CVE-2022-23519: Possible XSS vulnerability with certain configurations of rails-html-sanitizer
First published: Tue Dec 13 2022(Updated: )
## Summary There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. - Versions affected: ALL - Not affected: NONE - Fixed versions: 1.4.4 ## Impact A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways: - allow both "math" and "style" elements, - or allow both "svg" and "style" elements Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways: 1. using application configuration: ```ruby # In config/application.rb config.action_view.sanitized_allowed_tags = ["math", "style"] # or config.action_view.sanitized_allowed_tags = ["svg", "style"] ``` see https://guides.rubyonrails.org/configuring.html#configuring-action-view 2. using a `:tags` option to the Action View helper `sanitize`: ``` <%= sanitize @comment.body, tags: ["math", "style"] %> <%# or %> <%= sanitize @comment.body, tags: ["svg", "style"] %> ``` see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize 3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`: ```ruby # class-level option Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"] # or Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"] ``` 4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`: ```ruby # instance-level option Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"]) # or Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"]) ``` All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately. ## Workarounds Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags. ## References - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html) - https://hackerone.com/reports/1656627 ## Credit This vulnerability was responsibly reported by Dominic Breuker.
Credit: security-advisories@github.com security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/rails-html-sanitizer | <1.4.4 | 1.4.4 |
| redhat/rubygem-rails-html-sanitizer | <0:1.4.4-1.el8 | 0:1.4.4-1.el8 |
| redhat/rubygem-rails-html-sanitizer | <1.4.4 | 1.4.4 |
| Ruby on Rails HTML Sanitizer | <1.4.4 | |
| Ruby on Rails HTML Sanitizer | <1.4.4 | |
| Debian Linux | =10.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
- https://hackerone.com/reports/1656627
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails-html-sanitizer/CVE-2022-23519.yml
- https://nvd.nist.gov/vuln/detail/CVE-2022-23519
- https://lists.debian.org/debian-lts-announce/2023/09/msg00012.html
- https://github.com/advisories/GHSA-9h9g-93gc-623h (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2153746
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2153747
- https://access.redhat.com/errata/RHSA-2023:2097
- https://access.redhat.com/security/cve/cve-2022-23519
- https://bugzilla.redhat.com/show_bug.cgi?id=2153744
- https://www.cve.org/CVERecord?id=CVE-2022-23519 https://nvd.nist.gov/vuln/detail/CVE-2022-23519 https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
Frequently Asked Questions
What is the severity of CVE-2022-23519?
CVE-2022-23519 is considered a critical XSS vulnerability that can impact the security of applications utilizing Rails::Html::Sanitizer.
How do I fix CVE-2022-23519?
To fix CVE-2022-23519, update Rails::Html::Sanitizer to version 1.4.4 or later.
What are the affected versions of CVE-2022-23519?
All versions of Rails::Html::Sanitizer are affected by CVE-2022-23519.
Is there a workaround for CVE-2022-23519?
No effective workaround exists for CVE-2022-23519; upgrading to the fixed version is necessary.
What is the impact of CVE-2022-23519?
CVE-2022-23519 may allow attackers to execute arbitrary JavaScript code in the context of a user's browser.
- collector/github-advisory-latest
- alias/GHSA-9h9g-93gc-623h
- alias/CVE-2022-23519
- collector/github-advisory
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- agent/references
- agent/weakness
- agent/author
- agent/severity
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/trending
- agent/source
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/last-modified-date
- agent/tags
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- package-manager/rubygems
- package-manager/redhat
- vendor/rails html sanitizer project
- canonical/ruby on rails html sanitizer
- vendor/rubyonrails
- vendor/debian
- canonical/debian linux
- version/debian linux/10.0