Ruby/actionpack/6.1.7.5
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
https://rubygems.org/gems/actionpack
MIT
7 Security Vulnerabilities
Cross-site Scripting in actionpack
Published date: 2022-10-27T12:00:27Z
CVE: CVE-2022-3704
Links:
- https://nvd.nist.gov/vuln/detail/CVE-2022-3704
- https://github.com/rails/rails/issues/46244
- https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
- https://vuldb.com/?id.212319
- https://github.com/rails/rails/pull/46269
- https://github.com/advisories/GHSA-9chr-4fjh-5rgw
- https://github.com/rails/rails/issues/46244#issuecomment-1380875153
actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.
This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.
Affected versions:
["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.1", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.8", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.2", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.11", "3.1.10", "3.1.7", "3.1.4", "3.1.4.rc1", "3.1.2.rc1", "3.1.1.rc3", "3.1.1.rc1", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc3", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.15", "3.0.14", "3.0.12", "3.0.12.rc1", "3.0.10", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc1", "3.0.8", "3.0.8.rc2", "3.0.6.rc2", "3.0.5.rc1", "3.0.4.rc1", "3.0.2", "3.0.1", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.12", "2.3.11", "2.3.7", "2.3.6", "2.3.4", "2.0.2", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22", "3.2.17", "3.2.16", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9.rc1", "3.2.8.rc2", "3.2.8.rc1", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2.rc1", "3.2.1", "3.1.12", "3.1.9", "3.1.8", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.1", "3.1.1.rc2", "3.1.0", "3.1.0.rc8", "3.1.0.rc4", "3.1.0.rc2", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.10.rc1", "3.0.9.rc3", "3.0.8.rc4", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc1", "3.0.5", "3.0.4", "3.0.3", "3.0.0", "2.3.14", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.5", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.1", "1.13.5", "1.13.0", "1.12.2", "1.12.0", "1.11.0", "1.10.2", "1.9.0", "1.8.1", "1.6.0", "0.9.5", "2.0.0", "1.13.6", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.12.5", "1.12.4", "1.12.3", "1.12.1", "1.11.2", "1.11.1", "1.10.1", "1.9.1", "1.8.0", "1.7.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8", "6.1.7.9", "6.1.7.10"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Missing security headers in Action Pack on non-HTML responses
Published date: 2024-06-04T22:26:24Z
CVE: CVE-2024-28103
Links:
- https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
- https://nvd.nist.gov/vuln/detail/CVE-2024-28103
- https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
- https://github.com/advisories/GHSA-fwhr-88qx-h9g7
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
- https://security.netapp.com/advisory/ntap-20241206-0002
Permissions-Policy is Only Served on HTML Content-Type
The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.
This has been assigned the CVE identifier CVE-2024-28103.
Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4
Impact
Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.
Releases
The fixed releases are available at the normal locations.
Workarounds
N/A
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.
- 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
- 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
- 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series
Credits
Thank you shinkbr for reporting this!
Affected versions:
["7.2.0.beta1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "6.1.4.3", "6.1.4.2", "6.1.4.4", "6.1.4.6", "6.1.4.5", "6.1.4.7", "6.1.5", "6.1.5.1", "6.1.6", "6.1.6.1", "6.1.7", "6.1.7.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
Published date: 2024-10-15T23:35:35Z
CVE: CVE-2024-47887
Links:
There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.
Impact
For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users on Ruby 3.2 are unaffected by this issue.
Credits
Thanks to scyoon for reporting
Affected versions:
["7.2.0", "7.2.1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "5.2.6.2", "5.2.6.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "6.1.7", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Possible Content Security Policy bypass in Action Dispatch
Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133
Links:
- https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
- https://github.com/advisories/GHSA-vfm5-rmrh-j26v
- https://nvd.nist.gov/vuln/detail/CVE-2024-54133
- https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
- https://github.com/rails/rails/commit/3da2479cfe1e00177114b17e496213c40d286b3a
- https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
- https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
- https://security.netapp.com/advisory/ntap-20250306-0010
There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.
Impact
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
Releases
The fixed releases are available at the normal locations.
Workarounds
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Credits
Thanks to ryotak for the report!
Affected versions:
["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Possible ReDoS vulnerability in query parameter filtering in Action Dispatch
Published date: 2024-10-15T23:35:33Z
CVE: CVE-2024-41128
Links:
- https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj
- https://github.com/advisories/GHSA-x76w-6vjr-8xgj
- https://nvd.nist.gov/vuln/detail/CVE-2024-41128
- https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
- https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
- https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
- https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
- https://access.redhat.com/security/cve/cve-2024-41128
- https://bugzilla.redhat.com/show_bug.cgi?id=2319036
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml
There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.
Impact
Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
Users on Ruby 3.2 are unaffected by this issue.
Credits
Thanks to scyoon for the report and patches!
Affected versions:
["7.2.0", "7.2.1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.1", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.8", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.2", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.11", "3.1.10", "3.1.7", "3.1.4", "3.1.4.rc1", "3.1.2.rc1", "3.1.1.rc3", "3.1.1.rc1", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22", "3.2.17", "3.2.16", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9.rc1", "3.2.8.rc2", "3.2.8.rc1", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2.rc1", "3.2.1", "3.1.12", "3.1.9", "3.1.8", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.1", "3.1.1.rc2", "3.1.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "5.2.6.2", "5.2.6.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "6.1.7", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Missing security headers in Action Pack on non-HTML responses
Published date: 2024-06-04
Framework: rails
CVE: 2024-28103
CVSS V3: 5.4
Permissions-Policy is Only Served on HTML Content-Type
The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.
This has been assigned the CVE identifier CVE-2024-28103.
Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4
Impact
Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.
Releases
The fixed releases are available at the normal locations.
Workarounds
N/A
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.
- 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
- 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
- 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series
Credits
Thank you shinkbr for reporting this!
Affected versions:
["6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "7.0.2.3", "6.1.4.7", "6.1.5", "7.0.2.4", "6.1.5.1", "6.1.6", "7.0.3", "7.0.3.1", "6.1.6.1", "7.0.4", "6.1.7", "6.1.7.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.0.8.1", "6.1.7.7", "7.1.3.3", "7.0.8.2", "7.0.8.3", "7.2.0.beta1"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
Possible Content Security Policy bypass in Action Dispatch
Published date: 2024-12-10
Framework: rails
CVE: 2024-54133
There is a possible Cross Site Scripting (XSS) vulnerability
in the content_security_policy helper in Action Pack.
Impact
Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.
Releases
The fixed releases are available at the normal locations.
Workarounds
Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Credits
Thanks to ryotak for the report!
Affected versions:
["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4", "8.0.0.beta1", "7.2.1.1", "7.1.4.1", "6.1.7.9", "8.0.0.rc1", "7.2.1.2", "7.1.4.2", "6.1.7.10", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0"]
Secure versions:
[7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation:
Update to version 8.0.2.
497 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 3.0.12 | UNKNOWN | 58 | 2012-03-01 - 17:50 | over 13 years |
| 3.0.12.rc1 | UNKNOWN | 59 | 2012-02-22 - 21:37 | over 13 years |
| 3.0.11 | UNKNOWN | 59 | 2011-11-18 - 01:22 | over 13 years |
| 3.0.10 | UNKNOWN | 60 | 2011-08-16 - 22:12 | almost 14 years |
| 3.0.10.rc1 | UNKNOWN | 63 | 2011-08-05 - 00:11 | almost 14 years |
| 3.0.9 | UNKNOWN | 63 | 2011-06-16 - 10:04 | about 14 years |
| 3.0.9.rc5 | UNKNOWN | 63 | 2011-06-12 - 21:29 | about 14 years |
| 3.0.9.rc4 | UNKNOWN | 63 | 2011-06-12 - 21:23 | about 14 years |
| 3.0.9.rc3 | UNKNOWN | 63 | 2011-06-09 - 22:50 | about 14 years |
| 3.0.9.rc1 | UNKNOWN | 63 | 2011-06-08 - 21:19 | about 14 years |
| 3.0.8 | UNKNOWN | 63 | 2011-06-08 - 00:14 | about 14 years |
| 3.0.8.rc4 | UNKNOWN | 64 | 2011-05-31 - 00:07 | about 14 years |
| 3.0.8.rc2 | UNKNOWN | 64 | 2011-05-27 - 16:31 | about 14 years |
| 3.0.8.rc1 | UNKNOWN | 64 | 2011-05-26 - 00:10 | about 14 years |
| 3.0.7 | UNKNOWN | 64 | 2011-04-18 - 21:04 | about 14 years |
| 3.0.7.rc2 | UNKNOWN | 65 | 2011-04-15 - 17:31 | about 14 years |
| 3.0.7.rc1 | UNKNOWN | 65 | 2011-04-14 - 21:55 | about 14 years |
| 3.0.6 | UNKNOWN | 65 | 2011-04-05 - 23:01 | about 14 years |
| 3.0.6.rc2 | UNKNOWN | 67 | 2011-03-31 - 05:27 | over 14 years |
| 3.0.6.rc1 | UNKNOWN | 67 | 2011-03-29 - 20:43 | over 14 years |
| 3.0.5 | UNKNOWN | 67 | 2011-02-27 - 02:29 | over 14 years |
| 3.0.5.rc1 | UNKNOWN | 67 | 2011-02-23 - 19:07 | over 14 years |
| 3.0.4 | UNKNOWN | 67 | 2011-02-08 - 21:15 | over 14 years |
| 3.0.4.rc1 | UNKNOWN | 73 | 2011-01-30 - 22:59 | over 14 years |
| 3.0.3 | UNKNOWN | 73 | 2010-11-16 - 16:28 | over 14 years |
| 3.0.2 | UNKNOWN | 73 | 2010-11-15 - 19:33 | over 14 years |
| 3.0.1 | UNKNOWN | 73 | 2010-10-14 - 20:55 | over 14 years |
| 3.0.0 | UNKNOWN | 73 | 2010-08-29 - 23:11 | almost 15 years |
| 3.0.0.rc2 | UNKNOWN | 42 | 2010-08-24 - 03:04 | almost 15 years |
| 3.0.0.rc | UNKNOWN | 42 | 2010-07-26 - 21:43 | almost 15 years |
| 3.0.0.beta4 | UNKNOWN | 41 | 2010-06-08 - 22:30 | about 15 years |
| 3.0.0.beta3 | UNKNOWN | 41 | 2010-04-13 - 19:22 | about 15 years |
| 3.0.0.beta2 | UNKNOWN | 41 | 2010-04-01 - 21:24 | about 15 years |
| 3.0.0.beta | UNKNOWN | 41 | 2010-02-05 - 02:59 | over 15 years |
| 2.3.18 | UNKNOWN | 35 | 2013-03-18 - 17:12 | over 12 years |
| 2.3.17 | UNKNOWN | 37 | 2013-02-11 - 18:16 | over 12 years |
| 2.3.16 | UNKNOWN | 37 | 2013-01-28 - 21:00 | over 12 years |
| 2.3.15 | UNKNOWN | 39 | 2013-01-08 - 20:06 | over 12 years |
| 2.3.14 | UNKNOWN | 39 | 2011-08-16 - 22:00 | almost 14 years |
| 2.3.12 | UNKNOWN | 45 | 2011-06-08 - 00:21 | about 14 years |
| 2.3.11 | UNKNOWN | 45 | 2011-02-08 - 21:15 | over 14 years |
| 2.3.10 | UNKNOWN | 48 | 2010-10-14 - 20:52 | over 14 years |
| 2.3.9 | UNKNOWN | 48 | 2010-09-04 - 21:54 | almost 15 years |
| 2.3.9.pre | UNKNOWN | 48 | 2010-08-30 - 03:31 | almost 15 years |
| 2.3.8 | UNKNOWN | 48 | 2010-05-25 - 04:52 | about 15 years |
| 2.3.8.pre1 | UNKNOWN | 48 | 2010-05-24 - 21:16 | about 15 years |
| 2.3.7 | UNKNOWN | 48 | 2010-05-24 - 08:22 | about 15 years |
| 2.3.6 | UNKNOWN | 48 | 2010-05-23 - 07:48 | about 15 years |
| 2.3.5 | UNKNOWN | 48 | 2009-11-27 - 00:12 | over 15 years |
| 2.3.4 | UNKNOWN | 50 | 2009-09-04 - 17:33 | almost 16 years |