Ruby/loofah/0.4.2
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
Loofah also includes some HTML sanitizers based on html5lib's safelist, which are a specific application of the general transformation functionality.
https://rubygems.org/gems/loofah
License: UNKNOWN
9 Security Vulnerabilities
Inefficient Regular Expression Complexity in Loofah
- https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh
- https://github.com/flavorjones/loofah/commit/a6e0a1ab90675a17b1b2be189129d94139e4b143
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2022-23514.yml
- https://github.com/advisories/GHSA-486f-hjj9-9vhh
- https://nvd.nist.gov/vuln/detail/CVE-2022-23514
- https://hackerone.com/reports/1684163
- https://lists.debian.org/debian-lts-announce/2023/09/msg00011.html
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Severity
The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).
References
- CWE - CWE-1333: Inefficient Regular Expression Complexity (4.9)
- https://hackerone.com/reports/1684163
Credit
This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).
Loofah Allows Cross-site Scripting
- https://nvd.nist.gov/vuln/detail/CVE-2019-15587
- https://github.com/advisories/GHSA-c3gv-9cxf-6f57
- https://github.com/flavorjones/loofah/issues/171
- https://hackerone.com/reports/709009
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4WK2UG7ORKRQOJ6E4XJ2NVIHYJES6BYZ/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMCWPLYPNIWYAY443IZZJ4IHBBLIHBP5/
- https://security.netapp.com/advisory/ntap-20191122-0003/
- https://usn.ubuntu.com/4498-1/
- https://www.debian.org/security/2019/dsa-4554
- https://github.com/flavorjones/loofah/commit/0c6617af440879ce97440f6eb6c58636456dc8ec
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2019-15587.yml
In the Loofah gem for Ruby through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Loofah Cross-site Scripting vulnerability
In the Loofah gem for Ruby, through version 2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished. Users are advised to upgrade to version 2.2.3.
See https://github.com/flavorjones/loofah/issues/154 for more details.
Cross-site Scripting in loofah
- https://nvd.nist.gov/vuln/detail/CVE-2018-8048
- https://github.com/advisories/GHSA-x7rv-cr6v-4vm4
- https://github.com/flavorjones/loofah/issues/144
- https://security.netapp.com/advisory/ntap-20191122-0003/
- https://www.debian.org/security/2018/dsa-4171
- http://www.openwall.com/lists/oss-security/2018/03/19/5
- https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116
- https://github.com/sparklemotion/nokogiri/pull/1746
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/loofah/CVE-2018-8048.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/CVE-2018-8048.yml
Loofah allows non-whitelisted attributes to be present in sanitized output when given input containing specially crafted HTML fragments.
Users are affected if running Loofah < 2.2.1, but only:
- when running on MRI or RBX,
- in combination with libxml2 >= 2.9.2.
JRuby users are not affected.
Loofah XSS Vulnerability
In the Loofah gem, through v2.2.2, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Loofah XSS Vulnerability
Loofah allows non-whitelisted attributes to be present in sanitized output when given input containing specially crafted HTML fragments.
Loofah XSS Vulnerability
In the Loofah gem, through v2.3.0, unsanitized JavaScript may occur in sanitized output when a crafted SVG element is republished.
Inefficient Regular Expression Complexity in Loofah
Summary
Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
Mitigation
Upgrade to Loofah >= 2.19.1.
Loofah HTML and XSS injection vulnerability
The Loofah gem for Ruby contains a flaw that allows a remote cross-site scripting (XSS) attack. This flaw exists because the Loofah::HTML::Document#text function passes properly sanitized user-supplied input to the Loofah::XssFoliate and Loofah::Helpers#strip_tags functions, which convert the input back to text. This may allow an attacker to create a specially crafted request that would execute arbitrary script code in a user's browser within the trust relationship between their browser and the server.
62 Other Versions
Version | License | Security advisories | Released | Age |
---|---|---|---|---|
0.4.6 | UNKNOWN | 8 | 2010-02-02 - 14:54 | over 15 years |
0.4.5 | UNKNOWN | 9 | 2010-02-02 - 12:27 | over 15 years |
0.4.4 | UNKNOWN | 9 | 2010-02-01 - 21:59 | over 15 years |
0.4.3 | UNKNOWN | 9 | 2010-01-31 - 20:18 | over 15 years |
0.4.2 | UNKNOWN | 9 | 2010-01-24 - 03:54 | over 15 years |
0.4.1 | UNKNOWN | 9 | 2009-11-23 - 12:17 | almost 16 years |
0.4.0 | UNKNOWN | 9 | 2009-11-22 - 03:59 | almost 16 years |
0.3.1 | UNKNOWN | 9 | 2009-10-13 - 06:15 | almost 16 years |
0.3.0 | UNKNOWN | 9 | 2009-10-07 - 10:38 | almost 16 years |
0.2.2 | UNKNOWN | 9 | 2009-09-24 - 22:14 | almost 16 years |
0.2.1 | UNKNOWN | 9 | 2009-08-20 - 05:39 | about 16 years |
0.2.0 | UNKNOWN | 9 | 2009-08-18 - 05:20 | about 16 years |