GHSA-vfm5-rmrh-j26v

Suggest an improvement
Source
https://github.com/advisories/GHSA-vfm5-rmrh-j26v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/12/GHSA-vfm5-rmrh-j26v/GHSA-vfm5-rmrh-j26v.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vfm5-rmrh-j26v
Aliases
Published
2024-12-10T22:42:27Z
Modified
2024-12-20T10:42:25.440765Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Possible Content Security Policy bypass in Action Dispatch
Details

There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack.

Impact

Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks.

Releases

The fixed releases are available at the normal locations.

Workarounds

Applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Credits

Thanks to ryotak for the report!

Database specific
{
    "nvd_published_at": "2024-12-10T23:15:06Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-10T22:42:27Z"
}
References

Affected packages

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.2.0
Fixed
7.0.8.7

Affected versions

5.*

5.2.0
5.2.1.rc1
5.2.1
5.2.1.1
5.2.2.rc1
5.2.2
5.2.2.1
5.2.3.rc1
5.2.3
5.2.4.rc1
5.2.4
5.2.4.1
5.2.4.2
5.2.4.3
5.2.4.4
5.2.4.5
5.2.4.6
5.2.5
5.2.6
5.2.6.1
5.2.6.2
5.2.6.3
5.2.7
5.2.7.1
5.2.8
5.2.8.1

6.*

6.0.0.beta1
6.0.0.beta2
6.0.0.beta3
6.0.0.rc1
6.0.0.rc2
6.0.0
6.0.1.rc1
6.0.1
6.0.2.rc1
6.0.2.rc2
6.0.2
6.0.2.1
6.0.2.2
6.0.3.rc1
6.0.3
6.0.3.1
6.0.3.2
6.0.3.3
6.0.3.4
6.0.3.5
6.0.3.6
6.0.3.7
6.0.4
6.0.4.1
6.0.4.2
6.0.4.3
6.0.4.4
6.0.4.5
6.0.4.6
6.0.4.7
6.0.4.8
6.0.5
6.0.5.1
6.0.6
6.0.6.1
6.1.0.rc1
6.1.0.rc2
6.1.0
6.1.1
6.1.2
6.1.2.1
6.1.3
6.1.3.1
6.1.3.2
6.1.4
6.1.4.1
6.1.4.2
6.1.4.3
6.1.4.4
6.1.4.5
6.1.4.6
6.1.4.7
6.1.5
6.1.5.1
6.1.6
6.1.6.1
6.1.7
6.1.7.1
6.1.7.2
6.1.7.3
6.1.7.4
6.1.7.5
6.1.7.6
6.1.7.7
6.1.7.8
6.1.7.9
6.1.7.10

7.*

7.0.0.alpha1
7.0.0.alpha2
7.0.0.rc1
7.0.0.rc2
7.0.0.rc3
7.0.0
7.0.1
7.0.2
7.0.2.1
7.0.2.2
7.0.2.3
7.0.2.4
7.0.3
7.0.3.1
7.0.4
7.0.4.1
7.0.4.2
7.0.4.3
7.0.5
7.0.5.1
7.0.6
7.0.7
7.0.7.1
7.0.7.2
7.0.8
7.0.8.1
7.0.8.2
7.0.8.3
7.0.8.4
7.0.8.5
7.0.8.6

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.1.0
Fixed
7.1.5.1

Affected versions

7.*

7.1.0
7.1.1
7.1.2
7.1.3
7.1.3.1
7.1.3.2
7.1.3.3
7.1.3.4
7.1.4
7.1.4.1
7.1.4.2
7.1.5

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.2.0
Fixed
7.2.2.1

Affected versions

7.*

7.2.0
7.2.1
7.2.1.1
7.2.1.2
7.2.2

RubyGems / actionpack

Package

Name
actionpack
Purl
pkg:gem/actionpack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.0.1

Affected versions

8.*

8.0.0