Ruby/actionpack/7.1.4.1


Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

2 Security Vulnerabilities (both records below describe the same advisory, CVE-2024-54133)

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10T22:42:27Z
CVE: CVE-2024-54133

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs (for example, a value that carries the directive separator ";") being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate that input before it reaches the policy (for example, accept only a single source expression with no ";", "," or whitespace, or match it against an allow-list of hosts).
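The injection described under Impact and the validation suggested under Workarounds, as an added example that is not Rails code: a small serializer with the same shape as the output of the content_security_policy DSL (sources joined by spaces, directives by "; "), a browser-style parser, and a check that rejects any source value containing a separator. The function names, the img-src/avatar-host scenario and the attacker string are constructions of this example, not taken from the advisory or from Action Pack.

```ruby
# Added example, not Rails code. Models the pattern the advisory describes:
# an untrusted value placed into one directive of a CSP header.

# Serialize a directive map into a Content-Security-Policy header value,
# the same shape Action Dispatch emits: "name src src; name src".
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Parse a header the way a browser does: directives split on ";", tokens on
# whitespace, and a directive name that appears twice keeps its first value.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, policy|
    name, *sources = part.strip.split(/\s+/)
    next if name.nil? || name.empty?
    policy[name] ||= sources
  end
end

# A single source expression must never contain the characters that give the
# header its structure: ";" (ends the directive), "," (splits the header into
# several policies) and whitespace (ends the token).
CSP_SOURCE_FORBIDDEN = /[;,[:space:]]/

def valid_csp_source?(source)
  source.is_a?(String) && !source.empty? && !source.match?(CSP_SOURCE_FORBIDDEN)
end

# Vulnerable pattern (hypothetical app): the avatar host comes straight from
# user input and lands in img-src, next to a default-src 'self' policy.
def vulnerable_policy(avatar_host)
  build_csp("default-src" => ["'self'"], "img-src" => ["'self'", avatar_host])
end

# Hardened pattern: refuse anything that is not exactly one source token.
def hardened_policy(avatar_host)
  unless valid_csp_source?(avatar_host)
    raise ArgumentError, "invalid CSP source: #{avatar_host.inspect}"
  end
  build_csp("default-src" => ["'self'"], "img-src" => ["'self'", avatar_host])
end

# Constructed attacker input: a plausible host followed by a brand-new directive.
INJECTED_HOST = "https://images.example.com; script-src * 'unsafe-inline'".freeze

if $PROGRAM_NAME == __FILE__
  header = vulnerable_policy(INJECTED_HOST)
  puts header
  p parse_csp(header)["script-src"]   # the injected directive is now in force
  begin
    hardened_policy(INJECTED_HOST)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Two points the code makes concrete. Because browsers keep the first occurrence of a directive, the dangerous input is one that adds a directive the policy never set (here script-src, which otherwise falls back to default-src 'self'); re-stating an existing directive does nothing. And the check rejects rather than strips: deleting ";" from a hostile value can still leave a token the author did not intend, so the safe behaviour is to fail the request or fall back to a static policy.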

Credits

Thanks to ryotak for the report!

Affected versions: ["8.0.0", "7.2.0", "7.2.1", "7.2.1.1", "7.2.1.2", "7.2.2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.1.4.1", "7.1.4.2", "7.1.5", "6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.0.8.1", "6.1.7.7", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.7.8", "7.0.8.5", "6.1.7.9", "7.0.8.6", "6.1.7.10"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2. If staying on the current release line, the first fixed release on each line is 7.0.8.7 (7.0), 7.1.5.1 (7.1, the line this page covers), 7.2.2.1 (7.2) and 8.0.0.1 (8.0).

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10
Framework: rails
CVE: CVE-2024-54133


Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.1.7.1", "6.0.6.1", "7.0.4.1", "7.0.4.2", "6.1.7.2", "7.0.4.3", "6.1.7.3", "7.0.5", "7.0.5.1", "6.1.7.4", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "6.1.7.6", "6.1.7.5", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "6.1.7.7", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "6.1.7.8", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4", "8.0.0.beta1", "7.2.1.1", "7.1.4.1", "6.1.7.9", "8.0.0.rc1", "7.2.1.2", "7.1.4.2", "6.1.7.10", "8.0.0.rc2", "7.2.2", "7.1.5", "8.0.0"]
Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]
Recommendation: Update to version 8.0.2. If staying on the current release line, the first fixed release on each line is 7.0.8.7 (7.0), 7.1.5.1 (7.1, the line this page covers), 7.2.2.1 (7.2) and 8.0.0.1 (8.0).

497 Other Versions

Version | License | Security (count of known advisories affecting the version) | Released (date - time UTC) | Age
5.0.0.rc2 MIT 17 2016-06-22 - 20:02 about 9 years
5.0.0.rc1 MIT 17 2016-05-06 - 21:56 about 9 years
5.0.0.beta4 MIT 17 2016-04-27 - 20:54 about 9 years
5.0.0.beta3 MIT 17 2016-02-24 - 16:15 over 9 years
5.0.0.beta2 MIT 17 2016-02-01 - 22:05 over 9 years
5.0.0.beta1 MIT 17 2015-12-18 - 21:17 over 9 years
5.0.0.beta1.1 MIT 17 2016-01-25 - 19:23 over 9 years
5.0.0.racecar1 MIT 21 2016-05-06 - 22:01 about 9 years
4.2.11.3 MIT 17 2020-05-15 - 18:35 about 5 years
4.2.11.2 MIT 17 2020-05-15 - 16:30 about 5 years
4.2.11.1 MIT 17 2019-03-13 - 16:37 over 6 years
4.2.11 MIT 17 2018-11-27 - 20:06 over 6 years
4.2.10 MIT 17 2017-09-27 - 14:28 almost 8 years
4.2.10.rc1 MIT 17 2017-09-20 - 19:41 almost 8 years
4.2.9 MIT 17 2017-06-26 - 21:30 about 8 years
4.2.9.rc2 MIT 17 2017-06-19 - 22:27 about 8 years
4.2.9.rc1 MIT 17 2017-06-13 - 18:49 about 8 years
4.2.8 MIT 17 2017-02-21 - 16:08 over 8 years
4.2.8.rc1 MIT 17 2017-02-10 - 02:45 over 8 years
4.2.7.1 MIT 17 2016-08-11 - 17:31 almost 9 years
4.2.7 MIT 18 2016-07-13 - 02:55 almost 9 years
4.2.7.rc1 MIT 18 2016-07-01 - 00:32 about 9 years
4.2.6 MIT 18 2016-03-07 - 22:32 over 9 years
4.2.6.rc1 MIT 18 2016-03-01 - 18:37 over 9 years
4.2.5.2 MIT 18 2016-02-29 - 19:16 over 9 years
4.2.5.1 MIT 21 2016-01-25 - 19:23 over 9 years
4.2.5 MIT 30 2015-11-12 - 17:06 over 9 years
4.2.5.rc2 MIT 30 2015-11-05 - 03:01 over 9 years
4.2.5.rc1 MIT 30 2015-10-30 - 20:47 over 9 years
4.2.4 MIT 30 2015-08-24 - 18:26 almost 10 years
4.2.4.rc1 MIT 30 2015-08-14 - 15:20 almost 10 years
4.2.3 MIT 30 2015-06-25 - 21:29 about 10 years
4.2.3.rc1 MIT 30 2015-06-22 - 14:22 about 10 years
4.2.2 MIT 30 2015-06-16 - 18:02 about 10 years
4.2.1 MIT 30 2015-03-19 - 16:41 over 10 years
4.2.1.rc4 MIT 30 2015-03-12 - 21:25 over 10 years
4.2.1.rc3 MIT 30 2015-03-02 - 21:35 over 10 years
4.2.1.rc2 MIT 30 2015-02-25 - 22:19 over 10 years
4.2.1.rc1 MIT 30 2015-02-20 - 22:20 over 10 years
4.2.0 MIT 30 2014-12-20 - 00:15 over 10 years
4.2.0.rc3 MIT 23 2014-12-13 - 02:58 over 10 years
4.2.0.rc2 MIT 23 2014-12-05 - 23:19 over 10 years
4.2.0.rc1 MIT 23 2014-11-28 - 17:52 over 10 years
4.2.0.beta4 MIT 23 2014-10-30 - 22:12 over 10 years
4.2.0.beta3 MIT 24 2014-10-30 - 18:35 over 10 years
4.2.0.beta2 MIT 26 2014-09-26 - 17:44 almost 11 years
4.2.0.beta1 MIT 26 2014-08-20 - 02:34 almost 11 years
4.1.16 MIT 19 2016-07-12 - 22:20 almost 9 years
4.1.16.rc1 MIT 19 2016-07-02 - 02:14 almost 9 years
4.1.15 MIT 19 2016-03-07 - 22:36 over 9 years