製品・ソフトウェアに関する情報

JVN脆弱性詳細

Ruby on Rails 用 rails-html-sanitizer gem におけるクロスサイトスクリプティングの脆弱性

Title	Ruby on Rails 用 rails-html-sanitizer gem におけるクロスサイトスクリプティングの脆弱性
Summary	Ruby on Rails 用 rails-html-sanitizer gem には、クロスサイトスクリプティングの脆弱性が存在します。
Possible impacts	第三者により、巧妙に細工されたタグの属性を介して、任意の Web スクリプトまたは HTML を挿入される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 26, 2015, midnight
Registration Date	March 4, 2016, 3:45 p.m.
Last Update	March 4, 2016, 3:45 p.m.

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

Ruby on Rails project

Rails 4.2.x

Rails 5.x

Rails 4.2.x

Rails 5.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-7578	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7578
2	CVE-2015-7578	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7578
National Vulnerability Database (NVD)
3	CVE-2015-7578	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7578
4	CVE-2015-7578	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7578

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html
2	CWE-79	https://jvndb.jvn.jp/ja/cwe/CWE-79.html

ベンダー情報

No	Name	URL
GitHub
1	Define a less permissive list of tags and attributes	https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
2	Define a less permissive list of tags and attributes	https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
Google Groups
3	[CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ
4	[CVE-2015-7578] Possible XSS vulnerability in rails-html-sanitizer	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ

Change Log

No	Changed Details	Date of change
0	[2016年03月04日] 掲載	Feb. 17, 2018, 10:37 a.m.
0	[2016年03月04日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2015-7578

Summary	Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.
Publication Date	Feb. 16, 2016, 11:59 a.m.
Registration Date	Jan. 26, 2021, 2:56 p.m.
Last Update	Nov. 21, 2024, 11:37 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:rubyonrails:html_sanitizer::::::ruby::*			1.0.2
execution environment
1	cpe:2.3:a:rubyonrails:rails:4.2.0:beta1::::::
2	cpe:2.3:a:rubyonrails:rails:4.2.0:beta2::::::
3	cpe:2.3:a:rubyonrails:rails:4.2.0:beta3::::::
4	cpe:2.3:a:rubyonrails:rails:4.2.0:beta4::::::
5	cpe:2.3:a:rubyonrails:rails:4.2.0:rc1::::::
6	cpe:2.3:a:rubyonrails:rails:4.2.0:rc2::::::
7	cpe:2.3:a:rubyonrails:rails:4.2.0:rc3::::::
8	cpe:2.3:a:rubyonrails:rails:4.2.0:::::::*
9	cpe:2.3:a:rubyonrails:rails:4.2.1:rc1::::::
10	cpe:2.3:a:rubyonrails:rails:4.2.1:rc2::::::
11	cpe:2.3:a:rubyonrails:rails:4.2.1:rc3::::::
12	cpe:2.3:a:rubyonrails:rails:4.2.1:::::::*
13	cpe:2.3:a:rubyonrails:rails:4.2.1:rc4::::::
14	cpe:2.3:a:rubyonrails:rails:4.2.2:::::::*
15	cpe:2.3:a:rubyonrails:rails:4.2.3:rc1::::::
16	cpe:2.3:a:rubyonrails:rails:4.2.3:::::::*
17	cpe:2.3:a:rubyonrails:rails:4.2.4:::::::*
18	cpe:2.3:a:rubyonrails:rails:4.2.4:rc1::::::
19	cpe:2.3:a:rubyonrails:rails:4.2.5:rc1::::::
20	cpe:2.3:a:rubyonrails:rails:4.2.5:rc2::::::
21	cpe:2.3:a:rubyonrails:rails:4.2.5:::::::*
22	cpe:2.3:a:rubyonrails:rails:4.2.5.1:::::::*
23	cpe:2.3:a:rubyonrails:rails:4.2.5.2:::::::*
24	cpe:2.3:a:rubyonrails:rails:4.2.6:rc1::::::
25	cpe:2.3:a:rubyonrails:rails:5.0.0:beta1::::::
26	cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1::::::
27	cpe:2.3:a:rubyonrails:rails:5.0.0:beta2::::::
28	cpe:2.3:a:rubyonrails:rails:5.0.0:beta3::::::

Related information, measures and tools

No	URL	refsource	タグ
1	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
2	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178046.html
3	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
4	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178064.html
5	http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
6	http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00014.html
7	http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
8	http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00024.html
9	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
10	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
11	http://www.openwall.com/lists/oss-security/2016/01/25/11
12	http://www.openwall.com/lists/oss-security/2016/01/25/11
13	http://www.securitytracker.com/id/1034816
14	http://www.securitytracker.com/id/1034816
15	https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
16	https://github.com/rails/rails-html-sanitizer/commit/297161e29a3e11186ce4c02bf7defc088bf544d4
17	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ
18	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/uh--W4TDwmI/ygHE7hlZEgAJ

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-79	クロスサイト・スクリプティング（XSS）	https://cwe.mitre.org/data/definitions/79.html

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:rubyonrails:html_sanitizer::::::ruby::*			1.0.2
execution environment
1	cpe:2.3:a:rubyonrails:rails:4.2.0:beta1::::::
2	cpe:2.3:a:rubyonrails:rails:4.2.0:beta2::::::
3	cpe:2.3:a:rubyonrails:rails:4.2.0:beta3::::::
4	cpe:2.3:a:rubyonrails:rails:4.2.0:beta4::::::
5	cpe:2.3:a:rubyonrails:rails:4.2.0:rc1::::::
6	cpe:2.3:a:rubyonrails:rails:4.2.0:rc2::::::
7	cpe:2.3:a:rubyonrails:rails:4.2.0:rc3::::::
8	cpe:2.3:a:rubyonrails:rails:4.2.0:::::::*
9	cpe:2.3:a:rubyonrails:rails:4.2.1:rc1::::::
10	cpe:2.3:a:rubyonrails:rails:4.2.1:rc2::::::
11	cpe:2.3:a:rubyonrails:rails:4.2.1:rc3::::::
12	cpe:2.3:a:rubyonrails:rails:4.2.1:::::::*
13	cpe:2.3:a:rubyonrails:rails:4.2.1:rc4::::::
14	cpe:2.3:a:rubyonrails:rails:4.2.2:::::::*
15	cpe:2.3:a:rubyonrails:rails:4.2.3:rc1::::::
16	cpe:2.3:a:rubyonrails:rails:4.2.3:::::::*
17	cpe:2.3:a:rubyonrails:rails:4.2.4:::::::*
18	cpe:2.3:a:rubyonrails:rails:4.2.4:rc1::::::
19	cpe:2.3:a:rubyonrails:rails:4.2.5:rc1::::::
20	cpe:2.3:a:rubyonrails:rails:4.2.5:rc2::::::
21	cpe:2.3:a:rubyonrails:rails:4.2.5:::::::*
22	cpe:2.3:a:rubyonrails:rails:4.2.5.1:::::::*
23	cpe:2.3:a:rubyonrails:rails:4.2.5.2:::::::*
24	cpe:2.3:a:rubyonrails:rails:4.2.6:rc1::::::
25	cpe:2.3:a:rubyonrails:rails:5.0.0:beta1::::::
26	cpe:2.3:a:rubyonrails:rails:5.0.0:beta1.1::::::
27	cpe:2.3:a:rubyonrails:rails:5.0.0:beta2::::::
28	cpe:2.3:a:rubyonrails:rails:5.0.0:beta3::::::