Ruby/loofah/0.4.2


Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Loofah also includes some HTML sanitizers based on html5lib's safelist, which are a specific application of the general transformation functionality.

https://rubygems.org/gems/loofah
License: UNKNOWN

9 Security Vulnerabilities

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13T17:36:28Z
CVE: CVE-2022-23514

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Loofah Allows Cross-site Scripting

Published date: 2019-11-05T23:58:25Z
CVE: CVE-2019-15587

In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Loofah Cross-site Scripting vulnerability

Published date: 2018-11-01T14:46:01Z
CVE: CVE-2018-16468

In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.

See https://github.com/flavorjones/loofah/issues/154 for more details.

Affected versions: ["2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Cross-site Scripting in loofah

Published date: 2018-03-21T11:57:11Z
CVE: CVE-2018-8048

Loofah allows non-whitelisted attributes to be present in sanitized output when given input containing specially crafted HTML fragments.

Users are affected if running Loofah < 2.2.1, but only:

  • when running on MRI or RBX,
  • in combination with libxml2 >= 2.9.2.

JRuby users are not affected.

Affected versions: ["2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Loofah XSS Vulnerability

Published date: 2018-10-30
CVE: CVE-2018-16468
CVSS V3: 6.4

In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Loofah XSS Vulnerability

Published date: 2018-03-16
CVE: CVE-2018-8048
CVSS V3: 6.1

Loofah allows non-whitelisted attributes to be present in sanitized output when given input containing specially crafted HTML fragments.

Affected versions: ["2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Loofah XSS Vulnerability

Published date: 2019-10-22
CVE: CVE-2019-15587
CVSS V3: 6.4

In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.

Affected versions: ["2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13
CVE: CVE-2022-23514
CVSS V3: 7.5

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

Loofah HTML and XSS injection vulnerability

Published date: 2012-09-08
CVSS V2: 5.0

Loofah Gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions which convert input back to text. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.

Affected versions: ["0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0"]
Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0]
Recommendation: Update to version 2.22.0.

58 Other Versions

Version      | License | Security advisories | Released         | Age
2.22.0       | MIT     | -                   | 2023-11-13 21:41 | 6 months
2.21.4       | MIT     | -                   | 2023-10-10 17:55 | 7 months
2.21.3       | MIT     | -                   | 2023-05-15 21:10 | 12 months
2.21.2       | MIT     | -                   | 2023-05-11 15:39 | 12 months
2.21.1       | MIT     | -                   | 2023-05-10 14:39 | 12 months
2.21.0       | MIT     | -                   | 2023-05-10 13:50 | 12 months
2.21.0.rc1   | MIT     | -                   | 2023-04-03 02:21 | about 1 year
2.20.0       | MIT     | -                   | 2023-04-01 17:07 | about 1 year
2.19.1       | MIT     | -                   | 2022-12-13 13:22 | over 1 year
2.19.0       | MIT     | 6                   | 2022-09-14 13:38 | over 1 year
2.18.0       | MIT     | 6                   | 2022-05-11 18:42 | almost 2 years
2.17.0       | MIT     | 6                   | 2022-04-28 13:35 | about 2 years
2.16.0       | MIT     | 6                   | 2022-04-01 18:27 | about 2 years
2.15.0       | MIT     | 6                   | 2022-03-14 17:09 | about 2 years
2.14.0       | MIT     | 6                   | 2022-02-11 19:10 | about 2 years
2.13.0       | MIT     | 6                   | 2021-12-10 05:21 | over 2 years
2.12.0       | MIT     | 6                   | 2021-08-11 17:30 | over 2 years
2.11.0       | MIT     | 6                   | 2021-07-31 21:31 | almost 3 years
2.10.0       | MIT     | 6                   | 2021-06-06 17:01 | almost 3 years
2.9.1        | MIT     | 6                   | 2021-04-07 15:23 | about 3 years
2.9.0        | MIT     | 6                   | 2021-01-14 21:36 | over 3 years
2.8.0        | MIT     | 6                   | 2020-11-25 21:16 | over 3 years
2.7.0        | MIT     | 6                   | 2020-08-26 19:33 | over 3 years
2.6.0        | MIT     | 6                   | 2020-06-16 21:22 | almost 4 years
2.5.0        | MIT     | 6                   | 2020-04-05 20:51 | about 4 years
2.4.0        | MIT     | 6                   | 2019-11-25 18:45 | over 4 years
2.3.1        | MIT     | 6                   | 2019-10-22 13:14 | over 4 years
2.3.0        | MIT     | 8                   | 2019-09-28 17:37 | over 4 years
2.2.3        | MIT     | 8                   | 2018-10-30 13:01 | over 5 years
2.2.2        | MIT     | 10                  | 2018-03-22 15:10 | about 6 years
2.2.1        | MIT     | 10                  | 2018-03-19 20:32 | about 6 years
2.2.0        | MIT     | 12                  | 2018-02-11 22:23 | about 6 years
2.1.1        | MIT     | 10                  | 2017-09-25 01:11 | over 6 years
2.1.0        | MIT     | 10                  | 2017-09-24 20:48 | over 6 years
2.1.0.rc2    | MIT     | 8                   | 2016-01-11 18:31 | over 8 years
2.1.0.rc1    | MIT     | 8                   | 2015-08-17 23:21 | over 8 years
2.0.3        | MIT     | 8                   | 2015-08-17 18:13 | over 8 years
2.0.2        | MIT     | 8                   | 2015-05-05 19:59 | almost 9 years
2.0.1        | MIT     | 8                   | 2014-08-21 21:28 | over 9 years
2.0.0        | MIT     | 8                   | 2014-05-09 22:51 | almost 10 years
1.2.1        | UNKNOWN | 8                   | 2012-04-14 19:08 | about 12 years
1.2.0        | UNKNOWN | 8                   | 2011-08-08 16:54 | over 12 years
1.1.0        | UNKNOWN | 8                   | 2011-08-08 05:30 | over 12 years
1.0.0        | UNKNOWN | 8                   | 2010-10-26 04:52 | over 13 years
1.0.0.beta.1 | UNKNOWN | 8                   | 2010-07-21 06:56 | almost 14 years
0.4.7        | UNKNOWN | 8                   | 2010-03-09 20:47 | about 14 years
0.4.6        | UNKNOWN | 8                   | 2010-02-02 14:54 | about 14 years
0.4.5        | UNKNOWN | 9                   | 2010-02-02 12:27 | about 14 years
0.4.4        | UNKNOWN | 9                   | 2010-02-01 21:59 | about 14 years
0.4.3        | UNKNOWN | 9                   | 2010-01-31 20:18 | about 14 years
0.4.2        | UNKNOWN | 9                   | 2010-01-24 03:54 | over 14 years
0.4.1        | UNKNOWN | 9                   | 2009-11-23 12:17 | over 14 years
0.4.0        | UNKNOWN | 9                   | 2009-11-22 03:59 | over 14 years
0.3.1        | UNKNOWN | 9                   | 2009-10-13 06:15 | over 14 years
0.3.0        | UNKNOWN | 9                   | 2009-10-07 10:38 | over 14 years
0.2.2        | UNKNOWN | 9                   | 2009-09-24 22:14 | over 14 years
0.2.1        | UNKNOWN | 9                   | 2009-08-20 05:39 | over 14 years
0.2.0        | UNKNOWN | 9                   | 2009-08-18 05:20 | over 14 years