Updated advisory posts against rubysec/ruby-advisory-db@95316e8

Author: postmodern

advisories/_posts/2024-02-21-CVE-2024-26142.md

@@ -0,0 +1,44 @@
+---
+layout: advisory
+title: 'CVE-2024-26142 (actionpack): Possible ReDoS vulnerability in Accept header
+  parsing in Action Dispatch'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2024-26142
+  url: https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
+  title: Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
+  date: 2024-02-21
+  description: |
+    There is a possible ReDoS vulnerability in the Accept header parsing routines
+    of Action Dispatch. This vulnerability has been assigned the CVE identifier
+    CVE-2024-26142.
+
+    Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1
+
+    # Impact
+
+    Carefully crafted Accept headers can cause Accept header parsing in
+    Action Dispatch to take an unexpected amount of time, possibly resulting in a
+    DoS vulnerability. All users running an affected release should either upgrade
+    or use one of the workarounds immediately.
+
+    Ruby 3.2 has mitigations for this problem, so Rails applications using
+    Ruby 3.2 or newer are unaffected.
+
+    # Releases
+
+    The fixed releases are available at the normal locations.
+
+    # Workarounds
+
+    There are no feasible workarounds for this issue.
+  unaffected_versions:
+  - "< 7.1.0"
+  patched_versions:
+  - ">= 7.1.3.1"
+---

advisories/_posts/2024-02-21-CVE-2024-26143.md

@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2024-26143 (actionpack): Possible XSS Vulnerability in Action Controller'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2024-26143
+  url: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
+  title: Possible XSS Vulnerability in Action Controller
+  date: 2024-02-21
+  description: "There is a possible XSS vulnerability when using the translation helpers\n(`translate`,
+    `t`, etc) in Action Controller. This vulnerability has been\nassigned the CVE
+    identifier CVE-2024-26143.\n\nVersions Affected: All. Not affected: None Fixed
+    Versions: 7.1.3.1, 7.0.8.1\n\n# Impact\n\nApplications using translation methods
+    like `translate`, or `t` on a\ncontroller, with a key ending in “_html”, a `:default`
+    key which contains\nuntrusted user input, and the resulting string is used in
+    a view, may be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted
+    code will look something like this:\n\n```\nclass ArticlesController < ApplicationController\n
+    \ def show  \n    @message = t(\"message_html\", default: untrusted_input)\n    #
+    The `show` template displays the contents of `@message`\n  end\nend\n```\n\nTo
+    reiterate the pre-conditions, applications must:\n\n* Use a translation function
+    from a controller (i.e. *not* `I18n.t`, or\n`t` from a view)\n* Use a key that
+    ends in `_html`\n* Use a default value where the default value is untrusted and
+    unescaped input\n* Send the text to the victim (whether that’s part of a template,
+    or a\n  `render` call)\n\nAll users running an affected release should either
+    upgrade or use one of the workarounds immediately.\n\n# Releases\n\nThe fixed
+    releases are available at the normal locations.\n\n# Workarounds\n\nThere are
+    no feasible workarounds for this issue.\n"
+  patched_versions:
+  - "~> 7.0.8, >= 7.0.8.1"
+  - ">= 7.1.3.1"
+---

advisories/_posts/2024-02-21-CVE-2024-26144.md

@@ -0,0 +1,52 @@
+---
+layout: advisory
+title: 'CVE-2024-26144 (actionpack): Possible Sensitive Session Information Leak in
+  Active Storage'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2024-26144
+  url: https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
+  title: Possible Sensitive Session Information Leak in Active Storage
+  date: 2024-02-21
+  description: |
+    There is a possible sensitive session information leak in Active Storage.
+    By default, Active Storage sends a `Set-Cookie` header along with the user’s
+    session cookie when serving blobs. It also sets `Cache-Control` to public.
+    Certain proxies may cache the `Set-Cookie`, leading to an information leak.
+
+    This vulnerability has been assigned the CVE identifier CVE-2024-26144.
+
+    Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7
+
+    # Impact
+
+    A proxy which chooses to caches this request can cause users to share
+    sessions. This may include a user receiving an attacker’s session or vice
+    versa.
+
+    This was patched in 7.1.0 but not previously identified as a security
+    vulnerability.
+
+    All users running an affected release should either upgrade or use one of the
+    workarounds immediately.
+
+    # Releases
+
+    The fixed releases are available at the normal locations.
+
+    # Workarounds
+
+    Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
+    `Set-Cookie` headers.
+  unaffected_versions:
+  - "< 5.2.0"
+  - ">= 7.1.0"
+  patched_versions:
+  - "~> 6.1.7, >= 6.1.7.7"
+  - ">= 7.0.8.1"
+---