Correct affected versions for CVE-2024-34341

chadlwilson · postmodern · commit 3f8ac23071db · 2024-06-03T06:37:35.000-07:00
As documented officially at https://discuss.rubyonrails.org/t/xss-vulnerabilities-in-trix-editor/85803 Signed-off-by: Chad Wilson <chadw@thoughtworks.com>
diff --git a/gems/actiontext/CVE-2024-34341.yml b/gems/actiontext/CVE-2024-34341.yml
@@ -6,7 +6,7 @@ url: https://github.com/advisories/GHSA-qjqp-xr96-cj99
 title: Arbitrary Code Execution Vulnerability in Trix Editor included in ActionText
 date: 2024-05-07
 description: |
-  The ActionText gem includes a copy of the Trix rich text editor.
+  From version 7.0 onwards the ActionText gem includes a copy of the Trix rich text editor.
   Prior to versions 7.0.8.3 and 7.1.3.3, ActionText included a version of Trix that
   is vulnerable to arbitrary code execution when
   copying and pasting content from the web or other documents with markup into the editor.
@@ -16,7 +16,6 @@ description: |
   # Vulnerable Versions:
     * 7.1 series older than 7.1.3.3
     * 7.0 series older than 7.0.8.3
-    * All versions of ActionText older than 7.0
 
   # Fixed Versions:
     * 7.1.3.3
@@ -55,6 +54,8 @@ description: |
   can significantly mitigate the risk of such vulnerabilities.
   Set CSP policies such as script-src 'self' to ensure that only scripts hosted on the same origin
   are executed, and explicitly prohibit inline scripts using script-src-elem.
+unaffected_versions:
+  - "< 7.0.0"
 patched_versions:
   - "~> 7.0.8.3"
   - ">= 7.1.3.3"
