Ruby/actionpack/7.0.8.6

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

1 Security Vulnerabilities

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133
Links:

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2.

497 Other Versions

Version License Security Released
4.1.15.rc1 MIT 19 2016-03-01 - 18:43 over 9 years
4.1.14.2 MIT 19 2016-02-29 - 19:18 over 9 years
4.1.14.1 MIT 23 2016-01-25 - 19:23 over 9 years
4.1.14 MIT 32 2015-11-12 - 17:21 over 9 years
4.1.14.rc2 MIT 32 2015-11-05 - 02:54 over 9 years
4.1.14.rc1 MIT 32 2015-10-30 - 20:45 over 9 years
4.1.13 MIT 32 2015-08-24 - 18:02 almost 10 years
4.1.13.rc1 MIT 32 2015-08-14 - 15:12 almost 10 years
4.1.12 MIT 32 2015-06-25 - 21:25 about 10 years
4.1.12.rc1 MIT 32 2015-06-22 - 14:04 about 10 years
4.1.11 MIT 32 2015-06-16 - 17:59 about 10 years
4.1.10 MIT 32 2015-03-19 - 16:49 over 10 years
4.1.10.rc4 MIT 32 2015-03-12 - 21:32 over 10 years
4.1.10.rc3 MIT 32 2015-03-02 - 21:39 over 10 years
4.1.10.rc2 MIT 32 2015-02-25 - 22:21 over 10 years
4.1.10.rc1 MIT 32 2015-02-20 - 22:24 over 10 years
4.1.9 MIT 32 2015-01-06 - 20:03 over 10 years
4.1.9.rc1 MIT 32 2015-01-02 - 01:10 over 10 years
4.1.8 MIT 32 2014-11-17 - 15:58 over 10 years
4.1.7.1 MIT 34 2014-11-19 - 19:11 over 10 years
4.1.7 MIT 35 2014-10-30 - 18:35 over 10 years
4.1.6 MIT 37 2014-09-11 - 17:25 almost 11 years
4.1.6.rc2 MIT 37 2014-09-08 - 18:12 almost 11 years
4.1.6.rc1 MIT 37 2014-08-19 - 20:52 almost 11 years
4.1.5 MIT 37 2014-08-18 - 17:00 almost 11 years
4.1.4 MIT 37 2014-07-02 - 19:53 almost 11 years
4.1.3 MIT 37 2014-07-02 - 17:06 almost 11 years
4.1.2 MIT 37 2014-06-26 - 14:49 about 11 years
4.1.2.rc3 MIT 37 2014-06-23 - 17:28 about 11 years
4.1.2.rc2 MIT 37 2014-06-16 - 16:30 about 11 years
4.1.2.rc1 MIT 37 2014-05-27 - 16:12 about 11 years
4.1.1 MIT 37 2014-05-06 - 16:10 about 11 years
4.1.0 MIT 40 2014-04-08 - 19:20 about 11 years
4.1.0.rc2 MIT 36 2014-03-25 - 20:12 over 11 years
4.1.0.rc1 MIT 36 2014-02-18 - 20:58 over 11 years
4.1.0.beta2 MIT 36 2014-02-18 - 18:51 over 11 years
4.1.0.beta1 MIT 37 2013-12-18 - 00:14 over 11 years
4.0.13 MIT 35 2015-01-06 - 20:08 over 10 years
4.0.13.rc1 MIT 35 2015-01-02 - 00:54 over 10 years
4.0.12 MIT 35 2014-11-17 - 15:58 over 10 years
4.0.11.1 MIT 37 2014-11-19 - 19:09 over 10 years
4.0.11 MIT 37 2014-10-30 - 18:35 over 10 years
4.0.10 MIT 39 2014-09-11 - 17:32 almost 11 years
4.0.10.rc2 MIT 39 2014-09-08 - 17:55 almost 11 years
4.0.10.rc1 MIT 39 2014-08-19 - 20:48 almost 11 years
4.0.9 MIT 39 2014-08-18 - 17:02 almost 11 years
4.0.8 MIT 39 2014-07-02 - 19:41 almost 11 years
4.0.7 MIT 39 2014-07-02 - 17:03 almost 11 years
4.0.6 MIT 39 2014-06-26 - 16:28 about 11 years
4.0.6.rc3 MIT 39 2014-06-23 - 17:23 about 11 years