Bug 1213321

Summary: VUL-0: CVE-2023-28362: rmt-server: Possible XSS via User Supplied Values to redirect_to (from embedded actionpack)
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: SCC Bugs <scc-bugs>
Status: NEW
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: coldpool, security-team, tschmidt
Version: unspecified
Flags: rfrohl: needinfo? (tschmidt)
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/372425/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Robert Frohl 2023-07-14 09:16:30 UTC
+++ This bug was initially created as a clone of Bug #1213312 +++

CVE-2023-28362

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.

ref: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28362
https://bugzilla.redhat.com/show_bug.cgi?id=2217785
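The following is an added illustration for this report; it is not code from Rails, actionpack or rmt-server. It shows the class of input the advisory describes: a redirect target that carries bytes which are not legal in an HTTP header field value, and therefore risks having its Location header stripped by an RFC-enforcing proxy further down the path. Rails 6.1.7.4 performs this rejection inside redirect_to itself; the helper below (a hypothetical name, not a Rails API) performs the same kind of check on a user-supplied target before it reaches redirect_to, and runs under plain Ruby without Rails. The sample targets are constructed for the demonstration.

```ruby
# Added example, not part of the bug report, Rails or rmt-server.
#
# C0 control characters and DEL. RFC 9110 permits HTAB inside a field
# value, but a URL never needs one, so this check is deliberately stricter
# than the RFC (an assumption made for this example).
ILLEGAL_HEADER_CHARS = /[\x00-\x1f\x7f]/

class UnsafeRedirectTarget < StandardError; end

# Returns the target unchanged when it can be placed in a Location header
# without being dropped or rewritten by an RFC-enforcing intermediary;
# raises UnsafeRedirectTarget otherwise. (Hypothetical helper name.)
def validate_redirect_target(target)
  raise ArgumentError, "redirect target must be a String" unless target.is_a?(String)

  if target.match?(ILLEGAL_HEADER_CHARS)
    # Report only the offending byte, so logs do not echo the whole value.
    bad = target[ILLEGAL_HEADER_CHARS].unpack1("C")
    raise UnsafeRedirectTarget,
          format("redirect target contains illegal header byte 0x%02X", bad)
  end
  target
end

# Boolean form, suitable for a guard clause ahead of redirect_to.
def safe_redirect_target?(target)
  validate_redirect_target(target)
  true
rescue UnsafeRedirectTarget, ArgumentError
  false
end

# Constructed sample targets, as a user-controlled "next" parameter might
# supply them, each mapped to the verdict the check should return.
SAMPLE_TARGETS = {
  "https://example.com/dashboard"         => true,
  "/account?next=%2Fhome"                 => true,   # percent-encoded, legal
  "https://example.com/\r\nX-Injected: 1" => false,  # CR and LF
  "/login\x00"                            => false,  # NUL byte
  "https://example.com/\x7f"              => false,  # DEL
}.freeze

# Runs every sample through the check and returns {target => verdict},
# so the outcome can be inspected or asserted on rather than only printed.
def check_samples(samples = SAMPLE_TARGETS)
  samples.keys.each_with_object({}) { |t, h| h[t] = safe_redirect_target?(t) }
end

if __FILE__ == $PROGRAM_NAME
  check_samples.each do |target, ok|
    puts format("%-6s %s", ok ? "OK" : "REJECT", target.inspect)
  end
end
```

The check belongs on the application side of redirect_to only as defence in depth: the durable fix for CVE-2023-28362 is the patched actionpack, which is what the RMT update in the next comment delivers.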
Comment 2 Thomas Schmidt 2023-07-14 09:53:31 UTC
We're in the process of updating to RMT 2.13, which has the fixed actionpack version 6.1.7.4.