Bugzilla – Bug 934799
VUL-0: CVE-2015-3226: rubygem-activesupport: XSS Vulnerability in ActiveSupport::JSON.encode
Last modified: 2017-09-11 16:03:11 UTC
EMBARGOED CRD: 2015-06-16 XSS Vulnerability in ActiveSupport::JSON.encode There is an XSS vulnerability in the ActiveSupport::JSON.encode method in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2015-3226. Versions Affected: 3.0.x, 3.1.x, 3.2.x, 4.1.x, 4.2.x. Not affected: 4.0.x. Fixed Versions: 4.2.2, 4.1.11 Impact ------ When a `Hash` containing user-controlled data is encode as JSON (either through `Hash#to_json` or `ActiveSupport::JSON.encode`), Rails does not perform adequate escaping that matches the guarantee implied by the `escape_html_entities_in_json` option (which is enabled by default). If this resulting JSON string is subsequently inserted directly into an HTML page, the page will be vulnerable to XSS attacks. For example, the following code snippet is vulnerable to this attack: <%= javascript_tag "var data = #{user_supplied_data.to_json};" %> Similarly, the following is also vulnerable: <script> var data = <%= ActiveSupport::JSON.encode(user_supplied_data).html_safe %>; </script> All applications that renders JSON-encoded strings that contains user-controlled data in their views should either upgrade to one of the FIXED versions or use the suggested workaround immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- To work around this problem add an initializer with the following code: module ActiveSupport module JSON module Encoding private class EscapedString def to_s self end end end end end Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 4-1-to_json_xss.patch - Patch for 4.1 series * 4-2-to_json_xss.patch - Patch for 4.2 series Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Francois Chagnon of Shopify for reporting the vulnerability to us, and working with us on a fix.
bugbot adjusting priority
public
openSUSE:13.1 rubygem-actionpack-3_2 openSUSE:13.2 rubygem-actionpack-3_2 openSUSE:Factory rubygem-actionpack-4_2 in devel project: devel:languages:ruby:extensions rubygem-actionpack-2_3 devel:languages:ruby:extensions rubygem-actionpack-3_2 devel:languages:ruby:extensions rubygem-actionpack-4_1 devel:languages:ruby:extensions rubygem-actionpack-4_2
(In reply to Jordi Massaguer from comment #6) > openSUSE:13.1 > rubygem-actionpack-3_2 > > openSUSE:13.2 > rubygem-actionpack-3_2 > > openSUSE:Factory > rubygem-actionpack-4_2 > > in devel project: > > devel:languages:ruby:extensions > rubygem-actionpack-2_3 > devel:languages:ruby:extensions > rubygem-actionpack-3_2 > devel:languages:ruby:extensions > rubygem-actionpack-4_1 > devel:languages:ruby:extensions > rubygem-actionpack-4_2 substitute actionpack by activesupport...
Rails < 4.1 is not affected see: https://groups.google.com/forum/#!topic/rubyonrails-core/qBUqVlXERag
thus, we will update only openSUSE:Factory | rubygem-actionpack-4_2
activesupport 4.2.3 is already in Factory which contains the fix.
Created attachment 640101 [details] test code Run "ruby.ruby2.1 test.rb" this is the result prior to patching {"<>":"\u003c\u003e"} and this is the result after patching {"\u003c\u003e":"\u003c\u003e"}
assigning to security team
Releasing last update, closind.
SUSE-SU-2016:0082-1: An update that fixes two vulnerabilities is now available. Category: security (moderate) Bug References: 934799,934800 CVE References: CVE-2015-3226,CVE-2015-3227 Sources used: SUSE OpenStack Cloud 5 (src): rubygem-activesupport-4_1-4.1.9-9.2