Ruby/yard/0.7.3
YARD is a documentation generation tool for the Ruby programming language.
It enables the user to generate consistent, usable documentation that can be
exported to a number of formats very easily, and also supports extending for
custom Ruby constructs such as custom class level definitions.
https://rubygems.org/gems/yard
UNKNOWN
6 Security Vulnerabilities
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
- https://github.com/lsegal/yard/security/advisories/GHSA-8mq4-9jjh-9xrc
- https://github.com/lsegal/yard/commit/2069e2bf08293bda2fcc78f7d0698af6354054be
- https://nvd.nist.gov/vuln/detail/CVE-2024-27285
- https://github.com/advisories/GHSA-8mq4-9jjh-9xrc
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/yard/CVE-2024-27285.yml
- https://github.com/lsegal/yard/pull/1538
- https://github.com/lsegal/yard/commit/1fcb2d8b316caf8779cfdcf910715e9ab583f0aa
- https://lists.debian.org/debian-lts-announce/2024/03/msg00006.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MR3Z2E2UIZZ7YOR7R645EVSBGWMB2RGA
Summary
The frames.html
file within the Yard Doc's generated documentation is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate sanitization of user input within the JavaScript segment of the frames.erb
template file.
Details
The vulnerability stems from mishandling user-controlled data retrieved from the URL hash in the embedded JavaScript code within the frames.erb
template file. Specifically, the script lacks proper sanitization of the hash data before utilizing it to establish the top-level window's location. This oversight permits an attacker to inject malicious JavaScript payloads through carefully crafted URLs.
Snippet from frames.erb
:
(v0.9.34)
erb
<script type="text/javascript">
var match = unescape(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
window.top.location = name;
</script>
(v0.9.35)
erb
<script type="text/javascript">
var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
window.top.location.replace(name)
</script>
PoC (Proof of Concept)
To exploit this vulnerability:
1. Gain access to the generated Yard Doc.
2. Locate and access the frames.html
file.
3. Construct a URL containing the malicious payload in the hash segment, for instance: #!javascript:xss
for v0.9.34, and #:javascript:xss
for v0.9.35
Impact
This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.
Arbitrary file read vulnerability in yard server
lib/yard/core_ext/file.rb
in the server in YARD before 0.9.11 does not block relative paths with an initial ../
sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
Potential arbitrary file read vulnerability in yard server
lib/yard/core_ext/file.rb in the server in YARD before 0.9.11 does not block relative paths with an initial ../ sequence, which allows attackers to conduct directory traversal attacks and read arbitrary files.
Arbitrary path traversal and file access via `yard server`
A path traversal vulnerability was discovered in YARD <= 0.9.19 when using
yard server
to serve documentation. This bug would allow unsanitized HTTP
requests to access arbitrary files on the machine of a yard server host under
certain conditions.
The issue is resolved in v0.9.20 and later.
YARD's default template vulnerable to Cross-site Scripting in generated frames.html
Summary
The frames.html
file within the Yard Doc's generated documentation
is vulnerable to Cross-Site Scripting (XSS) attacks due to inadequate
sanitization of user input within the JavaScript segment of the
frames.erb
template file.
Details
The vulnerability stems from mishandling user-controlled data retrieved
from the URL hash in the embedded JavaScript code within the frames.erb
template file. Specifically, the script lacks proper sanitization of
the hash data before utilizing it to establish the top-level window's
location. This oversight permits an attacker to inject malicious
JavaScript payloads through carefully crafted URLs.
Snippet from frames.erb
:
(v0.9.34)
erb
<script type="text/javascript">
var match = unescape(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^(\w+):\/\//, '').replace(/^\/\//, '');
window.top.location = name;
</script>
(v0.9.35)
erb
<script type="text/javascript">
var match = decodeURIComponent(window.location.hash).match(/^#!(.+)/);
var name = match ? match[1] : '<%= url_for_main %>';
name = name.replace(/^((\w*):)?[\/\\]*/gm, '').trim();
window.top.location.replace(name)
</script>
Impact
This XSS vulnerability presents a substantial threat by enabling an attacker to execute arbitrary JavaScript code within the user's session context. Potential ramifications include session hijacking, theft of sensitive data, unauthorized access to user accounts, and defacement of websites. Any user visiting the compromised page is susceptible to exploitation. It is critical to promptly address this vulnerability to mitigate potential harm to users and preserve the application's integrity.
Possible arbitrary path traversal and file access via `yard server`
A path traversal vulnerability was discovered in YARD <= 0.9.19 when
using yard server
to serve documentation. This bug would allow unsanitized HTTP
requests to access arbitrary files on the machine of a yard server host under certain
conditions.
92 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
0.9.37 | MIT | 2024-09-04 - 08:51 | 17 days | |
0.9.36 | MIT | 2024-02-29 - 22:19 | 7 months | |
0.9.35 | MIT | 2 | 2024-02-28 - 18:12 | 7 months |
0.9.34 | MIT | 2 | 2023-04-12 - 21:27 | over 1 year |
0.9.33 | MIT | 2 | 2023-04-12 - 06:23 | over 1 year |
0.9.32 | MIT | 2 | 2023-04-09 - 19:25 | over 1 year |
0.9.31 | MIT | 2 | 2023-04-09 - 18:22 | over 1 year |
0.9.30 | MIT | 2 | 2023-04-09 - 17:17 | over 1 year |
0.9.29 | MIT | 2 | 2023-04-08 - 22:02 | over 1 year |
0.9.28 | MIT | 2 | 2022-06-01 - 20:20 | over 2 years |
0.9.27 | MIT | 2 | 2021-11-29 - 22:07 | almost 3 years |
0.9.26 | MIT | 2 | 2020-12-27 - 00:17 | over 3 years |
0.9.25 | MIT | 2 | 2020-05-03 - 21:36 | over 4 years |
0.9.24 | MIT | 2 | 2020-01-08 - 18:36 | over 4 years |
0.9.23 | MIT | 2 | 2020-01-05 - 19:08 | over 4 years |
0.9.22 | MIT | 2 | 2019-12-31 - 20:45 | over 4 years |
0.9.21 | MIT | 2 | 2019-12-31 - 20:23 | over 4 years |
0.9.20 | MIT | 2 | 2019-06-27 - 23:37 | about 5 years |
0.9.19 | MIT | 4 | 2019-04-02 - 01:28 | over 5 years |
0.9.18 | MIT | 4 | 2019-01-22 - 02:07 | over 5 years |
0.9.17 | MIT | 4 | 2019-01-22 - 02:01 | over 5 years |
0.9.16 | MIT | 4 | 2018-08-11 - 20:39 | about 6 years |
0.9.15 | MIT | 4 | 2018-07-18 - 05:09 | about 6 years |
0.9.14 | MIT | 4 | 2018-06-03 - 01:44 | over 6 years |
0.9.13 | MIT | 4 | 2018-05-28 - 22:45 | over 6 years |
0.9.12 | MIT | 4 | 2017-11-26 - 20:39 | almost 7 years |
0.9.11 | MIT | 4 | 2017-11-23 - 21:48 | almost 7 years |
0.9.10 | MIT | 6 | 2017-11-18 - 21:52 | almost 7 years |
0.9.9 | MIT | 6 | 2017-04-23 - 22:05 | over 7 years |
0.9.8 | MIT | 6 | 2017-01-13 - 19:57 | over 7 years |
0.9.7 | MIT | 6 | 2017-01-10 - 00:16 | over 7 years |
0.9.6 | MIT | 6 | 2017-01-07 - 19:40 | over 7 years |
0.9.5 | MIT | 6 | 2016-07-22 - 23:22 | about 8 years |
0.9.4 | MIT | 6 | 2016-07-21 - 19:06 | about 8 years |
0.9.3 | MIT | 6 | 2016-07-20 - 22:38 | about 8 years |
0.9.2 | MIT | 6 | 2016-07-19 - 21:27 | about 8 years |
0.9.1 | MIT | 6 | 2016-07-18 - 19:00 | about 8 years |
0.9.0 | MIT | 6 | 2016-07-04 - 19:32 | about 8 years |
0.8.7.6 | MIT | 6 | 2014-10-26 - 22:30 | almost 10 years |
0.8.7.5 | MIT | 6 | 2014-10-26 - 10:40 | almost 10 years |
0.8.7.4 | MIT | 6 | 2014-03-22 - 21:48 | over 10 years |
0.8.7.3 | MIT | 6 | 2013-11-02 - 00:17 | almost 11 years |
0.8.7.2 | MIT | 6 | 2013-09-19 - 00:31 | about 11 years |
0.8.7.1 | MIT | 6 | 2013-09-12 - 00:32 | about 11 years |
0.8.7 | MIT | 6 | 2013-07-27 - 04:55 | about 11 years |
0.8.6.2 | MIT | 6 | 2013-06-28 - 06:47 | about 11 years |
0.8.6.1 | MIT | 6 | 2013-04-15 - 07:24 | over 11 years |
0.8.6 | MIT | 6 | 2013-04-13 - 20:47 | over 11 years |
0.8.5.2 | MIT | 6 | 2013-02-26 - 08:57 | over 11 years |
0.8.5.1 | MIT | 6 | 2013-02-26 - 05:18 | over 11 years |
0.8.5 | MIT | 6 | 2013-02-25 - 06:11 | over 11 years |
0.8.4.1 | UNKNOWN | 6 | 2013-02-05 - 20:21 | over 11 years |
0.8.4 | UNKNOWN | 6 | 2013-02-05 - 05:01 | over 11 years |
0.8.3 | UNKNOWN | 6 | 2012-10-15 - 05:50 | almost 12 years |
0.8.2.1 | UNKNOWN | 6 | 2012-06-10 - 19:58 | over 12 years |
0.8.2 | UNKNOWN | 6 | 2012-06-07 - 19:52 | over 12 years |
0.8.1 | UNKNOWN | 6 | 2012-05-02 - 20:33 | over 12 years |
0.8.0 | UNKNOWN | 6 | 2012-04-30 - 23:45 | over 12 years |
0.7.5 | UNKNOWN | 6 | 2012-01-31 - 23:12 | over 12 years |
0.7.4 | UNKNOWN | 6 | 2011-12-03 - 19:57 | almost 13 years |
0.7.3 | UNKNOWN | 6 | 2011-10-15 - 18:28 | almost 13 years |
0.7.2 | UNKNOWN | 6 | 2011-06-14 - 17:09 | over 13 years |
0.7.1 | UNKNOWN | 6 | 2011-05-18 - 15:18 | over 13 years |
0.7.0 | UNKNOWN | 6 | 2011-05-17 - 23:51 | over 13 years |
0.6.8 | UNKNOWN | 6 | 2011-04-14 - 20:41 | over 13 years |
0.6.7 | UNKNOWN | 6 | 2011-04-06 - 23:14 | over 13 years |
0.6.6 | UNKNOWN | 6 | 2011-04-06 - 18:16 | over 13 years |
0.6.5 | UNKNOWN | 6 | 2011-03-14 - 03:18 | over 13 years |
0.6.4 | UNKNOWN | 6 | 2010-12-22 - 01:07 | over 13 years |
0.6.3 | UNKNOWN | 6 | 2010-11-21 - 20:52 | almost 14 years |
0.6.2 | UNKNOWN | 6 | 2010-11-15 - 21:49 | almost 14 years |
0.6.1 | UNKNOWN | 6 | 2010-09-06 - 21:04 | about 14 years |
0.6.0 | UNKNOWN | 6 | 2010-08-29 - 21:23 | about 14 years |
0.5.8 | UNKNOWN | 6 | 2010-06-22 - 19:04 | about 14 years |
0.5.7 | UNKNOWN | 6 | 2010-06-21 - 18:01 | over 14 years |
0.5.6 | UNKNOWN | 6 | 2010-06-12 - 22:23 | over 14 years |
0.5.5 | UNKNOWN | 6 | 2010-05-22 - 16:04 | over 14 years |
0.5.4 | UNKNOWN | 6 | 2010-03-22 - 20:42 | over 14 years |
0.5.3 | UNKNOWN | 6 | 2010-01-11 - 07:59 | over 14 years |
0.5.2 | UNKNOWN | 6 | 2009-12-16 - 20:30 | almost 15 years |
0.5.1 | UNKNOWN | 6 | 2009-12-15 - 22:26 | almost 15 years |
0.5.0 | UNKNOWN | 6 | 2009-12-15 - 01:02 | almost 15 years |
0.5.1p1 | UNKNOWN | 6 | 2009-12-16 - 20:24 | almost 15 years |
0.4.0 | UNKNOWN | 6 | 2009-11-15 - 13:11 | almost 15 years |
0.2.3.5 | UNKNOWN | 6 | 2009-08-18 - 05:30 | about 15 years |
0.2.3.4 | UNKNOWN | 6 | 2009-08-07 - 20:51 | about 15 years |
0.2.3.3 | UNKNOWN | 6 | 2009-07-27 - 04:30 | about 15 years |
0.2.3.2 | UNKNOWN | 6 | 2009-08-05 - 14:12 | about 15 years |
0.2.3 | UNKNOWN | 6 | 2009-07-25 - 17:46 | about 15 years |
0.2.2 | UNKNOWN | 6 | 2009-07-25 - 17:46 | about 15 years |
0.2.1 | UNKNOWN | 6 | 2009-07-25 - 17:46 | about 15 years |
0.2.0 | UNKNOWN | 6 | 2009-07-25 - 17:46 | about 15 years |