
security: v2 CVE-2024-22191 #2382

Merged
merged 1 commit into from
Jan 18, 2024

Conversation

Paul-Bob
Contributor

Description

Addresses GHSA-ghjv-mh6x-7q6h

Fixes a security issue where the output for the key_value field is not sanitized.

@Paul-Bob Paul-Bob self-assigned this Jan 18, 2024
@Paul-Bob Paul-Bob merged commit fc92a05 into 2.x Jan 18, 2024
11 of 13 checks passed
@Paul-Bob Paul-Bob deleted the 2.x_security/CVE-2024-22191 branch January 18, 2024 08:48
@tamaloa

tamaloa commented Jan 18, 2024

Hi, I just stumbled across here because my updated avo (2.47) is still reported as vulnerable. I assume it takes some time for the ruby-vulnerability-db to pick up the change, but maybe the avo security-advisory should be updated to reflect that only <= 2.46.0 is affected?


@adrianthedev
Collaborator

Hey @tamaloa.
I updated it now with <= 2.46.
Please let me know if that fixes it.

tamaloa added a commit to tamaloa/ruby-advisory-db that referenced this pull request Jan 18, 2024
Fix was backported to 2.x in avo-hq/avo#2382 and the security-advisory updated to reflect this: GHSA-ghjv-mh6x-7q6h
@tamaloa

tamaloa commented Jan 18, 2024

First off: Thanks for backporting the fix - we are just not yet ready for the 2 -> 3 upgrade :)

I am also a bit confused regarding what path a security-advisory takes until it ends up in the tool you are using (bundler-audit in our case which uses ruby-advisory-db which uses github-advisories). But it seems it worked out for this CVE :)

Regarding ruby-advisory-db: I noticed they have the next advisory which would affect the avo 2.x branch lined up (rubysec/ruby-advisory-db#736) -> "Possible XSS in Action messages". This is taken from the linked github-advisory (GHSA-g8vp-2v5p-9qfh) which also flags avo 2.x as vulnerable (affected versions: < 3.0.2). But your own security-advisory (GHSA-g8vp-2v5p-9qfh) only mentions one specific release (3.0.0.pre12) to be vulnerable.

So is the 2.x branch vulnerable to "Possible XSS in Action messages"? If not it would be great if the advisories were changed :)

Sorry, this does not really belong in this PR, but I could not find a better place to comment on this.

postmodern pushed a commit to rubysec/ruby-advisory-db that referenced this pull request Jan 18, 2024
Fix was backported to 2.x in avo-hq/avo#2382 and the security-advisory updated to reflect this: GHSA-ghjv-mh6x-7q6h