github - ghsa-x7rv-cr6v-4vm4

ghsa-x7rv-cr6v-4vm4

Vulnerability from github

Published

2018-03-21 11:57

Modified

2023-07-05 20:45

Severity ?

6.1 (Medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Summary

Cross-site Scripting in loofah

Details

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Users are affected if running Loofah < 2.2.1, but only:

when running on MRI or RBX,
in combination with libxml2 >= 2.9.2.

JRuby users are not affected.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "loofah"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.8.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-8048"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T22:02:35Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.\n\nUsers are affected if running Loofah \u003c 2.2.1, but only:\n\n* when running on MRI or RBX,\n* in combination with libxml2 \u003e= 2.9.2.\n\nJRuby users are not affected.",
  "id": "GHSA-x7rv-cr6v-4vm4",
  "modified": "2023-07-05T20:45:55Z",
  "published": "2018-03-21T11:57:11Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-8048"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/issues/144"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/pull/1746"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-x7rv-cr6v-4vm4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/flavorjones/loofah"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-8048.yml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20191122-0003"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2018/dsa-4171"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-site Scripting in loofah"
}

CVE-2018-8048 (GCVE-0-2018-8048)

Vulnerability from cvelistv5

Published

2018-03-27 17:00

Modified

2024-08-05 06:46

Severity ?

CWE

Summary

In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.

References

URL

Tags

	https://github.com/flavorjones/loofah/issues/144	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2018/03/19/5	mailing-list, x_refsource_MLIST
	https://www.debian.org/security/2018/dsa-4171	vendor-advisory, x_refsource_DEBIAN
	https://security.netapp.com/advisory/ntap-20191122-0003/	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T06:46:13.172Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/flavorjones/loofah/issues/144"
          },
          {
            "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
          },
          {
            "name": "DSA-4171",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4171"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2018-03-19T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-11-22T08:07:07",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/flavorjones/loofah/issues/144"
        },
        {
          "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
        },
        {
          "name": "DSA-4171",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4171"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-8048",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/flavorjones/loofah/issues/144",
              "refsource": "CONFIRM",
              "url": "https://github.com/flavorjones/loofah/issues/144"
            },
            {
              "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
            },
            {
              "name": "DSA-4171",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4171"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20191122-0003/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-8048",
    "datePublished": "2018-03-27T17:00:00",
    "dateReserved": "2018-03-11T00:00:00",
    "dateUpdated": "2024-08-05T06:46:13.172Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

gsd-2018-8048

Vulnerability from gsd

Modified

2018-03-16 00:00

Details

Loofah allows non-whitelisted attributes to be present in sanitized output when input with specially-crafted HTML fragments.

Aliases

CVE-2018-8048

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-8048",
    "description": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.",
    "id": "GSD-2018-8048",
    "references": [
      "https://www.suse.com/security/cve/CVE-2018-8048.html",
      "https://www.debian.org/security/2018/dsa-4171",
      "https://access.redhat.com/errata/RHSA-2019:0212"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "loofah",
            "purl": "pkg:gem/loofah"
          }
        }
      ],
      "aliases": [
        "CVE-2018-8048",
        "GHSA-x7rv-cr6v-4vm4"
      ],
      "details": "Loofah allows non-whitelisted attributes to be present in sanitized\noutput when input with specially-crafted HTML fragments.\n",
      "id": "GSD-2018-8048",
      "modified": "2018-03-16T00:00:00.000Z",
      "published": "2018-03-16T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/flavorjones/loofah/issues/144"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 6.1,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Loofah XSS Vulnerability"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2018-8048",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/flavorjones/loofah/issues/144",
            "refsource": "CONFIRM",
            "url": "https://github.com/flavorjones/loofah/issues/144"
          },
          {
            "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
          },
          {
            "name": "DSA-4171",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2018/dsa-4171"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20191122-0003/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2018-8048",
      "date": "2018-03-29",
      "description": "[MRI] Behavior in libxml2 has been reverted which caused\nCVE-2018-8048 (loofah gem), CVE-2018-3740 (sanitize gem), and\nCVE-2018-3741 (rails-html-sanitizer gem). The commit in question is\nhere:\n\nhttps://github.com/GNOME/libxml2/commit/960f0e2\n\nand more information is available about this commit and its impact\nhere:\n\nhttps://github.com/flavorjones/loofah/issues/144\n\nThis release simply reverts the libxml2 commit in question to protect\nusers of Nokogiri\u0027s vendored libraries from similar vulnerabilities.\n\nIf you\u0027re offended by what happened here, I\u0027d kindly ask that you\ncomment on the upstream bug report here:\n\nhttps://bugzilla.gnome.org/show_bug.cgi?id=769760\n",
      "gem": "nokogiri",
      "patched_versions": [
        "\u003e= 1.8.3"
      ],
      "related": {
        "cve": [
          "2018-3740",
          "2018-3741"
        ],
        "url": [
          "https://github.com/GNOME/libxml2/commit/960f0e2",
          "https://bugzilla.gnome.org/show_bug.cgi?id=769760"
        ]
      },
      "title": "Revert libxml2 behavior in Nokogiri gem that could cause XSS",
      "url": "https://github.com/sparklemotion/nokogiri/pull/1746"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.2.1",
          "affected_versions": "All versions before 2.2.1",
          "credit": "Shopify Application Security Team",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-11-22",
          "description": "Loofah allows attributes that are not explicitly allowed to be present in sanitized output when input with specially-crafted HTML fragments.",
          "fixed_versions": [
            "2.2.1"
          ],
          "identifier": "CVE-2018-8048",
          "identifiers": [
            "CVE-2018-8048"
          ],
          "not_impacted": "JRuby environments",
          "package_slug": "gem/loofah",
          "pubdate": "2018-03-27",
          "solution": "Upgrade to 2.2.1.",
          "title": "XSS Vulnerability",
          "urls": [
            "https://github.com/flavorjones/loofah/issues/144"
          ],
          "uuid": "30131569-843b-42af-9628-de66ecbab5d9"
        },
        {
          "affected_range": "\u003c1.8.3",
          "affected_versions": "All versions before 1.8.3",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-11-22",
          "description": "In the Loofah gem for Ruby, denylisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.",
          "fixed_versions": [
            "1.8.3"
          ],
          "identifier": "CVE-2018-8048",
          "identifiers": [
            "CVE-2018-8048"
          ],
          "not_impacted": "All versions starting from 1.8.3",
          "package_slug": "gem/nokogiri",
          "pubdate": "2018-03-27",
          "solution": "Upgrade to version 1.8.3 or above",
          "title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-8048"
          ],
          "uuid": "3018fe66-9e8f-4329-8ef9-580f6b496dff"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:loofah_project:loofah:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.2.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-8048"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/flavorjones/loofah/issues/144",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/flavorjones/loofah/issues/144"
            },
            {
              "name": "[oss-security] 20180319 [CVE-2018-8048] Loofah XSS Vulnerability",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2018/03/19/5"
            },
            {
              "name": "DSA-4171",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2018/dsa-4171"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20191122-0003/",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://security.netapp.com/advisory/ntap-20191122-0003/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-11-22T09:15Z",
      "publishedDate": "2018-03-27T17:29Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

ghsa-x7rv-cr6v-4vm4

Vulnerability from github

CVE-2018-8048 (GCVE-0-2018-8048)

Vulnerability from cvelistv5

gsd-2018-8048

Vulnerability from gsd

Tags

Sightings

Nomenclature