GHSA-fwhr-88qx-h9g7

Source

https://github.com/advisories/GHSA-fwhr-88qx-h9g7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fwhr-88qx-h9g7/GHSA-fwhr-88qx-h9g7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-fwhr-88qx-h9g7

Aliases

CVE-2024-28103

Published

2024-06-04T22:26:24Z

Modified

2024-06-05T22:01:00.135360Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

Missing security headers in Action Pack on non-HTML responses

Details

Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our maintenance policy regarding security issues. They are in git-am format and consist of a single changeset.

6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.1.0

Fixed

6.1.7.8

Affected versions

6.*

6.1.0

6.1.1

6.1.2

6.1.2.1

6.1.3

6.1.3.1

6.1.3.2

6.1.4

6.1.4.1

6.1.4.2

6.1.4.3

6.1.4.4

6.1.4.5

6.1.4.6

6.1.4.7

6.1.5

6.1.5.1

6.1.6

6.1.6.1

6.1.7

6.1.7.1

6.1.7.2

6.1.7.3

6.1.7.4

6.1.7.5

6.1.7.6

6.1.7.7

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.8.4

Affected versions

7.*

7.0.0

7.0.1

7.0.2

7.0.2.1

7.0.2.2

7.0.2.3

7.0.2.4

7.0.3

7.0.3.1

7.0.4

7.0.4.1

7.0.4.2

7.0.4.3

7.0.5

7.0.5.1

7.0.6

7.0.7

7.0.7.1

7.0.7.2

7.0.8

7.0.8.1

7.0.8.2

7.0.8.3

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.1.0

Fixed

7.1.3.4

Affected versions

7.*

7.1.0

7.1.1

7.1.2

7.1.3

7.1.3.1

7.1.3.2

7.1.3.3

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.2.0.beta1

Fixed

7.2.0.beta2

Affected versions

7.*

7.2.0.beta1