3 advisories from GHSA sync script

Author: jasnow

gems/RedCloth/CVE-2023-31606.yml

@@ -0,0 +1,23 @@
+---
+gem: RedCloth
+cve: 2023-31606
+ghsa: qcm3-vfq5-wfr2
+url: https://github.com/e23e/CVE-2023-31606#readme
+title: RedCloth Regular Expression Denial of Service issue
+date: 2023-06-06
+description: |
+  A Regular Expression Denial of Service (ReDoS) issue was discovered
+  in the "sanitize_html" function of RedCloth gem >= v4.0.0.
+  This vulnerability allows attackers to cause a
+  Denial of Service (DoS) via supplying a crafted payload.
+cvss_v3: 7.5
+unaffected_versions:
+  - "< 4.0.0"
+notes: "Never patched: vulnerableVersionRange: <= 4.3.2; NVD has no cvss values"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-31606
+    - https://github.com/e23e/CVE-2023-31606#readme
+    - https://github.com/jgarber/redcloth/issues/73
+    - https://github.com/jgarber/redcloth/blob/v4.3.2/lib/redcloth/formatters/html.rb#L327
+    - https://github.com/advisories/GHSA-qcm3-vfq5-wfr2

gems/avo/CVE-2023-34102.yml

@@ -0,0 +1,70 @@
+---
+gem: avo
+cve: 2023-34102
+ghsa: 86h2-2g4g-29qx
+url: https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
+title: avo possible unsafe reflection / partial DoS vulnerability
+date: 2023-06-06
+description: |
+  ### Summary
+
+  "The polymorphic field type stores the classes to operate on when updating
+  a record with user input, and does not validate them in the back end.
+  This can lead to unexpected behavior, remote code execution, or
+  application crashes when viewing a manipulated record.
+
+  ### Details
+
+  After reviewing the polymorphic field implementation and performing
+  some black box approaches, we identified a potential security issue
+  related to the use of safe_constantize / constantize. This Rails
+  functionality is capable of searching for classes within the Rails
+  context and returning the class for further use. Because Avo does
+  not validate user input when updating or creating a new polymorphic
+  resource, it is possible to create database entries with completely
+  different or invalid class names than the preselected ones. Avo
+  assumes that the class specified by the user request is a valid one
+  and attempts to work with it, which may result in dangerous behavior
+  and code execution.
+
+  ### PoC
+
+  ![image](https://user-images.githubusercontent.com/26464774/243437854-933d94c8-4ae0-43fe-b2da-35b103e28796.png)\n_In the test scenario we choose the demo app and the review resource which has a polymorphic
+  reviewable field._![image](https://user-images.githubusercontent.com/26464774/243437954-2d947c6d-4e97-4e91-a442-405e553dd047.png)\n_Intercepting
+  the request and switching the review[reviewable_type] from “Fish”
+  to “File” which is a real class inside Rails_![image](https://user-images.githubusercontent.com/26464774/243438031-109de6d0-9370-4318-b18e-c5bcea61cf54.png)\n_Corrupting
+  the database with unusable classes will cause a crash at the
+  application while viewing the new record or the index
+  view (partial DoS)_\n\n![image](https://user-images.githubusercontent.com/26464774/243438104-80df5aae-86de-40fc-870d-689a03cae389.png)\n_Manual
+  delete the corrupted resource in order to recover the applications functionality_\n\n![image](https://user-images.githubusercontent.com/26464774/243438182-1e7eef54-73ba-47d0-b5df-4bad14859af3.png)\n_Of
+  course it is possible to use other class names or namespaces. The
+  local development environment displays the backend error message
+  when visiting a corrupted record. Avo is trying to apply a scope to
+  this class that does not exist._\n\n![image](https://user-images.githubusercontent.com/26464774/243438257-dbb59153-58a8-4421-b796-f2a0f2c20083.png)\n_Specifying
+  an invalid class name in the parameter will cause the application
+  to crash again while trying constanize the provided string_
+
+  ### Impact
+
+  The final exploitation of this vulnerability requires more time than
+  is provided in this assessment, but initial testing of the post request
+  shows the potential critical risk. The classes could be instantiated
+  at any point in the code and this could also lead to code execution.
+
+  ### Recommendation
+
+  Avo should be configured to never trust user-supplied input, especially
+  when defining classes for records. In this particular case, Avo can
+  evaluate the options list given for the polymorphic field and only allow
+  strings from that list. With this white-list approach, an attacker
+  cannot supply unintended classes."
+cvss_v3: 8.3
+patched_versions:
+  - ">= 2.33.3"
+related:
+  url:
+    - https://github.com/avo-hq/avo/security/advisories/GHSA-86h2-2g4g-29qx
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-34102
+    - https://github.com/avo-hq/avo/commit/ec117882ddb1b519481bdd046dc3cfa4474e6e17
+    - https://github.com/avo-hq/avo/releases/tag/v2.33.3
+    - https://github.com/advisories/GHSA-86h2-2g4g-29qx

gems/avo/CVE-2023-34103.yml

@@ -0,0 +1,61 @@
+---
+gem: avo
+cve: 2023-34103
+ghsa: 5cr9-5jx3-2g39
+url: https://github.com/avo-hq/avo/security/advisories/GHSA-5cr9-5jx3-2g39
+title: avo vulnerable to Stored XSS (Cross Site Scripting) in
+  html content based fields
+date: 2023-06-06
+description: |
+  ### Summary
+
+  Some avo fields are vulnerable to XSS when rendering html based content.
+
+  ### Details
+  During the analysis of the web application, a rendered field was
+  discovered that did not filter JS / HTML tags in a safe way and can
+  be abused to execute js code on a client side. The trix field uses
+  the trix editor in the backend to edit rich text data which basically
+  operates with html tags. To display the stored data in a rendered view,
+  the HasHTMLAttributes concern is used. This can be exploited by an
+  attacker to store javascript code in any trix field by intercepting
+  the request and modifying the post data, as the trix editor does not
+  allow adding custom html or js tags on the frontend.
+
+  ### PoC
+
+  ![image](https://user-images.githubusercontent.com/26464774/243434868-47857054-9b20-437f-842f-0750d53c9b0e.png)
+  _Adding javascript in the post request which is used when editing a "post" resource (body is declared as a trix field)_
+  ![image](https://user-images.githubusercontent.com/26464774/243435009-948593a0-5179-4368-977c-ec36d2373925.png)
+  _Successful execution of JS code on live demo environment_
+
+  ### Impact
+
+  Unlike non-persistent XSS, persistent XSS does not require a social
+  engineering phase. Victims of this attack do not need to be tricked
+  into clicking a link or something like that. However, by exploiting
+  such a vulnerability on this particular target, attackers may be able
+  to gain access to accounts that require special protection, such as
+  administrators of the web service, which is what Avo is primarily
+  intended to be used for.
+
+  ### Recommendation
+
+  The content of a field that contains html code should be sanitized
+  using the according rails helper which uses a whitelist of known-safe
+  tags and attributes. Also this security consideration should be
+  applied to the “as_html” attribute as well because it may contain
+  user controlled input as well.
+
+  https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
+
+cvss_v3: 7.3
+patched_versions:
+  - ">= 2.33.3"
+related:
+  url:
+    - https://github.com/avo-hq/avo/security/advisories/GHSA-5cr9-5jx3-2g39
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-34103
+    - https://github.com/avo-hq/avo/releases/tag/v2.33.3
+    - https://github.com/avo-hq/avo/commit/7891c01e1fba9ca5d7dbccc43d27f385e5d08563
+    - https://github.com/advisories/GHSA-5cr9-5jx3-2g39