rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >= 1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah >= 2.1.0. This issue is patched in version 1.4.4.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-91e69ea326 advisory.

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >=     1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah     >= 2.1.0. This issue is patched in version 1.4.4. (CVE-2022-23518)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an     attacker to inject content if the application developer has overridden the sanitizer's allowed tags in     either of the following ways: allow both math and style elements, or allow both svg and style     elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version     1.4.4. All users overriding the allowed tags to include math or svg and style should either upgrade     or use the following workaround immediately: Remove style from the overridden allowed tags, or remove     math and svg from the overridden allowed tags. (CVE-2022-23519)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to     an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the     application developer has overridden the sanitizer's allowed tags to allow both select and style     elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version     1.4.4. All users overriding the allowed tags to include both select and style should either upgrade or     use this workaround: Remove either select or style from the overridden allowed tags. NOTE: Code is
    _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper     method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. (CVE-2022-23520)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2097 advisory.

  - jackson-databind: Possible DoS if using JDK serialization to serialize JsonNode (CVE-2021-46877)

  - SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

  - rubygem-actionpack: Possible cross-site scripting vulnerability in Action Pack (CVE-2022-22577)

  - rubygem-loofah: inefficient regular expression leading to denial of service (CVE-2022-23514)

  - rubygem-loofah: Improper neutralization of data URIs leading to Cross Site Scripting (CVE-2022-23515)

  - rubygem-loofah: Uncontrolled Recursion leading to denial of service (CVE-2022-23516)

  - rubygem-rails-html-sanitizer: Inefficient Regular Expression leading to denial of service (CVE-2022-23517)

  - rubygem-rails-html-sanitizer: Improper neutralization of data URIs leading to Cross site scripting     (CVE-2022-23518)

  - rubygem-rails-html-sanitizer: Cross site scripting vulnerability with certain configurations     (CVE-2022-23519, CVE-2022-23520)

  - snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

  - tfm-rubygem-actionview: Possible cross-site scripting vulnerability in Action View tag helpers     (CVE-2022-27777)

  - rubygem-tzinfo: arbitrary code execution (CVE-2022-31163)

  - activerecord: Possible RCE escalation bug with Serialized Columns in Active Record (CVE-2022-32224)

  - apache-commons-configuration: Apache Commons Configuration insecure interpolation defaults     (CVE-2022-33980)

  - snakeyaml: Uncaught exception in org.yaml.snakeyaml.composer.Composer.composeSequenceNode (CVE-2022-38749)

  - snakeyaml: Uncaught exception in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject     (CVE-2022-38750)

  - snakeyaml: Uncaught exception in java.base/java.util.regex.Pattern$Ques.match (CVE-2022-38751)

  - snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

  - python-django: Potential denial-of-service vulnerability in internationalized URLs (CVE-2022-41323)

  - postgresql-jdbc: Information leak of prepared statement data due to insecure temporary file permissions     (CVE-2022-41946)

  - jackson-databind: deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS (CVE-2022-42003)

  - jackson-databind: use of deeply nested arrays (CVE-2022-42004)

  - apache-commons-text: variable interpolation RCE (CVE-2022-42889)

  - python-django: Potential denial-of-service via Accept-Language headers (CVE-2023-23969)

  - python-django: Potential denial-of-service vulnerability in file uploads (CVE-2023-24580)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3714-1 advisory.

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain     configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible     to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of     service through CPU resource consumption. This issue has been patched in version 1.4.4. (CVE-2022-23517)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >=     1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah     >= 2.1.0. This issue is patched in version 1.4.4. (CVE-2022-23518)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an     attacker to inject content if the application developer has overridden the sanitizer's allowed tags in     either of the following ways: allow both math and style elements, or allow both svg and style     elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version     1.4.4. All users overriding the allowed tags to include math or svg and style should either upgrade     or use the following workaround immediately: Remove style from the overridden allowed tags, or remove     math and svg from the overridden allowed tags. (CVE-2022-23519)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to     an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the     application developer has overridden the sanitizer's allowed tags to allow both select and style     elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version     1.4.4. All users overriding the allowed tags to include both select and style should either upgrade or     use this workaround: Remove either select or style from the overridden allowed tags. NOTE: Code is
    _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper     method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. (CVE-2022-23520)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3566 advisory.

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain     configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible     to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of     service through CPU resource consumption. This issue has been patched in version 1.4.4. (CVE-2022-23517)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >=     1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah     >= 2.1.0. This issue is patched in version 1.4.4. (CVE-2022-23518)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an     attacker to inject content if the application developer has overridden the sanitizer's allowed tags in     either of the following ways: allow both math and style elements, or allow both svg and style     elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version     1.4.4. All users overriding the allowed tags to include math or svg and style should either upgrade     or use the following workaround immediately: Remove style from the overridden allowed tags, or remove     math and svg from the overridden allowed tags. (CVE-2022-23519)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to     an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the     application developer has overridden the sanitizer's allowed tags to allow both select and style     elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version     1.4.4. All users overriding the allowed tags to include both select and style should either upgrade or     use this workaround: Remove either select or style from the overridden allowed tags. NOTE: Code is
    _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper     method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. (CVE-2022-23520)

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:2097 advisory.

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
    Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using     SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend     upgrading to version 2.0 and beyond. (CVE-2022-1471)

  - An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for     non HTML like responses. (CVE-2022-22577)

  - Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on     top of Nokogiri. Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to     excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of     service through CPU resource consumption. This issue is patched in version 2.19.1. (CVE-2022-23514)

  - Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on     top of Nokogiri. Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml     media type in data URIs. This issue is patched in version 2.19.1. (CVE-2022-23515)

  - Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on     top of Nokogiri. Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it     susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of     service through CPU resource consumption. This issue is patched in version 2.19.1. Users who are unable to     upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are     sanitized. (CVE-2022-23516)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain     configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible     to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of     service through CPU resource consumption. This issue has been patched in version 1.4.4. (CVE-2022-23517)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Versions >=     1.0.3, < 1.4.4 are vulnerable to cross-site scripting via data URIs when used in combination with Loofah     >= 2.1.0. This issue is patched in version 1.4.4. (CVE-2022-23518)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer may allow an     attacker to inject content if the application developer has overridden the sanitizer's allowed tags in     either of the following ways: allow both math and style elements, or allow both svg and style     elements. Code is only impacted if allowed tags are being overridden. . This issue is fixed in version     1.4.4. All users overriding the allowed tags to include math or svg and style should either upgrade     or use the following workaround immediately: Remove style from the overridden allowed tags, or remove     math and svg from the overridden allowed tags. (CVE-2022-23519)

  - rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Prior to version     1.4.4, there is a possible XSS vulnerability with certain configurations of Rails::Html::Sanitizer due to     an incomplete fix of CVE-2022-32209. Rails::Html::Sanitizer may allow an attacker to inject content if the     application developer has overridden the sanitizer's allowed tags to allow both select and style     elements. Code is only impacted if allowed tags are being overridden. This issue is patched in version     1.4.4. All users overriding the allowed tags to include both select and style should either upgrade or     use this workaround: Remove either select or style from the overridden allowed tags. NOTE: Code is
    _not_ impacted if allowed tags are overridden using either the :tags option to the Action View helper     method sanitize or the :tags option to the instance method SafeListSanitizer#sanitize. (CVE-2022-23520)

  - The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due     missing to nested depth limitation for collections. (CVE-2022-25857)

  - A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to     inject content if able to control input into specific attributes. (CVE-2022-27777)

  - TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using     time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data     source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are     defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on     demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers     correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later,     `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby     process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions     2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path     if their name follows the rules for a valid time zone identifier and the file has a prefix of     `tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files     are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated     before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression     `\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`. (CVE-2022-31163)

  - A possible escalation to RCE vulnerability exists when using YAML serialized columns in Active Record <     7.0.3.1, <6.1.6.1, <6.0.5.1 and <5.2.8.1 which could allow an attacker, that can manipulate data in the     database (via means like SQL injection), the ability to escalate to an RCE. (CVE-2022-32224)

  - Apache Commons Configuration performs variable interpolation, allowing properties to be dynamically     evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used     to locate an instance of org.apache.commons.configuration2.interpol.Lookup that performs the     interpolation. Starting with version 2.4 and continuing through 2.7, the set of default Lookup instances     included interpolators that could result in arbitrary code execution or contact with remote servers. These     lookups are: - script - execute expressions using the JVM script execution engine (javax.script) - dns
    - resolve dns records - url - load values from urls, including from remote servers Applications using     the interpolation defaults in the affected versions may be vulnerable to remote code execution or     unintentional contact with remote servers if untrusted configuration values are used. Users are     recommended to upgrade to Apache Commons Configuration 2.8.0, which disables the problematic interpolators     by default. (CVE-2022-33980)

  - Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stackoverflow. (CVE-2022-38749, CVE-2022-38750, CVE-2022-38751)

  - Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stack-overflow. (CVE-2022-38752)

  - In Django 3.2 before 3.2.16, 4.0 before 4.0.8, and 4.1 before 4.1.2, internationalized URLs were subject     to a potential denial of service attack via the locale parameter, which is treated as a regular     expression. (CVE-2022-41323)

  - pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either     `PreparedStatement.setText(int, InputStream)` or `PreparedStatemet.setBytea(int, InputStream)` will create     a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable     by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory     is shared between all users on that system. Because of this, when files and directories are written into     this directory they are, by default, readable by other users on that same system. This vulnerability does     not allow other users to overwrite the contents of these directories or files. This is purely an     information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7,     this this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this     vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to     patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a     directory that is exclusively owned by the executing user will mitigate this vulnerability.
    (CVE-2022-41946)

  - In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a     check in primitive value deserializers to avoid deep wrapper array nesting, when the     UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1     (CVE-2022-42003)

  - In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in     BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is     vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)

  - Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and     expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an     instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with     version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that     could result in arbitrary code execution or contact with remote servers. These lookups are: - script -     execute expressions using the JVM script execution engine (javax.script) - dns - resolve dns records -     url - load values from urls, including from remote servers Applications using the interpolation defaults     in the affected versions may be vulnerable to remote code execution or unintentional contact with remote     servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons     Text 1.10.0, which disables the problematic interpolators by default. (CVE-2022-42889)

  - In Django 3.2 before 3.2.17, 4.0 before 4.0.9, and 4.1 before 4.1.6, the parsed values of Accept-Language     headers are cached in order to avoid repetitive parsing. This leads to a potential denial-of-service     vector via excessive memory usage if the raw value of Accept-Language headers is very large.
    (CVE-2023-23969)

  - An issue was discovered in the Multipart Request Parser in Django 3.2 before 3.2.18, 4.0 before 4.0.10,     and 4.1 before 4.1.7. Passing certain inputs (e.g., an excessive number of parts) to multipart forms could     result in too many open files or memory exhaustion, and provided a potential vector for a denial-of-     service attack. (CVE-2023-24580)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194514	Fedora 40 : rubygem-rails-html-sanitizer (2023-91e69ea326)	Nessus	Fedora Local Security Checks	medium
194316	RHEL 8 : Satellite 6.13 Release (Important) (RHSA-2023:2097)	Nessus	Red Hat Local Security Checks	critical
181743	SUSE SLES15 / openSUSE 15 Security Update : rubygem-rails-html-sanitizer (SUSE-SU-2023:3714-1)	Nessus	SuSE Local Security Checks	medium
181447	Debian DLA-3566-1 : ruby-rails-html-sanitizer - LTS security update	Nessus	Debian Local Security Checks	medium
175139	Rocky Linux 8 : Satellite 6.13 Release (Important) (RLSA-2023:2097)	Nessus	Rocky Linux Local Security Checks	critical

Detections

Analytics

CVE-2022-23518

medium

Tenable Plugins

medium

critical

medium

medium

critical