Debian DSA-5372-1 : rails - security update

critical Nessus Plugin ID 172505

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5372 advisory.

- A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. (CVE-2021-22942)

- A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a X-Forwarded-Host headers in combination with certain allowed host formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. (CVE-2021-44528)

- A code injection vulnerability exists in the Active Storage >= v5.2.0 that could allow an attacker to execute code via image_processing arguments. (CVE-2022-21831)

- An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses. (CVE-2022-22577)

- Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA- wh98-p28r-vrc9 can be used. (CVE-2022-23633)

- A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes. (CVE-2022-27777)

- A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1.
Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. (CVE-2023-22792)

- A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments.
If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the database withinsufficient sanitization and be able to inject SQL outside of the comment. (CVE-2023-22794)

- A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If- None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. (CVE-2023-22795)

- A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. (CVE-2023-22796)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the rails packages.

For the stable distribution (bullseye), these problems have been fixed in version 2

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586

https://security-tracker.debian.org/tracker/source-package/rails

https://www.debian.org/security/2023/dsa-5372

https://security-tracker.debian.org/tracker/CVE-2021-22942

https://security-tracker.debian.org/tracker/CVE-2021-44528

https://security-tracker.debian.org/tracker/CVE-2022-21831

https://security-tracker.debian.org/tracker/CVE-2022-22577

https://security-tracker.debian.org/tracker/CVE-2022-23633

https://security-tracker.debian.org/tracker/CVE-2022-27777

https://security-tracker.debian.org/tracker/CVE-2023-22792

https://security-tracker.debian.org/tracker/CVE-2023-22794

https://security-tracker.debian.org/tracker/CVE-2023-22795

https://security-tracker.debian.org/tracker/CVE-2023-22796

https://packages.debian.org/source/bullseye/rails

Plugin Details

Severity: Critical

ID: 172505

File Name: debian_DSA-5372.nasl

Version: 1.1

Type: local

Agent: unix

Published: 3/14/2023

Updated: 8/30/2023

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-21831

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:ruby-rails, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:ruby-actiontext, p-cpe:/a:debian:debian_linux:ruby-activerecord, p-cpe:/a:debian:debian_linux:ruby-activestorage, p-cpe:/a:debian:debian_linux:ruby-actionmailer, p-cpe:/a:debian:debian_linux:ruby-railties, p-cpe:/a:debian:debian_linux:ruby-actionmailbox, p-cpe:/a:debian:debian_linux:ruby-activemodel, p-cpe:/a:debian:debian_linux:ruby-activejob, p-cpe:/a:debian:debian_linux:ruby-activesupport, p-cpe:/a:debian:debian_linux:ruby-actionpack, p-cpe:/a:debian:debian_linux:rails, p-cpe:/a:debian:debian_linux:ruby-actioncable, p-cpe:/a:debian:debian_linux:ruby-actionview

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/13/2023

Vulnerability Publication Date: 10/18/2021

Reference Information

CVE: CVE-2021-22942, CVE-2021-44528, CVE-2022-21831, CVE-2022-22577, CVE-2022-23633, CVE-2022-27777, CVE-2023-22792, CVE-2023-22794, CVE-2023-22795, CVE-2023-22796