diff --git a/gems/icalendar/CVE-2026-33635.yml b/gems/icalendar/CVE-2026-33635.yml new file mode 100644 index 0000000000..b1e7288b69 --- /dev/null +++ b/gems/icalendar/CVE-2026-33635.yml 
@@ -0,0 +1,51 @@ +--- +gem: icalendar +cve: 2026-33635 +ghsa: pv9c-9mfh-hvxq +url: https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq +title: iCalendar has ICS injection via unsanitized URI property values +date: 2026-03-24 +description: | + ### Summary + + .ics serialization does not properly sanitize URI property values, + enabling ICS injection through attacker-controlled input, adding + arbitrary calendar lines to the output. + + ### Details + + `Icalendar::Values::Uri` falls back to the raw input string when + `URI.parse` fails and later serializes it with `value.to_s` without + removing or escaping `\r` or `\n` characters. That value is embedded + directly into the final ICS line by the normal serializer, so a + payload containing CRLF can terminate the original property and + create a new ICS property or component. (It looks like you can + inject via url, source, image, organizer, attach, attendee, + conference, tzurl because of this) + + Relevant code: + - `lib/icalendar/values/uri.rb:16` + + ### Impact + + Applications that generate `.ics` files from partially untrusted + metadata are impacted. As a result, downstream calendar clients + or importers may process attacker-supplied content as if it were + legitimate event data, such as added attendees, modified URLs, + alarms, or other calendar fields. + + ## Fix + + Reject raw CR and LF characters in `URI`-typed values before + serialization, or escape/encode them so they cannot terminate + the current ICS content line. +cvss_v3: 4.3 +unaffected_versions: + - "< 2.0.0" +patched_versions: + - ">= 2.12.2" +related: + url: + - https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq + - https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265 + - https://github.com/advisories/GHSA-pv9c-9mfh-hvxq
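Review bot: the `## Fix` heading in the description block is one level above the `### Summary`, `### Details` and `### Impact` headings before it; change it to `### Fix` so the advisory body renders with consistent heading levels. In the same hunk, the parenthetical "(It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this)" reads like a draft note; rewrite it as a plain sentence listing those properties as the URI-typed fields that share the `Icalendar::Values::Uri` serialization path, so maintainers and downstream users know which fields the CR/LF check must cover.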