Rails XSS and JRuby DoS vulnerabilities

phi...@state.io

Mar 18, 2013, 1:36:42 PM
to rubysec-...@googlegroups.com
For those of you who don't also subscribe to rubyonrails-security, Aaron Patterson today wrote:

There is an XSS vulnerability in the `sanitize_css` method in Action Pack. This vulnerability has been assigned the CVE identifier CVE-2013-1855.

There is an XSS vulnerability in the sanitize helper in Ruby on Rails. This vulnerability has been assigned the CVE identifier CVE-2013-1857.

Upshot: These vulns affect all versions. Please upgrade to 3.2.13, 3.1.12 or 2.3.18

--

For JRuby users,

There is a vulnerability in the JDOM backend to ActiveSupport's XML parser. This could allow an attacker to perform a denial of service attack or gain access to files stored on the application server. This vulnerability has been assigned the CVE identifier CVE-2013-1856.

Upshot: If you are on JRuby and use 3.0.0 or higher, upgrade to 3.2.13 or 3.1.12

Regards,
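A check a practitioner might run against this advisory, added here as an example and not part of the original post or of Rails itself: it reads the locked rails version out of a Gemfile.lock, compares it with the fixed releases named above (3.2.13, 3.1.12, 2.3.18), treats every other version as affected as the post states, and flags the JDOM issue only for JRuby on 3.0.0 or higher. The Gemfile.lock fragment is constructed and the function names are my own; Gem::Version from rubygems does the version comparison.

```ruby
require "rubygems" # Gem::Version

# Fixed releases named in the advisory, keyed by the branch each one patches.
FIXED_RAILS = {
  "3.2" => Gem::Version.new("3.2.13"),
  "3.1" => Gem::Version.new("3.1.12"),
  "2.3" => Gem::Version.new("2.3.18"),
}.freeze

# CVE-2013-1856 (JDOM backend) is only relevant on JRuby with Rails 3.0.0 or later.
JDOM_MIN_VERSION = Gem::Version.new("3.0.0")

# Constructed sample Gemfile.lock (not from the original post): Rails 3.2.12.
SAMPLE_LOCKFILE = [
  "GEM",
  "  remote: https://rubygems.org/",
  "  specs:",
  "    actionpack (3.2.12)",
  "      activemodel (= 3.2.12)",
  "    rails (3.2.12)",
  "      actionpack (= 3.2.12)",
  "",
  "PLATFORMS",
  "  ruby",
  "",
  "DEPENDENCIES",
  "  rails (= 3.2.12)",
].join("\n")

# Extract the locked rails version from Gemfile.lock text. Gems in the GEM/specs
# section are indented four spaces and their dependencies six, so anchoring on
# exactly four spaces skips "rails (= 3.2.12)" dependency and DEPENDENCIES lines.
def locked_rails_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rails \(([^)\s]+)\)/)
  m && Gem::Version.new(m[1])
end

# "3.2.12" -> "3.2"
def branch_of(version)
  version.segments.first(2).join(".")
end

# Assess one Rails version against the advisory. Returns a hash with:
#   :xss_vulnerable  CVE-2013-1855/1857: anything below the fixed release on its
#                    branch, and (conservatively, as the post says "all versions")
#                    any branch the advisory lists no fixed release for
#   :jdom_vulnerable CVE-2013-1856: only JRuby on Rails >= 3.0.0
#   :upgrade_to      fixed release on the same branch if there is one, else the
#                    next fixed release above the current version, else nil
def assess(version, jruby: RUBY_ENGINE == "jruby")
  fixed_on_branch = FIXED_RAILS[branch_of(version)]
  vulnerable = fixed_on_branch.nil? || version < fixed_on_branch
  target = fixed_on_branch || FIXED_RAILS.values.sort.find { |v| v > version }
  {
    version: version.to_s,
    xss_vulnerable: vulnerable,
    jdom_vulnerable: vulnerable && jruby && version >= JDOM_MIN_VERSION,
    upgrade_to: vulnerable && target ? target.to_s : nil,
  }
end

# Convenience wrapper: nil when the lockfile does not pin rails at all.
def check_lockfile(lockfile_text, jruby: RUBY_ENGINE == "jruby")
  version = locked_rails_version(lockfile_text)
  version && assess(version, jruby: jruby)
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  p check_lockfile(text)
end
```

Run it with a path to a real Gemfile.lock as the first argument, or with no argument to see the result for the constructed sample; on JRuby the JDOM flag is derived from RUBY_ENGINE, so a 3.0.x application there is reported as needing a cross-branch move to 3.1.12, matching the second upshot above.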