GEM
SEVERITY
CVSS v3.x: 4.3 (Medium)
UNAFFECTED VERSIONS
- < 2.0.0
PATCHED VERSIONS
- >= 2.12.2
DESCRIPTION
Summary
.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.
Details
Icalendar::Values::Uri falls back to the raw input string when
URI.parse raises, and later serializes that string with value.to_s
without removing or escaping \r or \n characters. The normal
serializer embeds the result directly into the final ICS content
line, so a value containing CRLF terminates the original property
and starts a new ICS property or component. Every property whose
value is typed as Icalendar::Values::Uri appears to be reachable
this way, including url, source, image, organizer, attach,
attendee, conference and tzurl.
Relevant code:
lib/icalendar/values/uri.rb:16
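The following is an added, self-contained illustration of the behaviour described above; it is not the gem's code. RawFallbackUri is an assumed, simplified model of the raw-string fallback (the real class, serializer and property set are not reproduced here), and build_vevent is a hypothetical minimal serializer that writes one content line per property. StrictUri and PercentEncodingUri show the two remediations the Fix section names: rejecting CR/LF outright, and percent-encoding them so they cannot end the line.

```ruby
require "uri"

# Assumed model of the vulnerable behaviour: keep the raw string when
# URI.parse rejects it, then serialize with to_s, so CR/LF pass through.
class RawFallbackUri
  def initialize(raw)
    @value = URI.parse(raw)
  rescue URI::InvalidURIError
    @value = raw
  end

  def to_ical
    @value.to_s
  end
end

# Remediation 1: refuse any URI value carrying CR or LF before it can be
# serialized. InjectionError is not InvalidURIError, so it is not swallowed
# by the fallback rescue.
class StrictUri < RawFallbackUri
  class InjectionError < ArgumentError; end

  def initialize(raw)
    raise InjectionError, "CR/LF not allowed in URI value" if raw.match?(/[\r\n]/)
    super
  end
end

# Remediation 2: percent-encode CR and LF (%0D / %0A) so the value stays on
# one content line. URI.parse then accepts the encoded form.
class PercentEncodingUri < RawFallbackUri
  def initialize(raw)
    super(raw.gsub(/[\r\n]/) { |c| format("%%%02X", c.ord) })
  end
end

# Hypothetical minimal serializer: one CRLF-terminated content line per
# property, which is where an unescaped CRLF in a value does its damage.
def build_vevent(url_value)
  lines = [
    "BEGIN:VEVENT",
    "SUMMARY:Team sync",
    "URL:#{url_value.to_ical}",
    "END:VEVENT",
  ]
  lines.join("\r\n") + "\r\n"
end

# Property names as a downstream parser would see them, in order.
def property_names(ics)
  ics.split("\r\n").map { |line| line.split(":", 2).first }
end

# Constructed attacker input: a plausible URL followed by a smuggled
# ATTENDEE property on its own line.
PAYLOAD = "https://example.com/meet\r\nATTENDEE:mailto:attacker@example.invalid"

if $PROGRAM_NAME == __FILE__
  puts "vulnerable:", property_names(build_vevent(RawFallbackUri.new(PAYLOAD))).inspect
  puts "encoded:   ", property_names(build_vevent(PercentEncodingUri.new(PAYLOAD))).inspect
  begin
    StrictUri.new(PAYLOAD)
  rescue StrictUri::InjectionError => e
    puts "strict:     rejected (#{e.message})"
  end
end
```

Rejection is the safer default for a library, since a URI that legitimately needs a raw CR or LF does not exist; percent-encoding is the option when the application would rather keep the record than fail the whole export.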
Impact
Applications that generate .ics files from partially untrusted
metadata (for example, a user-supplied event URL or attendee
address) are affected. Downstream calendar clients and importers
may then process attacker-supplied content as if it were legitimate
event data: added attendees, modified URLs, alarms, or other
calendar properties and components.
Fix
Reject raw CR and LF characters in URI-typed values before
serialization, or escape/encode them so they cannot terminate
the current ICS content line.
