add CVEs for loofah and rails-html-sanitizer (#531)

Author: flavorjones

gems/loofah/CVE-2022-23514.yml

@@ -0,0 +1,35 @@
+---
+gem: loofah
+cve: 2022-23514
+ghsa: 486f-hjj9-9vhh
+url: https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
+title: "Inefficient Regular Expression Complexity in Loofah"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  Loofah `< 2.19.1` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
+
+
+  ## Mitigation
+
+  Upgrade to Loofah `>= 2.19.1`.
+
+
+  ## Severity
+
+  The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
+
+
+  ## References
+
+  - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)
+  - https://hackerone.com/reports/1684163
+
+
+  ## Credit
+
+  This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
+cvss_v3: 7.5
+patched_versions:
+  - ">= 2.19.1"

gems/loofah/CVE-2022-23515.yml

@@ -0,0 +1,38 @@
+---
+gem: loofah
+cve: 2022-23515
+ghsa: 228g-948r-83gx
+url: https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx
+title: "Improper neutralization of data URIs may allow XSS in Loofah"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  Loofah `>= 2.1.0, < 2.19.1` is vulnerable to cross-site scripting via the `image/svg+xml` media type in data URIs.
+
+
+  ## Mitigation
+
+  Upgrade to Loofah `>= 2.19.1`.
+
+
+  ## Severity
+
+  The Loofah maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
+
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)
+  - https://hackerone.com/reports/1694173
+  - https://github.com/flavorjones/loofah/issues/101
+
+  ## Credit
+
+  This vulnerability was responsibly reported by Maciej Piechota (@haqpl).
+cvss_v3: 6.1
+unaffected_versions:
+  - "< 2.1.0"
+patched_versions:
+  - ">= 2.19.1"

gems/loofah/CVE-2022-23516.yml

@@ -0,0 +1,33 @@
+---
+gem: loofah
+cve: 2022-23516
+ghsa: 3x8r-x6xp-q4vm
+url: https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm
+title: "Uncontrolled Recursion in Loofah"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  Loofah `>= 2.2.0, < 2.19.1` uses recursion for sanitizing `CDATA` sections, making it susceptible to stack exhaustion and raising a `SystemStackError` exception.  This may lead to a denial of service through CPU resource consumption.
+
+
+  ## Mitigation
+
+  Upgrade to Loofah `>= 2.19.1`.
+
+  Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.
+
+
+  ## Severity
+
+  The Loofah maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
+
+
+  ## References
+
+  - [CWE - CWE-674: Uncontrolled Recursion (4.9)](https://cwe.mitre.org/data/definitions/674.html)
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 2.2.0"
+patched_versions:
+  - ">= 2.19.1"

gems/rails-html-sanitizer/CVE-2022-23517.yml

@@ -0,0 +1,35 @@
+---
+gem: rails-html-sanitizer
+cve: 2022-23517
+ghsa: 5x79-w82f-gw8w
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-5x79-w82f-gw8w
+title: "Inefficient Regular Expression Complexity in rails-html-sanitizer"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  Certain configurations of rails-html-sanitizer `< 1.4.4` use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
+
+
+  ## Mitigation
+
+  Upgrade to rails-html-sanitizer `>= 1.4.4`.
+
+
+  ## Severity
+
+  The maintainers have evaluated this as [High Severity 7.5 (CVSS3.1)](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
+
+
+  ## References
+
+  - [CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)](https://cwe.mitre.org/data/definitions/1333.html)
+  - https://hackerone.com/reports/1684163
+
+
+  ## Credit
+
+  This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
+cvss_v3: 7.5
+patched_versions:
+  - ">= 1.4.4"

gems/rails-html-sanitizer/CVE-2022-23518.yml

@@ -0,0 +1,39 @@
+---
+gem: rails-html-sanitizer
+cve: 2022-23518
+ghsa: mcvf-2q2m-x72m
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-mcvf-2q2m-x72m
+title: "Improper neutralization of data URIs may allow XSS in rails-html-sanitizer"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  rails-html-sanitizer `>= 1.0.3, < 1.4.4` is vulnerable to cross-site scripting via data URIs when used in combination with Loofah `>= 2.1.0`.
+
+
+  ## Mitigation
+
+  Upgrade to rails-html-sanitizer `>= 1.4.4`.
+
+
+  ## Severity
+
+  The maintainers have evaluated this as [Medium Severity 6.1](https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
+
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - [SVG MIME Type (image/svg+xml) is misleading to developers · Issue #266 · w3c/svgwg](https://github.com/w3c/svgwg/issues/266)
+  - https://github.com/rails/rails-html-sanitizer/issues/135
+  - https://hackerone.com/reports/1694173
+
+
+  ## Credit
+
+  This vulnerability was independently reported by Maciej Piechota (@haqpl) and Mrinmoy Das (@goromlagche).
+cvss_v3: 6.1
+unaffected_versions:
+  - "< 1.0.3"
+patched_versions:
+  - ">= 1.4.4"

gems/rails-html-sanitizer/CVE-2022-23519.yml

@@ -0,0 +1,84 @@
+---
+gem: rails-html-sanitizer
+cve: 2022-23519
+ghsa: 9h9g-93gc-623h
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-9h9g-93gc-623h
+title: "Possible XSS vulnerability with certain configurations of rails-html-sanitizer"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer.
+
+  - Versions affected: ALL
+  - Not affected: NONE
+  - Fixed versions: 1.4.4
+
+
+  ## Impact
+
+  A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags in either of the following ways:
+
+  - allow both "math" and "style" elements,
+  - or allow both "svg" and "style" elements
+
+  Code is only impacted if allowed tags are being overridden. Applications may be doing this in four different ways:
+
+  1. using application configuration:
+
+    ```ruby
+    # In config/application.rb
+    config.action_view.sanitized_allowed_tags = ["math", "style"]
+    # or
+    config.action_view.sanitized_allowed_tags = ["svg", "style"]
+    ```
+
+    see https://guides.rubyonrails.org/configuring.html#configuring-action-view
+
+  2. using a `:tags` option to the Action View helper `sanitize`:
+
+    ```
+    <%= sanitize @comment.body, tags: ["math", "style"] %>
+    <%# or %>
+    <%= sanitize @comment.body, tags: ["svg", "style"] %>
+    ```
+
+    see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize
+
+  3. using Rails::Html::SafeListSanitizer class method `allowed_tags=`:
+
+    ```ruby
+    # class-level option
+    Rails::Html::SafeListSanitizer.allowed_tags = ["math", "style"]
+    # or
+    Rails::Html::SafeListSanitizer.allowed_tags = ["svg", "style"]
+    ```
+
+  4. using a `:tags` options to the Rails::Html::SafeListSanitizer instance method `sanitize`:
+
+    ```ruby
+    # instance-level option
+    Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["math", "style"])
+    # or
+    Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["svg", "style"])
+    ```
+
+  All users overriding the allowed tags by any of the above mechanisms to include (("math" or "svg") and "style") should either upgrade or use one of the workarounds immediately.
+
+
+  ## Workarounds
+
+  Remove "style" from the overridden allowed tags, or remove "math" and "svg" from the overridden allowed tags.
+
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - https://hackerone.com/reports/1656627
+
+
+  ## Credit
+
+  This vulnerability was responsibly reported by Dominic Breuker.
+patched_versions:
+  - ">= 1.4.4"

gems/rails-html-sanitizer/CVE-2022-23520.yml

@@ -0,0 +1,64 @@
+---
+gem: rails-html-sanitizer
+cve: 2022-23520
+ghsa: rrfc-7g8p-99q8
+url: https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rrfc-7g8p-99q8
+title: "Possible XSS vulnerability with certain configurations of rails-html-sanitizer"
+date: 2022-12-13
+description: |
+  ## Summary
+
+  There is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer. This is due to an incomplete fix of CVE-2022-32209.
+
+  - Versions affected: ALL
+  - Not affected: NONE
+  - Fixed versions: 1.4.4
+
+
+  ## Impact
+
+  A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer's allowed tags to allow both "select" and "style" elements.
+
+  Code is only impacted if allowed tags are being overridden using either of the following two mechanisms:
+
+  1. Using the Rails configuration `config.action_view.sanitized_allow_tags=`:
+
+    ```ruby
+    # In config/application.rb
+    config.action_view.sanitized_allowed_tags = ["select", "style"]
+    ```
+
+    (see https://guides.rubyonrails.org/configuring.html#configuring-action-view)
+
+  2. Using the class method `Rails::Html::SafeListSanitizer.allowed_tags=`:
+
+    ```ruby
+    # class-level option
+    Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
+    ```
+
+  All users overriding the allowed tags by either of the above mechanisms to include both "select" and "style" should either upgrade or use one of the workarounds immediately.
+
+  NOTE: Code is _not_ impacted if allowed tags are overridden using either of the following mechanisms:
+
+  - the `:tags` option to the Action View helper method `sanitize`.
+  - the `:tags` option to the instance method `SafeListSanitizer#sanitize`.
+
+
+  ## Workarounds
+
+  Remove either "select" or "style" from the overridden allowed tags.
+
+
+  ## References
+
+  - [CWE - CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (4.9)](https://cwe.mitre.org/data/definitions/79.html)
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32209
+  - https://hackerone.com/reports/1654310
+
+
+  ## Credit
+
+  This vulnerability was responsibly reported by Dominic Breuker.
+patched_versions:
+  - ">= 1.4.4"