CVE-2022-27777
Cross-site Scripting vulnerability in actionview (RubyGems)
What is CVE-2022-27777 About?
This is a Cross-site Scripting (XSS) vulnerability in Action View tag helpers, affecting all versions of Rails before the fixed releases (7.0.2.4, 6.1.5.1, 6.0.4.8 and 5.2.7.1). The tag helpers HTML-escape attribute values, but attribute names derived from hash keys were rendered as-is, so untrusted input passed as a hash key can break out of the attribute name and inject further attributes or markup. Exploitation is moderately complex because it depends on the application passing untrusted data as hash keys, a specific coding pattern.
Affected Software
- actionview
- >=7.0.0, <7.0.2.4
- >=6.1.0, <6.1.5.1
- <5.2.7.1
- >=6.0.0, <6.0.4.8
Technical Details
The vulnerability, CVE-2022-27777, resides in the Action View tag helpers (`tag`, `content_tag` and the `tag.*` builder) across all affected Rails versions (before 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1). It is triggered when a developer passes untrusted, user-supplied data as a hash key for an HTML tag attribute, for example `tag.div(aria: { untrusted_input => "value" })` or `tag.div(data: { params[:name] => "value" })`. The helpers escape attribute values, but the key, which becomes the attribute name (`aria-...`, `data-...`, or the key itself for top-level options), was interpolated into the tag without escaping. A key containing whitespace, quotes, `=` or `>` therefore terminates the intended attribute name and lets the attacker append arbitrary attributes, such as an event handler, or further markup, which is then rendered as part of the page. The attack vector is simply supplying a crafted value that the application ends up using as a hash key.
What is the Impact of CVE-2022-27777?
Successful exploitation may allow attackers to inject malicious scripts into web pages, leading to session hijacking, defacement, or redirection to malicious sites.
What is the Exploitability of CVE-2022-27777?
Exploitation requires an application code pattern in which untrusted input (for example a request parameter) is used directly as a hash key passed to an Action View tag helper; attribute values were already escaped, so the bug is reachable only through keys. That requirement is why the exploitation complexity is rated moderate. No authentication is needed when the vulnerable helper call is in a public-facing page; otherwise the attacker needs whatever access that page requires. Privileges are low: the attacker only submits crafted input, remotely, in an ordinary web request, and a victim then has to load the rendered page. The risk is highest in applications that build tag attributes from user-supplied hashes without restricting the keys to a known set.
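As an added illustration of the pattern described in the Technical Details and Exploitability sections above (this is example code written for this page, not Action View's implementation or the Rails fix), the Ruby below models a tag helper that escapes attribute values but not attribute names taken from hash keys, beside a version that passes names through a simplified, ASCII-only stand-in for the `ERB::Util.xml_name_escape` helper that the fixed releases use for attribute names. The `TagHelperDemo` module, its method names, the attacker key and the allowlist are constructed for the example; it needs only Ruby's standard library.

```ruby
require "erb"

# Added example, not Action View's code: a minimal model of how tag helpers build
# attribute strings. escape_keys: false reproduces the pre-fix behaviour (values
# escaped, attribute names from hash keys interpolated raw); escape_keys: true
# runs every attribute name through an XML-name escaper, the approach the fixed
# releases take.
module TagHelperDemo
  module_function

  # Simplified ASCII stand-in for ERB::Util.xml_name_escape (assumption: the real
  # method also accepts the Unicode ranges XML allows in names). Any character that
  # cannot appear in an attribute name becomes "_", so a key can never end the
  # name and start a new attribute.
  def xml_name_escape(name)
    name = name.to_s
    return "" if name.empty?
    first = name[0].gsub(/[^A-Za-z_:]/, "_")
    rest  = name[1..-1].gsub(/[^A-Za-z0-9_:.\-]/, "_")
    first + rest
  end

  def attribute(name, value, escape_keys)
    name = xml_name_escape(name) if escape_keys
    %(#{name}="#{ERB::Util.html_escape(value)}") # values were always escaped
  end

  # data: { ... } and aria: { ... } hashes become prefixed attributes, with
  # underscores in the key dasherized, as the real helpers do.
  def tag_options(options, escape_keys:)
    options.flat_map do |key, value|
      if value.is_a?(Hash)
        value.map { |k, v| attribute("#{key}-#{k.to_s.tr('_', '-')}", v, escape_keys) }
      else
        [attribute(key.to_s, value, escape_keys)]
      end
    end.join(" ")
  end

  def content_tag(name, content, options, escape_keys:)
    "<#{name} #{tag_options(options, escape_keys: escape_keys)}>" \
      "#{ERB::Util.html_escape(content)}</#{name}>"
  end

  # Names of the attributes a browser would see on the first start tag, honouring
  # quoted values; used to check what the rendered markup actually exposes.
  def attribute_names(html)
    attrs = html[/\A<\w+\s+([^>]*)>/, 1] || ""
    attrs.scan(/([^\s=]+)(?:="[^"]*"|=[^\s"]*)?/).flatten
  end

  # Constructed attacker input: a request parameter that a vulnerable app uses as
  # a hash key, e.g. tag.div(data: { params[:key] => "bar" }). Hypothetical payload.
  UNTRUSTED_KEY = "x onmouseover=alert(1) y"

  def vulnerable_render
    content_tag("div", "hi", { data: { UNTRUSTED_KEY => "bar" } }, escape_keys: false)
  end

  def hardened_render
    content_tag("div", "hi", { data: { UNTRUSTED_KEY => "bar" } }, escape_keys: true)
  end

  # Application-side mitigation that does not depend on the gem version: request
  # data never chooses attribute names; it is mapped onto a fixed allowlist.
  ALLOWED_DATA_KEYS = %w[track-id category].freeze

  def allowlisted_data(params)
    params.select { |k, _| ALLOWED_DATA_KEYS.include?(k) }
  end
end

if $PROGRAM_NAME == __FILE__
  puts TagHelperDemo.vulnerable_render # onmouseover becomes a live attribute
  puts TagHelperDemo.hardened_render   # key neutralised into one harmless name
  p TagHelperDemo.attribute_names(TagHelperDemo.vulnerable_render)
end
```

Note that a quote in a value (`title: 'a" onmouseover="x'`) is escaped to `&quot;` in both modes and never yields a new attribute; only the key path is affected, which is why the upgrade matters for any code that lets request data pick attribute names, and why an allowlist on keys is a sound belt-and-braces control even after upgrading.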
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-27777?
Available Upgrade Options
- actionview
- <5.2.7.1 → Upgrade to 5.2.7.1
- actionview
- >=6.0.0, <6.0.4.8 → Upgrade to 6.0.4.8
- actionview
- >=6.1.0, <6.1.5.1 → Upgrade to 6.1.5.1
- actionview
- >=7.0.0, <7.0.2.4 → Upgrade to 7.0.2.4
Additional Resources
- https://www.debian.org/security/2023/dsa-5372
- https://discuss.rubyonrails.org/t/cve-2022-27777-possible-xss-vulnerability-in-action-view-tag-helpers/80534
- https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html
- https://github.com/rails/rails
- https://nvd.nist.gov/vuln/detail/CVE-2022-27777
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2022-27777.yml
- https://groups.google.com/g/ruby-security-ann/c/9wJPEDv-iRw
- https://rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
What are Similar Vulnerabilities to CVE-2022-27777?
Similar Vulnerabilities: CVE-2024-53989, CVE-2022-23519, CVE-2021-22927, CVE-2020-8166, CVE-2018-8048
