Jhawthorn

**Name of the Vulnerable Software and Affected Versions** Rails versions prior to 8.1.2.1 Rails versions prior to 8.0.4.1 Rails versions prior to 7.2.3.1 **Description** Action View tag helpers are susceptible to an issue where attribute escaping is bypassed when a blank string is used as an HTML attribute name, resulting in malformed HTML. A specially crafted attribute value could be misinterpreted by the browser as a separate attribute name, potentially leading to cross-site scripting (XSS). Applications that permit users to define custom HTML attributes are at risk. **Recommendations** Update to Rails version 8.1.2.1 or later. Update to Rails version 8.0.4.1 or later. Update to Rails version 7.2.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Active Support versions prior to 8.1.2.1 Active Support versions prior to 8.0.4.1 Active Support versions prior to 7.2.3.1 **Description** The `NumberToDelimitedConverter` component utilizes a regular expression with `gsub!` to insert thousands delimiters. The interaction between a repeated lookahead group and `gsub!` can result in quadratic time complexity when processing long digit strings. This can potentially stall Ruby on Rails applications. **Recommendations** Upgrade to Active Support version 8.1.2.1. Upgrade to Active Support version 8.0.4.1. Upgrade to Active Support version 7.2.3.1.

**Name of the Vulnerable Software and Affected Versions** Active Support versions prior to 8.1.2.1 Active Support versions prior to 8.0.4.1 Active Support versions prior to 7.2.3.1 **Description** Active Support number helpers are susceptible to a denial-of-service condition. The number helpers accept strings containing scientific notation, such as `1e10000`, which are expanded into extremely large decimal representations by `BigDecimal`. This expansion can lead to excessive memory allocation and CPU usage during formatting, potentially causing a DoS. **Recommendations** Update to Active Support version 8.1.2.1 or later. Update to Active Support version 8.0.4.1 or later. Update to Active Support version 7.2.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Rails versions prior to 8.1.2.1 Rails versions prior to 8.0.4.1 Rails versions prior to 7.2.3.1 **Description** Active Storage enables users to attach cloud and local files within Rails applications. A flaw exists in the `DiskService#delete prefixed` function where blob keys are passed directly to `Dir.glob` without proper escaping of glob metacharacters. This can lead to the deletion of unintended files from the storage directory if a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters. **Recommendations** Update to Rails version 8.1.2.1 or later. Update to Rails version 8.0.4.1 or later. Update to Rails version 7.2.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** Action Pack versions 5.2.0 through 7.0.8.6 Action Pack versions 7.0.8.7 through 7.1.5.0 Action Pack versions 7.1.5.1 through 7.2.2.0 Action Pack versions 7.2.2.1 through 8.0.0.0 **Description** The issue is related to the `content security policy` helper in Action Pack, which may allow an attacker to conduct Cross Site Scripting (XSS) attacks by injecting new directives into the Content-Security-Policy (CSP) headers. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Applications that set CSP headers dynamically from untrusted user input may be vulnerable. **Recommendations** For Action Pack versions 5.2.0 through 7.0.8.6, update to version 7.0.8.7 or later. For Action Pack versions 7.0.8.7 through 7.1.5.0, update to version 7.1.5.1 or later. For Action Pack versions 7.1.5.1 through 7.2.2.0, update to version 7.2.2.1 or later. For Action Pack versions 7.2.2.1 through 8.0.0.0, update to version 8.0.0.1 or later. As a temporary workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

**Name of the Vulnerable Software and Affected Versions** yajl-ruby versions 1.x through 2.x **Description** The issue is related to an integer overflow in the yajl-ruby library, which leads to heap memory corruption when dealing with large inputs (~2GB). The reallocation logic at `yajl buf.c#L64` may result in the `need` 32bit integer wrapping to 0, causing a reallocation of `buf->alloc` into a small heap chunk. This vulnerability mostly impacts process availability, and maintainers believe exploitation for arbitrary code execution is unlikely. **Recommendations** For yajl-ruby versions 1.x through 2.x, update to version 1.4.3 to resolve the issue. As a temporary workaround, avoid passing large inputs to YAJL.