GHSA SYNC: 4 brand new advisories

gems/actionmailer/CVE-2024-47889.yml

@@ -0,0 +1,47 @@
+---
+gem: actionmailer
+framework: rails
+cve: 2024-47889
+ghsa: h47h-mwp9-c6q6
+url: https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
+title: Possible ReDoS vulnerability in block_format in Action Mailer
+date: 2024-10-15
+description: |
+  There is a possible ReDoS vulnerability in the block_format helper
+  in Action Mailer. This vulnerability has been assigned the
+  CVE identifier CVE-2024-47889.
+
+  ## Impact
+
+  Carefully crafted text can cause the block_format helper to take an
+  unexpected amount of time, possibly resulting in a DoS vulnerability.
+  All users running an affected release should either upgrade or apply
+  the relevant patch immediately.
+
+  Ruby 3.2 has mitigations for this problem, so Rails applications
+  using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires
+  Ruby 3.2 or greater so is unaffected.
+
+  ## Releases
+
+  The fixed releases are available at the normal locations.
+
+  ## Workarounds
+
+  Users can avoid calling the `block_format` helper or upgrade
+  to Ruby 3.2.
+
+  ##Credits
+
+  Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
+unaffected_versions:
+  - "< 3.0.0"
+patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
+    - https://github.com/advisories/GHSA-h47h-mwp9-c6q6

gems/actionpack/CVE-2024-41128.yml

@@ -0,0 +1,46 @@
+---
+gem: actionpack
+framework: rails
+cve: 2024-41128
+ghsa: x76w-6vjr-8xgj
+url: https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
+title: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
+date: 2024-10-15
+description: |
+  There is a possible ReDoS vulnerability in the query parameter
+  filtering routines of Action Dispatch. This vulnerability has
+  been assigned the CVE identifier CVE-2024-41128.
+
+  ## Impact
+
+  Carefully crafted query parameters can cause query parameter
+  filtering to take an unexpected amount of time, possibly resulting
+  in a DoS vulnerability. All users running an affected release
+  should either upgrade or apply the relevant patch immediately.
+
+  Ruby 3.2 has mitigations for this problem, so Rails applications
+  using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
+  on Ruby 3.2 or greater so is unaffected.
+
+  ## Releases
+
+  The fixed releases are available at the normal locations.
+
+  ## Workarounds
+
+  Users on Ruby 3.2 are unaffected by this issue.
+
+  ## Credits
+
+  Thanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!
+unaffected_versions:
+  - "< 3.1.0"
+patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
+    - https://github.com/advisories/GHSA-x76w-6vjr-8xgj

gems/actionpack/CVE-2024-47887.yml

@@ -0,0 +1,49 @@
+---
+gem: actionpack
+framework: rails
+cve: 2024-47887
+ghsa: vfg9-r3fq-jvx4
+url: https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
+title: Possible ReDoS vulnerability in HTTP Token authentication
+  in Action Controller
+date: 2024-10-15
+description: |
+  There is a possible ReDoS vulnerability in Action Controller's
+  HTTP Token authentication. This vulnerability has been assigned
+  the CVE identifier CVE-2024-47887.
+
+  ## Impact
+
+  For applications using HTTP Token authentication via
+  `authenticate_or_request_with_http_token` or similar, a carefully
+  crafted header may cause header parsing to take an unexpected amount
+  of time, possibly resulting in a DoS vulnerability. All users running
+  an affected release should either upgrade or apply the relevant
+  patch immediately.
+
+  Ruby 3.2 has mitigations for this problem, so Rails applications
+  using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
+  on Ruby 3.2 or greater so is unaffected.
+
+  ## Releases
+
+  The fixed releases are available at the normal locations.
+
+  ## Workarounds
+
+  Users on Ruby 3.2 are unaffected by this issue.
+
+  ## Credits
+
+  Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
+unaffected_versions:
+  - "< 4.0.0"
+patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
+    - https://github.com/advisories/GHSA-vfg9-r3fq-jvx4

gems/actiontext/CVE-2024-47888.yml

@@ -0,0 +1,48 @@
+---
+gem: actiontext
+framework: rails
+cve: 2024-47888
+ghsa: wwhv-wxv9-rpgw
+url: https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
+title: Possible ReDoS vulnerability in plain_text_for_blockquote_node
+  in Action Text
+date: 2024-10-15
+description: |
+  There is a possible ReDoS vulnerability in the
+  plain_text_for_blockquote_node helper in Action Text. This
+  vulnerability has been assigned the CVE identifier CVE-2024-47888.
+
+  ## Impact
+
+  Carefully crafted text can cause the plain_text_for_blockquote_node
+  helper to take an unexpected amount of time, possibly resulting
+  in a DoS vulnerability. All users running an affected release should
+  either upgrade or apply the relevant patch immediately.
+
+  Ruby 3.2 has mitigations for this problem, so Rails applications
+  using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
+  on Ruby 3.2 or greater so is unaffected.
+
+  ## Releases
+
+  The fixed releases are available at the normal locations.
+
+  ## Workarounds
+
+  Users can avoid calling `plain_text_for_blockquote_node` or
+  upgrade to Ruby 3.2.
+
+  ## Credits
+
+  Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
+unaffected_versions:
+  - "< 6.0.0"
+patched_versions:
+  - "~> 6.1.7.9"
+  - "~> 7.0.8.5"
+  - "~> 7.1.4.1"
+  - ">= 7.2.1.1"
+related:
+  url:
+    - https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
+    - https://github.com/advisories/GHSA-wwhv-wxv9-rpgw