Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to

Published date: 2023-06-29T15:03:16Z

CVE: CVE-2023-28362

Links:

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

Affected versions: ["7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Cross-site Scripting in actionpack

Published date: 2022-10-27T12:00:27Z

CVE: CVE-2022-3704

Links:

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

Affected versions: ["7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Missing security headers in Action Pack on non-HTML responses

Published date: 2024-06-04T22:26:24Z

CVE: CVE-2024-28103

Links:

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Affected versions: ["7.2.0.beta1", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

Published date: 2024-10-15T23:35:35Z

CVE: CVE-2024-47887

Links:

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

Affected versions: ["7.2.1", "7.2.0", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z

CVE: CVE-2024-54133

Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.2", "7.2.1.2", "7.2.1.1", "7.2.1", "7.2.0", "7.1.5", "7.1.4.2", "7.1.4.1", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.0.8.6", "7.0.8.5", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "7.0.0.rc3", "7.0.0.rc2", "7.0.0.rc1", "7.0.0.alpha2", "7.0.0.alpha1", "6.1.7.10", "6.1.7.9", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Published date: 2024-10-15T23:35:33Z

CVE: CVE-2024-41128

Links:

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Affected versions: ["7.2.1", "7.2.0", "7.1.4", "7.1.3.4", "7.1.3.3", "7.1.3.2", "7.1.3.1", "7.1.3", "7.1.2", "7.1.1", "7.1.0", "7.0.8.4", "7.0.8.3", "7.0.8.2", "7.0.8.1", "7.0.8", "7.0.7.2", "7.0.7.1", "7.0.7", "7.0.6", "7.0.5.1", "7.0.5", "7.0.4.3", "7.0.4.2", "7.0.4.1", "7.0.4", "7.0.3.1", "7.0.3", "7.0.2.4", "7.0.2.3", "7.0.2.2", "7.0.2.1", "7.0.2", "7.0.1", "7.0.0", "6.1.7.8", "6.1.7.7", "6.1.7.6", "6.1.7.5", "6.1.7.4", "6.1.7.3", "6.1.7.2", "6.1.7.1", "6.1.7", "6.1.6.1", "6.1.6", "6.1.5.1", "6.1.5", "6.1.4.7", "6.1.4.6", "6.1.4.5", "6.1.4.4", "6.1.4.3", "6.1.4.2", "6.1.4.1", "6.1.4", "6.1.3.2", "6.1.3.1", "6.1.3", "6.1.2.1", "6.1.2", "6.1.1", "6.1.0", "6.1.0.rc2", "6.1.0.rc1", "6.0.6.1", "6.0.6", "6.0.5.1", "6.0.5", "6.0.4.8", "6.0.4.7", "6.0.4.6", "6.0.4.5", "6.0.4.4", "6.0.4.3", "6.0.4.2", "6.0.4.1", "6.0.4", "6.0.3.7", "6.0.3.6", "6.0.3.5", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.8.1", "5.2.8", "5.2.7.1", "5.2.7", "5.2.6.3", "5.2.6.2", "5.2.6.1", "5.2.6", "5.2.5", "5.2.4.6", "5.2.4.5", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "5.0.0.racecar1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Missing security headers in Action Pack on non-HTML responses

Published date: 2024-06-04

Framework: rails

CVE: 2024-28103

CVSS V3: 5.4

Links:

https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Affected versions: ["6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.1.4.7", "7.0.2.3", "6.1.5", "6.1.5.1", "7.0.2.4", "7.0.3", "6.1.6", "6.1.6.1", "7.0.3.1", "7.0.4", "6.1.7", "7.0.4.1", "6.1.7.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "6.1.7.6", "7.0.7.2", "7.0.7.1", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.1", "6.1.7.7", "7.1.3.2", "7.0.8.1", "7.0.8.2", "7.1.3.3", "7.0.8.3", "7.2.0.beta1"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10

Framework: rails

CVE: 2024-54133

Links:

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["6.0.3.3", "6.0.2.2", "6.0.2.rc2", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.2", "5.2.4", "6.0.2.1", "6.0.2.rc1", "6.0.3", "5.2.4.3", "5.2.3", "6.0.0", "5.2.4.1", "5.2.4.rc1", "5.2.3.rc1", "5.2.0", "5.2.2.rc1", "5.2.1.1", "6.0.1", "6.0.0.beta3", "6.0.0.beta1", "6.1.0.rc1", "6.0.3.2", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.4.4", "6.0.3.4", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1.rc1", "6.0.0.rc1", "5.2.2.1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "5.2.4.5", "6.0.3.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "6.1.3.2", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.0.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "6.0.4.6", "6.0.4.5", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.1.4.7", "7.0.2.3", "5.2.6.3", "6.0.4.7", "6.1.5", "5.2.7", "6.0.4.8", "6.1.5.1", "5.2.7.1", "7.0.2.4", "6.0.5", "7.0.3", "6.1.6", "5.2.8", "6.0.5.1", "6.1.6.1", "5.2.8.1", "7.0.3.1", "6.0.6", "7.0.4", "6.1.7", "6.0.6.1", "7.0.4.1", "6.1.7.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "6.1.7.6", "7.0.7.2", "7.0.7.1", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.1", "6.1.7.7", "7.1.3.2", "7.0.8.1", "7.0.8.2", "7.1.3.3", "7.0.8.3", "7.2.0.beta1", "7.1.3.4", "7.0.8.4", "7.2.0.beta2", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4", "8.0.0.beta1", "7.2.1.1", "7.0.8.5", "7.1.4.1", "6.1.7.9", "8.0.0.rc1", "7.0.8.6", "7.1.4.2", "6.1.7.10", "7.2.1.2", "8.0.0.rc2", "7.1.5", "7.2.2", "8.0.0"]

Secure versions: [7.0.10, 7.0.8.7, 7.1.5.1, 7.1.5.2, 7.1.6, 7.2.2.1, 7.2.2.2, 7.2.3, 8.0.0.1, 8.0.1, 8.0.2, 8.0.2.1, 8.0.3, 8.0.4, 8.1.0, 8.1.0.beta1, 8.1.0.rc1, 8.1.1]

Recommendation: Update to version 8.1.1.

Version	License	Security	Released
5.2.6.1	MIT	15	2022-02-11 - 18:44	almost 4 years
5.2.6	MIT	15	2021-05-05 - 17:08	over 4 years
5.2.5	MIT	17	2021-03-26 - 17:19	over 4 years
5.2.4.6	MIT	15	2021-05-05 - 15:29	over 4 years
5.2.4.5	MIT	17	2021-02-10 - 20:35	almost 5 years
5.2.4.4	MIT	17	2020-09-09 - 18:36	about 5 years
5.2.4.3	MIT	17	2020-05-18 - 15:42	over 5 years
5.2.4.2	MIT	21	2020-03-19 - 16:37	over 5 years
5.2.4.1	MIT	21	2019-12-18 - 19:02	almost 6 years
5.2.4	MIT	21	2019-11-27 - 15:46	about 6 years
5.2.4.rc1	MIT	21	2019-11-23 - 00:28	about 6 years
5.2.3	MIT	21	2019-03-28 - 03:02	over 6 years
5.2.3.rc1	MIT	21	2019-03-22 - 03:34	over 6 years
5.2.2.1	MIT	21	2019-03-13 - 16:47	over 6 years
5.2.2	MIT	21	2018-12-04 - 18:13	about 7 years
5.2.2.rc1	MIT	21	2018-11-28 - 22:54	about 7 years
5.2.1.1	MIT	21	2018-11-27 - 20:13	about 7 years
5.2.1	MIT	21	2018-08-07 - 21:43	over 7 years
5.2.1.rc1	MIT	21	2018-07-30 - 20:20	over 7 years
5.2.0	MIT	21	2018-04-09 - 20:05	over 7 years
5.2.0.rc2	MIT	17	2018-03-20 - 17:53	over 7 years
5.2.0.rc1	MIT	17	2018-01-30 - 23:37	almost 8 years
5.2.0.beta2	MIT	17	2017-11-28 - 05:03	about 8 years
5.2.0.beta1	MIT	17	2017-11-27 - 18:04	about 8 years
5.1.7	MIT	21	2019-03-28 - 02:47	over 6 years
5.1.7.rc1	MIT	21	2019-03-22 - 04:12	over 6 years
5.1.6.2	MIT	21	2019-03-13 - 16:45	over 6 years
5.1.6.1	MIT	21	2018-11-27 - 20:11	about 7 years
5.1.6	MIT	21	2018-03-29 - 18:28	over 7 years
5.1.5	MIT	21	2018-02-14 - 20:00	almost 8 years
5.1.5.rc1	MIT	21	2018-02-01 - 18:59	almost 8 years
5.1.4	MIT	21	2017-09-08 - 00:50	about 8 years
5.1.4.rc1	MIT	21	2017-08-24 - 19:36	over 8 years
5.1.3	MIT	21	2017-08-03 - 19:14	over 8 years
5.1.3.rc3	MIT	21	2017-07-31 - 19:11	over 8 years
5.1.3.rc2	MIT	21	2017-07-25 - 20:17	over 8 years
5.1.3.rc1	MIT	21	2017-07-19 - 19:37	over 8 years
5.1.2	MIT	21	2017-06-26 - 21:50	over 8 years
5.1.2.rc1	MIT	21	2017-06-20 - 17:03	over 8 years
5.1.1	MIT	21	2017-05-12 - 20:10	over 8 years
5.1.0	MIT	21	2017-04-27 - 20:59	over 8 years
5.1.0.rc2	MIT	21	2017-04-21 - 01:30	over 8 years
5.1.0.rc1	MIT	21	2017-03-20 - 18:57	over 8 years
5.1.0.beta1	MIT	21	2017-02-23 - 19:57	almost 9 years
5.0.7.2	MIT	21	2019-03-13 - 16:40	over 6 years
5.0.7.1	MIT	21	2018-11-27 - 20:08	about 7 years
5.0.7	MIT	21	2018-03-29 - 17:58	over 7 years
5.0.6	MIT	21	2017-09-08 - 00:46	about 8 years
5.0.6.rc1	MIT	21	2017-08-24 - 19:10	over 8 years
5.0.5	MIT	21	2017-07-31 - 19:04	over 8 years

Ruby/actionpack/6.1.7.3

8 Security Vulnerabilities

Impact

Releases

Workarounds

Permissions-Policy is Only Served on HTML Content-Type

Impact

Releases

Workarounds

Patches

Credits

Impact

Releases

Workarounds

Credits

Impact

Releases

Workarounds

Credits

Impact

Releases

Workarounds

Credits

Impact

Releases

Workarounds

Patches

Credits

Impact

Releases

Workarounds

Credits

509 Other Versions