Ruby/actionpack/6.1.7.1
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
https://rubygems.org/gems/actionpack
MIT
2 Security Vulnerabilities
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
- https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
- https://github.com/advisories/GHSA-4g8v-vg43-wpgf
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None. Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a cross-site scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and requires the Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.
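As an added example (not code from the Rails advisory or the actionpack gem), the plain-Ruby helper below shows the kind of validation the workaround above calls for: it refuses any value containing characters that are illegal in an HTTP header field value (the root cause of CVE-2023-28362), refuses non-http(s) schemes such as javascript:, and only allows absolute URLs on an explicit host allow-list or same-site paths. The names `safe_redirect_target`, `check_samples`, the `allowed_hosts` parameter and the hosts app.example / evil.example are assumptions for illustration; the sample inputs are constructed.

```ruby
require "uri"

# Control characters (0x00-0x1F) and DEL are not legal in an HTTP header
# field value. If one reaches the Location header, an RFC-enforcing proxy
# may strip the header and the client stays on the static redirect page.
HEADER_ILLEGAL = /[\x00-\x1f\x7f]/

# Only absolute http(s) URLs on an allowed host, or same-site paths, are
# accepted. javascript:, data:, scheme-relative //host and other schemes
# are rejected outright.
ALLOWED_SCHEMES = %w[http https].freeze

# Validates a user-supplied return URL before it is handed to redirect_to.
# Returns the URL string to redirect to, or nil when the value must not be
# used. `allowed_hosts` is the list of hostnames the app may send users to
# (an assumed parameter; a controller would pass e.g. [request.host]).
def safe_redirect_target(raw, allowed_hosts:)
  return nil if raw.nil? || raw.empty?
  return nil if raw.match?(HEADER_ILLEGAL)

  # Same-site path: a single leading slash. "//host" and "/\host" are
  # treated as scheme-relative URLs by browsers, so they are refused.
  if raw.start_with?("/")
    return raw.start_with?("//", "/\\") ? nil : raw
  end

  uri = URI.parse(raw)
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
  hosts = allowed_hosts.map(&:downcase)
  return nil unless hosts.include?(uri.host.to_s.downcase)

  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Constructed sample inputs, as an attacker could place them in a
# ?return_to= parameter. The expected outcome is in each comment.
SAMPLE_INPUTS = [
  "https://app.example/account",                 # accepted
  "/account?tab=1",                              # accepted (same-site path)
  "https://app.example/x\r\nX-Injected: 1",      # rejected: CRLF in header value
  "javascript:alert(document.domain)",           # rejected: scheme
  "//evil.example/phish",                        # rejected: scheme-relative
  "https://app.example@evil.example/",           # rejected: userinfo trick, host is evil.example
  "https://evil.example/phish",                  # rejected: host not allowed
].freeze

# Returns a Hash of input => validated target (nil when rejected).
def check_samples(allowed_hosts: ["app.example"])
  SAMPLE_INPUTS.to_h { |raw| [raw, safe_redirect_target(raw, allowed_hosts: allowed_hosts)] }
end

if __FILE__ == $PROGRAM_NAME
  check_samples.each { |raw, target| puts "#{raw.inspect.ljust(48)} => #{target.inspect}" }
  # In a controller this becomes:
  #   redirect_to(safe_redirect_target(params[:return_to],
  #                                    allowed_hosts: [request.host]) || root_path)
end
```

Upgrading to a fixed version remains the real remedy; this check is a stopgap for the window before you can upgrade, and it is also a reasonable guard against open redirects in general. On Rails 7.0 and later, `url_from` performs the same-host check for you and `raise_on_open_redirects` makes `redirect_to` refuse other hosts unless `allow_other_host: true` is passed; the control-character rejection above is the part those do not provide on an unpatched release.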
Cross-site Scripting in actionpack
- https://nvd.nist.gov/vuln/detail/CVE-2022-3704
- https://github.com/rails/rails/issues/46244
- https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
- https://vuldb.com/?id.212319
- https://github.com/rails/rails/pull/46269
- https://github.com/advisories/GHSA-9chr-4fjh-5rgw
- https://github.com/rails/rails/issues/46244#issuecomment-1380875153
actionpack from the Ruby on Rails project is vulnerable to cross-site scripting in the route error page. This issue has been patched in the commit linked above.
This vulnerability is disputed by the Rails security team: it requires that the developer is tricked into copy-pasting a malicious JavaScript-containing string into a development-only error page accessible only via localhost.
467 Other Versions
Version | License | Security advisories | Released | Age
---|---|---|---|---
4.0.0.rc1 | MIT | 26 | 2013-04-29 - 15:38 | about 11 years |
4.0.0.rc2 | MIT | 26 | 2013-06-11 - 20:24 | almost 11 years |
4.0.0.beta1 | MIT | 26 | 2013-02-26 - 00:05 | about 11 years |
7.0.5.1 | MIT | 2 | 2023-06-26 - 21:42 | 11 months |
7.0.8 | MIT | 2 | 2023-09-09 - 19:12 | 8 months |
7.0.7.1 | MIT | 2 | 2023-08-22 - 17:20 | 9 months |
7.0.7 | MIT | 2 | 2023-08-09 - 23:57 | 10 months |
7.0.6 | MIT | 2 | 2023-06-29 - 20:56 | 11 months |
7.0.7.2 | MIT | 2 | 2023-08-22 - 20:10 | 9 months |
7.1.0.rc1 | MIT | 1 | 2023-09-27 - 04:01 | 8 months |
7.1.0.rc2 | MIT | 1 | 2023-10-01 - 22:00 | 8 months |
7.1.0.beta1 | MIT | 1 | 2023-09-13 - 00:40 | 8 months |
7.1.2 | MIT | 4 | 2023-11-10 - 21:50 | 6 months |
7.1.1 | MIT | 4 | 2023-10-11 - 22:17 | 7 months |
7.1.3 | MIT | 4 | 2024-01-16 - 22:54 | 4 months |
7.1.0 | MIT | 4 | 2023-10-05 - 08:07 | 8 months |
7.0.4.3 | MIT | 4 | 2023-03-13 - 18:53 | about 1 year |
7.0.4.2 | MIT | 4 | 2023-01-25 - 03:14 | over 1 year |
7.0.5 | MIT | 4 | 2023-05-24 - 19:11 | 12 months |
7.0.4.1 | MIT | 4 | 2023-01-17 - 18:55 | over 1 year |
7.0.0.rc2 | MIT | 6 | 2021-12-14 - 19:39 | over 2 years |
7.0.0.rc3 | MIT | 6 | 2021-12-14 - 23:04 | over 2 years |
6.1.4.4 | MIT | 11 | 2021-12-15 - 22:53 | over 2 years |
6.1.4.3 | MIT | 11 | 2021-12-14 - 23:02 | over 2 years |
5.2.4.6 | MIT | 11 | 2021-05-05 - 15:29 | about 3 years |
6.0.4.4 | MIT | 11 | 2021-12-15 - 22:46 | over 2 years |
5.2.6 | MIT | 11 | 2021-05-05 - 17:08 | about 3 years |
6.0.4.2 | MIT | 11 | 2021-12-14 - 20:10 | over 2 years |
6.1.4.2 | MIT | 11 | 2021-12-14 - 19:49 | over 2 years |
6.0.4.3 | MIT | 11 | 2021-12-14 - 23:00 | over 2 years |
7.0.0 | MIT | 15 | 2021-12-15 - 23:43 | over 2 years |
7.0.1 | MIT | 15 | 2022-01-06 - 21:54 | over 2 years |
7.0.2 | MIT | 15 | 2022-02-08 - 23:12 | over 2 years |
6.0.4.6 | MIT | 9 | 2022-02-11 - 19:39 | over 2 years |
6.1.5 | MIT | 9 | 2022-03-10 - 21:16 | about 2 years |
5.2.6.3 | MIT | 9 | 2022-03-08 - 17:45 | about 2 years |
5.2.7 | MIT | 9 | 2022-03-11 - 00:00 | about 2 years |
5.2.6.2 | MIT | 9 | 2022-02-11 - 19:37 | over 2 years |
6.1.4.6 | MIT | 9 | 2022-02-11 - 19:41 | over 2 years |
6.1.4.7 | MIT | 9 | 2022-03-08 - 17:48 | about 2 years |
6.0.4.7 | MIT | 9 | 2022-03-08 - 17:47 | about 2 years |
7.0.2.3 | MIT | 13 | 2022-03-08 - 17:50 | about 2 years |
7.0.2.2 | MIT | 13 | 2022-02-11 - 19:43 | over 2 years |
7.0.0.rc1 | MIT | 7 | 2021-12-06 - 21:31 | over 2 years |
7.0.0.alpha2 | MIT | 7 | 2021-09-15 - 23:15 | over 2 years |
7.0.0.alpha1 | MIT | 7 | 2021-09-15 - 21:56 | over 2 years |
6.0.4 | MIT | 15 | 2021-06-15 - 20:17 | almost 3 years |
6.1.4 | MIT | 15 | 2021-06-24 - 20:40 | almost 3 years |
6.1.3.2 | MIT | 15 | 2021-05-05 - 15:34 | about 3 years |
6.0.3.7 | MIT | 15 | 2021-05-05 - 16:01 | about 3 years |
6.1.0.rc2 | MIT | 17 | 2020-12-01 - 22:01 | over 3 years |
6.1.0.rc1 | MIT | 15 | 2020-11-02 - 21:20 | over 3 years |
6.1.0 | MIT | 25 | 2020-12-09 - 19:57 | over 3 years |
6.1.2 | MIT | 25 | 2021-02-09 - 21:28 | over 3 years |
6.1.1 | MIT | 25 | 2021-01-07 - 22:59 | over 3 years |
6.0.3.2 | MIT | 25 | 2020-06-17 - 14:54 | almost 4 years |
6.0.3.3 | MIT | 25 | 2020-09-09 - 18:24 | over 3 years |
3.2.22.4 | MIT | 10 | 2016-08-11 - 19:19 | almost 8 years |
3.2.22.5 | MIT | 10 | 2016-09-14 - 21:18 | over 7 years |
3.2.22.3 | MIT | 10 | 2016-08-11 - 17:31 | almost 8 years |
3.2.22.2 | MIT | 11 | 2016-02-29 - 19:23 | about 8 years |
6.0.0.beta2 | MIT | 12 | 2019-02-25 - 22:45 | about 5 years |
6.0.0.rc1 | MIT | 12 | 2019-04-24 - 18:51 | about 5 years |
6.0.0.rc2 | MIT | 12 | 2019-07-22 - 21:10 | almost 5 years |
6.0.0.beta3 | MIT | 12 | 2019-03-13 - 17:02 | about 5 years |
6.0.0.beta1 | MIT | 12 | 2019-01-18 - 20:46 | over 5 years |
4.2.10 | MIT | 13 | 2017-09-27 - 14:28 | over 6 years |
4.2.9.rc2 | MIT | 13 | 2017-06-19 - 22:27 | almost 7 years |
4.2.11.1 | MIT | 13 | 2019-03-13 - 16:37 | about 5 years |
4.2.9.rc1 | MIT | 13 | 2017-06-13 - 18:49 | almost 7 years |
4.2.7.1 | MIT | 13 | 2016-08-11 - 17:31 | almost 8 years |
4.2.8.rc1 | MIT | 13 | 2017-02-10 - 02:45 | over 7 years |
4.2.11.2 | MIT | 13 | 2020-05-15 - 16:30 | about 4 years |
4.2.11 | MIT | 13 | 2018-11-27 - 20:06 | over 5 years |
4.2.9 | MIT | 13 | 2017-06-26 - 21:30 | almost 7 years |
4.2.10.rc1 | MIT | 13 | 2017-09-20 - 19:41 | over 6 years |
5.0.0.rc1 | MIT | 13 | 2016-05-06 - 21:56 | about 8 years |
5.0.0.rc2 | MIT | 13 | 2016-06-22 - 20:02 | almost 8 years |
5.0.0.beta4 | MIT | 13 | 2016-04-27 - 20:54 | about 8 years |
5.0.0.beta3 | MIT | 13 | 2016-02-24 - 16:15 | about 8 years |
4.2.8 | MIT | 13 | 2017-02-21 - 16:08 | about 7 years |
5.0.0.beta1 | MIT | 13 | 2015-12-18 - 21:17 | over 8 years |
5.0.0.beta2 | MIT | 13 | 2016-02-01 - 22:05 | over 8 years |
5.0.0.beta1.1 | MIT | 13 | 2016-01-25 - 19:23 | over 8 years |
4.2.11.3 | MIT | 13 | 2020-05-15 - 18:35 | about 4 years |
4.2.5.2 | MIT | 14 | 2016-02-29 - 19:16 | about 8 years |
4.2.6.rc1 | MIT | 14 | 2016-03-01 - 18:37 | about 8 years |
4.2.7.rc1 | MIT | 14 | 2016-07-01 - 00:32 | almost 8 years |
4.2.6 | MIT | 14 | 2016-03-07 - 22:32 | about 8 years |
4.2.7 | MIT | 14 | 2016-07-13 - 02:55 | almost 8 years |
5.0.0.racecar1 | MIT | 17 | 2016-05-06 - 22:01 | about 8 years |
6.1.4.5 | MIT | 11 | 2022-02-11 - 18:22 | over 2 years |
6.0.4.5 | MIT | 11 | 2022-02-11 - 18:24 | over 2 years |
5.2.6.1 | MIT | 11 | 2022-02-11 - 18:44 | over 2 years |
7.0.2.1 | MIT | 15 | 2022-02-11 - 18:18 | over 2 years |
6.0.4.1 | MIT | 13 | 2021-08-19 - 16:22 | almost 3 years |
6.1.4.1 | MIT | 13 | 2021-08-19 - 16:25 | almost 3 years |
5.2.4.5 | MIT | 13 | 2021-02-10 - 20:35 | over 3 years |
5.2.4.3 | MIT | 13 | 2020-05-18 - 15:42 | about 4 years |
5.2.4.4 | MIT | 13 | 2020-09-09 - 18:36 | over 3 years |