Ruby/actionpack/6.1.7.6


Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

2 Security Vulnerabilities

Cross-site Scripting in actionpack

Published date: 2022-10-27T12:00:27Z
CVE: CVE-2022-3704

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer be tricked into copy-pasting a malicious JavaScript-containing string into a development-only error page accessible only via localhost.

Affected versions: ["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", 
"4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", 
"1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "7.0.3", "6.1.6", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "7.0.4", "6.1.7", "6.0.6", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8"]
Secure versions: [7.2.0.beta2, 7.1.3.4, 7.0.8.4]
Recommendation: Update to version 7.1.3.4.

Missing security headers in Action Pack on non-HTML responses

Published date: 2024-06-04T22:26:24Z
CVE: CVE-2024-28103

Permissions-Policy is Only Served on HTML Content-Type

The application-configurable Permissions-Policy header is only served on responses with an HTML-related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type do not carry the configured Permissions-Policy header. Certain non-HTML Content-Types would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

  • 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
  • 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
  • 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

Affected versions: ["7.2.0.beta1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.1.3", "6.1.3.1", "6.1.3.2", "6.1.4", "6.1.4.1", "6.1.4.3", "6.1.4.2", "6.1.4.4", "6.1.4.6", "6.1.4.5", "6.1.4.7", "6.1.5", "6.1.5.1", "6.1.6", "6.1.6.1", "6.1.7", "6.1.7.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7"]
Secure versions: [7.2.0.beta2, 7.1.3.4, 7.0.8.4]
Recommendation: Update to version 7.1.3.4.

472 Other Versions

Version | License | Security | Released | Age
7.2.0.beta2 | MIT | | 2024-06-04 18:14 | 6 days
7.2.0.beta1 | MIT | 2 | 2024-05-29 23:38 | 12 days
7.1.3.4 | MIT | | 2024-06-04 18:00 | 6 days
7.1.3.3 | MIT | 1 | 2024-05-16 19:22 | 25 days
7.1.3.2 | MIT | 1 | 2024-02-21 21:46 | 4 months
7.1.3.1 | MIT | 1 | 2024-02-21 18:46 | 4 months
7.1.3 | MIT | 6 | 2024-01-16 22:54 | 5 months
7.1.2 | MIT | 6 | 2023-11-10 21:50 | 7 months
7.1.1 | MIT | 6 | 2023-10-11 22:17 | 8 months
7.1.0 | MIT | 6 | 2023-10-05 08:07 | 8 months
7.1.0.rc2 | MIT | 2 | 2023-10-01 22:00 | 8 months
7.1.0.rc1 | MIT | 2 | 2023-09-27 04:01 | 9 months
7.1.0.beta1 | MIT | 2 | 2023-09-13 00:40 | 9 months
7.0.8.4 | MIT | | 2024-06-04 17:56 | 6 days
7.0.8.3 | MIT | 1 | 2024-05-17 19:53 | 24 days
7.0.8.2 | MIT | 1 | 2024-05-16 18:58 | 25 days
7.0.8.1 | MIT | 1 | 2024-02-21 18:42 | 4 months
7.0.8 | MIT | 4 | 2023-09-09 19:12 | 9 months
7.0.7.2 | MIT | 4 | 2023-08-22 20:10 | 10 months
7.0.7.1 | MIT | 4 | 2023-08-22 17:20 | 10 months
7.0.7 | MIT | 4 | 2023-08-09 23:57 | 10 months
7.0.6 | MIT | 4 | 2023-06-29 20:56 | 12 months
7.0.5.1 | MIT | 4 | 2023-06-26 21:42 | 12 months
7.0.5 | MIT | 6 | 2023-05-24 19:11 | about 1 year
7.0.4.3 | MIT | 6 | 2023-03-13 18:53 | about 1 year
7.0.4.2 | MIT | 6 | 2023-01-25 03:14 | over 1 year
7.0.4.1 | MIT | 6 | 2023-01-17 18:55 | over 1 year
7.0.4 | MIT | 13 | 2022-09-09 18:42 | almost 2 years
7.0.3.1 | MIT | 13 | 2022-07-12 17:31 | almost 2 years
7.0.3 | MIT | 13 | 2022-05-09 13:40 | about 2 years
7.0.2.4 | MIT | 13 | 2022-04-26 19:33 | about 2 years
7.0.2.3 | MIT | 15 | 2022-03-08 17:50 | over 2 years
7.0.2.2 | MIT | 15 | 2022-02-11 19:43 | over 2 years
7.0.2.1 | MIT | 17 | 2022-02-11 18:18 | over 2 years
7.0.2 | MIT | 17 | 2022-02-08 23:12 | over 2 years
7.0.1 | MIT | 17 | 2022-01-06 21:54 | over 2 years
7.0.0 | MIT | 17 | 2021-12-15 23:43 | over 2 years
7.0.0.rc3 | MIT | 7 | 2021-12-14 23:04 | over 2 years
7.0.0.rc2 | MIT | 7 | 2021-12-14 19:39 | over 2 years
7.0.0.rc1 | MIT | 8 | 2021-12-06 21:31 | over 2 years
7.0.0.alpha2 | MIT | 8 | 2021-09-15 23:15 | over 2 years
7.0.0.alpha1 | MIT | 8 | 2021-09-15 21:56 | over 2 years
6.1.7.8 | MIT | 1 | 2024-06-04 17:55 | 6 days
6.1.7.7 | MIT | 2 | 2024-02-21 18:39 | 4 months
6.1.7.6 | MIT | 2 | 2023-08-22 20:07 | 10 months
6.1.7.5 | MIT | 2 | 2023-08-22 17:15 | 10 months
6.1.7.4 | MIT | 2 | 2023-06-26 21:31 | 12 months
6.1.7.3 | MIT | 3 | 2023-03-13 18:48 | about 1 year
6.1.7.2 | MIT | 3 | 2023-01-25 03:23 | over 1 year
6.1.7.1 | MIT | 3 | 2023-01-17 18:54 | over 1 year
6.1.7 | MIT | 9 | 2022-09-09 18:38 | almost 2 years
6.1.6.1 | MIT | 9 | 2022-07-12 17:29 | almost 2 years
6.1.6 | MIT | 9 | 2022-05-09 13:45 | about 2 years
6.1.5.1 | MIT | 9 | 2022-04-26 19:30 | about 2 years
6.1.5 | MIT | 11 | 2022-03-10 21:16 | over 2 years
6.1.4.7 | MIT | 11 | 2022-03-08 17:48 | over 2 years
6.1.4.6 | MIT | 11 | 2022-02-11 19:41 | over 2 years
6.1.4.5 | MIT | 13 | 2022-02-11 18:22 | over 2 years
6.1.4.4 | MIT | 13 | 2021-12-15 22:53 | over 2 years
6.1.4.3 | MIT | 13 | 2021-12-14 23:02 | over 2 years
6.1.4.2 | MIT | 13 | 2021-12-14 19:49 | over 2 years
6.1.4.1 | MIT | 15 | 2021-08-19 16:25 | almost 3 years
6.1.4 | MIT | 17 | 2021-06-24 20:40 | almost 3 years
6.1.3.2 | MIT | 17 | 2021-05-05 15:34 | about 3 years
6.1.3.1 | MIT | 25 | 2021-03-26 18:06 | about 3 years
6.1.3 | MIT | 25 | 2021-02-17 18:41 | over 3 years
6.1.2.1 | MIT | 25 | 2021-02-10 20:44 | over 3 years
6.1.2 | MIT | 27 | 2021-02-09 21:28 | over 3 years
6.1.1 | MIT | 27 | 2021-01-07 22:59 | over 3 years
6.1.0 | MIT | 27 | 2020-12-09 19:57 | over 3 years
6.1.0.rc2 | MIT | 17 | 2020-12-01 22:01 | over 3 years
6.1.0.rc1 | MIT | 15 | 2020-11-02 21:20 | over 3 years
6.0.6.1 | MIT | 7 | 2023-01-17 18:53 | over 1 year
6.0.6 | MIT | 7 | 2022-09-09 18:32 | almost 2 years
6.0.5.1 | MIT | 7 | 2022-07-12 17:28 | almost 2 years
6.0.5 | MIT | 7 | 2022-05-09 13:50 | about 2 years
6.0.4.8 | MIT | 7 | 2022-04-26 19:27 | about 2 years
6.0.4.7 | MIT | 9 | 2022-03-08 17:47 | over 2 years
6.0.4.6 | MIT | 9 | 2022-02-11 19:39 | over 2 years
6.0.4.5 | MIT | 11 | 2022-02-11 18:24 | over 2 years
6.0.4.4 | MIT | 11 | 2021-12-15 22:46 | over 2 years
6.0.4.3 | MIT | 11 | 2021-12-14 23:00 | over 2 years
6.0.4.2 | MIT | 11 | 2021-12-14 20:10 | over 2 years
6.0.4.1 | MIT | 13 | 2021-08-19 16:22 | almost 3 years
6.0.4 | MIT | 15 | 2021-06-15 20:17 | almost 3 years
6.0.3.7 | MIT | 15 | 2021-05-05 16:01 | about 3 years
6.0.3.6 | MIT | 21 | 2021-03-26 17:32 | about 3 years
6.0.3.5 | MIT | 21 | 2021-02-10 20:39 | over 3 years
6.0.3.4 | MIT | 23 | 2020-10-07 16:50 | over 3 years
6.0.3.3 | MIT | 25 | 2020-09-09 18:24 | almost 4 years
6.0.3.2 | MIT | 25 | 2020-06-17 14:54 | almost 4 years
6.0.3.1 | MIT | 27 | 2020-05-18 15:47 | about 4 years
6.0.3 | MIT | 31 | 2020-05-06 18:04 | about 4 years
6.0.3.rc1 | MIT | 31 | 2020-05-01 17:18 | about 4 years
6.0.2.2 | MIT | 31 | 2020-03-19 16:43 | about 4 years
6.0.2.1 | MIT | 31 | 2019-12-18 19:08 | over 4 years
6.0.2 | MIT | 31 | 2019-12-13 18:20 | over 4 years
6.0.2.rc2 | MIT | 31 | 2019-12-09 16:12 | over 4 years
6.0.2.rc1 | MIT | 31 | 2019-11-27 15:11 | over 4 years
6.0.1 | MIT | 31 | 2019-11-05 14:39 | over 4 years