CVSS2: 4.3 Medium
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

CVSS3: 6.1 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low
Percentile: 47.5%

XSS vulnerability with certain configurations of Rails::Html::Sanitizer.

This vulnerability has been assigned the CVE identifier CVE-2022-32209.

Versions Affected: ALL
Not affected: NONE
Fixed Versions: v1.4.3

## Impact

A possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject content if the application developer has overridden the sanitizer’s allowed tags to allow both `select` and `style` elements.

Code is only impacted if allowed tags are being overridden. This may be done via application configuration:

```ruby
# In config/application.rb
config.action_view.sanitized_allowed_tags = ["select", "style"]
```

see https://guides.rubyonrails.org/configuring.html#configuring-action-view

Or it may be done with a `:tags` option to the Action View helper `sanitize`:

```
<%= sanitize @comment.body, tags: ["select", "style"] %>
```

see https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitize

Or it may be done with Rails::Html::SafeListSanitizer directly:

```ruby
# class-level option
Rails::Html::SafeListSanitizer.allowed_tags = ["select", "style"]
```

or

```ruby
# instance-level option
Rails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: ["select", "style"])
```

All users overriding the allowed tags by any of the above mechanisms to include both “select” and “style” should either upgrade or use one of the workarounds immediately.

## Releases

The FIXED releases are available at the normal locations.

## Workarounds

Remove either `select` or `style` from the overridden allowed tags.

## Credits

This vulnerability was responsibly reported by windshock.

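
To check an application against the conditions above, the following added example (not code from the advisory or from rails-html-sanitizer) scans Ruby or ERB source text for the override forms the advisory lists and reports those that allow both `select` and `style`, combined with a check against the fixed version v1.4.3. The function names, the regular expression, and the sample input are assumptions made for illustration; it also matches the hash-rocket spelling `:tags => [...]`, which the advisory does not show.

```ruby
require "rubygems"

FIXED_VERSION = Gem::Version.new("1.4.3") # fixed release named in the advisory
RISKY_PAIR = %w[select style].freeze      # tag pair named in the advisory

# Override forms listed in the advisory, followed by an array literal:
#   ...sanitized_allowed_tags = [...]   SafeListSanitizer.allowed_tags = [...]
#   sanitize(..., tags: [...])          sanitize(..., :tags => [...])
# Accepts ["a", "b"] and %w[a b]; the literal may span lines. Tag lists built
# from constants or variables are not resolved and need manual review.
OVERRIDE = /(?:allowed_tags\s*=|\btags:|:tags\s*=>)\s*(?:%w)?\[([^\]]*)\]/m

# Returns [{line:, tags:}] for every override that allows both risky tags.
def risky_tag_overrides(source)
  findings = []
  source.scan(OVERRIDE) do
    m = Regexp.last_match
    tags = m[1].scan(/[A-Za-z][A-Za-z0-9]*/).map(&:downcase)
    next unless (RISKY_PAIR - tags).empty?
    findings << { line: source[0...m.begin(0)].count("\n") + 1, tags: tags }
  end
  findings
end

def sanitizer_fixed?(version)
  Gem::Version.new(version) >= FIXED_VERSION
end

# Exposed only when the gem predates the fix AND a risky override exists.
def exposed?(version, source)
  !sanitizer_fixed?(version) && !risky_tag_overrides(source).empty?
end

# Constructed sample input (not taken from any real application).
SAMPLE = <<~'SRC'
  # config/application.rb
  config.action_view.sanitized_allowed_tags = ["select", "style"]
  config.action_view.sanitized_allowed_tags = ["select", "option"]
  <%= sanitize @comment.body, tags: %w[p style
       select] %>
SRC

if __FILE__ == $PROGRAM_NAME
  risky_tag_overrides(SAMPLE).each { |f| puts "line #{f[:line]}: #{f[:tags].join(', ')}" }
end
```
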
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ruby-rails-html-sanitizer | < any | UNKNOWN |
ubuntu | 20.04 | noarch | ruby-rails-html-sanitizer | < any | UNKNOWN |
ubuntu | 22.04 | noarch | ruby-rails-html-sanitizer | < any | UNKNOWN |
ubuntu | 16.04 | noarch | ruby-rails-html-sanitizer | < any | UNKNOWN |
discuss.rubyonrails.org/t/cve-2022-32209-possible-xss-vulnerability-in-rails-sanitizer/80800
github.com/rails/rails-html-sanitizer/commit/45a5c10fed3d9aa141594c80afa06d748fa0967d (v1.4.3)
hackerone.com/reports/1530898
launchpad.net/bugs/cve/CVE-2022-32209
nvd.nist.gov/vuln/detail/CVE-2022-32209
security-tracker.debian.org/tracker/CVE-2022-32209
www.cve.org/CVERecord?id=CVE-2022-32209