Updated advisory posts against rubysec/ruby-advisory-db@df41005

flavorjones · RubySec CI · commit 7920e992bb81 · 2026-05-12T14:34:34.000Z
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33167.md b/advisories/_posts/2026-03-23-CVE-2026-33167.md
@@ -0,0 +1,36 @@
+---
+layout: advisory
+title: 'CVE-2026-33167 (actionpack): Rails has a possible XSS vulnerability in its
+  Action Pack debug exceptions'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2026-33167
+  ghsa: pgm4-439c-5jp6
+  url: https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
+  title: Rails has a possible XSS vulnerability in its Action Pack debug exceptions
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    The debug exceptions page does not properly escape exception messages.
+    A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS.
+    This affects applications with detailed exception pages enabled (`config.consider_all_requests_local = true`),
+    which is the default in development.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  unaffected_versions:
+  - "< 8.1.0"
+  patched_versions:
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-pgm4-439c-5jp6
+    - https://github.com/rails/rails/commit/6752711c8c31d79ba50d13af6a6698a3b85415e0
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-pgm4-439c-5jp6
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33168.md b/advisories/_posts/2026-03-23-CVE-2026-33168.md
@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2026-33168 (actionview): Rails has a possible XSS vulnerability in its
+  Action View tag helpers'
+comments: false
+categories:
+- actionview
+- rails
+advisory:
+  gem: actionview
+  framework: rails
+  cve: 2026-33168
+  ghsa: v55j-83pf-r9cq
+  url: https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
+  title: Rails has a possible XSS vulnerability in its Action View tag helpers
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    When a blank string is used as an HTML attribute name in Action View tag helpers,
+    the attribute escaping is bypassed, producing malformed HTML.
+    A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name,
+    possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-v55j-83pf-r9cq
+    - https://github.com/rails/rails/commit/0b6f8002b52b9c606fd6be9e7915d9f944cf539c
+    - https://github.com/rails/rails/commit/63f5ad83edaa0b976f82d46988d745426aa4a42d
+    - https://github.com/rails/rails/commit/c79a07df1e88738df8f68cb0ee759ad6128ca924
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-v55j-83pf-r9cq
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33169.md b/advisories/_posts/2026-03-23-CVE-2026-33169.md
@@ -0,0 +1,38 @@
+---
+layout: advisory
+title: 'CVE-2026-33169 (activesupport): Rails Active Support has a possible ReDoS
+  vulnerability in number_to_delimited'
+comments: false
+categories:
+- activesupport
+- rails
+advisory:
+  gem: activesupport
+  framework: rails
+  cve: 2026-33169
+  ghsa: cg4j-q9v8-6v38
+  url: https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
+  title: Rails Active Support has a possible ReDoS vulnerability in number_to_delimited
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    `NumberToDelimitedConverter` used a regular expression with `gsub!` to insert thousands delimiters.
+    This could produce quadratic time complexity on long digit strings.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-cg4j-q9v8-6v38
+    - https://github.com/rails/rails/commit/29154f1097da13d48fdb3200760b3e3da66dcb11
+    - https://github.com/rails/rails/commit/b54a4b373c6f042cab6ee2033246b1c9ecc38974
+    - https://github.com/rails/rails/commit/ec1a0e215efd27a3b3911aae6df978a80f456a49
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-cg4j-q9v8-6v38
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33170.md b/advisories/_posts/2026-03-23-CVE-2026-33170.md
@@ -0,0 +1,39 @@
+---
+layout: advisory
+title: 'CVE-2026-33170 (activesupport): Rails Active Support has a possible XSS vulnerability
+  in SafeBuffer#%'
+comments: false
+categories:
+- activesupport
+- rails
+advisory:
+  gem: activesupport
+  framework: rails
+  cve: 2026-33170
+  ghsa: 89vf-4333-qx8v
+  url: https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
+  title: Rails Active Support has a possible XSS vulnerability in SafeBuffer#%
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    `SafeBuffer#%` does not propagate the `@html_unsafe` flag to the newly created buffer.
+    If a `SafeBuffer` is mutated in place (e.g. via `gsub!`) and then formatted with `%` using untrusted arguments,
+    the result incorrectly reports `html_safe? == true`, bypassing ERB auto-escaping and possibly leading to XSS.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-89vf-4333-qx8v
+    - https://github.com/rails/rails/commit/50d732af3b7c8aaf63cbcca0becbc00279b215b7
+    - https://github.com/rails/rails/commit/6e8a81108001d58043de9e54a06fca58962fc2db
+    - https://github.com/rails/rails/commit/c1ad0e8e1972032f3395853a5e99cea035035beb
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-89vf-4333-qx8v
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33173.md b/advisories/_posts/2026-03-23-CVE-2026-33173.md
@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2026-33173 (activestorage): Rails Active Storage has possible content
+  type bypass via metadata in direct uploads'
+comments: false
+categories:
+- activestorage
+- rails
+advisory:
+  gem: activestorage
+  framework: rails
+  cve: 2026-33173
+  ghsa: qcfx-2mfw-w4cg
+  url: https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
+  title: Rails Active Storage has possible content type bypass via metadata in direct
+    uploads
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    Active Storage's `DirectUploadsController` accepts arbitrary metadata from the client and persists it on the blob.
+    Because internal flags like `identified` and `analyzed` are stored in the same metadata hash,
+    a malicious direct-upload client could set these flags.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-qcfx-2mfw-w4cg
+    - https://github.com/rails/rails/commit/707c0f1f41f067fdf96d54e99d43b28dfaae7e53
+    - https://github.com/rails/rails/commit/8fcb934caadc79c8cc4ce53287046d0f67005b3e
+    - https://github.com/rails/rails/commit/d9502f5214e2198245a4c1defe9cd02a7c8057d0
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-qcfx-2mfw-w4cg
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33174.md b/advisories/_posts/2026-03-23-CVE-2026-33174.md
@@ -0,0 +1,41 @@
+---
+layout: advisory
+title: 'CVE-2026-33174 (activestorage): Rails Active Storage has a possible DoS vulnerability
+  when in proxy mode via Range requests'
+comments: false
+categories:
+- activestorage
+- rails
+advisory:
+  gem: activestorage
+  framework: rails
+  cve: 2026-33174
+  ghsa: r46p-8f7g-vvvg
+  url: https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
+  title: Rails Active Storage has a possible DoS vulnerability when in proxy mode
+    via Range requests
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    When serving files through Active Storage's `Blobs::ProxyController`,
+    the controller loads the entire requested byte range into memory before sending it.
+    A request with a large or unbounded Range header (e.g. `bytes=0-`) could cause the server
+    to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-r46p-8f7g-vvvg
+    - https://github.com/rails/rails/commit/2cd933c366b777f873d4d590127da2f4a25e4ba5
+    - https://github.com/rails/rails/commit/42012eaaa88dfc7d0030161b2bc8074a7bbce92a
+    - https://github.com/rails/rails/commit/8159a9c3de3f27a2bcf2866b8bf9ceb9075e229b
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-r46p-8f7g-vvvg
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33176.md b/advisories/_posts/2026-03-23-CVE-2026-33176.md
@@ -0,0 +1,40 @@
+---
+layout: advisory
+title: 'CVE-2026-33176 (activesupport): Rails Active Support has a possible DoS vulnerability
+  in its number helpers'
+comments: false
+categories:
+- activesupport
+- rails
+advisory:
+  gem: activesupport
+  framework: rails
+  cve: 2026-33176
+  ghsa: 2j26-frm8-cmj9
+  url: https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
+  title: Rails Active Support has a possible DoS vulnerability in its number helpers
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    Active Support number helpers accept strings containing scientific notation (e.g. `1e10000`),
+    which when converted to a string could be expanded into extremely large decimal representations.
+    This can cause excessive memory allocation and CPU consumption when the expanded number is formatted,
+    possibly resulting in a DoS vulnerability.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-2j26-frm8-cmj9
+    - https://github.com/rails/rails/commit/19dbab51ca086a657bb86458042bc44314916bcb
+    - https://github.com/rails/rails/commit/ebd6be18120d1136511eb516338e27af25ac0a1a
+    - https://github.com/rails/rails/commit/ee2c59e730e5b8faed502cd2c573109df093f856
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-2j26-frm8-cmj9
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33195.md b/advisories/_posts/2026-03-23-CVE-2026-33195.md
@@ -0,0 +1,42 @@
+---
+layout: advisory
+title: 'CVE-2026-33195 (activestorage): Rails Active Storage has possible Path Traversal
+  in DiskService'
+comments: false
+categories:
+- activestorage
+- rails
+advisory:
+  gem: activestorage
+  framework: rails
+  cve: 2026-33195
+  ghsa: 9xrj-h377-fr87
+  url: https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
+  title: Rails Active Storage has possible Path Traversal in DiskService
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    Active Storage's `DiskService#path_for` does not validate that the
+    resolved filesystem path remains within the storage root directory.
+    If a blob key containing path traversal sequences (e.g. `../`) is used,
+    it could allow reading, writing, or deleting arbitrary files on the server.
+    Blob keys are expected to be trusted strings,
+    but some applications could be passing user input as keys and would be affected.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-9xrj-h377-fr87
+    - https://github.com/rails/rails/commit/4933c1e3b8c1bb04925d60347be9f69270392f2c
+    - https://github.com/rails/rails/commit/9b06fbc0f504b8afe333f33d19548f3b85fbe655
+    - https://github.com/rails/rails/commit/a290c8a1ec189d793aa6d7f2570b6a763f675348
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+    - https://github.com/advisories/GHSA-9xrj-h377-fr87
+---
diff --git a/advisories/_posts/2026-03-23-CVE-2026-33202.md b/advisories/_posts/2026-03-23-CVE-2026-33202.md
@@ -0,0 +1,38 @@
+---
+layout: advisory
+title: 'CVE-2026-33202 (activestorage): Rails Active Storage has possible glob injection
+  in its DiskService'
+comments: false
+categories:
+- activestorage
+- rails
+advisory:
+  gem: activestorage
+  framework: rails
+  cve: 2026-33202
+  ghsa: 73f9-jhhh-hr5m
+  url: https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
+  title: Rails Active Storage has possible glob injection in its DiskService
+  date: 2026-03-23
+  description: |-
+    ### Impact
+    Active Storage's `DiskService#delete_prefixed` passes blob keys directly to `Dir.glob` without escaping glob metacharacters.
+    If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters,
+    it may be possible to delete unintended files from the storage directory.
+
+    ### Releases
+    The fixed releases are available at the normal locations.
+  patched_versions:
+  - "~> 7.2.3, >= 7.2.3.1"
+  - "~> 8.0.4, >= 8.0.4.1"
+  - ">= 8.1.2.1"
+  related:
+    url:
+    - https://github.com/rails/rails/security/advisories/GHSA-73f9-jhhh-hr5m
+    - https://github.com/rails/rails/commit/8c9676b803820110548cdb7523800db43bc6874c
+    - https://github.com/rails/rails/commit/955284d26e469a9c026a4eee5b21f0414ab0bccf
+    - https://github.com/rails/rails/commit/fa19073546360856e9f4dab221fc2c5d73a45e82
+    - https://github.com/rails/rails/releases/tag/v7.2.3.1
+    - https://github.com/rails/rails/releases/tag/v8.0.4.1
+    - https://github.com/rails/rails/releases/tag/v8.1.2.1
+---
