Added CVE-2023-28362 for the actionpack gem.

postmodern · postmodern · commit de31578fa426 · 2023-06-26T17:16:16.000-07:00
diff --git a/gems/actionpack/CVE-2023-28362.yml b/gems/actionpack/CVE-2023-28362.yml
@@ -0,0 +1,34 @@
+---
+gem: actionpack
+framework: rails
+cve: 2023-28362
+url: https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
+title: Possible XSS via User Supplied Values to redirect_to
+date: 2023-06-26
+description: |
+  The redirect_to method in Rails allows provided values to contain characters
+  which are not legal in an HTTP header value. This results in the potential for
+  downstream services which enforce RFC compliance on HTTP response headers to
+  remove the assigned Location header. This vulnerability has been assigned the
+  CVE identifier CVE-2023-28362.
+
+  Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
+
+  # Impact
+  
+  This introduces the potential for a Cross-site-scripting (XSS) payload to be
+  delivered on the now static redirection page. Note that this both requires
+  user interaction and for a Rails app to be configured to allow redirects to
+  external hosts (defaults to false in Rails >= 7.0.x).
+
+  # Releases
+
+  The FIXED releases are available at the normal locations.
+
+  # Workarounds
+  
+  Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
+  method.
+patched_versions:
+  - "~> 6.1.7.4"
+  - ">= 7.0.5.1"
