DLA-3565-1

Source
https://storage.googleapis.com/debian-osv/dla-osv/DLA-3565-1.json
Published
2023-09-13T00:00:00Z
Modified
2023-09-13T16:15:20.954083Z
Details

Multiple vulnerabilities were discovered in Loofah, a Ruby library for HTML/XML transformation and sanitization. An attacker could launch cross-site scripting (XSS) and denial-of-service (DoS) attacks through crafted HTML/XML documents.

  • CVE-2022-23514: An inefficient regular expression is susceptible to excessive backtracking when sanitizing certain SVG attributes. This may lead to a denial of service through CPU resource consumption.
  • CVE-2022-23515: Cross-site scripting via the image/svg+xml media type in data URIs.
  • CVE-2022-23516: Loofah uses recursion to sanitize CDATA sections, making it susceptible to stack exhaustion and raising a SystemStackError exception. This may lead to a denial of service through CPU resource consumption.

For Debian 10 buster, these problems have been fixed in version 2.2.3-1+deb10u2.

We recommend that you upgrade your ruby-loofah packages.

For the detailed security status of ruby-loofah please refer to its security tracker page at: https://security-tracker.debian.org/tracker/ruby-loofah

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS

Affected packages

Debian:10 / ruby-loofah

Source Details

Package Name
ruby-loofah

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (the exact introduced commit is unknown)
Fixed
2.2.3-1+deb10u2

Affected versions

2.*

2.2.3-1
2.2.3-1+deb10u1