Bug 1176421 - (CVE-2020-15169) VUL-0: CVE-2020-15169: rubygem-actionview-4_2,rubygem-actionview-5_1: rubygem-activeview: Cross-site scripting in translation helpers
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Major
Assigned To: Manuel Schnitzer
Security Team bot
https://smash.suse.de/issue/267016/
CVSSv3.1:SUSE:CVE-2020-15169:7.4:(AV:...
Reported: 2020-09-10 14:45 UTC by Marcus Meissner
Modified: 2022-09-28 16:39 UTC (History)
Found By: Security Response Team
gabriele.sonnu: needinfo? (mschnitzer)
Description Marcus Meissner 2020-09-10 14:45:32 UTC
A flaw was found in rubygem-actionview before versions 5.2.4.4 and 6.0.3.3. When an HTML-unsafe string is passed as the default for a missing translation key, the default string is incorrectly marked as HTML-safe and not escaped.

References:

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2020-15169.yml
https://groups.google.com/g/rubyonrails-security/c/b-C9kSGXYrc?pli=1
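A minimal Ruby model of the flaw described above, added here as an illustration and not code from Rails or from SUSE: a toy translation helper in the vulnerable shape (a missing key's default is wrapped as trusted HTML without escaping) beside a hardened shape that escapes the default unless the caller already marked it safe. The `SafeHtml` class, `render`, `TRANSLATIONS` and the sample default are all constructed for this example; real ActionView uses `ActiveSupport::SafeBuffer` and `ERB::Util.html_escape`, and only the latter is used unchanged here.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (constructed for this example, not
# Rails code): a String subclass whose content is trusted as already escaped.
class SafeHtml < String; end

def html_safe?(value)
  value.is_a?(SafeHtml)
end

# Output step of a template: trusted strings pass straight through, anything
# else is HTML-escaped. Marking an unescaped string as trusted bypasses this.
def render(value)
  html_safe?(value) ? value.to_s : ERB::Util.html_escape(value)
end

# Constructed translation table: "greeting.title" exists, any other key is missing.
TRANSLATIONS = { "greeting.title" => "Welcome back" }.freeze

# Vulnerable shape of the helper: on a missing key the caller's default is
# returned wrapped as trusted HTML, whether or not it was ever escaped.
def translate_vulnerable(key, default:)
  TRANSLATIONS.fetch(key) { SafeHtml.new(default.to_s) }
end

# Hardened shape: a default is trusted only if the caller already marked it
# safe; a plain string is escaped before it is wrapped.
def translate_fixed(key, default:)
  TRANSLATIONS.fetch(key) do
    html_safe?(default) ? default : SafeHtml.new(ERB::Util.html_escape(default))
  end
end

# Constructed default carrying markup, as it would if built from request input.
UNTRUSTED_DEFAULT = "<script>alert(1)</script>".freeze

if __FILE__ == $PROGRAM_NAME
  puts render(translate_vulnerable("missing.key", default: UNTRUSTED_DEFAULT))
  # vulnerable: markup reaches the page unchanged
  puts render(translate_fixed("missing.key", default: UNTRUSTED_DEFAULT))
  # fixed: &lt;script&gt;alert(1)&lt;/script&gt;
  puts render(translate_fixed("missing.key", default: SafeHtml.new("<b>ok</b>")))
  # fixed, explicitly trusted default: <b>ok</b>
end
```

The point of the hardened shape is that trust is decided where the default enters the helper, not at output time: once a string is wrapped as safe, the template's escaping step can no longer protect the page. For an application that cannot yet move to the fixed versions named above, the equivalent mitigation is to pass only literal or already-escaped strings as `default:` for translations, never values derived from request data.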
Comment 3 Swamp Workflow Management 2020-09-21 13:19:36 UTC
SUSE-SU-2020:2686-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1176421
CVE References: CVE-2020-15169
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    rubygem-actionview-4_2-4.2.9-9.12.1
SUSE OpenStack Cloud Crowbar 8 (src):    rubygem-actionview-4_2-4.2.9-9.12.1
SUSE OpenStack Cloud 7 (src):    rubygem-actionview-4_2-4.2.9-9.12.1
SUSE OpenStack Cloud 6-LTSS (src):    rubygem-actionview-4_2-4.2.9-9.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Jacek Tomasiak 2020-09-22 08:35:57 UTC
Fix released. Assigning to security for final checking.