector.underscore, String#titleize, and any other methods using these. All users running an affected release …

2020
2018

Command Injection

active-support could allow a remote attacker to execute arbitrary code on the system, caused by containing a malicious backdoor. An attacker could exploit this vulnerability to execute arbitrary code on the system.

2017
2015

XSS Vulnerability in ActiveSupport::JSON.encode

When a Hash containing user-controlled data is encoded as JSON (either through Hash#to_json or ActiveSupport::JSON.encode), Rails does not perform adequate escaping that matches the guarantee implied by the escape_html_entities_in_json option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks.

Possible Denial of Service

Specially crafted XML documents can cause applications to raise a SystemStackError and potentially cause a denial of service attack. This nonly impacts applications using REXML or JDOM as their XML processor. Other XML processors that Rails supports are not impacted.

2013
2012

Potential XSS Vulnerability in Ruby on Rails

The HTML escaping code in Ruby on Rails does not escape all potentially dangerous characters. In particular the code does not escape the single quote character. The helpers used in Rails itself never use single quotes, so most applications are unlikely to be vulnerable, however all users running an affected release should still upgrade.

Direct Manipulation XSS

Ruby on Rails contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the application does not validate direct manipulations of SafeBuffer objects via '[]' and other methods. This may allow a user to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.