Source: rails
Version: 2:7.2.3+dfsg-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for rails.

CVE-2026-33168[0]:
| Action View provides conventions and helpers for building web pages
| with the Rails framework. Prior to versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1, when a blank string is used as an HTML attribute name in
| Action View tag helpers, the attribute escaping is bypassed,
| producing malformed HTML. A carefully crafted attribute value could
| then be misinterpreted by the browser as a separate attribute name,
| possibly leading to XSS. Applications that allow users to specify
| custom HTML attributes are affected. Versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1 contain a patch.

CVE-2026-33169[1]:
| Active Support is a toolkit of support libraries and Ruby core
| extensions extracted from the Rails framework.
| `NumberToDelimitedConverter` uses a lookahead-based regular
| expression with `gsub!` to insert thousands delimiters. Prior to
| versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, the interaction between the
| repeated lookahead group and `gsub!` can produce quadratic time
| complexity on long digit strings. Versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1 contain a patch.

CVE-2026-33170[2]:
| Active Support is a toolkit of support libraries and Ruby core
| extensions extracted from the Rails framework. Prior to versions
| 8.1.2.1, 8.0.4.1, and 7.2.3.1, `SafeBuffer#%` does not propagate the
| `@html_unsafe` flag to the newly created buffer. If a `SafeBuffer`
| is mutated in place (e.g. via `gsub!`) and then formatted with `%`
| using untrusted arguments, the result incorrectly reports
| `html_safe? == true`, bypassing ERB auto-escaping and possibly
| leading to XSS. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a
| patch.

CVE-2026-33173[3]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,
| `DirectUploadsController` accepts arbitrary metadata from the client
| and persists it on the blob. Because internal flags like
| `identified` and `analyzed` are stored in the same metadata hash, a
| direct-upload client can set these flags to skip MIME detection and
| analysis. This allows an attacker to upload arbitrary content while
| claiming a safe `content_type`, bypassing any validations that rely
| on Active Storage's automatic content type identification. Versions
| 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVE-2026-33174[4]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, when
| serving files through Active Storage's proxy delivery mode, the
| proxy controller loads the entire requested byte range into memory
| before sending it. A request with a large or unbounded Range header
| (e.g. `bytes=0-`) could cause the server to allocate memory
| proportional to the file size, possibly resulting in a DoS
| vulnerability through memory exhaustion. Versions 8.1.2.1, 8.0.4.1,
| and 7.2.3.1 contain a patch.

CVE-2026-33176[5]:
| Active Support is a toolkit of support libraries and Ruby core
| extensions extracted from the Rails framework. Prior to versions
| 8.1.2.1, 8.0.4.1, and 7.2.3.1, Active Support number helpers accept
| strings containing scientific notation (e.g. `1e10000`), which
| `BigDecimal` expands into extremely large decimal representations.
| This can cause excessive memory allocation and CPU consumption when
| the expanded number is formatted, possibly resulting in a DoS
| vulnerability. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a
| patch.

CVE-2026-33195[6]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,
| Active Storage's `DiskService#path_for` does not validate that the
| resolved filesystem path remains within the storage root directory.
| If a blob key containing path traversal sequences (e.g. `../`) is
| used, it could allow reading, writing, or deleting arbitrary files
| on the server. Blob keys are expected to be trusted strings, but
| some applications could be passing user input as keys and would be
| affected. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

CVE-2026-33202[7]:
| Active Storage allows users to attach cloud and local files in Rails
| applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1,
| Active Storage's `DiskService#delete_prefixed` passes blob keys
| directly to `Dir.glob` without escaping glob metacharacters. If a
| blob key contains attacker-controlled input or custom-generated keys
| with glob metacharacters, it may be possible to delete unintended
| files from the storage directory. Versions 8.1.2.1, 8.0.4.1, and
| 7.2.3.1 contain a patch.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-33168
    https://www.cve.org/CVERecord?id=CVE-2026-33168
[1] https://security-tracker.debian.org/tracker/CVE-2026-33169
    https://www.cve.org/CVERecord?id=CVE-2026-33169
[2] https://security-tracker.debian.org/tracker/CVE-2026-33170
    https://www.cve.org/CVERecord?id=CVE-2026-33170
[3] https://security-tracker.debian.org/tracker/CVE-2026-33173
    https://www.cve.org/CVERecord?id=CVE-2026-33173
[4] https://security-tracker.debian.org/tracker/CVE-2026-33174
    https://www.cve.org/CVERecord?id=CVE-2026-33174
[5] https://security-tracker.debian.org/tracker/CVE-2026-33176
    https://www.cve.org/CVERecord?id=CVE-2026-33176
[6] https://security-tracker.debian.org/tracker/CVE-2026-33195
    https://www.cve.org/CVERecord?id=CVE-2026-33195
[7] https://security-tracker.debian.org/tracker/CVE-2026-33202
    https://www.cve.org/CVERecord?id=CVE-2026-33202

Regards,
Salvatore
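Added illustration of the two `DiskService` issues in the report above, CVE-2026-33195 (key resolves outside the storage root) and CVE-2026-33202 (key passed unescaped to `Dir.glob`). This is not Rails' or Active Storage's code: `ToyDiskStore`, its method names, the flat key layout and the constructed blob keys (`abc123`, `abc456`, `zzz789`) are assumptions made for the example. It keeps the naive mapping and prefix delete beside hardened versions and drives both against a temporary directory so the difference is observable rather than described.

```ruby
require "tmpdir"
require "fileutils"

# Added illustration, not Active Storage's code: a minimal disk-backed blob
# store that maps keys to files under a root directory. The naive methods
# mirror the behaviour the advisory describes; the others are one hardened form.
class ToyDiskStore
  # Characters Dir.glob interprets: wildcards, character classes,
  # brace expansion and the backslash escape itself.
  GLOB_META = /[\\*?\[\]{}]/

  attr_reader :root

  def initialize(root)
    @root = File.expand_path(root)
    FileUtils.mkdir_p(@root)
  end

  # Naive mapping: joins the key to the root and never checks where the
  # result ends up, so "../x" resolves to a file outside the store.
  def unsafe_path_for(key)
    File.join(@root, key)
  end

  # Hardened mapping: resolve "." and ".." against the root first, then
  # require the result to lie strictly beneath the root (separator included,
  # so a sibling directory such as "storage2" does not pass).
  def path_for(key)
    path = File.expand_path(key, @root)
    unless path.start_with?(@root + File::SEPARATOR)
      raise ArgumentError, "key escapes storage root: #{key.inspect}"
    end
    path
  end

  # Naive prefix delete: the prefix goes into the glob pattern verbatim, so
  # "{a,b}", "*" or "?" inside it widens the match beyond the intended key.
  def unsafe_delete_prefixed(prefix)
    Dir.glob(File.join(@root, "#{prefix}*")).each { |p| FileUtils.rm_rf(p) }
  end

  # Hardened prefix delete: reject traversal, then backslash-escape every
  # metacharacter so the prefix matches literally. Only the trailing "*"
  # we append is left for Dir.glob to interpret; base: keeps the root
  # itself out of the pattern.
  def delete_prefixed(prefix)
    path_for(prefix)
    literal = prefix.gsub(GLOB_META) { |c| "\\#{c}" }
    Dir.glob("#{literal}*", base: @root).each { |n| FileUtils.rm_rf(File.join(@root, n)) }
  end
end

# Runs both scenarios against a constructed layout (three blobs under
# <tmp>/storage) and returns what happened, so each claim can be checked.
def demo
  results = {}
  Dir.mktmpdir do |tmp|
    store = ToyDiskStore.new(File.join(tmp, "storage"))
    reset = lambda do
      FileUtils.rm_rf(Dir.children(store.root).map { |n| File.join(store.root, n) })
      %w[abc123 abc456 zzz789].each { |k| File.write(File.join(store.root, k), "blob") }
    end
    exists = ->(name) { File.exist?(File.join(store.root, name)) }

    # Traversal: writing through the naive mapping with key "../outside"
    # creates a file in <tmp>, the parent of the store root.
    reset.call
    File.write(store.unsafe_path_for("../outside"), "escaped")
    results[:unsafe_wrote_outside_root] = File.exist?(File.join(tmp, "outside"))
    results[:safe_rejects_traversal] =
      begin
        store.path_for("../outside")
        false
      rescue ArgumentError
        true
      end
    results[:safe_accepts_plain_key] = store.path_for("abc123") == File.join(store.root, "abc123")

    # Glob metacharacters: a "prefix" carrying brace expansion removes an
    # unrelated blob through the naive delete, nothing through the hardened
    # one, while a genuine prefix still deletes exactly its blobs.
    reset.call
    store.unsafe_delete_prefixed("{abc123,zzz789}")
    results[:unsafe_deleted_unrelated_blob] = !exists.call("zzz789") && exists.call("abc456")
    reset.call
    store.delete_prefixed("{abc123,zzz789}")
    results[:safe_left_all_blobs] = %w[abc123 abc456 zzz789].all? { |k| exists.call(k) }
    store.delete_prefixed("abc")
    results[:safe_deleted_only_prefix] =
      !exists.call("abc123") && !exists.call("abc456") && exists.call("zzz789")
  end
  results
end

puts demo if __FILE__ == $PROGRAM_NAME
```

Two caveats for anyone adapting the check: `File.expand_path` normalises `..` but does not follow symlinks, so where the root or its contents may be symlinked, compare `File.realpath` of paths that already exist; and if escaping feels fragile, the alternative is to avoid `Dir.glob` altogether and filter `Dir.children(root)` with `start_with?(prefix)`, which has no metacharacters to get wrong.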

