Ruby/actionpack/7.0.8.5


Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

1 Security Vulnerability

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133
There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications that build Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable: a carefully crafted value can terminate the directive it was placed in and inject new directives of the attacker's choosing into the policy. This can bypass the CSP and the protection it provides against XSS and other attacks.

Releases

The fixed releases (7.0.8.7, 7.1.5.1, 7.2.2.1 and 8.0.0.1) are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input before it reaches a directive. At a minimum, such validation must reject values containing `;` (the separator between directives) and `,` (the separator between policies in one header field), since either character lets the value escape its directive.
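The injection described under Impact, and the validation recommended as a workaround, as an added example that is not part of the advisory or of Action Pack's own code. It models the header serialisation with a small standalone builder (`build_csp`, `vulnerable_policy`, `safe_policy` and `validate_csp_source!` are hypothetical names, not Rails APIs), and the tenant CDN value stands in for any user-controlled input that ends up in a directive:

```ruby
# Added example (not actionpack's own code): a minimal model of how a CSP
# header is serialised from per-directive source lists, how an unvalidated
# value containing ';' appends a directive of the attacker's choosing, and
# the input validation the Workarounds section recommends.

# Serialise a directive hash the way the header is sent: directives joined
# by "; ", each directive name followed by its space-separated sources.
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Tokenise a serialised header the way a browser does: ';' separates
# directives, whitespace separates the directive name from its sources.
def parse_csp(header)
  header.split(";").map { |d| d.strip.split(/\s+/) }.reject(&:empty?)
end

def csp_directive_names(header)
  parse_csp(header).map(&:first)
end

# Browsers ignore a repeated directive and keep the first occurrence, so the
# sources enforced for `directive` are those of its first instance.
def effective_sources(header, directive)
  first = parse_csp(header).find { |tokens| tokens.first == directive }
  first ? first.drop(1) : []
end

# Vulnerable pattern: a tenant-controlled host (hypothetical `cdn`, e.g. a
# value saved from a settings form) is placed in img-src without validation.
def vulnerable_policy(cdn)
  build_csp({
    "default-src" => ["'self'"],
    "img-src"     => ["'self'", cdn],
    "script-src"  => ["'self'"]
  })
end

# Hardened pattern: refuse any source containing the delimiters a browser
# uses when tokenising the header (';' between directives, ',' between
# policies). This implements the page's workaround, not the upstream patch;
# a real deployment should prefer an allow-list of expected host patterns.
class InvalidCspSource < ArgumentError; end

def validate_csp_source!(source)
  if source.match?(/[;,]/)
    raise InvalidCspSource, "CSP source #{source.inspect} contains a delimiter"
  end
  source
end

def safe_policy(cdn)
  validate_csp_source!(cdn)
  vulnerable_policy(cdn)
end

# Constructed inputs: a benign tenant value and an attacker-supplied one that
# closes img-src and injects a script-src placed before the legitimate one.
BENIGN_CDN    = "https://cdn.example.com"
MALICIOUS_CDN = "https://cdn.example.com; script-src 'unsafe-inline' https://evil.example"

if __FILE__ == $PROGRAM_NAME
  puts vulnerable_policy(MALICIOUS_CDN)
  p effective_sources(vulnerable_policy(MALICIOUS_CDN), "script-src")
  begin
    safe_policy(MALICIOUS_CDN)
  rescue InvalidCspSource => e
    puts "rejected: #{e.message}"
  end
end
```

The injected `script-src 'unsafe-inline' https://evil.example` lands before the application's own `script-src 'self'`, and because a browser honours only the first occurrence of a directive, the attacker's sources are the ones enforced. The hardened builder raises before the value is serialised, which is the behaviour to aim for: fail closed rather than emit a weakened policy.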

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2. An application that must stay on the 7.0 series should move to 7.0.8.7, the patched release in that line; the 7.1 and 7.2 equivalents are 7.1.5.1 and 7.2.2.1.

497 Other Versions

Version License Security Released Age
3.2.6 UNKNOWN 51 2012-06-12 - 21:24 about 13 years
3.2.5 UNKNOWN 53 2012-06-01 - 03:38 about 13 years
3.2.4 UNKNOWN 53 2012-05-31 - 18:23 about 13 years
3.2.4.rc1 UNKNOWN 55 2012-05-28 - 19:00 about 13 years
3.2.3 UNKNOWN 55 2012-03-30 - 22:25 over 13 years
3.2.3.rc2 UNKNOWN 55 2012-03-29 - 16:13 over 13 years
3.2.3.rc1 UNKNOWN 55 2012-03-27 - 17:10 over 13 years
3.2.2 UNKNOWN 55 2012-03-01 - 17:50 over 13 years
3.2.2.rc1 UNKNOWN 57 2012-02-22 - 21:37 over 13 years
3.2.1 UNKNOWN 57 2012-01-26 - 23:09 over 13 years
3.2.0 UNKNOWN 57 2012-01-20 - 16:47 over 13 years
3.2.0.rc2 UNKNOWN 47 2012-01-04 - 21:04 over 13 years
3.2.0.rc1 UNKNOWN 47 2011-12-20 - 00:40 over 13 years
3.1.12 UNKNOWN 50 2013-03-18 - 17:12 over 12 years
3.1.11 UNKNOWN 52 2013-02-11 - 18:16 over 12 years
3.1.10 UNKNOWN 52 2013-01-08 - 20:06 over 12 years
3.1.9 UNKNOWN 53 2013-01-02 - 21:18 over 12 years
3.1.8 UNKNOWN 53 2012-08-09 - 21:18 almost 13 years
3.1.7 UNKNOWN 55 2012-07-26 - 22:06 almost 13 years
3.1.6 UNKNOWN 56 2012-06-12 - 21:24 about 13 years
3.1.5 UNKNOWN 57 2012-05-31 - 18:23 about 13 years
3.1.5.rc1 UNKNOWN 58 2012-05-28 - 19:00 about 13 years
3.1.4 UNKNOWN 58 2012-03-01 - 17:50 over 13 years
3.1.4.rc1 UNKNOWN 59 2012-02-22 - 21:37 over 13 years
3.1.3 UNKNOWN 59 2011-11-20 - 22:51 over 13 years
3.1.2 UNKNOWN 59 2011-11-18 - 01:32 over 13 years
3.1.2.rc2 UNKNOWN 62 2011-11-14 - 15:48 over 13 years
3.1.2.rc1 UNKNOWN 62 2011-11-14 - 14:16 over 13 years
3.1.1 UNKNOWN 62 2011-10-07 - 15:28 over 13 years
3.1.1.rc3 UNKNOWN 62 2011-10-06 - 02:29 over 13 years
3.1.1.rc2 UNKNOWN 62 2011-09-29 - 22:15 almost 14 years
3.1.1.rc1 UNKNOWN 62 2011-09-15 - 00:24 almost 14 years
3.1.0 UNKNOWN 62 2011-08-31 - 02:17 almost 14 years
3.1.0.rc8 UNKNOWN 51 2011-08-29 - 03:25 almost 14 years
3.1.0.rc6 UNKNOWN 51 2011-08-16 - 22:32 almost 14 years
3.1.0.rc5 UNKNOWN 51 2011-07-25 - 23:04 almost 14 years
3.1.0.rc4 UNKNOWN 51 2011-06-09 - 22:55 about 14 years
3.1.0.rc3 UNKNOWN 51 2011-06-08 - 21:26 about 14 years
3.1.0.rc2 UNKNOWN 51 2011-06-08 - 00:14 about 14 years
3.1.0.rc1 UNKNOWN 51 2011-05-22 - 02:25 about 14 years
3.1.0.beta1 UNKNOWN 51 2011-05-05 - 01:22 about 14 years
3.0.20 UNKNOWN 53 2013-01-28 - 21:00 over 12 years
3.0.19 UNKNOWN 53 2013-01-08 - 20:06 over 12 years
3.0.18 UNKNOWN 54 2013-01-02 - 21:18 over 12 years
3.0.17 UNKNOWN 54 2012-08-09 - 21:15 almost 13 years
3.0.16 UNKNOWN 56 2012-07-26 - 22:06 almost 13 years
3.0.15 UNKNOWN 57 2012-06-13 - 03:06 about 13 years
3.0.14 UNKNOWN 57 2012-06-12 - 21:24 about 13 years
3.0.13 UNKNOWN 58 2012-05-31 - 18:23 about 13 years
3.0.13.rc1 UNKNOWN 58 2012-05-28 - 19:00 about 13 years