Description
CVE-2024-54133 - Medium Severity Vulnerability
Vulnerable Library - actionpack-7.2.2.gem
Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.
Library home page: https://rubygems.org/gems/actionpack-7.2.2.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-7.2.2.gem
Dependency Hierarchy:
- rspec-rails-5.1.2.gem (Root Library)
  - ❌ actionpack-7.2.2.gem (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the "content_security_policy" helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
Publish Date: 2024-12-10
URL: CVE-2024-54133
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-vfm5-rmrh-j26v
Release Date: 2024-12-10
Fix Resolution: actionpack - 7.0.8.7, 7.1.5.1, 7.2.2.1, 8.0.0.1