6 enhanced advisories; 1 brand new advisory #849

Merged
merged 1 commit into from
Feb 13, 2025
1 change: 1 addition & 0 deletions gems/actionpack/CVE-2024-54133.yml
Expand Up @@ -41,5 +41,6 @@ patched_versions:
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-54133
- https://hackerone.com/reports/2905532
- https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
- https://github.com/advisories/GHSA-vfm5-rmrh-j26v
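Review bot: please confirm that https://hackerone.com/reports/2905532 is publicly disclosed before merging; a HackerOne report that is still private resolves to a login wall, which makes the new `related.url` entry useless to consumers of this database. The placement itself (between the NVD entry and the rails GHSA) matches the other enhanced advisories in this PR, so no change is needed there.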
1 change: 1 addition & 0 deletions gems/net-imap/CVE-2025-25186.yml
Expand Up @@ -150,6 +150,7 @@ patched_versions:
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-25186
- https://www.ruby-lang.org/en/news/2025/02/10/dos-net-imap-cve-2025-25186
- https://github.com/ruby/net-imap/security/advisories/GHSA-7fc5-f82f-cx69
- https://github.com/ruby/net-imap/commit/70e3ddd071a94e450b3238570af482c296380b35
- https://github.com/ruby/net-imap/commit/c8c5a643739d2669f0c9a6bb9770d0c045fd74a3
48 changes: 48 additions & 0 deletions gems/rack/CVE-2025-25184.yml
@@ -0,0 +1,48 @@
---
gem: rack
cve: 2025-25184
ghsa: 7g2v-jj9q-g3rg
url: https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
title: Possible Log Injection in Rack::CommonLogger
date: 2025-02-12
description: |
## Summary
`Rack::CommonLogger` can be exploited by crafting input that includes
newline characters to manipulate log entries. The supplied
proof-of-concept demonstrates injecting malicious content into logs.
## Details
When a user provides the authorization credentials via
`Rack::Auth::Basic`, if success, the username will be put in
`env['REMOTE_USER']` and later be used by `Rack::CommonLogger`
for logging purposes.
The issue occurs when a server intentionally or unintentionally
allows a user creation with the username contain CRLF and white
space characters, or the server just want to log every login
attempts. If an attacker enters a username with CRLF character,
the logger will log the malicious username with CRLF characters
into the logfile.
## Impact
Attackers can break log formats or insert fraudulent entries,
potentially obscuring real activity or injecting malicious data
into log files.
## Mitigation
- Update to the latest version of Rack.
cvss_v4: 5.7
patched_versions:
- "~> 2.2.11"
- "~> 3.0.12"
- ">= 3.1.10"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-25184
- https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
- https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e
- https://github.com/advisories/GHSA-7g2v-jj9q-g3rg
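Review bot: `related.url` repeats verbatim the advisory already given in the top-level `url:` field (https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg); if the convention here is to keep `related.url` for supplementary references, drop that entry and keep the https://github.com/advisories/GHSA-7g2v-jj9q-g3rg mirror, the NVD link and the fix commit. The three `patched_versions` constraints are consistent with three maintenance branches and should be read that way by anyone checking a lockfile: `~> 2.2.11` is 2.2.11 up to but excluding 2.3, `~> 3.0.12` is 3.0.12 up to but excluding 3.1, and `>= 3.1.10` is everything from 3.1.10 upward, so a 3.0.x below 3.0.12 or a 3.1.x below 3.1.10 is correctly flagged as vulnerable. The description's mitigation line ("Update to the latest version of Rack") is vaguer than those ranges, which is expected since it is the upstream GHSA text copied as-is; the `ghsa:` field and `url:` agree on 7g2v-jj9q-g3rg.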
1 change: 1 addition & 0 deletions gems/rails-html-sanitizer/CVE-2024-53986.yml
Expand Up @@ -110,6 +110,7 @@ patched_versions:
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53986
- https://hackerone.com/reports/2931636
- https://github.com/rails/rails-html-sanitizer/blob/v1.6.1/CHANGELOG.md
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-638j-pmjw-jq48
- https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
2 changes: 2 additions & 0 deletions gems/rails-html-sanitizer/CVE-2024-53987.yml
Expand Up @@ -109,6 +109,8 @@ patched_versions:
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53987
- https://hackerone.com/reports/2931639
- https://hackerone.com/reports/2931688
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-2x5m-9ch4-qgrr
- https://github.com/rails/rails-html-sanitizer/commit/f02ffbb8465e73920b6de0da940f5530f855965e
- https://github.com/advisories/GHSA-2x5m-9ch4-qgrr
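Review bot: two HackerOne reports (2931639 and 2931688) are attached to this single CVE, and the fix commit listed here (f02ffbb8465e73920b6de0da940f5530f855965e) is the same commit listed for CVE-2024-53986 earlier in this PR, so the reports for these sibling advisories were evidently triaged together; please double-check that both report IDs belong to CVE-2024-53987 rather than one of them belonging to CVE-2024-53986 (whose hunk adds 2931636), and that both are publicly disclosed. Nothing else to change in the hunk.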
1 change: 1 addition & 0 deletions gems/rails-html-sanitizer/CVE-2024-53988.yml
Expand Up @@ -119,6 +119,7 @@ patched_versions:
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53988
- https://hackerone.com/reports/2931710
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-cfjx-w229-hgx5
- https://github.com/rails/rails-html-sanitizer/commit/a0a3e8b76b696446ffc6bffcff3bc7b7c6393c72
- https://github.com/advisories/GHSA-cfjx-w229-hgx5
1 change: 1 addition & 0 deletions gems/rails-html-sanitizer/CVE-2024-53989.yml
Expand Up @@ -109,6 +109,7 @@ patched_versions:
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2024-53989
- https://hackerone.com/reports/2931691
- https://github.com/rails/rails-html-sanitizer/security/advisories/GHSA-rxv5-gxqc-xx8g
- https://github.com/rails/rails-html-sanitizer/commit/16251735e36ebdc302e2f90f2a39cad56879414f
- https://github.com/advisories/GHSA-rxv5-gxqc-xx8g