Updated advisory posts against rubysec/ruby-advisory-db@443cfb9

jasnow · RubySec CI · commit a850e34a1390 · 2024-10-16T18:04:03.000Z
diff --git a/advisories/_posts/2024-10-15-CVE-2024-41128.md b/advisories/_posts/2024-10-15-CVE-2024-41128.md
@@ -0,0 +1,55 @@
+---
+layout: advisory
+title: 'CVE-2024-41128 (actionpack): Possible ReDoS vulnerability in query parameter
+  filtering in Action Dispatch'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2024-41128
+  ghsa: x76w-6vjr-8xgj
+  url: https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
+  title: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
+  date: 2024-10-15
+  description: |
+    There is a possible ReDoS vulnerability in the query parameter
+    filtering routines of Action Dispatch. This vulnerability has
+    been assigned the CVE identifier CVE-2024-41128.
+
+    ## Impact
+
+    Carefully crafted query parameters can cause query parameter
+    filtering to take an unexpected amount of time, possibly resulting
+    in a DoS vulnerability. All users running an affected release
+    should either upgrade or apply the relevant patch immediately.
+
+    Ruby 3.2 has mitigations for this problem, so Rails applications
+    using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
+    on Ruby 3.2 or greater so is unaffected.
+
+    ## Releases
+
+    The fixed releases are available at the normal locations.
+
+    ## Workarounds
+
+    Users on Ruby 3.2 are unaffected by this issue.
+
+    ## Credits
+
+    Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
+  unaffected_versions:
+  - "< 3.1.0"
+  patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
+    - https://github.com/advisories/GHSA-x76w-6vjr-8xgj
+---
diff --git a/advisories/_posts/2024-10-15-CVE-2024-47887.md b/advisories/_posts/2024-10-15-CVE-2024-47887.md
@@ -0,0 +1,57 @@
+---
+layout: advisory
+title: 'CVE-2024-47887 (actionpack): Possible ReDoS vulnerability in HTTP Token authentication
+  in Action Controller'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2024-47887
+  ghsa: vfg9-r3fq-jvx4
+  url: https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
+  title: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
+  date: 2024-10-15
+  description: |
+    There is a possible ReDoS vulnerability in Action Controller's
+    HTTP Token authentication. This vulnerability has been assigned
+    the CVE identifier CVE-2024-47887.
+
+    ## Impact
+
+    For applications using HTTP Token authentication via
+    `authenticate_or_request_with_http_token` or similar, a carefully
+    crafted header may cause header parsing to take an unexpected amount
+    of time, possibly resulting in a DoS vulnerability. All users running
+    an affected release should either upgrade or apply the relevant
+    patch immediately.
+
+    Ruby 3.2 has mitigations for this problem, so Rails applications
+    using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
+    on Ruby 3.2 or greater so is unaffected.
+
+    ## Releases
+
+    The fixed releases are available at the normal locations.
+
+    ## Workarounds
+
+    Users on Ruby 3.2 are unaffected by this issue.
+
+    ## Credits
+
+    Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
+  unaffected_versions:
+  - "< 4.0.0"
+  patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
+    - https://github.com/advisories/GHSA-vfg9-r3fq-jvx4
+---
diff --git a/advisories/_posts/2024-10-15-CVE-2024-47888.md b/advisories/_posts/2024-10-15-CVE-2024-47888.md
@@ -0,0 +1,57 @@
+---
+layout: advisory
+title: 'CVE-2024-47888 (actiontext): Possible ReDoS vulnerability in plain_text_for_blockquote_node
+  in Action Text'
+comments: false
+categories:
+- actiontext
+- rails
+advisory:
+  gem: actiontext
+  framework: rails
+  cve: 2024-47888
+  ghsa: wwhv-wxv9-rpgw
+  url: https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
+  title: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action
+    Text
+  date: 2024-10-15
+  description: |
+    There is a possible ReDoS vulnerability in the
+    plain_text_for_blockquote_node helper in Action Text. This
+    vulnerability has been assigned the CVE identifier CVE-2024-47888.
+
+    ## Impact
+
+    Carefully crafted text can cause the plain_text_for_blockquote_node
+    helper to take an unexpected amount of time, possibly resulting
+    in a DoS vulnerability. All users running an affected release should
+    either upgrade or apply the relevant patch immediately.
+
+    Ruby 3.2 has mitigations for this problem, so Rails applications
+    using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
+    on Ruby 3.2 or greater so is unaffected.
+
+    ## Releases
+
+    The fixed releases are available at the normal locations.
+
+    ## Workarounds
+
+    Users can avoid calling `plain_text_for_blockquote_node` or
+    upgrade to Ruby 3.2.
+
+    ## Credits
+
+    Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
+  unaffected_versions:
+  - "< 6.0.0"
+  patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
+    - https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
+---
diff --git a/advisories/_posts/2024-10-15-CVE-2024-47889.md b/advisories/_posts/2024-10-15-CVE-2024-47889.md
@@ -0,0 +1,56 @@
+---
+layout: advisory
+title: 'CVE-2024-47889 (actionmailer): Possible ReDoS vulnerability in block_format
+  in Action Mailer'
+comments: false
+categories:
+- actionmailer
+- rails
+advisory:
+  gem: actionmailer
+  framework: rails
+  cve: 2024-47889
+  ghsa: h47h-mwp9-c6q6
+  url: https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
+  title: Possible ReDoS vulnerability in block_format in Action Mailer
+  date: 2024-10-15
+  description: |
+    There is a possible ReDoS vulnerability in the block_format helper
+    in Action Mailer. This vulnerability has been assigned the
+    CVE identifier CVE-2024-47889.
+
+    ## Impact
+
+    Carefully crafted text can cause the block_format helper to take an
+    unexpected amount of time, possibly resulting in a DoS vulnerability.
+    All users running an affected release should either upgrade or apply
+    the relevant patch immediately.
+
+    Ruby 3.2 has mitigations for this problem, so Rails applications
+    using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires
+    Ruby 3.2 or greater so is unaffected.
+
+    ## Releases
+
+    The fixed releases are available at the normal locations.
+
+    ## Workarounds
+
+    Users can avoid calling the `block_format` helper or upgrade
+    to Ruby 3.2.
+
+    ##Credits
+
+    Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
+  unaffected_versions:
+  - "< 3.0.0"
+  patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
+    - https://github.com/advisories/GHSA-h47h-mwp9-c6q6
+---
