CVE-2023-28120
Vulnerability with new bytesplice method in activesupport (RubyGems)
What is CVE-2023-28120 About?
This vulnerability affects ActiveSupport when the `bytesplice` method is called on a `SafeBuffer` with untrusted user input, potentially leading to security bypasses. Ruby 3.2 introduced this new method, which ActiveSupport did not recognize as a mutating operation, thus failing to mark the buffer as no longer `html_safe`. Exploitation requires specific Ruby versions and interaction with `SafeBuffer` instances.
Affected Software
- activesupport
  - >=7.0.0, <7.0.4.3
  - <6.1.7.3
Technical Details
The vulnerability exists in ActiveSupport for Ruby versions 3.2 and higher, specifically concerning the new bytesplice method. ActiveSupport uses the SafeBuffer subclass to designate strings that have been sanitized and are considered safe for rendering as HTML (html_safe). The security mechanism dictates that if a SafeBuffer undergoes any mutation, its html_safe status should be revoked to prevent malicious content from being inadvertently rendered. Ruby 3.2 introduced the bytesplice method, which modifies a string in-place. However, ActiveSupport's SafeBuffer implementation was not updated to recognize bytesplice as a mutating operation, leading to a failure to clear the html_safe flag. Consequently, if bytesplice is called on a SafeBuffer containing or incorporating untrusted user input, the buffer might retain its html_safe status even though its content could now be unsafe, potentially leading to XSS or other injection attacks upon rendering.
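The contract described above, modelled in a small stand-in class (an added example, not ActiveSupport's own code): a SafeBuffer-like string escapes anything inserted through its overridden mutators, but Ruby 3.2's `String#bytesplice` is a byte-based `[]=` that the original buffer never overrode, so untrusted markup lands in the buffer while it still reports `html_safe?`. `DemoSafeBuffer`, `HardenedSafeBuffer`, `splice_untrusted` and the sample input are assumptions for this example; the hardened override mirrors the shape of the upstream fix rather than copying it.

```ruby
require "cgi"

# Minimal stand-in for ActiveSupport::SafeBuffer (an assumption for this
# example, not the real class). The buffer reports itself html_safe, and every
# mutating method that inserts content must escape what it inserts.
class DemoSafeBuffer < String
  def html_safe?
    true
  end

  # Character-based splice: the inserted value is escaped first.
  def []=(*args, value)
    super(*args, escape(value))
  end

  private

  def escape(value)
    value.respond_to?(:html_safe?) && value.html_safe? ? value : CGI.escapeHTML(value.to_s)
  end
end

# Hardened variant: Ruby 3.2's String#bytesplice is a byte-based []= and gets
# the same escaping wrapper (modelled on the upstream fix, not copied from it).
class HardenedSafeBuffer < DemoSafeBuffer
  if String.method_defined?(:bytesplice)
    def bytesplice(*args, value)
      super(*args, escape(value))
    end
  end
end

# Splices untrusted text over "hello" with bytesplice and returns
# [rendered string, html_safe flag]; nil when this Ruby has no String#bytesplice.
def splice_untrusted(klass, untrusted)
  return nil unless String.method_defined?(:bytesplice)
  buf = klass.new("<p>hello</p>")
  buf.bytesplice(3, 5, untrusted)
  [buf.to_s, buf.html_safe?]
end

UNTRUSTED = "<b>untrusted</b>"   # constructed sample of user-controlled input

if __FILE__ == $PROGRAM_NAME
  p splice_untrusted(DemoSafeBuffer, UNTRUSTED)      # raw markup kept, still html_safe
  p splice_untrusted(HardenedSafeBuffer, UNTRUSTED)  # markup escaped
end
```

On a Ruby older than 3.2 `splice_untrusted` returns nil, because the method the advisory concerns does not exist there; the `[]=` path shows the escaping contract on any version.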
What is the Impact of CVE-2023-28120?
Successful exploitation may allow attackers to bypass HTML sanitization, potentially leading to Cross-Site Scripting (XSS) or other content injection vulnerabilities if altered `SafeBuffer` content is rendered.
What is the Exploitability of CVE-2023-28120?
Exploitation complexity is moderate, as it requires the application to use Ruby 3.2+, ActiveSupport, and specifically call bytesplice on a SafeBuffer instance with user-controlled input. No specific authentication is required if the attacker can submit data that the application then processes in this vulnerable manner. Privilege requirements are typically those of a user interacting with the application. This can be a remote vulnerability if the application accepts untrusted data and uses bytesplice in the described context. The special condition is the specific Ruby version (3.2+) and the use of bytesplice. Risk factors are increased if applications handle user-provided content and use bytesplice on SafeBuffers, particularly in content management systems or applications allowing rich text input.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-28120?
Available Upgrade Options
- activesupport
  - <6.1.7.3 → Upgrade to 6.1.7.3
  - >=7.0.0, <7.0.4.3 → Upgrade to 7.0.4.3
Additional Resources
- https://github.com/rails/rails/commit/3cf23c3f891e2e81c977ea4ab83b62bc2a444b70
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UPV6PVCX4VDJHLFFT42EXBBSGAWZICOW/
- https://www.debian.org/security/2023/dsa-5389
- https://nvd.nist.gov/vuln/detail/CVE-2023-28120
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZE5W4MH6IE4DV7GELDK6ISCSTFLHKSYO
- https://discuss.rubyonrails.org/t/cve-2023-28120-possible-xss-security-vulnerability-in-safebuffer-bytesplice/82469
- https://security.netapp.com/advisory/ntap-20240202-0006/
- https://osv.dev/vulnerability/GHSA-pj73-v5mw-pm9j
What are Similar Vulnerabilities to CVE-2023-28120?
Similar Vulnerabilities: CVE-2022-32224, CVE-2022-23633, CVE-2021-22927, CVE-2021-22942, CVE-2020-8164
