Tenderlove

**Name of the Vulnerable Software and Affected Versions** Rack versions 3.1.0 through 3.1.15 **Description** The issue is a denial of service vulnerability in the Content-Disposition parsing component of Rack. It can be triggered by carefully crafted input, causing the Content-Disposition header parsing to take an unexpected amount of time, which may result in a denial of service attack. This vulnerability affects applications that parse multipart posts using Rack, including virtually all Rails applications. **Recommendations** For Rack versions 3.1.0 through 3.1.15, update to version 3.1.16, which contains a patch for the vulnerability.

**Name of the Vulnerable Software and Affected Versions** Rack versions 2.0.0 through 2.2.6.3 Rack versions 3.0.0 through 3.0.6.0 **Description** The issue is related to the header parsing component of Rack, which can be exploited to cause a denial of service. This can happen when carefully crafted input causes the header parsing to take an unexpected amount of time. The vulnerability can be exploited remotely, potentially allowing an attacker to cause a denial of service. **Recommendations** For Rack versions 2.0.0 through 2.2.6.3, update to version 2.2.6.4 or later. For Rack versions 3.0.0 through 3.0.6.0, update to version 3.0.6.1 or later. As a temporary workaround, consider setting Regexp.timeout in Ruby 3.2 to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Rails versions prior to 7.0.2.2 Rails versions prior to 6.1.4.6 Rails versions prior to 6.0.4.6 Rails versions prior to 5.2.6.2 Puma versions prior to 5.6.2 Puma versions prior to 4.3.11 **Description** Action Pack is a framework for handling and responding to web requests. Under certain circumstances, response bodies will not be closed. In the event a response is not notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests, especially when interacting with `ActiveSupport::CurrentAttributes`. The combination of Puma not closing the body and Rails' Executor implementation causes information leakage. **Recommendations** For Rails versions prior to 7.0.2.2, upgrade to version 7.0.2.2 or later. For Rails versions prior to 6.1.4.6, upgrade to version 6.1.4.6 or later. For Rails versions prior to 6.0.4.6, upgrade to version 6.0.4.6 or later. For Rails versions prior to 5.2.6.2, upgrade to version 5.2.6.2 or later. For Puma versions prior to 5.6.2, upgrade to version 5.6.2 or later. For Puma versions prior to 4.3.11, upgrade to version 4.3.11 or later. As a temporary workaround, consider using the middleware described in GHSA-wh98-p28r-vrc9 to mitigate the issue. Alternatively, you can use the following middleware: ```ruby class GuardedExecutor < ActionDispatch::Executor def call(env) ensure completed! super end private def ensure completed! @executor.new.complete! if @executor.active? end end # Ensure the guard is inserted before ActionDispatch::Executor Rails.application.configure do config.middleware.swap ActionDispatch::Executor, GuardedExecutor, executor end ```

**Name of the Vulnerable Software and Affected Versions** rails-html-sanitizer gem versions prior to 1.0.3 Ruby on Rails versions 4.2.x and 5.x **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node. This is due to a vulnerability in the lib/rails/html/scrubbers.rb file in the rails-html-sanitizer gem. **Recommendations** For rails-html-sanitizer gem versions prior to 1.0.3, update to version 1.0.3 or later. For Ruby on Rails versions 4.2.x and 5.x, ensure the rails-html-sanitizer gem is updated to version 1.0.3 or later.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 2.3.x through 2.3.12 **Description** The issue allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header. This is due to a CRLF injection vulnerability in the actionpack/lib/action controller/response.rb file. **Recommendations** For Ruby on Rails versions 2.3.x through 2.3.12, update to version 2.3.13 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 2.x through 2.3.12 Ruby on Rails versions 3.0.x through 3.0.9 Ruby on Rails versions 3.1.x through 3.1.0.rc4 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a malformed Unicode string, related to a "UTF-8 escaping vulnerability" in the `activesupport/lib/active support/core ext/string/output safety.rb` file. This issue affects Ruby on Rails, enabling attackers to execute malicious scripts on user browsers. **Recommendations** For Ruby on Rails versions 2.x through 2.3.12, update to version 2.3.13 or later. For Ruby on Rails versions 3.0.x through 3.0.9, update to version 3.0.10 or later. For Ruby on Rails versions 3.1.x through 3.1.0.rc4, update to version 3.1.0.rc5 or later.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions prior to 2.3.13 Ruby on Rails versions 3.0.x prior to 3.0.10 Ruby on Rails versions 3.1.x prior to 3.1.0.rc5 **Description** The issue allows remote attackers to execute arbitrary SQL commands via a crafted column name, due to multiple SQL injection vulnerabilities in the `quote table name` method in the ActiveRecord adapters. **Recommendations** For versions prior to 2.3.13, update to version 2.3.13 or later. For versions 3.0.x prior to 3.0.10, update to version 3.0.10 or later. For versions 3.1.x prior to 3.1.0.rc5, update to version 3.1.0.rc5 or later.

**Name of the Vulnerable Software and Affected Versions** Ruby on Rails versions 3.0.x through 3.0.3 **Description** The issue allows remote attackers to conduct SQL injection attacks via a non-numeric argument to the limit function, as it does not ensure that arguments specify integer values. **Recommendations** For Ruby on Rails versions 3.0.x through 3.0.3, update to version 3.0.4 or later to resolve the issue.