Bug 1213321 - VUL-0: CVE-2023-28362: rmt-server: Possible XSS via User Supplied Values to redirect_to (from embedded actionpack)
Status: NEW
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: SCC Bugs
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/372425/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-07-14 09:16 UTC by Robert Frohl
Modified: 2023-07-17 12:46 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
rfrohl: needinfo? (tschmidt)


Description Robert Frohl 2023-07-14 09:16:30 UTC
+++ This bug was initially created as a clone of Bug #1213312 +++

CVE-2023-28362

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header.

ref: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-28362
https://bugzilla.redhat.com/show_bug.cgi?id=2217785
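As an added illustration of the failure mode the description above outlines (this is not code from the bug report, from Rails or from rmt-server): a pure-Ruby check for characters that are illegal in an HTTP header field value per RFC 7230 section 3.2, a validation step an application would run on a user-supplied target before handing it to redirect_to, and a simulated downstream proxy that drops non-compliant headers the way the advisory describes. The module and function names (RedirectTarget, strict_proxy_filter) and the allowed-host list are this example's own assumptions.

```ruby
# Added example, not code from the bug report, from Rails or from rmt-server.
# It shows the condition CVE-2023-28362 describes: a redirect target that
# contains characters illegal in an HTTP header value, which a strict
# downstream proxy then strips from the response. Module and function names
# are this example's own.
require "uri"

module RedirectTarget
  # RFC 7230 section 3.2: a field value may contain VCHAR (0x21-0x7E), SP,
  # HTAB and obs-text (0x80-0xFF). Any other control character is illegal.
  ILLEGAL_HEADER_CHARS = /[\x00-\x08\x0A-\x1F\x7F]/

  class UnsafeRedirectError < StandardError; end

  # True when +value+ can be sent verbatim as a header value such as Location.
  def self.header_value_safe?(value)
    !ILLEGAL_HEADER_CHARS.match?(value.to_s.b)
  end

  # Validates a user-supplied redirect target before it reaches redirect_to.
  # Rejects illegal header characters first, then anything that is not an
  # http(s) URL on one of +allowed_hosts+ (an assumed allow-list, so the same
  # check also closes the open-redirect case).
  def self.validate!(value, allowed_hosts:)
    unless header_value_safe?(value)
      raise UnsafeRedirectError, "illegal header characters in #{value.inspect}"
    end
    uri = URI.parse(value)
    unless %w[http https].include?(uri.scheme) && allowed_hosts.include?(uri.host)
      raise UnsafeRedirectError, "unexpected scheme or host in #{value.inspect}"
    end
    value
  rescue URI::InvalidURIError => e
    raise UnsafeRedirectError, "unparseable redirect target: #{e.message}"
  end
end

# Simulates a downstream service that enforces RFC compliance on response
# headers: any header whose value is not a legal field value is dropped, so a
# 302 whose Location carried a CRLF reaches the browser without a Location.
def strict_proxy_filter(headers)
  headers.select { |_name, value| RedirectTarget.header_value_safe?(value) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: a benign target and one carrying a client-injected CRLF.
  good = "https://example.com/account"
  bad  = "https://example.com/account\r\nX-Injected: 1"

  p strict_proxy_filter("Location" => good).keys   # ["Location"]
  p strict_proxy_filter("Location" => bad).keys    # [] : Location was removed

  [good, bad, "javascript:alert(1)"].each do |target|
    begin
      RedirectTarget.validate!(target, allowed_hosts: %w[example.com])
      puts "accepted: #{target.inspect}"
    rescue RedirectTarget::UnsafeRedirectError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The check deliberately runs on the byte string (`.b`) so that encoding of the incoming value cannot mask a control character, and it rejects before parsing so that a CR or LF never reaches URI handling or a header writer. The point of the proxy simulation is the one the advisory makes: the application still emits a 302, but a compliant intermediary removes the Location header, leaving the client with the redirect body instead of the redirect.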
Comment 2 Thomas Schmidt 2023-07-14 09:53:31 UTC
We're in the process of updating to RMT 2.13, which has the fixed actionpack version 6.1.7.4.