Ruby/loofah/2.14.0

Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.

Loofah also includes some HTML sanitizers based on html5lib's safelist, which are a specific application of the general transformation functionality.

Repo Link: https://rubygems.org/gems/loofah
License: MIT

6 Security Vulnerabilities

Improper neutralization of data URIs may allow XSS in Loofah

Published date: 2022-12-13T17:39:36Z

CVE: CVE-2022-23515

Links:

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as Medium Severity 6.1.

References

Credit

This vulnerability was responsibly reported by Maciej Piechota (@haqpl).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Uncontrolled Recursion in Loofah

Published date: 2022-12-13T17:40:50Z

CVE: CVE-2022-23516

Links:

Summary

Loofah >= 2.2.0, < 2.19.1 uses recursion for sanitizing CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

CWE - CWE-674: Uncontrolled Recursion (4.9)

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13T17:36:28Z

CVE: CVE-2022-23514

Links:

Summary

Loofah < 2.19.1 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption.

Mitigation

Upgrade to Loofah >= 2.19.1.

Severity

The Loofah maintainers have evaluated this as High Severity 7.5 (CVSS3.1).

References

Credit

This vulnerability was responsibly reported by @ooooooo-q (https://github.com/ooooooo-q).

Affected versions: ["2.7.0", "2.6.0", "2.5.0", "2.4.0", "2.3.1", "2.3.0", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.1.0", "2.1.0.rc2", "2.1.0.rc1", "2.0.3", "2.0.2", "2.0.1", "2.0.0", "1.2.1", "1.2.0", "1.1.0", "1.0.0", "1.0.0.beta.1", "0.4.7", "0.4.6", "0.4.5", "0.4.4", "0.4.3", "0.4.2", "0.4.1", "0.4.0", "0.3.1", "0.3.0", "0.2.2", "0.2.1", "0.2.0", "2.8.0", "2.9.0", "2.9.1", "2.10.0", "2.11.0", "2.12.0", "2.13.0", "2.14.0", "2.15.0", "2.16.0", "2.17.0", "2.18.0", "2.19.0"]

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Inefficient Regular Expression Complexity in Loofah

Published date: 2022-12-13

CVE: 2022-23514

CVSS V3: 7.5

Links:

https://github.com/flavorjones/loofah/security/advisories/GHSA-486f-hjj9-9vhh

Summary

Mitigation

Upgrade to Loofah >= 2.19.1.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Improper neutralization of data URIs may allow XSS in Loofah

Published date: 2022-12-13

CVE: 2022-23515

CVSS V3: 6.1

Links:

https://github.com/flavorjones/loofah/security/advisories/GHSA-228g-948r-83gx

Summary

Loofah >= 2.1.0, < 2.19.1 is vulnerable to cross-site scripting via the image/svg+xml media type in data URIs.

Mitigation

Upgrade to Loofah >= 2.19.1.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

Uncontrolled Recursion in Loofah

Published date: 2022-12-13

CVE: 2022-23516

CVSS V3: 7.5

Links:

https://github.com/flavorjones/loofah/security/advisories/GHSA-3x8r-x6xp-q4vm

Summary

Mitigation

Upgrade to Loofah >= 2.19.1.

Users who are unable to upgrade may be able to mitigate this vulnerability by limiting the length of the strings that are sanitized.

Secure versions: [2.19.1, 2.21.0.rc1, 2.20.0, 2.21.1, 2.21.0, 2.21.2, 2.21.3, 2.21.4, 2.22.0, 2.23.0, 2.23.1, 2.24.0]

Recommendation: Update to version 2.24.0.

61 Other Versions

Version	License	Security	Released
2.24.0	MIT		2025-01-01 - 03:05	4 months
2.23.1	MIT		2024-10-25 - 12:43	7 months
2.23.0	MIT		2024-10-24 - 12:59	7 months
2.22.0	MIT		2023-11-13 - 21:41	over 1 year
2.21.4	MIT		2023-10-10 - 17:55	over 1 year
2.21.3	MIT		2023-05-15 - 21:10	almost 2 years
2.21.2	MIT		2023-05-11 - 15:39	almost 2 years
2.21.1	MIT		2023-05-10 - 14:39	almost 2 years
2.21.0	MIT		2023-05-10 - 13:50	almost 2 years
2.21.0.rc1	MIT		2023-04-03 - 02:21	about 2 years
2.20.0	MIT		2023-04-01 - 17:07	about 2 years
2.19.1	MIT		2022-12-13 - 13:22	over 2 years
2.19.0	MIT	6	2022-09-14 - 13:38	over 2 years
2.18.0	MIT	6	2022-05-11 - 18:42	almost 3 years
2.17.0	MIT	6	2022-04-28 - 13:35	about 3 years
2.16.0	MIT	6	2022-04-01 - 18:27	about 3 years
2.15.0	MIT	6	2022-03-14 - 17:09	about 3 years
2.14.0	MIT	6	2022-02-11 - 19:10	about 3 years
2.13.0	MIT	6	2021-12-10 - 05:21	over 3 years
2.12.0	MIT	6	2021-08-11 - 17:30	over 3 years
2.11.0	MIT	6	2021-07-31 - 21:31	almost 4 years
2.10.0	MIT	6	2021-06-06 - 17:01	almost 4 years
2.9.1	MIT	6	2021-04-07 - 15:23	about 4 years
2.9.0	MIT	6	2021-01-14 - 21:36	over 4 years
2.8.0	MIT	6	2020-11-25 - 21:16	over 4 years
2.7.0	MIT	6	2020-08-26 - 19:33	over 4 years
2.6.0	MIT	6	2020-06-16 - 21:22	almost 5 years
2.5.0	MIT	6	2020-04-05 - 20:51	about 5 years
2.4.0	MIT	6	2019-11-25 - 18:45	over 5 years
2.3.1	MIT	6	2019-10-22 - 13:14	over 5 years
2.3.0	MIT	8	2019-09-28 - 17:37	over 5 years
2.2.3	MIT	8	2018-10-30 - 13:01	over 6 years
2.2.2	MIT	10	2018-03-22 - 15:10	about 7 years
2.2.1	MIT	10	2018-03-19 - 20:32	about 7 years
2.2.0	MIT	12	2018-02-11 - 22:23	about 7 years
2.1.1	MIT	10	2017-09-25 - 01:11	over 7 years
2.1.0	MIT	10	2017-09-24 - 20:48	over 7 years
2.1.0.rc2	MIT	8	2016-01-11 - 18:31	over 9 years
2.1.0.rc1	MIT	8	2015-08-17 - 23:21	over 9 years
2.0.3	MIT	8	2015-08-17 - 18:13	over 9 years
2.0.2	MIT	8	2015-05-05 - 19:59	about 10 years
2.0.1	MIT	8	2014-08-21 - 21:28	over 10 years
2.0.0	MIT	8	2014-05-09 - 22:51	almost 11 years
1.2.1	UNKNOWN	8	2012-04-14 - 19:08	about 13 years
1.2.0	UNKNOWN	8	2011-08-08 - 16:54	almost 14 years
1.1.0	UNKNOWN	8	2011-08-08 - 05:30	almost 14 years
1.0.0	UNKNOWN	8	2010-10-26 - 04:52	over 14 years
1.0.0.beta.1	UNKNOWN	8	2010-07-21 - 06:56	almost 15 years
0.4.7	UNKNOWN	8	2010-03-09 - 20:47	about 15 years
0.4.6	UNKNOWN	8	2010-02-02 - 14:54	over 15 years
0.4.5	UNKNOWN	9	2010-02-02 - 12:27	over 15 years
0.4.4	UNKNOWN	9	2010-02-01 - 21:59	over 15 years
0.4.3	UNKNOWN	9	2010-01-31 - 20:18	over 15 years
0.4.2	UNKNOWN	9	2010-01-24 - 03:54	over 15 years
0.4.1	UNKNOWN	9	2009-11-23 - 12:17	over 15 years
0.4.0	UNKNOWN	9	2009-11-22 - 03:59	over 15 years
0.3.1	UNKNOWN	9	2009-10-13 - 06:15	over 15 years
0.3.0	UNKNOWN	9	2009-10-07 - 10:38	over 15 years
0.2.2	UNKNOWN	9	2009-09-24 - 22:14	over 15 years
0.2.1	UNKNOWN	9	2009-08-20 - 05:39	over 15 years
0.2.0	UNKNOWN	9	2009-08-18 - 05:20	over 15 years