CVE-2023-28120

medium

Description

There is a vulnerability in ActiveSupport if the new bytesplice method is called on a SafeBuffer with untrusted user input.

References

https://www.debian.org/security/2023/dsa-5389

https://security.netapp.com/advisory/ntap-20240202-0006/

https://lists.fedoraproject.org/archives/list/[email protected]/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO/

https://lists.fedoraproject.org/archives/list/[email protected]/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/

https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70

https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469

Details

Source: Mitre, NVD

Published: 2025-01-09

Updated: 2025-01-09

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Medium