Bug 1204826 - (CVE-2022-3704) VUL-0: CVE-2022-3704: rubygem-actionpack-3_2,rubygem-actionpack-4_2,rubygem-actionpack-5_1: self-XSS in actionpack
(CVE-2022-3704)
VUL-0: CVE-2022-3704: rubygem-actionpack-3_2,rubygem-actionpack-4_2,rubygem-a...
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Manuel Schnitzer
Security Team bot
https://smash.suse.de/issue/346314/
CVSSv3.1:SUSE:CVE-2022-3704:6.3:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-10-28 09:27 UTC by Thomas Leroy
Modified: 2023-01-20 04:32 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
stoyan.manolov: needinfo? (mschnitzer)


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Leroy 2022-10-28 09:27:33 UTC
CVE-2022-3704

A vulnerability classified as problematic has been found in Ruby on Rails. This
affects an unknown part of the file
actionpack/lib/action_dispatch/middleware/templates/routes/_table.html.erb. The
manipulation leads to cross site scripting. It is possible to initiate the
attack remotely. The name of the patch is
be177e4566747b73ff63fd5f529fab564e475ed4. It is recommended to apply a patch to
fix this issue. The associated identifier of this vulnerability is VDB-212319.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3704
https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
https://www.cve.org/CVERecord?id=CVE-2022-3704
https://github.com/rails/rails/issues/46244
https://vuldb.com/?id.212319
Comment 1 Thomas Leroy 2022-10-28 09:29:22 UTC
Affected:
- SUSE:SLE-15:Update/rubygem-actionpack-5_1
- openSUSE:Factory/rubygem-actionpack-7.0
- openSUSE:Backports:SLE-15-SP3/rubygem-actionpack-5.2
- openSUSE:Backports:SLE-15-SP4/rubygem-actionpack-5.2