Loofah is a general library for manipulating and transforming HTML/XML
documents and fragments. It's built on top of Nokogiri and libxml2, so
it's fast and has a nice API.
Loofah excels at HTML sanitization (XSS prevention). It includes some
nice HTML sanitizers, which are based on HTML5lib's whitelist, so it
most likely won't make your codes less secure. (These statements have
not been evaluated by Netexperts.)
ActiveRecord extensions for sanitization are available in the
`loofah-activerecord` gem (see
https://github.com/flavorjones/loofah-activerecord).
CVE-2018-8048 - Medium Severity Vulnerability
Vulnerable Library - loofah-2.1.1.gem
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments. It's built on top of Nokogiri and libxml2, so it's fast and has a nice API. Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's whitelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.) ActiveRecord extensions for sanitization are available in the `loofah-activerecord` gem (see https://github.com/flavorjones/loofah-activerecord).
Library home page: https://rubygems.org/gems/loofah-2.1.1.gem
Path to dependency file: /chaltron/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/loofah-2.1.1.gem
Dependency Hierarchy: - factory_bot_rails-4.8.2.gem (Root Library) - railties-5.1.4.gem - actionpack-5.1.4.gem - actionview-5.1.4.gem - rails-html-sanitizer-1.0.3.gem - :x: **loofah-2.1.1.gem** (Vulnerable Library)
Found in HEAD commit: 1a064cdc3927fccfa0d178d4932613686897f05c
Vulnerability Details
In the Loofah gem through 2.2.0 for Ruby, non-whitelisted HTML attributes may occur in sanitized output by republishing a crafted HTML fragment.
Publish Date: 2018-03-27
URL: CVE-2018-8048
CVSS 3 Score Details (6.1)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Change files
Origin: https://github.com/flavorjones/loofah/commit/f739cf8eac5851f328b8044281d6653f74eff116
Release Date: 2018-03-15
Fix Resolution: Replace or update the following files: scrub.rb, test_ad_hoc.rb, loofah.rb, libxml2_workarounds.rb
Step up your Open Source Security Game with WhiteSource here