Ruby/actionpack/7.0.5
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
https://rubygems.org/gems/actionpack
MIT
4 Security Vulnerabilities
Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to
- https://github.com/rails/rails/commit/1c3f93d1e90a3475f9ae2377ead25ccf11f71441
- https://github.com/rails/rails/commit/c9ab9b32bcdcfd8bcd55907f6c7b20b4e004cc23
- https://discuss.rubyonrails.org/t/cve-2023-28362-possible-xss-via-user-supplied-values-to-redirect-to/83132
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-28362.yml
- https://github.com/advisories/GHSA-4g8v-vg43-wpgf
The redirect_to
method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to
method.
Rails has possible XSS Vulnerability in Action Controller
- https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4
- https://nvd.nist.gov/vuln/detail/CVE-2024-26143
- https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc
- https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e
- https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml
- https://github.com/advisories/GHSA-9822-6m93-xqf4
Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers
(translate
, t
, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.
Versions Affected: >= 7.0.0. Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1
Impact
Applications using translation methods like translate
, or t
on a
controller, with a key ending in _html
, a :default
key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.
For example, impacted code will look something like this:
class ArticlesController < ApplicationController
def show
@message = t("message_html", default: untrusted_input)
# The `show` template displays the contents of `@message`
end
end
To reiterate the pre-conditions, applications must:
- Use a translation function from a controller (i.e. not I18n.t, or
t
from a view) - Use a key that ends in
_html
- Use a default value where the default value is untrusted and unescaped input
- Send the text to the victim (whether that's part of a template, or a
render
call)
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 7-0-translate-xss.patch - Patch for 7.0 series
- 7-1-translate-xss.patch - Patch for 7.1 series
Credits
Thanks to ooooooo_q for the patch and fix!
Possible XSS via User Supplied Values to redirect_to
The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.
Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4
Impact
This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).
Releases
The FIXED releases are available at the normal locations.
Workarounds
Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.
Possible XSS Vulnerability in Action Controller
There is a possible XSS vulnerability when using the translation helpers
(translate
, t
, etc) in Action Controller. This vulnerability has been
assigned the CVE identifier CVE-2024-26143.
Versions Affected: >= 7.0.0 Not affected: < 7.0.0 Fixed Versions: 7.1.3.1, 7.0.8.1
Impact
Applications using translation methods like translate
, or t
on a
controller, with a key ending in “_html”, a :default
key which contains
untrusted user input, and the resulting string is used in a view, may be
susceptible to an XSS vulnerability.
For example, impacted code will look something like this:
class ArticlesController < ApplicationController
def show
@message = t("message_html", default: untrusted_input)
# The `show` template displays the contents of `@message`
end
end
To reiterate the pre-conditions, applications must:
- Use a translation function from a controller (i.e. not
I18n.t
, ort
from a view) - Use a key that ends in
_html
- Use a default value where the default value is untrusted and unescaped input
- Send the text to the victim (whether that’s part of a template, or a
render
call)
All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
467 Other Versions
Version | License | Security | Released | |
---|---|---|---|---|
3.0.0.beta4 | UNKNOWN | 44 | 2010-06-08 - 22:30 | almost 14 years |
3.0.0.beta3 | UNKNOWN | 44 | 2010-04-13 - 19:22 | about 14 years |
3.0.0.beta2 | UNKNOWN | 44 | 2010-04-01 - 21:24 | about 14 years |
3.0.0.beta | UNKNOWN | 44 | 2010-02-05 - 02:59 | over 14 years |
2.3.18 | UNKNOWN | 41 | 2013-03-18 - 17:12 | about 11 years |
2.3.17 | UNKNOWN | 43 | 2013-02-11 - 18:16 | over 11 years |
2.3.16 | UNKNOWN | 43 | 2013-01-28 - 21:00 | over 11 years |
2.3.15 | UNKNOWN | 43 | 2013-01-08 - 20:06 | over 11 years |
2.3.14 | UNKNOWN | 43 | 2011-08-16 - 22:00 | almost 13 years |
2.3.12 | UNKNOWN | 49 | 2011-06-08 - 00:21 | almost 13 years |
2.3.11 | UNKNOWN | 49 | 2011-02-08 - 21:15 | over 13 years |
2.3.10 | UNKNOWN | 52 | 2010-10-14 - 20:52 | over 13 years |
2.3.9 | UNKNOWN | 52 | 2010-09-04 - 21:54 | over 13 years |
2.3.9.pre | UNKNOWN | 52 | 2010-08-30 - 03:31 | over 13 years |
2.3.8 | UNKNOWN | 52 | 2010-05-25 - 04:52 | almost 14 years |
2.3.8.pre1 | UNKNOWN | 52 | 2010-05-24 - 21:16 | almost 14 years |
2.3.7 | UNKNOWN | 52 | 2010-05-24 - 08:22 | almost 14 years |
2.3.6 | UNKNOWN | 52 | 2010-05-23 - 07:48 | almost 14 years |
2.3.5 | UNKNOWN | 52 | 2009-11-27 - 00:12 | over 14 years |
2.3.4 | UNKNOWN | 53 | 2009-09-04 - 17:33 | over 14 years |
2.3.3 | UNKNOWN | 57 | 2009-08-04 - 23:43 | almost 15 years |
2.3.2 | UNKNOWN | 57 | 2009-07-25 - 18:36 | almost 15 years |
2.2.3 | UNKNOWN | 61 | 2009-09-28 - 09:22 | over 14 years |
2.2.2 | UNKNOWN | 63 | 2009-07-25 - 18:36 | almost 15 years |
2.1.2 | UNKNOWN | 66 | 2009-07-25 - 18:36 | almost 15 years |
2.1.1 | UNKNOWN | 66 | 2009-07-25 - 18:36 | almost 15 years |
2.1.0 | UNKNOWN | 66 | 2009-07-25 - 18:36 | almost 15 years |
2.0.5 | UNKNOWN | 61 | 2009-07-25 - 18:36 | almost 15 years |
2.0.4 | UNKNOWN | 61 | 2009-07-25 - 18:36 | almost 15 years |
2.0.2 | UNKNOWN | 61 | 2009-07-25 - 18:36 | almost 15 years |
2.0.1 | UNKNOWN | 61 | 2009-07-25 - 18:36 | almost 15 years |
2.0.0 | UNKNOWN | 61 | 2009-07-25 - 18:36 | almost 15 years |
1.13.6 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.13.5 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.13.4 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.13.3 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.13.2 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.13.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.13.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.12.5 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.12.4 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.12.3 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.12.2 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.12.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.12.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.11.2 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.11.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.11.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.10.2 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.10.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.9.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.9.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.8.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.8.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.7.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.6.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.5.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.5.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.4.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.3.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.3.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.2.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.1.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.0.1 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
1.0.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
0.9.5 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |
0.9.0 | UNKNOWN | 55 | 2009-07-25 - 18:36 | almost 15 years |