Ruby/actionpack/7.0.8.5


Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

1 Security Vulnerability

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133
Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP: directives in a CSP header value are separated by semicolons, so a source value that carries one terminates the directive it was meant to belong to and appends an attacker-chosen directive after it. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input before it reaches the helper, for example by accepting only a single well-formed source expression (a scheme, a host, or a quoted keyword) and rejecting anything containing whitespace, ';' or ','.
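The following is an added example, not code from Action Pack or from the advisory. It uses a toy header builder that joins source values verbatim (standing in for any dynamic policy that concatenates user input), shows the directive injection the advisory describes, and then applies the workaround: an allowlist validator for single source expressions, plus a delimiter-escaping step for comparison. The policy, the allowlist regexes and the attacker input are all constructed for the example.

```ruby
# Added example (not Action Pack code). A toy CSP header builder that joins
# source values verbatim, the way a vulnerable dynamic policy does, plus a
# strict allowlist validator and a delimiter-escaping step. All inputs below
# are constructed for the example.

# Naive serialisation: "<directive> <sources...>" joined by "; ". Because ';'
# separates directives, a ';' inside a source value ends the current
# directive and starts a new, attacker-chosen one.
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Parse a serialised policy the way a browser does: directives are split on
# ';', the first token of each is the directive name, the rest are sources.
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).map do |directive|
    name, *sources = directive.split(/\s+/)
    [name, sources]
  end
end

# Allowlist for one CSP source expression. Deliberately narrower than the
# full CSP grammar (no bare '*', no nonce or hash sources): quoted keywords,
# a scheme ("https:"), or a host with optional scheme, "*." prefix and port.
# Nothing containing whitespace, ';' or ',' can match any of the three.
CSP_KEYWORDS  = %w['self' 'none' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic'].freeze
SCHEME_SOURCE = /\A[a-z][a-z0-9+.-]*:\z/i
HOST_SOURCE   = %r{\A(?:https?://)?(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*(?::\d{1,5})?\z}i

def valid_csp_source?(value)
  return true if CSP_KEYWORDS.include?(value)
  return true if SCHEME_SOURCE.match?(value)
  HOST_SOURCE.match?(value)
end

# Hardened builder: refuses to serialise any source that fails the allowlist,
# so untrusted input can only ever contribute a single, well-formed source.
def build_csp_safely(directives)
  directives.each do |name, sources|
    sources.each do |source|
      next if valid_csp_source?(source)
      raise ArgumentError, "rejected CSP source for #{name}: #{source.inspect}"
    end
  end
  build_csp(directives)
end

# Escaping alone: percent-encode the two CSP delimiters so a value can no
# longer split directives (';') or policies (','). This blocks directive
# injection but, as demo shows, not extra space-separated sources.
def escape_csp_source(value)
  value.gsub(";", "%3B").gsub(",", "%2C")
end

# Constructed attacker input for a "cdn host" parameter. The policy below has
# no connect-src, so the injected one replaces the default-src fallback and
# allows connections to any origin.
MALICIOUS_CDN = "https://cdn.example.com; connect-src *".freeze

def demo
  policy = { "default-src" => ["'self'"], "script-src" => ["'self'", MALICIOUS_CDN] }

  injected = parse_csp(build_csp(policy)).map(&:first)
  rejected = begin
    build_csp_safely(policy)
    false
  rescue ArgumentError
    true
  end
  escaped = parse_csp(build_csp("script-src" => ["'self'", escape_csp_source(MALICIOUS_CDN)]))

  {
    injected_directives: injected,            # ["default-src", "script-src", "connect-src"]
    allowlist_rejected:  rejected,            # true
    escaped_directives:  escaped.map(&:first),# ["script-src"] only
    escaped_sources:     escaped.first.last   # still widened by a bare "*"
  }
end

if __FILE__ == $PROGRAM_NAME
  p demo
end
```

The escaping result is the caveat worth noting: once ';' is encoded, no new directive appears, but the remainder of the value ("connect-src *") survives as extra sources of script-src, and the bare "*" widens that directive to every host. Validating the input as exactly one source expression, rather than escaping delimiters, is therefore the workaround to reach for.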

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2, or to 7.0.8.7 if staying on the 7.0 series (the earliest fixed release for this page's version). Any of the listed secure versions closes the issue.

497 Other Versions

Version License Security Released
3.0.12 UNKNOWN 58 2012-03-01 - 17:50 over 13 years
3.0.12.rc1 UNKNOWN 59 2012-02-22 - 21:37 over 13 years
3.0.11 UNKNOWN 59 2011-11-18 - 01:22 over 13 years
3.0.10 UNKNOWN 60 2011-08-16 - 22:12 almost 14 years
3.0.10.rc1 UNKNOWN 63 2011-08-05 - 00:11 almost 14 years
3.0.9 UNKNOWN 63 2011-06-16 - 10:04 about 14 years
3.0.9.rc5 UNKNOWN 63 2011-06-12 - 21:29 about 14 years
3.0.9.rc4 UNKNOWN 63 2011-06-12 - 21:23 about 14 years
3.0.9.rc3 UNKNOWN 63 2011-06-09 - 22:50 about 14 years
3.0.9.rc1 UNKNOWN 63 2011-06-08 - 21:19 about 14 years
3.0.8 UNKNOWN 63 2011-06-08 - 00:14 about 14 years
3.0.8.rc4 UNKNOWN 64 2011-05-31 - 00:07 about 14 years
3.0.8.rc2 UNKNOWN 64 2011-05-27 - 16:31 about 14 years
3.0.8.rc1 UNKNOWN 64 2011-05-26 - 00:10 about 14 years
3.0.7 UNKNOWN 64 2011-04-18 - 21:04 about 14 years
3.0.7.rc2 UNKNOWN 65 2011-04-15 - 17:31 about 14 years
3.0.7.rc1 UNKNOWN 65 2011-04-14 - 21:55 about 14 years
3.0.6 UNKNOWN 65 2011-04-05 - 23:01 about 14 years
3.0.6.rc2 UNKNOWN 67 2011-03-31 - 05:27 over 14 years
3.0.6.rc1 UNKNOWN 67 2011-03-29 - 20:43 over 14 years
3.0.5 UNKNOWN 67 2011-02-27 - 02:29 over 14 years
3.0.5.rc1 UNKNOWN 67 2011-02-23 - 19:07 over 14 years
3.0.4 UNKNOWN 67 2011-02-08 - 21:15 over 14 years
3.0.4.rc1 UNKNOWN 73 2011-01-30 - 22:59 over 14 years
3.0.3 UNKNOWN 73 2010-11-16 - 16:28 over 14 years
3.0.2 UNKNOWN 73 2010-11-15 - 19:33 over 14 years
3.0.1 UNKNOWN 73 2010-10-14 - 20:55 over 14 years
3.0.0 UNKNOWN 73 2010-08-29 - 23:11 almost 15 years
3.0.0.rc2 UNKNOWN 42 2010-08-24 - 03:04 almost 15 years
3.0.0.rc UNKNOWN 42 2010-07-26 - 21:43 almost 15 years
3.0.0.beta4 UNKNOWN 41 2010-06-08 - 22:30 about 15 years
3.0.0.beta3 UNKNOWN 41 2010-04-13 - 19:22 about 15 years
3.0.0.beta2 UNKNOWN 41 2010-04-01 - 21:24 about 15 years
3.0.0.beta UNKNOWN 41 2010-02-05 - 02:59 over 15 years
2.3.18 UNKNOWN 35 2013-03-18 - 17:12 over 12 years
2.3.17 UNKNOWN 37 2013-02-11 - 18:16 over 12 years
2.3.16 UNKNOWN 37 2013-01-28 - 21:00 over 12 years
2.3.15 UNKNOWN 39 2013-01-08 - 20:06 over 12 years
2.3.14 UNKNOWN 39 2011-08-16 - 22:00 almost 14 years
2.3.12 UNKNOWN 45 2011-06-08 - 00:21 about 14 years
2.3.11 UNKNOWN 45 2011-02-08 - 21:15 over 14 years
2.3.10 UNKNOWN 48 2010-10-14 - 20:52 over 14 years
2.3.9 UNKNOWN 48 2010-09-04 - 21:54 almost 15 years
2.3.9.pre UNKNOWN 48 2010-08-30 - 03:31 almost 15 years
2.3.8 UNKNOWN 48 2010-05-25 - 04:52 about 15 years
2.3.8.pre1 UNKNOWN 48 2010-05-24 - 21:16 about 15 years
2.3.7 UNKNOWN 48 2010-05-24 - 08:22 about 15 years
2.3.6 UNKNOWN 48 2010-05-23 - 07:48 about 15 years
2.3.5 UNKNOWN 48 2009-11-27 - 00:12 over 15 years
2.3.4 UNKNOWN 50 2009-09-04 - 17:33 almost 16 years