Ruby/actionpack/6.1.7.9

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

3 Security Vulnerabilities

Cross-site Scripting in actionpack

Published date: 2022-10-27T12:00:27Z
CVE: CVE-2022-3704
Links:

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.1", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.8", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.2", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.11", "3.1.10", "3.1.7", "3.1.4", "3.1.4.rc1", "3.1.2.rc1", "3.1.1.rc3", "3.1.1.rc1", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc3", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.15", "3.0.14", "3.0.12", "3.0.12.rc1", "3.0.10", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc1", "3.0.8", "3.0.8.rc2", "3.0.6.rc2", "3.0.5.rc1", "3.0.4.rc1", "3.0.2", "3.0.1", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.12", "2.3.11", "2.3.7", "2.3.6", "2.3.4", "2.0.2", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22", "3.2.17", "3.2.16", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9.rc1", "3.2.8.rc2", "3.2.8.rc1", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2.rc1", "3.2.1", "3.1.12", "3.1.9", "3.1.8", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.1", "3.1.1.rc2", "3.1.0", "3.1.0.rc8", "3.1.0.rc4", "3.1.0.rc2", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.10.rc1", "3.0.9.rc3", "3.0.8.rc4", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc1", "3.0.5", "3.0.4", "3.0.3", "3.0.0", "2.3.14", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.5", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.1", "1.13.5", "1.13.0", "1.12.2", "1.12.0", "1.11.0", "1.10.2", "1.9.0", "1.8.1", "1.6.0", "0.9.5", "2.0.0", "1.13.6", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.12.5", "1.12.4", "1.12.3", "1.12.1", "1.11.2", "1.11.1", "1.10.1", "1.9.1", "1.8.0", "1.7.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8", "6.1.7.9", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133
Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10
Framework: rails
CVE: 2024-54133
Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4", "8.0.0.beta1", "7.2.1.1", "7.1.4.1", "6.1.7.9", "8.0.0.rc1", "7.2.1.2", "7.1.4.2", "6.1.7.10", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

497 Other Versions

Version License Security Released
5.2.3.rc1 MIT 21 2019-03-22 - 03:34 over 6 years
5.2.2.1 MIT 21 2019-03-13 - 16:47 over 6 years
5.2.2 MIT 21 2018-12-04 - 18:13 over 6 years
5.2.2.rc1 MIT 21 2018-11-28 - 22:54 over 6 years
5.2.1.1 MIT 21 2018-11-27 - 20:13 over 6 years
5.2.1 MIT 21 2018-08-07 - 21:43 almost 7 years
5.2.1.rc1 MIT 21 2018-07-30 - 20:20 almost 7 years
5.2.0 MIT 21 2018-04-09 - 20:05 about 7 years
5.2.0.rc2 MIT 17 2018-03-20 - 17:53 over 7 years
5.2.0.rc1 MIT 17 2018-01-30 - 23:37 over 7 years
5.2.0.beta2 MIT 17 2017-11-28 - 05:03 over 7 years
5.2.0.beta1 MIT 17 2017-11-27 - 18:04 over 7 years
5.1.7 MIT 21 2019-03-28 - 02:47 over 6 years
5.1.7.rc1 MIT 21 2019-03-22 - 04:12 over 6 years
5.1.6.2 MIT 21 2019-03-13 - 16:45 over 6 years
5.1.6.1 MIT 21 2018-11-27 - 20:11 over 6 years
5.1.6 MIT 21 2018-03-29 - 18:28 over 7 years
5.1.5 MIT 21 2018-02-14 - 20:00 over 7 years
5.1.5.rc1 MIT 21 2018-02-01 - 18:59 over 7 years
5.1.4 MIT 21 2017-09-08 - 00:50 almost 8 years
5.1.4.rc1 MIT 21 2017-08-24 - 19:36 almost 8 years
5.1.3 MIT 21 2017-08-03 - 19:14 almost 8 years
5.1.3.rc3 MIT 21 2017-07-31 - 19:11 almost 8 years
5.1.3.rc2 MIT 21 2017-07-25 - 20:17 almost 8 years
5.1.3.rc1 MIT 21 2017-07-19 - 19:37 almost 8 years
5.1.2 MIT 21 2017-06-26 - 21:50 about 8 years
5.1.2.rc1 MIT 21 2017-06-20 - 17:03 about 8 years
5.1.1 MIT 21 2017-05-12 - 20:10 about 8 years
5.1.0 MIT 21 2017-04-27 - 20:59 about 8 years
5.1.0.rc2 MIT 21 2017-04-21 - 01:30 about 8 years
5.1.0.rc1 MIT 21 2017-03-20 - 18:57 over 8 years
5.1.0.beta1 MIT 21 2017-02-23 - 19:57 over 8 years
5.0.7.2 MIT 21 2019-03-13 - 16:40 over 6 years
5.0.7.1 MIT 21 2018-11-27 - 20:08 over 6 years
5.0.7 MIT 21 2018-03-29 - 17:58 over 7 years
5.0.6 MIT 21 2017-09-08 - 00:46 almost 8 years
5.0.6.rc1 MIT 21 2017-08-24 - 19:10 almost 8 years
5.0.5 MIT 21 2017-07-31 - 19:04 almost 8 years
5.0.5.rc2 MIT 21 2017-07-25 - 20:25 almost 8 years
5.0.5.rc1 MIT 21 2017-07-19 - 19:43 almost 8 years
5.0.4 MIT 21 2017-06-19 - 21:58 about 8 years
5.0.4.rc1 MIT 21 2017-06-14 - 20:48 about 8 years
5.0.3 MIT 21 2017-05-12 - 20:03 about 8 years
5.0.2 MIT 21 2017-03-01 - 23:13 over 8 years
5.0.2.rc1 MIT 21 2017-02-25 - 00:55 over 8 years
5.0.1 MIT 21 2016-12-21 - 00:06 over 8 years
5.0.1.rc2 MIT 21 2016-12-09 - 19:12 over 8 years
5.0.1.rc1 MIT 21 2016-11-30 - 20:01 over 8 years
5.0.0.1 MIT 21 2016-08-11 - 17:32 almost 9 years
5.0.0 MIT 22 2016-06-30 - 21:21 about 9 years