Ruby/actionpack/7.2.0.beta3

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Repo Link: https://rubygems.org/gems/actionpack
License: MIT

3 Security Vulnerabilities

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Published date: 2024-10-15

Framework: rails

CVE: 2024-41128

Links:

https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.1", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.8", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.2", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.11", "3.1.10", "3.1.7", "3.1.4", "3.1.4.rc1", "3.1.2.rc1", "3.1.1.rc3", "3.1.1.rc1", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22", "3.2.17", "3.2.16", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9.rc1", "3.2.8.rc2", "3.2.8.rc1", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2.rc1", "3.2.1", "3.1.12", "3.1.9", "3.1.8", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.1", "3.1.1.rc2", "3.1.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.0.6.1", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4"]

Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]

Recommendation: Update to version 8.0.2.

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

Published date: 2024-10-15

Framework: rails

CVE: 2024-47887

Links:

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

Affected versions: ["6.0.3.3", "6.0.3", "6.0.2.2", "6.0.2.1", "6.0.2.rc2", "6.0.2.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.beta2", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.rc1", "5.2.1.1", "5.2.0", "5.2.0.rc2", "5.2.0.beta2", "5.1.7", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.3.rc3", "5.1.3.rc2", "5.1.2", "5.1.0.rc1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.beta1.1", "4.2.11.3", "4.2.11.2", "4.2.10", "4.2.9.rc2", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.3", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.1.16", "4.1.15", "4.1.14", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.5", "4.1.2", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.10.rc1", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.4", "4.0.3", "4.0.2", "4.0.1.rc2", "4.0.1.rc1", "6.1.0.rc1", "6.0.3.4", "6.0.3.2", "6.0.3.1", "6.0.3.rc1", "6.0.2", "6.0.1", "6.0.1.rc1", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta1", "5.2.4.4", "5.2.2.1", "5.2.2", "5.2.1", "5.2.1.rc1", "5.2.0.rc1", "5.2.0.beta1", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.4.rc1", "5.1.3", "5.1.3.rc1", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.beta1", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1", "4.2.11.1", "4.2.11", "4.2.10.rc1", "4.2.9", "4.2.9.rc1", "4.2.7.rc1", "4.2.5", "4.2.4.rc1", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.0.beta1", "4.1.16.rc1", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14.rc2", "4.1.12.rc1", "4.1.10.rc3", "4.1.7.1", "4.1.6.rc1", "4.1.4", "4.1.3", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.9", "4.0.6.rc1", "4.0.5", "4.0.4.rc1", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.0.3.6", "6.1.3.1", "5.2.5", "6.0.3.7", "5.2.6", "6.1.3.2", "5.2.4.6", "6.0.4", "6.1.4", "6.0.4.1", "6.1.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "6.1.4.3", "6.1.4.2", "6.0.4.2", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.1", "5.2.6.2", "5.2.6.1", "7.0.2.2", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "7.0.3", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.0.6", "7.0.4", "6.1.7", "6.0.6.1", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4"]

Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]

Recommendation: Update to version 8.0.2.

Possible Content Security Policy bypass in Action Dispatch

Published date: 2024-12-10

Framework: rails

CVE: 2024-54133

Links:

https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Secure versions: [7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1, 8.0.1, 8.0.2]

Recommendation: Update to version 8.0.2.

497 Other Versions

Version	License	Security	Released
5.2.3.rc1	MIT	21	2019-03-22 - 03:34	over 6 years
5.2.2.1	MIT	21	2019-03-13 - 16:47	over 6 years
5.2.2	MIT	21	2018-12-04 - 18:13	over 6 years
5.2.2.rc1	MIT	21	2018-11-28 - 22:54	over 6 years
5.2.1.1	MIT	21	2018-11-27 - 20:13	over 6 years
5.2.1	MIT	21	2018-08-07 - 21:43	almost 7 years
5.2.1.rc1	MIT	21	2018-07-30 - 20:20	almost 7 years
5.2.0	MIT	21	2018-04-09 - 20:05	about 7 years
5.2.0.rc2	MIT	17	2018-03-20 - 17:53	over 7 years
5.2.0.rc1	MIT	17	2018-01-30 - 23:37	over 7 years
5.2.0.beta2	MIT	17	2017-11-28 - 05:03	over 7 years
5.2.0.beta1	MIT	17	2017-11-27 - 18:04	over 7 years
5.1.7	MIT	21	2019-03-28 - 02:47	over 6 years
5.1.7.rc1	MIT	21	2019-03-22 - 04:12	over 6 years
5.1.6.2	MIT	21	2019-03-13 - 16:45	over 6 years
5.1.6.1	MIT	21	2018-11-27 - 20:11	over 6 years
5.1.6	MIT	21	2018-03-29 - 18:28	over 7 years
5.1.5	MIT	21	2018-02-14 - 20:00	over 7 years
5.1.5.rc1	MIT	21	2018-02-01 - 18:59	over 7 years
5.1.4	MIT	21	2017-09-08 - 00:50	almost 8 years
5.1.4.rc1	MIT	21	2017-08-24 - 19:36	almost 8 years
5.1.3	MIT	21	2017-08-03 - 19:14	almost 8 years
5.1.3.rc3	MIT	21	2017-07-31 - 19:11	almost 8 years
5.1.3.rc2	MIT	21	2017-07-25 - 20:17	almost 8 years
5.1.3.rc1	MIT	21	2017-07-19 - 19:37	almost 8 years
5.1.2	MIT	21	2017-06-26 - 21:50	about 8 years
5.1.2.rc1	MIT	21	2017-06-20 - 17:03	about 8 years
5.1.1	MIT	21	2017-05-12 - 20:10	about 8 years
5.1.0	MIT	21	2017-04-27 - 20:59	about 8 years
5.1.0.rc2	MIT	21	2017-04-21 - 01:30	about 8 years
5.1.0.rc1	MIT	21	2017-03-20 - 18:57	over 8 years
5.1.0.beta1	MIT	21	2017-02-23 - 19:57	over 8 years
5.0.7.2	MIT	21	2019-03-13 - 16:40	over 6 years
5.0.7.1	MIT	21	2018-11-27 - 20:08	over 6 years
5.0.7	MIT	21	2018-03-29 - 17:58	over 7 years
5.0.6	MIT	21	2017-09-08 - 00:46	almost 8 years
5.0.6.rc1	MIT	21	2017-08-24 - 19:10	almost 8 years
5.0.5	MIT	21	2017-07-31 - 19:04	almost 8 years
5.0.5.rc2	MIT	21	2017-07-25 - 20:25	almost 8 years
5.0.5.rc1	MIT	21	2017-07-19 - 19:43	almost 8 years
5.0.4	MIT	21	2017-06-19 - 21:58	about 8 years
5.0.4.rc1	MIT	21	2017-06-14 - 20:48	about 8 years
5.0.3	MIT	21	2017-05-12 - 20:03	about 8 years
5.0.2	MIT	21	2017-03-01 - 23:13	over 8 years
5.0.2.rc1	MIT	21	2017-02-25 - 00:55	over 8 years
5.0.1	MIT	21	2016-12-21 - 00:06	over 8 years
5.0.1.rc2	MIT	21	2016-12-09 - 19:12	over 8 years
5.0.1.rc1	MIT	21	2016-11-30 - 20:01	over 8 years
5.0.0.1	MIT	21	2016-08-11 - 17:32	almost 9 years
5.0.0	MIT	22	2016-06-30 - 21:21	about 9 years