Headline
Red Hat Security Advisory 2023-1486-01
Red Hat Security Advisory 2023-1486-01 - Grafana is an open source, feature rich metrics dashboard and graph editor for Graphite, InfluxDB & OpenTSDB. Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Issues addressed include HTTP request smuggling, code execution, and denial of service vulnerabilities.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
=====================================================================
Red Hat Security Advisory
Synopsis: Important: Red Hat Gluster Storage web-admin-build security update
Advisory ID: RHSA-2023:1486-01
Product: Red Hat Gluster Storage
Advisory URL: https://access.redhat.com/errata/RHSA-2023:1486
Issue date: 2023-03-28
CVE Names: CVE-2022-24790 CVE-2022-30122 CVE-2022-30123
CVE-2022-31129 CVE-2022-31163
=====================================================================
- Summary:
An update is now available for Red Hat Gluster Storage 3.5 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.
- Relevant releases/architectures:
Red Hat Gluster 3.5 Web Administration on RHEL-7 - noarch, x86_64
- Description:
Grafana is an open source, feature rich metrics dashboard and graph editor
for Graphite, InfluxDB & OpenTSDB.
Django is a high-level Python Web framework that encourages rapid
development and a clean, pragmatic design. It focuses on automating as much
as possible and adhering to the DRY (Don’t Repeat Yourself) principle.
Ruby is an extensible, interpreted, object-oriented, scripting language. It
has features to process text files and to perform system management tasks.
Security Fix(es):
puma-5.6.4: http request smuggling vulnerabilities (CVE-2022-24790)
rubygem-rack: crafted requests can cause shell escape sequences
(CVE-2022-30123)moment: inefficient parsing algorithm resulting in DoS (CVE-2022-31129)
rubygem-tzinfo: arbitrary code execution (CVE-2022-31163)
rubygem-rack: crafted multipart POST request may cause a DoS
(CVE-2022-30122)
For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.
- Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
2071616 - CVE-2022-24790 puma-5.6.4: http request smuggling vulnerabilities
2099519 - CVE-2022-30122 rubygem-rack: crafted multipart POST request may cause a DoS
2099524 - CVE-2022-30123 rubygem-rack: crafted requests can cause shell escape sequences
2105075 - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
2110551 - CVE-2022-31163 rubygem-tzinfo: arbitrary code execution
- Package List:
Red Hat Gluster 3.5 Web Administration on RHEL-7:
Source:
grafana-5.2.4-6.el7rhgs.src.rpm
python-django-1.11.27-4.el7rhgs.src.rpm
ruby-2.4.9-94.el7rhgs.src.rpm
rubygem-activemodel-5.2.0-1.el7rhgs.src.rpm
rubygem-activesupport-5.2.0-1.el7rhgs.src.rpm
rubygem-bcrypt-3.1.12-2.el7rhgs.src.rpm
rubygem-concurrent-ruby-1.1.9-1.el7rhgs.src.rpm
rubygem-i18n-1.9.1-1.el7rhgs.src.rpm
rubygem-mustermann-1.0.3-1.el7rhgs.src.rpm
rubygem-nio4r-2.3.1-2.el7rhgs.src.rpm
rubygem-puma-4.3.12-1.el7rhgs.src.rpm
rubygem-rack-2.2.4-1.el7rhgs.src.rpm
rubygem-rack-protection-2.2.0-1.el7rhgs.src.rpm
rubygem-sinatra-2.2.0-1.el7rhgs.src.rpm
rubygem-thread_safe-0.3.6-1.el7rhgs.src.rpm
rubygem-tilt-2.0.11-1.el7rhgs.src.rpm
rubygem-tzinfo-1.2.10-1.el7rhgs.src.rpm
noarch:
python-django-bash-completion-1.11.27-4.el7rhgs.noarch.rpm
python2-django-1.11.27-4.el7rhgs.noarch.rpm
python2-django-doc-1.11.27-4.el7rhgs.noarch.rpm
ruby-doc-2.4.9-94.el7rhgs.noarch.rpm
ruby-irb-2.4.9-94.el7rhgs.noarch.rpm
rubygem-activemodel-5.2.0-1.el7rhgs.noarch.rpm
rubygem-activemodel-doc-5.2.0-1.el7rhgs.noarch.rpm
rubygem-activesupport-5.2.0-1.el7rhgs.noarch.rpm
rubygem-activesupport-doc-5.2.0-1.el7rhgs.noarch.rpm
rubygem-bcrypt-doc-3.1.12-2.el7rhgs.noarch.rpm
rubygem-concurrent-ruby-1.1.9-1.el7rhgs.noarch.rpm
rubygem-concurrent-ruby-doc-1.1.9-1.el7rhgs.noarch.rpm
rubygem-i18n-1.9.1-1.el7rhgs.noarch.rpm
rubygem-i18n-doc-1.9.1-1.el7rhgs.noarch.rpm
rubygem-minitest-5.10.1-94.el7rhgs.noarch.rpm
rubygem-mustermann-1.0.3-1.el7rhgs.noarch.rpm
rubygem-mustermann-doc-1.0.3-1.el7rhgs.noarch.rpm
rubygem-nio4r-doc-2.3.1-2.el7rhgs.noarch.rpm
rubygem-power_assert-0.4.1-94.el7rhgs.noarch.rpm
rubygem-puma-doc-4.3.12-1.el7rhgs.noarch.rpm
rubygem-rack-2.2.4-1.el7rhgs.noarch.rpm
rubygem-rack-doc-2.2.4-1.el7rhgs.noarch.rpm
rubygem-rack-protection-2.2.0-1.el7rhgs.noarch.rpm
rubygem-rack-protection-doc-2.2.0-1.el7rhgs.noarch.rpm
rubygem-rake-12.0.0-94.el7rhgs.noarch.rpm
rubygem-rdoc-5.0.1-94.el7rhgs.noarch.rpm
rubygem-sinatra-2.2.0-1.el7rhgs.noarch.rpm
rubygem-sinatra-doc-2.2.0-1.el7rhgs.noarch.rpm
rubygem-test-unit-3.2.3-94.el7rhgs.noarch.rpm
rubygem-thread_safe-0.3.6-1.el7rhgs.noarch.rpm
rubygem-thread_safe-doc-0.3.6-1.el7rhgs.noarch.rpm
rubygem-tilt-2.0.11-1.el7rhgs.noarch.rpm
rubygem-tilt-doc-2.0.11-1.el7rhgs.noarch.rpm
rubygem-tzinfo-1.2.10-1.el7rhgs.noarch.rpm
rubygem-tzinfo-doc-1.2.10-1.el7rhgs.noarch.rpm
rubygem-xmlrpc-0.2.1-94.el7rhgs.noarch.rpm
rubygems-2.6.14.4-94.el7rhgs.noarch.rpm
rubygems-devel-2.6.14.4-94.el7rhgs.noarch.rpm
x86_64:
grafana-5.2.4-6.el7rhgs.x86_64.rpm
ruby-2.4.9-94.el7rhgs.x86_64.rpm
ruby-debuginfo-2.4.9-94.el7rhgs.x86_64.rpm
ruby-devel-2.4.9-94.el7rhgs.x86_64.rpm
ruby-libs-2.4.9-94.el7rhgs.x86_64.rpm
rubygem-bcrypt-3.1.12-2.el7rhgs.x86_64.rpm
rubygem-bcrypt-debuginfo-3.1.12-2.el7rhgs.x86_64.rpm
rubygem-bigdecimal-1.3.2-94.el7rhgs.x86_64.rpm
rubygem-did_you_mean-1.1.0-94.el7rhgs.x86_64.rpm
rubygem-io-console-0.4.6-94.el7rhgs.x86_64.rpm
rubygem-json-2.0.4-94.el7rhgs.x86_64.rpm
rubygem-net-telnet-0.1.1-94.el7rhgs.x86_64.rpm
rubygem-nio4r-2.3.1-2.el7rhgs.x86_64.rpm
rubygem-nio4r-debuginfo-2.3.1-2.el7rhgs.x86_64.rpm
rubygem-openssl-2.0.9-94.el7rhgs.x86_64.rpm
rubygem-psych-2.2.2-94.el7rhgs.x86_64.rpm
rubygem-puma-4.3.12-1.el7rhgs.x86_64.rpm
rubygem-puma-debuginfo-4.3.12-1.el7rhgs.x86_64.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2022-24790
https://access.redhat.com/security/cve/CVE-2022-30122
https://access.redhat.com/security/cve/CVE-2022-30123
https://access.redhat.com/security/cve/CVE-2022-31129
https://access.redhat.com/security/cve/CVE-2022-31163
https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is [email protected]. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUBZCJbr9zjgjWX9erEAQjn5RAAoUF/k8EPq7iO9+x35TIISMUb+zNQON1F
iM5r74vbqDjgB7HjNBJptdMj25UA+gOqrzl2UfpWpw5QZlPpnr3nCEcHrq1qKHHt
IT7cZUWdvp1Gz+e0OtSPHDvmSlS/Wko1ElsH4i5SZayl+K9V7DJjShd0KJGpK9F4
grBeCjGqGr9Yl2QVAjrKLtWg4JGzbKO0WNJ+vs5XaN3SToCy534sIsRTkH2/JMcG
B9yQPQ0uQ6p6GBzPNWwReZngACEgEVIVwyFFVuEEbli7b5d5qzRCSFycrp8qqlGd
HGYVRXIk8pWnzq/Ex99Rv9ni3zQlwBkBWeQxko30NfTZAS5mS94n66+dJc6Ynxhr
yQo/WHGd4OlHlBt4d3HTLfgl0O9Fwz60B/o8MWHf+FkR/byxOiPbLPuNZekCXNEP
jVGnFw46osRgBjw2qerUuftnMLi9NY6+SoaEfRTjaQSxC+wv+9gUmgKkOSKgK3xr
ThraNkkupLwWNA+AsIQGlGwfPHKyAbP3qr6yCulFB4fKb9btOprq7b+cxGhZt5ql
R7NFlVZuMg6uTnb+YXAOoAsLzWQJpZiOXO8g3B3UhQcjqamgo/7Rr62n4kFDslfN
HDWP2/GJeYe7A3DlfRawVi5zAFa5HCSDdsZUjvFa67cwv/3H2jgnFg4kSBj6yb3P
dK9wE3y07no=
=kXpV
-----END PGP SIGNATURE-----
–
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce
Related news
Ubuntu Security Notice 7036-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.
Ubuntu Security Notice 6682-1 - ZeddYu Lu discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue only affected Ubuntu 20.04 LTS. It was discovered that Puma incorrectly handled parsing certain headers. A remote attacker could possibly use this issue to perform an HTTP Request Smuggling attack. This issue only affected Ubuntu 20.04 LTS.
Gentoo Linux Security Advisory 202310-18 - Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. Versions greater than or equal to 2.2.3.1 are affected.
Debian Linux Security Advisory 5530-1 - Several vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface, which may result in denial of service and shell escape sequence injection.
An authorization/sensitive information disclosure vulnerability was identified in GitHub Enterprise Server that allowed a fork to retain read access to an upstream repository after its visibility was changed to private. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.10.0 and was fixed in versions 3.9.4, 3.8.9, 3.7.16 and 3.6.18. This vulnerability was reported via the GitHub Bug Bounty program.
Red Hat Security Advisory 2023-3623-01 - Red Hat Ceph Storage is a scalable, open, software-defined storage platform that combines the most stable version of the Ceph storage system with a Ceph management platform, deployment utilities, and support services. These new packages include numerous enhancements and bug fixes. Issues addressed include cross site scripting and denial of service vulnerabilities.
Red Hat Security Advisory 2023-2097-03 - Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool. Issues addressed include code execution, cross site scripting, denial of service, deserialization, improper neutralization, information leakage, and remote shell upload vulnerabilities.
Ubuntu Security Notice 5896-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.
Ubuntu Security Notice 5896-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.
Red Hat Security Advisory 2023-0632-01 - Logging Subsystem 5.4.11 - Red Hat OpenShift.
An update is now available for the Logging subsystem for Red Hat OpenShift 5.4. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30123: A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. * CVE-2022-41717: A flaw was f...
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.
Red Hat Security Advisory 2022-8532-01 - Red Hat Satellite is a system management solution that allows organizations to configure and maintain their systems without the necessity to provide public Internet access to their servers or other client systems. It performs provisioning and configuration management of predefined standard operating environments. Issues addressed include a HTTP request smuggling vulnerability.
Updated Satellite 6.9 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-24790: puma-5.6.4: http request smuggling vulnerabilities
Red Hat Security Advisory 2022-7343-01 - The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities. Issues addressed include code execution and denial of service vulnerabilities.
An update for pcs is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2019-11358: jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection * CVE-2022-30123: rubygem-rack: crafted requests can cause shell escape sequences
Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30122: rubygem-rack: crafted multipart POST request may cause a DoS * CVE-2022-31163: rubygem-tzinfo: arbitrary code execution
Updated Satellite 6.11 packages that fix several bugs are now available for Red Hat Satellite.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-30122: rubygem-rack: crafted multipart POST request may cause a DoS * CVE-2022-31163: rubygem-tzinfo: arbitrary code execution
Red Hat Security Advisory 2022-7055-01 - An update is now available for Red Hat Openshift distributed tracing 2.6.0. Issues addressed include denial of service and traversal vulnerabilities.
Red Hat Security Advisory 2022-6813-01 - Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services. This asynchronous security patch is an update to Red Hat Process Automation Manager 7. Issues addressed include XML injection, bypass, denial of service, and traversal vulnerabilities.
Red Hat Security Advisory 2022-6507-01 - Red Hat Advanced Cluster Management for Kubernetes 2.5.2 images Red Hat Advanced Cluster Management for Kubernetes provides the capabilities to address common challenges that administrators and site reliability engineers face as they work across a range of public and private cloud environments. Clusters and applications are all visible and managed from a single console—with security policy built in. This advisory contains the container images for Red Hat Advanced Cluster Management for Kubernetes, which fix several bugs. Issues addressed include a denial of service vulnerability.
Multicluster Engine for Kubernetes 2.0.2 General Availability release images, which fix bugs and update container images. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS * CVE-2022-36067: vm2: Sandbox Escape in vm2
Red Hat Security Advisory 2022-6392-01 - The ovirt-host package consolidates host package requirements into a single meta package. Issues addressed include a denial of service vulnerability.
Red Hat Advanced Cluster Management for Kubernetes 2.3.12 General Availability release images, which provide security updates and bug fixes. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE links in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
Gentoo Linux Security Advisory 202208-28 - Multiple vulnerabilities have been discovered in Puma, the worst of which could result in denial of service. Versions less than 5.6.4 are affected.
Arvados is an open source platform for managing, processing, and sharing genomic and other large scientific and biomedical data. A remote code execution (RCE) vulnerability in the Arvados Workbench allows authenticated attackers to execute arbitrary code via specially crafted JSON payloads. This exists in all versions up to 2.4.1 and is fixed in 2.4.2. This vulnerability is specific to the Ruby on Rails Workbench application (“Workbench 1”). We do not believe any other Arvados components, including the TypesScript browser-based Workbench application (“Workbench 2”) or API Server, are vulnerable to this attack. For versions of Arvados earlier than 2.4.2: remove the Ruby-based "Workbench 1" app ("apt-get remove arvados-workbench") from your installation as a workaround.
Red Hat Security Advisory 2022-5913-01 - Red Hat Kiali for OpenShift Service Mesh is Red Hat's distribution of the Istio service mesh project, tailored for installation into an on-premise OpenShift Container Platform installation. This advisory covers containers for the release. Issues addressed include a denial of service vulnerability.
Red Hat Kiali for OpenShift Service Mesh 2.2 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
Red Hat Kiali for OpenShift Service Mesh 2.1 Containers Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
An update for openshift-istio-kiali-rhel8-container is now available for OpenShift Service Mesh 2.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-31129: moment: inefficient parsing algorithm resulting in DoS
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the ...
### Impact #### Affected versions - 0.3.60 and earlier. - 1.0.0 to 1.2.9 when used with the Ruby data source (tzinfo-data). #### Vulnerability With the Ruby data source (the tzinfo-data gem for tzinfo version 1.0.0 and later and built-in to earlier versions), time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, `TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby process. For example, with version 1.2.9, you can run the following to load a file with path `/tmp/payload.rb`: ```ruby TZInfo::Timezone.get("foo\n/../../../../../../../../../../../../../../../../tmp/payload") ``` The exact number of parent directory traversals needed will vary depending on the location of t...
There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122. Versions Affected: >= 1.2 Not affected: < 1.2 Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1 ## Impact Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this: ``` params = Rack::Multipart.parse_multipart(env) ``` But it also includes reading POST data from a Rack request object like this: ``` p request.POST # read POST data p request.params # reads both query params and POST data ``` All users running an affected release should either upgrade or use one of the workarounds immediately. ## Workarounds There are no feasible workarounds for this issue.
There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30123. Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1 ## Impact Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal. Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this: ``` use Rack::Lint ``` Or ``` use Rack::CommonLogger ``` All users running an affected release should either upgrade or use one of the workarounds immediately. ## Workarounds Remove these middleware from your application
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.