GSD-2018-16471
Vulnerability from gsd - Updated: 2018-11-05 00:00Details
There is a possible vulnerability in Rack. This vulnerability has been
assigned the CVE identifier CVE-2018-16471.
Versions Affected: All.
Not affected: None.
Fixed Versions: 2.0.6, 1.6.11
Impact
------
There is a possible XSS vulnerability in Rack. Carefully crafted requests can
impact the data returned by the `scheme` method on `Rack::Request`.
Applications that expect the scheme to be limited to "http" or "https" and do
not escape the return value could be vulnerable to an XSS attack.
Vulnerable code looks something like this:
```
<%= request.scheme.html_safe %>
```
Note that applications using the normal escaping mechanisms provided by Rails
may not impacted, but applications that bypass the escaping mechanisms, or do
not use them may be vulnerable.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The 2.0.6 and 1.6.11 releases are available at the normal locations.
Workarounds
-----------
The following monkey patch can be applied to work around this issue:
```
require "rack"
require "rack/request"
class Rack::Request
SCHEME_WHITELIST = %w(https http).freeze
def scheme
if get_header(Rack::HTTPS) == 'on'
'https'
elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
'https'
elsif forwarded_scheme
forwarded_scheme
else
get_header(Rack::RACK_URL_SCHEME)
end
end
def forwarded_scheme
scheme_headers = [
get_header(HTTP_X_FORWARDED_SCHEME),
get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
]
scheme_headers.each do |header|
return header if SCHEME_WHITELIST.include?(header)
end
nil
end
end
```
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-16471",
"description": "There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to \u0027http\u0027 or \u0027https\u0027 and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.",
"id": "GSD-2018-16471",
"references": [
"https://www.suse.com/security/cve/CVE-2018-16471.html",
"https://ubuntu.com/security/CVE-2018-16471",
"https://advisories.mageia.org/CVE-2018-16471.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack",
"purl": "pkg:gem/rack"
}
}
],
"aliases": [
"CVE-2018-16471",
"GHSA-5r2p-j47h-mhpg"
],
"details": "There is a possible vulnerability in Rack. This vulnerability has been\nassigned the CVE identifier CVE-2018-16471.\n\nVersions Affected: All.\nNot affected: None.\nFixed Versions: 2.0.6, 1.6.11\n\nImpact\n------\nThere is a possible XSS vulnerability in Rack. Carefully crafted requests can\nimpact the data returned by the `scheme` method on `Rack::Request`.\nApplications that expect the scheme to be limited to \"http\" or \"https\" and do\nnot escape the return value could be vulnerable to an XSS attack.\n\nVulnerable code looks something like this:\n\n```\n\u003c%= request.scheme.html_safe %\u003e\n```\n\nNote that applications using the normal escaping mechanisms provided by Rails\nmay not impacted, but applications that bypass the escaping mechanisms, or do\nnot use them may be vulnerable.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe 2.0.6 and 1.6.11 releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch can be applied to work around this issue:\n\n```\nrequire \"rack\"\nrequire \"rack/request\"\n\nclass Rack::Request\nSCHEME_WHITELIST = %w(https http).freeze\n\ndef scheme\n if get_header(Rack::HTTPS) == \u0027on\u0027\n \u0027https\u0027\n elsif get_header(HTTP_X_FORWARDED_SSL) == \u0027on\u0027\n \u0027https\u0027\n elsif forwarded_scheme\n forwarded_scheme\n else\n get_header(Rack::RACK_URL_SCHEME)\n end\nend\n\ndef forwarded_scheme\n scheme_headers = [\n get_header(HTTP_X_FORWARDED_SCHEME),\n get_header(HTTP_X_FORWARDED_PROTO).to_s.split(\u0027,\u0027)[0]\n ]\n\n scheme_headers.each do |header|\n return header if SCHEME_WHITELIST.include?(header)\n end\n\n nil\nend\nend\n```\n",
"id": "GSD-2018-16471",
"modified": "2018-11-05T00:00:00.000Z",
"published": "2018-11-05T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o"
}
],
"schema_version": "1.4.0",
"summary": "Possible XSS vulnerability in Rack"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2018-16471",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Rack",
"version": {
"version_data": [
{
"version_value": "2.0.6, 1.6.11"
}
]
}
}
]
},
"vendor_name": "Rack"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to \u0027http\u0027 or \u0027https\u0027 and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS) - Stored (CWE-79)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag",
"refsource": "MISC",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag"
},
{
"name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1585-1] ruby-rack security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html"
},
{
"name": "openSUSE-SU-2019:1553",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html"
},
{
"name": "USN-4089-1",
"refsource": "UBUNTU",
"url": "https://usn.ubuntu.com/4089-1/"
},
{
"name": "openSUSE-SU-2020:0214",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2018-16471",
"date": "2018-11-05",
"description": "There is a possible vulnerability in Rack. This vulnerability has been\nassigned the CVE identifier CVE-2018-16471.\n\nVersions Affected: All.\nNot affected: None.\nFixed Versions: 2.0.6, 1.6.11\n\nImpact\n------\nThere is a possible XSS vulnerability in Rack. Carefully crafted requests can\nimpact the data returned by the `scheme` method on `Rack::Request`.\nApplications that expect the scheme to be limited to \"http\" or \"https\" and do\nnot escape the return value could be vulnerable to an XSS attack.\n\nVulnerable code looks something like this:\n\n```\n\u003c%= request.scheme.html_safe %\u003e\n```\n\nNote that applications using the normal escaping mechanisms provided by Rails\nmay not impacted, but applications that bypass the escaping mechanisms, or do\nnot use them may be vulnerable.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe 2.0.6 and 1.6.11 releases are available at the normal locations.\n\nWorkarounds\n-----------\nThe following monkey patch can be applied to work around this issue:\n\n```\nrequire \"rack\"\nrequire \"rack/request\"\n\nclass Rack::Request\nSCHEME_WHITELIST = %w(https http).freeze\n\ndef scheme\n if get_header(Rack::HTTPS) == \u0027on\u0027\n \u0027https\u0027\n elsif get_header(HTTP_X_FORWARDED_SSL) == \u0027on\u0027\n \u0027https\u0027\n elsif forwarded_scheme\n forwarded_scheme\n else\n get_header(Rack::RACK_URL_SCHEME)\n end\nend\n\ndef forwarded_scheme\n scheme_headers = [\n get_header(HTTP_X_FORWARDED_SCHEME),\n get_header(HTTP_X_FORWARDED_PROTO).to_s.split(\u0027,\u0027)[0]\n ]\n\n scheme_headers.each do |header|\n return header if SCHEME_WHITELIST.include?(header)\n end\n\n nil\nend\nend\n```\n",
"gem": "rack",
"ghsa": "5r2p-j47h-mhpg",
"patched_versions": [
"~\u003e 1.6.11",
"\u003e= 2.0.6"
],
"title": "Possible XSS vulnerability in Rack",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.6.0 \u003c1.6.11||\u003e=2.0.0 \u003c2.0.6",
"affected_versions": "All versions starting from 1.6.0 before 1.6.11, all versions starting from 2.0.0 before 2.0.6",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-06-13",
"description": "There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to HTTP or HTTPS and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.",
"fixed_versions": [
"1.6.11",
"2.0.6"
],
"identifier": "CVE-2018-16471",
"identifiers": [
"CVE-2018-16471"
],
"not_impacted": "All versions before 1.6.0, all versions starting from 1.6.11 before 2.0.0, all versions starting from 2.0.6",
"package_slug": "gem/rack",
"pubdate": "2018-11-13",
"solution": "Upgrade to versions 1.6.11, 2.0.6 or above.",
"title": "Cross-site Scripting",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-16471"
],
"uuid": "effd904a-dbb5-4117-945f-fe7e235d2380"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "1.6.11",
"versionStartIncluding": "1.6.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.0.6",
"versionStartIncluding": "2.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2018-16471"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to \u0027http\u0027 or \u0027https\u0027 and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag",
"refsource": "MISC",
"tags": [
"Mailing List",
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag"
},
{
"name": "[debian-lts-announce] 20181121 [SECURITY] [DLA 1585-1] ruby-rack security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html"
},
{
"name": "openSUSE-SU-2019:1553",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html"
},
{
"name": "USN-4089-1",
"refsource": "UBUNTU",
"tags": [],
"url": "https://usn.ubuntu.com/4089-1/"
},
{
"name": "openSUSE-SU-2020:0214",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2019-06-13T21:29Z",
"publishedDate": "2018-11-13T23:29Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…