gsd-2023-23627
Vulnerability from gsd
Modified
2023-01-28 00:00
Details
### Impact
Using carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `>= 5.0.0, < 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.
Sanitize's default configs don't allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.
### Patches
Sanitize `>= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.
### Workarounds
Users who are unable to upgrade can prevent this issue by using one of Sanitize's default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.
### Details
The root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn't support scripting so it follows the "scripting disabled" rules, but a web browser with scripting enabled will follow the "scripting enabled" rules. This means that Sanitize can't reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2023-23627",
"id": "GSD-2023-23627"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "sanitize",
"purl": "pkg:gem/sanitize"
}
}
],
"aliases": [
"CVE-2023-23627",
"GHSA-fw3g-2h3j-qmm7"
],
"details": "### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize\u0027s default configs don\u0027t allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn\u0027t support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can\u0027t reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.",
"id": "GSD-2023-23627",
"modified": "2023-01-28T00:00:00.000Z",
"published": "2023-01-28T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
},
{
"type": "WEB",
"url": "https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22"
},
{
"type": "WEB",
"url": "https://github.com/rgrove/sanitize/releases/tag/v6.0.1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.1,
"type": "CVSS_V3"
}
],
"summary": "Improper neutralization of `noscript` element content may allow XSS in Sanitize"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-23627",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "sanitize",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "\u003e= 5.0.0, \u003c 6.0.1"
}
]
}
}
]
},
"vendor_name": "rgrove"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-79",
"lang": "eng",
"value": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
"refsource": "MISC",
"url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
}
]
},
"source": {
"advisory": "GHSA-fw3g-2h3j-qmm7",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2023-23627",
"cvss_v3": 6.1,
"date": "2023-01-28",
"description": "### Impact\n\nUsing carefully crafted input, an attacker may be able to sneak arbitrary HTML through Sanitize `\u003e= 5.0.0, \u003c 6.0.1` when Sanitize is configured with a custom allowlist that allows `noscript` elements. This could result in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser.\n\nSanitize\u0027s default configs don\u0027t allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist.\n\n### Patches\n\nSanitize `\u003e= 6.0.1` always removes `noscript` elements and their contents, even when `noscript` is in the allowlist.\n\n### Workarounds\n\nUsers who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.\n\n### Details\n\nThe root cause of this issue is that HTML parsing rules treat the contents of a `noscript` element differently depending on whether scripting is enabled in the user agent. Nokogiri (the HTML parser Sanitize uses) doesn\u0027t support scripting so it follows the \"scripting disabled\" rules, but a web browser with scripting enabled will follow the \"scripting enabled\" rules. This means that Sanitize can\u0027t reliably make the contents of a `noscript` element safe for scripting enabled browsers. The safest thing to do is to remove the element and its contents entirely, which is now what Sanitize does in version 6.0.1 and later.",
"gem": "sanitize",
"ghsa": "fw3g-2h3j-qmm7",
"patched_versions": [
"\u003e= 6.0.1"
],
"related": {
"url": [
"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22",
"https://github.com/rgrove/sanitize/releases/tag/v6.0.1"
]
},
"title": "Improper neutralization of `noscript` element content may allow XSS in Sanitize",
"unaffected_versions": [
"\u003c 5.0.0"
],
"url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=5.0.0 \u003c6.0.1",
"affected_versions": "All versions starting from 5.0.0 before 6.0.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2023-02-06",
"description": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, is vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist.",
"fixed_versions": [
"6.0.1"
],
"identifier": "CVE-2023-23627",
"identifiers": [
"CVE-2023-23627",
"GHSA-fw3g-2h3j-qmm7"
],
"not_impacted": "All versions before 5.0.0, all versions starting from 6.0.1",
"package_slug": "gem/sanitize",
"pubdate": "2023-01-28",
"solution": "Upgrade to version 6.0.1 or above.",
"title": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"urls": [
"https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
"https://nvd.nist.gov/vuln/detail/CVE-2023-23627",
"https://github.com/rgrove/sanitize/commit/ec14265e530dc3fe31ce2ef773594d3a97778d22",
"https://github.com/advisories/GHSA-fw3g-2h3j-qmm7"
],
"uuid": "a1a57593-2f27-48ab-9797-b13257c0b1fb"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:sanitize_project:sanitize:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "6.0.1",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2023-23627"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Sanitize is an allowlist-based HTML and CSS sanitizer. Versions 5.0.0 and later, prior to 6.0.1, are vulnerable to Cross-site Scripting. When Sanitize is configured with a custom allowlist that allows `noscript` elements, attackers are able to include arbitrary HTML, resulting in XSS (cross-site scripting) or other undesired behavior when that HTML is rendered in a browser. The default configurations do not allow `noscript` elements and are not vulnerable. This issue only affects users who are using a custom config that adds `noscript` to the element allowlist. This issue has been patched in version 6.0.1. Users who are unable to upgrade can prevent this issue by using one of Sanitize\u0027s default configs or by ensuring that their custom config does not include `noscript` in the element allowlist."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7",
"refsource": "MISC",
"tags": [
"Mitigation",
"Release Notes",
"Third Party Advisory"
],
"url": "https://github.com/rgrove/sanitize/security/advisories/GHSA-fw3g-2h3j-qmm7"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-02-06T19:05Z",
"publishedDate": "2023-01-28T00:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…