Ruby/actionpack/6.1.7.9

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

3 Security Vulnerabilities

Cross-site Scripting in actionpack

Published date: 2022-10-27T12:00:27Z
CVE: CVE-2022-3704
Links:

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.1", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.8", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.2", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.11", "3.1.10", "3.1.7", "3.1.4", "3.1.4.rc1", "3.1.2.rc1", "3.1.1.rc3", "3.1.1.rc1", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc3", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.15", "3.0.14", "3.0.12", "3.0.12.rc1", "3.0.10", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc1", "3.0.8", "3.0.8.rc2", "3.0.6.rc2", "3.0.5.rc1", "3.0.4.rc1", "3.0.2", "3.0.1", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.12", "2.3.11", "2.3.7", "2.3.6", "2.3.4", "2.0.2", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22", "3.2.17", "3.2.16", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9.rc1", "3.2.8.rc2", "3.2.8.rc1", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2.rc1", "3.2.1", "3.1.12", "3.1.9", "3.1.8", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.1", "3.1.1.rc2", "3.1.0", "3.1.0.rc8", "3.1.0.rc4", "3.1.0.rc2", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.13", "3.0.13.rc1", "3.0.11", "3.0.10.rc1", "3.0.9.rc3", "3.0.8.rc4", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc1", "3.0.5", "3.0.4", "3.0.3", "3.0.0", "2.3.14", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.5", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.1", "1.13.5", "1.13.0", "1.12.2", "1.12.0", "1.11.0", "1.10.2", "1.9.0", "1.8.1", "1.6.0", "0.9.5", "2.0.0", "1.13.6", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.12.5", "1.12.4", "1.12.3", "1.12.1", "1.11.2", "1.11.1", "1.10.1", "1.9.1", "1.8.0", "1.7.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8", "6.1.7.9", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133
Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10
Framework: rails
CVE: 2024-54133
Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4", "8.0.0.beta1", "7.2.1.1", "7.1.4.1", "6.1.7.9", "8.0.0.rc1", "7.2.1.2", "7.1.4.2", "6.1.7.10", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

497 Other Versions

Version License Security Released
4.0.6.rc2 MIT 39 2014-06-16 - 16:15 about 11 years
4.0.6.rc1 MIT 39 2014-05-27 - 16:06 about 11 years
4.0.5 MIT 39 2014-05-06 - 16:12 about 11 years
4.0.4 MIT 41 2014-03-14 - 17:36 over 11 years
4.0.4.rc1 MIT 41 2014-03-11 - 17:30 over 11 years
4.0.3 MIT 41 2014-02-18 - 18:49 over 11 years
4.0.2 MIT 42 2013-12-03 - 19:00 over 11 years
4.0.1 MIT 57 2013-11-01 - 19:07 over 11 years
4.0.1.rc4 MIT 57 2013-10-30 - 20:48 over 11 years
4.0.1.rc3 MIT 57 2013-10-23 - 21:40 over 11 years
4.0.1.rc2 MIT 57 2013-10-21 - 21:55 over 11 years
4.0.1.rc1 MIT 57 2013-10-17 - 16:45 over 11 years
4.0.0 MIT 57 2013-06-25 - 14:32 about 12 years
4.0.0.rc2 MIT 28 2013-06-11 - 20:24 about 12 years
4.0.0.rc1 MIT 28 2013-04-29 - 15:38 about 12 years
4.0.0.beta1 MIT 28 2013-02-26 - 00:05 over 12 years
3.2.22.5 MIT 11 2016-09-14 - 21:18 almost 9 years
3.2.22.4 MIT 11 2016-08-11 - 19:19 almost 9 years
3.2.22.3 MIT 11 2016-08-11 - 17:31 almost 9 years
3.2.22.2 MIT 12 2016-02-29 - 19:23 over 9 years
3.2.22.1 MIT 15 2016-01-25 - 19:23 over 9 years
3.2.22 MIT 26 2015-06-16 - 18:06 about 10 years
3.2.21 MIT 26 2014-11-17 - 15:58 over 10 years
3.2.20 MIT 28 2014-10-30 - 18:35 over 10 years
3.2.19 MIT 30 2014-07-02 - 17:02 almost 11 years
3.2.18 MIT 30 2014-05-06 - 16:16 about 11 years
3.2.17 MIT 32 2014-02-18 - 18:54 over 11 years
3.2.16 MIT 35 2013-12-03 - 19:00 over 11 years
3.2.15 MIT 39 2013-10-16 - 17:22 over 11 years
3.2.15.rc3 MIT 39 2013-10-11 - 21:16 over 11 years
3.2.15.rc2 MIT 39 2013-10-04 - 20:48 over 11 years
3.2.15.rc1 MIT 39 2013-10-03 - 18:53 over 11 years
3.2.14 MIT 39 2013-07-22 - 16:43 almost 12 years
3.2.14.rc2 MIT 39 2013-07-16 - 16:12 almost 12 years
3.2.14.rc1 MIT 39 2013-07-13 - 00:24 almost 12 years
3.2.13 UNKNOWN 39 2013-03-18 - 17:12 over 12 years
3.2.13.rc2 UNKNOWN 43 2013-03-06 - 23:05 over 12 years
3.2.13.rc1 UNKNOWN 43 2013-02-27 - 20:24 over 12 years
3.2.12 UNKNOWN 43 2013-02-11 - 18:16 over 12 years
3.2.11 UNKNOWN 43 2013-01-08 - 20:06 over 12 years
3.2.10 UNKNOWN 45 2013-01-02 - 21:18 over 12 years
3.2.9 UNKNOWN 45 2012-11-12 - 15:20 over 12 years
3.2.9.rc3 UNKNOWN 45 2012-11-09 - 17:59 over 12 years
3.2.9.rc2 UNKNOWN 45 2012-11-01 - 17:39 over 12 years
3.2.9.rc1 UNKNOWN 45 2012-10-29 - 17:06 over 12 years
3.2.8 UNKNOWN 45 2012-08-09 - 21:22 almost 13 years
3.2.8.rc2 UNKNOWN 49 2012-08-03 - 14:28 almost 13 years
3.2.8.rc1 UNKNOWN 49 2012-08-01 - 20:56 almost 13 years
3.2.7 UNKNOWN 49 2012-07-26 - 22:06 almost 13 years
3.2.7.rc1 UNKNOWN 51 2012-07-23 - 21:45 almost 13 years