Ruby/actionpack/6.1.7.6
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
https://rubygems.org/gems/actionpack
MIT
2 Security Vulnerabilities
Cross-site Scripting in actionpack
- https://nvd.nist.gov/vuln/detail/CVE-2022-3704
- https://github.com/rails/rails/issues/46244
- https://github.com/rails/rails/commit/be177e4566747b73ff63fd5f529fab564e475ed4
- https://vuldb.com/?id.212319
- https://github.com/rails/rails/pull/46269
- https://github.com/advisories/GHSA-9chr-4fjh-5rgw
- https://github.com/rails/rails/issues/46244#issuecomment-1380875153
actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.
This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.
Missing security headers in Action Pack on non-HTML responses
- https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
- https://nvd.nist.gov/vuln/detail/CVE-2024-28103
- https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
- https://github.com/advisories/GHSA-fwhr-88qx-h9g7
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
Permissions-Policy is Only Served on HTML Content-Type
The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.
This has been assigned the CVE identifier CVE-2024-28103.
Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4
Impact
Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.
Releases
The fixed releases are available at the normal locations.
Workarounds
N/A
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.
- 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
- 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
- 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series
Credits
Thank you shinkbr for reporting this!
472 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
7.2.0.beta2 | MIT | 2024-06-04 - 18:14 | 6 days | |
7.2.0.beta1 | MIT | 2 | 2024-05-29 - 23:38 | 12 days |
7.1.3.4 | MIT | 2024-06-04 - 18:00 | 6 days | |
7.1.3.3 | MIT | 1 | 2024-05-16 - 19:22 | 25 days |
7.1.3.2 | MIT | 1 | 2024-02-21 - 21:46 | 4 months |
7.1.3.1 | MIT | 1 | 2024-02-21 - 18:46 | 4 months |
7.1.3 | MIT | 6 | 2024-01-16 - 22:54 | 5 months |
7.1.2 | MIT | 6 | 2023-11-10 - 21:50 | 7 months |
7.1.1 | MIT | 6 | 2023-10-11 - 22:17 | 8 months |
7.1.0 | MIT | 6 | 2023-10-05 - 08:07 | 8 months |
7.1.0.rc2 | MIT | 2 | 2023-10-01 - 22:00 | 8 months |
7.1.0.rc1 | MIT | 2 | 2023-09-27 - 04:01 | 9 months |
7.1.0.beta1 | MIT | 2 | 2023-09-13 - 00:40 | 9 months |
7.0.8.4 | MIT | 2024-06-04 - 17:56 | 6 days | |
7.0.8.3 | MIT | 1 | 2024-05-17 - 19:53 | 24 days |
7.0.8.2 | MIT | 1 | 2024-05-16 - 18:58 | 25 days |
7.0.8.1 | MIT | 1 | 2024-02-21 - 18:42 | 4 months |
7.0.8 | MIT | 4 | 2023-09-09 - 19:12 | 9 months |
7.0.7.2 | MIT | 4 | 2023-08-22 - 20:10 | 10 months |
7.0.7.1 | MIT | 4 | 2023-08-22 - 17:20 | 10 months |
7.0.7 | MIT | 4 | 2023-08-09 - 23:57 | 10 months |
7.0.6 | MIT | 4 | 2023-06-29 - 20:56 | 12 months |
7.0.5.1 | MIT | 4 | 2023-06-26 - 21:42 | 12 months |
7.0.5 | MIT | 6 | 2023-05-24 - 19:11 | about 1 year |
7.0.4.3 | MIT | 6 | 2023-03-13 - 18:53 | about 1 year |
7.0.4.2 | MIT | 6 | 2023-01-25 - 03:14 | over 1 year |
7.0.4.1 | MIT | 6 | 2023-01-17 - 18:55 | over 1 year |
7.0.4 | MIT | 13 | 2022-09-09 - 18:42 | almost 2 years |
7.0.3.1 | MIT | 13 | 2022-07-12 - 17:31 | almost 2 years |
7.0.3 | MIT | 13 | 2022-05-09 - 13:40 | about 2 years |
7.0.2.4 | MIT | 13 | 2022-04-26 - 19:33 | about 2 years |
7.0.2.3 | MIT | 15 | 2022-03-08 - 17:50 | over 2 years |
7.0.2.2 | MIT | 15 | 2022-02-11 - 19:43 | over 2 years |
7.0.2.1 | MIT | 17 | 2022-02-11 - 18:18 | over 2 years |
7.0.2 | MIT | 17 | 2022-02-08 - 23:12 | over 2 years |
7.0.1 | MIT | 17 | 2022-01-06 - 21:54 | over 2 years |
7.0.0 | MIT | 17 | 2021-12-15 - 23:43 | over 2 years |
7.0.0.rc3 | MIT | 7 | 2021-12-14 - 23:04 | over 2 years |
7.0.0.rc2 | MIT | 7 | 2021-12-14 - 19:39 | over 2 years |
7.0.0.rc1 | MIT | 8 | 2021-12-06 - 21:31 | over 2 years |
7.0.0.alpha2 | MIT | 8 | 2021-09-15 - 23:15 | over 2 years |
7.0.0.alpha1 | MIT | 8 | 2021-09-15 - 21:56 | over 2 years |
6.1.7.8 | MIT | 1 | 2024-06-04 - 17:55 | 6 days |
6.1.7.7 | MIT | 2 | 2024-02-21 - 18:39 | 4 months |
6.1.7.6 | MIT | 2 | 2023-08-22 - 20:07 | 10 months |
6.1.7.5 | MIT | 2 | 2023-08-22 - 17:15 | 10 months |
6.1.7.4 | MIT | 2 | 2023-06-26 - 21:31 | 12 months |
6.1.7.3 | MIT | 3 | 2023-03-13 - 18:48 | about 1 year |
6.1.7.2 | MIT | 3 | 2023-01-25 - 03:23 | over 1 year |
6.1.7.1 | MIT | 3 | 2023-01-17 - 18:54 | over 1 year |
6.1.7 | MIT | 9 | 2022-09-09 - 18:38 | almost 2 years |
6.1.6.1 | MIT | 9 | 2022-07-12 - 17:29 | almost 2 years |
6.1.6 | MIT | 9 | 2022-05-09 - 13:45 | about 2 years |
6.1.5.1 | MIT | 9 | 2022-04-26 - 19:30 | about 2 years |
6.1.5 | MIT | 11 | 2022-03-10 - 21:16 | over 2 years |
6.1.4.7 | MIT | 11 | 2022-03-08 - 17:48 | over 2 years |
6.1.4.6 | MIT | 11 | 2022-02-11 - 19:41 | over 2 years |
6.1.4.5 | MIT | 13 | 2022-02-11 - 18:22 | over 2 years |
6.1.4.4 | MIT | 13 | 2021-12-15 - 22:53 | over 2 years |
6.1.4.3 | MIT | 13 | 2021-12-14 - 23:02 | over 2 years |
6.1.4.2 | MIT | 13 | 2021-12-14 - 19:49 | over 2 years |
6.1.4.1 | MIT | 15 | 2021-08-19 - 16:25 | almost 3 years |
6.1.4 | MIT | 17 | 2021-06-24 - 20:40 | almost 3 years |
6.1.3.2 | MIT | 17 | 2021-05-05 - 15:34 | about 3 years |
6.1.3.1 | MIT | 25 | 2021-03-26 - 18:06 | about 3 years |
6.1.3 | MIT | 25 | 2021-02-17 - 18:41 | over 3 years |
6.1.2.1 | MIT | 25 | 2021-02-10 - 20:44 | over 3 years |
6.1.2 | MIT | 27 | 2021-02-09 - 21:28 | over 3 years |
6.1.1 | MIT | 27 | 2021-01-07 - 22:59 | over 3 years |
6.1.0 | MIT | 27 | 2020-12-09 - 19:57 | over 3 years |
6.1.0.rc2 | MIT | 17 | 2020-12-01 - 22:01 | over 3 years |
6.1.0.rc1 | MIT | 15 | 2020-11-02 - 21:20 | over 3 years |
6.0.6.1 | MIT | 7 | 2023-01-17 - 18:53 | over 1 year |
6.0.6 | MIT | 7 | 2022-09-09 - 18:32 | almost 2 years |
6.0.5.1 | MIT | 7 | 2022-07-12 - 17:28 | almost 2 years |
6.0.5 | MIT | 7 | 2022-05-09 - 13:50 | about 2 years |
6.0.4.8 | MIT | 7 | 2022-04-26 - 19:27 | about 2 years |
6.0.4.7 | MIT | 9 | 2022-03-08 - 17:47 | over 2 years |
6.0.4.6 | MIT | 9 | 2022-02-11 - 19:39 | over 2 years |
6.0.4.5 | MIT | 11 | 2022-02-11 - 18:24 | over 2 years |
6.0.4.4 | MIT | 11 | 2021-12-15 - 22:46 | over 2 years |
6.0.4.3 | MIT | 11 | 2021-12-14 - 23:00 | over 2 years |
6.0.4.2 | MIT | 11 | 2021-12-14 - 20:10 | over 2 years |
6.0.4.1 | MIT | 13 | 2021-08-19 - 16:22 | almost 3 years |
6.0.4 | MIT | 15 | 2021-06-15 - 20:17 | almost 3 years |
6.0.3.7 | MIT | 15 | 2021-05-05 - 16:01 | about 3 years |
6.0.3.6 | MIT | 21 | 2021-03-26 - 17:32 | about 3 years |
6.0.3.5 | MIT | 21 | 2021-02-10 - 20:39 | over 3 years |
6.0.3.4 | MIT | 23 | 2020-10-07 - 16:50 | over 3 years |
6.0.3.3 | MIT | 25 | 2020-09-09 - 18:24 | almost 4 years |
6.0.3.2 | MIT | 25 | 2020-06-17 - 14:54 | almost 4 years |
6.0.3.1 | MIT | 27 | 2020-05-18 - 15:47 | about 4 years |
6.0.3 | MIT | 31 | 2020-05-06 - 18:04 | about 4 years |
6.0.3.rc1 | MIT | 31 | 2020-05-01 - 17:18 | about 4 years |
6.0.2.2 | MIT | 31 | 2020-03-19 - 16:43 | about 4 years |
6.0.2.1 | MIT | 31 | 2019-12-18 - 19:08 | over 4 years |
6.0.2 | MIT | 31 | 2019-12-13 - 18:20 | over 4 years |
6.0.2.rc2 | MIT | 31 | 2019-12-09 - 16:12 | over 4 years |
6.0.2.rc1 | MIT | 31 | 2019-11-27 - 15:11 | over 4 years |
6.0.1 | MIT | 31 | 2019-11-05 - 14:39 | over 4 years |